@neondatabase/auth 0.1.0-beta.2 → 0.1.0-beta.21

package/dist/next/server/index.mjs

@@ -0,0 +1,731 @@
+import { r as NEON_AUTH_COOKIE_PREFIX, s as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME } from "../../constants-2bpp2_-f.mjs";
+import { parseCookies, parseSetCookieHeader } from "better-auth/cookies";
+import { cookies, headers } from "next/headers";
+import { NextRequest, NextResponse } from "next/server";
+
+//#region src/server/request-context.ts
+/**
+* Header name used to identify server-side proxy requests.
+* The value will be the framework name (e.g., 'nextjs', 'remix').
+*/
+const NEON_AUTH_SERVER_PROXY_HEADER = "x-neon-auth-proxy";
+
+//#endregion
+//#region src/server/endpoints.ts
+const API_ENDPOINTS = {
+	getSession: {
+		path: "get-session",
+		method: "GET"
+	},
+	getAccessToken: {
+		path: "get-access-token",
+		method: "GET"
+	},
+	listSessions: {
+		path: "list-sessions",
+		method: "GET"
+	},
+	revokeSession: {
+		path: "revoke-session",
+		method: "POST"
+	},
+	revokeSessions: {
+		path: "revoke-sessions",
+		method: "POST"
+	},
+	revokeOtherSessions: {
+		path: "revoke-all-sessions",
+		method: "POST"
+	},
+	refreshToken: {
+		path: "refresh-token",
+		method: "POST"
+	},
+	signIn: {
+		email: {
+			path: "sign-in/email",
+			method: "POST"
+		},
+		social: {
+			path: "sign-in/social",
+			method: "POST"
+		},
+		emailOtp: {
+			path: "sign-in/email-otp",
+			method: "POST"
+		}
+	},
+	signUp: { email: {
+		path: "sign-up/email",
+		method: "POST"
+	} },
+	signOut: {
+		path: "sign-out",
+		method: "POST"
+	},
+	listAccounts: {
+		path: "list-accounts",
+		method: "GET"
+	},
+	accountInfo: {
+		path: "account-info",
+		method: "GET"
+	},
+	updateUser: {
+		path: "update-user",
+		method: "POST"
+	},
+	deleteUser: {
+		path: "delete-user",
+		method: "POST"
+	},
+	changePassword: {
+		path: "change-password",
+		method: "POST"
+	},
+	sendVerificationEmail: {
+		path: "send-verification-email",
+		method: "POST"
+	},
+	verifyEmail: {
+		path: "verify-email",
+		method: "POST"
+	},
+	resetPassword: {
+		path: "reset-password",
+		method: "POST"
+	},
+	requestPasswordReset: {
+		path: "request-password-reset",
+		method: "POST"
+	},
+	token: {
+		path: "token",
+		method: "GET"
+	},
+	jwks: {
+		path: "jwt",
+		method: "GET"
+	},
+	getAnonymousToken: {
+		path: "token/anonymous",
+		method: "GET"
+	},
+	admin: {
+		createUser: {
+			path: "admin/create-user",
+			method: "POST"
+		},
+		listUsers: {
+			path: "admin/list-users",
+			method: "GET"
+		},
+		setRole: {
+			path: "admin/set-role",
+			method: "POST"
+		},
+		setUserPassword: {
+			path: "admin/set-user-password",
+			method: "POST"
+		},
+		updateUser: {
+			path: "admin/update-user",
+			method: "POST"
+		},
+		banUser: {
+			path: "admin/ban-user",
+			method: "POST"
+		},
+		unbanUser: {
+			path: "admin/unban-user",
+			method: "POST"
+		},
+		listUserSessions: {
+			path: "admin/list-user-sessions",
+			method: "GET"
+		},
+		revokeUserSession: {
+			path: "admin/revoke-user-session",
+			method: "POST"
+		},
+		revokeUserSessions: {
+			path: "admin/revoke-user-sessions",
+			method: "POST"
+		},
+		impersonateUser: {
+			path: "admin/impersonate-user",
+			method: "POST"
+		},
+		stopImpersonating: {
+			path: "admin/stop-impersonating",
