@neondatabase/auth 0.1.0-beta.15 → 0.1.0-beta.17

package/README.md

@@ -242,6 +242,7 @@ For Next.js projects, this package provides built-in integration via `@neondatab
 - Importing styles (with or without Tailwind CSS)
 - Accessing session data with `neonAuth()` in server components
 - Using `authClient.useSession()` hook in client components
+- Server-side auth operations with `createAuthServer()` from `@neondatabase/auth/next/server`
 
 ## CSS for UI Components
 

package/dist/{adapter-core-ChIlSbGg.mjs → adapter-core-BQ6ga1zK.mjs}

@@ -1,3 +1,4 @@
+import { a as NEON_AUTH_POPUP_CALLBACK_ROUTE, c as OAUTH_POPUP_MESSAGE_TYPE, i as NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, l as SESSION_CACHE_TTL_MS, o as NEON_AUTH_POPUP_PARAM_NAME, s as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, t as CLOCK_SKEW_BUFFER_MS } from "./constants-2bpp2_-f.mjs";
 import { getGlobalBroadcastChannel } from "better-auth/client";
 import { adminClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
 import z from "zod";
@@ -100,33 +101,6 @@ var InFlightRequestManager = class {
 	}
 };
 
-//#endregion
-//#region src/core/constants.ts
-/**
-* Session caching configuration constants
-*
-* Uses industry-standard 60s cache TTL (common across auth providers).
-*
-* Note: Token refresh detection is now automatic via Better Auth's
-* fetchOptions.onSuccess callback. No polling is needed.
-*/
-/** Session cache TTL in milliseconds (60 seconds) */
-const SESSION_CACHE_TTL_MS = 6e4;
-/** Clock skew buffer for token expiration checks in milliseconds (10 seconds) */
-const CLOCK_SKEW_BUFFER_MS = 1e4;
-/** Default session expiry duration in milliseconds (1 hour) */
-const DEFAULT_SESSION_EXPIRY_MS = 36e5;
-/** Name of the session verifier parameter in the URL, used for the OAUTH flow */
-const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
-/** Name of the popup marker parameter in the URL, used for OAuth popup flow in iframes */
-const NEON_AUTH_POPUP_PARAM_NAME = "neon_popup";
-/** Name of the original callback URL parameter, used in OAuth popup flow */
-const NEON_AUTH_POPUP_CALLBACK_PARAM_NAME = "neon_popup_callback";
-/** The callback route used for OAuth popup completion (must be in middleware SKIP_ROUTES) */
-const NEON_AUTH_POPUP_CALLBACK_ROUTE = "/auth/callback";
-/** Message type for OAuth popup completion postMessage */
-const OAUTH_POPUP_MESSAGE_TYPE = "neon-auth:oauth-complete";
-
 //#endregion
 //#region src/utils/jwt.ts
 /**
@@ -740,4 +714,4 @@ var NeonAuthAdapterCore = class {
 };
 
 //#endregion
-export { DEFAULT_SESSION_EXPIRY_MS as a, CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, NEON_AUTH_SESSION_VERIFIER_PARAM_NAME as o, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };
+export { CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };

package/dist/{better-auth-react-adapter-C3_WRaIy.mjs → better-auth-react-adapter-BLKXYcWM.mjs}

@@ -1,4 +1,4 @@
-import { t as NeonAuthAdapterCore } from "./adapter-core-ChIlSbGg.mjs";
+import { t as NeonAuthAdapterCore } from "./adapter-core-BQ6ga1zK.mjs";
 import { createAuthClient } from "better-auth/react";
 
 //#region src/adapters/better-auth-react/better-auth-react-adapter.ts

package/dist/{better-auth-react-adapter-AucJqubr.d.mts → better-auth-react-adapter-BWH-XVdf.d.mts}

