@neondatabase/auth 0.3.0-beta → 0.4.1-beta

package/dist/next/server/index.mjs

@@ -1,4 +1,4 @@
-import { o as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME } from "../../constants-Cupc_bln.mjs";
+import { c as isAuthApiError, l as isAuthError, m as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, o as AuthApiError, r as normalizeBetterAuthError, s as AuthError } from "../../better-auth-helpers-Bkezghej.mjs";
 import { SignJWT, jwtVerify } from "jose";
 import { parseCookies, parseSetCookieHeader } from "better-auth/cookies";
 import { cookies, headers } from "next/headers";
@@ -54,6 +54,10 @@ const API_ENDPOINTS = {
 		emailOtp: {
 			path: "sign-in/email-otp",
 			method: "POST"
+		},
+		magicLink: {
+			path: "sign-in/magic-link",
+			method: "POST"
 		}
 	},
 	signUp: { email: {
@@ -273,7 +277,11 @@ const API_ENDPOINTS = {
 			path: "email-otp/passcode",
 			method: "POST"
 		}
-	}
+	},
+	magicLink: { verify: {
+		path: "magic-link/verify",
+		method: "GET"
+	} }
 };
 
 //#endregion
@@ -558,7 +566,7 @@ async function mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig)
 			domain: cookieConfig.domain,
 			httpOnly: true,
 			secure: true,
-			sameSite: "lax",
+			sameSite: cookieConfig.sameSite ?? "strict",
 			maxAge
 		});
 	} catch (error) {
@@ -593,7 +601,7 @@ async function mintSessionDataFromResponse(responseHeaders, baseUrl, cookieConfi
 		domain: cookieConfig.domain,
 		httpOnly: true,
 		secure: true,
-		sameSite: "lax",
+		sameSite: cookieConfig.sameSite ?? "strict",
 		maxAge: 0
 	});
 	return await mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig);
@@ -613,10 +621,138 @@ async function mintSessionDataFromToken(sessionTokenCookie, baseUrl, cookieConfi
 	return await mintSessionDataCookie(sessionTokenCookie, baseUrl, cookieConfig);
 }
 
+//#endregion
+//#region src/server/network-error.ts
+/**
+* Classifies failed upstream `fetch` calls for clearer client responses and logs.
+*/
+/**
+* Semver-stable transport error codes surfaced as JSON `code` on synthetic HTTP responses
+* (for example 502 from the proxy) and in logs. Treat adding values as non-breaking;
+* renaming or removing values is a breaking change.
+*/
+const NEON_AUTH_NETWORK_ERROR_CODES = [
+	"NETWORK_ERROR",
+	"NETWORK_DNS",
+	"NETWORK_REFUSED",
+	"NETWORK_TIMEOUT",
+	"NETWORK_TLS",
+	"NETWORK_RESET",
+	"NETWORK_ABORT"
+];
+function readErrnoCode(node) {
+	if (!node || typeof node !== "object") return void 0;
+	const code = node.code;
+	return typeof code === "string" ? code : void 0;
+}
+function isAbortError(node) {
+	if (node instanceof Error && node.name === "AbortError") return true;
+	if (typeof node === "object" && node !== null && "name" in node && node.name === "AbortError") return true;
+	return false;
+}
+function isTlsRelated(code, message) {
+	if (!code && !message) return false;
+	const c = code ?? "";
+	if (c.startsWith("ERR_TLS") || c.startsWith("CERT_") || c === "UNABLE_TO_VERIFY_LEAF_SIGNATURE") return true;
+	const m = message.toLowerCase();
+	return m.includes("certificate") || m.includes("ssl") || m.includes("tls") || m.includes("wrong version number");
+}
+function isLegacyFetchTypeError(node) {
+	return node instanceof TypeError && typeof node.message === "string" && node.message.includes("fetch");
+}
+function collectRelatedErrors(error) {
+	const seen = /* @__PURE__ */ new Set();
+	const list = [];
+	function add(e) {
+		if (e === void 0 || e === null) return;
+		if (typeof e === "object") {
+			if (seen.has(e)) return;
+			seen.add(e);
+		}
+		list.push(e);
+		if (e instanceof Error && e.cause !== void 0) add(e.cause);
+		if (e instanceof AggregateError && Array.isArray(e.errors)) for (const sub of e.errors) add(sub);
+	}
+	add(error);
+	return list;
+}
+function clientMessageFor(code) {
+	switch (code) {
+		case "NETWORK_DNS": return "Could not resolve authentication server hostname";
+		case "NETWORK_REFUSED": return "Connection refused by authentication server";
+		case "NETWORK_TIMEOUT": return "Authentication server connection timed out";
+		case "NETWORK_TLS": return "TLS error connecting to authentication server";
+		case "NETWORK_RESET": return "Connection to authentication server was reset";
+		case "NETWORK_ABORT": return "Authentication request was aborted";
+		default: return "Unable to connect to authentication server";
+	}
+}
+const INTERNAL_PUBLIC_MESSAGE = "Internal Server Error";
+/**
+* Inspects an error from `fetch` (including `cause` and aggregate errors) and
+* returns a stable code for responses and observability.