+			method: "POST"
+		},
+		removeUser: {
+			path: "admin/remove-user",
+			method: "POST"
+		},
+		hasPermission: {
+			path: "admin/has-permission",
+			method: "POST"
+		}
+	},
+	organization: {
+		create: {
+			path: "organization/create",
+			method: "POST"
+		},
+		update: {
+			path: "organization/update",
+			method: "POST"
+		},
+		delete: {
+			path: "organization/delete",
+			method: "POST"
+		},
+		list: {
+			path: "organization/list",
+			method: "GET"
+		},
+		getFullOrganization: {
+			path: "organization/get-full-organization",
+			method: "GET"
+		},
+		setActive: {
+			path: "organization/set-active",
+			method: "POST"
+		},
+		checkSlug: {
+			path: "organization/check-slug",
+			method: "GET"
+		},
+		listMembers: {
+			path: "organization/list-members",
+			method: "GET"
+		},
+		removeMember: {
+			path: "organization/remove-member",
+			method: "POST"
+		},
+		updateMemberRole: {
+			path: "organization/update-member-role",
+			method: "POST"
+		},
+		leave: {
+			path: "organization/leave",
+			method: "POST"
+		},
+		getActiveMember: {
+			path: "organization/get-active-member",
+			method: "GET"
+		},
+		getActiveMemberRole: {
+			path: "organization/get-active-member-role",
+			method: "GET"
+		},
+		inviteMember: {
+			path: "organization/invite-member",
+			method: "POST"
+		},
+		acceptInvitation: {
+			path: "organization/accept-invitation",
+			method: "POST"
+		},
+		rejectInvitation: {
+			path: "organization/reject-invitation",
+			method: "POST"
+		},
+		cancelInvitation: {
+			path: "organization/cancel-invitation",
+			method: "POST"
+		},
+		getInvitation: {
+			path: "organization/get-invitation",
+			method: "GET"
+		},
+		listInvitations: {
+			path: "organization/list-invitations",
+			method: "GET"
+		},
+		listUserInvitations: {
+			path: "organization/list-user-invitations",
+			method: "GET"
+		},
+		hasPermission: {
+			path: "organization/has-permission",
+			method: "POST"
+		}
+	},
+	emailOtp: {
+		sendVerificationOtp: {
+			path: "email-otp/send-verification-otp",
+			method: "POST"
+		},
+		verifyEmail: {
+			path: "email-otp/verify-email",
+			method: "POST"
+		},
+		checkVerificationOtp: {
+			path: "email-otp/check-verification-otp",
+			method: "POST"
+		},
+		resetPassword: {
+			path: "email-otp/passcode",
+			method: "POST"
+		}
+	}
+};
+
+//#endregion
+//#region src/utils/cookies.ts
+/**
+* Extract the Neon Auth cookies from the request headers.
+* Only returns cookies that start with the NEON_AUTH_COOKIE_PREFIX.
+*
+* @param headers - The request headers or cookie header string.
+* @returns The cookie string with all Neon Auth cookies (e.g., "name=value; name2=value2").
+*/
+const extractNeonAuthCookies = (headers$1) => {
+	const cookieHeader = typeof headers$1 === "string" ? headers$1 : headers$1.get("cookie");
+	if (!cookieHeader) return "";
+	const parsedCookies = parseCookies(cookieHeader);
+	const result = [];
+	for (const [name, value] of parsedCookies.entries()) if (name.startsWith(NEON_AUTH_COOKIE_PREFIX)) result.push(`${name}=${value}`);
+	return result.join("; ");
+};
+/**
+* Parses the `set-cookie` header from Neon Auth response into a list of cookies.
+*
+* @param setCookieHeader - The `set-cookie` header from Neon Auth response.
