@oauth42/next 0.1.0

package/dist/index.mjs

@@ -0,0 +1,260 @@
+// src/provider.ts
+function OAuth42Provider(options) {
+  const issuer = options.issuer || process.env.OAUTH42_ISSUER || "https://oauth42.com";
+  const baseUrl = issuer.replace(/\/$/, "");
+  return {
+    id: "oauth42",
+    name: "OAuth42",
+    type: "oauth",
+    version: "2.0",
+    // Use OIDC discovery to automatically find endpoints
+    wellKnown: `${baseUrl}/.well-known/openid-configuration`,
+    // Also set individual endpoints for compatibility
+    authorization: {
+      url: `${baseUrl}/oauth2/authorize`,
+      params: {
+        scope: (options.scopes || ["openid", "profile", "email"]).join(" "),
+        response_type: "code"
+      }
+    },
+    token: `${baseUrl}/oauth2/token`,
+    userinfo: `${baseUrl}/oauth2/userinfo`,
+    client: {
+      id: options.clientId,
+      secret: options.clientSecret,
+      token_endpoint_auth_method: "client_secret_post",
+      id_token_signed_response_alg: "HS256"
+      // OAuth42 uses HS256 for ID tokens
+    },
+    issuer: baseUrl,
+    checks: options.pkceEnabled !== false ? ["pkce", "state"] : ["state"],
+    profile(profile, tokens) {
+      return {
+        id: profile.sub || profile.id || profile.email,
+        email: profile.email,
+        emailVerified: profile.email_verified ? /* @__PURE__ */ new Date() : null,
+        name: profile.name || `${profile.given_name || ""} ${profile.family_name || ""}`.trim(),
+        image: profile.picture
+      };
+    },
+    style: {
+      logo: "/oauth42-logo.svg",
+      bg: "#1e40af",
+      text: "#ffffff"
+    },
+    options
+  };
+}
+
+// src/server/auth.ts
+import NextAuthDefault from "next-auth";
+
+// src/server/session.ts
+import { getServerSession as getNextAuthSession } from "next-auth";
+async function getOAuth42Session(...args) {
+  return getNextAuthSession(...args);
+}
+function withOAuth42Session(handler, authOptions) {
+  return async (req, res) => {
+    const session = await getOAuth42Session(req, res, authOptions);
+    if (!session) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    return handler(req, res, session);
+  };
+}
+function withOAuth42ServerSideProps(getServerSideProps, authOptions) {
+  return async (context) => {
+    const session = await getOAuth42Session(
+      context.req,
+      context.res,
+      authOptions
+    );
+    if (!session) {
+      return {
+        redirect: {
+          destination: "/auth/signin",
+          permanent: false
+        }
+      };
+    }
+    return getServerSideProps(context, session);
+  };
+}
+
+// src/server/auth.ts
+var NextAuth = NextAuthDefault.default || NextAuthDefault;
+function createAuth(options = {}) {
+  const clientId = options.clientId || process.env.OAUTH42_CLIENT_ID;
+  const clientSecret = options.clientSecret || process.env.OAUTH42_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error(
+      "OAuth42 client credentials are required. Set OAUTH42_CLIENT_ID and OAUTH42_CLIENT_SECRET environment variables or pass them in the options."
+    );
+  }
+  const authOptions = {
+    providers: [
+      OAuth42Provider({
+        clientId,
+        clientSecret,
+        issuer: options.issuer,
+        scopes: options.scopes,
+        pkceEnabled: options.pkceEnabled
+      })
+    ],
+    callbacks: {
+      async jwt({ token, account, profile }) {
+        if (account) {
+          token.accessToken = account.access_token;
+          token.refreshToken = account.refresh_token;
+          token.expiresAt = account.expires_at;
+          token.idToken = account.id_token;
+        }
+        if (profile) {
+          const oauth42Profile = profile;
+          token.email = oauth42Profile.email;
+          token.username = oauth42Profile.username;
+          token.emailVerified = oauth42Profile.email_verified;
+        }
+        if (options.callbacks?.jwt) {
+          return options.callbacks.jwt({ token, account, profile });
+        }
+        return token;
+      },
+      async session({ session, token }) {
+        session.accessToken = token.accessToken;
+        session.idToken = token.idToken;
+        if (session.user) {
+          session.user.email = token.email;
+          session.user.username = token.username;
+          session.user.emailVerified = token.emailVerified;
+        }
+        if (options.callbacks?.session) {
+          return options.callbacks.session({ session, token });
+        }
+        return session;
+      },
+      ...options.callbacks
+    },
+    pages: {
+      signIn: "/auth/signin",
+      signOut: "/auth/signout",
+      error: "/auth/error",
+      ...options.pages
+    },
+    session: {
+      strategy: "jwt",
+      ...options.session
+    },
+    debug: options.debug || process.env.NODE_ENV === "development",
+    secret: process.env.NEXTAUTH_SECRET
+  };
+  return {
+    auth: authOptions,
+    handlers: NextAuth(authOptions)
+  };
+}
+var getServerSession = getOAuth42Session;
+async function refreshAccessToken(token, clientId, clientSecret, issuer) {
+  try {
+    const baseUrl = issuer || process.env.OAUTH42_ISSUER || "https://oauth42.com";
+    const tokenUrl = `${baseUrl}/oauth2/token`;
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret
+      })
+    };
+    if (process.env.NODE_ENV !== "production" && tokenUrl.startsWith("https://")) {
+      const https = await import("https");
+      fetchOptions.agent = new https.Agent({
+        rejectUnauthorized: false
+      });
+    }
+    const response = await fetch(tokenUrl, fetchOptions);
+    const refreshedTokens = await response.json();
+    if (!response.ok) {
+      throw refreshedTokens;
+    }
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken,
+      // Store expiration time in seconds (Unix timestamp)
+      expiresAt: Math.floor(Date.now() / 1e3) + (refreshedTokens.expires_in || 3600),
+      // Explicitly remove any error property on successful refresh
+      error: void 0
+    };
+  } catch (error) {
+    console.error("Failed to refresh access token:", error);
+    return {
+      ...token,
+      error: "RefreshAccessTokenError"
+    };
+  }
+}
+
+// src/server/middleware.ts
+import { NextResponse } from "next/server";
+import { getToken } from "next-auth/jwt";
+function withOAuth42Auth(options = {}) {
+  return async function middleware(req) {
+    const token = await getToken({
+      req,
+      secret: process.env.NEXTAUTH_SECRET
+    });
+    const pathname = req.nextUrl.pathname;
+    if (options.publicPaths?.some((path) => pathname.startsWith(path))) {
+      return NextResponse.next();
+    }
+    const needsProtection = options.protectedPaths ? options.protectedPaths.some((path) => pathname.startsWith(path)) : true;
