@monocloud/auth-nextjs 0.1.9 → 0.1.11

package/dist/monocloud-next-client.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"monocloud-next-client.cjs","names":["MonoCloudCoreClient","isAppRouter","MonoCloudAppRouterRequest","getNextRequest","MonoCloudAppRouterResponse","getNextResponse","MonoCloudPageRouterRequest","MonoCloudPageRouterResponse","NextResponse","mergeResponse","MonoCloudCookieRequest","MonoCloudCookieResponse","getMonoCloudCookieReqRes","isNodeRequest","isNodeResponse","isMonoCloudRequest","isMonoCloudResponse","MonoCloudValidationError"],"sources":["../src/monocloud-next-client.ts"],"sourcesContent":["/* eslint-disable import/extensions */\n/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport type {\n  monoCloudAuth,\n  protect,\n  protectPage,\n  authMiddleware,\n  getSession,\n  getTokens,\n  isAuthenticated,\n  isUserInGroup,\n  redirectToSignIn,\n  redirectToSignOut,\n} from './initialize';\nimport {\n  NextFetchEvent,\n  NextRequest,\n  NextResponse,\n  NextMiddleware,\n  NextProxy,\n} from 'next/server.js';\nimport type {\n  NextApiHandler,\n  NextApiRequest,\n  NextApiResponse,\n} from 'next/types';\nimport {\n  ensureLeadingSlash,\n  isAbsoluteUrl,\n} from '@monocloud/auth-node-core/internal';\nimport { isUserInGroup as isUserInGroupCore } from '@monocloud/auth-node-core/utils';\nimport type {\n  GetSessionOptions,\n  GetTokensOptions,\n  IMonoCloudCookieRequest,\n  IMonoCloudCookieResponse,\n  MonoCloudOptions,\n  MonoCloudRequest,\n  MonoCloudResponse,\n  MonoCloudTokens,\n  MonoCloudSession,\n  OnError,\n} from '@monocloud/auth-node-core';\nimport { MonoCloudOidcClient } from '@monocloud/auth-core';\nimport {\n  MonoCloudCoreClient,\n  MonoCloudValidationError,\n} from '@monocloud/auth-node-core';\nimport {\n  AppRouterApiHandlerFn,\n  AppRouterContext,\n  AppRouterPageHandler,\n  IsUserInGroupOptions,\n  MonoCloudAuthHandler,\n  MonoCloudAuthOptions,\n  MonoCloudMiddlewareOptions,\n  NextMiddlewareResult,\n  ProtectApiAppOptions,\n  ProtectApiPageOptions,\n  ProtectAppPageOptions,\n  ProtectedAppServerComponent,\n  ProtectOptions,\n  ProtectPagePageOptions,\n  ProtectPagePageReturnType,\n  RedirectToSignInOptions,\n  RedirectToSignOutOptions,\n} from './types';\nimport {\n  getMonoCloudCookieReqRes,\n  getNextRequest,\n  getNextResponse,\n  isAppRouter,\n  isMonoCloudRequest,\n  isMonoCloudResponse,\n  mergeResponse,\n  isNodeRequest,\n  isNodeResponse,\n} from './utils';\nimport MonoCloudCookieRequest from './requests/monocloud-cookie-request';\nimport MonoCloudCookieResponse from './responses/monocloud-cookie-response';\nimport MonoCloudAppRouterRequest from './requests/monocloud-app-router-request';\nimport MonoCloudAppRouterResponse from './responses/monocloud-app-router-response';\nimport type { JSX } from 'react';\nimport type { ParsedUrlQuery } from 'node:querystring';\nimport type { IncomingMessage, ServerResponse } from 'node:http';\nimport MonoCloudPageRouterRequest from './requests/monocloud-page-router-request';\nimport MonoCloudPageRouterResponse from './responses/monocloud-page-router-response';\n\n/**\n * `MonoCloudNextClient` is the core SDK entry point for integrating MonoCloud authentication into a Next.js application.\n *\n * It provides:\n * - Authentication middleware\n * - Route protection helpers\n * - Session and token access\n * - Redirect utilities\n * - Server-side enforcement helpers\n *\n * ## 1. Add environment variables\n *\n * ```bash:.env.local\n * MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>\n * MONOCLOUD_AUTH_CLIENT_ID=<client-id>\n * MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>\n * MONOCLOUD_AUTH_SCOPES=openid profile email\n * MONOCLOUD_AUTH_APP_URL=http://localhost:3000\n * MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>\n * ```\n *\n * ## 2. Register middleware\n *\n * ```typescript:src/proxy.ts\n * import { authMiddleware } from \"@monocloud/auth-nextjs\";\n *\n * export default authMiddleware();\n *\n * export const config = {\n *   matcher: [\n *     \"/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)\",\n *   ],\n * };\n * ```\n *\n * ## Advanced usage\n *\n * ### Create a shared client instance\n *\n * By default, the SDK exposes function exports (for example, `authMiddleware()`, `getSession()`, `getTokens()`) that internally use a shared singleton `MonoCloudNextClient`.\n *\n * Create your own `MonoCloudNextClient` instance when you need multiple configurations, dependency injection, or explicit control over initialization.\n *\n * ```ts:src/monocloud.ts\n * import { MonoCloudNextClient } from \"@monocloud/auth-nextjs\";\n *\n * export const monoCloud = new MonoCloudNextClient();\n * ```\n *\n * ### Using instance methods\n *\n * Once you create a client instance, call methods directly on it instead of using the default function exports.\n *\n * ```ts:src/app/page.tsx\n * import { monoCloud } from \"@/monocloud\";\n *\n * export default async function Page() {\n *   const session = await monoCloud.getSession();\n *\n *   if (!session) {\n *     return <>Not signed in</>;\n *   }\n *\n *   return <>Hello {session.user.name}</>;\n * }\n * ```\n *\n * #### Using constructor options\n *\n * When configuration is provided through both constructor options and environment variables, the values passed to the constructor take precedence. Environment variables are used only for options that are not explicitly supplied.\n *\n * ```ts:src/monocloud.ts\n * import { MonoCloudNextClient } from \"@monocloud/auth-nextjs\";\n *\n * export const monoCloud = new MonoCloudNextClient({\n *   tenantDomain: \"<tenant-domain>\",\n *   clientId: \"<client-id>\",\n *   clientSecret: \"<client-secret>\",\n *   appUrl: \"http://localhost:3000\",\n *   cookieSecret: \"<cookie-secret>\",\n *   defaultAuthParams: {\n *     scopes: \"openid profile email\",\n *   },\n * });\n * ```\n *\n * ### Modifying default routes\n *\n * If you customize any of the default auth route paths:\n *\n * - Also set the corresponding `NEXT_PUBLIC_` environment variables so client-side helpers\n *   (for example `<SignIn />`, `<SignOut />`, and `useAuth()`) can discover the correct URLs.\n * - Update the **Application URLs** in your MonoCloud Dashboard to match the new paths.\n *\n * Example:\n *\n * ```bash:.env.local\n * MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback\n * NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback\n * ```\n *\n * When routes are overridden, the Redirect URI configured in the dashboard\n * must reflect the new path. For example, during local development:\n *\n * `http://localhost:3000/api/custom_callback`\n *\n * @category Classes\n */\nexport class MonoCloudNextClient {\n  private readonly _coreClient: MonoCloudCoreClient;\n\n  /**\n   * This exposes the framework-agnostic MonoCloud client used internally by the Next.js SDK.\n   * Use it if you need access to lower-level functionality not directly exposed by MonoCloudNextClient.\n   *\n   * @returns Returns the underlying **Node client** instance.\n   */\n  public get coreClient(): MonoCloudCoreClient {\n    return this._coreClient;\n  }\n\n  /**\n   * This is intended for advanced scenarios requiring direct control over the authorization or token flow.\n   *\n   * @returns Returns the underlying **OIDC client** used for OpenID Connect operations.\n   */\n  public get oidcClient(): MonoCloudOidcClient {\n    return this.coreClient.oidcClient;\n  }\n\n  /**\n   * Creates a new client instance.\n   *\n   * @param options Optional configuration for initializing the MonoCloud client. If not provided, settings are automatically resolved from environment variables.\n   */\n  constructor(options?: MonoCloudOptions) {\n    const opt = {\n      ...(options ?? {}),\n      userAgent: options?.userAgent ?? `${SDK_NAME}@${SDK_VERSION}`,\n      debugger: options?.debugger ?? SDK_DEBUGGER_NAME,\n    };\n\n    this.registerPublicEnvVariables();\n    this._coreClient = new MonoCloudCoreClient(opt);\n  }\n\n  /**\n   * @see {@link monoCloudAuth} for full docs and examples.\n   * @param options Optional configuration for the auth handler.\n   * @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.\n   */\n  public monoCloudAuth(options?: MonoCloudAuthOptions): MonoCloudAuthHandler {\n    return (req, resOrCtx) => {\n      const { routes, appUrl } = this.getOptions();\n\n      let { url = '' } = req;\n\n      if (!isAbsoluteUrl(url)) {\n        url = new URL(url, appUrl).toString();\n      }\n\n      const route = new URL(url);\n\n      let onError;\n      if (typeof options?.onError === 'function') {\n        onError = (\n          error: Error\n        ): void | NextResponse | Promise<void | NextResponse<unknown>> =>\n          options.onError!(req as any, resOrCtx as any, error);\n      }\n\n      let request: MonoCloudRequest;\n      let response: MonoCloudResponse;\n\n      if (isAppRouter(req)) {\n        request = new MonoCloudAppRouterRequest(getNextRequest(req as Request));\n        response = new MonoCloudAppRouterResponse(\n          getNextResponse(resOrCtx as Response)\n        );\n      } else {\n        request = new MonoCloudPageRouterRequest(req as NextApiRequest);\n        response = new MonoCloudPageRouterResponse(resOrCtx as NextApiResponse);\n      }\n\n      return this.handleAuthRoutes(\n        request,\n        response,\n        route.pathname,\n        routes,\n        onError\n      );\n    };\n  }\n\n  /**\n   * @see {@link protectPage} for full docs and examples.\n   * @param component The App Router server component to protect.