+* @returns The list of parsed cookies with their options.
+*/
+const parseSetCookies = (setCookieHeader) => {
+	const parsedCookies = parseSetCookieHeader(setCookieHeader);
+	const cookies$1 = [];
+	for (const entry of parsedCookies.entries()) {
+		const [name, parsedCookie] = entry;
+		cookies$1.push({
+			name,
+			value: decodeURIComponent(parsedCookie.value),
+			path: parsedCookie.path,
+			maxAge: parsedCookie["max-age"] ?? parsedCookie.maxAge,
+			httpOnly: parsedCookie.httponly ?? true,
+			secure: parsedCookie.secure ?? true,
+			sameSite: parsedCookie.samesite ?? "lax",
+			partitioned: parsedCookie.partitioned
+		});
+	}
+	return cookies$1;
+};
+
+//#endregion
+//#region src/server/client-factory.ts
+function createAuthServerInternal(config) {
+	const { baseUrl, context: getContext } = config;
+	const fetchWithAuth = async (path, method, args) => {
+		const ctx = await getContext();
+		const cookies$1 = await ctx.getCookies();
+		const origin = await ctx.getOrigin();
+		const framework = ctx.getFramework();
+		const url = new URL(path, baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`);
+		const { query, fetchOptions: _fetchOptions, ...body } = args || {};
+		if (query && typeof query === "object") {
+			const queryParams = query;
+			for (const [key, value] of Object.entries(queryParams)) if (value !== void 0 && value !== null) url.searchParams.set(key, String(value));
+		}
+		const headers$1 = {
+			Cookie: cookies$1,
+			Origin: origin,
+			[NEON_AUTH_SERVER_PROXY_HEADER]: framework
+		};
+		let requestBody;
+		if (method === "POST") {
+			headers$1["Content-Type"] = "application/json";
+			requestBody = JSON.stringify(Object.keys(body).length > 0 ? body : {});
+		}
+		const response = await fetch(url.toString(), {
+			method,
+			headers: headers$1,
+			body: requestBody
+		});
+		const setCookieHeader = response.headers.get("set-cookie");
+		if (setCookieHeader) {
+			const parsedCookies = parseSetCookies(setCookieHeader);
+			for (const cookie of parsedCookies) await ctx.setCookie(cookie.name, cookie.value, cookie);
+		}
+		const responseData = await response.json().catch(() => null);
+		if (!response.ok) return {
+			data: null,
+			error: {
+				message: responseData?.message || response.statusText,
+				status: response.status,
+				statusText: response.statusText
+			}
+		};
+		return {
+			data: responseData,
+			error: null
+		};
+	};
+	return createApiProxy(API_ENDPOINTS, fetchWithAuth);
+}
+function isEndpointConfig(value) {
+	return typeof value === "object" && value !== null && "path" in value && "method" in value;
+}
+function createApiProxy(endpoints, fetchFn) {
+	return new Proxy({}, { get(_, prop) {
+		const endpoint = endpoints[prop];
+		if (!endpoint) return;
+		if (isEndpointConfig(endpoint)) return (args) => fetchFn(endpoint.path, endpoint.method, args);
+		return createApiProxy(endpoint, fetchFn);
+	} });
+}
+
+//#endregion
+//#region src/next/server/adapter.ts
+/**
+* Creates a Next.js-specific RequestContext that reads cookies and headers
+* from next/headers and handles cookie setting.