+    if (!needsProtection) {
+      return NextResponse.next();
+    }
+    let isAuthorized = !!token;
+    if (options.callbacks?.authorized) {
+      isAuthorized = await options.callbacks.authorized({ token, req });
+    }
+    if (!isAuthorized) {
+      const signInUrl = options.pages?.signIn || "/auth/signin";
+      const url = new URL(signInUrl, req.url);
+      url.searchParams.set("callbackUrl", pathname);
+      return NextResponse.redirect(url);
+    }
+    return NextResponse.next();
+  };
+}
+function createMiddlewareConfig(protectedPaths = ["/protected"], publicPaths = ["/auth", "/api/auth"]) {
+  return {
+    matcher: [
+      /*
+       * Match all request paths except for the ones starting with:
+       * - _next/static (static files)
+       * - _next/image (image optimization files)
+       * - favicon.ico (favicon file)
+       * - public folder
+       */
+      "/((?!_next/static|_next/image|favicon.ico|public).*)"
+    ],
+    protectedPaths,
+    publicPaths
+  };
+}
+export {
+  OAuth42Provider,
+  createAuth,
+  createMiddlewareConfig,
+  getOAuth42Session,
+  getServerSession,
+  refreshAccessToken,
+  withOAuth42Auth,
+  withOAuth42ServerSideProps,
+  withOAuth42Session
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/provider.ts","../src/server/auth.ts","../src/server/session.ts","../src/server/middleware.ts"],"sourcesContent":["import type { OAuthConfig, OAuthUserConfig } from 'next-auth/providers/oauth';\n\nexport interface OAuth42Profile {\n  sub: string;\n  email: string;\n  email_verified?: boolean;\n  name?: string;\n  given_name?: string;\n  family_name?: string;\n  picture?: string;\n  username?: string;\n  id?: string;\n}\n\nexport interface OAuth42ProviderOptions {\n  clientId: string;\n  clientSecret: string;\n  issuer?: string;\n  authorizationUrl?: string;\n  tokenUrl?: string;\n  userinfoUrl?: string;\n  scopes?: string[];\n  pkceEnabled?: boolean;\n}\n\nexport function OAuth42Provider<P extends OAuth42Profile>(\n  options: OAuthUserConfig<P> & Partial<OAuth42ProviderOptions>\n): OAuthConfig<P> {\n  const issuer = options.issuer || process.env.OAUTH42_ISSUER || 'https://oauth42.com';\n  const baseUrl = issuer.replace(/\\/$/, '');\n  \n  return {\n    id: 'oauth42',\n    name: 'OAuth42',\n    type: 'oauth',\n    version: '2.0',\n    \n    // Use OIDC discovery to automatically find endpoints\n    wellKnown: `${baseUrl}/.well-known/openid-configuration`,\n    \n    // Also set individual endpoints for compatibility\n    authorization: {\n      url: `${baseUrl}/oauth2/authorize`,\n      params: {\n        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),\n        response_type: 'code',\n      },\n    },\n    token: `${baseUrl}/oauth2/token`,\n    userinfo: `${baseUrl}/oauth2/userinfo`,\n    \n    client: {\n      id: options.clientId,\n      secret: options.clientSecret,\n      token_endpoint_auth_method: 'client_secret_post',\n      id_token_signed_response_alg: 'HS256', // OAuth42 uses HS256 for ID tokens\n    },\n    \n    issuer: baseUrl,\n    \n    checks: options.pkceEnabled !== false ? ['pkce', 'state'] : ['state'],\n    \n    profile(profile: OAuth42Profile, tokens: any) {\n      return {\n        id: profile.sub || profile.id || profile.email,\n        email: profile.email,\n        emailVerified: profile.email_verified ? new Date() : null,\n        name: profile.name || `${profile.given_name || ''} ${profile.family_name || ''}`.trim(),\n        image: profile.picture,\n      };\n    },\n    \n    style: {\n      logo: '/oauth42-logo.svg',\n      bg: '#1e40af',\n      text: '#ffffff',\n    },\n    \n    options,\n  };\n}","import NextAuthDefault from 'next-auth';\nimport type { NextAuthOptions } from 'next-auth';\nimport { OAuth42Provider, OAuth42Profile } from '../provider';\nimport { getOAuth42Session } from './session';\n\n// Handle both CommonJS and ESM exports\nconst NextAuth = (NextAuthDefault as any).default || NextAuthDefault;\n\nexport { type NextAuthOptions };\n\nexport interface CreateAuthOptions {\n  clientId?: string;\n  clientSecret?: string;\n  issuer?: string;\n  scopes?: string[];\n  pkceEnabled?: boolean;\n  debug?: boolean;\n  callbacks?: NextAuthOptions['callbacks'];\n  pages?: NextAuthOptions['pages'];\n  session?: NextAuthOptions['session'];\n}\n\n/**\n * Create a pre-configured NextAuth instance for OAuth42\n * This provides a simplified setup with sensible defaults\n */\nexport function createAuth(options: CreateAuthOptions = {}) {\n  const clientId = options.clientId || process.env.OAUTH42_CLIENT_ID;\n  const clientSecret = options.clientSecret || process.env.OAUTH42_CLIENT_SECRET;\n  \n  if (!clientId || !clientSecret) {\n    throw new Error(\n      'OAuth42 client credentials are required. ' +\n      'Set OAUTH42_CLIENT_ID and OAUTH42_CLIENT_SECRET environment variables ' +\n      'or pass them in the options.'\n    );\n  }\n  \n  const authOptions: NextAuthOptions = {\n    providers: [\n      OAuth42Provider({\n        clientId,\n        clientSecret,\n        issuer: options.issuer,\n        scopes: options.scopes,\n        pkceEnabled: options.pkceEnabled,\n      }),\n    ],\n    \n    callbacks: {\n      async jwt({ token, account, profile }) {\n        // Store OAuth tokens in the JWT\n        if (account) {\n          token.accessToken = account.access_token;\n          token.refreshToken = account.refresh_token;\n          token.expiresAt = account.expires_at;\n          token.idToken = account.id_token;\n        }\n        \n        // Add user profile data\n        if (profile) {\n          const oauth42Profile = profile as OAuth42Profile;\n          token.email = oauth42Profile.email;\n          token.username = oauth42Profile.username;\n          token.emailVerified = oauth42Profile.email_verified;\n        }\n        \n        // Call custom callback if provided\n        if (options.callbacks?.jwt) {\n          return options.callbacks.jwt({ token, account, profile } as any);\n        }\n        \n        return token;\n      },\n      \n      async session({ session, token }) {\n        // Add OAuth42-specific data to session\n        session.accessToken = token.accessToken as string;\n        session.idToken = token.idToken as string;\n        \n        if (session.user) {\n          session.user.email = token.email as string;\n          session.user.username = token.username as string;\n          session.user.emailVerified = token.emailVerified as boolean;\n        }\n        \n        // Call custom callback if provided\n        if (options.callbacks?.session) {\n          return options.callbacks.session({ session, token } as any);\n        }\n        \n        return session;\n      },\n      \n      ...options.callbacks,\n    },\n    \n    pages: {\n      signIn: '/auth/signin',\n      signOut: '/auth/signout',\n      error: '/auth/error',\n      ...options.pages,\n    },\n    \n    session: {\n      strategy: 'jwt',\n      ...options.session,\n    },\n    \n    debug: options.debug || process.env.NODE_ENV === 'development',\n    \n    secret: process.env.NEXTAUTH_SECRET,\n  };\n  \n  // Return the configuration and a function to create handlers\n  return {\n    auth: authOptions,\n    handlers: NextAuth(authOptions),\n  };\n}\n\n/**\n * Create NextAuth handlers for API routes\n */\nexport function createHandlers(authOptions: NextAuthOptions) {\n  const handler = NextAuth(authOptions);\n  return { GET: handler, POST: handler };\n}\n\n/**\n * Helper to get the current session server-side\n * @deprecated Use getOAuth42Session instead - this is now just an alias for backward compatibility\n * \n * This function is maintained for backward compatibility but internally\n * calls getOAuth42Session which properly handles both App Router and Pages Router\n */\nexport const getServerSession = getOAuth42Session;\n\n/**\n * Token refresh helper\n */\nexport async function refreshAccessToken(token: any, clientId: string, clientSecret: string, issuer?: string) {\n  try {\n    const baseUrl = issuer || process.env.OAUTH42_ISSUER || 'https://oauth42.com';\n    const tokenUrl = `${baseUrl}/oauth2/token`;\n    \n    // In development, we need to handle self-signed certificates\n    const fetchOptions: any = {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: token.refreshToken,\n        client_id: clientId,\n        client_secret: clientSecret,\n      }),\n    };\n    \n    // Add agent for self-signed certificates in development\n    if (process.env.NODE_ENV !== 'production' && tokenUrl.startsWith('https://')) {\n      const https = await import('https');\n      fetchOptions.agent = new https.Agent({\n        rejectUnauthorized: false\n      });\n    }\n    \n    const response = await fetch(tokenUrl, fetchOptions);\n    const refreshedTokens = await response.json();\n    \n    if (!response.ok) {\n      throw refreshedTokens;\n    }\n    \n    return {\n      ...token,\n      accessToken: refreshedTokens.access_token,\n      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken,\n      // Store expiration time in seconds (Unix timestamp)\n      expiresAt: Math.floor(Date.now() / 1000) + (refreshedTokens.expires_in || 3600),\n      // Explicitly remove any error property on successful refresh\n      error: undefined,\n    };\n  } catch (error) {\n    console.error('Failed to refresh access token:', error);\n    return {\n      ...token,\n      error: 'RefreshAccessTokenError',\n    };\n  }\n}","import { getServerSession as getNextAuthSession } from 'next-auth';\nimport { NextAuthOptions } from 'next-auth';\nimport { GetServerSidePropsContext, NextApiRequest, NextApiResponse } from 'next';\n\n/**\n * Get the OAuth42 session server-side\n * \n * This is the primary method for retrieving sessions in OAuth42 SDK.\n * Supports both Pages Router and App Router:\n * \n * App Router:\n * ```ts\n * const session = await getOAuth42Session(authOptions);\n * ```\n * \n * Pages Router:\n * ```ts\n * const session = await getOAuth42Session(req, res, authOptions);\n * ```\n */\nexport async function getOAuth42Session(\n  ...args: \n    | [GetServerSidePropsContext['req'], GetServerSidePropsContext['res'], NextAuthOptions]\n    | [NextApiRequest, NextApiResponse, NextAuthOptions]\n    | [NextAuthOptions]\n) {\n  return getNextAuthSession(...args as any);\n}\n\n/**\n * Helper for protecting API routes\n */\nexport function withOAuth42Session(\n  handler: (req: NextApiRequest, res: NextApiResponse, session: any) => Promise<void> | void,\n  authOptions: NextAuthOptions\n) {\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    const session = await getOAuth42Session(req, res, authOptions);\n    \n    if (!session) {\n      return res.status(401).json({ error: 'Unauthorized' });\n    }\n    \n    return handler(req, res, session);\n  };\n}\n\n/**\n * Helper for protecting server-side props\n */\nexport function withOAuth42ServerSideProps(\n  getServerSideProps: (\n    context: GetServerSidePropsContext,\n    session: any\n  ) => Promise<any>,\n  authOptions: NextAuthOptions\n) {\n  return async (context: GetServerSidePropsContext) => {\n    const session = await getOAuth42Session(\n      context.req,\n      context.res,\n      authOptions\n    );\n    \n    if (!session) {\n      return {\n        redirect: {\n          destination: '/auth/signin',\n          permanent: false,\n        },\n      };\n    }\n    \n    return getServerSideProps(context, session);\n  };\n}","import { NextRequest, NextResponse } from 'next/server';\nimport { getToken } from 'next-auth/jwt';\n\nexport interface OAuth42AuthOptions {\n  pages?: {\n    signIn?: string;\n    error?: string;\n  };\n  callbacks?: {\n    authorized?: (params: { token: any; req: NextRequest }) => boolean | Promise<boolean>;\n  };\n  protectedPaths?: string[];\n  publicPaths?: string[];\n}\n\n/**\n * Middleware helper for protecting routes with OAuth42\n */\nexport function withOAuth42Auth(options: OAuth42AuthOptions = {}) {\n  return async function middleware(req: NextRequest) {\n    const token = await getToken({ \n      req: req as any, \n      secret: process.env.NEXTAUTH_SECRET \n    });\n    \n    const pathname = req.nextUrl.pathname;\n    \n    // Check if path is explicitly public\n    if (options.publicPaths?.some(path => pathname.startsWith(path))) {\n      return NextResponse.next();\n    }\n    \n    // Check if path needs protection\n    const needsProtection = options.protectedPaths\n      ? options.protectedPaths.some(path => pathname.startsWith(path))\n      : true; // Default to protecting all paths\n    \n    if (!needsProtection) {\n      return NextResponse.next();\n    }\n    \n    // Check authorization\n    let isAuthorized = !!token;\n    \n    if (options.callbacks?.authorized) {\n      isAuthorized = await options.callbacks.authorized({ token, req });\n    }\n    \n    if (!isAuthorized) {\n      const signInUrl = options.pages?.signIn || '/auth/signin';\n      const url = new URL(signInUrl, req.url);\n      url.searchParams.set('callbackUrl', pathname);\n      return NextResponse.redirect(url);\n    }\n    \n    return NextResponse.next();\n  };\n}\n\n/**\n * Helper to create middleware configuration\n */\nexport function createMiddlewareConfig(\n  protectedPaths: string[] = ['/protected'],\n  publicPaths: string[] = ['/auth', '/api/auth']\n) {\n  return {\n    matcher: [\n      /*\n       * Match all request paths except for the ones starting with:\n       * - _next/static (static files)\n       * - _next/image (image optimization files)\n       * - favicon.ico (favicon file)\n       * - public folder\n       */\n      '/((?!