@oauth42/next 0.2.5 → 0.2.7

package/dist/middleware/index.js

@@ -0,0 +1,172 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/middleware/index.ts
+var middleware_exports = {};
+__export(middleware_exports, {
+  createMiddlewareConfig: () => createMiddlewareConfig,
+  withOAuth42Auth: () => withOAuth42Auth
+});
+module.exports = __toCommonJS(middleware_exports);
+
+// src/server/middleware.ts
+var import_server = require("next/server");
+var import_jwt = require("next-auth/jwt");
+async function refreshTokens(refreshToken, clientId, clientSecret, issuer) {
+  try {
+    const tokenUrl = `${issuer}/oauth2/token`;
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      console.error("[OAuth42 Middleware] Token refresh failed:", data);
+      return { success: false, error: data.error || "refresh_failed" };
+    }
+    console.log("[OAuth42 Middleware] Token refreshed successfully");
+    return {
+      success: true,
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresAt: Math.floor(Date.now() / 1e3) + (data.expires_in || 3600)
+    };
+  } catch (error) {
+    console.error("[OAuth42 Middleware] Token refresh error:", error);
+    return { success: false, error: "refresh_error" };
+  }
+}
+function withOAuth42Auth(options = {}) {
+  const secret = process.env.NEXTAUTH_SECRET;
+  const clientId = process.env.OAUTH42_CLIENT_ID;
+  const clientSecret = process.env.OAUTH42_CLIENT_SECRET;
+  const issuer = process.env.OAUTH42_ISSUER || "https://localhost:8443";
+  if (!secret) {
+    console.warn("[OAuth42 Middleware] NEXTAUTH_SECRET not set");
+  }
+  return async function middleware(req) {
+    const cookieName = options.cookiePrefix ? `${options.cookiePrefix}.session-token` : "next-auth.session-token";
+    const token = await (0, import_jwt.getToken)({
+      req,
+      secret,
+      cookieName
+    });
+    const pathname = req.nextUrl.pathname;
+    if (options.publicPaths?.some((path) => pathname.startsWith(path))) {
+      return import_server.NextResponse.next();
+    }
+    const needsProtection = options.protectedPaths ? options.protectedPaths.some((path) => pathname.startsWith(path)) : true;
+    if (!needsProtection) {
+      return import_server.NextResponse.next();
+    }
+    if (!token) {
+      const signInUrl = options.pages?.signIn || "/auth/signin";
+      const url = new URL(signInUrl, req.url);
+      url.searchParams.set("callbackUrl", pathname);
+      return import_server.NextResponse.redirect(url);
+    }
+    const expiresAt = token.expiresAt;
+    const now = Math.floor(Date.now() / 1e3);
+    const bufferSeconds = 60;
+    const needsRefresh = expiresAt && now >= expiresAt - bufferSeconds;
+    if (needsRefresh && token.refreshToken && clientId && clientSecret) {
+      console.log("[OAuth42 Middleware] Access token expired, refreshing...");
+      const refreshed = await refreshTokens(
+        token.refreshToken,
+        clientId,
+        clientSecret,
+        issuer
+      );
+      if (refreshed.success && refreshed.accessToken && refreshed.refreshToken) {
+        const updatedToken = {
+          ...token,
+          accessToken: refreshed.accessToken,
+          refreshToken: refreshed.refreshToken,
+          expiresAt: refreshed.expiresAt
+        };
+        const newJwt = await (0, import_jwt.encode)({
+          token: updatedToken,
+          secret
+        });
+        const requestHeaders = new Headers(req.headers);
+        requestHeaders.set("x-oauth42-refreshed-token", refreshed.accessToken);
+        const response = import_server.NextResponse.next({
+          request: {
+            headers: requestHeaders
+          }
+        });
+        response.cookies.set(cookieName, newJwt, {
+          httpOnly: true,
+          sameSite: "lax",
+          path: "/",
+          secure: process.env.NODE_ENV === "production"
+        });
+        console.log("[OAuth42 Middleware] Cookie updated with refreshed tokens, header set for current request");