+*/
+function classifyFetchFailure(error) {
+	const nodes = collectRelatedErrors(error);
+	for (const node of nodes) if (isAbortError(node)) return {
+		kind: "transport",
+		code: "NETWORK_ABORT",
+		detail: "AbortError",
+		clientMessage: clientMessageFor("NETWORK_ABORT")
+	};
+	for (const node of nodes) {
+		const code = readErrnoCode(node);
+		const message = node instanceof Error ? node.message : "";
+		if (code === "ENOTFOUND" || code === "EAI_AGAIN") return {
+			kind: "transport",
+			code: "NETWORK_DNS",
+			detail: code,
+			clientMessage: clientMessageFor("NETWORK_DNS")
+		};
+		if (code === "ECONNREFUSED") return {
+			kind: "transport",
+			code: "NETWORK_REFUSED",
+			detail: code,
+			clientMessage: clientMessageFor("NETWORK_REFUSED")
+		};
+		if (code === "ETIMEDOUT" || code === "UND_ERR_CONNECT_TIMEOUT" || code === "UND_ERR_HEADERS_TIMEOUT" || code === "UND_ERR_BODY_TIMEOUT") return {
+			kind: "transport",
+			code: "NETWORK_TIMEOUT",
+			detail: code ?? "timeout",
+			clientMessage: clientMessageFor("NETWORK_TIMEOUT")
+		};
+		if (code === "ECONNRESET" || code === "EPIPE" || code === "ECONNABORTED") return {
+			kind: "transport",
+			code: "NETWORK_RESET",
+			detail: code,
+			clientMessage: clientMessageFor("NETWORK_RESET")
+		};
+		if (isTlsRelated(code, message)) return {
+			kind: "transport",
+			code: "NETWORK_TLS",
+			detail: code ?? "tls",
+			clientMessage: clientMessageFor("NETWORK_TLS")
+		};
+	}
+	for (const node of nodes) if (isLegacyFetchTypeError(node)) return {
+		kind: "transport",
+		code: "NETWORK_ERROR",
+		detail: "fetch TypeError",
+		clientMessage: clientMessageFor("NETWORK_ERROR")
+	};
+	const head = nodes[0];
+	return {
+		kind: "internal",
+		detail: (head instanceof Error ? head.message : INTERNAL_PUBLIC_MESSAGE).slice(0, 200),
+		clientMessage: INTERNAL_PUBLIC_MESSAGE
+	};
+}
+
 //#endregion
 //#region src/server/client-factory.ts
 function createAuthServerInternal(config) {
-	const { baseUrl, context: getContext, cookieSecret, sessionDataTtl, domain } = config;
+	const { baseUrl, context: getContext, cookieSecret, sessionDataTtl, domain, sameSite, log } = config;
+	const effectiveSameSite = sameSite ?? "strict";
 	const fetchWithAuth = async (path, method, args) => {
 		const ctx = await getContext();
 		const cookies$1 = await ctx.getCookies();
@@ -638,10 +774,61 @@ function createAuthServerInternal(config) {
 			headers$1["Content-Type"] = "application/json";
 			requestBody = JSON.stringify(Object.keys(body).length > 0 ? body : {});
 		}
-		const response = await fetch(url.toString(), {
-			method,
-			headers: headers$1,
-			body: requestBody
+		let response;
+		try {
+			response = await fetch(url.toString(), {
+				method,
+				headers: headers$1,
+				body: requestBody
+			});
+		} catch (error) {
+			const classified = classifyFetchFailure(error);
+			if (classified.kind === "transport") {
+				log?.warn("[neon-auth] Server API upstream fetch failed", {
+					component: "server-api",
+					path: url.pathname,
+					code: classified.code,
+					detail: classified.detail,
+					host: url.host
+				});
+				return {
+					data: null,
+					error: {
+						message: classified.clientMessage,
+						status: 502,
+						statusText: "Bad Gateway",
+						code: classified.code
+					}
+				};
+			}
+			log?.error("[neon-auth] Server API unexpected fetch error", {
+				component: "server-api",
+				path: url.pathname,
+				detail: classified.detail,
+				host: url.host,
+				err: error
+			});
+			throw error instanceof Error ? error : new Error(String(error));
+		}
+		if (response.ok) log?.debug("[neon-auth] Server API upstream fetch completed", {
+			component: "server-api",
+			path: url.pathname,