\n   * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n   * @returns A wrapped page component that enforces authentication before rendering.\n   */\n  protectPage(\n    component: ProtectedAppServerComponent,\n    options?: ProtectAppPageOptions\n  ): AppRouterPageHandler;\n\n  /**\n   * @see {@link protectPage} for full docs and examples.\n   * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).\n   * @typeParam P - Props returned from `getServerSideProps`.\n   * @typeParam Q - Query parameters parsed from the URL.\n   * @returns A getServerSideProps wrapper that enforces authentication before executing the page logic.\n   */\n  protectPage<\n    P extends Record<string, any> = Record<string, any>,\n    Q extends ParsedUrlQuery = ParsedUrlQuery,\n  >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q>;\n\n  public protectPage(...args: unknown[]): any {\n    if (typeof args[0] === 'function') {\n      return this.protectAppPage(\n        args[0] as AppRouterPageHandler,\n        args[1] as ProtectAppPageOptions\n      ) as any;\n    }\n\n    return this.protectPagePage(\n      args[0] as ProtectPagePageOptions\n    ) as ProtectPagePageReturnType<any, any>;\n  }\n\n  private protectAppPage(\n    component: ProtectedAppServerComponent,\n    options?: ProtectAppPageOptions\n  ): AppRouterPageHandler {\n    return async params => {\n      const session = await this.getSession();\n\n      if (!session) {\n        if (options?.onAccessDenied) {\n          return options.onAccessDenied({ ...params });\n        }\n\n        const { routes, appUrl } = this.getOptions();\n\n        // @ts-expect-error Cannot find module 'next/headers'\n        const { headers } = await import('next/headers');\n\n        const path = (await headers()).get('x-monocloud-path');\n\n        const signInRoute = new URL(\n          `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n        );\n\n        signInRoute.searchParams.set(\n          'return_url',\n          options?.returnUrl ?? path ?? '/'\n        );\n\n        if (options?.authParams?.scopes) {\n          signInRoute.searchParams.set('scope', options.authParams.scopes);\n        }\n        if (options?.authParams?.resource) {\n          signInRoute.searchParams.set('resource', options.authParams.resource);\n        }\n\n        if (options?.authParams?.acrValues) {\n          signInRoute.searchParams.set(\n            'acr_values',\n            options.authParams.acrValues.join(' ')\n          );\n        }\n\n        if (options?.authParams?.display) {\n          signInRoute.searchParams.set('display', options.authParams.display);\n        }\n\n        if (options?.authParams?.prompt) {\n          signInRoute.searchParams.set('prompt', options.authParams.prompt);\n        }\n\n        if (options?.authParams?.authenticatorHint) {\n          signInRoute.searchParams.set(\n            'authenticator_hint',\n            options.authParams.authenticatorHint\n          );\n        }\n\n        if (options?.authParams?.uiLocales) {\n          signInRoute.searchParams.set(\n            'ui_locales',\n            options.authParams.uiLocales\n          );\n        }\n\n        if (options?.authParams?.maxAge) {\n          signInRoute.searchParams.set(\n            'max_age',\n            options.authParams.maxAge.toString()\n          );\n        }\n\n        if (options?.authParams?.loginHint) {\n          signInRoute.searchParams.set(\n            'login_hint',\n            options.authParams.loginHint\n          );\n        }\n\n        // @ts-expect-error Cannot find module 'next/navigation'\n        const { redirect } = await import('next/navigation');\n\n        return redirect(signInRoute.toString());\n      }\n\n      if (\n        options?.groups &&\n        !isUserInGroupCore(\n          session.user,\n          options.groups,\n          options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n          options.matchAll\n        )\n      ) {\n        if (options.onGroupAccessDenied) {\n          return options.onGroupAccessDenied({\n            ...params,\n            user: session.user,\n          });\n        }\n\n        return 'Access Denied' as unknown as JSX.Element;\n      }\n\n      return component({ ...params, user: session.user });\n    };\n  }\n\n  private protectPagePage<\n    P extends Record<string, any> = Record<string, any>,\n    Q extends ParsedUrlQuery = ParsedUrlQuery,\n  >(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q> {\n    return async context => {\n      const session = await this.getSession(\n        context.req as any,\n        context.res as any\n      );\n\n      if (!session) {\n        if (options?.onAccessDenied) {\n          const customProps: any = await options.onAccessDenied({\n            ...context,\n          });\n\n          const props = {\n            ...(customProps ?? {}),\n            props: { ...(customProps?.props ?? {}) },\n          };\n\n          return props;\n        }\n\n        const { routes, appUrl } = this.getOptions();\n\n        const signInRoute = new URL(\n          `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n        );\n\n        signInRoute.searchParams.set(\n          'return_url',\n          options?.returnUrl ?? context.resolvedUrl\n        );\n\n        if (options?.authParams?.scopes) {\n          signInRoute.searchParams.set('scope', options.authParams.scopes);\n        }\n        if (options?.authParams?.resource) {\n          signInRoute.searchParams.set('resource', options.authParams.resource);\n        }\n\n        if (options?.authParams?.acrValues) {\n          signInRoute.searchParams.set(\n            'acr_values',\n            options.authParams.acrValues.join(' ')\n          );\n        }\n\n        if (options?.authParams?.display) {\n          signInRoute.searchParams.set('display', options.authParams.display);\n        }\n\n        if (options?.authParams?.prompt) {\n          signInRoute.searchParams.set('prompt', options.authParams.prompt);\n        }\n\n        if (options?.authParams?.authenticatorHint) {\n          signInRoute.searchParams.set(\n            'authenticator_hint',\n            options.authParams.authenticatorHint\n          );\n        }\n\n        if (options?.authParams?.uiLocales) {\n          signInRoute.searchParams.set(\n            'ui_locales',\n            options.authParams.uiLocales\n          );\n        }\n\n        if (options?.authParams?.maxAge) {\n          signInRoute.searchParams.set(\n            'max_age',\n            options.authParams.maxAge.toString()\n          );\n        }\n\n        if (options?.authParams?.loginHint) {\n          signInRoute.searchParams.set(\n            'login_hint',\n            options.authParams.loginHint\n          );\n        }\n\n        return {\n          redirect: {\n            destination: signInRoute.toString(),\n            permanent: false,\n          },\n        };\n      }\n\n      if (\n        options?.groups &&\n        !isUserInGroupCore(\n          session.user,\n          options.groups,\n          options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n          options.matchAll\n        )\n      ) {\n        const customProps: any = (await options.onGroupAccessDenied?.({\n          ...context,\n          user: session.user,\n        })) ?? { props: { groupAccessDenied: true } };\n\n        const props = {\n          ...customProps,\n          props: { ...(customProps.props ?? {}) },\n        };\n\n        return props;\n      }\n\n      const customProps: any = options?.getServerSideProps\n        ? await options.getServerSideProps(context)\n        : {};\n\n      const promiseProp = customProps.props;\n\n      if (promiseProp instanceof Promise) {\n        return {\n          ...customProps,\n          props: promiseProp.then((props: any) => ({\n            user: session.user,\n            ...props,\n          })),\n        };\n      }\n\n      return {\n        ...customProps,\n        props: { user: session.user, ...customProps.props },\n      };\n    };\n  }\n\n  /**\n   * @see {@link protectApi} for full docs and examples.\n   * @param handler The route handler to protect.\n   * @param options Optional configuration controlling authentication and authorization behavior.\n   * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n   */\n  protectApi(\n    handler: AppRouterApiHandlerFn,\n    options?: ProtectApiAppOptions\n  ): AppRouterApiHandlerFn;\n\n  /**\n   * @see {@link protectApi} for full docs and examples.\n   * @param handler - The route handler to protect.\n   * @param options Optional configuration controlling authentication and authorization behavior.\n   * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.