+*/
+async function createNextRequestContext() {
+	const cookieStore = await cookies();
+	const headerStore = await headers();
+	return {
+		getCookies() {
+			return extractNeonAuthCookies(headerStore);
+		},
+		setCookie(name, value, options) {
+			cookieStore.set(name, value, options);
+		},
+		getHeader(name) {
+			return headerStore.get(name) ?? null;
+		},
+		getOrigin() {
+			return headerStore.get("origin") || headerStore.get("referer")?.split("/").slice(0, 3).join("/") || "";
+		},
+		getFramework() {
+			return "nextjs";
+		}
+	};
+}
+
+//#endregion
+//#region src/next/constants.ts
+const NEON_AUTH_SESSION_COOKIE_NAME = `${NEON_AUTH_COOKIE_PREFIX}.session_token`;
+const NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME = `${NEON_AUTH_COOKIE_PREFIX}.session_challange`;
+const NEON_AUTH_HEADER_MIDDLEWARE_NAME = "X-Neon-Auth-Next-Middleware";
+
+//#endregion
+//#region src/next/handler/request.ts
+const PROXY_HEADERS = [
+	"user-agent",
+	"authorization",
+	"referer",
+	"content-type"
+];
+const handleAuthRequest = async (baseUrl, request, path) => {
+	const headers$1 = prepareRequestHeaders(request);
+	const body = await parseRequestBody(request);
+	try {
+		const upstreamURL = getUpstreamURL(baseUrl, path, { originalUrl: new URL(request.url) });
+		return await fetch(upstreamURL.toString(), {
+			method: request.method,
+			headers: headers$1,
+			body
+		});
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Internal Server Error";
+		console.error(`[AuthError] ${message}`, error);
+		return new Response(`[AuthError] ${message}`, { status: 500 });
+	}
+};
+const getUpstreamURL = (baseUrl, path, { originalUrl }) => {
+	const url = new URL(`${baseUrl}/${path}`);
+	if (originalUrl) {
+		url.search = originalUrl.search;
+		return url;
+	}
+	return url;
+};
+const prepareRequestHeaders = (request) => {
+	const headers$1 = new Headers();
+	for (const header of PROXY_HEADERS) if (request.headers.get(header)) headers$1.set(header, request.headers.get(header));
+	headers$1.set("Origin", getOrigin(request));
+	headers$1.set("Cookie", extractNeonAuthCookies(request.headers));
+	headers$1.set(NEON_AUTH_HEADER_MIDDLEWARE_NAME, "true");
+	return headers$1;
+};
+const getOrigin = (request) => {
+	return request.headers.get("origin") || request.headers.get("referer")?.split("/").slice(0, 3).join("/") || new URL(request.url).origin;
+};
+const parseRequestBody = async (request) => {
+	if (request.body) return request.text();
+};
+
+//#endregion
+//#region src/next/env-variables.ts
+const NEON_AUTH_BASE_URL = process.env.NEON_AUTH_BASE_URL;
+
+//#endregion
+//#region src/next/auth/session.ts
+/**
+* A utility function to be used in react server components fetch the session details from the Neon Auth API, if session token is available in cookie.
+*
+* @returns - `{ session: Session, user: User }` | `{ session: null, user: null}`.
+*
+* @example
+* ```ts
+* import { neonAuth } from "@neondatabase/auth/next/server"
+*
+* const { session, user } = await neonAuth()
+* ```
+*/
+const neonAuth = async () => {
+	return await fetchSession();
+};
+/**
+* A utility function to fetch the session details from the Neon Auth API, if session token is available in cookie.
+*
+* @returns - `{ session: Session, user: User }` | `{ session: null, user: null}`.
