npm - @monocloud/auth-nextjs - Versions diffs - 0.1.6 → 0.1.8 - Mend

@monocloud/auth-nextjs 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/README.md +1 -1
package/dist/client/index.cjs +3 -3
package/dist/client/index.d.mts +68 -112
package/dist/client/index.mjs +2 -2
package/dist/components/client/index.cjs +40 -84
package/dist/components/client/index.cjs.map +1 -1
package/dist/components/client/index.d.mts +55 -90
package/dist/components/client/index.mjs +38 -82
package/dist/components/client/index.mjs.map +1 -1
package/dist/components/index.cjs +44 -41
package/dist/components/index.cjs.map +1 -1
package/dist/components/index.d.mts +68 -45
package/dist/components/index.mjs +44 -41
package/dist/components/index.mjs.map +1 -1
package/dist/index.cjs +384 -365
package/dist/index.cjs.map +1 -1
package/dist/index.d.mts +1545 -1833
package/dist/index.mjs +380 -372
package/dist/index.mjs.map +1 -1
package/dist/{protect-K9srvUkq.mjs → protect-client-page-BFVskb3X.mjs} +58 -106
package/dist/protect-client-page-BFVskb3X.mjs.map +1 -0
package/dist/{protect-BCIji2i7.cjs → protect-client-page-BdsnH8gs.cjs} +59 -107
package/dist/protect-client-page-BdsnH8gs.cjs.map +1 -0
package/dist/types-ClljFIvK.d.mts +543 -0
package/package.json +3 -2
package/dist/protect-BCIji2i7.cjs.map +0 -1
package/dist/protect-K9srvUkq.mjs.map +0 -1
package/dist/types-Cx32VRoI.d.mts +0 -409

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.mjs","names":["MonoCloudValidationError","MonoCloudValidationError"],"sources":["../src/requests/monocloud-app-router-request.ts","../src/requests/monocloud-page-router-request.ts","../src/responses/monocloud-app-router-response.ts","../src/responses/monocloud-page-router-response.ts","../src/responses/monocloud-cookie-response.ts","../src/requests/monocloud-cookie-request.ts","../src/utils.ts","../src/monocloud-next-client.ts"],"sourcesContent":["import type { MonoCloudRequest } from '@monocloud/auth-node-core';\n// eslint-disable-next-line import/extensions\nimport type { NextRequest } from 'next/server.js';\n\nexport default class MonoCloudAppRouterRequest implements MonoCloudRequest {\n constructor(public readonly req: NextRequest) {}\n\n getQuery(parameter: string): string \| string[] \| undefined {\n const url = new URL(this.req.url);\n return url.searchParams.get(parameter) ?? undefined;\n }\n\n getCookie(name: string): Promise<string \| undefined> {\n return Promise.resolve(this.req.cookies.get(name)?.value);\n }\n\n async getRawRequest(): Promise<{\n method: string;\n url: string;\n body: Record<string, string> \| string;\n }> {\n return {\n method: this.req.method,\n url: this.req.url,\n body: await this.req.text(),\n };\n }\n\n getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n this.req.cookies.getAll().forEach(x => {\n values.set(x.name, x.value);\n });\n return Promise.resolve(values);\n }\n}\n","/* eslint-disable @typescript-eslint/no-non-null-assertion /\nimport type { MonoCloudRequest } from '@monocloud/auth-node-core';\nimport type { NextApiRequest } from 'next';\n\nexport default class MonoCloudPageRouterRequest implements MonoCloudRequest {\n constructor(public readonly req: NextApiRequest) {}\n\n / v8 ignore next /\n getQuery(parameter: string): string \| string[] \| undefined {\n return this.req.query[parameter];\n }\n\n / v8 ignore next /\n getCookie(name: string): Promise<string \| undefined> {\n return Promise.resolve(this.req.cookies[name]);\n }\n\n / v8 ignore next /\n getRawRequest(): Promise<{\n method: string;\n url: string;\n body: Record<string, string> \| string;\n }> {\n return Promise.resolve({\n method: this.req.method!,\n url: this.req.url!,\n body: this.req.body,\n });\n }\n\n getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n const { cookies } = this.req;\n Object.keys(cookies).forEach(x => {\n const val = cookies[x];\n / v8 ignore else -- @preserve /\n if (typeof x === 'string' && typeof val === 'string') {\n values.set(x, val);\n }\n });\n return Promise.resolve(values);\n }\n}\n","import type {\n CookieOptions,\n MonoCloudResponse,\n} from '@monocloud/auth-node-core';\n// eslint-disable-next-line import/extensions\nimport { NextResponse } from 'next/server.js';\n\nexport default class MonoCloudAppRouterResponse implements MonoCloudResponse {\n constructor(public res: NextResponse) {}\n\n setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n this.res.cookies.set(cookieName, value, options);\n return Promise.resolve();\n }\n\n redirect(url: string, statusCode: number \| undefined = 302): void {\n const { headers } = this.res;\n this.res = NextResponse.redirect(url, { status: statusCode, headers });\n }\n\n sendJson(data: any, statusCode?: number): void {\n const { headers } = this.res;\n this.res = NextResponse.json(data, { status: statusCode, headers });\n }\n\n / v8 ignore next /\n notFound(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 404, headers });\n }\n\n internalServerError(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 500, headers });\n }\n\n noContent(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 204, headers });\n }\n\n methodNotAllowed(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 405, headers });\n }\n\n setNoCache(): void {\n this.res.headers.set('Cache-Control', 'no-cache no-store');\n this.res.headers.set('Pragma', 'no-cache');\n }\n\n done(): any {\n return this.res;\n }\n}\n","import type {\n CookieOptions,\n MonoCloudResponse,\n} from '@monocloud/auth-node-core';\nimport type { NextApiResponse } from 'next';\nimport { serialize } from 'cookie';\n\nexport default class MonoCloudPageRouterResponse implements MonoCloudResponse {\n constructor(public readonly res: NextApiResponse) {}\n\n setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n let cookies = this.res.getHeader('Set-Cookie') ?? [];\n\n / v8 ignore if -- @preserve /\n if (!Array.isArray(cookies)) {\n cookies = [cookies as string];\n }\n\n this.res.setHeader('Set-Cookie', [\n ...cookies.filter(cookie => !cookie.startsWith(`${cookieName}=`)),\n serialize(cookieName, value, options),\n ]);\n\n return Promise.resolve();\n }\n\n / v8 ignore next /\n redirect(url: string, statusCode?: number): void {\n this.res.redirect(statusCode ?? 302, url);\n }\n\n / v8 ignore next /\n sendJson(data: any, statusCode?: number): void {\n this.res.status(statusCode ?? 200);\n this.res.json(data);\n }\n\n / v8 ignore next /\n notFound(): void {\n this.res.status(404);\n }\n\n / v8 ignore next /\n internalServerError(): void {\n this.res.status(500);\n }\n\n / v8 ignore next /\n noContent(): void {\n this.res.status(204);\n }\n\n / v8 ignore next /\n methodNotAllowed(): void {\n this.res.status(405);\n }\n\n / v8 ignore next /\n setNoCache(): void {\n this.res.setHeader('Cache-Control', 'no-cache no-store');\n this.res.setHeader('Pragma', 'no-cache');\n }\n\n / v8 ignore next /\n done(): any {\n this.res.end();\n }\n}\n","/ eslint-disable no-console /\nimport type {\n CookieOptions,\n IMonoCloudCookieResponse,\n} from '@monocloud/auth-node-core';\n\nlet isWarned = false;\n\nexport default class MonoCloudCookieResponse implements IMonoCloudCookieResponse {\n async setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n (await cookies()).set(cookieName, value, options);\n } catch (e: any) {\n if (!isWarned) {\n console.warn(e.message);\n isWarned = true;\n }\n }\n }\n}\n","import type { IMonoCloudCookieRequest } from '@monocloud/auth-node-core';\n\nexport default class MonoCloudCookieRequest implements IMonoCloudCookieRequest {\n / v8 ignore next /\n async getCookie(name: string): Promise<string \| undefined> {\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n return (await cookies()).get(name)?.value;\n }\n\n async getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n (await cookies()).getAll().forEach((x: any) => {\n values.set(x.name, x.value);\n });\n return values;\n }\n}\n","// eslint-disable-next-line import/extensions\nimport { NextRequest, NextResponse } from 'next/server.js';\nimport type { NextApiRequest, NextApiResponse } from 'next/types';\nimport {\n MonoCloudValidationError,\n type IMonoCloudCookieRequest,\n type IMonoCloudCookieResponse,\n} from '@monocloud/auth-node-core';\nimport { AppRouterContext } from './types';\nimport MonoCloudAppRouterRequest from './requests/monocloud-app-router-request';\nimport MonoCloudPageRouterRequest from './requests/monocloud-page-router-request';\nimport MonoCloudAppRouterResponse from './responses/monocloud-app-router-response';\nimport MonoCloudPageRouterResponse from './responses/monocloud-page-router-response';\nimport MonoCloudCookieResponse from './responses/monocloud-cookie-response';\nimport MonoCloudCookieRequest from './requests/monocloud-cookie-request';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport { isPresent } from '@monocloud/auth-node-core/internal';\n\nexport const isMonoCloudRequest = (\n req: unknown\n): req is IMonoCloudCookieRequest =>\n req instanceof MonoCloudAppRouterRequest \|\|\n req instanceof MonoCloudPageRouterRequest \|\|\n req instanceof MonoCloudCookieRequest;\n\nexport const isMonoCloudResponse = (\n res: unknown\n): res is IMonoCloudCookieResponse =>\n res instanceof MonoCloudAppRouterResponse \|\|\n res instanceof MonoCloudPageRouterResponse \|\|\n res instanceof MonoCloudCookieResponse;\n\nexport const isAppRouter = (req: unknown): boolean =>\n req instanceof Request \|\|\n (req as Request).headers instanceof Headers \|\|\n typeof (req as Request).bodyUsed === 'boolean';\n\nexport const isNodeRequest = (req: any): req is IncomingMessage => {\n return !!(\n req &&\n typeof req === 'object' &&\n 'headers' in req &&\n !('bodyUsed' in req) &&\n typeof req.on === 'function'\n );\n};\n\nexport const isNodeResponse = (res: any): res is ServerResponse => {\n return !!(\n res &&\n typeof res === 'object' &&\n 'setHeader' in res &&\n typeof res.setHeader === 'function' &&\n 'end' in res &&\n typeof res.end === 'function'\n );\n};\n\nexport const getNextRequest = (req: Request \| NextRequest): NextRequest => {\n if (req instanceof NextRequest) {\n return req;\n }\n\n return new NextRequest(req.url, {\n method: req.method,\n headers: req.headers,\n body: req.body,\n / v8 ignore next -- @preserve /\n duplex: (req as any).duplex ?? 'half',\n });\n};\n\nexport const getNextResponse = (\n res: Response \| NextResponse \| AppRouterContext\n): NextResponse => {\n if (res instanceof NextResponse) {\n return res;\n }\n\n if (res instanceof Response) {\n const nextResponse = new NextResponse(res.body, {\n status: res.status,\n statusText: res.statusText,\n headers: res.headers,\n url: res.url,\n });\n\n try {\n / v8 ignore else -- @preserve /\n if (!isPresent(nextResponse.url)) {\n (nextResponse as any).url = res.url;\n }\n } catch {\n // ignore\n }\n\n return nextResponse;\n }\n\n return new NextResponse();\n};\n\nexport const getMonoCloudCookieReqRes = (\n req: unknown,\n resOrCtx: unknown\n): {\n request: IMonoCloudCookieRequest;\n response: IMonoCloudCookieResponse;\n} => {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (isAppRouter(req)) {\n request = new MonoCloudAppRouterRequest(getNextRequest(req as Request));\n\n response =\n resOrCtx instanceof Response\n ? new MonoCloudAppRouterResponse(getNextResponse(resOrCtx))\n : new MonoCloudCookieResponse();\n } else {\n if (!isNodeRequest(req) \|\| !isNodeResponse(resOrCtx)) {\n throw new MonoCloudValidationError(\n 'Invalid pages router request and response'\n );\n }\n request = new MonoCloudPageRouterRequest(req as NextApiRequest);\n response = new MonoCloudPageRouterResponse(resOrCtx as NextApiResponse);\n }\n\n return { request, response };\n};\n\nexport const mergeResponse = (responses: NextResponse[]): NextResponse => {\n const resp = responses.pop();\n\n if (!resp) {\n return new NextResponse();\n }\n\n responses.forEach(response => {\n response.headers.forEach((v, k) => {\n if ((k === 'location' && !resp.headers.has(k)) \|\| k !== 'location') {\n resp.headers.set(k, v);\n }\n });\n\n response.cookies.getAll().forEach(c => {\n const { name, value, ...cookieOpt } = c;\n resp.cookies.set(name, value, cookieOpt);\n });\n });\n\n return resp;\n};\n","/ eslint-disable import/extensions /\n/ eslint-disable @typescript-eslint/no-non-null-assertion /\nimport {\n NextFetchEvent,\n NextRequest,\n NextResponse,\n NextMiddleware,\n NextProxy,\n} from 'next/server.js';\nimport type {\n NextApiHandler,\n NextApiRequest,\n NextApiResponse,\n} from 'next/types';\nimport {\n ensureLeadingSlash,\n isAbsoluteUrl,\n} from '@monocloud/auth-node-core/internal';\nimport { isUserInGroup } from '@monocloud/auth-node-core/utils';\nimport type {\n GetTokensOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudOptions,\n MonoCloudRequest,\n MonoCloudResponse,\n MonoCloudTokens,\n MonoCloudSession,\n OnError,\n} from '@monocloud/auth-node-core';\nimport {\n MonoCloudCoreClient,\n MonoCloudValidationError,\n MonoCloudOidcClient,\n} from '@monocloud/auth-node-core';\nimport {\n AppRouterApiHandlerFn,\n AppRouterContext,\n AppRouterPageHandler,\n IsUserInGroupOptions,\n MonoCloudAuthHandler,\n MonoCloudAuthOptions,\n MonoCloudMiddlewareOptions,\n NextMiddlewareResult,\n ProtectApiAppOptions,\n ProtectApiPageOptions,\n ProtectAppPageOptions,\n ProtectedAppServerComponent,\n ProtectOptions,\n ProtectPagePageOptions,\n ProtectPagePageReturnType,\n RedirectToSignInOptions,\n RedirectToSignOutOptions,\n} from './types';\nimport {\n getMonoCloudCookieReqRes,\n getNextRequest,\n getNextResponse,\n isAppRouter,\n isMonoCloudRequest,\n isMonoCloudResponse,\n mergeResponse,\n isNodeRequest,\n isNodeResponse,\n} from './utils';\nimport MonoCloudCookieRequest from './requests/monocloud-cookie-request';\nimport MonoCloudCookieResponse from './responses/monocloud-cookie-response';\nimport MonoCloudAppRouterRequest from './requests/monocloud-app-router-request';\nimport MonoCloudAppRouterResponse from './responses/monocloud-app-router-response';\nimport { JSX } from 'react';\nimport { ParsedUrlQuery } from 'node:querystring';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport MonoCloudPageRouterRequest from './requests/monocloud-page-router-request';\nimport MonoCloudPageRouterResponse from './responses/monocloud-page-router-response';\n\n/\n The MonoCloud Next.js Client.\n \n @example Using Environment Variables (Recommended)\n \n 1. Add following variables to your `.env`.\n \n ```bash\n * MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>\n * MONOCLOUD_AUTH_CLIENT_ID=<client-id>\n * MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>\n * MONOCLOUD_AUTH_SCOPES=openid profile email # Default\n * MONOCLOUD_AUTH_APP_URL=http://localhost:3000\n * MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>\n * ```\n \n 2. Instantiate the client in a shared file (e.g., lib/monocloud.ts)\n \n ```typescript\n * import { MonoCloudNextClient } from '@monocloud/auth-nextjs';\n \n export const monoCloud = new MonoCloudNextClient();\n * ```\n \n 3. Add MonoCloud middleware/proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware();\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Using Constructor Options\n \n ⚠️ Security Note: Never commit your credentials to version control. Load them from environment variables.\n \n 1. Instantiate the client in a shared file (e.g., lib/monocloud.ts)\n \n ```typescript\n * import { MonoCloudNextClient } from '@monocloud/auth-nextjs';\n \n export const monoCloud = new MonoCloudNextClient({\n * tenantDomain: '<tenant-domain>',\n * clientId: '<client-id>',\n * clientSecret: '<client-secret>',\n * scopes: 'openid profile email', // Default\n * appUrl: 'http://localhost:3000',\n * cookieSecret: '<cookie-secret>'\n * });\n * ```\n * 2. Add MonoCloud middleware/proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware();\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n <details>\n * <summary>All Environment Variables</summary>\n * <h4>Core Configuration (Required)</h4>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_CLIENT_ID : </strong>Unique identifier for your application/client.</li>\n * <li><strong>MONOCLOUD_AUTH_CLIENT_SECRET : </strong>Application/client secret.</li>\n * <li><strong>MONOCLOUD_AUTH_TENANT_DOMAIN : </strong>The domain of your MonoCloud tenant (e.g., https://your-tenant.us.monocloud.com).</li>\n * <li><strong>MONOCLOUD_AUTH_APP_URL : </strong>The base URL where your application is hosted.</li>\n * <li><strong>MONOCLOUD_AUTH_COOKIE_SECRET : </strong>A long, random string used to encrypt and sign session cookies.</li>\n * </ul>\n \n <h4>Authentication & Security</h4>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_SCOPES : </strong>A space-separated list of OIDC scopes to request (e.g., openid profile email).</li>\n * <li><strong>MONOCLOUD_AUTH_RESOURCE : </strong>The default resource/audience identifier for access tokens.</li>\n * <li><strong>MONOCLOUD_AUTH_USE_PAR : </strong>Enables Pushed Authorization Requests.</li>\n * <li><strong>MONOCLOUD_AUTH_CLOCK_SKEW : </strong>The allowed clock drift in seconds when validating token timestamps.</li>\n * <li><strong>MONOCLOUD_AUTH_FEDERATED_SIGNOUT : </strong>If true, signs the user out of MonoCloud (SSO sign-out) when they sign out of the app.</li>\n * <li><strong>MONOCLOUD_AUTH_RESPONSE_TIMEOUT : </strong>The maximum time in milliseconds to wait for a response.</li>\n * <li><strong>MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES : </strong>Allows dynamic overrides of auth parameters via URL query strings.</li>\n * <li><strong>MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI : </strong>The URL users are sent to after a successful logout.</li>\n * <li><strong>MONOCLOUD_AUTH_USER_INFO : </strong>Determines if user profile data from the UserInfo endpoint should be fetched after authorization code exchange.</li>\n * <li><strong>MONOCLOUD_AUTH_REFETCH_USER_INFO : </strong>If true, re-fetches user information on every request to userinfo endpoint or when calling getTokens()</li>\n * <li><strong>MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG : </strong>The expected algorithm for signing ID tokens (e.g., RS256).</li>\n * <li><strong>MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS : </strong>A space-separated list of claims to exclude from the session object.</li>\n * </ul>\n \n <h4>Routes</h4>\n \n <aside>\n * <strong>⚠️ Important: Modifying Default Routes</strong>\n * <p>If you choose to customize any of the default route paths, you must adhere to the following requirements:</p>\n * <ul>\n * <li>\n * <strong>Client-Side Synchronization:</strong> You must also define a corresponding <code>NEXT_PUBLIC_</code> version of the environment variable (e.g., <code>NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL</code>). This ensures that client-side components like <code><SignIn /></code>, <code><SignOut /></code>, and the <code>useAuth()</code> hook can correctly identify your custom endpoints.\n * </li>\n * <li>\n * <strong>Dashboard Configuration:</strong> Changing these URLs will alter the endpoints required by MonoCloud. You must update the <strong>Application URLs</strong> section in your MonoCloud Dashboard to match these new paths.\n * </li>\n * </ul>\n * <p><em>Example:</em></p>\n * <code>\n * MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback<br />\n * NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback\n * </code>\n * <p>In this case, the Redirect URI in your dashboard should be set to: <code>http://localhost:3000/api/custom_callback</code> (assuming local development).</p>\n * </aside>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_CALLBACK_URL : </strong>The application path where MonoCloud sends the user after authentication.</li>\n * <li><strong>MONOCLOUD_AUTH_SIGNIN_URL : </strong>The internal route path to trigger the sign-in.</li>\n * <li><strong>MONOCLOUD_AUTH_SIGNOUT_URL : </strong>The internal route path to trigger the sign-out.</li>\n * <li><strong>MONOCLOUD_AUTH_USER_INFO_URL : </strong>The route that exposes the current user's profile from userinfo endpoint.</li>\n * </ul>\n \n <h4>Session Cookie Settings</h4>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_NAME : </strong>The name of the cookie used to store the user session.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PATH : </strong>The scope path for the session cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN : </strong>The domain scope for the session cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY : </strong>Prevents client-side scripts from accessing the session cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SECURE : </strong>Ensures the session cookie is only sent over HTTPS.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE : </strong>The SameSite policy for the session cookie (Lax, Strict, or None).</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT : </strong>If true, the session survives browser restarts.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_SLIDING : </strong>If true, the session will be a sliding session instead of absolute.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_DURATION : </strong>The session lifetime in seconds.</li>\n * <li><strong>MONOCLOUD_AUTH_SESSION_MAX_DURATION : </strong>The absolute maximum lifetime of a session in seconds.</li>\n * </ul>\n \n <h4>State Cookie Settings</h4>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_NAME : </strong>The name of the cookie used to store OpenID state/nonce.</li>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PATH : </strong>The scope path for the state cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN : </strong>The domain scope for the state cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SECURE : </strong>Ensures the state cookie is only sent over HTTPS</li>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE : </strong>The SameSite policy for the state cookie.</li>\n * <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT : </strong>Whether the state cookie is persistent.</li>\n * </ul>\n \n <h4>Caching</h4>\n \n <ul>\n * <li><strong>MONOCLOUD_AUTH_JWKS_CACHE_DURATION : </strong>Duration in seconds to cache the JSON Web Key Set.</li>\n * <li><strong>MONOCLOUD_AUTH_METADATA_CACHE_DURATION : </strong>Duration in seconds to cache the OpenID discovery metadata.</li>\n * </ul>\n * </details>\n \n \n /\nexport class MonoCloudNextClient {\n /\n The underlying MonoCloud Node Core Client instance.\n \n This property exposes the framework-agnostic node core client used by the Next.js client.\n * You can access this to use low-level methods not directly exposed by the Next.js wrapper.\n \n @example Manually destroy session\n * ```typescript\n * // req and res must implement IMonoCloudCookieRequest/Response\n * await monoCloud.coreClient.destroySession(request, response);\n * ```\n /\n public readonly coreClient: MonoCloudCoreClient;\n\n /\n The underlying OIDC client instance used for low-level OpenID Connect operations.\n \n @example\n * // Manually revoke an access token\n * await client.oidcClient.revokeToken(accessToken, 'access_token');\n /\n public get oidcClient(): MonoCloudOidcClient {\n return this.coreClient.oidcClient;\n }\n\n /\n @param options Configuration options including domain, client ID, and secret.\n /\n constructor(options?: MonoCloudOptions) {\n const opt = {\n ...(options ?? {}),\n userAgent: options?.userAgent ?? `${SDK_NAME}@${SDK_VERSION}`,\n debugger: options?.debugger ?? SDK_DEBUGGER_NAME,\n };\n\n this.registerPublicEnvVariables();\n this.coreClient = new MonoCloudCoreClient(opt);\n }\n\n /\n Creates a Next.js API route handler (for both Pages Router and App Router)\n * that processes all MonoCloud authentication endpoints\n * (`/signin`, `/callback`, `/userinfo`, `/signout`).\n \n @param options Authentication configuration routes.\n \n Note: If you are already using `authMiddleware()`, you typically do not\n * need this API route handler. This function is intended for applications where\n * middleware cannot be used—such as statically generated (SSG) deployments that still\n * require server-side authentication flows.\n \n @example App Router\n \n ```typescript\n * // app/api/auth/[...monocloud]/route.ts\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = monoCloud.monoCloudAuth();\n ```\n \n * @example App Router with Response\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = (req: NextRequest) => {\n * const authHandler = monoCloud.monoCloudAuth();\n \n const res = new NextResponse();\n \n res.cookies.set(\"last_auth_requested\", `${Date.now()}`);\n \n return authHandler(req, res);\n * };\n * ```\n \n @example Pages Router\n \n ```typescript\n * // pages/api/auth/[...monocloud].ts\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.monoCloudAuth();\n ```\n \n * @example Page Router with Response\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default function handler(req: NextApiRequest, res: NextApiResponse) {\n * const authHandler = monoCloud.monoCloudAuth();\n \n res.setHeader(\"last_auth_requested\", `${Date.now()}`);\n \n return authHandler(req, res);\n * }\n * ```\n \n /\n public monoCloudAuth(options?: MonoCloudAuthOptions): MonoCloudAuthHandler {\n return (req, resOrCtx) => {\n const { routes, appUrl } = this.getOptions();\n\n let { url = '' } = req;\n\n if (!isAbsoluteUrl(url)) {\n url = new URL(url, appUrl).toString();\n }\n\n const route = new URL(url);\n\n let onError;\n if (typeof options?.onError === 'function') {\n onError = (\n error: Error\n ): void \| NextResponse \| Promise<void \| NextResponse<unknown>> =>\n options.onError!