+        return response;
+      } else {
+        console.error("[OAuth42 Middleware] Refresh failed, redirecting to sign in");
+        const signInUrl = options.pages?.signIn || "/auth/signin";
+        const url = new URL(signInUrl, req.url);
+        url.searchParams.set("callbackUrl", pathname);
+        url.searchParams.set("error", "RefreshAccessTokenError");
+        return import_server.NextResponse.redirect(url);
+      }
+    }
+    if (options.callbacks?.authorized) {
+      const isAuthorized = await options.callbacks.authorized({ token, req });
+      if (!isAuthorized) {
+        const signInUrl = options.pages?.signIn || "/auth/signin";
+        const url = new URL(signInUrl, req.url);
+        url.searchParams.set("callbackUrl", pathname);
+        return import_server.NextResponse.redirect(url);
+      }
+    }
+    return import_server.NextResponse.next();
+  };
+}
+function createMiddlewareConfig(protectedPaths = ["/protected"], publicPaths = ["/auth", "/api/auth"]) {
+  return {
+    matcher: [
+      /*
+       * Match all request paths except for the ones starting with:
+       * - _next/static (static files)
+       * - _next/image (image optimization files)
+       * - favicon.ico (favicon file)
+       * - public folder
+       */
+      "/((?!_next/static|_next/image|favicon.ico|public).*)"
+    ],
+    protectedPaths,
+    publicPaths
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMiddlewareConfig,
+  withOAuth42Auth
+});
+//# sourceMappingURL=index.js.map

package/dist/middleware/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/middleware/index.ts","../../src/server/middleware.ts"],"sourcesContent":["// Edge-compatible middleware exports\n// This file is separate from server/index.ts to avoid pulling in Node.js modules\n\nexport { withOAuth42Auth, createMiddlewareConfig } from '../server/middleware';\nexport type { OAuth42AuthOptions } from '../server/middleware';\n","import { NextRequest, NextResponse } from 'next/server';\nimport { getToken, encode } from 'next-auth/jwt';\n\nexport interface OAuth42AuthOptions {\n  pages?: {\n    signIn?: string;\n    error?: string;\n  };\n  callbacks?: {\n    authorized?: (params: { token: any; req: NextRequest }) => boolean | Promise<boolean>;\n  };\n  protectedPaths?: string[];\n  publicPaths?: string[];\n  /**\n   * Cookie prefix for custom cookie names. Must match the prefix used in createAuth().\n   * E.g., 'oauth42-portal' will look for cookie 'oauth42-portal.session-token'\n   */\n  cookiePrefix?: string;\n}\n\n/**\n * Refresh tokens by calling the OAuth42 backend directly\n */\nasync function refreshTokens(\n  refreshToken: string,\n  clientId: string,\n  clientSecret: string,\n  issuer: string\n): Promise<{ success: boolean; accessToken?: string; refreshToken?: string; expiresAt?: number; error?: string }> {\n  try {\n    const tokenUrl = `${issuer}/oauth2/token`;\n\n    const response = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: refreshToken,\n        client_id: clientId,\n        client_secret: clientSecret,\n      }),\n    });\n\n    const data = await response.json();\n\n    if (!response.ok) {\n      console.error('[OAuth42 Middleware] Token refresh failed:', data);\n      return { success: false, error: data.error || 'refresh_failed' };\n    }\n\n    console.log('[OAuth42 Middleware] Token refreshed successfully');\n    return {\n      success: true,\n      accessToken: data.access_token,\n      refreshToken: data.refresh_token,\n      expiresAt: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),\n    };\n  } catch (error) {\n    console.error('[OAuth42 Middleware] Token refresh error:', error);\n    return { success: false, error: 'refresh_error' };\n  }\n}\n\n/**\n * Middleware helper for protecting routes with OAuth42\n *\n * This middleware handles:\n * 1. Route protection (redirect to login if no session)\n * 2. Token refresh (refresh expired tokens and update cookie)\n */\nexport function withOAuth42Auth(options: