@neondatabase/auth 0.2.0-beta.1 → 0.4.0-beta

package/dist/next/server/index.mjs

@@ -1,4 +1,4 @@
-import { o as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME } from "../../constants-Cupc_bln.mjs";
+import { c as isAuthApiError, l as isAuthError, m as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, o as AuthApiError, r as normalizeBetterAuthError, s as AuthError } from "../../better-auth-helpers-Bkezghej.mjs";
 import { SignJWT, jwtVerify } from "jose";
 import { parseCookies, parseSetCookieHeader } from "better-auth/cookies";
 import { cookies, headers } from "next/headers";
@@ -54,6 +54,10 @@ const API_ENDPOINTS = {
 		emailOtp: {
 			path: "sign-in/email-otp",
 			method: "POST"
+		},
+		magicLink: {
+			path: "sign-in/magic-link",
+			method: "POST"
 		}
 	},
 	signUp: { email: {
@@ -273,7 +277,11 @@ const API_ENDPOINTS = {
 			path: "email-otp/passcode",
 			method: "POST"
 		}
-	}
+	},
+	magicLink: { verify: {
+		path: "magic-link/verify",
+		method: "GET"
+	} }
 };
 
 //#endregion
@@ -473,6 +481,35 @@ async function getSessionDataFromCookie(request, cookieName, cookieSecret) {
 		return null;
 	}
 }
+/**
+* Fetch session data from upstream using session token cookie
+*
+* @param sessionTokenCookie - Session token cookie string (can be Set-Cookie header or "name=value" format)
+* @param baseUrl - Auth server base URL
+* @returns Session data from upstream
+*/
+async function fetchSessionWithCookie(sessionTokenCookie, baseUrl) {
+	let cookieName;
+	let cookieValue;
+	if (sessionTokenCookie.includes("=")) {
+		const [name, ...valueParts] = sessionTokenCookie.split(";")[0].trim().split("=");
+		cookieName = name.trim();
+		cookieValue = valueParts.join("=").trim();
+	} else throw new Error("Invalid session token cookie format");
+	if (!cookieName.includes("session_token")) throw new Error("session_token not found in cookie");
+	const response = await fetch(`${baseUrl}/get-session`, {
+		headers: { Cookie: `${cookieName}=${cookieValue}` },
+		signal: AbortSignal.timeout(3e3)
+	});
+	if (!response.ok) throw new Error(`Failed to fetch session data: ${response.status} ${response.statusText}`);
+	let body;
+	try {
+		body = await response.json();
+	} catch (error) {
+		throw new Error(`Failed to parse /get-session response as JSON: ${error instanceof Error ? error.message : String(error)}`);
+	}
+	return parseSessionData(body);
+}
 
 //#endregion
 //#region src/server/errors.ts
@@ -506,6 +543,253 @@ async function validateSessionData(sessionDataString, cookieSecret) {
 	}
 }
 
+//#endregion
+//#region src/server/session/minting.ts
+/**
+* Core minting logic - creates session_data cookie from session token
+*
+* @param sessionTokenCookie - Session token cookie string (format: "name=value")
+* @param baseUrl - Auth server base URL
+* @param cookieConfig - Cookie configuration
+* @returns Set-Cookie string or null on error
+*/
+async function mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig) {
+	try {
+		const sessionData = await fetchSessionWithCookie(sessionTokenCookie, baseUrl);
+		if (!sessionData.session) return null;
+		const { value: signedData, expiresAt } = await signSessionDataCookie(sessionData, cookieConfig.secret, cookieConfig.sessionDataTtl);
+		const maxAge = Math.floor((expiresAt.getTime() - Date.now()) / 1e3);
+		return serializeSetCookie({
+			name: NEON_AUTH_SESSION_DATA_COOKIE_NAME,
+			value: signedData,
+			path: "/",
+			domain: cookieConfig.domain,
+			httpOnly: true,
+			secure: true,
+			sameSite: cookieConfig.sameSite ?? "strict",
+			maxAge
+		});
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		console.error("[mintSessionDataCookie] Failed to mint session_data cookie:", {
+			error: errorMessage,
+			...process.env.NODE_ENV !== "production" && { stack: error instanceof Error ? error.stack : void 0 }
+		});
+		return null;
+	}
+}
+/**
+* Utility A: Mint session_data cookie when session_token is updated by upstream
+*
+* Checks response headers for session_token in Set-Cookie, then mints session_data.