+*/
+const fetchSession = async () => {
+	const baseUrl = NEON_AUTH_BASE_URL;
+	const requestHeaders = await headers();
+	const upstreamURL = getUpstreamURL(baseUrl, "get-session", { originalUrl: new URL("get-session", baseUrl) });
+	const response = await fetch(upstreamURL.toString(), {
+		method: "GET",
+		headers: { Cookie: extractNeonAuthCookies(requestHeaders) }
+	});
+	const body = await response.json();
+	const cookieHeader = response.headers.get("set-cookie");
+	if (cookieHeader) {
+		const cookieStore = await cookies();
+		parseSetCookies(cookieHeader).map((cookie) => {
+			cookieStore.set(cookie.name, cookie.value, cookie);
+		});
+	}
+	if (!response.ok || body === null) return {
+		session: null,
+		user: null
+	};
+	return {
+		session: body.session,
+		user: body.user
+	};
+};
+
+//#endregion
+//#region src/next/handler/response.ts
+const RESPONSE_HEADERS_ALLOWLIST = [
+	"content-type",
+	"content-length",
+	"content-encoding",
+	"transfer-encoding",
+	"connection",
+	"date",
+	"set-cookie",
+	"set-auth-jwt",
+	"set-auth-token",
+	"x-neon-ret-request-id"
+];
+const handleAuthResponse = async (response) => {
+	return new Response(response.body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers: prepareResponseHeaders(response)
+	});
+};
+const prepareResponseHeaders = (response) => {
+	const headers$1 = new Headers();
+	for (const header of RESPONSE_HEADERS_ALLOWLIST) {
+		const value = response.headers.get(header);
+		if (value) headers$1.set(header, value);
+	}
+	return headers$1;
+};
+
+//#endregion
+//#region src/next/auth/cookies.ts
+/**
+* Extract the Neon Auth cookies from the response headers.
+* @deprecated Use parseSetCookies instead
+*/
+const extractResponseCookies = (headers$1) => {
+	const cookieHeader = headers$1.get("set-cookie");
+	if (!cookieHeader) return [];
+	return cookieHeader.split(", ").map((c) => c.trim());
+};
+
+//#endregion
+//#region src/next/middleware/oauth.ts
+const needsSessionVerification = (request) => {
+	const hasVerifier = request.nextUrl.searchParams.has(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+	const hasChallenge = request.cookies.get(NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME);
+	return hasVerifier && hasChallenge;
+};
+const exchangeOAuthToken = async (request, baseUrl) => {
+	const url = request.nextUrl;
+	const verifier = url.searchParams.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+	const challenge = request.cookies.get(NEON_AUTH_SESSION_CHALLENGE_COOKIE_NAME);
+	if (!verifier || !challenge) return null;
+	const response = await handleAuthResponse(await handleAuthRequest(baseUrl, new Request(request.url, {
+		method: "GET",
+		headers: request.headers
+	}), "get-session"));
+	if (response.ok) {
+		const headers$1 = new Headers();
+		const cookies$1 = extractResponseCookies(response.headers);
+		for (const cookie of cookies$1) headers$1.append("Set-Cookie", cookie);
+		url.searchParams.delete(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+		return NextResponse.redirect(url, { headers: headers$1 });
+	}
+	return null;
+};
+
+//#endregion
+//#region src/next/errors.ts
+const ERRORS = { MISSING_AUTH_BASE_URL: "Missing environment variable: NEON_AUTH_BASE_URL. \n You must provide the auth url of your Neon Auth instance in environment variables" };
+
+//#endregion
+//#region src/next/middleware/index.ts
+const SKIP_ROUTES = [
+	"/api/auth",
+	"/auth/callback",
+	"/auth/sign-in",
+	"/auth/sign-up",
+	"/auth/magic-link",
+	"/auth/email-otp",
+	"/auth/forgot-password"
+];
+/**
+* A Next.js middleware to protect routes from unauthenticated requests and refresh the session if required.
+*
+* @param loginUrl - The URL to redirect to when the user is not authenticated.
+* @returns A middleware function that can be used in the Next.js app.