@@ -1,4 +1,4 @@
-import { n as NeonAuthAdapterCoreAuthOptions, t as NeonAuthAdapterCore } from "./adapter-core-CtcS7ex8.mjs";
+import { n as NeonAuthAdapterCoreAuthOptions, t as NeonAuthAdapterCore } from "./adapter-core-Sx7jkLdB.mjs";
 import * as better_auth_client11 from "better-auth/client";
 import * as better_auth_client_plugins5 from "better-auth/client/plugins";
 import * as jose0 from "jose";

package/dist/constants-2bpp2_-f.mjs

@@ -0,0 +1,30 @@
+//#region src/core/constants.ts
+/**
+* Session caching configuration constants
+*
+* Uses industry-standard 60s cache TTL (common across auth providers).
+*
+* Note: Token refresh detection is now automatic via Better Auth's
+* fetchOptions.onSuccess callback. No polling is needed.
+*/
+/** Session cache TTL in milliseconds (60 seconds) */
+const SESSION_CACHE_TTL_MS = 6e4;
+/** Clock skew buffer for token expiration checks in milliseconds (10 seconds) */
+const CLOCK_SKEW_BUFFER_MS = 1e4;
+/** Default session expiry duration in milliseconds (1 hour) */
+const DEFAULT_SESSION_EXPIRY_MS = 36e5;
+/** Name of the session verifier parameter in the URL, used for the OAUTH flow */
+const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
+/** Name of the popup marker parameter in the URL, used for OAuth popup flow in iframes */
+const NEON_AUTH_POPUP_PARAM_NAME = "neon_popup";
+/** Name of the original callback URL parameter, used in OAuth popup flow */
+const NEON_AUTH_POPUP_CALLBACK_PARAM_NAME = "neon_popup_callback";
+/** The callback route used for OAuth popup completion (must be in middleware SKIP_ROUTES) */
+const NEON_AUTH_POPUP_CALLBACK_ROUTE = "/auth/callback";
+/** Message type for OAuth popup completion postMessage */
+const OAUTH_POPUP_MESSAGE_TYPE = "neon-auth:oauth-complete";
+/** Prefix for all Neon Auth cookies */
+const NEON_AUTH_COOKIE_PREFIX = "__Secure-neon-auth";
+
+//#endregion
+export { NEON_AUTH_POPUP_CALLBACK_ROUTE as a, OAUTH_POPUP_MESSAGE_TYPE as c, NEON_AUTH_POPUP_CALLBACK_PARAM_NAME as i, SESSION_CACHE_TTL_MS as l, DEFAULT_SESSION_EXPIRY_MS as n, NEON_AUTH_POPUP_PARAM_NAME as o, NEON_AUTH_COOKIE_PREFIX as r, NEON_AUTH_SESSION_VERIFIER_PARAM_NAME as s, CLOCK_SKEW_BUFFER_MS as t };

package/dist/index-B4dy0AqC.d.mts

@@ -0,0 +1,49 @@
+import { n as BetterAuthSession, r as BetterAuthUser } from "./better-auth-types-Kq3kGuiz.mjs";
+import { NextRequest, NextResponse } from "next/server";
+
+//#region src/next/auth/session.d.ts
+type SessionData = {
+  session: BetterAuthSession;
+  user: BetterAuthUser;
+} | {
+  session: null;
+  user: null;
+};
+/**
+ * A utility function to be used in react server components fetch the session details from the Neon Auth API, if session token is available in cookie.
+ *
+ * @returns - `{ session: Session, user: User }` | `{ session: null, user: null}`.
+ *
+ * @example
+ * ```ts
+ * import { neonAuth } from "@neondatabase/auth/next"
+ *
+ * const { session, user } = await neonAuth()
+ * ```
+ */
+declare const neonAuth: () => Promise<SessionData>;
+//#endregion
+//#region src/next/middleware/index.d.ts
+type NeonAuthMiddlewareOptions = {
+  loginUrl?: string;
+};
+/**
+ * A Next.js middleware to protect routes from unauthenticated requests and refresh the session if required.
+ *
+ * @param loginUrl - The URL to redirect to when the user is not authenticated.
+ * @returns A middleware function that can be used in the Next.js app.
+ *
+ * @example
+ * ```ts
+ * import { neonAuthMiddleware } from "@neondatabase/auth/next"
+ *
+ * export default neonAuthMiddleware({
+ *   loginUrl: '/auth/sign-in',
+ * });
+ * ```
+ */
+declare function neonAuthMiddleware({
+  loginUrl
+}: NeonAuthMiddlewareOptions): (request: NextRequest) => Promise<NextResponse<unknown>>;
+//#endregion
+export { SessionData as n, neonAuth as r, neonAuthMiddleware as t };