+* Handles token deletion (max-age=0) by returning deletion cookie.
+*
+* Use case: Response handling in proxy/middleware after upstream auth calls
+*
+* @param responseHeaders - Response headers from upstream auth server
+* @param baseUrl - Auth server base URL
+* @param cookieConfig - Cookie configuration
+* @returns Set-Cookie string for session_data or null if no action needed
+*/
+async function mintSessionDataFromResponse(responseHeaders, baseUrl, cookieConfig) {
+	const sessionTokenCookie = responseHeaders.getSetCookie().find((cookie) => cookie.includes("session_token"));
+	if (!sessionTokenCookie) return null;
+	if (sessionTokenCookie.toLowerCase().includes("max-age=0")) return serializeSetCookie({
+		name: NEON_AUTH_SESSION_DATA_COOKIE_NAME,
+		value: "",
+		path: "/",
+		domain: cookieConfig.domain,
+		httpOnly: true,
+		secure: true,
+		sameSite: cookieConfig.sameSite ?? "strict",
+		maxAge: 0
+	});
+	return await mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig);
+}
+/**
+* Utility B: Mint/refresh session_data cookie from existing session_token
+*
+* Extracts session_token from request cookies and mints a fresh session_data cookie.
+* Use case: Cache misses, expired cookies, proactive refresh
+*
+* @param sessionTokenCookie - Session token cookie string (format: "name=value")
+* @param baseUrl - Auth server base URL
+* @param cookieConfig - Cookie configuration
+* @returns Set-Cookie string for session_data or null on error
+*/
+async function mintSessionDataFromToken(sessionTokenCookie, baseUrl, cookieConfig) {
+	return await mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig);
+}
+
+//#endregion
+//#region src/server/client-factory.ts
+function createAuthServerInternal(config) {
+	const { baseUrl, context: getContext, cookieSecret, sessionDataTtl, domain, sameSite } = config;
+	const effectiveSameSite = sameSite ?? "strict";
+	const fetchWithAuth = async (path, method, args) => {
+		const ctx = await getContext();
+		const cookies$1 = await ctx.getCookies();
+		const origin = await ctx.getOrigin();
+		const framework = ctx.getFramework();
+		const url = new URL(path, baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`);
+		const { query, fetchOptions: _fetchOptions, ...body } = args || {};
+		if (query && typeof query === "object") {
+			const queryParams = query;
+			for (const [key, value] of Object.entries(queryParams)) if (value !== void 0 && value !== null) url.searchParams.set(key, String(value));
+		}
+		const headers$1 = {
+			Cookie: cookies$1,
+			Origin: origin,
+			[NEON_AUTH_SERVER_PROXY_HEADER]: framework
+		};
+		let requestBody;
+		if (method === "POST") {
+			headers$1["Content-Type"] = "application/json";
+			requestBody = JSON.stringify(Object.keys(body).length > 0 ? body : {});
+		}
+		const response = await fetch(url.toString(), {
+			method,
+			headers: headers$1,
+			body: requestBody
+		});
+		const setCookieHeaders = response.headers.getSetCookie();
+		if (setCookieHeaders.length > 0) {
+			for (const setCookieHeader of setCookieHeaders) {
+				const parsedCookies = parseSetCookies(setCookieHeader);
+				for (const cookie of parsedCookies) {
+					const cookieOptions = {
+						...cookie,
+						domain,
+						partitioned: void 0,
+						sameSite: effectiveSameSite
+					};
+					await ctx.setCookie(cookie.name, cookie.value, cookieOptions);
+				}
+			}
+			try {
+				const sessionDataCookie = await mintSessionDataFromResponse(response.headers, baseUrl, {
+					secret: cookieSecret,
+					sessionDataTtl,
+					domain,
+					sameSite
+				});
+				if (sessionDataCookie) {
+					const [parsedSessionData] = parseSetCookies(sessionDataCookie);
+					if (parsedSessionData) await ctx.setCookie(parsedSessionData.name, parsedSessionData.value, parsedSessionData);
+				}
+			} catch (error) {
+				console.error("[fetchWithAuth] Failed to mint session data cookie:", error);
+			}
+		}
+		const responseData = await response.json().catch(() => null);
+		if (!response.ok) {
+			const normalized = normalizeBetterAuthError({
+				status: response.status,
+				statusText: response.statusText,
+				message: responseData?.message || response.statusText,