(req as any, resOrCtx as any, error);\n }\n\n let request: MonoCloudRequest;\n let response: MonoCloudResponse;\n\n if (isAppRouter(req)) {\n request = new MonoCloudAppRouterRequest(getNextRequest(req as Request));\n response = new MonoCloudAppRouterResponse(\n getNextResponse(resOrCtx as Response)\n );\n } else {\n request = new MonoCloudPageRouterRequest(req as NextApiRequest);\n response = new MonoCloudPageRouterResponse(resOrCtx as NextApiResponse);\n }\n\n return this.handleAuthRoutes(\n request,\n response,\n route.pathname,\n routes,\n onError\n );\n };\n }\n\n /*\n \n * ## App Router\n \n Restricts access to server-rendered pages in your Next.js App Router application, ensures that only authenticated (and optionally authorized) users can view the page.\n \n *Note⚠️ - When using groups to protect a page, 'Access Denied' is rendered by default when the user does not belong to the groups.\n To display a custom component, pass the `onGroupAccessDenied` parameter.*\n \n * @param component The App Router server component that protectPage wraps and secures\n * @param options App Router `protectPage()` configuration options\n \n @returns A protected page handler.\n \n @example\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.protectPage(async function Home({ user }) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * });\n * ```\n \n @example App Router with options\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.protectPage(\n * async function Home({ user }) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * },\n * {\n * returnUrl: \"/dashboard\",\n * groups: [\"admin\"],\n * }\n * );\n * ```\n /\n protectPage(\n component: ProtectedAppServerComponent,\n options?: ProtectAppPageOptions\n ): AppRouterPageHandler;\n\n /\n ## Pages Router\n \n Restricts access to server-rendered pages in your Next.js Pages Router application, ensures that only authenticated (and optionally authorized) users can view the page.\n \n *Note⚠️ - When using groups to protect a page, the page will be rendered even if the user does not belong to the groups.\n You should check the props for `groupAccessDenied` boolean value to determine whether the user is\n * allowed to access the page. Alternatively, you can pass `onGroupAccessDenied` parameter to return custom props.*\n \n * @param options Pages Router `protectPage()` configuration options\n \n @typeParam P - The type of parameters accepted by the page handler.\n * @typeParam Q - The type of query parameters parsed from the URL.\n \n @returns A protected page handler.\n \n @example\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { InferGetServerSidePropsType } from \"next\";\n \n export default function Home({\n * user,\n * }: InferGetServerSidePropsType<typeof getServerSideProps>) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * }\n \n export const getServerSideProps = monoCloud.protectPage();\n * ```\n \n @example Pages Router with options\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { GetServerSidePropsContext, InferGetServerSidePropsType } from \"next\";\n \n export default function Home({\n * user,\n * url,\n * }: InferGetServerSidePropsType<typeof getServerSideProps>) {\n * console.log(url);\n * return <div>Hi {user?.email}. You accessed a protected page.</div>;\n * }\n \n export const getServerSideProps = monoCloud.protectPage({\n * returnUrl: \"/dashboard\",\n * groups: [\"admin\"],\n * getServerSideProps: async (context: GetServerSidePropsContext) => ({\n * props: { url: context.resolvedUrl },\n * }),\n * });\n * ```\n /\n protectPage<\n P extends Record<string, any> = Record<string, any>,\n Q extends ParsedUrlQuery = ParsedUrlQuery,\n >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q>;\n\n public protectPage(...args: unknown[]): any {\n if (typeof args[0] === 'function') {\n return this.protectAppPage(\n args[0] as AppRouterPageHandler,\n args[1] as ProtectAppPageOptions\n ) as any;\n }\n\n return this.protectPagePage(\n args[0] as ProtectPagePageOptions\n ) as ProtectPagePageReturnType<any, any>;\n }\n\n private protectAppPage(\n component: ProtectedAppServerComponent,\n options?: ProtectAppPageOptions\n ): AppRouterPageHandler {\n return async params => {\n const session = await this.getSession();\n\n if (!session) {\n if (options?.onAccessDenied) {\n return options.onAccessDenied({ ...params });\n }\n\n const { routes, appUrl } = this.getOptions();\n\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n const path = (await headers()).get('x-monocloud-path');\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n options?.returnUrl ?? path ?? '/'\n );\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.acrValues) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set(\n 'ui_locales',\n options.authParams.uiLocales\n );\n }\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set(\n 'login_hint',\n options.authParams.loginHint\n );\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n return redirect(signInRoute.toString());\n }\n\n if (\n options?.groups &&\n !isUserInGroup(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n return options.onGroupAccessDenied({\n ...params,\n user: session.user,\n });\n }\n\n return 'Access Denied' as unknown as JSX.Element;\n }\n\n return component({ ...params, user: session.user });\n };\n }\n\n private protectPagePage<\n P extends Record<string, any> = Record<string, any>,\n Q extends ParsedUrlQuery = ParsedUrlQuery,\n >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q> {\n return async context => {\n const session = await this.getSession(\n context.req as any,\n context.res as any\n );\n\n if (!session) {\n if (options?.onAccessDenied) {\n const customProps: any = await options.onAccessDenied({\n ...context,\n });\n\n const props = {\n ...(customProps ?? {}),\n props: { ...(customProps?.props ?? {}) },\n };\n\n return props;\n }\n\n const { routes, appUrl } = this.getOptions();\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n options?.returnUrl ?? context.resolvedUrl\n );\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.acrValues) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set(\n 'ui_locales',\n options.authParams.uiLocales\n );\n }\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set(\n 'login_hint',\n options.authParams.loginHint\n );\n }\n\n return {\n redirect: {\n destination: signInRoute.toString(),\n permanent: false,\n },\n };\n }\n\n if (\n options?.groups &&\n !isUserInGroup(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n const customProps: any = (await options.onGroupAccessDenied?.({\n ...context,\n user: session.user,\n })) ?? { props: { groupAccessDenied: true } };\n\n const props = {\n ...customProps,\n props: { ...(customProps.props ?? {}) },\n };\n\n return props;\n }\n\n const customProps: any = options?.getServerSideProps\n ? await options.getServerSideProps(context)\n : {};\n\n const promiseProp = customProps.props;\n\n if (promiseProp instanceof Promise) {\n return {\n ...customProps,\n props: promiseProp.then((props: any) => ({\n user: session.user,\n ...props,\n })),\n };\n }\n\n return {\n ...customProps,\n props: { user: session.user, ...customProps.props },\n };\n };\n }\n\n /\n ## App Router\n \n Secures Next.js App Router APIs. It ensures only authenticated (and optionally authorized) requests can access the route.\n \n @param handler The api route handler function to protect\n * @param options App Router `protectApi()` configuration options\n \n @returns Protected route handler\n \n @example\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = monoCloud.protectApi(async () => {\n * return NextResponse.json({\n * message: \"You accessed a protected endpoint\",\n * });\n * });\n * ```\n /\n protectApi(\n handler: AppRouterApiHandlerFn,\n options?: ProtectApiAppOptions\n ): AppRouterApiHandlerFn;\n\n /\n ## Pages Router\n \n Secures Next.js Pages Router APIs. It ensures only authenticated (and optionally authorized) requests can access the route.\n \n @param handler The api route handler function to protect\n * @param options Pages Router `protectApi()` configuration options\n \n @returns Protected route handler\n \n @example\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default monoCloud.protectApi(\n * async (req: NextApiRequest, res: NextApiResponse) => {\n * return res.json({\n * message: \"You accessed a protected endpoint\",\n * });\n * }\n * );\n * ```\n /\n protectApi(\n handler: NextApiHandler,\n options?: ProtectApiPageOptions\n ): NextApiHandler;\n\n public protectApi(\n handler: AppRouterApiHandlerFn \| NextApiHandler,\n options?: ProtectApiAppOptions \| ProtectApiPageOptions\n ): AppRouterApiHandlerFn \| NextApiHandler {\n return (\n req: NextRequest \| NextApiRequest,\n resOrCtx: AppRouterContext \| NextApiResponse\n ) => {\n if (isAppRouter(req)) {\n return this.protectAppApi(\n req as NextRequest,\n resOrCtx as AppRouterContext,\n handler as AppRouterApiHandlerFn,\n options as ProtectApiAppOptions\n );\n }\n return this.protectPageApi(\n req as NextApiRequest,\n resOrCtx as NextApiResponse,\n handler as NextApiHandler,\n options as ProtectApiPageOptions\n );\n };\n }\n\n private async protectAppApi(\n req: NextRequest,\n ctx: AppRouterContext,\n handler: AppRouterApiHandlerFn,\n options?: ProtectApiAppOptions\n ): Promise<NextResponse> {\n const res = new NextResponse();\n\n const session = await this.getSession(req, res);\n\n if (!session) {\n if (options?.onAccessDenied) {\n const result = await options.onAccessDenied(req, ctx);\n\n if (result instanceof NextResponse) {\n return mergeResponse([res, result]);\n }\n\n return mergeResponse([res, new NextResponse(result.body, result)]);\n }\n\n return mergeResponse([\n res,\n NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n ]);\n }\n\n if (\n options?.groups &&\n !isUserInGroup(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n const result = await options.onGroupAccessDenied(\n req,\n ctx,\n session.user\n );\n\n if (result instanceof NextResponse) {\n return mergeResponse([res, result]);\n }\n\n return mergeResponse([res, new NextResponse(result.body, result)]);\n }\n\n return mergeResponse([\n res,\n NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n ]);\n }\n\n const resp = await handler(req, ctx);\n\n if (resp instanceof NextResponse) {\n return mergeResponse([res, resp]);\n }\n\n return mergeResponse([res, new NextResponse(resp.body, resp)]);\n }\n\n private async protectPageApi(\n req: NextApiRequest,\n res: NextApiResponse,\n handler: NextApiHandler,\n options?: ProtectApiPageOptions\n ): Promise<unknown> {\n const session = await this.getSession(req, res);\n\n if (!session) {\n if (options?.onAccessDenied) {\n return options.onAccessDenied(req, res);\n }\n\n return res.status(401).json({\n message: 'unauthorized',\n });\n }\n\n if (\n options?.groups &&\n !isUserInGroup(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n return options.onGroupAccessDenied(req, res, session.user);\n }\n\n return res.status(403).json({\n message: 'forbidden',\n });\n }\n\n return handler(req, res);\n }\n\n /\n A middleware/proxy that protects pages and APIs and handles authentication.\n \n @param options Middleware configuration options\n \n @returns A Next.js middleware/proxy function.\n \n @example Protect All Routes\n \n - Default behavior: protect all routes matched by `config.matcher`\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware();\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Protect Selected Routes\n \n - Protect only the routes listed in `protectedRoutes`\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware({\n * protectedRoutes: [\"/api/admin\", \"^/api/protected(/.)?$\"],\n });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n ```\n \n * @example Make All Routes Public\n \n - Do not protect any routes; MonoCloud still handles auth endpoints\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware({\n * protectedRoutes: [],\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Protect Routes Dynamically\n \n - Decide at runtime which routes to protect\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware({\n * protectedRoutes: (req) => {\n * return req.nextUrl.pathname.startsWith(\"/api/protected\");\n * },\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Protect routes based on groups\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default monoCloud.authMiddleware({\n * // group names or IDs\n * protectedRoutes: [\n * {\n * groups: [\"admin\", \"editor\", \"537e7c3d-a442-4b5b-b308-30837aa045a4\"],\n * routes: [\"/internal\", \"/api/internal(.)\"],\n },\n * ],\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n /\n authMiddleware(\n options?: MonoCloudMiddlewareOptions\n ): NextMiddleware \| NextProxy;\n\n /*\n A middleware that protects pages and APIs and handles authentication.\n \n @param request The Next.js fetch event object.\n * @param event The associated fetch event [Docs](https://nextjs.org/docs/app/api-reference/file-conventions/proxy#waituntil-and-nextfetchevent).\n \n @returns A promise resolving to a Next.js middleware result or a Next.js middleware result.\n \n @example Nest Custom Middleware\n \n - Use your own middleware wrapper and call MonoCloud only for specific routes\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextFetchEvent, NextRequest, NextResponse } from \"next/server\";\n \n export default function customMiddleware(req: NextRequest, evt: NextFetchEvent) {\n * if (req.nextUrl.pathname.startsWith(\"/api/protected\")) {\n * return monoCloud.authMiddleware(req, evt);\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n /\n authMiddleware(\n request: NextRequest,\n event: NextFetchEvent\n ): Promise<NextMiddlewareResult> \| NextMiddlewareResult;\n\n public authMiddleware(\n ...args: unknown[]\n ):\n \| NextMiddleware\n \| NextProxy\n \| Promise<NextMiddlewareResult>\n \| NextMiddlewareResult {\n let req: NextRequest \| undefined;\n let evt: NextFetchEvent \| undefined;\n let options: MonoCloudMiddlewareOptions \| undefined;\n\n /* v8 ignore else -- @preserve /\n if (Array.isArray(args)) {\n if (args.length === 2) {\n / v8 ignore else -- @preserve /\n if (isAppRouter(args[0])) {\n req = args[0] as NextRequest;\n evt = args[1] as NextFetchEvent;\n }\n }\n\n if (args.length === 1) {\n options = args[0] as MonoCloudMiddlewareOptions;\n }\n }\n\n if (req && evt) {\n return this.authMiddlewareHandler(req, evt, options) as any;\n }\n\n return (request: NextRequest, nxtEvt: NextFetchEvent) => {\n return this.authMiddlewareHandler(request, nxtEvt, options);\n };\n }\n\n private async authMiddlewareHandler(\n req: NextRequest,\n evt: NextFetchEvent,\n options?: MonoCloudMiddlewareOptions\n ): Promise<NextMiddlewareResult> {\n // eslint-disable-next-line no-param-reassign\n req = getNextRequest(req);\n\n if (req.headers.has('x-middleware-subrequest')) {\n return NextResponse.json({ message: 'forbidden' }, { status: 403 });\n }\n\n const { routes, appUrl } = this.getOptions();\n\n if (\n Object.values(routes!)\n .map(x => ensureLeadingSlash(x))\n .includes(req.nextUrl.pathname)\n ) {\n let onError;\n if (typeof options?.onError === 'function') {\n onError = (\n error: Error\n ):\n \| Promise<void \| NextResponse<unknown>>\n \| void\n \| NextResponse<unknown> => options.onError!(req, evt, error);\n }\n\n const request = new MonoCloudAppRouterRequest(req);\n const response = new MonoCloudAppRouterResponse(new NextResponse());\n\n return this.handleAuthRoutes(\n request,\n response,\n req.nextUrl.pathname,\n routes,\n onError\n );\n }\n\n const nxtResp = new NextResponse();\n\n nxtResp.headers.set(\n 'x-monocloud-path',\n req.nextUrl.pathname + req.nextUrl.search\n );\n\n let isRouteProtected = true;\n let allowedGroups: string[] \| undefined;\n\n if (typeof options?.protectedRoutes === 'function') {\n isRouteProtected = await options.protectedRoutes(req);\n } else if (\n typeof options?.protectedRoutes !== 'undefined' &&\n Array.isArray(options.protectedRoutes)\n ) {\n isRouteProtected = options.protectedRoutes.some(route => {\n if (typeof route === 'string' \|\| route instanceof RegExp) {\n return new RegExp(route).test(req.nextUrl.pathname);\n }\n\n return route.routes.some(groupRoute => {\n const result = new RegExp(groupRoute).test(req.nextUrl.pathname);\n\n if (result) {\n allowedGroups = route.groups;\n }\n\n return result;\n });\n });\n }\n\n if (!isRouteProtected) {\n return NextResponse.next({\n headers: {\n 'x-monocloud-path': req.nextUrl.pathname + req.nextUrl.search,\n },\n });\n }\n\n const session = await this.getSession(req, nxtResp);\n\n if (!session) {\n if (options?.onAccessDenied) {\n const result = await options.onAccessDenied(req, evt);\n\n if (result instanceof NextResponse) {\n return mergeResponse([nxtResp, result]);\n }\n\n if (result) {\n return mergeResponse([\n nxtResp,\n new NextResponse(result.body, result),\n ]);\n }\n\n return NextResponse.next(nxtResp);\n }\n\n if (req.nextUrl.pathname.startsWith('/api')) {\n return mergeResponse([\n nxtResp,\n NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n ]);\n }\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n req.nextUrl.pathname + req.nextUrl.search\n );\n\n return mergeResponse([nxtResp, NextResponse.redirect(signInRoute)]);\n }\n\n const groupsClaim =\n options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;\n\n if (\n allowedGroups &&\n !isUserInGroup(session.user, allowedGroups, groupsClaim)\n ) {\n if (options?.onGroupAccessDenied) {\n const result = await options.onGroupAccessDenied(\n req,\n evt,\n session.user\n );\n\n if (result instanceof NextResponse) {\n return mergeResponse([nxtResp, result]);\n }\n\n if (result) {\n return mergeResponse([\n nxtResp,\n new NextResponse(result.body, result),\n ]);\n }\n\n return NextResponse.next(nxtResp);\n }\n\n if (req.nextUrl.pathname.startsWith('/api')) {\n return mergeResponse([\n nxtResp,\n NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n ]);\n }\n\n return new NextResponse(`forbidden`, {\n status: 403,\n });\n }\n\n return NextResponse.next(nxtResp);\n }\n\n private handleAuthRoutes(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n path: string,\n routes: MonoCloudOptions['routes'],\n onError?: OnError\n ): Promise<any> {\n switch (path) {\n case ensureLeadingSlash(routes!.signIn):\n return this.coreClient.signIn(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.callback):\n return this.coreClient.callback(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.userInfo):\n return this.coreClient.userInfo(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.signOut):\n return this.coreClient.signOut(request, response, {\n onError,\n });\n\n default:\n response.notFound();\n return response.done();\n }\n }\n\n /\n ## SSR Components, Actions, Middleware or API Handlers\n \n Retrieves the session object for the currently authenticated user on the server.\n \n Use Case:\n * - App Router Server Components (RSC).\n * - Server Actions\n * - Route Handlers (App Router only).\n * - Middleware (App Router and Pages Router).\n \n Note: If the session cannot be resolved or an underlying error occurs, the promise rejects with an error.\n \n @returns `MonoCloudSession` if found, or `undefined`.\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export default async function middleware() {\n * const session = await monoCloud.getSession();\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const session = await monoCloud.getSession();\n \n return NextResponse.json({ name: session?.user.name });\n * };\n * ```\n \n @example React Server Components\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Home() {\n * const session = await monoCloud.getSession();\n \n return <div>{session?.user.name}</div>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function getUserAction() {\n * const session = await monoCloud.getSession();\n \n return { name: session?.user.name };\n * }\n * ```\n \n /\n public getSession(): Promise<MonoCloudSession \| undefined>;\n\n /*\n ## Middleware/Proxy or Route Handlers\n \n Retrieves the session object for the currently authenticated user on the server.\n \n Use Case:\n * - Middleware (for both App and Pages Router).\n * - App Router Route Handlers (API routes).\n * - Edge functions.\n \n Note: If the session cannot be resolved or an underlying error occurs, the promise rejects with an error.\n \n @param req NextRequest\n * @param res An optional `NextResponse` instance. Pass this if you have already initialized a response; otherwise, omit this parameter.\n \n @returns `MonoCloudSession` if found, or `undefined`.\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const session = await monoCloud.getSession(req);\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Middleware/Proxy (Custom Response)\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const res = NextResponse.next();\n \n const session = await monoCloud.getSession(req, res);\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n res.headers.set(\"x-auth-status\", \"active\");\n \n return res;\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example API Handler\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const session = await monoCloud.getSession(req);\n \n return NextResponse.json({ name: session?.user.name });\n * };\n * ```\n \n @example API Handler with NextResponse\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"YOUR CUSTOM RESPONSE\");\n \n const session = await monoCloud.getSession(req, res);\n \n if (session?.user) {\n * res.cookies.set(\"something\", \"important\");\n * }\n \n return res;\n * };\n * ```\n /\n public getSession(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n ): Promise<MonoCloudSession \| undefined>;\n\n /\n ## Pages Router (Node.js Runtime)\n \n Retrieves the session object for the currently authenticated user on the server.\n \n Note: If the session cannot be resolved or an underlying error occurs, the promise rejects with an error.\n \n @param req NextApiRequest\n * @param res NextApiResponse\n \n @returns `MonoCloudSession` if found, or `undefined`.\n \n @example API Handler\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n type Data = {\n * name?: string;\n * };\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse<Data>\n * ) {\n * const session = await monoCloud.getSession(req, res);\n \n res.status(200).json({ name: session?.user.name });\n * }\n * ```\n \n @example SSR Component\n \n ```typescript\n * import { monoCloud } from \"@/monocloud\";\n * import type {\n * GetServerSideProps,\n * GetServerSidePropsContext,\n * InferGetServerSidePropsType,\n * } from \"next\";\n \n type HomeProps = InferGetServerSidePropsType<typeof getServerSideProps>;\n \n export default function Home({ session }: HomeProps) {\n * return <pre>Session: {JSON.stringify(session, null, 2)}</pre>;\n * }\n \n export const getServerSideProps = (async (\n * context: GetServerSidePropsContext,\n * ) => {\n * const session = await monoCloud.getSession(\n * context.req,\n * context.res,\n * );\n \n return {\n * props: {\n * session: session ?? null,\n * },\n * };\n * }) satisfies GetServerSideProps;\n * ```\n /\n public getSession(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n ): Promise<MonoCloudSession \| undefined>;\n\n async getSession(...args: any[]): Promise<MonoCloudSession \| undefined> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n / v8 ignore next -- @preserve /\n if (!isMonoCloudRequest(request) \|\| !isMonoCloudResponse(response)) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to getSession()'\n );\n }\n\n return await this.coreClient.getSession(request, response);\n }\n\n /\n ## SSR Components, Actions, Middleware or API Handlers\n \n Retrieves the tokens for the currently signed-in user. Optionally refreshes/fetches new tokens.\n \n Use Case:\n * - App Router Server Components (RSC).\n * - Server Actions\n * - Route Handlers (App Router only).\n * - Middleware (App Router and Pages Router).\n \n @param options Configuration options for token retrieval.