+			status: response.status,
+			host: url.host
+		});
+		else if (response.status >= 500) log?.warn("[neon-auth] Server API upstream HTTP error", {
+			component: "server-api",
+			path: url.pathname,
+			status: response.status,
+			statusText: response.statusText,
+			host: url.host
+		});
+		else log?.info("[neon-auth] Server API upstream HTTP non-2xx", {
+			component: "server-api",
+			path: url.pathname,
+			status: response.status,
+			statusText: response.statusText,
+			host: url.host
 		});
 		const setCookieHeaders = response.headers.getSetCookie();
 		if (setCookieHeaders.length > 0) {
@@ -652,7 +839,7 @@ function createAuthServerInternal(config) {
 						...cookie,
 						domain,
 						partitioned: void 0,
-						sameSite: "lax"
+						sameSite: effectiveSameSite
 					};
 					await ctx.setCookie(cookie.name, cookie.value, cookieOptions);
 				}
@@ -661,25 +848,40 @@ function createAuthServerInternal(config) {
 				const sessionDataCookie = await mintSessionDataFromResponse(response.headers, baseUrl, {
 					secret: cookieSecret,
 					sessionDataTtl,
-					domain
+					domain,
+					sameSite
 				});
 				if (sessionDataCookie) {
 					const [parsedSessionData] = parseSetCookies(sessionDataCookie);
 					if (parsedSessionData) await ctx.setCookie(parsedSessionData.name, parsedSessionData.value, parsedSessionData);
 				}
 			} catch (error) {
-				console.error("[fetchWithAuth] Failed to mint session data cookie:", error);
+				log?.warn("[neon-auth] Failed to mint session data cookie", {
+					component: "server-api",
+					detail: error instanceof Error ? error.message : String(error),
+					err: error
+				});
 			}
 		}
 		const responseData = await response.json().catch(() => null);
-		if (!response.ok) return {
-			data: null,
-			error: {
-				message: responseData?.message || response.statusText,
+		if (!response.ok) {
+			const normalized = normalizeBetterAuthError({
 				status: response.status,
-				statusText: response.statusText
-			}
-		};
+				statusText: response.statusText,
+				message: responseData?.message || response.statusText,
+				code: responseData?.code,
+				body: responseData
+			});
+			return {
+				data: null,
+				error: {
+					message: normalized.message,
+					status: normalized.status ?? response.status,
+					statusText: response.statusText,
+					code: normalized.code
+				}
+			};
+		}
 		return {
 			data: responseData,
 			error: null
@@ -701,7 +903,11 @@ function createAuthServerInternal(config) {
 				};
 			}
 		} catch (error) {
-			console.error("[auth.getSession] Cookie validation error:", error);
+			log?.warn("[neon-auth] Cookie validation error before getSession upstream call", {
+				component: "server-api",
+				detail: error instanceof Error ? error.message : String(error),
+				err: error
+			});
 		}
 		return originalGetSession(...args);
 	};
@@ -726,6 +932,70 @@ function createApiProxy(endpoints, fetchFn) {
 	});
 }
 
+//#endregion
+//#region src/server/logger.ts
+const LEVEL_RANK = {
+	error: 0,
+	warn: 1,
+	info: 2,
+	debug: 3
+};
+const consoleSink = {
+	error: (message, meta) => {
+		if (meta && Object.keys(meta).length > 0) console.error(message, meta);
+		else console.error(message);
+	},
+	warn: (message, meta) => {
+		if (meta && Object.keys(meta).length > 0) console.warn(message, meta);
+		else console.warn(message);
+	},
+	info: (message, meta) => {
+		if (meta && Object.keys(meta).length > 0) console.info(message, meta);
+		else console.info(message);
+	},
+	debug: (message, meta) => {
+		if (meta && Object.keys(meta).length > 0) console.debug(message, meta);
+		else console.debug(message);
+	}
+};
+function wrapWithLevel(level, logger) {