\n   */\n  protectApi(\n    handler: NextApiHandler,\n    options?: ProtectApiPageOptions\n  ): NextApiHandler;\n\n  public protectApi(\n    handler: AppRouterApiHandlerFn | NextApiHandler,\n    options?: ProtectApiAppOptions | ProtectApiPageOptions\n  ): AppRouterApiHandlerFn | NextApiHandler {\n    return (\n      req: NextRequest | NextApiRequest,\n      resOrCtx: AppRouterContext | NextApiResponse\n    ) => {\n      if (isAppRouter(req)) {\n        return this.protectAppApi(\n          req as NextRequest,\n          resOrCtx as AppRouterContext,\n          handler as AppRouterApiHandlerFn,\n          options as ProtectApiAppOptions\n        );\n      }\n      return this.protectPageApi(\n        req as NextApiRequest,\n        resOrCtx as NextApiResponse,\n        handler as NextApiHandler,\n        options as ProtectApiPageOptions\n      );\n    };\n  }\n\n  private async protectAppApi(\n    req: NextRequest,\n    ctx: AppRouterContext,\n    handler: AppRouterApiHandlerFn,\n    options?: ProtectApiAppOptions\n  ): Promise<NextResponse> {\n    const res = new NextResponse();\n\n    const session = await this.getSession(req, res);\n\n    if (!session) {\n      if (options?.onAccessDenied) {\n        const result = await options.onAccessDenied(req, ctx);\n\n        if (result instanceof NextResponse) {\n          return mergeResponse([res, result]);\n        }\n\n        return mergeResponse([res, new NextResponse(result.body, result)]);\n      }\n\n      return mergeResponse([\n        res,\n        NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n      ]);\n    }\n\n    if (\n      options?.groups &&\n      !isUserInGroupCore(\n        session.user,\n        options.groups,\n        options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n        options.matchAll\n      )\n    ) {\n      if (options.onGroupAccessDenied) {\n        const result = await options.onGroupAccessDenied(\n          req,\n          ctx,\n          session.user\n        );\n\n        if (result instanceof NextResponse) {\n          return mergeResponse([res, result]);\n        }\n\n        return mergeResponse([res, new NextResponse(result.body, result)]);\n      }\n\n      return mergeResponse([\n        res,\n        NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n      ]);\n    }\n\n    const resp = await handler(req, ctx);\n\n    if (resp instanceof NextResponse) {\n      return mergeResponse([res, resp]);\n    }\n\n    return mergeResponse([res, new NextResponse(resp.body, resp)]);\n  }\n\n  private async protectPageApi(\n    req: NextApiRequest,\n    res: NextApiResponse,\n    handler: NextApiHandler,\n    options?: ProtectApiPageOptions\n  ): Promise<unknown> {\n    const session = await this.getSession(req, res);\n\n    if (!session) {\n      if (options?.onAccessDenied) {\n        return options.onAccessDenied(req, res);\n      }\n\n      return res.status(401).json({\n        message: 'unauthorized',\n      });\n    }\n\n    if (\n      options?.groups &&\n      !isUserInGroupCore(\n        session.user,\n        options.groups,\n        options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n        options.matchAll\n      )\n    ) {\n      if (options.onGroupAccessDenied) {\n        return options.onGroupAccessDenied(req, res, session.user);\n      }\n\n      return res.status(403).json({\n        message: 'forbidden',\n      });\n    }\n\n    return handler(req, res);\n  }\n\n  /**\n   * @see {@link authMiddleware} for full docs and examples.\n   * @param options Optional configuration that controls how authentication is enforced (for example, redirect behavior, route matching, or custom handling of unauthenticated requests).\n   * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).\n   */\n  authMiddleware(\n    options?: MonoCloudMiddlewareOptions\n  ): NextMiddleware | NextProxy;\n\n  /**\n   * @see {@link authMiddleware} for full docs and examples.\n   * @param request Incoming Next.js middleware request used to resolve authentication state.\n   * @param event Next.js middleware event providing lifecycle hooks such as `waitUntil`.\n   * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).\n   */\n  authMiddleware(\n    request: NextRequest,\n    event: NextFetchEvent\n  ): Promise<NextMiddlewareResult> | NextMiddlewareResult;\n\n  public authMiddleware(\n    ...args: any[]\n  ):\n    | NextMiddleware\n    | NextProxy\n    | Promise<NextMiddlewareResult>\n    | NextMiddlewareResult {\n    let req: NextRequest | undefined;\n    let evt: NextFetchEvent | undefined;\n    let options: MonoCloudMiddlewareOptions | undefined;\n\n    /* v8 ignore else -- @preserve */\n    if (Array.isArray(args)) {\n      if (args.length === 2) {\n        /* v8 ignore else -- @preserve */\n        if (isAppRouter(args[0])) {\n          req = args[0] as NextRequest;\n          evt = args[1] as NextFetchEvent;\n        }\n      }\n\n      if (args.length === 1) {\n        options = args[0] as MonoCloudMiddlewareOptions;\n      }\n    }\n\n    if (req && evt) {\n      return this.authMiddlewareHandler(req, evt, options) as any;\n    }\n\n    return (request: NextRequest, nxtEvt: NextFetchEvent) => {\n      return this.authMiddlewareHandler(request, nxtEvt, options);\n    };\n  }\n\n  private async authMiddlewareHandler(\n    req: NextRequest,\n    evt: NextFetchEvent,\n    options?: MonoCloudMiddlewareOptions\n  ): Promise<NextMiddlewareResult> {\n    // eslint-disable-next-line no-param-reassign\n    req = getNextRequest(req);\n\n    if (req.headers.has('x-middleware-subrequest')) {\n      return NextResponse.json({ message: 'forbidden' }, { status: 403 });\n    }\n\n    const { routes, appUrl } = this.getOptions();\n\n    if (\n      Object.values(routes!)\n        .map(x => ensureLeadingSlash(x))\n        .includes(req.nextUrl.pathname)\n    ) {\n      let onError;\n      if (typeof options?.onError === 'function') {\n        onError = (\n          error: Error\n        ):\n          | Promise<void | NextResponse<unknown>>\n          | void\n          | NextResponse<unknown> => options.onError!(req, evt, error);\n      }\n\n      const request = new MonoCloudAppRouterRequest(req);\n      const response = new MonoCloudAppRouterResponse(new NextResponse());\n\n      return this.handleAuthRoutes(\n        request,\n        response,\n        req.nextUrl.pathname,\n        routes,\n        onError\n      );\n    }\n\n    const nxtResp = new NextResponse();\n\n    nxtResp.headers.set(\n      'x-monocloud-path',\n      req.nextUrl.pathname + req.nextUrl.search\n    );\n\n    let isRouteProtected = true;\n    let allowedGroups: string[] | undefined;\n\n    if (typeof options?.protectedRoutes === 'function') {\n      isRouteProtected = await options.protectedRoutes(req);\n    } else if (\n      typeof options?.protectedRoutes !== 'undefined' &&\n      Array.isArray(options.protectedRoutes)\n    ) {\n      isRouteProtected = options.protectedRoutes.some(route => {\n        if (typeof route === 'string' || route instanceof RegExp) {\n          return new RegExp(route).test(req.nextUrl.pathname);\n        }\n\n        return route.routes.some(groupRoute => {\n          const result = new RegExp(groupRoute).test(req.nextUrl.pathname);\n\n          if (result) {\n            allowedGroups = route.groups;\n          }\n\n          return result;\n        });\n      });\n    }\n\n    if (!isRouteProtected) {\n      return NextResponse.next({\n        headers: {\n          'x-monocloud-path': req.nextUrl.pathname + req.nextUrl.search,\n        },\n      });\n    }\n\n    const session = await this.getSession(req, nxtResp);\n\n    if (!session) {\n      if (options?.onAccessDenied) {\n        const result = await options.onAccessDenied(req, evt);\n\n        if (result instanceof NextResponse) {\n          return mergeResponse([nxtResp, result]);\n        }\n\n        if (result) {\n          return mergeResponse([\n            nxtResp,\n            new NextResponse(result.body, result),\n          ]);\n        }\n\n        return NextResponse.next(nxtResp);\n      }\n\n      if (req.nextUrl.pathname.startsWith('/api')) {\n        return mergeResponse([\n          nxtResp,\n          NextResponse.json({ message: 'unauthorized' }, { status: 401 }),\n        ]);\n      }\n\n      const signInRoute = new URL(\n        `${appUrl}${ensureLeadingSlash(routes!.signIn)}`\n      );\n\n      signInRoute.searchParams.set(\n        'return_url',\n        req.nextUrl.pathname + req.nextUrl.search\n      );\n\n      return mergeResponse([nxtResp, NextResponse.redirect(signInRoute)]);\n    }\n\n    const groupsClaim =\n      options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;\n\n    if (\n      allowedGroups &&\n      !isUserInGroupCore(session.user, allowedGroups, groupsClaim)\n    ) {\n      if (options?.onGroupAccessDenied) {\n        const result = await options.onGroupAccessDenied(\n          req,\n          evt,\n          session.user\n        );\n\n        if (result instanceof NextResponse) {\n          return mergeResponse([nxtResp, result]);\n        }\n\n        if (result) {\n          return mergeResponse([\n            nxtResp,\n            new NextResponse(result.body, result),\n          ]);\n        }\n\n        return NextResponse.next(nxtResp);\n      }\n\n      if (req.nextUrl.pathname.startsWith('/api')) {\n        return mergeResponse([\n          nxtResp,\n          NextResponse.json({ message: 'forbidden' }, { status: 403 }),\n        ]);\n      }\n\n      return new NextResponse(`forbidden`, {\n        status: 403,\n      });\n    }\n\n    return NextResponse.next(nxtResp);\n  }\n\n  private handleAuthRoutes(\n    request: MonoCloudRequest,\n    response: MonoCloudResponse,\n    path: string,\n    routes: MonoCloudOptions['routes'],\n    onError?: OnError\n  ): Promise<any> {\n    switch (path) {\n      case ensureLeadingSlash(routes!.signIn):\n        return this.coreClient.signIn(request, response, {\n          onError,\n        });\n\n      case ensureLeadingSlash(routes!.callback):\n        return this.coreClient.callback(request, response, {\n          onError,\n        });\n\n      case ensureLeadingSlash(routes!.userInfo):\n        return this.coreClient.userInfo(request, response, {\n          onError,\n        });\n\n      case ensureLeadingSlash(routes!.signOut):\n        return this.coreClient.signOut(request, response, {\n          onError,\n        });\n\n      default:\n        response.notFound();\n        return response.done();\n    }\n  }\n\n  /**\n   * @see {@link getSession} for full docs and examples.