\n \n @returns\n \n @throws {@link MonoCloudValidationError} If session is not found\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export default async function middleware() {\n * const tokens = await monoCloud.getTokens();\n \n if (tokens.isExpired) {\n * return new NextResponse(\"Tokens expired\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const tokens = await monoCloud.getTokens();\n \n return NextResponse.json({ expired: tokens.isExpired });\n * };\n * ```\n \n @example React Server Components\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Home() {\n * const tokens = await monoCloud.getTokens();\n \n return <div>Expired: {tokens.isExpired.toString()}</div>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function getExpiredAction() {\n * const tokens = await monoCloud.getTokens();\n \n return { expired: tokens.isExpired };\n * }\n * ```\n \n @example Refresh Default Token\n \n The default token is an access token with scopes set through `MONOCLOUD_AUTH_SCOPES` or\n * `options.defaultAuthParams.scopes`, and resources set through `MONOCLOUD_AUTH_RESOURCE` or\n * `options.defaultAuthParams.resource`. This token is refreshed when calling getTokens without resource and scopes parameters.\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * // Although the token refreshes automatically upon expiration, we are manually refreshing it here.\n * const tokens = await monoCloud.getTokens({ forceRefresh: true });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @example Request new access token for resource(s)\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n The following example shows how to request a new token scoped to two non-exclusive resources.\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const tokens = await monoCloud.getTokens({\n * resource: \"https://first.example.com https://second.example.com\",\n * scopes: \"read:first read:second shared\",\n * });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @example Request an exclusive token\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const tokens = await monoCloud.getTokens({\n * resource: \"https://exclusive.example.com\",\n * scopes: \"read:exclusive shared\",\n * });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n /\n public getTokens(options?: GetTokensOptions): Promise<MonoCloudTokens>;\n\n /\n ## Middleware/Proxy or Route Handlers\n \n Retrieves the tokens for the currently signed-in user. Optionally refreshes/fetches new tokens.\n \n Use Case:\n * - Middleware (for both App and Pages Router).\n * - App Router Route Handlers (API routes).\n * - Edge functions.\n \n @param req NextRequest\n * @param options Configuration options for token retrieval.\n \n @returns\n \n @throws {@link MonoCloudValidationError} If session is not found\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const tokens = await monoCloud.getTokens(req);\n \n if (tokens.isExpired) {\n * return new NextResponse(\"Tokens expired\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const tokens = await monoCloud.getTokens(req);\n \n return NextResponse.json({ expired: tokens?.isExpired });\n * };\n * ```\n \n @example Refresh Default Token\n \n The default token is an access token with scopes set through `MONOCLOUD_AUTH_SCOPES` or\n * `options.defaultAuthParams.scopes`, and resources set through `MONOCLOUD_AUTH_RESOURCE` or\n * `options.defaultAuthParams.resource`. This token is refreshed when calling getTokens without parameters.\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * // Although the token refreshes automatically upon expiration, we are manually refreshing it here.\n * const tokens = await monoCloud.getTokens(req, { forceRefresh: true });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @example Request new access token for resource(s)\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n The following example shows how to request a new token scoped to two non-exclusive resources.\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const tokens = await monoCloud.getTokens(req, {\n * resource: \"https://first.example.com https://second.example.com\",\n * scopes: \"read:first read:second shared\",\n * });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @example Request an exclusive token\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const tokens = await monoCloud.getTokens(req, {\n * resource: \"https://exclusive.example.com\",\n * scopes: \"read:exclusive shared\",\n * });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n /\n public getTokens(\n req: NextRequest \| Request,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n /\n ## Middleware/Proxy or Route Handlers (Custom Response)\n \n Retrieves the tokens for the currently signed-in user. Optionally refreshes/fetches new tokens and updates the provided response object.\n \n Use Case:\n * - Middleware (when modifying the response).\n * - App Router Route Handlers (when a NextResponse is already initialized).\n \n @param req NextRequest\n * @param res An optional `NextResponse` instance. Pass this if you have already initialized a response and want token updates (e.g., refreshing) to be applied to it.\n * @param options Configuration options for token retrieval.\n \n @returns\n \n @throws {@link MonoCloudValidationError} If session is not found\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const res = NextResponse.next();\n \n const tokens = await monoCloud.getTokens(req, res);\n \n res.headers.set(\"x-tokens-expired\", tokens.isExpired.toString());\n \n return res;\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example API Handler with NextResponse\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Custom Body\");\n \n const tokens = await monoCloud.getTokens(req, res);\n \n if (!tokens.isExpired) {\n * res.headers.set(\"x-auth-status\", \"active\");\n * }\n \n return res;\n * };\n * ```\n \n @example Refresh Default Token\n \n The default token is an access token with scopes set through `MONOCLOUD_AUTH_SCOPES` or\n * `options.defaultAuthParams.scopes`, and resources set through `MONOCLOUD_AUTH_RESOURCE` or\n * `options.defaultAuthParams.resource`. This token is refreshed when calling getTokens without parameters.\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Custom Body\");\n \n // Although the token refreshes automatically upon expiration, we are manually refreshing it here.\n * const tokens = await monoCloud.getTokens(req, res, { forceRefresh: true });\n \n if (!tokens.isExpired) {\n * res.headers.set(\"x-auth-status\", \"active\");\n * }\n \n return res;\n * };\n * ```\n \n @example Request new access token for resource(s)\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n The following example shows how to request a new token scoped to two non-exclusive resources.\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Custom Body\");\n \n const tokens = await monoCloud.getTokens(req, res, {\n * resource: \"https://first.example.com https://second.example.com\",\n * scopes: \"read:first read:second shared\",\n * });\n \n if (!tokens.isExpired) {\n * res.headers.set(\"x-auth-status\", \"active\");\n * }\n \n return res;\n * };\n * ```\n \n @example Request an exclusive token\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Custom Body\");\n \n const tokens = await monoCloud.getTokens(req, res, {\n * resource: \"https://exclusive.example.com\",\n * scopes: \"read:exclusive shared\",\n * });\n \n if (!tokens.isExpired) {\n * res.headers.set(\"x-auth-status\", \"active\");\n * }\n \n return res;\n * };\n * ```\n /\n public getTokens(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n /\n ## Pages Router (Node.js Runtime)\n \n Retrieves the tokens for the currently signed-in user. Optionally refreshes/fetches new tokens.\n \n @param req The `NextApiRequest` or `IncomingMessage`.\n * @param res The `NextApiResponse` or `ServerResponse`.\n * @param options Configuration options for token retrieval.\n \n @returns\n \n @throws {@link MonoCloudValidationError} If session is not found\n \n @example API Route\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const tokens = await monoCloud.getTokens(req, res);\n \n res.status(200).json({ accessToken: tokens?.accessToken });\n * }\n * ```\n \n @example SSR Component\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { GetServerSideProps, InferGetServerSidePropsType } from \"next\";\n \n type HomeProps = InferGetServerSidePropsType<typeof getServerSideProps>;\n \n export default function Home({ tokens }: HomeProps) {\n * return <pre>Tokens: {JSON.stringify(tokens, null, 2)}</pre>;\n * }\n \n export const getServerSideProps: GetServerSideProps = async (context) => {\n * const tokens = await monoCloud.getTokens(context.req, context.res);\n \n return {\n * props: {\n * tokens: tokens ?? null,\n * },\n * };\n * };\n * ```\n \n @example Refresh Default Token\n \n The default token is an access token with scopes set through `MONOCLOUD_AUTH_SCOPES` or\n * `options.defaultAuthParams.scopes`, and resources set through `MONOCLOUD_AUTH_RESOURCE` or\n * `options.defaultAuthParams.resource`. This token is refreshed when calling getTokens without parameters.\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * // Although the token refreshes automatically upon expiration, we are manually refreshing it here.\n * const tokens = await monoCloud.getTokens(req, res, { forceRefresh: true });\n \n res.status(200).json({ accessToken: tokens?.accessToken });\n * }\n * ```\n \n @example Request new access token for resource(s)\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n The following example shows how to request a new token scoped to two non-exclusive resources.\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const tokens = await monoCloud.getTokens(req, res, {\n * resource: \"https://first.example.com https://second.example.com\",\n * scopes: \"read:first read:second shared\",\n * });\n \n res.status(200).json({ accessToken: tokens?.accessToken });\n * }\n * ```\n \n @example Request an exclusive token\n \n Note: Ensure that the resources and scopes are included in the initial authorization flow\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const tokens = await monoCloud.getTokens(req, res, {\n * resource: \"https://exclusive.example.com\",\n * scopes: \"read:exclusive shared\",\n * });\n \n res.status(200).json({ accessToken: tokens?.accessToken });\n * }\n * ```\n /\n public getTokens(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n async getTokens(...args: any[]): Promise<MonoCloudTokens> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n let options: GetTokensOptions \| undefined;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else if (args.length === 1) {\n if (args[0] instanceof Request) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n } else {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n options = args[0];\n }\n } else if (args.length === 2 && args[0] instanceof Request) {\n if (args[1] instanceof Response) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n\n options = args[1] as GetTokensOptions;\n }\n } else if (\n args.length === 2 &&\n isNodeRequest(args[0]) &&\n isNodeResponse(args[1])\n ) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n\n options = args[2] as GetTokensOptions;\n }\n\n if (\n !isMonoCloudRequest(request) \|\|\n !isMonoCloudResponse(response) \|\|\n (options && typeof options !== 'object')\n ) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to getTokens()'\n );\n }\n\n return await this.coreClient.getTokens(request, response, options);\n }\n\n /\n ## SSR Components, Actions, Middleware or API Handlers\n \n Checks if the current user is authenticated.\n \n Use Case:\n * - App Router Server Components (RSC).\n * - Server Actions\n * - Route Handlers (App Router only).\n * - Middleware (App Router and Pages Router).\n \n @returns `true` if the user is authenticated, otherwise `false`.\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export default async function middleware() {\n * const authenticated = await monoCloud.isAuthenticated();\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const authenticated = await monoCloud.isAuthenticated();\n \n return NextResponse.json({ authenticated });\n * };\n * ```\n \n @example React Server Components\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Home() {\n * const authenticated = await monoCloud.isAuthenticated();\n \n return <div>Authenticated: {authenticated.toString()}</div>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function checkAuthAction() {\n * const authenticated = await monoCloud.isAuthenticated();\n \n return { authenticated };\n * }\n * ```\n /\n public isAuthenticated(): Promise<boolean>;\n\n /\n ## Middleware/Proxy or Route Handlers\n \n Checks if the current user is authenticated.\n \n Use Case:\n * - Middleware (for both App and Pages Router).\n * - App Router Route Handlers (API routes).\n * - Edge functions.\n \n @param req NextRequest\n * @param res An optional `NextResponse` instance. Pass this if you have already initialized a response; otherwise, omit this parameter.\n \n @returns `true` if the user is authenticated, otherwise `false`.\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const authenticated = await monoCloud.isAuthenticated(req);\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Middleware/Proxy (Custom Response)\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const res = NextResponse.next();\n \n const authenticated = await monoCloud.isAuthenticated(req, res);\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n res.headers.set(\"x-authenticated\", \"true\");\n \n return res;\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example API Handler\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const authenticated = await monoCloud.isAuthenticated(req);\n \n return NextResponse.json({ authenticated });\n * };\n * ```\n \n @example API Handler with NextResponse\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"YOUR CUSTOM RESPONSE\");\n \n const authenticated = await monoCloud.isAuthenticated(req, res);\n \n if (authenticated) {\n * res.cookies.set(\"something\", \"important\");\n * }\n \n return res;\n * };\n * ```\n /\n public isAuthenticated(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n ): Promise<boolean>;\n\n /\n ## Pages Router (Node.js Runtime)\n \n Checks if the current user is authenticated.\n \n @param req NextApiRequest\n * @param res NextApiResponse\n \n @returns `true` if the user is authenticated, otherwise `false`.\n \n @example API Handler\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n type Data = {\n * authenticated: boolean;\n * };\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse<Data>\n * ) {\n * const authenticated = await monoCloud.isAuthenticated(req, res);\n \n res.status(200).json({ authenticated });\n * }\n * ```\n \n @example SSR Component\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { GetServerSideProps, InferGetServerSidePropsType } from \"next\";\n \n type HomeProps = InferGetServerSidePropsType<typeof getServerSideProps>;\n \n export default function Home({ authenticated }: HomeProps) {\n * return <pre>User is {authenticated ? \"logged in\" : \"guest\"}</pre>;\n * }\n \n export const getServerSideProps: GetServerSideProps = async (context) => {\n * const authenticated = await monoCloud.isAuthenticated(\n * context.req,\n * context.res\n * );\n \n return {\n * props: {\n * authenticated,\n * },\n * };\n * };\n * ```\n /\n public isAuthenticated(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n ): Promise<boolean>;\n\n async isAuthenticated(...args: any[]): Promise<boolean> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n / v8 ignore next -- @preserve /\n if (!isMonoCloudRequest(request) \|\| !isMonoCloudResponse(response)) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to isAuthenticated()'\n );\n }\n\n return await this.coreClient.isAuthenticated(request, response);\n }\n\n /\n Redirects the user to the sign-in flow if they are not authenticated.\n \n This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).\n \n @param options Options to customize the sign-in.\n \n @returns\n \n @example React Server Component\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Home() {\n * await monoCloud.protect();\n \n return <>You are signed in.</>;\n * }\n * ```\n \n @example API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * await monoCloud.protect();\n \n return NextResponse.json({ secret: \"ssshhhh!!!\" });\n * };\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function getMessage() {\n * await monoCloud.protect();\n \n return { secret: \"sssshhhhh!!!\" };\n * }\n * ```\n /\n public async protect(options?: ProtectOptions): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n let path: string;\n try {\n const session = await this.getSession();\n\n if (session && !options?.groups) {\n return;\n }\n\n if (\n session &&\n options &&\n options.groups &&\n isUserInGroup(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n return;\n }\n\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n path = (await headers()).get('x-monocloud-path') ?? '/';\n } catch {\n throw new Error(\n 'protect() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n signInRoute.searchParams.set('return_url', options?.returnUrl ?? path);\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set('ui_locales', options.authParams.uiLocales);\n }\n\n if (Array.isArray(options?.authParams?.acrValues)) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set('login_hint', options.authParams.loginHint);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signInRoute.toString());\n }\n\n /\n ## SSR Components, Actions, Middleware or API Handlers\n \n Checks if the currently authenticated user is a member of any of the specified groups.\n \n Use Case:\n * - App Router Server Components (RSC).\n * - Server Actions\n * - Route Handlers (App Router only).\n * - Middleware (App Router and Pages Router).\n \n @param groups A list of group names or IDs to check against the user's group memberships.\n * @param options Configuration options.\n \n @returns\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export default async function middleware() {\n * const isAdmin = await monoCloud.isUserInGroup([\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const allowed = await monoCloud.isUserInGroup([\"admin\", \"editor\"]);\n \n if (!allowed) {\n * return new NextResponse(\"Forbidden\", { status: 403 });\n * }\n \n return NextResponse.json({ status: \"success\" });\n * };\n * ```\n \n @example React Server Components\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function AdminPanel() {\n * const isAdmin = await monoCloud.isUserInGroup([\"admin\"]);\n \n if (!isAdmin) {\n * return <div>Access Denied</div>;\n * }\n \n return <div>Admin Control Panel</div>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function deletePostAction() {\n * const canDelete = await monoCloud.isUserInGroup([\"admin\", \"editor\"]);\n \n if (!canDelete) {\n * return { success: false };\n * }\n \n return { success: true };\n * }\n * ```\n /\n isUserInGroup(\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n ## Middleware/Proxy or Route Handlers\n \n Checks if the currently authenticated user is a member of any of the specified groups.\n \n Use Case:\n * - Middleware (for both App and Pages Router).\n * - App Router Route Handlers (API routes).\n * - Edge functions.\n \n @param req NextRequest\n * @param groups A list of group names or IDs to check against the user's group memberships.\n * @param options Configuration options.\n \n @returns\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const isAdmin = await monoCloud.isUserInGroup(req, [\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example App Router API Handler\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const isMember = await monoCloud.isUserInGroup(req, [\"admin\", \"editor\"]);\n \n return NextResponse.json({ isMember });\n * };\n * ```\n /\n isUserInGroup(\n req: NextRequest \| Request,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n ## Middleware/Proxy or Route Handlers (Custom Response)\n \n Checks if the currently authenticated user is a member of any of the specified groups.\n \n Use Case:\n * - Middleware (when modifying the response).\n * - App Router Route Handlers (when a NextResponse is already initialized).\n \n @param req NextRequest\n * @param res An optional `NextResponse` instance. Pass this if you have already initialized a response and want token updates to be applied to it.\n * @param groups A list of group names or IDs to check against the user's group memberships.\n * @param options Configuration options.\n \n @returns\n \n @example Middleware/Proxy\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function middleware(req: NextRequest) {\n * const res = NextResponse.next();\n \n const isAdmin = await monoCloud.isUserInGroup(req, res, [\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n res.headers.set(\"x-user\", \"admin\");\n \n return res;\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example API Handler with NextResponse\n \n ```typescript\n * import { NextRequest, NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Restricted Content\");\n \n const allowed = await monoCloud.isUserInGroup(req, res, [\"admin\"]);\n \n if (!allowed) {\n * return new NextResponse(\"Not Allowed\", res);\n * }\n \n return res;\n * };\n * ```\n /\n isUserInGroup(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n ## Pages Router (Node.js Runtime)\n \n Checks if the currently authenticated user is a member of any of the specified groups.\n \n @param req The `NextApiRequest` or `IncomingMessage`.\n * @param res The `NextApiResponse` or `ServerResponse`.\n * @param groups A list of group names or IDs to check against the user's group memberships.\n * @param options Configuration options.\n \n @returns\n \n @example API Route\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const isAdmin = await monoCloud.isUserInGroup(req, res, [\"admin\"]);\n \n if (!isAdmin) {\n * return res.status(403).json({ error: \"Forbidden\" });\n * }\n \n res.status(200).json({ message: \"Welcome Admin\" });\n * }\n * ```\n \n @example SSR Component\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import type { GetServerSideProps, InferGetServerSidePropsType } from \"next\";\n \n type HomeProps = InferGetServerSidePropsType<typeof getServerSideProps>;\n \n export default function Home({ isAdmin }: HomeProps) {\n * return <div>User is admin: {isAdmin.toString()}</div>;\n * }\n \n export const getServerSideProps: GetServerSideProps = async (context) => {\n * const isAdmin = await monoCloud.isUserInGroup(context.req, context.res, [\n * \"admin\",\n * ]);\n \n return {\n * props: {\n * isAdmin,\n * },\n * };\n * };\n * ```\n /\n isUserInGroup(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n public async isUserInGroup(...args: any[]): Promise<boolean> {\n let request: IMonoCloudCookieRequest \| undefined;\n let response: IMonoCloudCookieResponse \| undefined;\n let groups: string[] \| undefined;\n let options: IsUserInGroupOptions \| undefined;\n\n if (args.length === 4) {\n groups = args[2];\n options = args[3];\n\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n if (args.length === 3) {\n if (args[0] instanceof Request) {\n if (args[1] instanceof Response) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n groups = args[2];\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(\n args[0],\n undefined\n ));\n groups = args[1];\n options = args[2];\n }\n }\n\n if (isNodeRequest(args[0]) && isNodeResponse(args[1])) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n groups = args[2];\n }\n }\n\n if (args.length === 2) {\n if (args[0] instanceof Request) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n groups = args[1];\n }\n\n if (Array.isArray(args[0])) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n\n groups = args[0];\n options = args[1];\n }\n }\n\n if (args.length === 1) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n\n groups = args[0];\n }\n\n if (\n !Array.isArray(groups) \|\|\n !isMonoCloudRequest(request) \|\|\n !isMonoCloudResponse(response) \|\|\n (options && typeof options !== 'object')\n ) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to isUserInGroup()'\n );\n }\n\n const result = await this.coreClient.isUserInGroup(\n request,\n response,\n groups,\n options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options?.matchAll\n );\n\n return result;\n }\n\n /\n Redirects the user to the sign-in flow.\n \n This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).\n \n @param options Options to customize the sign-in.\n \n @returns\n \n @example React Server Component\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Home() {\n * const allowed = await monoCloud.isUserInGroup([\"admin\"]);\n \n if (!allowed) {\n * await monoCloud.redirectToSignIn({ returnUrl: \"/home\" });\n * }\n \n return <>You are signed in.