OAuth42AuthOptions = {}) {\n  const secret = process.env.NEXTAUTH_SECRET;\n  const clientId = process.env.OAUTH42_CLIENT_ID;\n  const clientSecret = process.env.OAUTH42_CLIENT_SECRET;\n  const issuer = process.env.OAUTH42_ISSUER || 'https://localhost:8443';\n\n  if (!secret) {\n    console.warn('[OAuth42 Middleware] NEXTAUTH_SECRET not set');\n  }\n\n  return async function middleware(req: NextRequest) {\n    // Build cookie name - if prefix is provided, use custom name\n    const cookieName = options.cookiePrefix\n      ? `${options.cookiePrefix}.session-token`\n      : 'next-auth.session-token';\n\n    const token = await getToken({\n      req: req as any,\n      secret,\n      cookieName,\n    });\n\n    const pathname = req.nextUrl.pathname;\n\n    // Check if path is explicitly public\n    if (options.publicPaths?.some(path => pathname.startsWith(path))) {\n      return NextResponse.next();\n    }\n\n    // Check if path needs protection\n    const needsProtection = options.protectedPaths\n      ? options.protectedPaths.some(path => pathname.startsWith(path))\n      : true; // Default to protecting all paths\n\n    if (!needsProtection) {\n      return NextResponse.next();\n    }\n\n    // No token at all - redirect to sign in\n    if (!token) {\n      const signInUrl = options.pages?.signIn || '/auth/signin';\n      const url = new URL(signInUrl, req.url);\n      url.searchParams.set('callbackUrl', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if access token is expired or expiring soon (60 second buffer)\n    const expiresAt = token.expiresAt as number | undefined;\n    const now = Math.floor(Date.now() / 1000);\n    const bufferSeconds = 60;\n    const needsRefresh = expiresAt && now >= expiresAt - bufferSeconds;\n\n    if (needsRefresh && token.refreshToken && clientId && clientSecret) {\n      console.log('[OAuth42 Middleware] Access token expired, refreshing...');\n\n      const refreshed = await refreshTokens(\n        token.refreshToken as string,\n        clientId,\n        clientSecret,\n        issuer\n      );\n\n      if (refreshed.success && refreshed.accessToken && refreshed.refreshToken) {\n        // Update the token with new values\n        const updatedToken = {\n          ...token,\n          accessToken: refreshed.accessToken,\n          refreshToken: refreshed.refreshToken,\n          expiresAt: refreshed.expiresAt,\n        };\n\n        // Re-encode the JWT\n        const newJwt = await encode({\n          token: updatedToken,\n          secret: secret!,\n        });\n\n        // Create response with request headers that pass the new token to API routes\n        // This is necessary because API routes read from the request, not the response cookie\n        const requestHeaders = new Headers(req.headers);\n        requestHeaders.set('x-oauth42-refreshed-token', refreshed.accessToken);\n\n        const response = NextResponse.next({\n          request: {\n            headers: requestHeaders,\n          },\n        });\n\n        // Set cookie with same settings NextAuth uses (for future requests)\n        response.cookies.set(cookieName, newJwt, {\n          httpOnly: true,\n          sameSite: 'lax',\n          path: '/',\n          secure: process.env.NODE_ENV === 'production',\n        });\n\n        console.log('[OAuth42 Middleware] Cookie updated with refreshed tokens, header set for current request');\n        return response;\n      } else {\n        // Refresh failed - redirect to sign in\n        console.error('[OAuth42 Middleware] Refresh failed, redirecting to sign in');\n        const signInUrl = options.pages?.signIn || '/auth/signin';\n        const url = new URL(signInUrl, req.url);\n        url.searchParams.set('callbackUrl', pathname);\n        url.searchParams.set('error', 'RefreshAccessTokenError');\n        return NextResponse.redirect(url);\n      }\n    }\n\n    // Check custom authorization callback\n    if (options.callbacks?.authorized) {\n      const