+*
+* @example
+* ```ts
+* import { neonAuthMiddleware } from "@neondatabase/auth/next"
+*
+* export default neonAuthMiddleware({
+*   loginUrl: '/auth/sign-in',
+* });
+* ```
+*/
+function neonAuthMiddleware({ loginUrl = "/auth/sign-in" }) {
+	const baseUrl = NEON_AUTH_BASE_URL;
+	if (!baseUrl) throw new Error(ERRORS.MISSING_AUTH_BASE_URL);
+	return async (request) => {
+		const { pathname } = request.nextUrl;
+		if (pathname.startsWith(loginUrl)) return NextResponse.next();
+		if (needsSessionVerification(request)) {
+			const response = await exchangeOAuthToken(request, baseUrl);
+			if (response !== null) return response;
+		}
+		if (SKIP_ROUTES.some((route) => pathname.startsWith(route))) return NextResponse.next();
+		if ((await fetchSession()).session === null) return NextResponse.redirect(new URL(loginUrl, request.url));
+		const reqHeaders = new Headers(request.headers);
+		reqHeaders.set(NEON_AUTH_HEADER_MIDDLEWARE_NAME, "true");
+		return NextResponse.next({ request: { headers: reqHeaders } });
+	};
+}
+
+//#endregion
+//#region src/next/handler/index.ts
+/**
+* 
+* An API route handler to handle the auth requests from the client and proxy them to the Neon Auth.
+* 
+* @returns A Next.js API handler functions those can be used in a Next.js route.
+*
+* @example
+* Mount the `authApiHandler` to an API route. Create a route file inside `/api/auth/[...all]/route.ts` directory. 
+*  And add the following code:
+* 
+* ```ts 
+* // app/api/auth/[...all]/route.ts
+* import { authApiHandler } from '@neondatabase/auth/next';
+* 
+* export const { GET, POST } = authApiHandler();
+* ```
+*/
+function authApiHandler() {
+	const baseURL = process.env.NEON_AUTH_BASE_URL;
+	if (!baseURL) throw new Error(ERRORS.MISSING_AUTH_BASE_URL);
+	const handler = async (request, { params }) => {
+		return await handleAuthResponse(await handleAuthRequest(baseURL, request, (await params).path.join("/")));
+	};
+	return {
+		GET: handler,
+		POST: handler,
+		PUT: handler,
+		DELETE: handler,
+		PATCH: handler
+	};
+}
+
+//#endregion
+//#region src/next/server/index.ts
+/**
+* Creates a server-side auth API client for Next.js.
+* 
+* This client exposes the Neon Auth APIs including authentication, user management, organizations, and admin operations.
+* 
+* **Where to use:**
+* - React Server Components
+* - Server Actions
+* - Route Handlers
+* 
+* **Requirements:**
+* - `NEON_AUTH_BASE_URL` environment variable must be set
+* - Cookies are automatically read/written via `next/headers`
+* 
+* @returns Auth server API client for Next.js
+* @throws Error if `NEON_AUTH_BASE_URL` environment variable is not set
+* 
+* @example
+* ```typescript
+* // lib/auth/server.ts - Create a singleton instance
+* import { createAuthServer } from '@neondatabase/auth/next/server';
+* export const authServer = createAuthServer();
+* ```
+* 
+* @example
+* ```typescript
+* // Server Component - Reading session
+* import { authServer } from '@/lib/auth/server';
+* 
+* export default async function Page() {
+*   const { data: session } = await authServer.getSession();
+*   if (!session?.user) return <div>Not logged in</div>;
+*   return <div>Hello {session.user.name}</div>;
+* }
+* ```
+* 
+* @example
+* ```typescript
+* // Server Action - Sign in
+* 'use server';
+* import { authServer } from '@/lib/auth/server';
+* import { redirect } from 'next/navigation';
+* 
+* export async function signIn(formData: FormData) {
+*   const { error } = await authServer.signIn.email({
+*     email: formData.get('email') as string,
+*     password: formData.get('password') as string,
+*   });
+*   if (error) return { error: error.message };
+*   redirect('/dashboard');
+* }
+* ```
+*/
+function createAuthServer() {
+	const baseUrl = process.env.NEON_AUTH_BASE_URL;
+	if (!baseUrl) throw new Error("NEON_AUTH_BASE_URL environment variable is required for createAuthServer()");
+	return createAuthServerInternal({
+		baseUrl,
+		context: createNextRequestContext
+	});
+}
+
+//#endregion
+export { authApiHandler, createAuthServer, neonAuth, neonAuthMiddleware };