</>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function protectedAction() {\n * const session = await monoCloud.getSession();\n \n if (!session) {\n * await monoCloud.redirectToSignIn();\n * }\n \n return { data: \"Sensitive Data\" };\n * }\n * ```\n \n @example API Handler\n \n ```typescript\n * import { NextResponse } from \"next/server\";\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export const GET = async () => {\n * const session = await monoCloud.getSession();\n \n if (!session) {\n * await monoCloud.redirectToSignIn({\n * returnUrl: \"/dashboard\",\n * });\n * }\n \n return NextResponse.json({ data: \"Protected content\" });\n * };\n * ```\n /\n public async redirectToSignIn(\n options?: RedirectToSignInOptions\n ): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n await headers();\n } catch {\n throw new Error(\n 'redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n if (options?.returnUrl) {\n signInRoute.searchParams.set('return_url', options.returnUrl);\n }\n\n if (options?.maxAge) {\n signInRoute.searchParams.set('max_age', options.maxAge.toString());\n }\n\n if (options?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authenticatorHint\n );\n }\n\n if (Array.isArray(options?.scopes)) {\n signInRoute.searchParams.set('scope', options.scopes.join(' '));\n }\n\n if (Array.isArray(options?.resource)) {\n signInRoute.searchParams.set('resource', options.resource.join(' '));\n }\n\n if (options?.display) {\n signInRoute.searchParams.set('display', options.display);\n }\n\n if (options?.uiLocales) {\n signInRoute.searchParams.set('ui_locales', options.uiLocales);\n }\n\n if (Array.isArray(options?.acrValues)) {\n signInRoute.searchParams.set('acr_values', options.acrValues.join(' '));\n }\n\n if (options?.loginHint) {\n signInRoute.searchParams.set('login_hint', options.loginHint);\n }\n\n if (options?.prompt) {\n signInRoute.searchParams.set('prompt', options.prompt);\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signInRoute.toString());\n }\n\n /\n Redirects the user to the sign-out flow.\n \n This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).\n \n @param options Options to customize the sign out.\n \n @returns\n \n @example React Server Component\n \n ```tsx\n * import { monoCloud } from \"@/lib/monocloud\";\n \n export default async function Page() {\n * const session = await monoCloud.getSession();\n \n // Example: Force sign-out if a specific condition is met (e.g., account suspended)\n * if (session?.user.isSuspended) {\n * await monoCloud.redirectToSignOut();\n * }\n \n return <>Welcome User</>;\n * }\n * ```\n \n @example Server Action\n \n ```typescript\n * \"use server\";\n \n import { monoCloud } from \"@/lib/monocloud\";\n \n export async function signOutAction() {\n * const session = await monoCloud.getSession();\n \n if (session) {\n * await monoCloud.redirectToSignOut();\n * }\n * }\n * ```\n \n @example API Handler\n \n ```typescript\n * import { monoCloud } from \"@/lib/monocloud\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const session = await monoCloud.getSession();\n \n if (session) {\n * await monoCloud.redirectToSignOut({\n * postLogoutRedirectUri: \"/goodbye\",\n * });\n * }\n \n return NextResponse.json({ status: \"already_signed_out\" });\n * };\n * ```\n */\n public async redirectToSignOut(\n options?: RedirectToSignOutOptions\n ): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n await headers();\n } catch {\n throw new Error(\n 'redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signOutRoute = new URL(`${appUrl}${routes.signOut}`);\n\n if (options?.postLogoutRedirectUri?.trim().length) {\n signOutRoute.searchParams.set(\n 'post_logout_url',\n options.postLogoutRedirectUri\n );\n }\n\n if (typeof options?.federated === 'boolean') {\n signOutRoute.searchParams.set('federated', options.federated.toString());\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signOutRoute.toString());\n }\n\n private getOptions(): MonoCloudOptions {\n return this.coreClient.getOptions();\n }\n\n private registerPublicEnvVariables(): void {\n Object.keys(process.env)\n .filter(key => key.startsWith('NEXT_PUBLIC_MONOCLOUD_AUTH'))\n .forEach(publicKey => {\n const [, privateKey] = publicKey.split('NEXT_PUBLIC_');\n process.env[privateKey] = process.env[publicKey];\n });\n }\n}\n"],"mappings":";;;;;;;AAIA,IAAqB,4BAArB,MAA2E;CACzE,YAAY,AAAgB,KAAkB;EAAlB;;CAE5B,SAAS,WAAkD;AAEzD,SADY,IAAI,IAAI,KAAK,IAAI,IAAI,CACtB,aAAa,IAAI,UAAU,IAAI;;CAG5C,UAAU,MAA2C;;AACnD,SAAO,QAAQ,iCAAQ,KAAK,IAAI,QAAQ,IAAI,KAAK,gFAAE,MAAM;;CAG3D,MAAM,gBAIH;AACD,SAAO;GACL,QAAQ,KAAK,IAAI;GACjB,KAAK,KAAK,IAAI;GACd,MAAM,MAAM,KAAK,IAAI,MAAM;GAC5B;;CAGH,gBAA8C;EAC5C,MAAM,yBAAS,IAAI,KAAqB;AACxC,OAAK,IAAI,QAAQ,QAAQ,CAAC,SAAQ,MAAK;AACrC,UAAO,IAAI,EAAE,MAAM,EAAE,MAAM;IAC3B;AACF,SAAO,QAAQ,QAAQ,OAAO;;;;;;AC7BlC,IAAqB,6BAArB,MAA4E;CAC1E,YAAY,AAAgB,KAAqB;EAArB;;;CAG5B,SAAS,WAAkD;AACzD,SAAO,KAAK,IAAI,MAAM;;;CAIxB,UAAU,MAA2C;AACnD,SAAO,QAAQ,QAAQ,KAAK,IAAI,QAAQ,MAAM;;;CAIhD,gBAIG;AACD,SAAO,QAAQ,QAAQ;GACrB,QAAQ,KAAK,IAAI;GACjB,KAAK,KAAK,IAAI;GACd,MAAM,KAAK,IAAI;GAChB,CAAC;;CAGJ,gBAA8C;EAC5C,MAAM,yBAAS,IAAI,KAAqB;EACxC,MAAM,EAAE,YAAY,KAAK;AACzB,SAAO,KAAK,QAAQ,CAAC,SAAQ,MAAK;GAChC,MAAM,MAAM,QAAQ;;AAEpB,OAAI,OAAO,MAAM,YAAY,OAAO,QAAQ,SAC1C,QAAO,IAAI,GAAG,IAAI;IAEpB;AACF,SAAO,QAAQ,QAAQ,OAAO;;;;;;ACjClC,IAAqB,6BAArB,MAA6E;CAC3E,YAAY,AAAO,KAAmB;EAAnB;;CAEnB,UACE,YACA,OACA,SACe;AACf,OAAK,IAAI,QAAQ,IAAI,YAAY,OAAO,QAAQ;AAChD,SAAO,QAAQ,SAAS;;CAG1B,SAAS,KAAa,aAAiC,KAAW;EAChE,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,aAAa,SAAS,KAAK;GAAE,QAAQ;GAAY;GAAS,CAAC;;CAGxE,SAAS,MAAW,YAA2B;EAC7C,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,aAAa,KAAK,MAAM;GAAE,QAAQ;GAAY;GAAS,CAAC;;;CAIrE,WAAiB;EACf,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,sBAA4B;EAC1B,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,YAAkB;EAChB,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,mBAAyB;EACvB,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,aAAmB;AACjB,OAAK,IAAI,QAAQ,IAAI,iBAAiB,oBAAoB;AAC1D,OAAK,IAAI,QAAQ,IAAI,UAAU,WAAW;;CAG5C,OAAY;AACV,SAAO,KAAK;;;;;;ACjDhB,IAAqB,8BAArB,MAA8E;CAC5E,YAAY,AAAgB,KAAsB;EAAtB;;CAE5B,UACE,YACA,OACA,SACe;EACf,IAAI,UAAU,KAAK,IAAI,UAAU,aAAa,IAAI,EAAE;;AAGpD,MAAI,CAAC,MAAM,QAAQ,QAAQ,CACzB,WAAU,CAAC,QAAkB;AAG/B,OAAK,IAAI,UAAU,cAAc,CAC/B,GAAG,QAAQ,QAAO,WAAU,CAAC,OAAO,WAAW,GAAG,WAAW,GAAG,CAAC,EACjE,UAAU,YAAY,OAAO,QAAQ,CACtC,CAAC;AAEF,SAAO,QAAQ,SAAS;;;CAI1B,SAAS,KAAa,YAA2B;AAC/C,OAAK,IAAI,SAAS,cAAc,KAAK,IAAI;;;CAI3C,SAAS,MAAW,YAA2B;AAC7C,OAAK,IAAI,OAAO,cAAc,IAAI;AAClC,OAAK,IAAI,KAAK,KAAK;;;CAIrB,WAAiB;AACf,OAAK,IAAI,OAAO,IAAI;;;CAItB,sBAA4B;AAC1B,OAAK,IAAI,OAAO,IAAI;;;CAItB,YAAkB;AAChB,OAAK,IAAI,OAAO,IAAI;;;CAItB,mBAAyB;AACvB,OAAK,IAAI,OAAO,IAAI;;;CAItB,aAAmB;AACjB,OAAK,IAAI,UAAU,iBAAiB,oBAAoB;AACxD,OAAK,IAAI,UAAU,UAAU,WAAW;;;CAI1C,OAAY;AACV,OAAK,IAAI,KAAK;;;;;;AC/DlB,IAAI,WAAW;AAEf,IAAqB,0BAArB,MAAiF;CAC/E,MAAM,UACJ,YACA,OACA,SACe;AACf,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,IAAC,MAAM,SAAS,EAAE,IAAI,YAAY,OAAO,QAAQ;WAC1C,GAAQ;AACf,OAAI,CAAC,UAAU;AACb,YAAQ,KAAK,EAAE,QAAQ;AACvB,eAAW;;;;;;;;ACpBnB,IAAqB,yBAArB,MAA+E;;CAE7E,MAAM,UAAU,MAA2C;;EAEzD,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,gCAAQ,MAAM,SAAS,EAAE,IAAI,KAAK,0EAAE;;CAGtC,MAAM,gBAA8C;EAClD,MAAM,yBAAS,IAAI,KAAqB;EAExC,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,GAAC,MAAM,SAAS,EAAE,QAAQ,CAAC,SAAS,MAAW;AAC7C,UAAO,IAAI,EAAE,MAAM,EAAE,MAAM;IAC3B;AACF,SAAO;;;;;;ACDX,MAAa,sBACX,QAEA,eAAe,6BACf,eAAe,8BACf,eAAe;AAEjB,MAAa,uBACX,QAEA,eAAe,8BACf,eAAe,+BACf,eAAe;AAEjB,MAAa,eAAe,QAC1B,eAAe,WACd,IAAgB,mBAAmB,WACpC,OAAQ,IAAgB,aAAa;AAEvC,MAAa,iBAAiB,QAAqC;AACjE,QAAO,CAAC,EACN,OACA,OAAO,QAAQ,YACf,aAAa,OACb,EAAE,cAAc,QAChB,OAAO,IAAI,OAAO;;AAItB,MAAa,kBAAkB,QAAoC;AACjE,QAAO,CAAC,EACN,OACA,OAAO,QAAQ,YACf,eAAe,OACf,OAAO,IAAI,cAAc,cACzB,SAAS,OACT,OAAO,IAAI,QAAQ;;AAIvB,MAAa,kBAAkB,QAA4C;AACzE,KAAI,eAAe,YACjB,QAAO;AAGT,QAAO,IAAI,YAAY,IAAI,KAAK;EAC9B,QAAQ,IAAI;EACZ,SAAS,IAAI;EACb,MAAM,IAAI;EAEV,QAAS,IAAY,UAAU;EAChC,CAAC;;AAGJ,MAAa,mBACX,QACiB;AACjB,KAAI,eAAe,aACjB,QAAO;AAGT,KAAI,eAAe,UAAU;EAC3B,MAAM,eAAe,IAAI,aAAa,IAAI,MAAM;GAC9C,QAAQ,IAAI;GACZ,YAAY,IAAI;GAChB,SAAS,IAAI;GACb,KAAK,IAAI;GACV,CAAC;AAEF,MAAI;;AAEF,OAAI,CAAC,UAAU,aAAa,IAAI,CAC9B,CAAC,aAAqB,MAAM,IAAI;UAE5B;AAIR,SAAO;;AAGT,QAAO,IAAI,cAAc;;AAG3B,MAAa,4BACX,KACA,aAIG;CACH,IAAI;CACJ,IAAI;AAEJ,KAAI,YAAY,IAAI,EAAE;AACpB,YAAU,IAAI,0BAA0B,eAAe,IAAe,CAAC;AAEvE,aACE,oBAAoB,WAChB,IAAI,2BAA2B,gBAAgB,SAAS,CAAC,GACzD,IAAI,yBAAyB;QAC9B;AACL,MAAI,CAAC,cAAc,IAAI,IAAI,CAAC,eAAe,SAAS,CAClD,OAAM,IAAIA,2BACR,4CACD;AAEH,YAAU,IAAI,2BAA2B,IAAsB;AAC/D,aAAW,IAAI,4BAA4B,SAA4B;;AAGzE,QAAO;EAAE;EAAS;EAAU;;AAG9B,MAAa,iBAAiB,cAA4C;CACxE,MAAM,OAAO,UAAU,KAAK;AAE5B,KAAI,CAAC,KACH,QAAO,IAAI,cAAc;AAG3B,WAAU,SAAQ,aAAY;AAC5B,WAAS,QAAQ,SAAS,GAAG,MAAM;AACjC,OAAK,MAAM,cAAc,CAAC,KAAK,QAAQ,IAAI,EAAE,IAAK,MAAM,WACtD,MAAK,QAAQ,IAAI,GAAG,EAAE;IAExB;AAEF,WAAS,QAAQ,QAAQ,CAAC,SAAQ,MAAK;GACrC,MAAM,EAAE,MAAM,OAAO,GAAG,cAAc;AACtC,QAAK,QAAQ,IAAI,MAAM,OAAO,UAAU;IACxC;GACF;AAEF,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsFT,IAAa,sBAAb,MAAiC;;;;;;;;CAsB/B,IAAW,aAAkC;AAC3C,SAAO,KAAK,WAAW;;;;;CAMzB,YAAY,SAA4B;EACtC,MAAM,MAAM;GACV,GAAI,WAAW,EAAE;GACjB,8DAAW,QAAS,cAAa;GACjC,6DAAU,QAAS;GACpB;AAED,OAAK,4BAA4B;AACjC,OAAK,aAAa,IAAI,oBAAoB,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAoEhD,AAAO,cAAc,SAAsD;AACzE,UAAQ,KAAK,aAAa;GACxB,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;GAE5C,IAAI,EAAE,MAAM,OAAO;AAEnB,OAAI,CAAC,cAAc,IAAI,CACrB,OAAM,IAAI,IAAI,KAAK,OAAO,CAAC,UAAU;GAGvC,MAAM,QAAQ,IAAI,IAAI,IAAI;GAE1B,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAEA,QAAQ,QAAS,KAAY,UAAiB,MAAM;GAGxD,IAAI;GACJ,IAAI;AAEJ,OAAI,YAAY,IAAI,EAAE;AACpB,cAAU,IAAI,0BAA0B,eAAe,IAAe,CAAC;AACvE,eAAW,IAAI,2BACb,gBAAgB,SAAqB,CACtC;UACI;AACL,cAAU,IAAI,2BAA2B,IAAsB;AAC/D,eAAW,IAAI,4BAA4B,SAA4B;;AAGzE,UAAO,KAAK,iBACV,SACA,UACA,MAAM,UACN,QACA,QACD;;;CA4GL,AAAO,YAAY,GAAG,MAAsB;AAC1C,MAAI,OAAO,KAAK,OAAO,WACrB,QAAO,KAAK,eACV,KAAK,IACL,KAAK,GACN;AAGH,SAAO,KAAK,gBACV,KAAK,GACN;;CAGH,AAAQ,eACN,WACA,SACsB;AACtB,SAAO,OAAM,WAAU;GACrB,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,eACX,QAAO,QAAQ,eAAe,EAAE,GAAG,QAAQ,CAAC;IAG9C,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAG5C,MAAM,EAAE,YAAY,MAAM,OAAO;IAEjC,MAAM,QAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB;IAEtD,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,IAC/B;AAED,yEAAI,QAAS,sFAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,0EAAI,QAAS,wFAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,0EAAI,QAAS,wFAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,0EAAI,QAAS,wFAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;IAIH,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAO,SAAS,YAAY,UAAU,CAAC;;AAGzC,0DACE,QAAS,WACT,CAAC,cACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,QAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB;KACjC,GAAG;KACH,MAAM,QAAQ;KACf,CAAC;AAGJ,WAAO;;AAGT,UAAO,UAAU;IAAE,GAAG;IAAQ,MAAM,QAAQ;IAAM,CAAC;;;CAIvD,AAAQ,gBAGN,SAAyE;AACzE,SAAO,OAAM,YAAW;GACtB,MAAM,UAAU,MAAM,KAAK,WACzB,QAAQ,KACR,QAAQ,IACT;AAED,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,gBAAgB;KAC3B,MAAM,cAAmB,MAAM,QAAQ,eAAe,EACpD,GAAG,SACJ,CAAC;AAOF,YALc;MACZ,GAAI,eAAe,EAAE;MACrB,OAAO,EAAE,8DAAI,YAAa,UAAS,EAAE,EAAG;MACzC;;IAKH,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAE5C,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,YAC/B;AAED,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,2EAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,2EAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,2EAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,WAAO,EACL,UAAU;KACR,aAAa,YAAY,UAAU;KACnC,WAAW;KACZ,EACF;;AAGH,0DACE,QAAS,WACT,CAAC,cACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;;IACA,MAAM,cAAoB,gCAAM,QAAQ,iHAAsB;KAC5D,GAAG;KACH,MAAM,QAAQ;KACf,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,MAAM,EAAE;AAO7C,WALc;KACZ,GAAG;KACH,OAAO,EAAE,GAAI,YAAY,SAAS,EAAE,EAAG;KACxC;;GAKH,MAAM,iEAAmB,QAAS,sBAC9B,MAAM,QAAQ,mBAAmB,QAAQ,GACzC,EAAE;GAEN,MAAM,cAAc,YAAY;AAEhC,OAAI,uBAAuB,QACzB,QAAO;IACL,GAAG;IACH,OAAO,YAAY,MAAM,WAAgB;KACvC,MAAM,QAAQ;KACd,GAAG;KACJ,EAAE;IACJ;AAGH,UAAO;IACL,GAAG;IACH,OAAO;KAAE,MAAM,QAAQ;KAAM,GAAG,YAAY;KAAO;IACpD;;;CA8DL,AAAO,WACL,SACA,SACwC;AACxC,UACE,KACA,aACG;AACH,OAAI,YAAY,IAAI,CAClB,QAAO,KAAK,cACV,KACA,UACA,SACA,QACD;AAEH,UAAO,KAAK,eACV,KACA,UACA,SACA,QACD;;;CAIL,MAAc,cACZ,KACA,KACA,SACA,SACuB;EACvB,MAAM,MAAM,IAAI,cAAc;EAE9B,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAO,cAAc,CAAC,KAAK,IAAI,aAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAO,cAAc,CACnB,KACA,aAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;;AAGJ,yDACE,QAAS,WACT,CAAC,cACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,qBAAqB;IAC/B,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAO,cAAc,CAAC,KAAK,IAAI,aAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAO,cAAc,CACnB,KACA,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;;EAGJ,MAAM,OAAO,MAAM,QAAQ,KAAK,IAAI;AAEpC,MAAI,gBAAgB,aAClB,QAAO,cAAc,CAAC,KAAK,KAAK,CAAC;AAGnC,SAAO,cAAc,CAAC,KAAK,IAAI,aAAa,KAAK,MAAM,KAAK,CAAC,CAAC;;CAGhE,MAAc,eACZ,KACA,KACA,SACA,SACkB;EAClB,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,eACX,QAAO,QAAQ,eAAe,KAAK,IAAI;AAGzC,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,gBACV,CAAC;;AAGJ,yDACE,QAAS,WACT,CAAC,cACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB,KAAK,KAAK,QAAQ,KAAK;AAG5D,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,aACV,CAAC;;AAGJ,SAAO,QAAQ,KAAK,IAAI;;CAkJ1B,AAAO,eACL,GAAG,MAKoB;EACvB,IAAI;EACJ,IAAI;EACJ,IAAI;;AAGJ,MAAI,MAAM,QAAQ,KAAK,EAAE;AACvB,OAAI,KAAK,WAAW,GAElB;;QAAI,YAAY,KAAK,GAAG,EAAE;AACxB,WAAM,KAAK;AACX,WAAM,KAAK;;;AAIf,OAAI,KAAK,WAAW,EAClB,WAAU,KAAK;;AAInB,MAAI,OAAO,IACT,QAAO,KAAK,sBAAsB,KAAK,KAAK,QAAQ;AAGtD,UAAQ,SAAsB,WAA2B;AACvD,UAAO,KAAK,sBAAsB,SAAS,QAAQ,QAAQ;;;CAI/D,MAAc,sBACZ,KACA,KACA,SAC+B;AAE/B,QAAM,eAAe,IAAI;AAEzB,MAAI,IAAI,QAAQ,IAAI,0BAA0B,CAC5C,QAAO,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC;EAGrE,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;AAE5C,MACE,OAAO,OAAO,OAAQ,CACnB,KAAI,MAAK,mBAAmB,EAAE,CAAC,CAC/B,SAAS,IAAI,QAAQ,SAAS,EACjC;GACA,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAI2B,QAAQ,QAAS,KAAK,KAAK,MAAM;GAGhE,MAAM,UAAU,IAAI,0BAA0B,IAAI;GAClD,MAAM,WAAW,IAAI,2BAA2B,IAAI,cAAc,CAAC;AAEnE,UAAO,KAAK,iBACV,SACA,UACA,IAAI,QAAQ,UACZ,QACA,QACD;;EAGH,MAAM,UAAU,IAAI,cAAc;AAElC,UAAQ,QAAQ,IACd,oBACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;EAED,IAAI,mBAAmB;EACvB,IAAI;AAEJ,MAAI,0DAAO,QAAS,qBAAoB,WACtC,oBAAmB,MAAM,QAAQ,gBAAgB,IAAI;WAErD,0DAAO,QAAS,qBAAoB,eACpC,MAAM,QAAQ,QAAQ,gBAAgB,CAEtC,oBAAmB,QAAQ,gBAAgB,MAAK,UAAS;AACvD,OAAI,OAAO,UAAU,YAAY,iBAAiB,OAChD,QAAO,IAAI,OAAO,MAAM,CAAC,KAAK,IAAI,QAAQ,SAAS;AAGrD,UAAO,MAAM,OAAO,MAAK,eAAc;IACrC,MAAM,SAAS,IAAI,OAAO,WAAW,CAAC,KAAK,IAAI,QAAQ,SAAS;AAEhE,QAAI,OACF,iBAAgB,MAAM;AAGxB,WAAO;KACP;IACF;AAGJ,MAAI,CAAC,iBACH,QAAO,aAAa,KAAK,EACvB,SAAS,EACP,oBAAoB,IAAI,QAAQ,WAAW,IAAI,QAAQ,QACxD,EACF,CAAC;EAGJ,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,QAAQ;AAEnD,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAO,cAAc,CACnB,SACA,IAAI,aAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAO,aAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAO,cAAc,CACnB,SACA,aAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;GAGJ,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,eAAY,aAAa,IACvB,cACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;AAED,UAAO,cAAc,CAAC,SAAS,aAAa,SAAS,YAAY,CAAC,CAAC;;EAGrE,MAAM,iEACJ,QAAS,gBAAe,QAAQ,IAAI;AAEtC,MACE,iBACA,CAAC,cAAc,QAAQ,MAAM,eAAe,YAAY,EACxD;AACA,yDAAI,QAAS,qBAAqB;IAChC,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAO,cAAc,CACnB,SACA,IAAI,aAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAO,aAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAO,cAAc,CACnB,SACA,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;AAGJ,UAAO,IAAI,aAAa,aAAa,EACnC,QAAQ,KACT,CAAC;;AAGJ,SAAO,aAAa,KAAK,QAAQ;;CAGnC,AAAQ,iBACN,SACA,UACA,MACA,QACA,SACc;AACd,UAAQ,MAAR;GACE,KAAK,mBAAmB,OAAQ,OAAO,CACrC,QAAO,KAAK,WAAW,OAAO,SAAS,UAAU,EAC/C,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,QAAQ,CACtC,QAAO,KAAK,WAAW,QAAQ,SAAS,UAAU,EAChD,SACD,CAAC;GAEJ;AACE,aAAS,UAAU;AACnB,WAAO,SAAS,MAAM;;;CAiQ5B,MAAM,WAAW,GAAG,MAAoD;EACtE,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;QAExC,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAIrE,MAAI,CAAC,mBAAmB,QAAQ,IAAI,CAAC,oBAAoB,SAAS,CAChE,OAAM,IAAIC,2BACR,4CACD;AAGH,SAAO,MAAM,KAAK,WAAW,WAAW,SAAS,SAAS;;CAogB5D,MAAM,UAAU,GAAG,MAAuC;EACxD,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;aAC/B,KAAK,WAAW,EACzB,KAAI,KAAK,cAAc,QACrB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;OAChE;AACL,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;AACxC,aAAU,KAAK;;WAER,KAAK,WAAW,KAAK,KAAK,cAAc,QACjD,KAAI,KAAK,cAAc,SACrB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;AAErE,aAAU,KAAK;;WAGjB,KAAK,WAAW,KAChB,cAAc,KAAK,GAAG,IACtB,eAAe,KAAK,GAAG,CAEvB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AAEnE,aAAU,KAAK;;AAGjB,MACE,CAAC,mBAAmB,QAAQ,IAC5B,CAAC,oBAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIA,2BACR,2CACD;AAGH,SAAO,MAAM,KAAK,WAAW,UAAU,SAAS,UAAU,QAAQ;;CAmPpE,MAAM,gBAAgB,GAAG,MAA+B;EACtD,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;QAExC,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAIrE,MAAI,CAAC,mBAAmB,QAAQ,IAAI,CAAC,oBAAoB,SAAS,CAChE,OAAM,IAAIA,2BACR,iDACD;AAGH,SAAO,MAAM,KAAK,WAAW,gBAAgB,SAAS,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmDjE,MAAa,QAAQ,SAAyC;;EAC5D,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;EACvD,IAAI;AACJ,MAAI;GACF,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,WAAW,oDAAC,QAAS,QACvB;AAGF,OACE,WACA,WACA,QAAQ,UACR,cACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,CAED;GAIF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,WAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB,IAAI;UAC9C;AACN,SAAM,IAAI,MACR,wGACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,cAAY,aAAa,IAAI,iEAAc,QAAS,cAAa,KAAK;AAEtE,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,yEAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAGlE,yEAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,yEAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,MAAI,MAAM,2EAAQ,QAAS,0FAAY,UAAU,CAC/C,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;EAInE,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;CAiSlC,MAAa,cAAc,GAAG,MAA+B;EAC3D,IAAI;EACJ,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,YAAS,KAAK;AACd,aAAU,KAAK;AAEf,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAGrE,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,QACrB,KAAI,KAAK,cAAc,UAAU;AAC/B,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;UACT;AACL,KAAC,CAAE,SAAS,YAAa,yBACvB,KAAK,IACL,OACD;AACD,aAAS,KAAK;AACd,cAAU,KAAK;;AAInB,OAAI,cAAc,KAAK,GAAG,IAAI,eAAe,KAAK,GAAG,EAAE;AACrD,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;;;AAIlB,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,SAAS;AAC9B,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;AACrE,aAAS,KAAK;;AAGhB,OAAI,MAAM,QAAQ,KAAK,GAAG,EAAE;AAC1B,cAAU,IAAI,wBAAwB;AACtC,eAAW,IAAI,yBAAyB;AAExC,aAAS,KAAK;AACd,cAAU,KAAK;;;AAInB,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;AAExC,YAAS,KAAK;;AAGhB,MACE,CAAC,MAAM,QAAQ,OAAO,IACtB,CAAC,mBAAmB,QAAQ,IAC5B,CAAC,oBAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIA,2BACR,+CACD;AAWH,SARe,MAAM,KAAK,WAAW,cACnC,SACA,UACA,2DACA,QAAS,gBAAe,QAAQ,IAAI,+EACpC,QAAS,SACV;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmEH,MAAa,iBACX,SACe;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,iHACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,WAAW,QAAQ,OAAO,UAAU,CAAC;AAGpE,wDAAI,QAAS,kBACX,aAAY,aAAa,IACvB,sBACA,QAAQ,kBACT;AAGH,MAAI,MAAM,0DAAQ,QAAS,OAAO,CAChC,aAAY,aAAa,IAAI,SAAS,QAAQ,OAAO,KAAK,IAAI,CAAC;AAGjE,MAAI,MAAM,0DAAQ,QAAS,SAAS,CAClC,aAAY,aAAa,IAAI,YAAY,QAAQ,SAAS,KAAK,IAAI,CAAC;AAGtE,wDAAI,QAAS,QACX,aAAY,aAAa,IAAI,WAAW,QAAQ,QAAQ;AAG1D,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,MAAI,MAAM,0DAAQ,QAAS,UAAU,CACnC,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU,KAAK,IAAI,CAAC;AAGzE,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,UAAU,QAAQ,OAAO;EAIxD,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgElC,MAAa,kBACX,SACe;;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,kHACD;;EAGH,MAAM,eAAe,IAAI,IAAI,GAAG,SAAS,OAAO,UAAU;AAE1D,yEAAI,QAAS,qGAAuB,MAAM,CAAC,OACzC,cAAa,aAAa,IACxB,mBACA,QAAQ,sBACT;AAGH,MAAI,0DAAO,QAAS,eAAc,UAChC,cAAa,aAAa,IAAI,aAAa,QAAQ,UAAU,UAAU,CAAC;EAI1E,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,aAAa,UAAU,CAAC;;CAGnC,AAAQ,aAA+B;AACrC,SAAO,KAAK,WAAW,YAAY;;CAGrC,AAAQ,6BAAmC;AACzC,SAAO,KAAK,QAAQ,IAAI,CACrB,QAAO,QAAO,IAAI,WAAW,6BAA6B,CAAC,CAC3D,SAAQ,cAAa;GACpB,MAAM,GAAG,cAAc,UAAU,MAAM,eAAe;AACtD,WAAQ,IAAI,cAAc,QAAQ,IAAI;IACtC"}
1	+ {"version":3,"file":"index.mjs","names":["MonoCloudValidationError","isUserInGroupCore","MonoCloudValidationError"],"sources":["../src/requests/monocloud-app-router-request.ts","../src/requests/monocloud-page-router-request.ts","../src/responses/monocloud-app-router-response.ts","../src/responses/monocloud-page-router-response.ts","../src/responses/monocloud-cookie-response.ts","../src/requests/monocloud-cookie-request.ts","../src/utils.ts","../src/monocloud-next-client.ts","../src/initialize.ts"],"sourcesContent":["import type { MonoCloudRequest } from '@monocloud/auth-node-core';\n// eslint-disable-next-line import/extensions\nimport type { NextRequest } from 'next/server.js';\n\nexport default class MonoCloudAppRouterRequest implements MonoCloudRequest {\n constructor(public readonly req: NextRequest) {}\n\n getQuery(parameter: string): string \| string[] \| undefined {\n const url = new URL(this.req.url);\n return url.searchParams.get(parameter) ?? undefined;\n }\n\n getCookie(name: string): Promise<string \| undefined> {\n return Promise.resolve(this.req.cookies.get(name)?.value);\n }\n\n async getRawRequest(): Promise<{\n method: string;\n url: string;\n body: Record<string, string> \| string;\n }> {\n return {\n method: this.req.method,\n url: this.req.url,\n body: await this.req.text(),\n };\n }\n\n getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n this.req.cookies.getAll().forEach(x => {\n values.set(x.name, x.value);\n });\n return Promise.resolve(values);\n }\n}\n","/* eslint-disable @typescript-eslint/no-non-null-assertion /\nimport type { MonoCloudRequest } from '@monocloud/auth-node-core';\nimport type { NextApiRequest } from 'next';\n\nexport default class MonoCloudPageRouterRequest implements MonoCloudRequest {\n constructor(public readonly req: NextApiRequest) {}\n\n / v8 ignore next /\n getQuery(parameter: string): string \| string[] \| undefined {\n return this.req.query[parameter];\n }\n\n / v8 ignore next /\n getCookie(name: string): Promise<string \| undefined> {\n return Promise.resolve(this.req.cookies[name]);\n }\n\n / v8 ignore next /\n getRawRequest(): Promise<{\n method: string;\n url: string;\n body: Record<string, string> \| string;\n }> {\n return Promise.resolve({\n method: this.req.method!,\n url: this.req.url!,\n body: this.req.body,\n });\n }\n\n getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n const { cookies } = this.req;\n Object.keys(cookies).forEach(x => {\n const val = cookies[x];\n / v8 ignore else -- @preserve /\n if (typeof x === 'string' && typeof val === 'string') {\n values.set(x, val);\n }\n });\n return Promise.resolve(values);\n }\n}\n","import type {\n CookieOptions,\n MonoCloudResponse,\n} from '@monocloud/auth-node-core';\n// eslint-disable-next-line import/extensions\nimport { NextResponse } from 'next/server.js';\n\nexport default class MonoCloudAppRouterResponse implements MonoCloudResponse {\n constructor(public res: NextResponse) {}\n\n setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n this.res.cookies.set(cookieName, value, options);\n return Promise.resolve();\n }\n\n redirect(url: string, statusCode: number \| undefined = 302): void {\n const { headers } = this.res;\n this.res = NextResponse.redirect(url, { status: statusCode, headers });\n }\n\n sendJson(data: any, statusCode?: number): void {\n const { headers } = this.res;\n this.res = NextResponse.json(data, { status: statusCode, headers });\n }\n\n / v8 ignore next /\n notFound(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 404, headers });\n }\n\n internalServerError(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 500, headers });\n }\n\n noContent(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 204, headers });\n }\n\n methodNotAllowed(): void {\n const { headers } = this.res;\n this.res = new NextResponse(null, { status: 405, headers });\n }\n\n setNoCache(): void {\n this.res.headers.set('Cache-Control', 'no-cache no-store');\n this.res.headers.set('Pragma', 'no-cache');\n }\n\n done(): any {\n return this.res;\n }\n}\n","import type {\n CookieOptions,\n MonoCloudResponse,\n} from '@monocloud/auth-node-core';\nimport type { NextApiResponse } from 'next';\nimport { serialize } from 'cookie';\n\nexport default class MonoCloudPageRouterResponse implements MonoCloudResponse {\n constructor(public readonly res: NextApiResponse) {}\n\n setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n let cookies = this.res.getHeader('Set-Cookie') ?? [];\n\n / v8 ignore if -- @preserve /\n if (!Array.isArray(cookies)) {\n cookies = [cookies as string];\n }\n\n this.res.setHeader('Set-Cookie', [\n ...cookies.filter(cookie => !cookie.startsWith(`${cookieName}=`)),\n serialize(cookieName, value, options),\n ]);\n\n return Promise.resolve();\n }\n\n / v8 ignore next /\n redirect(url: string, statusCode?: number): void {\n this.res.redirect(statusCode ?? 