_next/static|_next/image|favicon.ico|public).*)',\n    ],\n    protectedPaths,\n    publicPaths,\n  };\n}"],"mappings":";AAyBO,SAAS,gBACd,SACgB;AAChB,QAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI,kBAAkB;AAC/D,QAAM,UAAU,OAAO,QAAQ,OAAO,EAAE;AAExC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS;AAAA;AAAA,IAGT,WAAW,GAAG,OAAO;AAAA;AAAA,IAGrB,eAAe;AAAA,MACb,KAAK,GAAG,OAAO;AAAA,MACf,QAAQ;AAAA,QACN,QAAQ,QAAQ,UAAU,CAAC,UAAU,WAAW,OAAO,GAAG,KAAK,GAAG;AAAA,QAClE,eAAe;AAAA,MACjB;AAAA,IACF;AAAA,IACA,OAAO,GAAG,OAAO;AAAA,IACjB,UAAU,GAAG,OAAO;AAAA,IAEpB,QAAQ;AAAA,MACN,IAAI,QAAQ;AAAA,MACZ,QAAQ,QAAQ;AAAA,MAChB,4BAA4B;AAAA,MAC5B,8BAA8B;AAAA;AAAA,IAChC;AAAA,IAEA,QAAQ;AAAA,IAER,QAAQ,QAAQ,gBAAgB,QAAQ,CAAC,QAAQ,OAAO,IAAI,CAAC,OAAO;AAAA,IAEpE,QAAQ,SAAyB,QAAa;AAC5C,aAAO;AAAA,QACL,IAAI,QAAQ,OAAO,QAAQ,MAAM,QAAQ;AAAA,QACzC,OAAO,QAAQ;AAAA,QACf,eAAe,QAAQ,iBAAiB,oBAAI,KAAK,IAAI;AAAA,QACrD,MAAM,QAAQ,QAAQ,GAAG,QAAQ,cAAc,EAAE,IAAI,QAAQ,eAAe,EAAE,GAAG,KAAK;AAAA,QACtF,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF;AAAA,IAEA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,IAEA;AAAA,EACF;AACF;;;AChFA,OAAO,qBAAqB;;;ACA5B,SAAS,oBAAoB,0BAA0B;AAoBvD,eAAsB,qBACjB,MAIH;AACA,SAAO,mBAAmB,GAAG,IAAW;AAC1C;AAKO,SAAS,mBACd,SACA,aACA;AACA,SAAO,OAAO,KAAqB,QAAyB;AAC1D,UAAM,UAAU,MAAM,kBAAkB,KAAK,KAAK,WAAW;AAE7D,QAAI,CAAC,SAAS;AACZ,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,eAAe,CAAC;AAAA,IACvD;AAEA,WAAO,QAAQ,KAAK,KAAK,OAAO;AAAA,EAClC;AACF;AAKO,SAAS,2BACd,oBAIA,aACA;AACA,SAAO,OAAO,YAAuC;AACnD,UAAM,UAAU,MAAM;AAAA,MACpB,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,UAAU;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,IACF;AAEA,WAAO,mBAAmB,SAAS,OAAO;AAAA,EAC5C;AACF;;;ADrEA,IAAM,WAAY,gBAAwB,WAAW;AAoB9C,SAAS,WAAW,UAA6B,CAAC,GAAG;AAC1D,QAAM,WAAW,QAAQ,YAAY,QAAQ,IAAI;AACjD,QAAM,eAAe,QAAQ,gBAAgB,QAAQ,IAAI;AAEzD,MAAI,CAAC,YAAY,CAAC,cAAc;AAC9B,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,QAAM,cAA+B;AAAA,IACnC,WAAW;AAAA,MACT,gBAAgB;AAAA,QACd;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,QAChB,QAAQ,QAAQ;AAAA,QAChB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH;AAAA,IAEA,WAAW;AAAA,MACT,MAAM,IAAI,EAAE,OAAO,SAAS,QAAQ,GAAG;AAErC,YAAI,SAAS;AACX,gBAAM,cAAc,QAAQ;AAC5B,gBAAM,eAAe,QAAQ;AAC7B,gBAAM,YAAY,QAAQ;AAC1B,gBAAM,UAAU,QAAQ;AAAA,QAC1B;AAGA,YAAI,SAAS;AACX,gBAAM,iBAAiB;AACvB,gBAAM,QAAQ,eAAe;AAC7B,gBAAM,WAAW,eAAe;AAChC,gBAAM,gBAAgB,eAAe;AAAA,QACvC;AAGA,YAAI,QAAQ,WAAW,KAAK;AAC1B,iBAAO,QAAQ,UAAU,IAAI,EAAE,OAAO,SAAS,QAAQ,CAAQ;AAAA,QACjE;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,QAAQ,EAAE,SAAS,MAAM,GAAG;AAEhC,gBAAQ,cAAc,MAAM;AAC5B,gBAAQ,UAAU,MAAM;AAExB,YAAI,QAAQ,MAAM;AAChB,kBAAQ,KAAK,QAAQ,MAAM;AAC3B,kBAAQ,KAAK,WAAW,MAAM;AAC9B,kBAAQ,KAAK,gBAAgB,MAAM;AAAA,QACrC;AAGA,YAAI,QAAQ,WAAW,SAAS;AAC9B,iBAAO,QAAQ,UAAU,QAAQ,EAAE,SAAS,MAAM,CAAQ;AAAA,QAC5D;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,OAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,OAAO;AAAA,MACP,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,SAAS;AAAA,MACP,UAAU;AAAA,MACV,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,OAAO,QAAQ,SAAS,QAAQ,IAAI,aAAa;AAAA,IAEjD,QAAQ,QAAQ,IAAI;AAAA,EACtB;AAGA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU,SAAS,WAAW;AAAA,EAChC;AACF;AAiBO,IAAM,mBAAmB;AAKhC,eAAsB,mBAAmB,OAAY,UAAkB,cAAsB,QAAiB;AAC5G,MAAI;AACF,UAAM,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AACxD,UAAM,WAAW,GAAG,OAAO;AAG3B,UAAM,eAAoB;AAAA,MACxB,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ,eAAe,MAAM;AAAA,QACrB,WAAW;AAAA,QACX,eAAe;AAAA,MACjB,CAAC;AAAA,IACH;AAGA,QAAI,QAAQ,IAAI,aAAa,gBAAgB,SAAS,WAAW,UAAU,GAAG;AAC5E,YAAM,QAAQ,MAAM,OAAO,OAAO;AAClC,mBAAa,QAAQ,IAAI,MAAM,MAAM;AAAA,QACnC,oBAAoB;AAAA,MACtB,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,MAAM,MAAM,UAAU,YAAY;AACnD,UAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH,aAAa,gBAAgB;AAAA,MAC7B,cAAc,gBAAgB,iBAAiB,MAAM;AAAA;AAAA,MAErD,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,gBAAgB,cAAc;AAAA;AAAA,MAE1E,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,mCAAmC,KAAK;AACtD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAAA,EACF;AACF;;;AE/LA,SAAsB,oBAAoB;AAC1C,SAAS,gBAAgB;AAiBlB,SAAS,gBAAgB,UAA8B,CAAC,GAAG;AAChE,SAAO,eAAe,WAAW,KAAkB;AACjD,UAAM,QAAQ,MAAM,SAAS;AAAA,MAC3B;AAAA,MACA,QAAQ,QAAQ,IAAI;AAAA,IACtB,CAAC;AAED,UAAM,WAAW,IAAI,QAAQ;AAG7B,QAAI,QAAQ,aAAa,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,GAAG;AAChE,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,kBAAkB,QAAQ,iBAC5B,QAAQ,eAAe,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,IAC7D;AAEJ,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,eAAe,CAAC,CAAC;AAErB,QAAI,QAAQ,WAAW,YAAY;AACjC,qBAAe,MAAM,QAAQ,UAAU,WAAW,EAAE,OAAO,IAAI,CAAC;AAAA,IAClE;AAEA,QAAI,CAAC,cAAc;AACjB,YAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,YAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,UAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAEA,WAAO,aAAa,KAAK;AAAA,EAC3B;AACF;AAKO,SAAS,uBACd,iBAA2B,CAAC,YAAY,GACxC,cAAwB,CAAC,SAAS,WAAW,GAC7C;AACA,SAAO;AAAA,IACL,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQP;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}

package/dist/server/index.d.mts

@@ -0,0 +1,5 @@
+export { C as CreateAuthOptions, e as OAuth42AuthOptions, O as OAuth42Provider, c as createAuth, j as createHandlers, d as createMiddlewareConfig, f as getOAuth42Session, g as getServerSession, r as refreshAccessToken, w as withOAuth42Auth, i as withOAuth42ServerSideProps, h as withOAuth42Session } from '../index-xJCMwWtK.mjs';
+export { default as NextAuth, NextAuthOptions } from 'next-auth';
+import 'next';
+import 'next-auth/providers/oauth';
+import 'next/server';

package/dist/server/index.d.ts

@@ -0,0 +1,5 @@
+export { C as CreateAuthOptions, e as OAuth42AuthOptions, O as OAuth42Provider, c as createAuth, j as createHandlers, d as createMiddlewareConfig, f as getOAuth42Session, g as getServerSession, r as refreshAccessToken, w as withOAuth42Auth, i as withOAuth42ServerSideProps, h as withOAuth42Session } from '../index-xJCMwWtK.js';
+export { default as NextAuth, NextAuthOptions } from 'next-auth';
+import 'next';
+import 'next-auth/providers/oauth';
+import 'next/server';

package/dist/server/index.js

@@ -0,0 +1,316 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  NextAuth: () => import_next_auth3.default,
+  OAuth42Provider: () => OAuth42Provider,
+  createAuth: () => createAuth,
+  createHandlers: () => createHandlers,
+  createMiddlewareConfig: () => createMiddlewareConfig,
+  getOAuth42Session: () => getOAuth42Session,
+  getServerSession: () => getServerSession,