\n   * @param options Optional configuration controlling session retrieval behavior.\n   * @returns Returns the resolved session, or `undefined` if none exists.\n   */\n  public getSession(\n    options?: GetSessionOptions\n  ): Promise<MonoCloudSession | undefined>;\n\n  /**\n   * @see {@link getSession} for full docs and examples.\n   * @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.\n   * @param options Optional configuration controlling session retrieval behavior.\n   * @returns Returns the resolved session, or `undefined` if none exists.\n   */\n  public getSession(\n    req: NextRequest | Request,\n    options?: GetSessionOptions\n  ): Promise<MonoCloudSession | undefined>;\n\n  /**\n   * @see {@link getSession} for full docs and examples.\n   * @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.\n   * @param res Optional response to update if session resolution requires refreshed authentication cookies or headers.\n   * @param options Optional configuration controlling session retrieval behavior.\n   * @returns Returns the resolved session, or `undefined` if none exists.\n   */\n  public getSession(\n    req: NextRequest | Request,\n    res: NextResponse | Response,\n    options?: GetSessionOptions\n  ): Promise<MonoCloudSession | undefined>;\n\n  /**\n   * @see {@link getSession} for full docs and examples.\n   * @param req Incoming Node.js request used to read authentication cookies and resolve the current user's session.\n   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n   * @param options Optional configuration controlling session retrieval behavior.\n   * @returns Returns the resolved session, or `undefined` if none exists.\n   */\n  public getSession(\n    req: NextApiRequest | IncomingMessage,\n    res: NextApiResponse | ServerResponse<IncomingMessage>,\n    options?: GetSessionOptions\n  ): Promise<MonoCloudSession | undefined>;\n\n  async getSession(...args: any[]): Promise<MonoCloudSession | undefined> {\n    let request: IMonoCloudCookieRequest;\n    let response: IMonoCloudCookieResponse;\n    let options: GetSessionOptions | undefined;\n\n    if (args.length === 0) {\n      request = new MonoCloudCookieRequest();\n      response = new MonoCloudCookieResponse();\n    } else if (args.length === 1) {\n      if (args[0] instanceof Request) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n      } else {\n        request = new MonoCloudCookieRequest();\n        response = new MonoCloudCookieResponse();\n        options = args[0];\n      }\n    } else if (args.length === 2 && args[0] instanceof Request) {\n      if (args[1] instanceof Response) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n      } else {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n\n        options = args[1] as GetSessionOptions;\n      }\n    } else if (\n      args.length === 2 &&\n      isNodeRequest(args[0]) &&\n      isNodeResponse(args[1])\n    ) {\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n    } else {\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n\n      options = args[2] as GetSessionOptions;\n    }\n\n    if (\n      !isMonoCloudRequest(request) ||\n      !isMonoCloudResponse(response) ||\n      (options && typeof options !== 'object')\n    ) {\n      throw new MonoCloudValidationError(\n        'Invalid parameters passed to getSession()'\n      );\n    }\n\n    return await this.coreClient.getSession(request, response, options);\n  }\n\n  /**\n   * @see {@link getTokens} for full docs and examples.\n   * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n   * @returns The current user's tokens, refreshed if necessary.\n   * @throws {@link MonoCloudValidationError} If no valid session exists.\n   */\n  public getTokens(options?: GetTokensOptions): Promise<MonoCloudTokens>;\n\n  /**\n   * @see {@link getTokens} for full docs and examples.\n   * @param req Incoming request used to resolve authentication from cookies and headers.\n   * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n   * @returns The current user's tokens, refreshed if necessary.\n   * @throws {@link MonoCloudValidationError} If no valid session exists.\n   */\n  public getTokens(\n    req: NextRequest | Request,\n    options?: GetTokensOptions\n  ): Promise<MonoCloudTokens>;\n\n  /**\n   * @see {@link getTokens} for full docs and examples.\n   * @param req Incoming request used to resolve authentication from cookies and headers.\n   * @param res Existing response to update with refreshed authentication cookies or headers.\n   * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n   * @returns The current user's tokens, refreshed if necessary.\n   * @throws {@link MonoCloudValidationError} If no valid session exists.\n   */\n  public getTokens(\n    req: NextRequest | Request,\n    res: NextResponse | Response,\n    options?: GetTokensOptions\n  ): Promise<MonoCloudTokens>;\n\n  /**\n   * @see {@link getTokens} for full docs and examples.\n   * @param req Incoming Node.js request used to resolve authentication from cookies.\n   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n   * @param options Optional configuration controlling refresh behavior and resource/scope selection.\n   * @returns The current user's tokens, refreshed if necessary.\n   * @throws {@link MonoCloudValidationError} If no valid session exists.\n   */\n  public getTokens(\n    req: NextApiRequest | IncomingMessage,\n    res: NextApiResponse | ServerResponse<IncomingMessage>,\n    options?: GetTokensOptions\n  ): Promise<MonoCloudTokens>;\n\n  async getTokens(...args: any[]): Promise<MonoCloudTokens> {\n    let request: IMonoCloudCookieRequest;\n    let response: IMonoCloudCookieResponse;\n    let options: GetTokensOptions | undefined;\n\n    if (args.length === 0) {\n      request = new MonoCloudCookieRequest();\n      response = new MonoCloudCookieResponse();\n    } else if (args.length === 1) {\n      if (args[0] instanceof Request) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n      } else {\n        request = new MonoCloudCookieRequest();\n        response = new MonoCloudCookieResponse();\n        options = args[0];\n      }\n    } else if (args.length === 2 && args[0] instanceof Request) {\n      if (args[1] instanceof Response) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n      } else {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n\n        options = args[1] as GetTokensOptions;\n      }\n    } else if (\n      args.length === 2 &&\n      isNodeRequest(args[0]) &&\n      isNodeResponse(args[1])\n    ) {\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n    } else {\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n\n      options = args[2] as GetTokensOptions;\n    }\n\n    if (\n      !isMonoCloudRequest(request) ||\n      !isMonoCloudResponse(response) ||\n      (options && typeof options !== 'object')\n    ) {\n      throw new MonoCloudValidationError(\n        'Invalid parameters passed to getTokens()'\n      );\n    }\n\n    return await this.coreClient.getTokens(request, response, options);\n  }\n\n  /**\n   * @see {@link isAuthenticated} for full docs and examples.\n   * @returns Returns `true` if a valid session exists; otherwise `false`.\n   */\n  public isAuthenticated(): Promise<boolean>;\n\n  /**\n   * @see {@link isAuthenticated} for full docs and examples.\n   * @param req Incoming request used to resolve authentication from cookies and headers.\n   * @param res Optional response to update if refreshed authentication cookies or headers are required.\n   * @returns Returns `true` if a valid session exists; otherwise `false`.\n   */\n  public isAuthenticated(\n    req: NextRequest | Request,\n    res?: NextResponse | Response\n  ): Promise<boolean>;\n\n  /**\n   * @see {@link isAuthenticated} for full docs and examples.\n   * @param req Incoming Node.js request used to resolve authentication from cookies.\n   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n   * @returns Returns `true` if a valid session exists; otherwise `false`.\n   */\n  public isAuthenticated(\n    req: NextApiRequest | IncomingMessage,\n    res: NextApiResponse | ServerResponse<IncomingMessage>\n  ): Promise<boolean>;\n\n  async isAuthenticated(...args: any[]): Promise<boolean> {\n    let request: IMonoCloudCookieRequest;\n    let response: IMonoCloudCookieResponse;\n\n    if (args.length === 0) {\n      request = new MonoCloudCookieRequest();\n      response = new MonoCloudCookieResponse();\n    } else {\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n    }\n\n    /* v8 ignore next -- @preserve */\n    if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) {\n      throw new MonoCloudValidationError(\n        'Invalid parameters passed to isAuthenticated()'\n      );\n    }\n\n    return await this.coreClient.isAuthenticated(request, response);\n  }\n\n  /**\n   * @see {@link protect} for full docs and examples.\n   * @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).\n   * @returns Resolves if the user is authenticated; otherwise triggers a redirect.