isAuthorized = await options.callbacks.authorized({ token, req });\n      if (!isAuthorized) {\n        const signInUrl = options.pages?.signIn || '/auth/signin';\n        const url = new URL(signInUrl, req.url);\n        url.searchParams.set('callbackUrl', pathname);\n        return NextResponse.redirect(url);\n      }\n    }\n\n    return NextResponse.next();\n  };\n}\n\n/**\n * Helper to create middleware configuration\n */\nexport function createMiddlewareConfig(\n  protectedPaths: string[] = ['/protected'],\n  publicPaths: string[] = ['/auth', '/api/auth']\n) {\n  return {\n    matcher: [\n      /*\n       * Match all request paths except for the ones starting with:\n       * - _next/static (static files)\n       * - _next/image (image optimization files)\n       * - favicon.ico (favicon file)\n       * - public folder\n       */\n      '/((?!_next/static|_next/image|favicon.ico|public).*)',\n    ],\n    protectedPaths,\n    publicPaths,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA0C;AAC1C,iBAAiC;AAsBjC,eAAe,cACb,cACA,UACA,cACA,QACgH;AAChH,MAAI;AACF,UAAM,WAAW,GAAG,MAAM;AAE1B,UAAM,WAAW,MAAM,MAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ,eAAe;AAAA,QACf,WAAW;AAAA,QACX,eAAe;AAAA,MACjB,CAAC;AAAA,IACH,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,CAAC,SAAS,IAAI;AAChB,cAAQ,MAAM,8CAA8C,IAAI;AAChE,aAAO,EAAE,SAAS,OAAO,OAAO,KAAK,SAAS,iBAAiB;AAAA,IACjE;AAEA,YAAQ,IAAI,mDAAmD;AAC/D,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,KAAK;AAAA,MAClB,cAAc,KAAK;AAAA,MACnB,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,KAAK,cAAc;AAAA,IACjE;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,6CAA6C,KAAK;AAChE,WAAO,EAAE,SAAS,OAAO,OAAO,gBAAgB;AAAA,EAClD;AACF;AASO,SAAS,gBAAgB,UAA8B,CAAC,GAAG;AAChE,QAAM,SAAS,QAAQ,IAAI;AAC3B,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,eAAe,QAAQ,IAAI;AACjC,QAAM,SAAS,QAAQ,IAAI,kBAAkB;AAE7C,MAAI,CAAC,QAAQ;AACX,YAAQ,KAAK,8CAA8C;AAAA,EAC7D;AAEA,SAAO,eAAe,WAAW,KAAkB;AAEjD,UAAM,aAAa,QAAQ,eACvB,GAAG,QAAQ,YAAY,mBACvB;AAEJ,UAAM,QAAQ,UAAM,qBAAS;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,WAAW,IAAI,QAAQ;AAG7B,QAAI,QAAQ,aAAa,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,GAAG;AAChE,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,kBAAkB,QAAQ,iBAC5B,QAAQ,eAAe,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,IAC7D;AAEJ,QAAI,CAAC,iBAAiB;AACpB,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,CAAC,OAAO;AACV,YAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,YAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,UAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,UAAM,YAAY,MAAM;AACxB,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,gBAAgB;AACtB,UAAM,eAAe,aAAa,OAAO,YAAY;AAErD,QAAI,gBAAgB,MAAM,gBAAgB,YAAY,cAAc;AAClE,cAAQ,IAAI,0DAA0D;AAEtE,YAAM,YAAY,MAAM;AAAA,QACtB,MAAM;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,UAAI,UAAU,WAAW,UAAU,eAAe,UAAU,cAAc;AAExE,cAAM,eAAe;AAAA,UACnB,GAAG;AAAA,UACH,aAAa,UAAU;AAAA,UACvB,cAAc,UAAU;AAAA,UACxB,WAAW,UAAU;AAAA,QACvB;AAGA,cAAM,SAAS,UAAM,mBAAO;AAAA,UAC1B,OAAO;AAAA,UACP;AAAA,QACF,CAAC;AAID,cAAM,iBAAiB,IAAI,QAAQ,IAAI,OAAO;AAC9C,uBAAe,IAAI,6BAA6B,UAAU,WAAW;AAErE,cAAM,WAAW,2BAAa,KAAK;AAAA,UACjC,SAAS;AAAA,YACP,SAAS;AAAA,UACX;AAAA,QACF,CAAC;AAGD,iBAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,UACvC,UAAU;AAAA,UACV,UAAU;AAAA,UACV,MAAM;AAAA,UACN,QAAQ,QAAQ,IAAI,aAAa;AAAA,QACnC,CAAC;AAED,gBAAQ,IAAI,2FAA2F;AACvG,eAAO;AAAA,MACT,OAAO;AAEL,gBAAQ,MAAM,6DAA6D;AAC3E,cAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,cAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,YAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,YAAI,aAAa,IAAI,SAAS,yBAAyB;AACvD,eAAO,2BAAa,SAAS,GAAG;AAAA,MAClC;AAAA,IACF;AAGA,QAAI,QAAQ,WAAW,YAAY;AACjC,YAAM,eAAe,MAAM,QAAQ,UAAU,WAAW,EAAE,OAAO,IAAI,CAAC;AACtE,UAAI,CAAC,cAAc;AACjB,cAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,cAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,YAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,eAAO,2BAAa,SAAS,GAAG;AAAA,MAClC;AAAA,IACF;AAEA,WAAO,2BAAa,KAAK;AAAA,EAC3B;AACF;AAKO,SAAS,uBACd,iBAA2B,CAAC,YAAY,GACxC,cAAwB,CAAC,SAAS,WAAW,GAC7C;AACA,SAAO;AAAA,IACL,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQP;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}