302, url);\n }\n\n / v8 ignore next /\n sendJson(data: any, statusCode?: number): void {\n this.res.status(statusCode ?? 200);\n this.res.json(data);\n }\n\n / v8 ignore next /\n notFound(): void {\n this.res.status(404);\n }\n\n / v8 ignore next /\n internalServerError(): void {\n this.res.status(500);\n }\n\n / v8 ignore next /\n noContent(): void {\n this.res.status(204);\n }\n\n / v8 ignore next /\n methodNotAllowed(): void {\n this.res.status(405);\n }\n\n / v8 ignore next /\n setNoCache(): void {\n this.res.setHeader('Cache-Control', 'no-cache no-store');\n this.res.setHeader('Pragma', 'no-cache');\n }\n\n / v8 ignore next /\n done(): any {\n this.res.end();\n }\n}\n","/ eslint-disable no-console /\nimport type {\n CookieOptions,\n IMonoCloudCookieResponse,\n} from '@monocloud/auth-node-core';\n\nlet isWarned = false;\n\nexport default class MonoCloudCookieResponse implements IMonoCloudCookieResponse {\n async setCookie(\n cookieName: string,\n value: string,\n options: CookieOptions\n ): Promise<void> {\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n (await cookies()).set(cookieName, value, options);\n } catch (e: any) {\n if (!isWarned) {\n console.warn(e.message);\n isWarned = true;\n }\n }\n }\n}\n","import type { IMonoCloudCookieRequest } from '@monocloud/auth-node-core';\n\nexport default class MonoCloudCookieRequest implements IMonoCloudCookieRequest {\n / v8 ignore next /\n async getCookie(name: string): Promise<string \| undefined> {\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n return (await cookies()).get(name)?.value;\n }\n\n async getAllCookies(): Promise<Map<string, string>> {\n const values = new Map<string, string>();\n // @ts-expect-error Cannot find module 'next/headers'\n const { cookies } = await import('next/headers');\n\n (await cookies()).getAll().forEach((x: any) => {\n values.set(x.name, x.value);\n });\n return values;\n }\n}\n","// eslint-disable-next-line import/extensions\nimport { NextRequest, NextResponse } from 'next/server.js';\nimport type { NextApiRequest, NextApiResponse } from 'next/types';\nimport {\n MonoCloudValidationError,\n type IMonoCloudCookieRequest,\n type IMonoCloudCookieResponse,\n} from '@monocloud/auth-node-core';\nimport { AppRouterContext } from './types';\nimport MonoCloudAppRouterRequest from './requests/monocloud-app-router-request';\nimport MonoCloudPageRouterRequest from './requests/monocloud-page-router-request';\nimport MonoCloudAppRouterResponse from './responses/monocloud-app-router-response';\nimport MonoCloudPageRouterResponse from './responses/monocloud-page-router-response';\nimport MonoCloudCookieResponse from './responses/monocloud-cookie-response';\nimport MonoCloudCookieRequest from './requests/monocloud-cookie-request';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport { isPresent } from '@monocloud/auth-node-core/internal';\n\nexport const isMonoCloudRequest = (\n req: unknown\n): req is IMonoCloudCookieRequest =>\n req instanceof MonoCloudAppRouterRequest \|\|\n req instanceof MonoCloudPageRouterRequest \|\|\n req instanceof MonoCloudCookieRequest;\n\nexport const isMonoCloudResponse = (\n res: unknown\n): res is IMonoCloudCookieResponse =>\n res instanceof MonoCloudAppRouterResponse \|\|\n res instanceof MonoCloudPageRouterResponse \|\|\n res instanceof MonoCloudCookieResponse;\n\nexport const isAppRouter = (req: unknown): boolean =>\n req instanceof Request \|\|\n (req as Request).headers instanceof Headers \|\|\n typeof (req as Request).bodyUsed === 'boolean';\n\nexport const isNodeRequest = (req: any): req is IncomingMessage => {\n return !!(\n req &&\n typeof req === 'object' &&\n 'headers' in req &&\n !('bodyUsed' in req) &&\n typeof req.on === 'function'\n );\n};\n\nexport const isNodeResponse = (res: any): res is ServerResponse => {\n return !!(\n res &&\n typeof res === 'object' &&\n 'setHeader' in res &&\n typeof res.setHeader === 'function' &&\n 'end' in res &&\n typeof res.end === 'function'\n );\n};\n\nexport const getNextRequest = (req: Request \| NextRequest): NextRequest => {\n if (req instanceof NextRequest) {\n return req;\n }\n\n return new NextRequest(req.url, {\n method: req.method,\n headers: req.headers,\n body: req.body,\n / v8 ignore next -- @preserve /\n duplex: (req as any).duplex ?? 'half',\n });\n};\n\nexport const getNextResponse = (\n res: Response \| NextResponse \| AppRouterContext\n): NextResponse => {\n if (res instanceof NextResponse) {\n return res;\n }\n\n if (res instanceof Response) {\n const nextResponse = new NextResponse(res.body, {\n status: res.status,\n statusText: res.statusText,\n headers: res.headers,\n url: res.url,\n });\n\n try {\n / v8 ignore else -- @preserve /\n if (!isPresent(nextResponse.url)) {\n (nextResponse as any).url = res.url;\n }\n } catch {\n // ignore\n }\n\n return nextResponse;\n }\n\n return new NextResponse();\n};\n\nexport const getMonoCloudCookieReqRes = (\n req: unknown,\n resOrCtx: unknown\n): {\n request: IMonoCloudCookieRequest;\n response: IMonoCloudCookieResponse;\n} => {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (isAppRouter(req)) {\n request = new MonoCloudAppRouterRequest(getNextRequest(req as Request));\n\n response =\n resOrCtx instanceof Response\n ? new MonoCloudAppRouterResponse(getNextResponse(resOrCtx))\n : new MonoCloudCookieResponse();\n } else {\n if (!isNodeRequest(req) \|\| !isNodeResponse(resOrCtx)) {\n throw new MonoCloudValidationError(\n 'Invalid pages router request and response'\n );\n }\n request = new MonoCloudPageRouterRequest(req as NextApiRequest);\n response = new MonoCloudPageRouterResponse(resOrCtx as NextApiResponse);\n }\n\n return { request, response };\n};\n\nexport const mergeResponse = (responses: NextResponse[]): NextResponse => {\n const resp = responses.pop();\n\n if (!resp) {\n return new NextResponse();\n }\n\n responses.forEach(response => {\n response.headers.forEach((v, k) => {\n if ((k === 'location' && !resp.headers.has(k)) \|\| k !== 'location') {\n resp.headers.set(k, v);\n }\n });\n\n response.cookies.getAll().forEach(c => {\n const { name, value, ...cookieOpt } = c;\n resp.cookies.set(name, value, cookieOpt);\n });\n });\n\n return resp;\n};\n","/ eslint-disable import/extensions /\n/ eslint-disable @typescript-eslint/no-non-null-assertion /\nimport type {\n monoCloudAuth,\n protect,\n protectPage,\n authMiddleware,\n getSession,\n getTokens,\n isAuthenticated,\n isUserInGroup,\n redirectToSignIn,\n redirectToSignOut,\n} from './initialize';\nimport {\n NextFetchEvent,\n NextRequest,\n NextResponse,\n NextMiddleware,\n NextProxy,\n} from 'next/server.js';\nimport type {\n NextApiHandler,\n NextApiRequest,\n NextApiResponse,\n} from 'next/types';\nimport {\n ensureLeadingSlash,\n isAbsoluteUrl,\n} from '@monocloud/auth-node-core/internal';\nimport { isUserInGroup as isUserInGroupCore } from '@monocloud/auth-node-core/utils';\nimport type {\n GetTokensOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudOptions,\n MonoCloudRequest,\n MonoCloudResponse,\n MonoCloudTokens,\n MonoCloudSession,\n OnError,\n} from '@monocloud/auth-node-core';\nimport { MonoCloudOidcClient } from '@monocloud/auth-core';\nimport {\n MonoCloudCoreClient,\n MonoCloudValidationError,\n} from '@monocloud/auth-node-core';\nimport {\n AppRouterApiHandlerFn,\n AppRouterContext,\n AppRouterPageHandler,\n IsUserInGroupOptions,\n MonoCloudAuthHandler,\n MonoCloudAuthOptions,\n MonoCloudMiddlewareOptions,\n NextMiddlewareResult,\n ProtectApiAppOptions,\n ProtectApiPageOptions,\n ProtectAppPageOptions,\n ProtectedAppServerComponent,\n ProtectOptions,\n ProtectPagePageOptions,\n ProtectPagePageReturnType,\n RedirectToSignInOptions,\n RedirectToSignOutOptions,\n} from './types';\nimport {\n getMonoCloudCookieReqRes,\n getNextRequest,\n getNextResponse,\n isAppRouter,\n isMonoCloudRequest,\n isMonoCloudResponse,\n mergeResponse,\n isNodeRequest,\n isNodeResponse,\n} from './utils';\nimport MonoCloudCookieRequest from './requests/monocloud-cookie-request';\nimport MonoCloudCookieResponse from './responses/monocloud-cookie-response';\nimport MonoCloudAppRouterRequest from './requests/monocloud-app-router-request';\nimport MonoCloudAppRouterResponse from './responses/monocloud-app-router-response';\nimport type { JSX } from 'react';\nimport type { ParsedUrlQuery } from 'node:querystring';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport MonoCloudPageRouterRequest from './requests/monocloud-page-router-request';\nimport MonoCloudPageRouterResponse from './responses/monocloud-page-router-response';\n\n/\n `MonoCloudNextClient` is the core SDK entry point for integrating MonoCloud authentication into a Next.js application.\n \n It provides:\n * - Authentication middleware\n * - Route protection helpers\n * - Session and token access\n * - Redirect utilities\n * - Server-side enforcement helpers\n \n ## 1. Add environment variables\n \n ```bash:.env.local\n * MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>\n * MONOCLOUD_AUTH_CLIENT_ID=<client-id>\n * MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>\n * MONOCLOUD_AUTH_SCOPES=openid profile email\n * MONOCLOUD_AUTH_APP_URL=http://localhost:3000\n * MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>\n * ```\n \n ## 2. Register middleware\n \n ```typescript:src/proxy.ts\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware();\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n ## Advanced usage\n \n ### Create a shared client instance\n \n By default, the SDK exposes function exports (for example, `authMiddleware()`, `getSession()`, `getTokens()`) that internally use a shared singleton `MonoCloudNextClient`.\n \n Create your own `MonoCloudNextClient` instance when you need multiple configurations, dependency injection, or explicit control over initialization.\n \n ```ts:src/monocloud.ts\n * import { MonoCloudNextClient } from \"@monocloud/auth-nextjs\";\n \n export const monoCloud = new MonoCloudNextClient();\n * ```\n \n ### Using instance methods\n \n Once you create a client instance, call methods directly on it instead of using the default function exports.\n \n ```ts:src/app/page.tsx\n * import { monoCloud } from \"@/monocloud\";\n \n export default async function Page() {\n * const session = await monoCloud.getSession();\n \n if (!session) {\n * return <>Not signed in</>;\n * }\n \n return <>Hello {session.user.name}</>;\n * }\n * ```\n \n #### Using constructor options\n \n When configuration is provided through both constructor options and environment variables, the values passed to the constructor take precedence. Environment variables are used only for options that are not explicitly supplied.\n \n ```ts:src/monocloud.ts\n * import { MonoCloudNextClient } from \"@monocloud/auth-nextjs\";\n \n export const monoCloud = new MonoCloudNextClient({\n * tenantDomain: \"<tenant-domain>\",\n * clientId: \"<client-id>\",\n * clientSecret: \"<client-secret>\",\n * appUrl: \"http://localhost:3000\",\n * cookieSecret: \"<cookie-secret>\",\n * defaultAuthParams: {\n * scopes: \"openid profile email\",\n * },\n * });\n * ```\n \n ### Modifying default routes\n \n If you customize any of the default auth route paths:\n \n - Also set the corresponding `NEXT_PUBLIC_` environment variables so client-side helpers\n * (for example `<SignIn />`, `<SignOut />`, and `useAuth()`) can discover the correct URLs.\n * - Update the Application URLs in your MonoCloud Dashboard to match the new paths.\n \n Example:\n \n ```bash:.env.local\n * MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback\n * NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback\n * ```\n \n When routes are overridden, the Redirect URI configured in the dashboard\n * must reflect the new path. For example, during local development:\n \n `http://localhost:3000/api/custom_callback`\n \n @category Classes\n /\nexport class MonoCloudNextClient {\n private readonly _coreClient: MonoCloudCoreClient;\n\n /\n This exposes the framework-agnostic MonoCloud client used internally by the Next.js SDK.\n * Use it if you need access to lower-level functionality not directly exposed by MonoCloudNextClient.\n \n @returns Returns the underlying Node client instance.\n /\n public get coreClient(): MonoCloudCoreClient {\n return this._coreClient;\n }\n\n /\n This is intended for advanced scenarios requiring direct control over the authorization or token flow.\n \n @returns Returns the underlying OIDC client used for OpenID Connect operations.\n /\n public get oidcClient(): MonoCloudOidcClient {\n return this.coreClient.oidcClient;\n }\n\n /\n Creates a new client instance.\n \n @param options Optional configuration for initializing the MonoCloud client. If not provided, settings are automatically resolved from environment variables.\n /\n constructor(options?: MonoCloudOptions) {\n const opt = {\n ...(options ?? {}),\n userAgent: options?.userAgent ?? `${SDK_NAME}@${SDK_VERSION}`,\n debugger: options?.debugger ?? SDK_DEBUGGER_NAME,\n };\n\n this.registerPublicEnvVariables();\n this._coreClient = new MonoCloudCoreClient(opt);\n }\n\n /\n @see {@link monoCloudAuth} for full docs and examples.\n * @param options Optional configuration for the auth handler.\n * @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.\n /\n public monoCloudAuth(options?: MonoCloudAuthOptions): MonoCloudAuthHandler {\n return (req, resOrCtx) => {\n const { routes, appUrl } = this.getOptions();\n\n let { url = '' } = req;\n\n if (!isAbsoluteUrl(url)) {\n url = new URL(url, appUrl).toString();\n }\n\n const route = new URL(url);\n\n let onError;\n if (typeof options?.onError === 'function') {\n onError = (\n error: Error\n ): void \| NextResponse \| Promise<void \| NextResponse<unknown>> =>\n options.onError!(req as any, resOrCtx as any, error);\n }\n\n let request: MonoCloudRequest;\n let response: MonoCloudResponse;\n\n if (isAppRouter(req)) {\n request = new MonoCloudAppRouterRequest(getNextRequest(req as Request));\n response = new MonoCloudAppRouterResponse(\n getNextResponse(resOrCtx as Response)\n );\n } else {\n request = new MonoCloudPageRouterRequest(req as NextApiRequest);\n response = new MonoCloudPageRouterResponse(resOrCtx as NextApiResponse);\n }\n\n return this.handleAuthRoutes(\n request,\n response,\n route.pathname,\n routes,\n onError\n );\n };\n }\n\n /\n @see {@link protectPage} for full docs and examples.\n * @param component The App Router server component to protect.\n * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n * @returns A wrapped page component that enforces authentication before rendering.\n /\n protectPage(\n component: ProtectedAppServerComponent,\n options?: ProtectAppPageOptions\n ): AppRouterPageHandler;\n\n /\n @see {@link protectPage} for full docs and examples.\n * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n * @typeParam P - Props returned from `getServerSideProps`.\n * @typeParam Q - Query parameters parsed from the URL.\n * @returns A getServerSideProps wrapper that enforces authentication before executing the page logic.\n /\n protectPage<\n P extends Record<string, any> = Record<string, any>,\n Q extends ParsedUrlQuery = ParsedUrlQuery,\n >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q>;\n\n public protectPage(...args: unknown[]): any {\n if (typeof args[0] === 'function') {\n return this.protectAppPage(\n args[0] as AppRouterPageHandler,\n args[1] as ProtectAppPageOptions\n ) as any;\n }\n\n return this.protectPagePage(\n args[0] as ProtectPagePageOptions\n ) as ProtectPagePageReturnType<any, any>;\n }\n\n private protectAppPage(\n component: ProtectedAppServerComponent,\n options?: ProtectAppPageOptions\n ): AppRouterPageHandler {\n return async params => {\n const session = await this.getSession();\n\n if (!session) {\n if (options?.onAccessDenied) {\n return options.onAccessDenied({ ...params });\n }\n\n const { routes, appUrl } = this.getOptions();\n\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n const path = (await headers()).get('x-monocloud-path');\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n options?.returnUrl ?? path ?? '/'\n );\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.acrValues) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set(\n 'ui_locales',\n options.authParams.uiLocales\n );\n }\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set(\n 'login_hint',\n options.authParams.loginHint\n );\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n return redirect(signInRoute.toString());\n }\n\n if (\n options?.groups &&\n !isUserInGroupCore(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n return options.onGroupAccessDenied({\n ...params,\n user: session.user,\n });\n }\n\n return 'Access Denied' as unknown as JSX.Element;\n }\n\n return component({ ...params, user: session.user });\n };\n }\n\n private protectPagePage<\n P extends Record<string, any> = Record<string, any>,\n Q extends ParsedUrlQuery = ParsedUrlQuery,\n >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q> {\n return async context => {\n const session = await this.getSession(\n context.req as any,\n context.res as any\n );\n\n if (!session) {\n if (options?.onAccessDenied) {\n const customProps: any = await options.onAccessDenied({\n ...context,\n });\n\n const props = {\n ...(customProps ?? {}),\n props: { ...(customProps?.props ?? {}) },\n };\n\n return props;\n }\n\n const { routes, appUrl } = this.getOptions();\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n options?.returnUrl ?? context.resolvedUrl\n );\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.acrValues) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set(\n 'ui_locales',\n options.authParams.uiLocales\n );\n }\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set(\n 'login_hint',\n options.authParams.loginHint\n );\n }\n\n return {\n redirect: {\n destination: signInRoute.toString(),\n permanent: false,\n },\n };\n }\n\n if (\n options?.groups &&\n !isUserInGroupCore(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n const customProps: any = (await options.onGroupAccessDenied?.({\n ...context,\n user: session.user,\n })) ?? { props: { groupAccessDenied: true } };\n\n const props = {\n ...customProps,\n props: { ...(customProps.props ?? {}) },\n };\n\n return props;\n }\n\n const customProps: any = options?.getServerSideProps\n ? await options.getServerSideProps(context)\n : {};\n\n const promiseProp = customProps.props;\n\n if (promiseProp instanceof Promise) {\n return {\n ...customProps,\n props: promiseProp.then((props: any) => ({\n user: session.user,\n ...props,\n })),\n };\n }\n\n return {\n ...customProps,\n props: { user: session.user, ...customProps.props },\n };\n };\n }\n\n /\n @see {@link protectApi} for full docs and examples.\n * @param handler The route handler to protect.\n * @param options Optional configuration controlling authentication and authorization behavior.\n * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n /\n protectApi(\n handler: AppRouterApiHandlerFn,\n options?: ProtectApiAppOptions\n ): AppRouterApiHandlerFn;\n\n /\n @see {@link protectApi} for full docs and examples.\n * @param handler - The route handler to protect.\n * @param options Optional configuration controlling authentication and authorization behavior.\n * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n /\n protectApi(\n handler: NextApiHandler,\n options?: ProtectApiPageOptions\n ): NextApiHandler;\n\n public protectApi(\n handler: AppRouterApiHandlerFn \| NextApiHandler,\n options?: ProtectApiAppOptions \| ProtectApiPageOptions\n ): AppRouterApiHandlerFn \| NextApiHandler {\n return (\n req: NextRequest \| NextApiRequest,\n resOrCtx: AppRouterContext \| NextApiResponse\n ) => {\n if (isAppRouter(req)) {\n return this.protectAppApi(\n req as NextRequest,\n resOrCtx as AppRouterContext,\n handler as AppRouterApiHandlerFn,\n options as ProtectApiAppOptions\n );\n }\n return this.protectPageApi(\n req as NextApiRequest,\n resOrCtx as NextApiResponse,\n handler as NextApiHandler,\n options as ProtectApiPageOptions\n );\n };\n }\n\n private async protectAppApi(\n req: NextRequest,\n ctx: AppRouterContext,\n handler: AppRouterApiHandlerFn,\n options?: ProtectApiAppOptions\n ): Promise<NextResponse> {\n const res = new NextResponse();\n\n const session = await this.getSession(req, res);\n\n if (!session) {\n if (options?.onAccessDenied) {\n const result = await options.onAccessDenied(req, ctx);\n\n if (result instanceof NextResponse) {\n return mergeResponse([res, result]);\n }\n\n return mergeResponse([res, new NextResponse(result.body, result)]);\n }\n\n return mergeResponse([\n res,\n NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n ]);\n }\n\n if (\n options?.groups &&\n !isUserInGroupCore(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n const result = await options.onGroupAccessDenied(\n req,\n ctx,\n session.user\n );\n\n if (result instanceof NextResponse) {\n return mergeResponse([res, result]);\n }\n\n return mergeResponse([res, new NextResponse(result.body, result)]);\n }\n\n return mergeResponse([\n res,\n NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n ]);\n }\n\n const resp = await handler(req, ctx);\n\n if (resp instanceof NextResponse) {\n return mergeResponse([res, resp]);\n }\n\n return mergeResponse([res, new NextResponse(resp.body, resp)]);\n }\n\n private async protectPageApi(\n req: NextApiRequest,\n res: NextApiResponse,\n handler: NextApiHandler,\n options?: ProtectApiPageOptions\n ): Promise<unknown> {\n const session = await this.getSession(req, res);\n\n if (!session) {\n if (options?.onAccessDenied) {\n return options.onAccessDenied(req, res);\n }\n\n return res.status(401).json({\n message: 'unauthorized',\n });\n }\n\n if (\n options?.groups &&\n !isUserInGroupCore(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n if (options.onGroupAccessDenied) {\n return options.onGroupAccessDenied(req, res, session.user);\n }\n\n return res.status(403).json({\n message: 'forbidden',\n });\n }\n\n return handler(req, res);\n }\n\n /\n @see {@link authMiddleware} for full docs and examples.\n * @param options Optional configuration that controls how authentication is enforced (for example, redirect behavior, route matching, or custom handling of unauthenticated requests).\n * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).\n /\n authMiddleware(\n options?: MonoCloudMiddlewareOptions\n ): NextMiddleware \| NextProxy;\n\n /\n @see {@link authMiddleware} for full docs and examples.\n * @param request Incoming Next.js middleware request used to resolve authentication state.\n * @param event Next.js middleware event providing lifecycle hooks such as `waitUntil`.\n * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).\n /\n authMiddleware(\n request: NextRequest,\n event: NextFetchEvent\n ): Promise<NextMiddlewareResult> \| NextMiddlewareResult;\n\n public authMiddleware(\n ...args: any[]\n ):\n \| NextMiddleware\n \| NextProxy\n \| Promise<NextMiddlewareResult>\n \| NextMiddlewareResult {\n let req: NextRequest \| undefined;\n let evt: NextFetchEvent \| undefined;\n let options: MonoCloudMiddlewareOptions \| undefined;\n\n / v8 ignore else -- @preserve /\n if (Array.isArray(args)) {\n if (args.length === 2) {\n / v8 ignore else -- @preserve /\n if (isAppRouter(args[0])) {\n req = args[0] as NextRequest;\n evt = args[1] as NextFetchEvent;\n }\n }\n\n if (args.length === 1) {\n options = args[0] as MonoCloudMiddlewareOptions;\n }\n }\n\n if (req && evt) {\n return this.authMiddlewareHandler(req, evt, options) as any;\n }\n\n return (request: NextRequest, nxtEvt: NextFetchEvent) => {\n return this.authMiddlewareHandler(request, nxtEvt, options);\n };\n }\n\n private async authMiddlewareHandler(\n req: NextRequest,\n evt: NextFetchEvent,\n options?: MonoCloudMiddlewareOptions\n ): Promise<NextMiddlewareResult> {\n // eslint-disable-next-line no-param-reassign\n req = getNextRequest(req);\n\n if (req.headers.has('x-middleware-subrequest')) {\n return NextResponse.json({ message: 'forbidden' }, { status: 403 });\n }\n\n const { routes, appUrl } = this.getOptions();\n\n if (\n Object.values(routes!)\n .map(x => ensureLeadingSlash(x))\n .includes(req.nextUrl.pathname)\n ) {\n let onError;\n if (typeof options?.onError === 'function') {\n onError = (\n error: Error\n ):\n \| Promise<void \| NextResponse<unknown>>\n \| void\n \| NextResponse<unknown> => options.onError!