package/dist/index.d.mts

@@ -1,106 +1,6 @@
-import "./better-auth-types-VqadyqlG.mjs";
-import { r as SupportedBetterAuthClientPlugins } from "./adapter-core-CtcS7ex8.mjs";
-import { r as BetterAuthReactAdapterInstance } from "./better-auth-react-adapter-AucJqubr.mjs";
-import { r as SupabaseAuthAdapterInstance, s as BetterAuthVanillaAdapterInstance } from "./supabase-adapter-Bbn88gZj.mjs";
-import { createAuthClient as createAuthClient$1 } from "better-auth/react";
-import { createAuthClient as createAuthClient$2 } from "better-auth/client";
-
-//#region src/neon-auth.d.ts
-
-/**
- * Type representing the Better Auth React client
- */
-type ReactBetterAuthClient = ReturnType<typeof createAuthClient$1<{
-  plugins: SupportedBetterAuthClientPlugins;
-}>>;
-/**`
- * Type representing the Better Auth Vanilla client
- */
-type VanillaBetterAuthClient = ReturnType<typeof createAuthClient$2<{
-  plugins: SupportedBetterAuthClientPlugins;
-}>>;
-/**
- * Union type of all supported auth adapter instances
- */
-type NeonAuthAdapter = BetterAuthVanillaAdapterInstance | BetterAuthReactAdapterInstance | SupabaseAuthAdapterInstance;
-/**
- * Configuration for createAuthClient
- */
-interface NeonAuthConfig<T extends NeonAuthAdapter> {
-  /** The adapter builder to use. Defaults to BetterAuthVanillaAdapter() if not specified. */
-  adapter?: (url: string) => T;
-  /**
-   * When true, automatically uses an anonymous token when no user session exists.
-   * This enables RLS-based data access for users with the anonymous role.
-   * @default false
-   */
-  allowAnonymous?: boolean;
-}
-/**
- * Resolves the public API type for an adapter.
- * - SupabaseAuthAdapter: exposes its own methods directly (Supabase-compatible API)
- * - BetterAuth adapters: expose the Better Auth client directly
- */
-type NeonAuthPublicApi<T extends NeonAuthAdapter> = T extends BetterAuthVanillaAdapterInstance ? VanillaBetterAuthClient : T extends BetterAuthReactAdapterInstance ? ReactBetterAuthClient : T;
-/**
- * NeonAuth type - combines base functionality with the appropriate public API
- * This is the return type of createAuthClient()
- *
- * For SupabaseAuthAdapter: exposes Supabase-compatible methods (signInWithPassword, getSession, etc.)
- * For BetterAuth adapters: exposes the Better Auth client directly (signIn.email, signUp.email, etc.)
- */
-type NeonAuth<T extends NeonAuthAdapter> = {
-  adapter: NeonAuthPublicApi<T>;
-  getJWTToken: () => Promise<string | null>;
-};
-/**
- * Create a NeonAuth instance that exposes the appropriate API based on the adapter.
- *
- * @param url - The auth service URL (e.g., 'https://auth.example.com')
- * @param config - Configuration with adapter builder