+				code: responseData?.code,
+				body: responseData
+			});
+			return {
+				data: null,
+				error: {
+					message: normalized.message,
+					status: normalized.status ?? response.status,
+					statusText: response.statusText,
+					code: normalized.code
+				}
+			};
+		}
+		return {
+			data: responseData,
+			error: null
+		};
+	};
+	const baseServer = createApiProxy(API_ENDPOINTS, fetchWithAuth);
+	const originalGetSession = baseServer.getSession;
+	baseServer.getSession = async (...args) => {
+		const [data] = args;
+		if (!(data?.query?.disableCookieCache === "true")) try {
+			const cookiesString = await (await getContext()).getCookies();
+			const hasSessionToken = cookiesString.includes(NEON_AUTH_SESSION_COOKIE_NAME);
+			const sessionDataCookie = parseCookieValue(cookiesString, NEON_AUTH_SESSION_DATA_COOKIE_NAME);
+			if (sessionDataCookie && hasSessionToken) {
+				const result = await validateSessionData(sessionDataCookie, cookieSecret);
+				if (result.valid && result.payload) return {
+					data: result.payload,
+					error: null
+				};
+			}
+		} catch (error) {
+			console.error("[auth.getSession] Cookie validation error:", error);
+		}
+		return originalGetSession(...args);
+	};
+	return baseServer;
+}
+function isEndpointConfig(value) {
+	return typeof value === "object" && value !== null && "path" in value && "method" in value;
+}
+function createApiProxy(endpoints, fetchFn) {
+	return new Proxy({}, {
+		get(target, prop) {
+			if (prop in target) return target[prop];
+			const endpoint = endpoints[prop];
+			if (!endpoint) return;
+			if (isEndpointConfig(endpoint)) return (args) => fetchFn(endpoint.path, endpoint.method, args);
+			return createApiProxy(endpoint, fetchFn);
+		},
+		set(target, prop, value) {
+			target[prop] = value;
+			return true;
+		}
+	});
+}
+
+//#endregion
+//#region src/next/server/adapter.ts
+/**
+* Creates a Next.js-specific RequestContext that reads cookies and headers
+* from next/headers and handles cookie setting.
+*/
+async function createNextRequestContext() {
+	const cookieStore = await cookies();
+	const headerStore = await headers();
+	return {
+		getCookies() {
+			return extractNeonAuthCookies(headerStore);
+		},
+		setCookie(name, value, options) {
+			cookieStore.set(name, value, options);
+		},
+		getHeader(name) {
+			return headerStore.get(name) ?? null;
+		},
+		getOrigin() {
+			return headerStore.get("origin") || headerStore.get("referer")?.split("/").slice(0, 3).join("/") || "";
+		},
+		getFramework() {
+			return "nextjs";
+		}
+	};
+}
+
+//#endregion
+//#region src/server/config.ts
+/**
+* Framework-agnostic configuration types for Neon Auth
+*/
+/**
+* Validates cookie configuration meets security requirements
+* @param cookies - The cookie configuration to validate
+* @throws Error if secret is too short (< 32 characters)
+*/
+function validateCookieConfig(cookies$1) {
+	if (!cookies$1.secret) throw new Error(ERRORS.MISSING_COOKIE_SECRET);
+	if (cookies$1.secret.length < 32) throw new Error(ERRORS.COOKIE_SECRET_TOO_SHORT);
+	if (cookies$1.sessionDataTtl !== void 0 && cookies$1.sessionDataTtl <= 0) throw new Error(ERRORS.INVALID_SESSION_DATA_TTL);
+}
+
 //#endregion
 //#region src/server/proxy/request.ts
 const PROXY_HEADERS = [
@@ -612,8 +896,8 @@ const RESPONSE_HEADERS_ALLOWLIST = [
 * @returns New Response with proxied headers and session data cookie
 */
 const handleAuthResponse = async (response, baseUrl, cookieConfig) => {
-	const responseHeaders = prepareResponseHeaders(response, cookieConfig.domain);
-	const sessionDataCookie = await mintSessionData(response.headers, baseUrl, cookieConfig);
+	const responseHeaders = prepareResponseHeaders(response, cookieConfig);
+	const sessionDataCookie = await mintSessionDataFromResponse(response.headers, baseUrl, cookieConfig);
 	if (sessionDataCookie) responseHeaders.append("Set-Cookie", sessionDataCookie);
 	return new Response(response.body, {
 		status: response.status,
@@ -621,85 +905,27 @@ const handleAuthResponse = async (response, baseUrl, cookieConfig) => {
 		headers: responseHeaders
 	});
 };
-const prepareResponseHeaders = (response, domain) => {