+  refreshAccessToken: () => refreshAccessToken,
+  withOAuth42Auth: () => withOAuth42Auth,
+  withOAuth42ServerSideProps: () => withOAuth42ServerSideProps,
+  withOAuth42Session: () => withOAuth42Session
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/server/auth.ts
+var import_next_auth2 = __toESM(require("next-auth"));
+
+// src/provider.ts
+function OAuth42Provider(options) {
+  const issuer = options.issuer || process.env.OAUTH42_ISSUER || "https://oauth42.com";
+  const baseUrl = issuer.replace(/\/$/, "");
+  return {
+    id: "oauth42",
+    name: "OAuth42",
+    type: "oauth",
+    version: "2.0",
+    // Use OIDC discovery to automatically find endpoints
+    wellKnown: `${baseUrl}/.well-known/openid-configuration`,
+    // Also set individual endpoints for compatibility
+    authorization: {
+      url: `${baseUrl}/oauth2/authorize`,
+      params: {
+        scope: (options.scopes || ["openid", "profile", "email"]).join(" "),
+        response_type: "code"
+      }
+    },
+    token: `${baseUrl}/oauth2/token`,
+    userinfo: `${baseUrl}/oauth2/userinfo`,
+    client: {
+      id: options.clientId,
+      secret: options.clientSecret,
+      token_endpoint_auth_method: "client_secret_post",
+      id_token_signed_response_alg: "HS256"
+      // OAuth42 uses HS256 for ID tokens
+    },
+    issuer: baseUrl,
+    checks: options.pkceEnabled !== false ? ["pkce", "state"] : ["state"],
+    profile(profile, tokens) {
+      return {
+        id: profile.sub || profile.id || profile.email,
+        email: profile.email,
+        emailVerified: profile.email_verified ? /* @__PURE__ */ new Date() : null,
+        name: profile.name || `${profile.given_name || ""} ${profile.family_name || ""}`.trim(),
+        image: profile.picture
+      };
+    },
+    style: {
+      logo: "/oauth42-logo.svg",
+      bg: "#1e40af",
+      text: "#ffffff"
+    },
+    options
+  };
+}
+
+// src/server/session.ts
+var import_next_auth = require("next-auth");
+async function getOAuth42Session(...args) {
+  return (0, import_next_auth.getServerSession)(...args);
+}
+function withOAuth42Session(handler, authOptions) {
+  return async (req, res) => {
+    const session = await getOAuth42Session(req, res, authOptions);
+    if (!session) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    return handler(req, res, session);
+  };
+}
+function withOAuth42ServerSideProps(getServerSideProps, authOptions) {
+  return async (context) => {
+    const session = await getOAuth42Session(
+      context.req,
+      context.res,
+      authOptions
+    );
+    if (!session) {
+      return {
+        redirect: {
+          destination: "/auth/signin",
+          permanent: false
+        }
+      };
+    }
+    return getServerSideProps(context, session);
+  };
+}
+
+// src/server/auth.ts
+var NextAuth = import_next_auth2.default.default || import_next_auth2.default;
+function createAuth(options = {}) {
+  const clientId = options.clientId || process.env.OAUTH42_CLIENT_ID;
+  const clientSecret = options.clientSecret || process.env.OAUTH42_CLIENT_SECRET;
+  if (!clientId || !clientSecret) {
+    throw new Error(
+      "OAuth42 client credentials are required. Set OAUTH42_CLIENT_ID and OAUTH42_CLIENT_SECRET environment variables or pass them in the options."
+    );
+  }
+  const authOptions = {
+    providers: [
+      OAuth42Provider({
+        clientId,
+        clientSecret,
+        issuer: options.issuer,
+        scopes: options.scopes,
+        pkceEnabled: options.pkceEnabled
+      })
+    ],
+    callbacks: {
+      async jwt({ token, account, profile }) {
+        if (account) {
+          token.accessToken = account.access_token;
+          token.refreshToken = account.refresh_token;
+          token.expiresAt = account.expires_at;
+          token.idToken = account.id_token;
+        }
+        if (profile) {
+          const oauth42Profile = profile;
+          token.email = oauth42Profile.email;
+          token.username = oauth42Profile.username;
+          token.emailVerified = oauth42Profile.email_verified;
+        }
+        if (options.callbacks?.jwt) {
+          return options.callbacks.jwt({ token, account, profile });
+        }
+        return token;
+      },
+      async session({ session, token }) {
+        session.accessToken = token.accessToken;
+        session.idToken = token.idToken;
+        if (session.user) {
+          session.user.email = token.email;
+          session.user.username = token.username;
+          session.user.emailVerified = token.emailVerified;
+        }
+        if (options.callbacks?.session) {
+          return options.callbacks.session({ session, token });
+        }
+        return session;
+      },
+      ...options.callbacks
+    },
+    pages: {
+      signIn: "/auth/signin",
+      signOut: "/auth/signout",
+      error: "/auth/error",
+      ...options.pages
+    },
+    session: {
+      strategy: "jwt",
+      ...options.session
+    },
+    debug: options.debug || process.env.NODE_ENV === "development",
+    secret: process.env.NEXTAUTH_SECRET
+  };
+  return {
+    auth: authOptions,
+    handlers: NextAuth(authOptions)
+  };
+}
+function createHandlers(authOptions) {
+  const handler = NextAuth(authOptions);
+  return { GET: handler, POST: handler };
+}
+var getServerSession = getOAuth42Session;
+async function refreshAccessToken(token, clientId, clientSecret, issuer) {
+  try {
+    const baseUrl = issuer || process.env.OAUTH42_ISSUER || "https://oauth42.com";
+    const tokenUrl = `${baseUrl}/oauth2/token`;
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret
+      })
+    };
+    if (process.env.NODE_ENV !== "production" && tokenUrl.startsWith("https://")) {
+      const https = await import("https");
+      fetchOptions.agent = new https.Agent({
+        rejectUnauthorized: false
+      });
+    }
+    const response = await fetch(tokenUrl, fetchOptions);
+    const refreshedTokens = await response.json();
+    if (!response.ok) {
+      throw refreshedTokens;
+    }
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken,
+      // Store expiration time in seconds (Unix timestamp)
+      expiresAt: Math.floor(Date.now() / 1e3) + (refreshedTokens.expires_in || 3600),
+      // Explicitly remove any error property on successful refresh
+      error: void 0
+    };
+  } catch (error) {
+    console.error("Failed to refresh access token:", error);
+    return {
+      ...token,
+      error: "RefreshAccessTokenError"
+    };
+  }
+}
+
+// src/server/index.ts
+var import_next_auth3 = __toESM(require("next-auth"));
+
+// src/server/middleware.ts
+var import_server = require("next/server");
+var import_jwt = require("next-auth/jwt");