- * @returns NeonAuth instance with the adapter's API exposed directly
- *
- * @example SupabaseAuthAdapter - Supabase-compatible API
- * ```typescript
- * import { createAuthClient, SupabaseAuthAdapter } from '@neondatabase/auth';
- *
- * const auth = createAuthClient('https://auth.example.com', {
- *   adapter: SupabaseAuthAdapter(),
- * });
- *
- * // Supabase-compatible methods
- * await auth.signInWithPassword({ email, password });
- * await auth.getSession();
- * ```
- *
- * @example BetterAuthVanillaAdapter - Direct Better Auth API
- * ```typescript
- * import { createAuthClient, BetterAuthVanillaAdapter } from '@neondatabase/auth';
- *
- * const auth = createAuthClient('https://auth.example.com', {
- *   adapter: BetterAuthVanillaAdapter(),
- * });
- *
- * // Direct Better Auth API access
- * await auth.signIn.email({ email, password });
- * await auth.signUp.email({ email, password, name: 'John' });
- * await auth.getSession();
- * ```
- *
- * @example BetterAuthReactAdapter - Better Auth with React hooks
- * ```typescript
- * import { createAuthClient, BetterAuthReactAdapter } from '@neondatabase/auth';
- *
- * const auth = createAuthClient('https://auth.example.com', {
- *   adapter: BetterAuthReactAdapter(),
- * });
- *
- * // Direct Better Auth API with React hooks
- * await auth.signIn.email({ email, password });
- * const session = auth.useSession(); // React hook
- * ```
- */
-declare function createInternalNeonAuth<T extends NeonAuthAdapter = BetterAuthVanillaAdapterInstance>(url: string, config?: NeonAuthConfig<T>): NeonAuth<T>;
-declare function createAuthClient<T extends NeonAuthAdapter = BetterAuthVanillaAdapterInstance>(url: string, config?: NeonAuthConfig<T>): NeonAuthPublicApi<T>;
-//#endregion
+import "./better-auth-types-Kq3kGuiz.mjs";
+import "./adapter-core-Sx7jkLdB.mjs";
+import "./better-auth-react-adapter-BWH-XVdf.mjs";
+import "./supabase-adapter-k8RBezY9.mjs";
+import { a as ReactBetterAuthClient, c as createInternalNeonAuth, i as NeonAuthPublicApi, n as NeonAuthAdapter, o as VanillaBetterAuthClient, r as NeonAuthConfig, s as createAuthClient, t as NeonAuth } from "./neon-auth-DDPaciiS.mjs";
 export { type NeonAuth, type NeonAuthAdapter, type NeonAuthConfig, type NeonAuthPublicApi, type ReactBetterAuthClient, type VanillaBetterAuthClient, createAuthClient, createInternalNeonAuth };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import "./adapter-core-ChIlSbGg.mjs";
-import { n as createInternalNeonAuth, t as createAuthClient } from "./neon-auth-sSiNq4zM.mjs";
+import "./adapter-core-BQ6ga1zK.mjs";
+import { n as createInternalNeonAuth, t as createAuthClient } from "./neon-auth-ClDZNB9a.mjs";
 
 export { createAuthClient, createInternalNeonAuth };