+const prepareResponseHeaders = (response, cookieConfig) => {
 	const headers$1 = new Headers();
+	const effectiveSameSite = cookieConfig.sameSite ?? "strict";
+	const { domain } = cookieConfig;
 	for (const header of RESPONSE_HEADERS_ALLOWLIST) if (header === "set-cookie") {
 		const cookies$1 = response.headers.getSetCookie();
-		for (const cookieHeader of cookies$1) if (domain) {
+		for (const cookieHeader of cookies$1) {
 			const parsedCookies = parseSetCookies(cookieHeader);
 			for (const parsedCookie of parsedCookies) {
-				parsedCookie.domain = domain;
+				parsedCookie.partitioned = void 0;
+				parsedCookie.sameSite = effectiveSameSite;
+				if (domain) parsedCookie.domain = domain;
 				headers$1.append("Set-Cookie", serializeSetCookie(parsedCookie));
 			}
-		} else headers$1.append("Set-Cookie", cookieHeader);
+		}
 	} else {
 		const value = response.headers.get(header);
 		if (value) headers$1.set(header, value);
 	}
 	return headers$1;
 };
-async function mintSessionData(headers$1, baseUrl, cookieConfig) {
-	const { secret, sessionDataTtl, domain } = cookieConfig;
-	const sessionToken = headers$1.getSetCookie().find((cookie) => cookie.includes("session_token"));
-	if (!sessionToken) return null;
-	if (sessionToken.toLowerCase().includes("max-age=0")) return serializeSetCookie({
-		name: NEON_AUTH_SESSION_DATA_COOKIE_NAME,
-		value: "",
-		path: "/",
-		domain,
-		httpOnly: true,
-		secure: true,
-		sameSite: "lax",
-		maxAge: 0
-	});
-	try {
-		const sessionData = await fetchSessionWithCookie(sessionToken, baseUrl);
-		if (sessionData.session) {
-			const { value: signedData, expiresAt } = await signSessionDataCookie(sessionData, secret, sessionDataTtl);
-			return serializeSetCookie({
-				name: NEON_AUTH_SESSION_DATA_COOKIE_NAME,
-				value: signedData,
-				path: "/",
-				domain,
-				httpOnly: true,
-				secure: true,
-				sameSite: "lax",
-				maxAge: Math.floor((expiresAt.getTime() - Date.now()) / 1e3)
-			});
-		}
-	} catch (error) {
-		const errorMessage = error instanceof Error ? error.message : String(error);
-		const errorContext = {
-			error: errorMessage,
-			setCookieHeaderLength: sessionToken?.length || 0
-		};
-		if (errorMessage.includes("session_token not found")) console.warn("[mintSessionData] Session token missing in set-cookie:", errorContext);
-		else if (errorMessage.includes("Failed to fetch session data")) console.error("[mintSessionData] Upstream /get-session request failed:", errorContext);
-		else if (errorMessage.includes("NEON_AUTH_COOKIE_SECRET")) console.error("[mintSessionData] Cookie secret configuration error:", errorContext);
-		else if (errorMessage.includes("Invalid date")) console.error("[mintSessionData] Date parsing error:", errorContext);
-		else console.error("[mintSessionData] Unexpected error:", {
-			...errorContext,
-			...process.env.NODE_ENV !== "production" && { stack: error instanceof Error ? error.stack : void 0 }
-		});
-	}
-	return null;
-}
-async function fetchSessionWithCookie(setCookieHeader, baseUrl) {
-	const sessionToken = parseSetCookies(setCookieHeader).find((c) => c.name.includes("session_token"));
-	if (!sessionToken) throw new Error("session_token not found in set-cookie header");
-	const response = await fetch(`${baseUrl}/get-session`, {
-		headers: { Cookie: `${sessionToken.name}=${sessionToken.value}` },
-		signal: AbortSignal.timeout(3e3)
-	});
-	if (!response.ok) throw new Error(`Failed to fetch session data: ${response.status} ${response.statusText}`);
-	let body;
-	try {
-		body = await response.json();
-	} catch (error) {
-		throw new Error(`Failed to parse /get-session response as JSON: ${error instanceof Error ? error.message : String(error)}`);
-	}
-	return parseSessionData(body);
-}
 
 //#endregion
 //#region src/server/session/cache-handler.ts
@@ -707,38 +933,68 @@ async function fetchSessionWithCookie(setCookieHeader, baseUrl) {
 * Attempts to retrieve session data from cookie cache
 * Returns Response with session data if cache hit, null otherwise
 *
+* If session_data cookie is missing or invalid, attempts to mint a new one
+* from the session_token cookie (reactive minting).