+function withOAuth42Auth(options = {}) {
+  return async function middleware(req) {
+    const token = await (0, import_jwt.getToken)({
+      req,
+      secret: process.env.NEXTAUTH_SECRET
+    });
+    const pathname = req.nextUrl.pathname;
+    if (options.publicPaths?.some((path) => pathname.startsWith(path))) {
+      return import_server.NextResponse.next();
+    }
+    const needsProtection = options.protectedPaths ? options.protectedPaths.some((path) => pathname.startsWith(path)) : true;
+    if (!needsProtection) {
+      return import_server.NextResponse.next();
+    }
+    let isAuthorized = !!token;
+    if (options.callbacks?.authorized) {
+      isAuthorized = await options.callbacks.authorized({ token, req });
+    }
+    if (!isAuthorized) {
+      const signInUrl = options.pages?.signIn || "/auth/signin";
+      const url = new URL(signInUrl, req.url);
+      url.searchParams.set("callbackUrl", pathname);
+      return import_server.NextResponse.redirect(url);
+    }
+    return import_server.NextResponse.next();
+  };
+}
+function createMiddlewareConfig(protectedPaths = ["/protected"], publicPaths = ["/auth", "/api/auth"]) {
+  return {
+    matcher: [
+      /*
+       * Match all request paths except for the ones starting with:
+       * - _next/static (static files)
+       * - _next/image (image optimization files)
+       * - favicon.ico (favicon file)
+       * - public folder
+       */
+      "/((?!_next/static|_next/image|favicon.ico|public).*)"
+    ],
+    protectedPaths,
+    publicPaths
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  NextAuth,
+  OAuth42Provider,
+  createAuth,
+  createHandlers,
+  createMiddlewareConfig,
+  getOAuth42Session,
+  getServerSession,
+  refreshAccessToken,
+  withOAuth42Auth,
+  withOAuth42ServerSideProps,
+  withOAuth42Session
+});
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server/index.ts","../../src/server/auth.ts","../../src/provider.ts","../../src/server/session.ts","../../src/server/middleware.ts"],"sourcesContent":["// Server-side exports\nexport { createAuth, createHandlers, getServerSession, refreshAccessToken } from './auth';\nexport type { CreateAuthOptions, NextAuthOptions } from './auth';\n\n// Re-export NextAuth from next-auth\nexport { default as NextAuth } from 'next-auth';\n\n// Re-export OAuth42Provider\nexport { OAuth42Provider } from '../provider';\n\nexport { withOAuth42Auth, createMiddlewareConfig } from './middleware';\nexport type { OAuth42AuthOptions } from './middleware';\n\nexport { getOAuth42Session, withOAuth42Session, withOAuth42ServerSideProps } from './session';","import NextAuthDefault from 'next-auth';\nimport type { NextAuthOptions } from 'next-auth';\nimport { OAuth42Provider, OAuth42Profile } from '../provider';\nimport { getOAuth42Session } from './session';\n\n// Handle both CommonJS and ESM exports\nconst NextAuth = (NextAuthDefault as any).default || NextAuthDefault;\n\nexport { type NextAuthOptions };\n\nexport interface CreateAuthOptions {\n  clientId?: string;\n  clientSecret?: string;\n  issuer?: string;\n  scopes?: string[];\n  pkceEnabled?: boolean;\n  debug?: boolean;\n  callbacks?: NextAuthOptions['callbacks'];\n  pages?: NextAuthOptions['pages'];\n  session?: NextAuthOptions['session'];\n}\n\n/**\n * Create a pre-configured NextAuth instance for OAuth42\n * This provides a simplified setup with sensible defaults\n */\nexport function createAuth(options: CreateAuthOptions = {}) {\n  const clientId = options.clientId || process.env.OAUTH42_CLIENT_ID;\n  const clientSecret = options.clientSecret || process.env.OAUTH42_CLIENT_SECRET;\n  \n  if (!clientId || !clientSecret) {\n    throw new Error(\n      'OAuth42 client credentials are required. ' +\n      'Set OAUTH42_CLIENT_ID and OAUTH42_CLIENT_SECRET environment variables ' +\n      'or pass them in the options.'\n    );\n  }\n  \n  const authOptions: NextAuthOptions = {\n    providers: [\n      OAuth42Provider({\n        clientId,\n        clientSecret,\n        issuer: options.issuer,\n        scopes: options.scopes,\n        pkceEnabled: options.pkceEnabled,\n      }),\n    ],\n    \n    callbacks: {\n      async jwt({ token, account, profile }) {\n        // Store OAuth tokens in the JWT\n        if (account) {\n          token.accessToken = account.access_token;\n          token.refreshToken = account.refresh_token;\n          token.expiresAt = account.expires_at;\n          token.idToken = account.id_token;\n        }\n        \n        // Add user profile data\n        if (profile) {\n          const oauth42Profile = profile as OAuth42Profile;\n          token.email = oauth42Profile.email;\n          token.username = oauth42Profile.username;\n          token.emailVerified = oauth42Profile.email_verified;\n        }\n        \n        // Call custom callback if provided\n        if (options.callbacks?.jwt) {\n          return options.callbacks.jwt({ token, account, profile } as any);\n        }\n        \n        return token;\n      },\n      \n      async session({ session, token }) {\n        // Add OAuth42-specific data to session\n        session.accessToken = token.accessToken as string;\n        session.idToken = token.idToken as string;\n        \n        if (session.user) {\n          session.user.email = token.email as string;\n          session.user.username = token.username as string;\n          session.user.emailVerified = token.emailVerified as boolean;\n        }\n        \n        // Call custom callback if provided\n        if (options.callbacks?.session) {\n          return options.callbacks.session({ session, token } as any);\n        }\n        \n        return session;\n      },\n      \n      ...options.callbacks,\n    },\n    \n    pages: {\n      signIn: '/auth/signin',\n      signOut: '/auth/signout',\n      error: '/auth/error',\n      ...options.pages,\n    },\n    \n    session: {\n      strategy: 'jwt',\n      ...options.session,\n    },\n    \n    debug: options.debug || process.env.NODE_ENV === 'development',\n    \n    secret: process.env.NEXTAUTH_SECRET,\n  };\n  \n  // Return the configuration and a function to create handlers\n  return {\n    auth: authOptions,\n    handlers: NextAuth(authOptions),\n  };\n}\n\n/**\n * Create NextAuth handlers for API routes\n */\nexport function createHandlers(authOptions: NextAuthOptions) {\n  const handler = NextAuth(authOptions);\n  return { GET: handler, POST: handler };\n}\n\n/**\n * Helper to get the current session server-side\n * @deprecated Use getOAuth42Session instead - this is now just an alias for backward compatibility\n * \n * This function is maintained for backward compatibility but internally\n * calls getOAuth42Session which properly handles both App Router and Pages Router\n */\nexport const getServerSession = getOAuth42Session;\n\n/**\n * Token refresh helper\n */\nexport async function refreshAccessToken(token: any, clientId: string, clientSecret: string, issuer?: string) {\n  try {\n    const baseUrl = issuer || process.env.OAUTH42_ISSUER || 'https://oauth42.com';\n    const tokenUrl = `${baseUrl}/oauth2/token`;\n    \n    // In development, we need to handle self-signed certificates\n    const fetchOptions: any = {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: token.refreshToken,\n        client_id: clientId,\n        client_secret: clientSecret,\n      }),\n    };\n    \n    // Add agent for self-signed certificates in development\n    if (process.env.NODE_ENV !