\n   */\n  public async protect(options?: ProtectOptions): Promise<void> {\n    const { routes, appUrl } = this.coreClient.getOptions();\n    let path: string;\n    try {\n      const session = await this.getSession();\n\n      if (session && !options?.groups) {\n        return;\n      }\n\n      if (\n        session &&\n        options?.groups &&\n        isUserInGroupCore(\n          session.user,\n          options.groups,\n          options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n          options.matchAll\n        )\n      ) {\n        return;\n      }\n\n      // @ts-expect-error Cannot find module 'next/headers'\n      const { headers } = await import('next/headers');\n\n      path = (await headers()).get('x-monocloud-path') ?? '/';\n    } catch {\n      throw new Error(\n        'protect() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n      );\n    }\n\n    const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n    signInRoute.searchParams.set('return_url', options?.returnUrl ?? path);\n\n    if (options?.authParams?.maxAge) {\n      signInRoute.searchParams.set(\n        'max_age',\n        options.authParams.maxAge.toString()\n      );\n    }\n\n    if (options?.authParams?.authenticatorHint) {\n      signInRoute.searchParams.set(\n        'authenticator_hint',\n        options.authParams.authenticatorHint\n      );\n    }\n\n    if (options?.authParams?.scopes) {\n      signInRoute.searchParams.set('scope', options.authParams.scopes);\n    }\n\n    if (options?.authParams?.resource) {\n      signInRoute.searchParams.set('resource', options.authParams.resource);\n    }\n\n    if (options?.authParams?.display) {\n      signInRoute.searchParams.set('display', options.authParams.display);\n    }\n\n    if (options?.authParams?.uiLocales) {\n      signInRoute.searchParams.set('ui_locales', options.authParams.uiLocales);\n    }\n\n    if (Array.isArray(options?.authParams?.acrValues)) {\n      signInRoute.searchParams.set(\n        'acr_values',\n        options.authParams.acrValues.join(' ')\n      );\n    }\n\n    if (options?.authParams?.loginHint) {\n      signInRoute.searchParams.set('login_hint', options.authParams.loginHint);\n    }\n\n    if (options?.authParams?.prompt) {\n      signInRoute.searchParams.set('prompt', options.authParams.prompt);\n    }\n\n    // @ts-expect-error Cannot find module 'next/navigation'\n    const { redirect } = await import('next/navigation');\n\n    redirect(signInRoute.toString());\n  }\n\n  /**\n   * @see {@link isUserInGroup} for full docs and examples.\n   * @param groups Group IDs or names to check against the user's group memberships.\n   * @param options Optional configuration controlling how group membership is evaluated.\n   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n   */\n  isUserInGroup(\n    groups: string[],\n    options?: IsUserInGroupOptions\n  ): Promise<boolean>;\n\n  /**\n   * @see {@link isUserInGroup} for full docs and examples.\n   * @param req Incoming request used to resolve authentication from cookies and headers.\n   * @param groups Group IDs or names to check against the user's group memberships.\n   * @param options Optional configuration controlling how group membership is evaluated.\n   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n   */\n  isUserInGroup(\n    req: NextRequest | Request,\n    groups: string[],\n    options?: IsUserInGroupOptions\n  ): Promise<boolean>;\n\n  /**\n   * @see {@link isUserInGroup} for full docs and examples.\n   * @param req Incoming request used to resolve authentication from cookies and headers.\n   * @param res Existing response to update with refreshed authentication cookies or headers when required.\n   * @param groups Group IDs or names to check against the user's group memberships.\n   * @param options Optional configuration controlling how group membership is evaluated.\n   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n   */\n  isUserInGroup(\n    req: NextRequest | Request,\n    res: NextResponse | Response,\n    groups: string[],\n    options?: IsUserInGroupOptions\n  ): Promise<boolean>;\n\n  /**\n   * @see {@link isUserInGroup} for full docs and examples.\n   * @param req Incoming Node.js request used to resolve authentication from cookies.\n   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.\n   * @param groups Group IDs or names to check against the user's group memberships.\n   * @param options Optional configuration controlling how group membership is evaluated.\n   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.\n   */\n  isUserInGroup(\n    req: NextApiRequest | IncomingMessage,\n    res: NextApiResponse | ServerResponse<IncomingMessage>,\n    groups: string[],\n    options?: IsUserInGroupOptions\n  ): Promise<boolean>;\n\n  public async isUserInGroup(...args: any[]): Promise<boolean> {\n    let request: IMonoCloudCookieRequest | undefined;\n    let response: IMonoCloudCookieResponse | undefined;\n    let groups: string[] | undefined;\n    let options: IsUserInGroupOptions | undefined;\n\n    if (args.length === 4) {\n      groups = args[2];\n      options = args[3];\n\n      ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n    }\n\n    if (args.length === 3) {\n      if (args[0] instanceof Request) {\n        if (args[1] instanceof Response) {\n          ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n          groups = args[2];\n        } else {\n          ({ request, response } = getMonoCloudCookieReqRes(\n            args[0],\n            undefined\n          ));\n          groups = args[1];\n          options = args[2];\n        }\n      }\n\n      if (isNodeRequest(args[0]) && isNodeResponse(args[1])) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], args[1]));\n        groups = args[2];\n      }\n    }\n\n    if (args.length === 2) {\n      if (args[0] instanceof Request) {\n        ({ request, response } = getMonoCloudCookieReqRes(args[0], undefined));\n        groups = args[1];\n      }\n\n      if (Array.isArray(args[0])) {\n        request = new MonoCloudCookieRequest();\n        response = new MonoCloudCookieResponse();\n\n        groups = args[0];\n        options = args[1];\n      }\n    }\n\n    if (args.length === 1) {\n      request = new MonoCloudCookieRequest();\n      response = new MonoCloudCookieResponse();\n\n      groups = args[0];\n    }\n\n    if (\n      !Array.isArray(groups) ||\n      !isMonoCloudRequest(request) ||\n      !isMonoCloudResponse(response) ||\n      (options && typeof options !== 'object')\n    ) {\n      throw new MonoCloudValidationError(\n        'Invalid parameters passed to isUserInGroup()'\n      );\n    }\n\n    const result = await this.coreClient.isUserInGroup(\n      request,\n      response,\n      groups,\n      options?.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM,\n      options?.matchAll\n    );\n\n    return result;\n  }\n\n  /**\n   * @see {@link redirectToSignIn} for full docs and examples.\n   * @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.\n   * @returns Never resolves. Triggers a redirect to the sign-in flow.\n   */\n  public async redirectToSignIn(\n    options?: RedirectToSignInOptions\n  ): Promise<void> {\n    const { routes, appUrl } = this.coreClient.getOptions();\n\n    try {\n      // @ts-expect-error Cannot find module 'next/headers'\n      const { headers } = await import('next/headers');\n\n      await headers();\n    } catch {\n      throw new Error(\n        'redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n      );\n    }\n\n    const signInRoute = new URL(`${appUrl}${routes.signIn}`);\n\n    if (options?.returnUrl) {\n      signInRoute.searchParams.set('return_url', options.returnUrl);\n    }\n\n    if (options?.maxAge) {\n      signInRoute.searchParams.set('max_age', options.maxAge.toString());\n    }\n\n    if (options?.authenticatorHint) {\n      signInRoute.searchParams.set(\n        'authenticator_hint',\n        options.authenticatorHint\n      );\n    }\n\n    if (options?.scopes) {\n      signInRoute.searchParams.set('scope', options.scopes);\n    }\n\n    if (options?.resource) {\n      signInRoute.searchParams.set('resource', options.resource);\n    }\n\n    if (options?.display) {\n      signInRoute.searchParams.set('display', options.display);\n    }\n\n    if (options?.uiLocales) {\n      signInRoute.searchParams.set('ui_locales', options.uiLocales);\n    }\n\n    if (Array.isArray(options?.acrValues)) {\n      signInRoute.searchParams.set('acr_values', options.acrValues.join(' '));\n    }\n\n    if (options?.loginHint) {\n      signInRoute.searchParams.set('login_hint', options.loginHint);\n    }\n\n    if (options?.prompt) {\n      signInRoute.searchParams.set('prompt', options.prompt);\n    }\n\n    // @ts-expect-error Cannot find module 'next/navigation'\n    const { redirect } = await import('next/navigation');\n\n    redirect(signInRoute.toString());\n  }\n\n  /**\n   * @see {@link redirectToSignOut} for full docs and examples.\n   * @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.\n   * @returns Never resolves. Triggers a redirect to the sign-out flow.