+	const minRank = LEVEL_RANK[level];
+	const gate = (messageLevel, fn) => {
+		return (message, meta) => {
+			if (LEVEL_RANK[messageLevel] <= minRank) fn(message, meta);
+		};
+	};
+	return {
+		error: gate("error", logger.error),
+		warn: gate("warn", logger.warn),
+		info: gate("info", logger.info),
+		debug: gate("debug", logger.debug)
+	};
+}
+const noopResolved = {
+	error: () => {},
+	warn: () => {},
+	info: () => {},
+	debug: () => {}
+};
+/**
+* Merges user logger with `console`, applies {@link NeonAuthLoggingInput} level rules.
+*
+* **Opt-out:** Defaults to `warn` (structured `error` / `warn` to `console`). Set **`logLevel: 'silent'`**
+* to disable completely. Custom **`logger`** overrides `console` per level when not silent.
+*/
+function resolveNeonAuthLogging(input) {
+	if (input?.logLevel === "silent") return noopResolved;
+	const level = input?.logLevel ?? "warn";
+	const raw = input?.logger ?? {};
+	return wrapWithLevel(level, {
+		error: raw.error ?? consoleSink.error,
+		warn: raw.warn ?? consoleSink.warn,
+		info: raw.info ?? consoleSink.info,
+		debug: raw.debug ?? consoleSink.debug
+	});
+}
+
 //#endregion
 //#region src/next/server/adapter.ts
 /**
@@ -783,36 +1053,80 @@ const PROXY_HEADERS = [
 * This is framework-agnostic and can be used by any server framework
 */
 const NEON_AUTH_HEADER_MIDDLEWARE_NAME = "x-neon-auth-middleware";
+function safeAuthHost(baseUrl) {
+	try {
+		return new URL(baseUrl).host;
+	} catch {
+		return;
+	}
+}
 /**
 * Handles proxying authentication requests to the upstream Neon Auth server
 *
 * @param baseUrl - Base URL of the Neon Auth server
 * @param request - Standard Web API Request object
 * @param path - API path to proxy to (e.g., 'get-session', 'sign-in')
+* @param log - Optional resolved logging sink
 * @returns Response from upstream server or error response
 */
-const handleAuthRequest = async (baseUrl, request, path) => {
+const handleAuthRequest = async (baseUrl, request, path, log) => {
 	const headers$1 = prepareRequestHeaders(request);
 	const body = await parseRequestBody(request);
 	try {
 		const upstreamURL = getUpstreamURL(baseUrl, path, { originalUrl: new URL(request.url) });
-		return await fetch(upstreamURL.toString(), {
+		const response = await fetch(upstreamURL.toString(), {
 			method: request.method,
 			headers: headers$1,
 			body
 		});
+		const host = safeAuthHost(baseUrl);
+		if (response.ok) log?.debug("[neon-auth] Upstream fetch completed", {
+			component: "proxy",
+			proxyPath: path,
+			status: response.status,
+			host
+		});
+		else if (response.status >= 500) log?.warn("[neon-auth] Upstream HTTP error", {
+			component: "proxy",
+			proxyPath: path,
+			status: response.status,
+			statusText: response.statusText,
+			host
+		});
+		else log?.info("[neon-auth] Upstream HTTP non-2xx", {
+			component: "proxy",
+			proxyPath: path,
+			status: response.status,
+			statusText: response.statusText,
+			host
+		});
+		return response;
 	} catch (error) {
-		if (error instanceof Error && error.name === "TypeError" && error.message.includes("fetch")) return Response.json({
-			error: "Unable to connect to authentication server",
-			code: "NETWORK_ERROR"
-		}, {
-			status: 502,
-			headers: { "Content-Type": "application/json" }
+		const classified = classifyFetchFailure(error);
+		if (classified.kind === "transport") {
+			log?.warn("[neon-auth] Upstream fetch failed", {
+				component: "proxy",
+				proxyPath: path,
+				code: classified.code,
+				detail: classified.detail,
+				host: safeAuthHost(baseUrl)
+			});
+			return Response.json({
+				error: classified.clientMessage,
+				code: classified.code
+			}, {
+				status: 502,
+				headers: { "Content-Type": "application/json" }