== 'production' && tokenUrl.startsWith('https://')) {\n      const https = await import('https');\n      fetchOptions.agent = new https.Agent({\n        rejectUnauthorized: false\n      });\n    }\n    \n    const response = await fetch(tokenUrl, fetchOptions);\n    const refreshedTokens = await response.json();\n    \n    if (!response.ok) {\n      throw refreshedTokens;\n    }\n    \n    return {\n      ...token,\n      accessToken: refreshedTokens.access_token,\n      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken,\n      // Store expiration time in seconds (Unix timestamp)\n      expiresAt: Math.floor(Date.now() / 1000) + (refreshedTokens.expires_in || 3600),\n      // Explicitly remove any error property on successful refresh\n      error: undefined,\n    };\n  } catch (error) {\n    console.error('Failed to refresh access token:', error);\n    return {\n      ...token,\n      error: 'RefreshAccessTokenError',\n    };\n  }\n}","import type { OAuthConfig, OAuthUserConfig } from 'next-auth/providers/oauth';\n\nexport interface OAuth42Profile {\n  sub: string;\n  email: string;\n  email_verified?: boolean;\n  name?: string;\n  given_name?: string;\n  family_name?: string;\n  picture?: string;\n  username?: string;\n  id?: string;\n}\n\nexport interface OAuth42ProviderOptions {\n  clientId: string;\n  clientSecret: string;\n  issuer?: string;\n  authorizationUrl?: string;\n  tokenUrl?: string;\n  userinfoUrl?: string;\n  scopes?: string[];\n  pkceEnabled?: boolean;\n}\n\nexport function OAuth42Provider<P extends OAuth42Profile>(\n  options: OAuthUserConfig<P> & Partial<OAuth42ProviderOptions>\n): OAuthConfig<P> {\n  const issuer = options.issuer || process.env.OAUTH42_ISSUER || 'https://oauth42.com';\n  const baseUrl = issuer.replace(/\\/$/, '');\n  \n  return {\n    id: 'oauth42',\n    name: 'OAuth42',\n    type: 'oauth',\n    version: '2.0',\n    \n    // Use OIDC discovery to automatically find endpoints\n    wellKnown: `${baseUrl}/.well-known/openid-configuration`,\n    \n    // Also set individual endpoints for compatibility\n    authorization: {\n      url: `${baseUrl}/oauth2/authorize`,\n      params: {\n        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),\n        response_type: 'code',\n      },\n    },\n    token: `${baseUrl}/oauth2/token`,\n    userinfo: `${baseUrl}/oauth2/userinfo`,\n    \n    client: {\n      id: options.clientId,\n      secret: options.clientSecret,\n      token_endpoint_auth_method: 'client_secret_post',\n      id_token_signed_response_alg: 'HS256', // OAuth42 uses HS256 for ID tokens\n    },\n    \n    issuer: baseUrl,\n    \n    checks: options.pkceEnabled !== false ? ['pkce', 'state'] : ['state'],\n    \n    profile(profile: OAuth42Profile, tokens: any) {\n      return {\n        id: profile.sub || profile.id || profile.email,\n        email: profile.email,\n        emailVerified: profile.email_verified ? new Date() : null,\n        name: profile.name || `${profile.given_name || ''} ${profile.family_name || ''}`.trim(),\n        image: profile.picture,\n      };\n    },\n    \n    style: {\n      logo: '/oauth42-logo.svg',\n      bg: '#1e40af',\n      text: '#ffffff',\n    },\n    \n    options,\n  };\n}","import { getServerSession as getNextAuthSession } from 'next-auth';\nimport { NextAuthOptions } from 'next-auth';\nimport { GetServerSidePropsContext, NextApiRequest, NextApiResponse } from 'next';\n\n/**\n * Get the OAuth42 session server-side\n * \n * This is the primary method for retrieving sessions in OAuth42 SDK.\n * Supports both Pages Router and App Router:\n * \n * App Router:\n * ```ts\n * const session = await getOAuth42Session(authOptions);\n * ```\n * \n * Pages Router:\n * ```ts\n * const session = await getOAuth42Session(req, res, authOptions);\n * ```\n */\nexport async function getOAuth42Session(\n  ...args: \n    | [GetServerSidePropsContext['req'], GetServerSidePropsContext['res'], NextAuthOptions]\n    | [NextApiRequest, NextApiResponse, NextAuthOptions]\n    | [NextAuthOptions]\n) {\n  return getNextAuthSession(...args as any);\n}\n\n/**\n * Helper for protecting API routes\n */\nexport function withOAuth42Session(\n  handler: (req: NextApiRequest, res: NextApiResponse, session: any) => Promise<void> | void,\n  authOptions: NextAuthOptions\n) {\n  return async (req: NextApiRequest, res: NextApiResponse) => {\n    const session = await getOAuth42Session(req, res, authOptions);\n    \n    if (!session) {\n      return res.status(401).json({ error: 'Unauthorized' });\n    }\n    \n    return handler(req, res, session);\n  };\n}\n\n/**\n * Helper for protecting server-side props\n */\nexport function withOAuth42ServerSideProps(\n  getServerSideProps: (\n    context: GetServerSidePropsContext,\n    session: any\n  ) => Promise<any>,\n  authOptions: NextAuthOptions\n) {\n  return async (context: GetServerSidePropsContext) => {\n    const session = await getOAuth42Session(\n      context.req,\n      context.res,\n      authOptions\n    );\n    \n    if (!session) {\n      return {\n        redirect: {\n          destination: '/auth/signin',\n          permanent: false,\n        },\n      };\n    }\n    \n    return getServerSideProps(context, session);\n  };\n}","import { NextRequest, NextResponse } from 'next/server';\nimport { getToken } from 'next-auth/jwt';\n\nexport interface OAuth42AuthOptions {\n  pages?: {\n    signIn?: string;\n    error?: string;\n  };\n  callbacks?: {\n    authorized?: (params: { token: any; req: NextRequest }) => boolean | Promise<boolean>;\n  };\n  protectedPaths?: string[];\n  publicPaths?: string[];\n}\n\n/**\n * Middleware helper for protecting routes with OAuth42\n */\nexport function withOAuth42Auth(options: OAuth42AuthOptions = {}) {\n  return async function middleware(req: NextRequest) {\n    const token = await getToken({ \n      req: req as any, \n      secret: process.env.NEXTAUTH_SECRET \n    });\n    \n    const pathname = req.nextUrl.pathname;\n    \n    // Check