+*
 * This is the framework-agnostic session cache optimization used by API handlers.
 *
 * @param request - Standard Web API Request object
-* @param cookieSecret - Secret for validating signed session cookies
+* @param baseUrl - Auth server base URL for upstream calls
+* @param cookieConfig - Cookie configuration (secret, TTL, domain)
 * @returns Response with session data JSON if cache hit, null if miss/disabled
 */
-async function trySessionCache(request, cookieSecret) {
+async function trySessionCache(request, baseUrl, cookieConfig) {
 	if (new URL(request.url).searchParams.get("disableCookieCache") === "true") return null;
-	if (!(request.headers.get("cookie") || "").includes(NEON_AUTH_SESSION_COOKIE_NAME)) return null;
+	const cookieHeader = request.headers.get("cookie") || "";
+	if (!cookieHeader.includes(NEON_AUTH_SESSION_COOKIE_NAME)) return null;
+	const hasSessionData = parseCookies(cookieHeader).has(NEON_AUTH_SESSION_DATA_COOKIE_NAME);
+	const mintAndReturn = async () => {
+		const sessionTokenCookie = extractSessionTokenCookie(cookieHeader);
+		if (!sessionTokenCookie) return null;
+		const sessionDataCookieString = await mintSessionDataFromToken(sessionTokenCookie, baseUrl, cookieConfig);
+		if (!sessionDataCookieString) return null;
+		try {
+			const sessionData = await fetchSessionWithCookie(sessionTokenCookie, baseUrl);
+			if (!sessionData.session) return null;
+			const response = Response.json(sessionData);
+			response.headers.set("Set-Cookie", sessionDataCookieString);
+			return response;
+		} catch (error) {
+			console.error("[trySessionCache] Failed to fetch session after minting cookie:", error);
+			return null;
+		}
+	};
+	if (!hasSessionData) return await mintAndReturn();
 	try {
-		const sessionData = await getSessionDataFromCookie(request, NEON_AUTH_SESSION_DATA_COOKIE_NAME, cookieSecret);
+		const sessionData = await getSessionDataFromCookie(request, NEON_AUTH_SESSION_DATA_COOKIE_NAME, cookieConfig.secret);
 		if (sessionData && sessionData.session) return Response.json(sessionData);
+		return await mintAndReturn();
 	} catch (error) {
 		const errorMessage = error instanceof Error ? error.message : String(error);
 		const errorName = error instanceof Error ? error.name : "Unknown";
-		if (errorName === "JWTExpired") console.debug("[trySessionCache] Session cookie expired (expected):", {
+		if (errorName === "JWTExpired") console.debug("[trySessionCache] Session cookie expired, minting new one:", {
 			error: errorMessage,
-			errorType: errorName,
 			url: request.url
 		});
-		else if (errorName === "JWTInvalid" || errorName === "JWTClaimValidationFailed") console.warn("[trySessionCache] Invalid session cookie (possible tampering):", {
+		else if (errorName === "JWTInvalid" || errorName === "JWTClaimValidationFailed") console.warn("[trySessionCache] Invalid session cookie, minting new one:", {
 			error: errorMessage,
-			errorType: errorName,
 			url: request.url
 		});
-		else console.error("[trySessionCache] Unexpected cookie validation error:", {
+		else console.error("[trySessionCache] Unexpected validation error:", {
 			error: errorMessage,
-			errorType: errorName,
 			url: request.url
 		});
+		return await mintAndReturn();
 	}
-	return null;
+}
+/**
+* Extract session_token cookie value from cookie header
+* @internal
+*/
+function extractSessionTokenCookie(cookieHeader) {
+	const sessionToken = parseCookies(cookieHeader).get(NEON_AUTH_SESSION_COOKIE_NAME);
+	if (!sessionToken) return null;
+	return `${NEON_AUTH_SESSION_COOKIE_NAME}=${sessionToken}`;
 }
 