\n   */\n  public async redirectToSignOut(\n    options?: RedirectToSignOutOptions\n  ): Promise<void> {\n    const { routes, appUrl } = this.coreClient.getOptions();\n\n    try {\n      // @ts-expect-error Cannot find module 'next/headers'\n      const { headers } = await import('next/headers');\n\n      await headers();\n    } catch {\n      throw new Error(\n        'redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)'\n      );\n    }\n\n    const signOutRoute = new URL(`${appUrl}${routes.signOut}`);\n\n    if (options?.postLogoutRedirectUri?.trim().length) {\n      signOutRoute.searchParams.set(\n        'post_logout_url',\n        options.postLogoutRedirectUri\n      );\n    }\n\n    if (typeof options?.federated === 'boolean') {\n      signOutRoute.searchParams.set('federated', options.federated.toString());\n    }\n\n    // @ts-expect-error Cannot find module 'next/navigation'\n    const { redirect } = await import('next/navigation');\n\n    redirect(signOutRoute.toString());\n  }\n\n  private getOptions(): MonoCloudOptions {\n    return this.coreClient.getOptions();\n  }\n\n  private registerPublicEnvVariables(): void {\n    Object.keys(process.env)\n      .filter(key => key.startsWith('NEXT_PUBLIC_MONOCLOUD_AUTH'))\n      .forEach(publicKey => {\n        const [, privateKey] = publicKey.split('NEXT_PUBLIC_');\n        process.env[privateKey] = process.env[publicKey];\n      });\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoMA,IAAa,sBAAb,MAAiC;;;;;;;CAS/B,IAAW,aAAkC;AAC3C,SAAO,KAAK;;;;;;;CAQd,IAAW,aAAkC;AAC3C,SAAO,KAAK,WAAW;;;;;;;CAQzB,YAAY,SAA4B;EACtC,MAAM,MAAM;GACV,GAAI,WAAW,EAAE;GACjB,8DAAW,QAAS,cAAa;GACjC,6DAAU,QAAS;GACpB;AAED,OAAK,4BAA4B;AACjC,OAAK,cAAc,IAAIA,8CAAoB,IAAI;;;;;;;CAQjD,AAAO,cAAc,SAAsD;AACzE,UAAQ,KAAK,aAAa;GACxB,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;GAE5C,IAAI,EAAE,MAAM,OAAO;AAEnB,OAAI,uDAAe,IAAI,CACrB,OAAM,IAAI,IAAI,KAAK,OAAO,CAAC,UAAU;GAGvC,MAAM,QAAQ,IAAI,IAAI,IAAI;GAE1B,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAEA,QAAQ,QAAS,KAAY,UAAiB,MAAM;GAGxD,IAAI;GACJ,IAAI;AAEJ,OAAIC,0BAAY,IAAI,EAAE;AACpB,cAAU,IAAIC,6CAA0BC,6BAAe,IAAe,CAAC;AACvE,eAAW,IAAIC,8CACbC,8BAAgB,SAAqB,CACtC;UACI;AACL,cAAU,IAAIC,8CAA2B,IAAsB;AAC/D,eAAW,IAAIC,+CAA4B,SAA4B;;AAGzE,UAAO,KAAK,iBACV,SACA,UACA,MAAM,UACN,QACA,QACD;;;CA2BL,AAAO,YAAY,GAAG,MAAsB;AAC1C,MAAI,OAAO,KAAK,OAAO,WACrB,QAAO,KAAK,eACV,KAAK,IACL,KAAK,GACN;AAGH,SAAO,KAAK,gBACV,KAAK,GACN;;CAGH,AAAQ,eACN,WACA,SACsB;AACtB,SAAO,OAAM,WAAU;GACrB,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,eACX,QAAO,QAAQ,eAAe,EAAE,GAAG,QAAQ,CAAC;IAG9C,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAG5C,MAAM,EAAE,YAAY,MAAM,OAAO;IAEjC,MAAM,QAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB;IAEtD,MAAM,cAAc,IAAI,IACtB,GAAG,oEAA4B,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,IAC/B;AAED,yEAAI,QAAS,sFAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,0EAAI,QAAS,wFAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,0EAAI,QAAS,wFAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,0EAAI,QAAS,wFAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,0EAAI,QAAS,wFAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,0EAAI,QAAS,wFAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;IAIH,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAO,SAAS,YAAY,UAAU,CAAC;;AAGzC,0DACE,QAAS,WACT,oDACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,QAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB;KACjC,GAAG;KACH,MAAM,QAAQ;KACf,CAAC;AAGJ,WAAO;;AAGT,UAAO,UAAU;IAAE,GAAG;IAAQ,MAAM,QAAQ;IAAM,CAAC;;;CAIvD,AAAQ,gBAGN,SAAyE;AACzE,SAAO,OAAM,YAAW;GACtB,MAAM,UAAU,MAAM,KAAK,WACzB,QAAQ,KACR,QAAQ,IACT;AAED,OAAI,CAAC,SAAS;;AACZ,0DAAI,QAAS,gBAAgB;KAC3B,MAAM,cAAmB,MAAM,QAAQ,eAAe,EACpD,GAAG,SACJ,CAAC;AAOF,YALc;MACZ,GAAI,eAAe,EAAE;MACrB,OAAO,EAAE,8DAAI,YAAa,UAAS,EAAE,EAAG;MACzC;;IAKH,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;IAE5C,MAAM,cAAc,IAAI,IACtB,GAAG,oEAA4B,OAAQ,OAAO,GAC/C;AAED,gBAAY,aAAa,IACvB,iEACA,QAAS,cAAa,QAAQ,YAC/B;AAED,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAElE,2EAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,2EAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;AAGnE,2EAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,2EAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,2EAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UACpB;AAGH,WAAO,EACL,UAAU;KACR,aAAa,YAAY,UAAU;KACnC,WAAW;KACZ,EACF;;AAGH,0DACE,QAAS,WACT,oDACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;;IACA,MAAM,cAAoB,gCAAM,QAAQ,iHAAsB;KAC5D,GAAG;KACH,MAAM,QAAQ;KACf,CAAC,KAAK,EAAE,OAAO,EAAE,mBAAmB,MAAM,EAAE;AAO7C,WALc;KACZ,GAAG;KACH,OAAO,EAAE,GAAI,YAAY,SAAS,EAAE,EAAG;KACxC;;GAKH,MAAM,iEAAmB,QAAS,sBAC9B,MAAM,QAAQ,mBAAmB,QAAQ,GACzC,EAAE;GAEN,MAAM,cAAc,YAAY;AAEhC,OAAI,uBAAuB,QACzB,QAAO;IACL,GAAG;IACH,OAAO,YAAY,MAAM,WAAgB;KACvC,MAAM,QAAQ;KACd,GAAG;KACJ,EAAE;IACJ;AAGH,UAAO;IACL,GAAG;IACH,OAAO;KAAE,MAAM,QAAQ;KAAM,GAAG,YAAY;KAAO;IACpD;;;CA0BL,AAAO,WACL,SACA,SACwC;AACxC,UACE,KACA,aACG;AACH,OAAIN,0BAAY,IAAI,CAClB,QAAO,KAAK,cACV,KACA,UACA,SACA,QACD;AAEH,UAAO,KAAK,eACV,KACA,UACA,SACA,QACD;;;CAIL,MAAc,cACZ,KACA,KACA,SACA,SACuB;EACvB,MAAM,MAAM,IAAIO,6BAAc;EAE9B,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkBA,4BACpB,QAAOC,4BAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAOA,4BAAc,CAAC,KAAK,IAAID,4BAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAOC,4BAAc,CACnB,KACAD,4BAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;;AAGJ,yDACE,QAAS,WACT,oDACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,qBAAqB;IAC/B,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkBA,4BACpB,QAAOC,4BAAc,CAAC,KAAK,OAAO,CAAC;AAGrC,WAAOA,4BAAc,CAAC,KAAK,IAAID,4BAAa,OAAO,MAAM,OAAO,CAAC,CAAC;;AAGpE,UAAOC,4BAAc,CACnB,KACAD,4BAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;;EAGJ,MAAM,OAAO,MAAM,QAAQ,KAAK,IAAI;AAEpC,MAAI,gBAAgBA,4BAClB,QAAOC,4BAAc,CAAC,KAAK,KAAK,CAAC;AAGnC,SAAOA,4BAAc,CAAC,KAAK,IAAID,4BAAa,KAAK,MAAM,KAAK,CAAC,CAAC;;CAGhE,MAAc,eACZ,KACA,KACA,SACA,SACkB;EAClB,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,IAAI;AAE/C,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,eACX,QAAO,QAAQ,eAAe,KAAK,IAAI;AAGzC,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,gBACV,CAAC;;AAGJ,yDACE,QAAS,WACT,oDACE,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,EACD;AACA,OAAI,QAAQ,oBACV,QAAO,QAAQ,oBAAoB,KAAK,KAAK,QAAQ,KAAK;AAG5D,UAAO,IAAI,OAAO,IAAI,CAAC,KAAK,EAC1B,SAAS,aACV,CAAC;;AAGJ,SAAO,QAAQ,KAAK,IAAI;;CAuB1B,AAAO,eACL,GAAG,MAKoB;EACvB,IAAI;EACJ,IAAI;EACJ,IAAI;;AAGJ,MAAI,MAAM,QAAQ,KAAK,EAAE;AACvB,OAAI,KAAK,WAAW,GAElB;;QAAIP,0BAAY,KAAK,GAAG,EAAE;AACxB,WAAM,KAAK;AACX,WAAM,KAAK;;;AAIf,OAAI,KAAK,WAAW,EAClB,WAAU,KAAK;;AAInB,MAAI,OAAO,IACT,QAAO,KAAK,sBAAsB,KAAK,KAAK,QAAQ;AAGtD,UAAQ,SAAsB,WAA2B;AACvD,UAAO,KAAK,sBAAsB,SAAS,QAAQ,QAAQ;;;CAI/D,MAAc,sBACZ,KACA,KACA,SAC+B;AAE/B,QAAME,6BAAe,IAAI;AAEzB,MAAI,IAAI,QAAQ,IAAI,0BAA0B,CAC5C,QAAOK,4BAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC;EAGrE,MAAM,EAAE,QAAQ,WAAW,KAAK,YAAY;AAE5C,MACE,OAAO,OAAO,OAAQ,CACnB,KAAI,iEAAwB,EAAE,CAAC,CAC/B,SAAS,IAAI,QAAQ,SAAS,EACjC;GACA,IAAI;AACJ,OAAI,0DAAO,QAAS,aAAY,WAC9B,YACE,UAI2B,QAAQ,QAAS,KAAK,KAAK,MAAM;GAGhE,MAAM,UAAU,IAAIN,6CAA0B,IAAI;GAClD,MAAM,WAAW,IAAIE,8CAA2B,IAAII,6BAAc,CAAC;AAEnE,UAAO,KAAK,iBACV,SACA,UACA,IAAI,QAAQ,UACZ,QACA,QACD;;EAGH,MAAM,UAAU,IAAIA,6BAAc;AAElC,UAAQ,QAAQ,IACd,oBACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;EAED,IAAI,mBAAmB;EACvB,IAAI;AAEJ,MAAI,0DAAO,QAAS,qBAAoB,WACtC,oBAAmB,MAAM,QAAQ,gBAAgB,IAAI;WAErD,0DAAO,QAAS,qBAAoB,eACpC,MAAM,QAAQ,QAAQ,gBAAgB,CAEtC,oBAAmB,QAAQ,gBAAgB,MAAK,UAAS;AACvD,OAAI,OAAO,UAAU,YAAY,iBAAiB,OAChD,QAAO,IAAI,OAAO,MAAM,CAAC,KAAK,IAAI,QAAQ,SAAS;AAGrD,UAAO,MAAM,OAAO,MAAK,eAAc;IACrC,MAAM,SAAS,IAAI,OAAO,WAAW,CAAC,KAAK,IAAI,QAAQ,SAAS;AAEhE,QAAI,OACF,iBAAgB,MAAM;AAGxB,WAAO;KACP;IACF;AAGJ,MAAI,CAAC,iBACH,QAAOA,4BAAa,KAAK,EACvB,SAAS,EACP,oBAAoB,IAAI,QAAQ,WAAW,IAAI,QAAQ,QACxD,EACF,CAAC;EAGJ,MAAM,UAAU,MAAM,KAAK,WAAW,KAAK,QAAQ;AAEnD,MAAI,CAAC,SAAS;AACZ,yDAAI,QAAS,gBAAgB;IAC3B,MAAM,SAAS,MAAM,QAAQ,eAAe,KAAK,IAAI;AAErD,QAAI,kBAAkBA,4BACpB,QAAOC,4BAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAOA,4BAAc,CACnB,SACA,IAAID,4BAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAOA,4BAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAOC,4BAAc,CACnB,SACAD,4BAAa,KAAK,EAAE,SAAS,gBAAgB,EAAE,EAAE,QAAQ,KAAK,CAAC,CAChE,CAAC;GAGJ,MAAM,cAAc,IAAI,IACtB,GAAG,oEAA4B,OAAQ,OAAO,GAC/C;AAED,eAAY,aAAa,IACvB,cACA,IAAI,QAAQ,WAAW,IAAI,QAAQ,OACpC;AAED,UAAOC,4BAAc,CAAC,SAASD,4BAAa,SAAS,YAAY,CAAC,CAAC;;EAGrE,MAAM,iEACJ,QAAS,gBAAe,QAAQ,IAAI;AAEtC,MACE,iBACA,oDAAmB,QAAQ,MAAM,eAAe,YAAY,EAC5D;AACA,yDAAI,QAAS,qBAAqB;IAChC,MAAM,SAAS,MAAM,QAAQ,oBAC3B,KACA,KACA,QAAQ,KACT;AAED,QAAI,kBAAkBA,4BACpB,QAAOC,4BAAc,CAAC,SAAS,OAAO,CAAC;AAGzC,QAAI,OACF,QAAOA,4BAAc,CACnB,SACA,IAAID,4BAAa,OAAO,MAAM,OAAO,CACtC,CAAC;AAGJ,WAAOA,4BAAa,KAAK,QAAQ;;AAGnC,OAAI,IAAI,QAAQ,SAAS,WAAW,OAAO,CACzC,QAAOC,4BAAc,CACnB,SACAD,4BAAa,KAAK,EAAE,SAAS,aAAa,EAAE,EAAE,QAAQ,KAAK,CAAC,CAC7D,CAAC;AAGJ,UAAO,IAAIA,4BAAa,aAAa,EACnC,QAAQ,KACT,CAAC;;AAGJ,SAAOA,4BAAa,KAAK,QAAQ;;CAGnC,AAAQ,iBACN,SACA,UACA,MACA,QACA,SACc;AACd,UAAQ,MAAR;GACE,gEAAwB,OAAQ,OAAO,CACrC,QAAO,KAAK,WAAW,OAAO,SAAS,UAAU,EAC/C,SACD,CAAC;GAEJ,gEAAwB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,gEAAwB,OAAQ,SAAS,CACvC,QAAO,KAAK,WAAW,SAAS,SAAS,UAAU,EACjD,SACD,CAAC;GAEJ,gEAAwB,OAAQ,QAAQ,CACtC,QAAO,KAAK,WAAW,QAAQ,SAAS,UAAU,EAChD,SACD,CAAC;GAEJ;AACE,aAAS,UAAU;AACnB,WAAO,SAAS,MAAM;;;CAkD5B,MAAM,WAAW,GAAG,MAAoD;EACtE,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAIE,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;aAC/B,KAAK,WAAW,EACzB,KAAI,KAAK,cAAc,QACrB,EAAC,CAAE,SAAS,YAAaC,uCAAyB,KAAK,IAAI,OAAU;OAChE;AACL,aAAU,IAAIF,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;AACxC,aAAU,KAAK;;WAER,KAAK,WAAW,KAAK,KAAK,cAAc,QACjD,KAAI,KAAK,cAAc,SACrB,EAAC,CAAE,SAAS,YAAaC,uCAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,OAAU;AAErE,aAAU,KAAK;;WAGjB,KAAK,WAAW,KAChBC,4BAAc,KAAK,GAAG,IACtBC,6BAAe,KAAK,GAAG,CAEvB,EAAC,CAAE,SAAS,YAAaF,uCAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,KAAK,GAAG;AAEnE,aAAU,KAAK;;AAGjB,MACE,CAACG,iCAAmB,QAAQ,IAC5B,CAACC,kCAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIC,mDACR,4CACD;AAGH,SAAO,MAAM,KAAK,WAAW,WAAW,SAAS,UAAU,QAAQ;;CAmDrE,MAAM,UAAU,GAAG,MAAuC;EACxD,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAIP,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;aAC/B,KAAK,WAAW,EACzB,KAAI,KAAK,cAAc,QACrB,EAAC,CAAE,SAAS,YAAaC,uCAAyB,KAAK,IAAI,OAAU;OAChE;AACL,aAAU,IAAIF,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