package/dist/middleware/index.mjs

@@ -0,0 +1,144 @@
+// src/server/middleware.ts
+import { NextResponse } from "next/server";
+import { getToken, encode } from "next-auth/jwt";
+async function refreshTokens(refreshToken, clientId, clientSecret, issuer) {
+  try {
+    const tokenUrl = `${issuer}/oauth2/token`;
+    const response = await fetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret
+      })
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      console.error("[OAuth42 Middleware] Token refresh failed:", data);
+      return { success: false, error: data.error || "refresh_failed" };
+    }
+    console.log("[OAuth42 Middleware] Token refreshed successfully");
+    return {
+      success: true,
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresAt: Math.floor(Date.now() / 1e3) + (data.expires_in || 3600)
+    };
+  } catch (error) {
+    console.error("[OAuth42 Middleware] Token refresh error:", error);
+    return { success: false, error: "refresh_error" };
+  }
+}
+function withOAuth42Auth(options = {}) {
+  const secret = process.env.NEXTAUTH_SECRET;
+  const clientId = process.env.OAUTH42_CLIENT_ID;
+  const clientSecret = process.env.OAUTH42_CLIENT_SECRET;
+  const issuer = process.env.OAUTH42_ISSUER || "https://localhost:8443";
+  if (!secret) {
+    console.warn("[OAuth42 Middleware] NEXTAUTH_SECRET not set");
+  }
+  return async function middleware(req) {
+    const cookieName = options.cookiePrefix ? `${options.cookiePrefix}.session-token` : "next-auth.session-token";
+    const token = await getToken({
+      req,
+      secret,
+      cookieName
+    });
+    const pathname = req.nextUrl.pathname;
+    if (options.publicPaths?.some((path) => pathname.startsWith(path))) {
+      return NextResponse.next();
+    }
+    const needsProtection = options.protectedPaths ? options.protectedPaths.some((path) => pathname.startsWith(path)) : true;
+    if (!needsProtection) {
+      return NextResponse.next();
+    }
+    if (!token) {
+      const signInUrl = options.pages?.signIn || "/auth/signin";
+      const url = new URL(signInUrl, req.url);
+      url.searchParams.set("callbackUrl", pathname);
+      return NextResponse.redirect(url);
+    }
+    const expiresAt = token.expiresAt;
+    const now = Math.floor(Date.now() / 1e3);
+    const bufferSeconds = 60;
+    const needsRefresh = expiresAt && now >= expiresAt - bufferSeconds;
+    if (needsRefresh && token.refreshToken && clientId && clientSecret) {
+      console.log("[OAuth42 Middleware] Access token expired, refreshing...");
+      const refreshed = await refreshTokens(
+        token.refreshToken,
+        clientId,
+        clientSecret,
+        issuer
+      );
+      if (refreshed.success && refreshed.accessToken && refreshed.refreshToken) {
+        const updatedToken = {
+          ...token,
+          accessToken: refreshed.accessToken,
+          refreshToken: refreshed.refreshToken,
+          expiresAt: refreshed.expiresAt
+        };
+        const newJwt = await encode({
+          token: updatedToken,
+          secret
+        });
+        const requestHeaders = new Headers(req.headers);
+        requestHeaders.set("x-oauth42-refreshed-token", refreshed.accessToken);
+        const response = NextResponse.next({
+          request: {
+            headers: requestHeaders
+          }
+        });
+        response.cookies.set(cookieName, newJwt, {
+          httpOnly: true,
+          sameSite: "lax",
+          path: "/",
+          secure: process.env.NODE_ENV === "production"
+        });
+        console.log("[OAuth42 Middleware] Cookie updated with refreshed tokens, header set for current request");
+        return response;
+      } else {