package/dist/middleware-DPLYghmx.mjs

@@ -0,0 +1,303 @@
+import { r as NEON_AUTH_COOKIE_PREFIX, s as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME } from "./constants-2bpp2_-f.mjs";
+import { parseCookies, parseSetCookieHeader } from "better-auth/cookies";
+import { NextRequest, NextResponse } from "next/server";
+import { cookies, headers } from "next/headers";
+
+//#region src/next/errors.ts
+const ERRORS = { MISSING_AUTH_BASE_URL: "Missing environment variable: NEON_AUTH_BASE_URL. \n You must provide the auth url of your Neon Auth instance in environment variables" };
+
+//#endregion
+//#region src/utils/cookies.ts
+/**
+* Extract the Neon Auth cookies from the request headers.
+* Only returns cookies that start with the NEON_AUTH_COOKIE_PREFIX.
+*
+* @param headers - The request headers or cookie header string.
+* @returns The cookie string with all Neon Auth cookies (e.g., "name=value; name2=value2").
+*/
+const extractNeonAuthCookies = (headers$1) => {
+	const cookieHeader = typeof headers$1 === "string" ? headers$1 : headers$1.get("cookie");
+	if (!cookieHeader) return "";
+	const parsedCookies = parseCookies(cookieHeader);
+	const result = [];
+	for (const [name, value] of parsedCookies.entries()) if (name.startsWith(NEON_AUTH_COOKIE_PREFIX)) result.push(`${name}=${value}`);
+	return result.join("; ");
+};
+/**
+* Parses the `set-cookie` header from Neon Auth response into a list of cookies.
+*
+* @param setCookieHeader - The `set-cookie` header from Neon Auth response.
+* @returns The list of parsed cookies with their options.
+*/
+const parseSetCookies = (setCookieHeader) => {
+	const parsedCookies = parseSetCookieHeader(setCookieHeader);
+	const cookies$1 = [];
+	for (const entry of parsedCookies.entries()) {
+		const [name, parsedCookie] = entry;
+		cookies$1.push({
+			name,
+			value: decodeURIComponent(parsedCookie.value),
+			path: parsedCookie.path,
+			maxAge: parsedCookie["max-age"] ?? parsedCookie.maxAge,
+			httpOnly: parsedCookie.httponly ?? true,
+			secure: parsedCookie.secure ?? true,
+			sameSite: parsedCookie.samesite ?? "lax",
+			partitioned: parsedCookie.partitioned
+		});
+	}
+	return cookies$1;
+};
+
+//#endregion
+//#region src/next/constants.ts
+const NEON_AUTH_SESSION_COOKIE_NAME = `${NEON_AUTH_COOKIE_PREFIX}.session_token`;
+const NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME = `${NEON_AUTH_COOKIE_PREFIX}.session_challange`;
+const NEON_AUTH_HEADER_MIDDLEWARE_NAME = "X-Neon-Auth-Next-Middleware";
+
+//#endregion
+//#region src/next/handler/request.ts
+const PROXY_HEADERS = [
+	"user-agent",
+	"authorization",
+	"referer",
+	"content-type"
+];
+const handleAuthRequest = async (baseUrl, request, path) => {
+	const headers$1 = prepareRequestHeaders(request);
+	const body = await parseRequestBody(request);
+	try {
+		const upstreamURL = getUpstreamURL(baseUrl, path, { originalUrl: new URL(request.url) });
+		return await fetch(upstreamURL.toString(), {
+			method: request.method,
+			headers: headers$1,
+			body
+		});
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Internal Server Error";
+		console.error(`[AuthError] ${message}`, error);
+		return new Response(`[AuthError] ${message}`, { status: 500 });
+	}
+};
+const getUpstreamURL = (baseUrl, path, { originalUrl }) => {
+	const url = new URL(`${baseUrl}/${path}`);
+	if (originalUrl) {
+		url.search = originalUrl.search;
+		return url;
+	}
+	return url;
+};
+const prepareRequestHeaders = (request) => {
+	const headers$1 = new Headers();
+	for (const header of PROXY_HEADERS) if (request.headers.get(header)) headers$1.set(header, request.headers.get(header));