 //#endregion
@@ -758,173 +1014,24 @@ async function trySessionCache(request, cookieSecret) {
 * @returns Standard Web API Response
 */
 async function handleAuthProxyRequest(config) {
-	const { request, path, baseUrl, cookieSecret, sessionDataTtl, domain } = config;
+	const { request, path, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite } = config;
 	if (path === API_ENDPOINTS.getSession.path && request.method === API_ENDPOINTS.getSession.method) {
-		const cachedResponse = await trySessionCache(request, cookieSecret);
+		const cachedResponse = await trySessionCache(request, baseUrl, {
+			secret: cookieSecret,
+			sessionDataTtl,
+			domain,
+			sameSite
+		});
 		if (cachedResponse) return cachedResponse;
 	}
 	return await handleAuthResponse(await handleAuthRequest(baseUrl, request, path), baseUrl, {
 		secret: cookieSecret,
 		sessionDataTtl,
-		domain
-	});
-}
-
-//#endregion
-//#region src/server/client-factory.ts
-function createAuthServerInternal(config) {
-	const { baseUrl, context: getContext, cookieSecret, sessionDataTtl, domain } = config;
-	const fetchWithAuth = async (path, method, args) => {
-		const ctx = await getContext();
-		const cookies$1 = await ctx.getCookies();
-		const origin = await ctx.getOrigin();
-		const framework = ctx.getFramework();
-		const url = new URL(path, baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`);
-		const { query, fetchOptions: _fetchOptions, ...body } = args || {};
-		if (query && typeof query === "object") {
-			const queryParams = query;
-			for (const [key, value] of Object.entries(queryParams)) if (value !== void 0 && value !== null) url.searchParams.set(key, String(value));
-		}
-		const headers$1 = {
-			Cookie: cookies$1,
-			Origin: origin,
-			[NEON_AUTH_SERVER_PROXY_HEADER]: framework
-		};
-		let requestBody;
-		if (method === "POST") {
-			headers$1["Content-Type"] = "application/json";
-			requestBody = JSON.stringify(Object.keys(body).length > 0 ? body : {});
-		}
-		const response = await fetch(url.toString(), {
-			method,
-			headers: headers$1,
-			body: requestBody
-		});
-		const setCookieHeaders = response.headers.getSetCookie();
-		if (setCookieHeaders.length > 0) {
-			for (const setCookieHeader of setCookieHeaders) {
-				const parsedCookies = parseSetCookies(setCookieHeader);
-				for (const cookie of parsedCookies) {
-					const cookieOptions = domain ? {
-						...cookie,
-						domain
-					} : cookie;
-					await ctx.setCookie(cookie.name, cookie.value, cookieOptions);
-				}
-			}
-			try {
-				const sessionDataCookie = await mintSessionData(response.headers, baseUrl, {
-					secret: cookieSecret,
-					sessionDataTtl,
-					domain
-				});
-				if (sessionDataCookie) {
-					const [parsedSessionData] = parseSetCookies(sessionDataCookie);
-					if (parsedSessionData) await ctx.setCookie(parsedSessionData.name, parsedSessionData.value, parsedSessionData);
-				}
-			} catch (error) {
-				console.error("[fetchWithAuth] Failed to mint session data cookie:", error);
-			}
-		}
-		const responseData = await response.json().catch(() => null);
-		if (!response.ok) return {
-			data: null,
-			error: {
-				message: responseData?.message || response.statusText,
-				status: response.status,
-				statusText: response.statusText
-			}
-		};
-		return {
-			data: responseData,
-			error: null
-		};
-	};
-	const baseServer = createApiProxy(API_ENDPOINTS, fetchWithAuth);
-	const originalGetSession = baseServer.getSession;
-	baseServer.getSession = async (...args) => {
-		const [data] = args;