(req, evt, error);\n }\n\n const request = new MonoCloudAppRouterRequest(req);\n const response = new MonoCloudAppRouterResponse(new NextResponse());\n\n return this.handleAuthRoutes(\n request,\n response,\n req.nextUrl.pathname,\n routes,\n onError\n );\n }\n\n const nxtResp = new NextResponse();\n\n nxtResp.headers.set(\n 'x-monocloud-path',\n req.nextUrl.pathname + req.nextUrl.search\n );\n\n let isRouteProtected = true;\n let allowedGroups: string[] \| undefined;\n\n if (typeof options?.protectedRoutes === 'function') {\n isRouteProtected = await options.protectedRoutes(req);\n } else if (\n typeof options?.protectedRoutes !== 'undefined' &&\n Array.isArray(options.protectedRoutes)\n ) {\n isRouteProtected = options.protectedRoutes.some(route => {\n if (typeof route === 'string' \|\| route instanceof RegExp) {\n return new RegExp(route).test(req.nextUrl.pathname);\n }\n\n return route.routes.some(groupRoute => {\n const result = new RegExp(groupRoute).test(req.nextUrl.pathname);\n\n if (result) {\n allowedGroups = route.groups;\n }\n\n return result;\n });\n });\n }\n\n if (!isRouteProtected) {\n return NextResponse.next({\n headers: {\n 'x-monocloud-path': req.nextUrl.pathname + req.nextUrl.search,\n },\n });\n }\n\n const session = await this.getSession(req, nxtResp);\n\n if (!session) {\n if (options?.onAccessDenied) {\n const result = await options.onAccessDenied(req, evt);\n\n if (result instanceof NextResponse) {\n return mergeResponse([nxtResp, result]);\n }\n\n if (result) {\n return mergeResponse([\n nxtResp,\n new NextResponse(result.body, result),\n ]);\n }\n\n return NextResponse.next(nxtResp);\n }\n\n if (req.nextUrl.pathname.startsWith('/api')) {\n return mergeResponse([\n nxtResp,\n NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n ]);\n }\n\n const signInRoute = new URL(\n `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n );\n\n signInRoute.searchParams.set(\n 'return_url',\n req.nextUrl.pathname + req.nextUrl.search\n );\n\n return mergeResponse([nxtResp, NextResponse.redirect(signInRoute)]);\n }\n\n const groupsClaim =\n options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;\n\n if (\n allowedGroups &&\n !isUserInGroupCore(session.user, allowedGroups, groupsClaim)\n ) {\n if (options?.onGroupAccessDenied) {\n const result = await options.onGroupAccessDenied(\n req,\n evt,\n session.user\n );\n\n if (result instanceof NextResponse) {\n return mergeResponse([nxtResp, result]);\n }\n\n if (result) {\n return mergeResponse([\n nxtResp,\n new NextResponse(result.body, result),\n ]);\n }\n\n return NextResponse.next(nxtResp);\n }\n\n if (req.nextUrl.pathname.startsWith('/api')) {\n return mergeResponse([\n nxtResp,\n NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n ]);\n }\n\n return new NextResponse(`forbidden`, {\n status: 403,\n });\n }\n\n return NextResponse.next(nxtResp);\n }\n\n private handleAuthRoutes(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n path: string,\n routes: MonoCloudOptions['routes'],\n onError?: OnError\n ): Promise<any> {\n switch (path) {\n case ensureLeadingSlash(routes!.signIn):\n return this.coreClient.signIn(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.callback):\n return this.coreClient.callback(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.userInfo):\n return this.coreClient.userInfo(request, response, {\n onError,\n });\n\n case ensureLeadingSlash(routes!.signOut):\n return this.coreClient.signOut(request, response, {\n onError,\n });\n\n default:\n response.notFound();\n return response.done();\n }\n }\n\n /\n @see {@link getSession} for full docs and examples.\n * @returns Returns the resolved session, or `undefined` if none exists.\n /\n public getSession(): Promise<MonoCloudSession \| undefined>;\n\n /\n @see {@link getSession} for full docs and examples.\n * @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.\n * @param res Optional response to update if session resolution requires refreshed authentication cookies or headers.\n * @returns Returns the resolved session, or `undefined` if none exists.\n /\n public getSession(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n ): Promise<MonoCloudSession \| undefined>;\n\n /\n @see {@link getSession} for full docs and examples.\n * @param req Incoming Node.js request used to read authentication cookies and resolve the current user's session.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @returns Returns the resolved session, or `undefined` if none exists.\n /\n public getSession(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n ): Promise<MonoCloudSession \| undefined>;\n\n async getSession(...args: any[]): Promise<MonoCloudSession \| undefined> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n / v8 ignore next -- @preserve /\n if (!isMonoCloudRequest(request) \|\| !isMonoCloudResponse(response)) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to getSession()'\n );\n }\n\n return await this.coreClient.getSession(request, response);\n }\n\n /\n @see {@link getTokens} for full docs and examples.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n /\n public getTokens(options?: GetTokensOptions): Promise<MonoCloudTokens>;\n\n /\n @see {@link getTokens} for full docs and examples.\n * @param req Incoming request used to resolve authentication from cookies and headers.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n /\n public getTokens(\n req: NextRequest \| Request,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n /\n @see {@link getTokens} for full docs and examples.\n * @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Existing response to update with refreshed authentication cookies or headers.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n /\n public getTokens(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n /\n @see {@link getTokens} for full docs and examples.\n * @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n /\n public getTokens(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens>;\n\n async getTokens(...args: any[]): Promise<MonoCloudTokens> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n let options: GetTokensOptions \| undefined;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else if (args.length === 1) {\n if (args[0] instanceof Request) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n } else {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n options = args[0];\n }\n } else if (args.length === 2 && args[0] instanceof Request) {\n if (args[1] instanceof Response) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n\n options = args[1] as GetTokensOptions;\n }\n } else if (\n args.length === 2 &&\n isNodeRequest(args[0]) &&\n isNodeResponse(args[1])\n ) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n\n options = args[2] as GetTokensOptions;\n }\n\n if (\n !isMonoCloudRequest(request) \|\|\n !isMonoCloudResponse(response) \|\|\n (options && typeof options !== 'object')\n ) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to getTokens()'\n );\n }\n\n return await this.coreClient.getTokens(request, response, options);\n }\n\n /\n @see {@link isAuthenticated} for full docs and examples.\n * @returns Returns `true` if a valid session exists; otherwise `false`.\n /\n public isAuthenticated(): Promise<boolean>;\n\n /\n @see {@link isAuthenticated} for full docs and examples.\n * @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Optional response to update if refreshed authentication cookies or headers are required.\n * @returns Returns `true` if a valid session exists; otherwise `false`.\n /\n public isAuthenticated(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n ): Promise<boolean>;\n\n /\n @see {@link isAuthenticated} for full docs and examples.\n * @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @returns Returns `true` if a valid session exists; otherwise `false`.\n /\n public isAuthenticated(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n ): Promise<boolean>;\n\n async isAuthenticated(...args: any[]): Promise<boolean> {\n let request: IMonoCloudCookieRequest;\n let response: IMonoCloudCookieResponse;\n\n if (args.length === 0) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n / v8 ignore next -- @preserve /\n if (!isMonoCloudRequest(request) \|\| !isMonoCloudResponse(response)) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to isAuthenticated()'\n );\n }\n\n return await this.coreClient.isAuthenticated(request, response);\n }\n\n /\n @see {@link protect} for full docs and examples.\n * @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).\n * @returns Resolves if the user is authenticated; otherwise triggers a redirect.\n /\n public async protect(options?: ProtectOptions): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n let path: string;\n try {\n const session = await this.getSession();\n\n if (session && !options?.groups) {\n return;\n }\n\n if (\n session &&\n options?.groups &&\n isUserInGroupCore(\n session.user,\n options.groups,\n options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options.matchAll\n )\n ) {\n return;\n }\n\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n path = (await headers()).get('x-monocloud-path') ?? '/';\n } catch {\n throw new Error(\n 'protect() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n signInRoute.searchParams.set('return_url', options?.returnUrl ?? path);\n\n if (options?.authParams?.maxAge) {\n signInRoute.searchParams.set(\n 'max_age',\n options.authParams.maxAge.toString()\n );\n }\n\n if (options?.authParams?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authParams.authenticatorHint\n );\n }\n\n if (options?.authParams?.scopes) {\n signInRoute.searchParams.set('scope', options.authParams.scopes);\n }\n\n if (options?.authParams?.resource) {\n signInRoute.searchParams.set('resource', options.authParams.resource);\n }\n\n if (options?.authParams?.display) {\n signInRoute.searchParams.set('display', options.authParams.display);\n }\n\n if (options?.authParams?.uiLocales) {\n signInRoute.searchParams.set('ui_locales', options.authParams.uiLocales);\n }\n\n if (Array.isArray(options?.authParams?.acrValues)) {\n signInRoute.searchParams.set(\n 'acr_values',\n options.authParams.acrValues.join(' ')\n );\n }\n\n if (options?.authParams?.loginHint) {\n signInRoute.searchParams.set('login_hint', options.authParams.loginHint);\n }\n\n if (options?.authParams?.prompt) {\n signInRoute.searchParams.set('prompt', options.authParams.prompt);\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signInRoute.toString());\n }\n\n /\n @see {@link isUserInGroup} for full docs and examples.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n /\n isUserInGroup(\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n @see {@link isUserInGroup} for full docs and examples.\n * @param req Incoming request used to resolve authentication from cookies and headers.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n /\n isUserInGroup(\n req: NextRequest \| Request,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n @see {@link isUserInGroup} for full docs and examples.\n * @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Existing response to update with refreshed authentication cookies or headers when required.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n /\n isUserInGroup(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n /\n @see {@link isUserInGroup} for full docs and examples.\n * @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n /\n isUserInGroup(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n groups: string[],\n options?: IsUserInGroupOptions\n ): Promise<boolean>;\n\n public async isUserInGroup(...args: any[]): Promise<boolean> {\n let request: IMonoCloudCookieRequest \| undefined;\n let response: IMonoCloudCookieResponse \| undefined;\n let groups: string[] \| undefined;\n let options: IsUserInGroupOptions \| undefined;\n\n if (args.length === 4) {\n groups = args[2];\n options = args[3];\n\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n }\n\n if (args.length === 3) {\n if (args[0] instanceof Request) {\n if (args[1] instanceof Response) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n groups = args[2];\n } else {\n ({ request, response } = getMonoCloudCookieReqRes(\n args[0],\n undefined\n ));\n groups = args[1];\n options = args[2];\n }\n }\n\n if (isNodeRequest(args[0]) && isNodeResponse(args[1])) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n groups = args[2];\n }\n }\n\n if (args.length === 2) {\n if (args[0] instanceof Request) {\n ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n groups = args[1];\n }\n\n if (Array.isArray(args[0])) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n\n groups = args[0];\n options = args[1];\n }\n }\n\n if (args.length === 1) {\n request = new MonoCloudCookieRequest();\n response = new MonoCloudCookieResponse();\n\n groups = args[0];\n }\n\n if (\n !Array.isArray(groups) \|\|\n !isMonoCloudRequest(request) \|\|\n !isMonoCloudResponse(response) \|\|\n (options && typeof options !== 'object')\n ) {\n throw new MonoCloudValidationError(\n 'Invalid parameters passed to isUserInGroup()'\n );\n }\n\n const result = await this.coreClient.isUserInGroup(\n request,\n response,\n groups,\n options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n options?.matchAll\n );\n\n return result;\n }\n\n /\n @see {@link redirectToSignIn} for full docs and examples.\n * @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.\n * @returns Never resolves. Triggers a redirect to the sign-in flow.\n /\n public async redirectToSignIn(\n options?: RedirectToSignInOptions\n ): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n await headers();\n } catch {\n throw new Error(\n 'redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n if (options?.returnUrl) {\n signInRoute.searchParams.set('return_url', options.returnUrl);\n }\n\n if (options?.maxAge) {\n signInRoute.searchParams.set('max_age', options.maxAge.toString());\n }\n\n if (options?.authenticatorHint) {\n signInRoute.searchParams.set(\n 'authenticator_hint',\n options.authenticatorHint\n );\n }\n\n if (options?.scopes) {\n signInRoute.searchParams.set('scope', options.scopes);\n }\n\n if (options?.resource) {\n signInRoute.searchParams.set('resource', options.resource);\n }\n\n if (options?.display) {\n signInRoute.searchParams.set('display', options.display);\n }\n\n if (options?.uiLocales) {\n signInRoute.searchParams.set('ui_locales', options.uiLocales);\n }\n\n if (Array.isArray(options?.acrValues)) {\n signInRoute.searchParams.set('acr_values', options.acrValues.join(' '));\n }\n\n if (options?.loginHint) {\n signInRoute.searchParams.set('login_hint', options.loginHint);\n }\n\n if (options?.prompt) {\n signInRoute.searchParams.set('prompt', options.prompt);\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signInRoute.toString());\n }\n\n /\n @see {@link redirectToSignOut} for full docs and examples.\n * @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.\n * @returns Never resolves. Triggers a redirect to the sign-out flow.\n /\n public async redirectToSignOut(\n options?: RedirectToSignOutOptions\n ): Promise<void> {\n const { routes, appUrl } = this.coreClient.getOptions();\n\n try {\n // @ts-expect-error Cannot find module 'next/headers'\n const { headers } = await import('next/headers');\n\n await headers();\n } catch {\n throw new Error(\n 'redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n );\n }\n\n const signOutRoute = new URL(`${appUrl}${routes.signOut}`);\n\n if (options?.postLogoutRedirectUri?.trim().length) {\n signOutRoute.searchParams.set(\n 'post_logout_url',\n options.postLogoutRedirectUri\n );\n }\n\n if (typeof options?.federated === 'boolean') {\n signOutRoute.searchParams.set('federated', options.federated.toString());\n }\n\n // @ts-expect-error Cannot find module 'next/navigation'\n const { redirect } = await import('next/navigation');\n\n redirect(signOutRoute.toString());\n }\n\n private getOptions(): MonoCloudOptions {\n return this.coreClient.getOptions();\n }\n\n private registerPublicEnvVariables(): void {\n Object.keys(process.env)\n .filter(key => key.startsWith('NEXT_PUBLIC_MONOCLOUD_AUTH'))\n .forEach(publicKey => {\n const [, privateKey] = publicKey.split('NEXT_PUBLIC_');\n process.env[privateKey] = process.env[publicKey];\n });\n }\n}\n","import type { ParsedUrlQuery } from 'node:querystring';\nimport { MonoCloudNextClient } from './monocloud-next-client';\nimport type {\n AppRouterApiHandlerFn,\n AppRouterPageHandler,\n IsUserInGroupOptions,\n MonoCloudAuthHandler,\n MonoCloudAuthOptions,\n MonoCloudMiddlewareOptions,\n NextMiddlewareResult,\n ProtectApiAppOptions,\n ProtectApiPageOptions,\n ProtectAppPageOptions,\n ProtectedAppServerComponent,\n ProtectOptions,\n ProtectPagePageOptions,\n ProtectPagePageReturnType,\n RedirectToSignInOptions,\n RedirectToSignOutOptions,\n} from './types';\nimport type {\n NextMiddleware,\n NextProxy,\n NextRequest,\n NextFetchEvent,\n NextResponse,\n} from 'next/server';\nimport type { MonoCloudSession } from '@monocloud/auth-core';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';\nimport type {\n GetTokensOptions,\n MonoCloudTokens,\n} from '@monocloud/auth-node-core';\n\nlet instance: MonoCloudNextClient \| undefined;\n\n/\n Retrieves the singleton instance of the MonoCloudNextClient.\n * Initializes it lazily on the first call.\n /\nconst getInstance = (): MonoCloudNextClient => {\n instance ??= new MonoCloudNextClient();\n return instance;\n};\n\n/\n Creates a Next.js catch-all auth route handler (Pages Router and App Router) for the built-in routes (`/signin`, `/callback`, `/userinfo`, `/signout`).\n \n Mount this handler on a catch-all route (e.g. `/api/auth/[...monocloud]`).\n \n > If you already use `authMiddleware()`, you typically don’t need this handler. Use `monoCloudAuth()` when middleware cannot be used or when auth routes need customization.\n \n @example App Router\n * ```tsx:src/app/api/auth/[...monocloud]/route.ts tab=\"App Router\" tab-group=\"monoCloudAuth\"\n * import { monoCloudAuth } from \"@monocloud/auth-nextjs\";\n \n export const GET = monoCloudAuth();\n ```\n \n * @example App Router (Response)\n * ```tsx:src/app/api/auth/[...monocloud]/route.ts tab=\"App Router (Response)\" tab-group=\"monoCloudAuth\"\n * import { monoCloudAuth } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = (req: NextRequest) => {\n * const authHandler = monoCloudAuth();\n \n const res = new NextResponse();\n \n res.cookies.set(\"last_auth_requested\", `${Date.now()}`);\n \n return authHandler(req, res);\n * };\n * ```\n \n @example Pages Router\n * ```tsx:src/pages/api/auth/[...monocloud].ts tab=\"Pages Router\" tab-group=\"monoCloudAuth\"\n * import { monoCloudAuth } from \"@monocloud/auth-nextjs\";\n \n export default monoCloudAuth();\n ```\n \n * @example Pages Router (Response)\n * ```tsx:src/pages/api/auth/[...monocloud].ts tab=\"Pages Router (Response)\" tab-group=\"monoCloudAuth\"\n * import { monoCloudAuth } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default function handler(req: NextApiRequest, res: NextApiResponse) {\n * const authHandler = monoCloudAuth();\n \n res.setHeader(\"last_auth_requested\", `${Date.now()}`);\n \n return authHandler(req, res);\n * }\n * ```\n \n @param options Optional configuration for the auth handler.\n * @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.\n \n @category Functions\n /\nexport function monoCloudAuth(\n options?: MonoCloudAuthOptions\n): MonoCloudAuthHandler {\n return getInstance().monoCloudAuth(options);\n}\n\n/\n Creates a Next.js authentication middleware that protects routes.\n \n By default, all routes matched by `config.matcher` are protected unless configured otherwise.\n \n @example Protect All Routes\n * ```tsx:src/proxy.ts tab=\"Protect All Routes\" tab-group=\"auth-middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware();\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Protect Selected Routes\n * ```tsx:src/proxy.ts tab=\"Protect Selected Routes\" tab-group=\"auth-middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware({\n * protectedRoutes: [\"/api/admin\", \"^/api/protected(/.)?$\"],\n });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n ```\n \n * @example No Protected Routes\n * ```tsx:src/proxy.ts tab=\"No Protected Routes\" tab-group=\"auth-middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware({\n * protectedRoutes: [],\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Dynamic\n * ```tsx:src/proxy.ts tab=\"Dynamic\" tab-group=\"auth-middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware({\n * protectedRoutes: (req) => {\n * return req.nextUrl.pathname.startsWith(\"/api/protected\");\n * },\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @example Group Protection\n * ```tsx:src/proxy.ts tab=\"Group Protection\" tab-group=\"auth-middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n \n export default authMiddleware({\n * protectedRoutes: [\n * {\n * groups: [\"admin\", \"editor\", \"537e7c3d-a442-4b5b-b308-30837aa045a4\"],\n * routes: [\"/internal\", \"/api/internal(.)\"],\n },\n * ],\n * });\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @param options Optional configuration that controls how authentication is enforced (for example, redirect behavior, route matching, or custom handling of unauthenticated requests).\n * @returns Returns a Next.js middleware result, such as a `NextResponse`, `redirect`, or `undefined` to continue processing.\n \n @category Functions\n /\nexport function authMiddleware(\n options?: MonoCloudMiddlewareOptions\n): NextMiddleware \| NextProxy;\n\n/\n Executes the authentication middleware manually.\n \n Intended for advanced scenarios where the middleware is composed within custom logic.\n \n @example Composing with custom middleware\n \n ```tsx:src/proxy.ts title=\"Composing with custom middleware\"\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n * import { NextFetchEvent, NextRequest, NextResponse } from \"next/server\";\n \n export default function customMiddleware(req: NextRequest, evt: NextFetchEvent) {\n * if (req.nextUrl.pathname.startsWith(\"/api/protected\")) {\n * return authMiddleware(req, evt);\n * }\n \n return NextResponse.next();\n * }\n \n export const config = {\n * matcher: [\n * \"/((?!_next/static\|_next/image\|favicon.ico\|sitemap.xml\|robots.txt).)\",\n ],\n * };\n * ```\n \n @param request Incoming Next.js middleware request used to resolve authentication state.\n * @param event Next.js middleware event providing lifecycle hooks such as `waitUntil`.\n * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).\n \n @category Functions\n /\nexport function authMiddleware(\n request: NextRequest,\n event: NextFetchEvent\n): Promise<NextMiddlewareResult> \| NextMiddlewareResult;\n\nexport function authMiddleware(\n ...args: any[]\n):\n \| NextMiddleware\n \| NextProxy\n \| Promise<NextMiddlewareResult>\n \| NextMiddlewareResult {\n return getInstance().authMiddleware(...args);\n}\n\n/\n Retrieves the current user's session using the active server request context.\n \n Intended for Server Components, Server Actions, Route Handlers, and Middleware where the request is implicitly available.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"session-ssr\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n \n export default async function Home() {\n * const session = await getSession();\n \n return <div>{session?.user.name}</div>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"session-ssr\"\n * \"use server\";\n \n import { getSession } from \"@monocloud/auth-nextjs\";\n \n export async function getUserAction() {\n * const session = await getSession();\n \n return { name: session?.user.name };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/user/route.ts tab=\"API Handler\" tab-group=\"session-ssr\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const session = await getSession();\n \n return NextResponse.json({ name: session?.user.name });\n * };\n * ```\n \n @example Middleware\n * ```tsx:src/proxy.ts tab=\"Middleware\" tab-group=\"session-ssr\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export default async function proxy() {\n * const session = await getSession();\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @returns Returns the resolved session, or `undefined` if none exists.\n \n @category Functions\n /\nexport function getSession(): Promise<MonoCloudSession \| undefined>;\n\n/\n Retrieves the current user's session using an explicit Web or Next.js request.\n \n Use this overload when you already have access to a `Request` or `NextRequest` (for example in Middleware or Route Handlers).