+			});
+		}
+		log?.error("[neon-auth] Unexpected proxy error", {
+			component: "proxy",
+			proxyPath: path,
+			detail: classified.detail,
+			host: safeAuthHost(baseUrl)
 		});
-		const message = error instanceof Error ? error.message : "Internal Server Error";
-		console.error(`[AuthError] ${message}`, error);
 		return Response.json({
-			error: message,
+			error: classified.clientMessage,
 			code: "INTERNAL_ERROR"
 		}, {
 			status: 500,
@@ -876,7 +1190,7 @@ const RESPONSE_HEADERS_ALLOWLIST = [
 * @returns New Response with proxied headers and session data cookie
 */
 const handleAuthResponse = async (response, baseUrl, cookieConfig) => {
-	const responseHeaders = prepareResponseHeaders(response, cookieConfig.domain);
+	const responseHeaders = prepareResponseHeaders(response, cookieConfig);
 	const sessionDataCookie = await mintSessionDataFromResponse(response.headers, baseUrl, cookieConfig);
 	if (sessionDataCookie) responseHeaders.append("Set-Cookie", sessionDataCookie);
 	return new Response(response.body, {
@@ -885,15 +1199,17 @@ const handleAuthResponse = async (response, baseUrl, cookieConfig) => {
 		headers: responseHeaders
 	});
 };
-const prepareResponseHeaders = (response, domain) => {
+const prepareResponseHeaders = (response, cookieConfig) => {
 	const headers$1 = new Headers();
+	const effectiveSameSite = cookieConfig.sameSite ?? "strict";
+	const { domain } = cookieConfig;
 	for (const header of RESPONSE_HEADERS_ALLOWLIST) if (header === "set-cookie") {
 		const cookies$1 = response.headers.getSetCookie();
 		for (const cookieHeader of cookies$1) {
 			const parsedCookies = parseSetCookies(cookieHeader);
 			for (const parsedCookie of parsedCookies) {
 				parsedCookie.partitioned = void 0;
-				parsedCookie.sameSite = "lax";
+				parsedCookie.sameSite = effectiveSameSite;
 				if (domain) parsedCookie.domain = domain;
 				headers$1.append("Set-Cookie", serializeSetCookie(parsedCookie));
 			}
@@ -992,19 +1308,21 @@ function extractSessionTokenCookie(cookieHeader) {
 * @returns Standard Web API Response
 */
 async function handleAuthProxyRequest(config) {
-	const { request, path, baseUrl, cookieSecret, sessionDataTtl, domain } = config;
+	const { request, path, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite, log } = config;
 	if (path === API_ENDPOINTS.getSession.path && request.method === API_ENDPOINTS.getSession.method) {
 		const cachedResponse = await trySessionCache(request, baseUrl, {
 			secret: cookieSecret,
 			sessionDataTtl,
-			domain
+			domain,
+			sameSite
 		});
 		if (cachedResponse) return cachedResponse;
 	}
-	return await handleAuthResponse(await handleAuthRequest(baseUrl, request, path), baseUrl, {
+	return await handleAuthResponse(await handleAuthRequest(baseUrl, request, path, log), baseUrl, {
 		secret: cookieSecret,
 		sessionDataTtl,
-		domain
+		domain,
+		sameSite
 	});
 }
 
@@ -1040,6 +1358,7 @@ async function handleAuthProxyRequest(config) {
 function authApiHandler(config) {
 	const { baseUrl, cookies: cookies$1 } = config;
 	validateCookieConfig(cookies$1);
+	const log = resolveNeonAuthLogging(config);
 	const handler = async (request, { params }) => {
 		return handleAuthProxyRequest({
 			request,
@@ -1047,7 +1366,9 @@ function authApiHandler(config) {
 			baseUrl,
 			cookieSecret: cookies$1.secret,
 			sessionDataTtl: cookies$1.sessionDataTtl,
-			domain: cookies$1.domain
+			domain: cookies$1.domain,
+			sameSite: cookies$1.sameSite,
+			log
 		});
 	};
 	return {
@@ -1084,9 +1405,11 @@ function needsSessionVerification(request) {
 * @param cookieSecret - Secret for signing session cookies
 * @param sessionDataTtl - Optional TTL for session data cache