+        console.error("[OAuth42 Middleware] Refresh failed, redirecting to sign in");
+        const signInUrl = options.pages?.signIn || "/auth/signin";
+        const url = new URL(signInUrl, req.url);
+        url.searchParams.set("callbackUrl", pathname);
+        url.searchParams.set("error", "RefreshAccessTokenError");
+        return NextResponse.redirect(url);
+      }
+    }
+    if (options.callbacks?.authorized) {
+      const isAuthorized = await options.callbacks.authorized({ token, req });
+      if (!isAuthorized) {
+        const signInUrl = options.pages?.signIn || "/auth/signin";
+        const url = new URL(signInUrl, req.url);
+        url.searchParams.set("callbackUrl", pathname);
+        return NextResponse.redirect(url);
+      }
+    }
+    return NextResponse.next();
+  };
+}
+function createMiddlewareConfig(protectedPaths = ["/protected"], publicPaths = ["/auth", "/api/auth"]) {
+  return {
+    matcher: [
+      /*
+       * Match all request paths except for the ones starting with:
+       * - _next/static (static files)
+       * - _next/image (image optimization files)
+       * - favicon.ico (favicon file)
+       * - public folder
+       */
+      "/((?!_next/static|_next/image|favicon.ico|public).*)"
+    ],
+    protectedPaths,
+    publicPaths
+  };
+}
+export {
+  createMiddlewareConfig,
+  withOAuth42Auth
+};
+//# sourceMappingURL=index.mjs.map

package/dist/middleware/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server/middleware.ts"],"sourcesContent":["import { NextRequest, NextResponse } from 'next/server';\nimport { getToken, encode } from 'next-auth/jwt';\n\nexport interface OAuth42AuthOptions {\n  pages?: {\n    signIn?: string;\n    error?: string;\n  };\n  callbacks?: {\n    authorized?: (params: { token: any; req: NextRequest }) => boolean | Promise<boolean>;\n  };\n  protectedPaths?: string[];\n  publicPaths?: string[];\n  /**\n   * Cookie prefix for custom cookie names. Must match the prefix used in createAuth().\n   * E.g., 'oauth42-portal' will look for cookie 'oauth42-portal.session-token'\n   */\n  cookiePrefix?: string;\n}\n\n/**\n * Refresh tokens by calling the OAuth42 backend directly\n */\nasync function refreshTokens(\n  refreshToken: string,\n  clientId: string,\n  clientSecret: string,\n  issuer: string\n): Promise<{ success: boolean; accessToken?: string; refreshToken?: string; expiresAt?: number; error?: string }> {\n  try {\n    const tokenUrl = `${issuer}/oauth2/token`;\n\n    const response = await fetch(tokenUrl, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      body: new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: refreshToken,\n        client_id: clientId,\n        client_secret: clientSecret,\n      }),\n    });\n\n    const data = await response.json();\n\n    if (!response.ok) {\n      console.error('[OAuth42 Middleware] Token refresh failed:', data);\n      return { success: false, error: data.error || 'refresh_failed' };\n    }\n\n    console.log('[OAuth42 Middleware] Token refreshed successfully');\n    return {\n      success: true,\n      accessToken: data.access_token,\n      refreshToken: data.refresh_token,\n      expiresAt: Math.floor(Date.now() / 1000) + (data.expires_in || 3600),\n    };\n  } catch (error) {\n    console.error('[OAuth42 Middleware] Token refresh error:', error);\n    return { success: false, error: 'refresh_error' };\n  }\n}\n\n/**\n * Middleware helper for protecting routes with OAuth42\n *\n * This middleware handles:\n * 1. Route protection (redirect to login if no session)\n * 2. Token refresh (refresh expired tokens and update cookie)\n */\nexport function withOAuth42Auth(options: OAuth42AuthOptions = {}) {\n  const secret = process.env.NEXTAUTH_SECRET;\n  const clientId = process.env.OAUTH42_CLIENT_ID;\n  const clientSecret = process.env.OAUTH42_CLIENT_SECRET;\n  const issuer = process.env.OAUTH42_ISSUER || 'https://localhost:8443';\n\n  if (!secret) {\n    console.warn('[OAuth42 Middleware] NEXTAUTH_SECRET