;AACxC,aAAU,KAAK;;WAER,KAAK,WAAW,KAAK,KAAK,cAAc,QACjD,KAAI,KAAK,cAAc,SACrB,EAAC,CAAE,SAAS,YAAaC,uCAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,OAAU;AAErE,aAAU,KAAK;;WAGjB,KAAK,WAAW,KAChBC,4BAAc,KAAK,GAAG,IACtBC,6BAAe,KAAK,GAAG,CAEvB,EAAC,CAAE,SAAS,YAAaF,uCAAyB,KAAK,IAAI,KAAK,GAAG;OAC9D;AACL,IAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,KAAK,GAAG;AAEnE,aAAU,KAAK;;AAGjB,MACE,CAACG,iCAAmB,QAAQ,IAC5B,CAACC,kCAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIC,mDACR,2CACD;AAGH,SAAO,MAAM,KAAK,WAAW,UAAU,SAAS,UAAU,QAAQ;;CA+BpE,MAAM,gBAAgB,GAAG,MAA+B;EACtD,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAIP,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;QAExC,EAAC,CAAE,SAAS,YAAaC,uCAAyB,KAAK,IAAI,KAAK,GAAG;;AAIrE,MAAI,CAACG,iCAAmB,QAAQ,IAAI,CAACC,kCAAoB,SAAS,CAChE,OAAM,IAAIC,mDACR,iDACD;AAGH,SAAO,MAAM,KAAK,WAAW,gBAAgB,SAAS,SAAS;;;;;;;CAQjE,MAAa,QAAQ,SAAyC;;EAC5D,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;EACvD,IAAI;AACJ,MAAI;GACF,MAAM,UAAU,MAAM,KAAK,YAAY;AAEvC,OAAI,WAAW,oDAAC,QAAS,QACvB;AAGF,OACE,8DACA,QAAS,8DAEP,QAAQ,MACR,QAAQ,QACR,QAAQ,eAAe,QAAQ,IAAI,6BACnC,QAAQ,SACT,CAED;GAIF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,WAAQ,MAAM,SAAS,EAAE,IAAI,mBAAmB,IAAI;UAC9C;AACN,SAAM,IAAI,MACR,wGACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,cAAY,aAAa,IAAI,iEAAc,QAAS,cAAa,KAAK;AAEtE,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IACvB,WACA,QAAQ,WAAW,OAAO,UAAU,CACrC;AAGH,yEAAI,QAAS,0FAAY,kBACvB,aAAY,aAAa,IACvB,sBACA,QAAQ,WAAW,kBACpB;AAGH,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,SAAS,QAAQ,WAAW,OAAO;AAGlE,yEAAI,QAAS,0FAAY,SACvB,aAAY,aAAa,IAAI,YAAY,QAAQ,WAAW,SAAS;AAGvE,yEAAI,QAAS,0FAAY,QACvB,aAAY,aAAa,IAAI,WAAW,QAAQ,WAAW,QAAQ;AAGrE,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,MAAI,MAAM,2EAAQ,QAAS,0FAAY,UAAU,CAC/C,aAAY,aAAa,IACvB,cACA,QAAQ,WAAW,UAAU,KAAK,IAAI,CACvC;AAGH,yEAAI,QAAS,0FAAY,UACvB,aAAY,aAAa,IAAI,cAAc,QAAQ,WAAW,UAAU;AAG1E,yEAAI,QAAS,0FAAY,OACvB,aAAY,aAAa,IAAI,UAAU,QAAQ,WAAW,OAAO;EAInE,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;CAyDlC,MAAa,cAAc,GAAG,MAA+B;EAC3D,IAAI;EACJ,IAAI;EACJ,IAAI;EACJ,IAAI;AAEJ,MAAI,KAAK,WAAW,GAAG;AACrB,YAAS,KAAK;AACd,aAAU,KAAK;AAEf,IAAC,CAAE,SAAS,YAAaL,uCAAyB,KAAK,IAAI,KAAK,GAAG;;AAGrE,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,QACrB,KAAI,KAAK,cAAc,UAAU;AAC/B,KAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;UACT;AACL,KAAC,CAAE,SAAS,YAAaA,uCACvB,KAAK,IACL,OACD;AACD,aAAS,KAAK;AACd,cAAU,KAAK;;AAInB,OAAIC,4BAAc,KAAK,GAAG,IAAIC,6BAAe,KAAK,GAAG,EAAE;AACrD,KAAC,CAAE,SAAS,YAAaF,uCAAyB,KAAK,IAAI,KAAK,GAAG;AACnE,aAAS,KAAK;;;AAIlB,MAAI,KAAK,WAAW,GAAG;AACrB,OAAI,KAAK,cAAc,SAAS;AAC9B,KAAC,CAAE,SAAS,YAAaA,uCAAyB,KAAK,IAAI,OAAU;AACrE,aAAS,KAAK;;AAGhB,OAAI,MAAM,QAAQ,KAAK,GAAG,EAAE;AAC1B,cAAU,IAAIF,0CAAwB;AACtC,eAAW,IAAIC,2CAAyB;AAExC,aAAS,KAAK;AACd,cAAU,KAAK;;;AAInB,MAAI,KAAK,WAAW,GAAG;AACrB,aAAU,IAAID,0CAAwB;AACtC,cAAW,IAAIC,2CAAyB;AAExC,YAAS,KAAK;;AAGhB,MACE,CAAC,MAAM,QAAQ,OAAO,IACtB,CAACI,iCAAmB,QAAQ,IAC5B,CAACC,kCAAoB,SAAS,IAC7B,WAAW,OAAO,YAAY,SAE/B,OAAM,IAAIC,mDACR,+CACD;AAWH,SARe,MAAM,KAAK,WAAW,cACnC,SACA,UACA,2DACA,QAAS,gBAAe,QAAQ,IAAI,+EACpC,QAAS,SACV;;;;;;;CAUH,MAAa,iBACX,SACe;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,iHACD;;EAGH,MAAM,cAAc,IAAI,IAAI,GAAG,SAAS,OAAO,SAAS;AAExD,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,WAAW,QAAQ,OAAO,UAAU,CAAC;AAGpE,wDAAI,QAAS,kBACX,aAAY,aAAa,IACvB,sBACA,QAAQ,kBACT;AAGH,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,SAAS,QAAQ,OAAO;AAGvD,wDAAI,QAAS,SACX,aAAY,aAAa,IAAI,YAAY,QAAQ,SAAS;AAG5D,wDAAI,QAAS,QACX,aAAY,aAAa,IAAI,WAAW,QAAQ,QAAQ;AAG1D,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,MAAI,MAAM,0DAAQ,QAAS,UAAU,CACnC,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU,KAAK,IAAI,CAAC;AAGzE,wDAAI,QAAS,UACX,aAAY,aAAa,IAAI,cAAc,QAAQ,UAAU;AAG/D,wDAAI,QAAS,OACX,aAAY,aAAa,IAAI,UAAU,QAAQ,OAAO;EAIxD,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,YAAY,UAAU,CAAC;;;;;;;CAQlC,MAAa,kBACX,SACe;;EACf,MAAM,EAAE,QAAQ,WAAW,KAAK,WAAW,YAAY;AAEvD,MAAI;GAEF,MAAM,EAAE,YAAY,MAAM,OAAO;AAEjC,SAAM,SAAS;UACT;AACN,SAAM,IAAI,MACR,kHACD;;EAGH,MAAM,eAAe,IAAI,IAAI,GAAG,SAAS,OAAO,UAAU;AAE1D,yEAAI,QAAS,qGAAuB,MAAM,CAAC,OACzC,cAAa,aAAa,IACxB,mBACA,QAAQ,sBACT;AAGH,MAAI,0DAAO,QAAS,eAAc,UAChC,cAAa,aAAa,IAAI,aAAa,QAAQ,UAAU,UAAU,CAAC;EAI1E,MAAM,EAAE,aAAa,MAAM,OAAO;AAElC,WAAS,aAAa,UAAU,CAAC;;CAGnC,AAAQ,aAA+B;AACrC,SAAO,KAAK,WAAW,YAAY;;CAGrC,AAAQ,6BAAmC;AACzC,SAAO,KAAK,QAAQ,IAAI,CACrB,QAAO,QAAO,IAAI,WAAW,6BAA6B,CAAC,CAC3D,SAAQ,cAAa;GACpB,MAAM,GAAG,cAAc,UAAU,MAAM,eAAe;AACtD,WAAQ,IAAI,cAAc,QAAQ,IAAI;IACtC"}

package/dist/monocloud-next-client.d.mts

@@ -0,0 +1,330 @@
+import { AppRouterApiHandlerFn, AppRouterPageHandler, IsUserInGroupOptions, MonoCloudAuthHandler, MonoCloudAuthOptions, MonoCloudMiddlewareOptions, NextMiddlewareResult, ProtectApiAppOptions, ProtectApiPageOptions, ProtectAppPageOptions, ProtectOptions, ProtectPagePageOptions, ProtectPagePageReturnType, ProtectedAppServerComponent, RedirectToSignInOptions, RedirectToSignOutOptions } from "./types.mjs";
+import { GetSessionOptions, GetTokensOptions, MonoCloudCoreClient, MonoCloudOptions, MonoCloudSession, MonoCloudTokens } from "@monocloud/auth-node-core";
+import { NextFetchEvent, NextMiddleware, NextProxy, NextRequest, NextResponse } from "next/server.js";
+import { NextApiHandler, NextApiRequest, NextApiResponse } from "next/types";
+import { ParsedUrlQuery } from "node:querystring";
+import { MonoCloudOidcClient } from "@monocloud/auth-core";
+import { IncomingMessage, ServerResponse } from "node:http";
+
+//#region src/monocloud-next-client.d.ts
+/**
+ * `MonoCloudNextClient` is the core SDK entry point for integrating MonoCloud authentication into a Next.js application.
+ *
+ * It provides:
+ * - Authentication middleware
+ * - Route protection helpers
+ * - Session and token access
+ * - Redirect utilities
+ * - Server-side enforcement helpers
+ *
+ * ## 1. Add environment variables
+ *
+ * ```bash:.env.local
+ * MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>
+ * MONOCLOUD_AUTH_CLIENT_ID=<client-id>
+ * MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>
+ * MONOCLOUD_AUTH_SCOPES=openid profile email
+ * MONOCLOUD_AUTH_APP_URL=http://localhost:3000
+ * MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>
+ * ```
+ *
+ * ## 2. Register middleware
+ *
+ * ```typescript:src/proxy.ts
+ * import { authMiddleware } from "@monocloud/auth-nextjs";
+ *
+ * export default authMiddleware();
+ *
+ * export const config = {
+ *   matcher: [
+ *     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+ *   ],
+ * };
+ * ```
+ *
+ * ## Advanced usage
+ *
+ * ### Create a shared client instance
+ *
+ * By default, the SDK exposes function exports (for example, `authMiddleware()`, `getSession()`, `getTokens()`) that internally use a shared singleton `MonoCloudNextClient`.
+ *
+ * Create your own `MonoCloudNextClient` instance when you need multiple configurations, dependency injection, or explicit control over initialization.
+ *
+ * ```ts:src/monocloud.ts
+ * import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+ *
+ * export const monoCloud = new MonoCloudNextClient();
+ * ```
+ *
+ * ### Using instance methods
+ *
+ * Once you create a client instance, call methods directly on it instead of using the default function exports.
+ *
+ * ```ts:src/app/page.tsx
+ * import { monoCloud } from "@/monocloud";
+ *
+ * export default async function Page() {
+ *   const session = await monoCloud.getSession();
+ *
+ *   if (!session) {
+ *     return <>Not signed in</>;
+ *   }
+ *
+ *   return <>Hello {session.user.name}</>;
+ * }
+ * ```
+ *
+ * #### Using constructor options
+ *
+ * When configuration is provided through both constructor options and environment variables, the values passed to the constructor take precedence. Environment variables are used only for options that are not explicitly supplied.
+ *
+ * ```ts:src/monocloud.ts
+ * import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+ *
+ * export const monoCloud = new MonoCloudNextClient({
+ *   tenantDomain: "<tenant-domain>",
+ *   clientId: "<client-id>",
+ *   clientSecret: "<client-secret>",
+ *   appUrl: "http://localhost:3000",
+ *   cookieSecret: "<cookie-secret>",
+ *   defaultAuthParams: {
+ *     scopes: "openid profile email",
+ *   },
+ * });
+ * ```
+ *
+ * ### Modifying default routes
+ *
+ * If you customize any of the default auth route paths:
+ *
+ * - Also set the corresponding `NEXT_PUBLIC_` environment variables so client-side helpers
+ *   (for example `<SignIn />`, `<SignOut />`, and `useAuth()`) can discover the correct URLs.
+ * - Update the **Application URLs** in your MonoCloud Dashboard to match the new paths.
+ *
+ * Example:
+ *
+ * ```bash:.env.local
+ * MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+ * NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+ * ```
+ *
+ * When routes are overridden, the Redirect URI configured in the dashboard
+ * must reflect the new path. For example, during local development:
+ *
+ * `http://localhost:3000/api/custom_callback`
+ *
+ * @category Classes
+ */
+declare class MonoCloudNextClient {
+  private readonly _coreClient;
+  /**
+   * This exposes the framework-agnostic MonoCloud client used internally by the Next.js SDK.
+   * Use it if you need access to lower-level functionality not directly exposed by MonoCloudNextClient.
+   *
+   * @returns Returns the underlying **Node client** instance.
+   */
+  get coreClient(): MonoCloudCoreClient;
+  /**
+   * This is intended for advanced scenarios requiring direct control over the authorization or token flow.