\n \n @example Middleware (Request)\n * ```tsx:src/proxy.ts tab=\"Middleware (Request)\" tab-group=\"session-route-handler\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const session = await getSession(req);\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @example Middleware (Response)\n * ```tsx:src/proxy.ts tab=\"Middleware (Response)\" tab-group=\"session-route-handler\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const res = NextResponse.next();\n \n const session = await getSession(req, res);\n \n if (!session) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n res.headers.set(\"x-auth-status\", \"active\");\n \n return res;\n * }\n * ```\n \n @example API Handler (Request)\n * ```tsx:src/app/api/user/route.ts tab=\"API Handler (Request)\" tab-group=\"session-route-handler\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const session = await getSession(req);\n \n return NextResponse.json({ name: session?.user.name });\n * };\n * ```\n \n @example API Handler (Response)\n * ```tsx:src/app/api/user/route.ts tab=\"API Handler (Response)\" tab-group=\"session-route-handler\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"YOUR CUSTOM RESPONSE\");\n \n const session = await getSession(req, res);\n \n if (session?.user) {\n * res.cookies.set(\"something\", \"important\");\n * }\n \n return res;\n * };\n * ```\n \n @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.\n * @param res Optional response to update if session resolution requires refreshed authentication cookies or headers.\n * @returns Returns the resolved session, or `undefined` if none exists.\n \n @category Functions\n /\nexport function getSession(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n): Promise<MonoCloudSession \| undefined>;\n\n/\n Retrieves the current user's session in the Pages Router or Node.js runtime.\n \n Use this overload in API routes or `getServerSideProps`, where Node.js request and response objects are available.\n \n @example Pages Router (Pages)\n * ```tsx:src/pages/index.tsx tab=\"Pages Router (Pages)\" tab-group=\"session-pages\"\n * import { getSession, MonoCloudSession } from \"@monocloud/auth-nextjs\";\n * import { GetServerSideProps } from \"next\";\n \n type Props = {\n * session?: MonoCloudSession;\n * };\n \n export default function Home({ session }: Props) {\n * return <pre>Session: {JSON.stringify(session, null, 2)}</pre>;\n * }\n \n export const getServerSideProps: GetServerSideProps<Props> = async (ctx) => {\n * const session = await getSession(ctx.req, ctx.res);\n \n return {\n * props: {\n * session\n * }\n * };\n * };\n * ```\n * @example Pages Router (API)\n * ```tsx:src/pages/api/user.ts tab=\"Pages Router (API)\" tab-group=\"session-pages\"\n * import { getSession } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const session = await getSession(req, res);\n \n res.status(200).json({ name: session?.user.name });\n * }\n * ```\n \n @param req Incoming Node.js request used to read authentication cookies and resolve the current user's session.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @returns Returns the resolved session, or `undefined` if none exists.\n \n @category Functions\n /\nexport function getSession(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n): Promise<MonoCloudSession \| undefined>;\n\nexport function getSession(\n ...args: any[]\n): Promise<MonoCloudSession \| undefined> {\n return (getInstance().getSession as any)(...args);\n}\n\n/\n Retrieves the current user's tokens using the active server request context.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"tokens-ssr\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n \n export default async function Home() {\n * const tokens = await getTokens();\n \n return <div>Expired: {tokens.isExpired.toString()}</div>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"tokens-ssr\"\n * \"use server\";\n \n import { getTokens } from \"@monocloud/auth-nextjs\";\n \n export async function getExpiredAction() {\n * const tokens = await getTokens();\n \n return { expired: tokens.isExpired };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/tokens/route.ts tab=\"API Handler\" tab-group=\"tokens-ssr\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const tokens = await getTokens();\n \n return NextResponse.json({ expired: tokens.isExpired });\n * };\n * ```\n \n @example Middleware\n * ```tsx:src/proxy.ts tab=\"Middleware\" tab-group=\"tokens-ssr\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export default async function proxy() {\n * const tokens = await getTokens();\n \n if (tokens.isExpired) {\n * return new NextResponse(\"Tokens expired\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @example Refresh the default token\n \n The default token is the access token associated with your default authorization parameters:\n * - Scopes: `MONOCLOUD_AUTH_SCOPES` or `options.defaultAuthParams.scopes`\n * - Resource: `MONOCLOUD_AUTH_RESOURCE` or `options.defaultAuthParams.resource`\n \n Calling `getTokens()` returns the current token set and refreshes the default token automatically when needed (for example, if it has expired). To force a refresh even when it isn’t expired, use `forceRefresh: true`.\n \n ```tsx:src/app/page.tsx title=\"Refresh default token\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * // Forces a refresh of the default token\n * const tokens = await getTokens({ forceRefresh: true });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @example Request an access token for resource(s)\n \n Use `resource` and `scopes` to request an access token for one or more resources.\n \n > The requested resource and scopes must be included in the initial authorization flow (so the user has consented / the session is eligible to mint that token).\n \n ```tsx:src/app/page.tsx title=\"Request a new access token for resource(s)\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const tokens = await getTokens({\n * resource: \"https://first.example.com https://second.example.com\",\n * scopes: \"read:first read:second shared\",\n * });\n \n return NextResponse.json({ accessToken: tokens?.accessToken });\n * };\n * ```\n \n @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n \n @category Functions\n /\nexport function getTokens(options?: GetTokensOptions): Promise<MonoCloudTokens>;\n\n/\n Retrieves the current user's tokens using an explicit Web or Next.js request.\n \n Use this overload when you already have access to a `Request` or `NextRequest` (for example, in Middleware or Route Handlers).\n \n @example Middleware (Request)\n * ```tsx:src/proxy.ts tab=\"Middleware (Request)\" tab-group=\"tokens-route-handler-request\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const tokens = await getTokens(req);\n \n if (tokens.isExpired) {\n * return new NextResponse(\"Tokens expired\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @example API Handler (Request)\n * ```tsx:src/app/api/tokens/route.ts tab=\"API Handler (Request)\" tab-group=\"tokens-route-handler-request\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const tokens = await getTokens(req);\n \n return NextResponse.json({ expired: tokens?.isExpired });\n * };\n * ```\n \n @param req Incoming request used to resolve authentication from cookies and headers.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n \n @category Functions\n /\nexport function getTokens(\n req: NextRequest \| Request,\n options?: GetTokensOptions\n): Promise<MonoCloudTokens>;\n\n/\n Retrieves the current user's tokens using an explicit request and response.\n \n Use this overload when you have already created a response and want refreshed authentication cookies or headers applied to it.\n \n @example Middleware (Response)\n ```tsx:src/proxy.ts tab=\"Middleware (Response)\" tab-group=\"tokens-route-handler-response\"\n import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const res = NextResponse.next();\n \n const tokens = await getTokens(req, res);\n \n res.headers.set(\"x-tokens-expired\", tokens.isExpired.toString());\n \n return res;\n * }\n * ```\n \n @example API Handler (Response)\n * ```tsx:src/app/api/tokens/route.ts tab=\"API Handler (Response)\" tab-group=\"tokens-route-handler-response\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Custom Body\");\n \n const tokens = await getTokens(req, res);\n \n if (!tokens.isExpired) {\n * res.headers.set(\"x-auth-status\", \"active\");\n * }\n \n return res;\n * };\n * ```\n \n @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Existing response to update with refreshed authentication cookies or headers.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n \n @category Functions\n /\nexport function getTokens(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n options?: GetTokensOptions\n): Promise<MonoCloudTokens>;\n\n/\n Retrieves the current user's tokens in the Pages Router or Node.js runtime.\n \n Use this overload in API routes or `getServerSideProps`, where Node.js request and response objects are available.\n \n @example Pages Router (Pages)\n * ```tsx:src/pages/index.tsx tab=\"Pages Router (Pages)\" tab-group=\"tokens-pages\"\n * import { getTokens, MonoCloudTokens } from \"@monocloud/auth-nextjs\";\n * import { GetServerSideProps } from \"next\";\n \n type Props = {\n * tokens: MonoCloudTokens;\n * };\n \n export default function Home({ tokens }: Props) {\n * return <pre>Tokens: {JSON.stringify(tokens, null, 2)}</pre>;\n * }\n \n export const getServerSideProps: GetServerSideProps<Props> = async (ctx) => {\n * const tokens = await getTokens(ctx.req, ctx.res);\n \n return {\n * props: {\n * tokens: tokens\n * }\n * };\n * };\n * ```\n \n @example Pages Router (API)\n * ```tsx:src/pages/api/tokens.ts tab=\"Pages Router (API)\" tab-group=\"tokens-pages\"\n * import { getTokens } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const tokens = await getTokens(req, res);\n \n res.status(200).json({ accessToken: tokens?.accessToken });\n * }\n * ```\n \n @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n * @returns The current user's tokens, refreshed if necessary.\n * @throws {@link MonoCloudValidationError} If no valid session exists.\n \n @category Functions\n /\nexport function getTokens(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n options?: GetTokensOptions\n): Promise<MonoCloudTokens>;\n\nexport function getTokens(...args: any[]): Promise<MonoCloudTokens> {\n return getInstance().getTokens(...args);\n}\n\n/\n Checks whether the current user is authenticated using the active server request context.\n \n Intended for Server Components, Server Actions, Route Handlers, and Middleware where the request is implicitly available.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"is-authenticated-ssr\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n \n export default async function Home() {\n * const authenticated = await isAuthenticated();\n \n return <div>Authenticated: {authenticated.toString()}</div>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"is-authenticated-ssr\"\n * \"use server\";\n \n import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n \n export async function checkAuthAction() {\n * const authenticated = await isAuthenticated();\n \n return { authenticated };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/authenticated/route.ts tab=\"API Handler\" tab-group=\"is-authenticated-ssr\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const authenticated = await isAuthenticated();\n \n return NextResponse.json({ authenticated });\n * };\n * ```\n \n @example Middleware\n * ```tsx:src/proxy.ts tab=\"Middleware\" tab-group=\"is-authenticated-ssr\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export default async function proxy() {\n * const authenticated = await isAuthenticated();\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @returns Returns `true` if a valid session exists; otherwise `false`.\n \n @category Functions\n /\nexport function isAuthenticated(): Promise<boolean>;\n\n/\n Checks whether the current user is authenticated using an explicit Web or Next.js request.\n \n Use this overload when you already have access to a `Request` or `NextRequest` (for example, in Middleware or Route Handlers).\n \n @example Middleware (Request)\n * ```tsx:src/proxy.ts tab=\"Middleware (Request)\" tab-group=\"is-authenticated-route-handler\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const authenticated = await isAuthenticated(req);\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @example Middleware (Response)\n * ```tsx:src/proxy.ts tab=\"Middleware (Response)\" tab-group=\"is-authenticated-route-handler\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const res = NextResponse.next();\n \n const authenticated = await isAuthenticated(req, res);\n \n if (!authenticated) {\n * return new NextResponse(\"User not signed in\", { status: 401 });\n * }\n \n res.headers.set(\"x-authenticated\", \"true\");\n \n return res;\n * }\n * ```\n \n @example API Handler (Request)\n * ```tsx:src/app/api/authenticated/route.ts tab=\"API Handler (Request)\" tab-group=\"is-authenticated-route-handler\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const authenticated = await isAuthenticated(req);\n \n return NextResponse.json({ authenticated });\n * };\n * ```\n \n @example API Handler (Response)\n * ```tsx:src/app/api/authenticated/route.ts tab=\"API Handler (Response)\" tab-group=\"is-authenticated-route-handler\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"YOUR CUSTOM RESPONSE\");\n \n const authenticated = await isAuthenticated(req, res);\n \n if (authenticated) {\n * res.cookies.set(\"something\", \"important\");\n * }\n \n return res;\n * };\n * ```\n \n @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Optional response to update if refreshed authentication cookies or headers are required.\n * @returns Returns `true` if a valid session exists; otherwise `false`.\n \n @category Functions\n /\nexport function isAuthenticated(\n req: NextRequest \| Request,\n res?: NextResponse \| Response\n): Promise<boolean>;\n\n/\n Checks whether the current user is authenticated in the Pages Router or Node.js runtime.\n \n Use this overload in API routes or `getServerSideProps`, where Node.js request and response objects are available.\n \n @example Pages Router (Pages)\n * ```tsx:src/pages/index.tsx tab=\"Pages Router (Pages)\" tab-group=\"is-authenticated-pages\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { GetServerSideProps } from \"next\";\n \n type Props = {\n * authenticated: boolean;\n * };\n \n export default function Home({ authenticated }: Props) {\n * return <pre>User is {authenticated ? \"logged in\" : \"guest\"}</pre>;\n * }\n \n export const getServerSideProps: GetServerSideProps<Props> = async (ctx) => {\n * const authenticated = await isAuthenticated(ctx.req, ctx.res);\n \n return {\n * props: {\n * authenticated\n * }\n * };\n * };\n * ```\n \n @example Pages Router (API)\n * ```tsx:src/pages/api/authenticated.ts tab=\"Pages Router (API)\" tab-group=\"is-authenticated-pages\"\n * import { isAuthenticated } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const authenticated = await isAuthenticated(req, res);\n \n res.status(200).json({ authenticated });\n * }\n * ```\n \n @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @returns Returns `true` if a valid session exists; otherwise `false`.\n \n @category Functions\n /\nexport function isAuthenticated(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>\n): Promise<boolean>;\n\nexport function isAuthenticated(...args: any[]): Promise<boolean> {\n return (getInstance().isAuthenticated as any)(...args);\n}\n\n/\n Ensures the current user is authenticated. If not, redirects to the sign-in flow.\n \n > App Router only. Intended for Server Components, Route Handlers, and Server Actions.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"protect\"\n * import { protect } from \"@monocloud/auth-nextjs\";\n \n export default async function Home() {\n * await protect();\n \n return <>You are signed in.</>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"protect\"\n * \"use server\";\n \n import { protect } from \"@monocloud/auth-nextjs\";\n \n export async function getMessage() {\n * await protect();\n \n return { secret: \"sssshhhhh!!!\" };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/protected/route.ts tab=\"API Handler\" tab-group=\"protect\"\n * import { protect } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * await protect();\n \n return NextResponse.json({ secret: \"ssshhhh!!!\" });\n * };\n * ```\n \n @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).\n * @returns Resolves if the user is authenticated; otherwise triggers a redirect.\n \n @category Functions\n /\nexport function protect(options?: ProtectOptions): Promise<void> {\n return getInstance().protect(options);\n}\n\n/\n Wraps an App Router API route handler and ensures that only authenticated (and optionally authorized) requests can access the route.\n \n Intended for Next.js App Router Route Handlers.\n \n @example\n * ```tsx:src/app/api/protected/route.ts\n * import { protectApi } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = protectApi(async () => {\n * return NextResponse.json({\n * message: \"You accessed a protected endpoint\",\n * });\n * });\n * ```\n \n @param handler The route handler to protect.\n * @param options Optional configuration controlling authentication and authorization behavior.\n * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n \n @category Functions\n /\nexport function protectApi(\n handler: AppRouterApiHandlerFn,\n options?: ProtectApiAppOptions\n): AppRouterApiHandlerFn;\n\n/\n Wraps a Pages Router API route handler and ensures that only authenticated (and optionally authorized) requests can access the route.\n \n Intended for Next.js Pages Router API routes.\n \n @example\n * ```tsx:src/pages/api/protected.ts\n * import { protectApi } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default protectApi(\n * async (req: NextApiRequest, res: NextApiResponse) => {\n * return res.json({\n * message: \"You accessed a protected endpoint\",\n * });\n * }\n * );\n * ```\n \n @param handler - The route handler to protect.\n * @param options Optional configuration controlling authentication and authorization behavior.\n * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n \n @category Functions\n /\nexport function protectApi(\n handler: NextApiHandler,\n options?: ProtectApiPageOptions\n): NextApiHandler;\n\nexport function protectApi(\n handler: AppRouterApiHandlerFn \| NextApiHandler,\n options?: ProtectApiAppOptions \| ProtectApiPageOptions\n): AppRouterApiHandlerFn \| NextApiHandler {\n return (getInstance().protectApi as any)(handler, options);\n}\n\n/\n Restricts access to App Router server-rendered pages.\n \n Access control\n * - If the user is not authenticated, `onAccessDenied` is invoked (or default behavior applies).\n * - If the user is authenticated but fails group checks, `onGroupAccessDenied` is invoked (or the default \"Access Denied\" view is rendered).\n \n Both behaviors can be customized via options.\n \n @example Basic Usage\n * ```tsx:src/app/page.tsx tab=\"Basic Usage\" tab-group=\"protectPage-app\"\n * import { protectPage } from \"@monocloud/auth-nextjs\";\n \n export default protectPage(async function Home({ user }) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * });\n * ```\n \n @example With Options\n * ```tsx:src/app/page.tsx tab=\"With Options\" tab-group=\"protectPage-app\"\n * import { protectPage } from \"@monocloud/auth-nextjs\";\n \n export default protectPage(\n * async function Home({ user }) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * },\n * {\n * returnUrl: \"/dashboard\",\n * groups: [\"admin\"],\n * }\n * );\n * ```\n \n @param component The App Router server component to protect.\n * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n * @returns A wrapped page component that enforces authentication before rendering.\n \n @category Functions\n /\nexport function protectPage(\n component: ProtectedAppServerComponent,\n options?: ProtectAppPageOptions\n): AppRouterPageHandler;\n\n/\n Restricts access to Pages Router server-rendered pages using `getServerSideProps`.\n \n Access control\n * - If the user is not authenticated, `onAccessDenied` is invoked (or default behavior applies).\n * - If the user is authenticated but fails group checks, the page can still render and `groupAccessDenied` is provided in props. Use `onGroupAccessDenied` to customize the props or behavior.\n \n Both behaviors can be customized via options.\n \n @example Basic Usage\n * ```tsx:src/pages/index.tsx tab=\"Basic Usage\" tab-group=\"protectPage-page\"\n * import { protectPage, MonoCloudUser } from \"@monocloud/auth-nextjs\";\n \n type Props = {\n * user: MonoCloudUser;\n * };\n \n export default function Home({ user }: Props) {\n * return <>Hi {user.email}. You accessed a protected page.</>;\n * }\n \n export const getServerSideProps = protectPage();\n * ```\n \n @example With Options\n * ```tsx:src/pages/index.tsx tab=\"With Options\" tab-group=\"protectPage-page\"\n * import { protectPage, MonoCloudUser } from \"@monocloud/auth-nextjs\";\n * import { GetServerSidePropsContext } from \"next\";\n \n type Props = {\n * user: MonoCloudUser;\n * url: string;\n * };\n \n export default function Home({ user, url }: Props) {\n * console.log(url);\n * return <div>Hi {user?.email}. You accessed a protected page.</div>;\n * }\n \n export const getServerSideProps = protectPage({\n * returnUrl: \"/dashboard\",\n * groups: [\"admin\"],\n * getServerSideProps: async (context: GetServerSidePropsContext) => ({\n * props: { url: context.resolvedUrl }\n * })\n * });\n * ```\n \n @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n * @typeParam P - Props returned from `getServerSideProps`.\n * @typeParam Q - Query parameters parsed from the URL.\n * @returns A getServerSideProps wrapper that enforces authentication before executing the page logic.\n \n @category Functions\n /\nexport function protectPage<\n P extends Record<string, any> = Record<string, any>,\n Q extends ParsedUrlQuery = ParsedUrlQuery,\n>(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q>;\n\nexport function protectPage(...args: any[]): any {\n return getInstance().protectPage(...args);\n}\n\n/\n Checks whether the currently authenticated user is a member of any of the specified groups.\n \n The `groups` parameter accepts group identifiers (IDs or names).\n \n The authenticated user's session may contain groups represented as:\n * - Group IDs\n * - Group names\n * - `Group` objects (for example, `{ id: string; name: string }`)\n \n Matching is always performed against the group's ID and name, regardless of how the group is represented in the session.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"is-user-in-group-rsc\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n \n export default async function AdminPanel() {\n * const isAdmin = await isUserInGroup([\"admin\"]);\n \n if (!isAdmin) {\n * return <div>Access Denied</div>;\n * }\n \n return <div>Admin Control Panel</div>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"is-user-in-group-rsc\"\n * \"use server\";\n \n import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n \n export async function deletePostAction() {\n * const canDelete = await isUserInGroup([\"admin\", \"editor\"]);\n \n if (!canDelete) {\n * return { success: false };\n * }\n \n return { success: true };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/group-check/route.ts tab=\"API Handler\" tab-group=\"is-user-in-group-rsc\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const allowed = await isUserInGroup([\"admin\", \"editor\"]);\n \n if (!allowed) {\n * return new NextResponse(\"Forbidden\", { status: 403 });\n * }\n \n return NextResponse.json({ status: \"success\" });\n * };\n * ```\n \n @example Middleware\n * ```tsx:src/proxy.ts tab=\"Middleware\" tab-group=\"is-user-in-group-rsc\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export default async function proxy() {\n * const isAdmin = await isUserInGroup([\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n \n @category Functions\n /\nexport function isUserInGroup(\n groups: string[],\n options?: IsUserInGroupOptions\n): Promise<boolean>;\n\n/\n Checks group membership using an explicit Web or Next.js request.\n \n Use this overload when you already have access to a `Request` or `NextRequest` (for example, in Middleware or Route Handlers).\n \n @example Middleware (Request)\n * ```tsx:src/proxy.ts tab=\"Middleware (Request)\" tab-group=\"is-user-in-group-request\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const isAdmin = await isUserInGroup(req, [\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n return NextResponse.next();\n * }\n * ```\n \n @example API Handler (Request)\n * ```tsx:src/app/api/group-check/route.ts tab=\"API Handler (Request)\" tab-group=\"is-user-in-group-request\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const isMember = await isUserInGroup(req, [\"admin\", \"editor\"]);\n \n return NextResponse.json({ isMember });\n * };\n * ```\n \n @param req Incoming request used to resolve authentication from cookies and headers.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n \n @category Functions\n /\nexport function isUserInGroup(\n req: NextRequest \| Request,\n groups: string[],\n options?: IsUserInGroupOptions\n): Promise<boolean>;\n\n/\n Checks group membership using an explicit request and response.