-		if (!(data?.query?.disableCookieCache === "true")) try {
-			const cookiesString = await (await getContext()).getCookies();
-			const hasSessionToken = cookiesString.includes(NEON_AUTH_SESSION_COOKIE_NAME);
-			const sessionDataCookie = parseCookieValue(cookiesString, NEON_AUTH_SESSION_DATA_COOKIE_NAME);
-			if (sessionDataCookie && hasSessionToken) {
-				const result = await validateSessionData(sessionDataCookie, cookieSecret);
-				if (result.valid && result.payload) return {
-					data: result.payload,
-					error: null
-				};
-			}
-		} catch (error) {
-			console.error("[auth.getSession] Cookie validation error:", error);
-		}
-		return originalGetSession(...args);
-	};
-	return baseServer;
-}
-function isEndpointConfig(value) {
-	return typeof value === "object" && value !== null && "path" in value && "method" in value;
-}
-function createApiProxy(endpoints, fetchFn) {
-	return new Proxy({}, {
-		get(target, prop) {
-			if (prop in target) return target[prop];
-			const endpoint = endpoints[prop];
-			if (!endpoint) return;
-			if (isEndpointConfig(endpoint)) return (args) => fetchFn(endpoint.path, endpoint.method, args);
-			return createApiProxy(endpoint, fetchFn);
-		},
-		set(target, prop, value) {
-			target[prop] = value;
-			return true;
-		}
+		domain,
+		sameSite
 	});
 }
 
-//#endregion
-//#region src/next/server/adapter.ts
-/**
-* Creates a Next.js-specific RequestContext that reads cookies and headers
-* from next/headers and handles cookie setting.
-*/
-async function createNextRequestContext() {
-	const cookieStore = await cookies();
-	const headerStore = await headers();
-	return {
-		getCookies() {
-			return extractNeonAuthCookies(headerStore);
-		},
-		setCookie(name, value, options) {
-			cookieStore.set(name, value, options);
-		},
-		getHeader(name) {
-			return headerStore.get(name) ?? null;
-		},
-		getOrigin() {
-			return headerStore.get("origin") || headerStore.get("referer")?.split("/").slice(0, 3).join("/") || "";
-		},
-		getFramework() {
-			return "nextjs";
-		}
-	};
-}
-
-//#endregion
-//#region src/server/config.ts
-/**
-* Framework-agnostic configuration types for Neon Auth
-*/
-/**
-* Validates cookie configuration meets security requirements
-* @param cookies - The cookie configuration to validate
-* @throws Error if secret is too short (< 32 characters)
-*/
-function validateCookieConfig(cookies$1) {
-	if (!cookies$1.secret) throw new Error(ERRORS.MISSING_COOKIE_SECRET);
-	if (cookies$1.secret.length < 32) throw new Error(ERRORS.COOKIE_SECRET_TOO_SHORT);
-	if (cookies$1.sessionDataTtl !== void 0 && cookies$1.sessionDataTtl <= 0) throw new Error(ERRORS.INVALID_SESSION_DATA_TTL);
-}
-
 //#endregion
 //#region src/next/server/handler.ts
 /**
@@ -964,7 +1071,8 @@ function authApiHandler(config) {
 			baseUrl,
 			cookieSecret: cookies$1.secret,
 			sessionDataTtl: cookies$1.sessionDataTtl,
-			domain: cookies$1.domain
+			domain: cookies$1.domain,
+			sameSite: cookies$1.sameSite
 		});
 	};
 	return {
@@ -1003,7 +1111,7 @@ function needsSessionVerification(request) {
 * @param domain - Optional cookie domain
 * @returns Exchange result with redirect URL and cookies, or null if exchange not needed/failed
 */
-async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain) {
+async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite) {
 	const url = new URL(request.url);
 	const verifier = url.searchParams.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
 	const cookieHeader = request.headers.get("cookie");
@@ -1016,7 +1124,8 @@ async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl
 	}), "get-session"), baseUrl, {
 		secret: cookieSecret,
 		sessionDataTtl,
-		domain
+		domain,
+		sameSite
 	});
 	if (response.ok) {
 		const setCookieHeaders = response.headers.getSetCookie();
@@ -1091,10 +1200,11 @@ function checkSessionRequired(pathname, skipRoutes, loginUrl, session) {
 * @returns Decision object indicating what action to take
 */
 async function processAuthMiddleware(config) {
-	const { request, pathname, skipRoutes, loginUrl, baseUrl, cookieSecret, sessionDataTtl, domain } = config;
+	const { request, pathname, skipRoutes, loginUrl, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite } = config;
+	const effectiveSameSite = sameSite ?? "strict";
 	if (pathname.startsWith(loginUrl)) return { action: "allow" };
 	if (needsSessionVerification(request)) {
-		const exchangeResult = await exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain);
+		const exchangeResult = await exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite);
 		if (exchangeResult !== null) return {
 			action: "redirect_oauth",
 			redirectUrl: exchangeResult.redirectUrl,
@@ -1108,6 +1218,7 @@ async function processAuthMiddleware(config) {
 		session: null,
 		user: null
 	};
+	let sessionCookies = [];
 	if (hasSessionToken) {
 		const sessionResponse = await handleAuthProxyRequest({
 			request,
@@ -1115,16 +1226,19 @@ async function processAuthMiddleware(config) {
 			baseUrl,
 			cookieSecret,
 			sessionDataTtl,
-			domain
+			domain,
+			sameSite
 		});
 		if (sessionResponse.ok) {
 			const data = await sessionResponse.json().catch(() => null);
 			if (data) sessionData = data;
 		}
+		sessionCookies = sessionResponse.headers.getSetCookie();
 	}
 	if (checkSessionRequired(pathname, skipRoutes, loginUrl, sessionData).allowed) return {
 		action: "allow",
-		headers: { [NEON_AUTH_HEADER_MIDDLEWARE_NAME]: "true" }
+		headers: { [NEON_AUTH_HEADER_MIDDLEWARE_NAME]: "true" },
+		cookies: sessionCookies
 	};
 	const cookies$1 = [];
 	if (hasStaleSessionData) cookies$1.push(serializeSetCookie({
@@ -1134,7 +1248,7 @@ async function processAuthMiddleware(config) {
 		domain,
 		httpOnly: true,
 		secure: true,
-		sameSite: "lax",
+		sameSite: effectiveSameSite,
 		maxAge: 0
 	}));
 	return {
@@ -1193,13 +1307,16 @@ function neonAuthMiddleware(config) {
 			baseUrl,
 			cookieSecret: cookies$1.secret,
 			sessionDataTtl: cookies$1.sessionDataTtl,
-			domain: cookies$1.domain
+			domain: cookies$1.domain,
+			sameSite: cookies$1.sameSite
 		});
 		switch (result.action) {
 			case "allow": {
 				const headers$1 = new Headers(request.headers);
 				if (result.headers) for (const [key, value] of Object.entries(result.headers)) headers$1.set(key, value);
-				return NextResponse.next({ request: { headers: headers$1 } });
+				const response = NextResponse.next({ request: { headers: headers$1 } });
+				if (result.cookies) for (const cookie of result.cookies) response.headers.append("Set-Cookie", cookie);
+				return response;
 			}
 			case "redirect_oauth": {
 				const oauthHeaders = new Headers();
@@ -1319,7 +1436,8 @@ function createNeonAuth(config) {
 		context: createNextRequestContext,
 		cookieSecret: cookies$1.secret,
 		sessionDataTtl: cookies$1.sessionDataTtl,
-		domain: cookies$1.domain
+		domain: cookies$1.domain,
+		sameSite: cookies$1.sameSite
 	});
 	/**
 	* Creates API route handlers for Next.js
@@ -1370,4 +1488,4 @@ function createNeonAuth(config) {
 }
 
 //#endregion
-export { createNeonAuth };
+export { AuthApiError, AuthError, createNeonAuth, isAuthApiError, isAuthError };