 * @param domain - Optional cookie domain
+* @param sameSite - SameSite for cookies set during exchange
+* @param log - Resolved Neon Auth logging sink (proxy / middleware)
 * @returns Exchange result with redirect URL and cookies, or null if exchange not needed/failed
 */
-async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain) {
+async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite, log) {
 	const url = new URL(request.url);
 	const verifier = url.searchParams.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
 	const cookieHeader = request.headers.get("cookie");
@@ -1096,10 +1419,11 @@ async function exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl
 	const response = await handleAuthResponse(await handleAuthRequest(baseUrl, new Request(request.url, {
 		method: "GET",
 		headers: request.headers
-	}), "get-session"), baseUrl, {
+	}), "get-session", log), baseUrl, {
 		secret: cookieSecret,
 		sessionDataTtl,
-		domain
+		domain,
+		sameSite
 	});
 	if (response.ok) {
 		const setCookieHeaders = response.headers.getSetCookie();
@@ -1174,10 +1498,15 @@ function checkSessionRequired(pathname, skipRoutes, loginUrl, session) {
 * @returns Decision object indicating what action to take
 */
 async function processAuthMiddleware(config) {
-	const { request, pathname, skipRoutes, loginUrl, baseUrl, cookieSecret, sessionDataTtl, domain } = config;
+	const log = config.log ?? resolveNeonAuthLogging({
+		logger: config.logger,
+		logLevel: config.logLevel
+	});
+	const { request, pathname, skipRoutes, loginUrl, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite } = config;
+	const effectiveSameSite = sameSite ?? "strict";
 	if (pathname.startsWith(loginUrl)) return { action: "allow" };
 	if (needsSessionVerification(request)) {
-		const exchangeResult = await exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain);
+		const exchangeResult = await exchangeOAuthToken(request, baseUrl, cookieSecret, sessionDataTtl, domain, sameSite, log);
 		if (exchangeResult !== null) return {
 			action: "redirect_oauth",
 			redirectUrl: exchangeResult.redirectUrl,
@@ -1199,10 +1528,18 @@ async function processAuthMiddleware(config) {
 			baseUrl,
 			cookieSecret,
 			sessionDataTtl,
-			domain
+			domain,
+			sameSite,
+			log
 		});
 		if (sessionResponse.ok) {
-			const data = await sessionResponse.json().catch(() => null);
+			const data = await sessionResponse.json().catch((error) => {
+				log.debug("[neon-auth] Failed to parse session response JSON", {
+					component: "middleware",
+					detail: error instanceof Error ? error.message : String(error)
+				});
+				return null;
+			});
 			if (data) sessionData = data;
 		}
 		sessionCookies = sessionResponse.headers.getSetCookie();
@@ -1220,7 +1557,7 @@ async function processAuthMiddleware(config) {
 		domain,
 		httpOnly: true,
 		secure: true,
-		sameSite: "lax",
+		sameSite: effectiveSameSite,
 		maxAge: 0
 	}));
 	return {
@@ -1249,6 +1586,9 @@ const SKIP_ROUTES = [
 * @param config.cookies - Cookie configuration
 * @param config.cookies.secret - Secret for signing session cookies (minimum 32 characters)
 * @param config.cookies.sessionDataTtl - Optional TTL for session cache in seconds (default: 300)
+* @param config.logger - Optional structured logger; omitted methods fall back to `console`
+* @param config.logLevel - Minimum log level; `'silent'` disables Neon Auth console output (default: `warn`)
+* @param config.log - Pre-resolved logging sink (set by {@link createNeonAuth})
 * @param config.loginUrl - The URL to redirect to when the user is not authenticated (default: '/auth/sign-in')
 * @returns A middleware function that can be used in the Next.js app.