\n \n Use this overload when you have already created a response and want refreshed authentication cookies or headers applied to it.\n \n @example Middleware (Response)\n * ```tsx:src/proxy.ts tab=\"Middleware (Response)\" tab-group=\"is-user-in-group-response\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export default async function proxy(req: NextRequest) {\n * const res = NextResponse.next();\n \n const isAdmin = await isUserInGroup(req, res, [\"admin\"]);\n \n if (!isAdmin) {\n * return new NextResponse(\"User is not admin\", { status: 403 });\n * }\n \n res.headers.set(\"x-user\", \"admin\");\n \n return res;\n * }\n * ```\n \n @example API Handler (Response)\n * ```tsx:src/app/api/group-check/route.ts tab=\"API Handler (Response)\" tab-group=\"is-user-in-group-response\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextRequest, NextResponse } from \"next/server\";\n \n export const GET = async (req: NextRequest) => {\n * const res = new NextResponse(\"Restricted Content\");\n \n const allowed = await isUserInGroup(req, res, [\"admin\"]);\n \n if (!allowed) {\n * return new NextResponse(\"Not Allowed\", res);\n * }\n \n return res;\n * };\n * ```\n \n @param req Incoming request used to resolve authentication from cookies and headers.\n * @param res Existing response to update with refreshed authentication cookies or headers when required.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n \n @category Functions\n /\nexport function isUserInGroup(\n req: NextRequest \| Request,\n res: NextResponse \| Response,\n groups: string[],\n options?: IsUserInGroupOptions\n): Promise<boolean>;\n\n/\n Checks group membership in the Pages Router or Node.js runtime.\n \n Use this overload in API routes or `getServerSideProps`, where Node.js request and response objects are available.\n \n @example Pages Router (Pages)\n * ```tsx:src/pages/index.tsx tab=\"Pages Router (Pages)\" tab-group=\"is-user-in-group-pages\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { GetServerSideProps } from \"next\";\n \n type Props = {\n * isAdmin: boolean;\n * };\n \n export default function Home({ isAdmin }: Props) {\n * return <div>User is admin: {isAdmin.toString()}</div>;\n * }\n \n export const getServerSideProps: GetServerSideProps<Props> = async (ctx) => {\n * const isAdmin = await isUserInGroup(ctx.req, ctx.res, [\"admin\"]);\n \n return {\n * props: {\n * isAdmin\n * }\n * };\n * };\n * ```\n \n @example Pages Router (API)\n * ```tsx:src/pages/api/group-check.ts tab=\"Pages Router (API)\" tab-group=\"is-user-in-group-pages\"\n * import { isUserInGroup } from \"@monocloud/auth-nextjs\";\n * import { NextApiRequest, NextApiResponse } from \"next\";\n \n export default async function handler(\n * req: NextApiRequest,\n * res: NextApiResponse\n * ) {\n * const isAdmin = await isUserInGroup(req, res, [\"admin\"]);\n \n if (!isAdmin) {\n * return res.status(403).json({ error: \"Forbidden\" });\n * }\n \n res.status(200).json({ message: \"Welcome Admin\" });\n * }\n * ```\n \n @param req Incoming Node.js request used to resolve authentication from cookies.\n * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n * @param groups Group IDs or names to check against the user's group memberships.\n * @param options Optional configuration controlling how group membership is evaluated.\n * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n \n @category Functions\n /\nexport function isUserInGroup(\n req: NextApiRequest \| IncomingMessage,\n res: NextApiResponse \| ServerResponse<IncomingMessage>,\n groups: string[],\n options?: IsUserInGroupOptions\n): Promise<boolean>;\n\nexport function isUserInGroup(...args: any[]): Promise<boolean> {\n return (getInstance().isUserInGroup as any)(...args);\n}\n\n/\n Redirects the user to the sign-in flow.\n \n > App Router only. Intended for use in Server Components, Route Handlers, and Server Actions.\n \n This helper performs a server-side redirect to the configured sign-in route. Execution does not continue after the redirect is triggered.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"redirect-to-sign-in\"\n * import { isUserInGroup, redirectToSignIn } from \"@monocloud/auth-nextjs\";\n \n export default async function Home() {\n * const allowed = await isUserInGroup([\"admin\"]);\n \n if (!allowed) {\n * await redirectToSignIn({ returnUrl: \"/home\" });\n * }\n \n return <>You are signed in.</>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"redirect-to-sign-in\"\n * \"use server\";\n \n import { getSession, redirectToSignIn } from \"@monocloud/auth-nextjs\";\n \n export async function protectedAction() {\n * const session = await getSession();\n \n if (!session) {\n * await redirectToSignIn();\n * }\n \n return { data: \"Sensitive Data\" };\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/protected/route.ts tab=\"API Handler\" tab-group=\"redirect-to-sign-in\"\n * import { getSession, redirectToSignIn } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const session = await getSession();\n \n if (!session) {\n * await redirectToSignIn({\n * returnUrl: \"/dashboard\",\n * });\n * }\n \n return NextResponse.json({ data: \"Protected content\" });\n * };\n * ```\n \n @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.\n * @returns Never resolves. Triggers a redirect to the sign-in flow.\n \n @category Functions\n /\nexport function redirectToSignIn(\n options?: RedirectToSignInOptions\n): Promise<void> {\n return getInstance().redirectToSignIn(options);\n}\n\n/\n Redirects the user to the sign-out flow.\n \n > App Router only. Intended for use in Server Components, Route Handlers, and Server Actions.\n \n This helper performs a server-side redirect to the configured sign-out route. Execution does not continue after the redirect is triggered.\n \n @example Server Component\n * ```tsx:src/app/page.tsx tab=\"Server Component\" tab-group=\"redirect-to-sign-out\"\n * import { getSession, redirectToSignOut } from \"@monocloud/auth-nextjs\";\n \n export default async function Page() {\n * const session = await getSession();\n \n // Example: Force sign-out if a specific condition is met (e.g., account suspended)\n * if (session?.user.isSuspended) {\n * await redirectToSignOut();\n * }\n \n return <>Welcome User</>;\n * }\n * ```\n \n @example Server Action\n * ```tsx:src/action.ts tab=\"Server Action\" tab-group=\"redirect-to-sign-out\"\n * \"use server\";\n \n import { getSession, redirectToSignOut } from \"@monocloud/auth-nextjs\";\n \n export async function signOutAction() {\n * const session = await getSession();\n \n if (session) {\n * await redirectToSignOut();\n * }\n * }\n * ```\n \n @example API Handler\n * ```tsx:src/app/api/signout/route.ts tab=\"API Handler\" tab-group=\"redirect-to-sign-out\"\n * import { getSession, redirectToSignOut } from \"@monocloud/auth-nextjs\";\n * import { NextResponse } from \"next/server\";\n \n export const GET = async () => {\n * const session = await getSession();\n \n if (session) {\n * await redirectToSignOut({\n * postLogoutRedirectUri: \"/goodbye\",\n * });\n * }\n \n return NextResponse.json({ status: \"already_signed_out\" });\n * };\n * ```\n \n @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.\n * @returns Never resolves. Triggers a redirect to the sign-out flow.\n \n @category Functions\n */\nexport function redirectToSignOut(\n options?: RedirectToSignOutOptions\n): Promise<void> {\n return getInstance().redirectToSignOut(options);\n}\n"],"mappings":";;;;;;;AAIA,IAAqB,4BAArB,MAA2E;CACzE,YAAY,AAAgB,KAAkB;EAAlB;;CAE5B,SAAS,WAAkD;AAEzD,SADY,IAAI,IAAI,KAAK,IAAI,IAAI,CACtB,aAAa,IAAI,UAAU,IAAI;;CAG5C,UAAU,MAA2C;;AACnD,SAAO,QAAQ,iCAAQ,KAAK,IAAI,QAAQ,IAAI,KAAK,gFAAE,MAAM;;CAG3D,MAAM,gBAIH;AACD,SAAO;GACL,QAAQ,KAAK,IAAI;GACjB,KAAK,KAAK,IAAI;GACd,MAAM,MAAM,KAAK,IAAI,MAAM;GAC5B;;CAGH,gBAA8C;EAC5C,MAAM,yBAAS,IAAI,KAAqB;AACxC,OAAK,IAAI,QAAQ,QAAQ,CAAC,SAAQ,MAAK;AACrC,UAAO,IAAI,EAAE,MAAM,EAAE,MAAM;IAC3B;AACF,SAAO,QAAQ,QAAQ,OAAO;;;;;;AC7BlC,IAAqB,6BAArB,MAA4E;CAC1E,YAAY,AAAgB,KAAqB;EAArB;;;CAG5B,SAAS,WAAkD;AACzD,SAAO,KAAK,IAAI,MAAM;;;CAIxB,UAAU,MAA2C;AACnD,SAAO,QAAQ,QAAQ,KAAK,IAAI,QAAQ,MAAM;;;CAIhD,gBAIG;AACD,SAAO,QAAQ,QAAQ;GACrB,QAAQ,KAAK,IAAI;GACjB,KAAK,KAAK,IAAI;GACd,MAAM,KAAK,IAAI;GAChB,CAAC;;CAGJ,gBAA8C;EAC5C,MAAM,yBAAS,IAAI,KAAqB;EACxC,MAAM,EAAE,YAAY,KAAK;AACzB,SAAO,KAAK,QAAQ,CAAC,SAAQ,MAAK;GAChC,MAAM,MAAM,QAAQ;;AAEpB,OAAI,OAAO,MAAM,YAAY,OAAO,QAAQ,SAC1C,QAAO,IAAI,GAAG,IAAI;IAEpB;AACF,SAAO,QAAQ,QAAQ,OAAO;;;;;;ACjClC,IAAqB,6BAArB,MAA6E;CAC3E,YAAY,AAAO,KAAmB;EAAnB;;CAEnB,UACE,YACA,OACA,SACe;AACf,OAAK,IAAI,QAAQ,IAAI,YAAY,OAAO,QAAQ;AAChD,SAAO,QAAQ,SAAS;;CAG1B,SAAS,KAAa,aAAiC,KAAW;EAChE,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,aAAa,SAAS,KAAK;GAAE,QAAQ;GAAY;GAAS,CAAC;;CAGxE,SAAS,MAAW,YAA2B;EAC7C,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,aAAa,KAAK,MAAM;GAAE,QAAQ;GAAY;GAAS,CAAC;;;CAIrE,WAAiB;EACf,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,sBAA4B;EAC1B,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,YAAkB;EAChB,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,mBAAyB;EACvB,MAAM,EAAE,YAAY,KAAK;AACzB,OAAK,MAAM,IAAI,aAAa,MAAM;GAAE,QAAQ;GAAK;GAAS,CAAC;;CAG7D,aAAmB;AACjB,OAAK,IAAI,QAAQ,IAAI,iBAAiB,oBAAoB;AAC1D,OAAK,IAAI,QAAQ,IAAI,UAAU,WAAW;;CAG5C,OAAY;AACV,SAAO,KAAK;;;;;;ACjDhB,IAAqB,8BAArB,MAA8E;CAC5E,YAAY,AAAgB,KAAsB;EAAtB;;CAE5B,UACE,YACA,OACA,SACe;EACf,IAAI,UAAU,KAAK,IAAI,UAAU,aAAa,IAAI,EAAE;;AAGpD,MAAI,CAAC,MAAM,QAAQ,QAAQ,CACzB,WAAU,CAAC,QAAkB;AAG/B,OAAK,IAAI,UAAU,cAAc,CAC/B,GAAG,QAAQ,QAAO,WAAU,CAAC,OAAO,WAAW,GAAG,WAAW,GAAG,CAAC,EACjE,UAAU,YAAY,OAAO,QAAQ,CACtC,CAAC;AAEF,SAAO,QAAQ,SAAS;;;CAI1B,SAAS,KAAa,YAA2B;AAC/C,OAAK,IAAI,SAAS,cAAc,KAAK,IAAI;;;CAI3C,SAAS,MAAW,YAA2B;AAC7C,OAAK,IAAI,OAAO,cAAc,IAAI;AAClC,OAAK,IAAI,KAAK,KAAK;;;CAIrB,WAAiB;AACf,OAAK,IAAI,OAAO,IAAI;;;CAItB,sBAA4B;AAC1B,OAAK,IAAI,OAAO,IAAI;;;CAItB,YAAkB;AAChB,OAAK,IAAI,OAAO,IAAI;;;CAItB,mBAAyB;AACvB,OAAK,IAAI,OAAO,IAAI;;;CAItB,aAAmB;AACjB,OAAK,IAAI,UAAU,iBAAiB,oBAAoB;AACxD,OAAK,IAAI,UAAU,UAAU,WAAW;;;CAI1C,OAAY;AACV,OAAK,IAAI,KAAK;;;;;;AC/DlB,IAAI,WAAW;AAEf,IAAqB,0BAArB,MAAiF;CAC/E,MAAM,UACJ,YACA,OACA,SACe;AACf,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,IAAC,MAAM,SAAS,EAAE,IAAI,YAAY,OAAO,QAAQ;WAC1C,GAAQ;AACf,OAAI,CAAC,UAAU;AACb,YAAQ,KAAK,EAAE,QAAQ;AACvB,eAAW;;;;;;;;ACpBnB,IAAqB,yBAArB,MAA+E;;CAE7E,MAAM,UAAU,MAA2C;;EAEzD,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,gCAAQ,MAAM,SAAS,EAAE,IAAI,KAAK,0EAAE;;CAGtC,MAAM,gBAA8C;EAClD,MAAM,yBAAS,IAAI,KAAqB;EAExC,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,GAAC,MAAM,SAAS,EAAE,QAAQ,CAAC,SAAS,MAAW;AAC7C,UAAO,IAAI,EAAE,MAAM,EAAE,MAAM;IAC3B;AACF,SAAO;;;;;;ACDX,MAAa,sBACX,QAEA,eAAe,6BACf,eAAe,8BACf,eAAe;AAEjB,MAAa,uBACX,QAEA,eAAe,8BACf,eAAe,+BACf,eAAe;AAEjB,MAAa,eAAe,QAC1B,eAAe,WACd,IAAgB,mBAAmB,WACpC,OAAQ,IAAgB,aAAa;AAEvC,MAAa,iBAAiB,QAAqC;AACjE,QAAO,CAAC,EACN,OACA,OAAO,QAAQ,YACf,aAAa,OACb,EAAE,cAAc,QAChB,OAAO,IAAI,OAAO;;AAItB,MAAa,kBAAkB,QAAoC;AACjE,QAAO,CAAC,EACN,OACA,OAAO,QAAQ,YACf,eAAe,OACf,OAAO,IAAI,cAAc,cACzB,SAAS,OACT,OAAO,IAAI,QAAQ;;AAIvB,MAAa,kBAAkB,QAA4C;AACzE,KAAI,eAAe,YACjB,QAAO;AAGT,QAAO,IAAI,YAAY,IAAI,KAAK;EAC9B,QAAQ,IAAI;EACZ,SAAS,IAAI;EACb,MAAM,IAAI;EAEV,QAAS,IAAY,UAAU;EAChC,CAAC;;AAGJ,MAAa,mBACX,QACiB;AACjB,KAAI,eAAe,aACjB,QAAO;AAGT,KAAI,eAAe,UAAU;EAC3B,MAAM,eAAe,IAAI,aAAa,IAAI,MAAM;GAC9C,QAAQ,IAAI;GACZ,YAAY,IAAI;GAChB,SAAS,IAAI;GACb,KAAK,IAAI;GACV,CAAC;AAEF,MAAI;;AAEF,OAAI,CAAC,UAAU,aAAa,IAAI,CAC9B,CAAC,aAAqB,MAAM,IAAI;UAE5B;AAIR,SAAO;;AAGT,QAAO,IAAI,cAAc;;AAG3B,MAAa,4BACX,KACA,aAIG;CACH,IAAI;CACJ,IAAI;AAEJ,KAAI,YAAY,IAAI,EAAE;AACpB,YAAU,IAAI,0BAA0B,eAAe,IAAe,CAAC;AAEvE,aACE,oBAAoB,WAChB,IAAI,2BAA2B,gBAAgB,SAAS,CAAC,GACzD,IAAI,yBAAyB;QAC9B;AACL,MAAI,CAAC,cAAc,IAAI,IAAI,CAAC,eAAe,SAAS,CAClD,OAAM,IAAIA,2BACR,4CACD;AAEH,YAAU,IAAI,2BAA2B,IAAsB;AAC/D,aAAW,IAAI,4BAA4B,SAA4B;;AAGzE,QAAO;EAAE;EAAS;EAAU;;AAG9B,MAAa,iBAAiB,cAA4C;CACxE,MAAM,OAAO,UAAU,KAAK;AAE5B,KAAI,CAAC,KACH,QAAO,IAAI,cAAc;AAG3B,WAAU,SAAQ,aAAY;AAC5B,WAAS,QAAQ,SAAS,GAAG,MAAM;AACjC,OAAK,MAAM,cAAc,CAAC,KAAK,QAAQ,IAAI,EAAE,IAAK,MAAM,WACtD,MAAK,QAAQ,IAAI,GAAG,EAAE;IAExB;AAEF,WAAS,QAAQ,QAAQ,CAAC,SAAQ,MAAK;GACrC,MAAM,EAAE,MAAM,OAAO,GAAG,cAAc;AACtC,QAAK,QAAQ,IAAI,MAAM,OAAO,UAAU;IACxC;GACF;AAEF,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC2CT,IAAa,sBAAb,MAAiC;;;;;;;CAS/B,IAAW,aAAkC;AAC3C,SAAO,KAAK;;;;;;;CAQd,IAAW,aAAkC;AAC3C,SAAO,KAAK,WAAW;;;;;;;CAQzB,YAAY,SAA4B;EACtC,MAAM,MAAM;GACV,GAAI,WAAW,EAAE;GACjB,8DAAW,QAAS,cAAa;GACjC,6DAAU,QAAS;GACpB;AAED,OAAK,4BAA4B;AACjC,OAAK,cAAc,IAAI,oBAAoB,IAAI;;;;;;;CAQjD,AAAO,cAAc,SAAsD;AACzE,UAAQ,KAAK,aAAa;GACxB,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;GAE5C,IAAI,EAAE,MAAM,OAAO;AAEnB,OAAI,CAAC,cAAc,IAAI,CACrB,OAAM,IAAI,IAAI,KAAK,OAAO,CAAC,UAAU;GAGvC,MAAM,QAAQ,IAAI,IAAI,IAAI;GAE1B,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAEA,QAAQ,QAAS,KAAY,UAAiB,MAAM;GAGxD,IAAI;GACJ,IAAI;AAEJ,OAAI,YAAY,IAAI,EAAE;AACpB,cAAU,IAAI,0BAA0B,eAAe,IAAe,CAAC;AACvE,eAAW,IAAI,2BACb,gBAAgB,SAAqB,CACtC;UACI;AACL,cAAU,IAAI,2BAA2B,IAAsB;AAC/D,eAAW,IAAI,4BAA4B,SAA4B;;AAGzE,UAAO,KAAK,iBACV,SACA,UACA,MAAM,UACN,QACA,QACD;;;CA2BL,AAAO,YAAY,GAAG,MAAsB;AAC1C,MAAI,OAAO,KAAK,OAAO,WACrB,QAAO,KAAK,eACV,KAAK,IACL,KAAK,GACN;AAGH,SAAO,KAAK,gBACV,KAAK,GACN;;CAGH,AAAQ,eACN,WACA,SACsB;AACtB,SAAO,OAAM,WAAU;GACrB,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,eACX,QAAO,QAAQ,eAAe,EAAE,GAAG,QAAQ,CAAC;IAG9C,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAG5C,MAAM,EAAE,YAAY,MAAM,OAAO;IAEjC,MAAM,QAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB;IAEtD,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,IAC/B;AAED,yEAAI,QAAS,sFAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,0EAAI,QAAS,wFAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,0EAAI,QAAS,wFAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,0EAAI,QAAS,wFAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;IAIH,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAO,SAAS,YAAY,UAAU,CAAC;;AAGzC,0DACE,QAAS,WACT,CAACC,gBACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,QAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB;KACjC,GAAG;KACH,MAAM,QAAQ;KACf,CAAC;AAGJ,WAAO;;AAGT,UAAO,UAAU;IAAE,GAAG;IAAQ,MAAM,QAAQ;IAAM,CAAC;;;CAIvD,AAAQ,gBAGN,SAAyE;AACzE,SAAO,OAAM,YAAW;GACtB,MAAM,UAAU,MAAM,KAAK,WACzB,QAAQ,KACR,QAAQ,IACT;AAED,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,gBAAgB;KAC3B,MAAM,cAAmB,MAAM,QAAQ,eAAe,EACpD,GAAG,SACJ,CAAC;AAOF,YALc;MACZ,GAAI,eAAe,EAAE;MACrB,OAAO,EAAE,8DAAI,YAAa,UAAS,EAAE,EAAG;MACzC;;IAKH,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAE5C,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,YAC/B;AAED,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,2EAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,2EAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,2EAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,WAAO,EACL,UAAU;KACR,aAAa,YAAY,UAAU;KACnC,WAAW;KACZ,EACF;;AAGH,0DACE,QAAS,WACT,CAACA,gBACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;;IACA,MAAM,cAAoB,gCAAM,QAAQ,iHAAsB;KAC5D,GAAG;KACH,MAAM,QAAQ;KACf,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,MAAM,EAAE;AAO7C,WALc;KACZ,GAAG;KACH,OAAO,EAAE,GAAI,YAAY,SAAS,EAAE,EAAG;KACxC;;GAKH,MAAM,iEAAmB,QAAS,sBAC9B,MAAM,QAAQ,mBAAmB,QAAQ,GACzC,EAAE;GAEN,MAAM,cAAc,YAAY;AAEhC,OAAI,uBAAuB,QACzB,QAAO;IACL,GAAG;IACH,OAAO,YAAY,MAAM,WAAgB;KACvC,MAAM,QAAQ;KACd,GAAG;KACJ,EAAE;IACJ;AAGH,UAAO;IACL,GAAG;IACH,OAAO;KAAE,MAAM,QAAQ;KAAM,GAAG,YAAY;KAAO;IACpD;;;CA0BL,AAAO,WACL,SACA,SACwC;AACxC,UACE,KACA,aACG;AACH,OAAI,YAAY,IAAI,CAClB,QAAO,KAAK,cACV,KACA,UACA,SACA,QACD;AAEH,UAAO,KAAK,eACV,KACA,UACA,SACA,QACD;;;CAIL,MAAc,cACZ,KACA,KACA,SACA,SACuB;EACvB,MAAM,MAAM,IAAI,cAAc;EAE9B,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAO,cAAc,CAAC,KAAK,IAAI,aAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAO,cAAc,CACnB,KACA,aAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;;AAGJ,yDACE,QAAS,WACT,CAACA,gBACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,qBAAqB;IAC/B,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAO,cAAc,CAAC,KAAK,IAAI,aAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAO,cAAc,CACnB,KACA,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;;EAGJ,MAAM,OAAO,MAAM,QAAQ,KAAK,IAAI;AAEpC,MAAI,gBAAgB,aAClB,QAAO,cAAc,CAAC,KAAK,KAAK,CAAC;AAGnC,SAAO,cAAc,CAAC,KAAK,IAAI,aAAa,KAAK,MAAM,KAAK,CAAC,CAAC;;CAGhE,MAAc,eACZ,KACA,KACA,SACA,SACkB;EAClB,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,eACX,QAAO,QAAQ,eAAe,KAAK,IAAI;AAGzC,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,gBACV,CAAC;;AAGJ,yDACE,QAAS,WACT,CAACA,gBACC,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB,KAAK,KAAK,QAAQ,KAAK;AAG5D,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,aACV,CAAC;;AAGJ,SAAO,QAAQ,KAAK,IAAI;;CAuB1B,AAAO,eACL,GAAG,MAKoB;EACvB,IAAI;EACJ,IAAI;EACJ,IAAI;;AAGJ,MAAI,MAAM,QAAQ,KAAK,EAAE;AACvB,OAAI,KAAK,WAAW,GAElB;;QAAI,YAAY,KAAK,GAAG,EAAE;AACxB,WAAM,KAAK;AACX,WAAM,KAAK;;;AAIf,OAAI,KAAK,WAAW,EAClB,WAAU,KAAK;;AAInB,MAAI,OAAO,IACT,QAAO,KAAK,sBAAsB,KAAK,KAAK,QAAQ;AAGtD,UAAQ,SAAsB,WAA2B;AACvD,UAAO,KAAK,sBAAsB,SAAS,QAAQ,QAAQ;;;CAI/D,MAAc,sBACZ,KACA,KACA,SAC+B;AAE/B,QAAM,eAAe,IAAI;AAEzB,MAAI,IAAI,QAAQ,IAAI,0BAA0B,CAC5C,QAAO,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC;EAGrE,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;AAE5C,MACE,OAAO,OAAO,OAAQ,CACnB,KAAI,MAAK,mBAAmB,EAAE,CAAC,CAC/B,SAAS,IAAI,QAAQ,SAAS,EACjC;GACA,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAI2B,QAAQ,QAAS,KAAK,KAAK,MAAM;GAGhE,MAAM,UAAU,IAAI,0BAA0B,IAAI;GAClD,MAAM,WAAW,IAAI,2BAA2B,IAAI,cAAc,CAAC;AAEnE,UAAO,KAAK,iBACV,SACA,UACA,IAAI,QAAQ,UACZ,QACA,QACD;;EAGH,MAAM,UAAU,IAAI,cAAc;AAElC,UAAQ,QAAQ,IACd,oBACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;EAED,IAAI,mBAAmB;EACvB,IAAI;AAEJ,MAAI,0DAAO,QAAS,qBAAoB,WACtC,oBAAmB,MAAM,QAAQ,gBAAgB,IAAI;WAErD,0DAAO,QAAS,qBAAoB,eACpC,MAAM,QAAQ,QAAQ,gBAAgB,CAEtC,oBAAmB,QAAQ,gBAAgB,MAAK,UAAS;AACvD,OAAI,OAAO,UAAU,YAAY,iBAAiB,OAChD,QAAO,IAAI,OAAO,MAAM,CAAC,KAAK,IAAI,QAAQ,SAAS;AAGrD,UAAO,MAAM,OAAO,MAAK,eAAc;IACrC,MAAM,SAAS,IAAI,OAAO,WAAW,CAAC,KAAK,IAAI,QAAQ,SAAS;AAEhE,QAAI,OACF,iBAAgB,MAAM;AAGxB,WAAO;KACP;IACF;AAGJ,MAAI,CAAC,iBACH,QAAO,aAAa,KAAK,EACvB,SAAS,EACP,oBAAoB,IAAI,QAAQ,WAAW,IAAI,QAAQ,QACxD,EACF,CAAC;EAGJ,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,QAAQ;AAEnD,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAO,cAAc,CACnB,SACA,IAAI,aAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAO,aAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAO,cAAc,CACnB,SACA,aAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;GAGJ,MAAM,cAAc,IAAI,IACtB,GAAG,SAAS,mBAAmB,OAAQ,OAAO,GAC/C;AAED,eAAY,aAAa,IACvB,cACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;AAED,UAAO,cAAc,CAAC,SAAS,aAAa,SAAS,YAAY,CAAC,CAAC;;EAGrE,MAAM,iEACJ,QAAS,gBAAe,QAAQ,IAAI;AAEtC,MACE,iBACA,CAACA,gBAAkB,QAAQ,MAAM,eAAe,YAAY,EAC5D;AACA,yDAAI,QAAS,qBAAqB;IAChC,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkB,aACpB,QAAO,cAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAO,cAAc,CACnB,SACA,IAAI,aAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAO,aAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAO,cAAc,CACnB,SACA,aAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;AAGJ,UAAO,IAAI,aAAa,aAAa,EACnC,QAAQ,KACT,CAAC;;AAGJ,SAAO,aAAa,KAAK,QAAQ;;CAGnC,AAAQ,iBACN,SACA,UACA,MACA,QACA,SACc;AACd,UAAQ,MAAR;GACE,KAAK,mBAAmB,OAAQ,OAAO,CACrC,QAAO,KAAK,WAAW,OAAO,SAAS,UAAU,EAC/C,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,KAAK,mBAAmB,OAAQ,QAAQ,CACtC,QAAO,KAAK,WAAW,QAAQ,SAAS,UAAU,EAChD,SACD,CAAC;GAEJ;AACE,aAAS,UAAU;AACnB,WAAO,SAAS,MAAM;;;CAgC5B,MAAM,WAAW,GAAG,MAAoD;EACtE,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;QAExC,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAIrE,MAAI,CAAC,mBAAmB,QAAQ,IAAI,CAAC,oBAAoB,SAAS,CAChE,OAAM,IAAIC,2BACR,4CACD;AAGH,SAAO,MAAM,KAAK,WAAW,WAAW,SAAS,SAAS;;CAmD5D,MAAM,UAAU,GAAG,MAAuC;EACxD,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;aAC/B,KAAK,WAAW,EACzB,KAAI,KAAK,cAAc,QACrB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;OAChE;AACL,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;AACxC,aAAU,KAAK;;WAER,KAAK,WAAW,KAAK,KAAK,cAAc,QACjD,KAAI,KAAK,cAAc,SACrB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;AAErE,aAAU,KAAK;;WAGjB,KAAK,WAAW,KAChB,cAAc,KAAK,GAAG,IACtB,eAAe,KAAK,GAAG,CAEvB,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AAEnE,aAAU,KAAK;;AAGjB,MACE,CAAC,mBAAmB,QAAQ,IAC5B,CAAC,oBAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIA,2BACR,2CACD;AAGH,SAAO,MAAM,KAAK,WAAW,UAAU,SAAS,UAAU,QAAQ;;CA+BpE,MAAM,gBAAgB,GAAG,MAA+B;EACtD,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;QAExC,EAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAIrE,MAAI,CAAC,mBAAmB,QAAQ,IAAI,CAAC,oBAAoB,SAAS,CAChE,OAAM,IAAIA,2BACR,iDACD;AAGH,SAAO,MAAM,KAAK,WAAW,gBAAgB,SAAS,SAAS;;;;;;;CAQjE,MAAa,QAAQ,SAAyC;;EAC5D,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;EACvD,IAAI;AACJ,MAAI;GACF,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,WAAW,oDAAC,QAAS,QACvB;AAGF,OACE,8DACA,QAAS,WACTD,gBACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,CAED;GAIF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,WAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB,IAAI;UAC9C;AACN,SAAM,IAAI,MACR,wGACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,cAAY,aAAa,IAAI,iEAAc,QAAS,cAAa,KAAK;AAEtE,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,yEAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAGlE,yEAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,yEAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,MAAI,MAAM,2EAAQ,QAAS,0FAAY,UAAU,CAC/C,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;EAInE,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;CAyDlC,MAAa,cAAc,GAAG,MAA+B;EAC3D,IAAI;EACJ,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,YAAS,KAAK;AACd,aAAU,KAAK;AAEf,IAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;;AAGrE,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,QACrB,KAAI,KAAK,cAAc,UAAU;AAC/B,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;UACT;AACL,KAAC,CAAE,SAAS,YAAa,yBACvB,KAAK,IACL,OACD;AACD,aAAS,KAAK;AACd,cAAU,KAAK;;AAInB,OAAI,cAAc,KAAK,GAAG,IAAI,eAAe,KAAK,GAAG,EAAE;AACrD,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;;;AAIlB,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,SAAS;AAC9B,KAAC,CAAE,SAAS,YAAa,yBAAyB,KAAK,IAAI,OAAU;AACrE,aAAS,KAAK;;AAGhB,OAAI,MAAM,QAAQ,KAAK,GAAG,EAAE;AAC1B,cAAU,IAAI,wBAAwB;AACtC,eAAW,IAAI,yBAAyB;AAExC,aAAS,KAAK;AACd,cAAU,KAAK;;;AAInB,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAI,wBAAwB;AACtC,cAAW,IAAI,yBAAyB;AAExC,YAAS,KAAK;;AAGhB,MACE,CAAC,MAAM,QAAQ,OAAO,IACtB,CAAC,mBAAmB,QAAQ,IAC5B,CAAC,oBAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIC,2BACR,+CACD;AAWH,SARe,MAAM,KAAK,WAAW,cACnC,SACA,UACA,2DACA,QAAS,gBAAe,QAAQ,IAAI,+EACpC,QAAS,SACV;;;;;;;CAUH,MAAa,iBACX,SACe;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,iHACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,WAAW,QAAQ,OAAO,UAAU,CAAC;AAGpE,wDAAI,QAAS,kBACX,aAAY,aAAa,IACvB,sBACA,QAAQ,kBACT;AAGH,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,SAAS,QAAQ,OAAO;AAGvD,wDAAI,QAAS,SACX,aAAY,aAAa,IAAI,YAAY,QAAQ,SAAS;AAG5D,wDAAI,QAAS,QACX,aAAY,aAAa,IAAI,WAAW,QAAQ,QAAQ;AAG1D,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,MAAI,MAAM,0DAAQ,QAAS,UAAU,CACnC,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU,KAAK,IAAI,CAAC;AAGzE,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,UAAU,QAAQ,OAAO;EAIxD,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;;;;;;CAQlC,MAAa,kBACX,SACe;;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,kHACD;;EAGH,MAAM,eAAe,IAAI,IAAI,GAAG,SAAS,OAAO,UAAU;AAE1D,yEAAI,QAAS,qGAAuB,MAAM,CAAC,OACzC,cAAa,aAAa,IACxB,mBACA,QAAQ,sBACT;AAGH,MAAI,0DAAO,QAAS,eAAc,UAChC,cAAa,aAAa,IAAI,aAAa,QAAQ,UAAU,UAAU,CAAC;EAI1E,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,aAAa,UAAU,CAAC;;CAGnC,AAAQ,aAA+B;AACrC,SAAO,KAAK,WAAW,YAAY;;CAGrC,AAAQ,6BAAmC;AACzC,SAAO,KAAK,QAAQ,IAAI,CACrB,QAAO,QAAO,IAAI,WAAW,6BAA6B,CAAC,CAC3D,SAAQ,cAAa;GACpB,MAAM,GAAG,cAAc,UAAU,MAAM,eAAe;AACtD,WAAQ,IAAI,cAAc,QAAQ,IAAI;IACtC;;;;;;ACj8CR,IAAI;;;;;AAMJ,MAAM,oBAAyC;AAC7C,cAAa,IAAI,qBAAqB;AACtC,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2DT,SAAgB,cACd,SACsB;AACtB,QAAO,aAAa,CAAC,cAAc,QAAQ;;AAsI7C,SAAgB,eACd,GAAG,MAKoB;AACvB,QAAO,aAAa,CAAC,eAAe,GAAG,KAAK;;AA0M9C,SAAgB,WACd,GAAG,MACoC;AACvC,QAAQ,aAAa,CAAC,WAAmB,GAAG,KAAK;;AAsQnD,SAAgB,UAAU,GAAG,MAAuC;AAClE,QAAO,aAAa,CAAC,UAAU,GAAG,KAAK;;AA2MzC,SAAgB,gBAAgB,GAAG,MAA+B;AAChE,QAAQ,aAAa,CAAC,gBAAwB,GAAG,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiDxD,SAAgB,QAAQ,SAAyC;AAC/D,QAAO,aAAa,CAAC,QAAQ,QAAQ;;AA6DvC,SAAgB,WACd,SACA,SACwC;AACxC,QAAQ,aAAa,CAAC,WAAmB,SAAS,QAAQ;;AA2G5D,SAAgB,YAAY,GAAG,MAAkB;AAC/C,QAAO,aAAa,CAAC,YAAY,GAAG,KAAK;;AAiQ3C,SAAgB,cAAc,GAAG,MAA+B;AAC9D,QAAQ,aAAa,CAAC,cAAsB,GAAG,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiEtD,SAAgB,iBACd,SACe;AACf,QAAO,aAAa,CAAC,iBAAiB,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgEhD,SAAgB,kBACd,SACe;AACf,QAAO,aAAa,CAAC,kBAAkB,QAAQ"}