if path is explicitly public\n    if (options.publicPaths?.some(path => pathname.startsWith(path))) {\n      return NextResponse.next();\n    }\n    \n    // Check if path needs protection\n    const needsProtection = options.protectedPaths\n      ? options.protectedPaths.some(path => pathname.startsWith(path))\n      : true; // Default to protecting all paths\n    \n    if (!needsProtection) {\n      return NextResponse.next();\n    }\n    \n    // Check authorization\n    let isAuthorized = !!token;\n    \n    if (options.callbacks?.authorized) {\n      isAuthorized = await options.callbacks.authorized({ token, req });\n    }\n    \n    if (!isAuthorized) {\n      const signInUrl = options.pages?.signIn || '/auth/signin';\n      const url = new URL(signInUrl, req.url);\n      url.searchParams.set('callbackUrl', pathname);\n      return NextResponse.redirect(url);\n    }\n    \n    return NextResponse.next();\n  };\n}\n\n/**\n * Helper to create middleware configuration\n */\nexport function createMiddlewareConfig(\n  protectedPaths: string[] = ['/protected'],\n  publicPaths: string[] = ['/auth', '/api/auth']\n) {\n  return {\n    matcher: [\n      /*\n       * Match all request paths except for the ones starting with:\n       * - _next/static (static files)\n       * - _next/image (image optimization files)\n       * - favicon.ico (favicon file)\n       * - public folder\n       */\n      '/((?!_next/static|_next/image|favicon.ico|public).*)',\n    ],\n    protectedPaths,\n    publicPaths,\n  };\n}"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,oBAA4B;;;ACyBrB,SAAS,gBACd,SACgB;AAChB,QAAM,SAAS,QAAQ,UAAU,QAAQ,IAAI,kBAAkB;AAC/D,QAAM,UAAU,OAAO,QAAQ,OAAO,EAAE;AAExC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,MAAM;AAAA,IACN,SAAS;AAAA;AAAA,IAGT,WAAW,GAAG,OAAO;AAAA;AAAA,IAGrB,eAAe;AAAA,MACb,KAAK,GAAG,OAAO;AAAA,MACf,QAAQ;AAAA,QACN,QAAQ,QAAQ,UAAU,CAAC,UAAU,WAAW,OAAO,GAAG,KAAK,GAAG;AAAA,QAClE,eAAe;AAAA,MACjB;AAAA,IACF;AAAA,IACA,OAAO,GAAG,OAAO;AAAA,IACjB,UAAU,GAAG,OAAO;AAAA,IAEpB,QAAQ;AAAA,MACN,IAAI,QAAQ;AAAA,MACZ,QAAQ,QAAQ;AAAA,MAChB,4BAA4B;AAAA,MAC5B,8BAA8B;AAAA;AAAA,IAChC;AAAA,IAEA,QAAQ;AAAA,IAER,QAAQ,QAAQ,gBAAgB,QAAQ,CAAC,QAAQ,OAAO,IAAI,CAAC,OAAO;AAAA,IAEpE,QAAQ,SAAyB,QAAa;AAC5C,aAAO;AAAA,QACL,IAAI,QAAQ,OAAO,QAAQ,MAAM,QAAQ;AAAA,QACzC,OAAO,QAAQ;AAAA,QACf,eAAe,QAAQ,iBAAiB,oBAAI,KAAK,IAAI;AAAA,QACrD,MAAM,QAAQ,QAAQ,GAAG,QAAQ,cAAc,EAAE,IAAI,QAAQ,eAAe,EAAE,GAAG,KAAK;AAAA,QACtF,OAAO,QAAQ;AAAA,MACjB;AAAA,IACF;AAAA,IAEA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,IAEA;AAAA,EACF;AACF;;;AChFA,uBAAuD;AAoBvD,eAAsB,qBACjB,MAIH;AACA,aAAO,iBAAAC,kBAAmB,GAAG,IAAW;AAC1C;AAKO,SAAS,mBACd,SACA,aACA;AACA,SAAO,OAAO,KAAqB,QAAyB;AAC1D,UAAM,UAAU,MAAM,kBAAkB,KAAK,KAAK,WAAW;AAE7D,QAAI,CAAC,SAAS;AACZ,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,eAAe,CAAC;AAAA,IACvD;AAEA,WAAO,QAAQ,KAAK,KAAK,OAAO;AAAA,EAClC;AACF;AAKO,SAAS,2BACd,oBAIA,aACA;AACA,SAAO,OAAO,YAAuC;AACnD,UAAM,UAAU,MAAM;AAAA,MACpB,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL,UAAU;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,IACF;AAEA,WAAO,mBAAmB,SAAS,OAAO;AAAA,EAC5C;AACF;;;AFrEA,IAAM,WAAY,kBAAAC,QAAwB,WAAW,kBAAAA;AAoB9C,SAAS,WAAW,UAA6B,CAAC,GAAG;AAC1D,QAAM,WAAW,QAAQ,YAAY,QAAQ,IAAI;AACjD,QAAM,eAAe,QAAQ,gBAAgB,QAAQ,IAAI;AAEzD,MAAI,CAAC,YAAY,CAAC,cAAc;AAC9B,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,QAAM,cAA+B;AAAA,IACnC,WAAW;AAAA,MACT,gBAAgB;AAAA,QACd;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,QAChB,QAAQ,QAAQ;AAAA,QAChB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH;AAAA,IAEA,WAAW;AAAA,MACT,MAAM,IAAI,EAAE,OAAO,SAAS,QAAQ,GAAG;AAErC,YAAI,SAAS;AACX,gBAAM,cAAc,QAAQ;AAC5B,gBAAM,eAAe,QAAQ;AAC7B,gBAAM,YAAY,QAAQ;AAC1B,gBAAM,UAAU,QAAQ;AAAA,QAC1B;AAGA,YAAI,SAAS;AACX,gBAAM,iBAAiB;AACvB,gBAAM,QAAQ,eAAe;AAC7B,gBAAM,WAAW,eAAe;AAChC,gBAAM,gBAAgB,eAAe;AAAA,QACvC;AAGA,YAAI,QAAQ,WAAW,KAAK;AAC1B,iBAAO,QAAQ,UAAU,IAAI,EAAE,OAAO,SAAS,QAAQ,CAAQ;AAAA,QACjE;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,QAAQ,EAAE,SAAS,MAAM,GAAG;AAEhC,gBAAQ,cAAc,MAAM;AAC5B,gBAAQ,UAAU,MAAM;AAExB,YAAI,QAAQ,MAAM;AAChB,kBAAQ,KAAK,QAAQ,MAAM;AAC3B,kBAAQ,KAAK,WAAW,MAAM;AAC9B,kBAAQ,KAAK,gBAAgB,MAAM;AAAA,QACrC;AAGA,YAAI,QAAQ,WAAW,SAAS;AAC9B,iBAAO,QAAQ,UAAU,QAAQ,EAAE,SAAS,MAAM,CAAQ;AAAA,QAC5D;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,OAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,OAAO;AAAA,MACP,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,SAAS;AAAA,MACP,UAAU;AAAA,MACV,GAAG,QAAQ;AAAA,IACb;AAAA,IAEA,OAAO,QAAQ,SAAS,QAAQ,IAAI,aAAa;AAAA,IAEjD,QAAQ,QAAQ,IAAI;AAAA,EACtB;AAGA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU,SAAS,WAAW;AAAA,EAChC;AACF;AAKO,SAAS,eAAe,aAA8B;AAC3D,QAAM,UAAU,SAAS,WAAW;AACpC,SAAO,EAAE,KAAK,SAAS,MAAM,QAAQ;AACvC;AASO,IAAM,mBAAmB;AAKhC,eAAsB,mBAAmB,OAAY,UAAkB,cAAsB,QAAiB;AAC5G,MAAI;AACF,UAAM,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AACxD,UAAM,WAAW,GAAG,OAAO;AAG3B,UAAM,eAAoB;AAAA,MACxB,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ,eAAe,MAAM;AAAA,QACrB,WAAW;AAAA,QACX,eAAe;AAAA,MACjB,CAAC;AAAA,IACH;AAGA,QAAI,QAAQ,IAAI,aAAa,gBAAgB,SAAS,WAAW,UAAU,GAAG;AAC5E,YAAM,QAAQ,MAAM,OAAO,OAAO;AAClC,mBAAa,QAAQ,IAAI,MAAM,MAAM;AAAA,QACnC,oBAAoB;AAAA,MACtB,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,MAAM,MAAM,UAAU,YAAY;AACnD,UAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,MACL,GAAG;AAAA,MACH,aAAa,gBAAgB;AAAA,MAC7B,cAAc,gBAAgB,iBAAiB,MAAM;AAAA;AAAA,MAErD,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,gBAAgB,cAAc;AAAA;AAAA,MAE1E,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,mCAAmC,KAAK;AACtD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAAA,EACF;AACF;;;AD1LA,IAAAC,oBAAoC;;;AILpC,oBAA0C;AAC1C,iBAAyB;AAiBlB,SAAS,gBAAgB,UAA8B,CAAC,GAAG;AAChE,SAAO,eAAe,WAAW,KAAkB;AACjD,UAAM,QAAQ,UAAM,qBAAS;AAAA,MAC3B;AAAA,MACA,QAAQ,QAAQ,IAAI;AAAA,IACtB,CAAC;AAED,UAAM,WAAW,IAAI,QAAQ;AAG7B,QAAI,QAAQ,aAAa,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,GAAG;AAChE,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,kBAAkB,QAAQ,iBAC5B,QAAQ,eAAe,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,IAC7D;AAEJ,QAAI,CAAC,iBAAiB;AACpB,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,eAAe,CAAC,CAAC;AAErB,QAAI,QAAQ,WAAW,YAAY;AACjC,qBAAe,MAAM,QAAQ,UAAU,WAAW,EAAE,OAAO,IAAI,CAAC;AAAA,IAClE;AAEA,QAAI,CAAC,cAAc;AACjB,YAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,YAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,UAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAEA,WAAO,2BAAa,KAAK;AAAA,EAC3B;AACF;AAKO,SAAS,uBACd,iBAA2B,CAAC,YAAY,GACxC,cAAwB,CAAC,SAAS,WAAW,GAC7C;AACA,SAAO;AAAA,IACL,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQP;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":["import_next_auth","getNextAuthSession","NextAuthDefault","import_next_auth"]}