+	headers$1.set("Origin", getOrigin(request));
+	headers$1.set("Cookie", extractNeonAuthCookies(request.headers));
+	headers$1.set(NEON_AUTH_HEADER_MIDDLEWARE_NAME, "true");
+	return headers$1;
+};
+const getOrigin = (request) => {
+	return request.headers.get("origin") || request.headers.get("referer")?.split("/").slice(0, 3).join("/") || new URL(request.url).origin;
+};
+const parseRequestBody = async (request) => {
+	if (request.body) return request.text();
+};
+
+//#endregion
+//#region src/next/handler/response.ts
+const RESPONSE_HEADERS_ALLOWLIST = [
+	"content-type",
+	"content-length",
+	"content-encoding",
+	"transfer-encoding",
+	"connection",
+	"date",
+	"set-cookie",
+	"set-auth-jwt",
+	"set-auth-token",
+	"x-neon-ret-request-id"
+];
+const handleAuthResponse = async (response) => {
+	return new Response(response.body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers: prepareResponseHeaders(response)
+	});
+};
+const prepareResponseHeaders = (response) => {
+	const headers$1 = new Headers();
+	for (const header of RESPONSE_HEADERS_ALLOWLIST) {
+		const value = response.headers.get(header);
+		if (value) headers$1.set(header, value);
+	}
+	return headers$1;
+};
+
+//#endregion
+//#region src/next/handler/index.ts
+/**
+* 
+* An API route handler to handle the auth requests from the client and proxy them to the Neon Auth.
+* 
+* @returns A Next.js API handler functions those can be used in a Next.js route.
+*
+* @example
+* Mount the `authApiHandler` to an API route. Create a route file inside `/api/auth/[...all]/route.ts` directory. 
+*  And add the following code:
+* 
+* ```ts 
+* // app/api/auth/[...all]/route.ts
+* import { authApiHandler } from '@neondatabase/auth/next';
+* 
+* export const { GET, POST } = authApiHandler();
+* ```
+*/
+function authApiHandler() {
+	const baseURL = process.env.NEON_AUTH_BASE_URL;
+	if (!baseURL) throw new Error(ERRORS.MISSING_AUTH_BASE_URL);
+	const handler = async (request, { params }) => {
+		return await handleAuthResponse(await handleAuthRequest(baseURL, request, (await params).path.join("/")));
+	};
+	return {
+		GET: handler,
+		POST: handler,
+		PUT: handler,
+		DELETE: handler,
+		PATCH: handler
+	};
+}
+
+//#endregion
+//#region src/next/auth/cookies.ts
+/**
+* Extract the Neon Auth cookies from the response headers.
+* @deprecated Use parseSetCookies instead
+*/
+const extractResponseCookies = (headers$1) => {
+	const cookieHeader = headers$1.get("set-cookie");
+	if (!cookieHeader) return [];
+	return cookieHeader.split(", ").map((c) => c.trim());
+};
+
+//#endregion
+//#region src/next/middleware/oauth.ts
+const needsSessionVerification = (request) => {
+	const hasVerifier = request.nextUrl.searchParams.has(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+	const hasChallenge = request.cookies.get(NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME);
+	return hasVerifier && hasChallenge;
+};
+const exchangeOAuthToken = async (request, baseUrl) => {
+	const url = request.nextUrl;
+	const verifier = url.searchParams.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+	const challenge = request.cookies.get(NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME);
+	if (!verifier || !challenge) return null;
+	const response = await handleAuthResponse(await handleAuthRequest(baseUrl, new Request(request.url, {
+		method: "GET",
+		headers: request.headers
+	}), "get-session"));
+	if (response.ok) {
+		const headers$1 = new Headers();
+		const cookies$1 = extractResponseCookies(response.headers);
+		for (const cookie of cookies$1) headers$1.append("Set-Cookie", cookie);