+   *
+   * @returns Returns the underlying **OIDC client** used for OpenID Connect operations.
+   */
+  get oidcClient(): MonoCloudOidcClient;
+  /**
+   * Creates a new client instance.
+   *
+   * @param options Optional configuration for initializing the MonoCloud client. If not provided, settings are automatically resolved from environment variables.
+   */
+  constructor(options?: MonoCloudOptions);
+  /**
+   * @see {@link monoCloudAuth} for full docs and examples.
+   * @param options Optional configuration for the auth handler.
+   * @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.
+   */
+  monoCloudAuth(options?: MonoCloudAuthOptions): MonoCloudAuthHandler;
+  /**
+   * @see {@link protectPage} for full docs and examples.
+   * @param component The App Router server component to protect.
+   * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).
+   * @returns A wrapped page component that enforces authentication before rendering.
+   */
+  protectPage(component: ProtectedAppServerComponent, options?: ProtectAppPageOptions): AppRouterPageHandler;
+  /**
+   * @see {@link protectPage} for full docs and examples.
+   * @param options Optional configuration for authentication, authorization, and custom access handling (`onAccessDenied`, `onGroupAccessDenied`).
+   * @typeParam P - Props returned from `getServerSideProps`.
+   * @typeParam Q - Query parameters parsed from the URL.
+   * @returns A getServerSideProps wrapper that enforces authentication before executing the page logic.
+   */
+  protectPage<P extends Record<string, any> = Record<string, any>, Q extends ParsedUrlQuery = ParsedUrlQuery>(options?: ProtectPagePageOptions<P, Q>): ProtectPagePageReturnType<P, Q>;
+  private protectAppPage;
+  private protectPagePage;
+  /**
+   * @see {@link protectApi} for full docs and examples.
+   * @param handler The route handler to protect.
+   * @param options Optional configuration controlling authentication and authorization behavior.
+   * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.
+   */
+  protectApi(handler: AppRouterApiHandlerFn, options?: ProtectApiAppOptions): AppRouterApiHandlerFn;
+  /**
+   * @see {@link protectApi} for full docs and examples.
+   * @param handler - The route handler to protect.
+   * @param options Optional configuration controlling authentication and authorization behavior.
+   * @returns Returns a wrapped handler that enforces authentication (and optional authorization) before invoking the original handler.
+   */
+  protectApi(handler: NextApiHandler, options?: ProtectApiPageOptions): NextApiHandler;
+  private protectAppApi;
+  private protectPageApi;
+  /**
+   * @see {@link authMiddleware} for full docs and examples.
+   * @param options Optional configuration that controls how authentication is enforced (for example, redirect behavior, route matching, or custom handling of unauthenticated requests).
+   * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).
+   */
+  authMiddleware(options?: MonoCloudMiddlewareOptions): NextMiddleware | NextProxy;
+  /**
+   * @see {@link authMiddleware} for full docs and examples.
+   * @param request Incoming Next.js middleware request used to resolve authentication state.
+   * @param event Next.js middleware event providing lifecycle hooks such as `waitUntil`.
+   * @returns Returns a Next.js middleware result (`NextResponse`, redirect, or `undefined` to continue processing).
+   */
+  authMiddleware(request: NextRequest, event: NextFetchEvent): Promise<NextMiddlewareResult> | NextMiddlewareResult;
+  private authMiddlewareHandler;
+  private handleAuthRoutes;
+  /**
+   * @see {@link getSession} for full docs and examples.
+   * @param options Optional configuration controlling session retrieval behavior.
+   * @returns Returns the resolved session, or `undefined` if none exists.
+   */
+  getSession(options?: GetSessionOptions): Promise<MonoCloudSession | undefined>;
+  /**
+   * @see {@link getSession} for full docs and examples.
+   * @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.
+   * @param options Optional configuration controlling session retrieval behavior.
+   * @returns Returns the resolved session, or `undefined` if none exists.
+   */
+  getSession(req: NextRequest | Request, options?: GetSessionOptions): Promise<MonoCloudSession | undefined>;
+  /**
+   * @see {@link getSession} for full docs and examples.
+   * @param req Incoming request used to read authentication cookies and headers to resolve the current user's session.
+   * @param res Optional response to update if session resolution requires refreshed authentication cookies or headers.
+   * @param options Optional configuration controlling session retrieval behavior.
+   * @returns Returns the resolved session, or `undefined` if none exists.
+   */
+  getSession(req: NextRequest | Request, res: NextResponse | Response, options?: GetSessionOptions): Promise<MonoCloudSession | undefined>;
+  /**
+   * @see {@link getSession} for full docs and examples.
+   * @param req Incoming Node.js request used to read authentication cookies and resolve the current user's session.
+   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.
+   * @param options Optional configuration controlling session retrieval behavior.
+   * @returns Returns the resolved session, or `undefined` if none exists.
+   */
+  getSession(req: NextApiRequest | IncomingMessage, res: NextApiResponse | ServerResponse<IncomingMessage>, options?: GetSessionOptions): Promise<MonoCloudSession | undefined>;
+  /**
+   * @see {@link getTokens} for full docs and examples.
+   * @param options Optional configuration controlling refresh behavior and resource/scope selection.
+   * @returns The current user's tokens, refreshed if necessary.
+   * @throws {@link MonoCloudValidationError} If no valid session exists.
+   */
+  getTokens(options?: GetTokensOptions): Promise<MonoCloudTokens>;
+  /**
+   * @see {@link getTokens} for full docs and examples.
+   * @param req Incoming request used to resolve authentication from cookies and headers.
+   * @param options Optional configuration controlling refresh behavior and resource/scope selection.
+   * @returns The current user's tokens, refreshed if necessary.
+   * @throws {@link MonoCloudValidationError} If no valid session exists.
+   */
+  getTokens(req: NextRequest | Request, options?: GetTokensOptions): Promise<MonoCloudTokens>;
+  /**
+   * @see {@link getTokens} for full docs and examples.
+   * @param req Incoming request used to resolve authentication from cookies and headers.
+   * @param res Existing response to update with refreshed authentication cookies or headers.
+   * @param options Optional configuration controlling refresh behavior and resource/scope selection.
+   * @returns The current user's tokens, refreshed if necessary.
+   * @throws {@link MonoCloudValidationError} If no valid session exists.
+   */
+  getTokens(req: NextRequest | Request, res: NextResponse | Response, options?: GetTokensOptions): Promise<MonoCloudTokens>;
+  /**
+   * @see {@link getTokens} for full docs and examples.
+   * @param req Incoming Node.js request used to resolve authentication from cookies.
+   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.
+   * @param options Optional configuration controlling refresh behavior and resource/scope selection.
+   * @returns The current user's tokens, refreshed if necessary.
+   * @throws {@link MonoCloudValidationError} If no valid session exists.
+   */
+  getTokens(req: NextApiRequest | IncomingMessage, res: NextApiResponse | ServerResponse<IncomingMessage>, options?: GetTokensOptions): Promise<MonoCloudTokens>;
+  /**
+   * @see {@link isAuthenticated} for full docs and examples.
+   * @returns Returns `true` if a valid session exists; otherwise `false`.
+   */
+  isAuthenticated(): Promise<boolean>;
+  /**
+   * @see {@link isAuthenticated} for full docs and examples.
+   * @param req Incoming request used to resolve authentication from cookies and headers.
+   * @param res Optional response to update if refreshed authentication cookies or headers are required.
+   * @returns Returns `true` if a valid session exists; otherwise `false`.
+   */
+  isAuthenticated(req: NextRequest | Request, res?: NextResponse | Response): Promise<boolean>;
+  /**
+   * @see {@link isAuthenticated} for full docs and examples.
+   * @param req Incoming Node.js request used to resolve authentication from cookies.
+   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.
+   * @returns Returns `true` if a valid session exists; otherwise `false`.
+   */
+  isAuthenticated(req: NextApiRequest | IncomingMessage, res: NextApiResponse | ServerResponse<IncomingMessage>): Promise<boolean>;
+  /**
+   * @see {@link protect} for full docs and examples.
+   * @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).
+   * @returns Resolves if the user is authenticated; otherwise triggers a redirect.
+   */
+  protect(options?: ProtectOptions): Promise<void>;
+  /**
+   * @see {@link isUserInGroup} for full docs and examples.
+   * @param groups Group IDs or names to check against the user's group memberships.
+   * @param options Optional configuration controlling how group membership is evaluated.
+   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.
+   */
+  isUserInGroup(groups: string[], options?: IsUserInGroupOptions): Promise<boolean>;
+  /**
+   * @see {@link isUserInGroup} for full docs and examples.
+   * @param req Incoming request used to resolve authentication from cookies and headers.
+   * @param groups Group IDs or names to check against the user's group memberships.
+   * @param options Optional configuration controlling how group membership is evaluated.
+   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.
+   */
+  isUserInGroup(req: NextRequest | Request, groups: string[], options?: IsUserInGroupOptions): Promise<boolean>;
+  /**
+   * @see {@link isUserInGroup} for full docs and examples.
+   * @param req Incoming request used to resolve authentication from cookies and headers.
+   * @param res Existing response to update with refreshed authentication cookies or headers when required.
+   * @param groups Group IDs or names to check against the user's group memberships.
+   * @param options Optional configuration controlling how group membership is evaluated.
+   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.
+   */
+  isUserInGroup(req: NextRequest | Request, res: NextResponse | Response, groups: string[], options?: IsUserInGroupOptions): Promise<boolean>;
+  /**
+   * @see {@link isUserInGroup} for full docs and examples.
+   * @param req Incoming Node.js request used to resolve authentication from cookies.
+   * @param res Outgoing Node.js response used to apply refreshed authentication cookies when required.
+   * @param groups Group IDs or names to check against the user's group memberships.
+   * @param options Optional configuration controlling how group membership is evaluated.
+   * @returns Returns `true` if the user belongs to at least one specified group; otherwise `false`.
+   */
+  isUserInGroup(req: NextApiRequest | IncomingMessage, res: NextApiResponse | ServerResponse<IncomingMessage>, groups: string[], options?: IsUserInGroupOptions): Promise<boolean>;
+  /**
+   * @see {@link redirectToSignIn} for full docs and examples.
+   * @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.
+   * @returns Never resolves. Triggers a redirect to the sign-in flow.
+   */
+  redirectToSignIn(options?: RedirectToSignInOptions): Promise<void>;
+  /**
+   * @see {@link redirectToSignOut} for full docs and examples.
+   * @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.
+   * @returns Never resolves. Triggers a redirect to the sign-out flow.
+   */
+  redirectToSignOut(options?: RedirectToSignOutOptions): Promise<void>;
+  private getOptions;
+  private registerPublicEnvVariables;
+}
+//#endregion
+export { MonoCloudNextClient };
+//# sourceMappingURL=monocloud-next-client.d.mts.map