 * @throws Error if `cookies.secret` is less than 32 characters
@@ -1267,7 +1607,7 @@ const SKIP_ROUTES = [
 * ```
 */
 function neonAuthMiddleware(config) {
-	const { baseUrl, cookies: cookies$1, loginUrl = "/auth/sign-in" } = config;
+	const { baseUrl, cookies: cookies$1, loginUrl = "/auth/sign-in", log, logger, logLevel } = config;
 	validateCookieConfig(cookies$1);
 	return async (request) => {
 		const pathname = request.nextUrl.pathname;
@@ -1279,7 +1619,11 @@ function neonAuthMiddleware(config) {
 			baseUrl,
 			cookieSecret: cookies$1.secret,
 			sessionDataTtl: cookies$1.sessionDataTtl,
-			domain: cookies$1.domain
+			domain: cookies$1.domain,
+			sameSite: cookies$1.sameSite,
+			log,
+			logger,
+			logLevel
 		});
 		switch (result.action) {
 			case "allow": {
@@ -1330,6 +1674,8 @@ function neonAuthMiddleware(config) {
 * @param config.cookies.secret - Secret for signing session cookies (minimum 32 characters)
 * @param config.cookies.sessionDataTtl - Optional TTL for session cache in seconds (default: 300)
 * @param config.cookies.domain - Optional cookie domain (default: current domain)
+* @param config.logger - Optional structured logger; omitted methods fall back to `console` (see {@link NeonAuthLogger})
+* @param config.logLevel - Minimum level; `'silent'` disables Neon Auth server console logs (default: `warn`)
 * @returns Unified auth instance with server methods, handler, and middleware
 * @throws Error if `cookies.secret` is less than 32 characters
 *
@@ -1402,12 +1748,15 @@ function neonAuthMiddleware(config) {
 function createNeonAuth(config) {
 	const { baseUrl, cookies: cookies$1 } = config;
 	validateCookieConfig(cookies$1);
+	const log = resolveNeonAuthLogging(config);
 	const server = createAuthServerInternal({
 		baseUrl,
 		context: createNextRequestContext,
 		cookieSecret: cookies$1.secret,
 		sessionDataTtl: cookies$1.sessionDataTtl,
-		domain: cookies$1.domain
+		domain: cookies$1.domain,
+		sameSite: cookies$1.sameSite,
+		log
 	});
 	/**
 	* Creates API route handlers for Next.js
@@ -1452,10 +1801,11 @@ function createNeonAuth(config) {
 	*/
 	server.middleware = (middlewareConfig) => neonAuthMiddleware({
 		...config,
-		...middlewareConfig
+		...middlewareConfig,
+		log
 	});
 	return server;
 }
 
 //#endregion
-export { createNeonAuth };
+export { AuthApiError, AuthError, NEON_AUTH_NETWORK_ERROR_CODES, classifyFetchFailure, createNeonAuth, isAuthApiError, isAuthError, resolveNeonAuthLogging };