+		url.searchParams.delete(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+		return NextResponse.redirect(url, { headers: headers$1 });
+	}
+	return null;
+};
+
+//#endregion
+//#region src/next/env-variables.ts
+const NEON_AUTH_BASE_URL = process.env.NEON_AUTH_BASE_URL;
+
+//#endregion
+//#region src/next/auth/session.ts
+/**
+* A utility function to be used in react server components fetch the session details from the Neon Auth API, if session token is available in cookie.
+*
+* @returns - `{ session: Session, user: User }` | `{ session: null, user: null}`.
+*
+* @example
+* ```ts
+* import { neonAuth } from "@neondatabase/auth/next"
+*
+* const { session, user } = await neonAuth()
+* ```
+*/
+const neonAuth = async () => {
+	return await fetchSession();
+};
+/**
+* A utility function to fetch the session details from the Neon Auth API, if session token is available in cookie.
+*
+* @returns - `{ session: Session, user: User }` | `{ session: null, user: null}`.
+*/
+const fetchSession = async () => {
+	const baseUrl = NEON_AUTH_BASE_URL;
+	const requestHeaders = await headers();
+	const upstreamURL = getUpstreamURL(baseUrl, "get-session", { originalUrl: new URL("get-session", baseUrl) });
+	const response = await fetch(upstreamURL.toString(), {
+		method: "GET",
+		headers: { Cookie: extractNeonAuthCookies(requestHeaders) }
+	});
+	const body = await response.json();
+	const cookieHeader = response.headers.get("set-cookie");
+	if (cookieHeader) {
+		const cookieStore = await cookies();
+		parseSetCookies(cookieHeader).map((cookie) => {
+			cookieStore.set(cookie.name, cookie.value, cookie);
+		});
+	}
+	if (!response.ok || body === null) return {
+		session: null,
+		user: null
+	};
+	return {
+		session: body.session,
+		user: body.user
+	};
+};
+
+//#endregion
+//#region src/next/middleware/index.ts
+const SKIP_ROUTES = [
+	"/api/auth",
+	"/auth/callback",
+	"/auth/sign-in",
+	"/auth/sign-up",
+	"/auth/magic-link",
+	"/auth/email-otp",
+	"/auth/forgot-password"
+];
+/**
+* A Next.js middleware to protect routes from unauthenticated requests and refresh the session if required.
+*
+* @param loginUrl - The URL to redirect to when the user is not authenticated.
+* @returns A middleware function that can be used in the Next.js app.
+*
+* @example
+* ```ts
+* import { neonAuthMiddleware } from "@neondatabase/auth/next"
+*
+* export default neonAuthMiddleware({
+*   loginUrl: '/auth/sign-in',
+* });
+* ```
+*/
+function neonAuthMiddleware({ loginUrl = "/auth/sign-in" }) {
+	const baseUrl = NEON_AUTH_BASE_URL;
+	if (!baseUrl) throw new Error(ERRORS.MISSING_AUTH_BASE_URL);
+	return async (request) => {
+		const { pathname } = request.nextUrl;
+		if (pathname.startsWith(loginUrl)) return NextResponse.next();
+		if (needsSessionVerification(request)) {
+			const response = await exchangeOAuthToken(request, baseUrl);
+			if (response !== null) return response;
+		}
+		if (SKIP_ROUTES.some((route) => pathname.startsWith(route))) return NextResponse.next();
+		if ((await fetchSession()).session === null) return NextResponse.redirect(new URL(loginUrl, request.url));
+		const reqHeaders = new Headers(request.headers);
+		reqHeaders.set(NEON_AUTH_HEADER_MIDDLEWARE_NAME, "true");
+		return NextResponse.next({ request: { headers: reqHeaders } });
+	};
+}
+
+//#endregion
+export { parseSetCookies as a, extractNeonAuthCookies as i, neonAuth as n, authApiHandler as r, neonAuthMiddleware as t };

package/dist/{neon-auth-sSiNq4zM.mjs → neon-auth-ClDZNB9a.mjs}

@@ -1,4 +1,4 @@
-import { n as BetterAuthVanillaAdapter } from "./supabase-adapter-DhlcXYb9.mjs";
+import { n as BetterAuthVanillaAdapter } from "./supabase-adapter-Bl576usk.mjs";
 
 //#region src/neon-auth.ts
 /**