not set');\n  }\n\n  return async function middleware(req: NextRequest) {\n    // Build cookie name - if prefix is provided, use custom name\n    const cookieName = options.cookiePrefix\n      ? `${options.cookiePrefix}.session-token`\n      : 'next-auth.session-token';\n\n    const token = await getToken({\n      req: req as any,\n      secret,\n      cookieName,\n    });\n\n    const pathname = req.nextUrl.pathname;\n\n    // Check if path is explicitly public\n    if (options.publicPaths?.some(path => pathname.startsWith(path))) {\n      return NextResponse.next();\n    }\n\n    // Check if path needs protection\n    const needsProtection = options.protectedPaths\n      ? options.protectedPaths.some(path => pathname.startsWith(path))\n      : true; // Default to protecting all paths\n\n    if (!needsProtection) {\n      return NextResponse.next();\n    }\n\n    // No token at all - redirect to sign in\n    if (!token) {\n      const signInUrl = options.pages?.signIn || '/auth/signin';\n      const url = new URL(signInUrl, req.url);\n      url.searchParams.set('callbackUrl', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    // Check if access token is expired or expiring soon (60 second buffer)\n    const expiresAt = token.expiresAt as number | undefined;\n    const now = Math.floor(Date.now() / 1000);\n    const bufferSeconds = 60;\n    const needsRefresh = expiresAt && now >= expiresAt - bufferSeconds;\n\n    if (needsRefresh && token.refreshToken && clientId && clientSecret) {\n      console.log('[OAuth42 Middleware] Access token expired, refreshing...');\n\n      const refreshed = await refreshTokens(\n        token.refreshToken as string,\n        clientId,\n        clientSecret,\n        issuer\n      );\n\n      if (refreshed.success && refreshed.accessToken && refreshed.refreshToken) {\n        // Update the token with new values\n        const updatedToken = {\n          ...token,\n          accessToken: refreshed.accessToken,\n          refreshToken: refreshed.refreshToken,\n          expiresAt: refreshed.expiresAt,\n        };\n\n        // Re-encode the JWT\n        const newJwt = await encode({\n          token: updatedToken,\n          secret: secret!,\n        });\n\n        // Create response with request headers that pass the new token to API routes\n        // This is necessary because API routes read from the request, not the response cookie\n        const requestHeaders = new Headers(req.headers);\n        requestHeaders.set('x-oauth42-refreshed-token', refreshed.accessToken);\n\n        const response = NextResponse.next({\n          request: {\n            headers: requestHeaders,\n          },\n        });\n\n        // Set cookie with same settings NextAuth uses (for future requests)\n        response.cookies.set(cookieName, newJwt, {\n          httpOnly: true,\n          sameSite: 'lax',\n          path: '/',\n          secure: process.env.NODE_ENV === 'production',\n        });\n\n        console.log('[OAuth42 Middleware] Cookie updated with refreshed tokens, header set for current request');\n        return response;\n      } else {\n        // Refresh failed - redirect to sign in\n        console.error('[OAuth42 Middleware] Refresh failed, redirecting to sign in');\n        const signInUrl = options.pages?.signIn || '/auth/signin';\n        const url = new URL(signInUrl, req.url);\n        url.searchParams.set('callbackUrl', pathname);\n        url.searchParams.set('error', 'RefreshAccessTokenError');\n        return NextResponse.redirect(url);\n      }\n    }\n\n    // Check custom authorization callback\n    if (options.callbacks?.authorized) {\n      const isAuthorized = await options.callbacks.authorized({ token, req });\n      if (!isAuthorized) {\n        const signInUrl = options.pages?.signIn || '/auth/signin';\n        const url = new URL(signInUrl, req.url);\n        url.searchParams.set('callbackUrl', pathname);\n        return NextResponse.redirect(url);\n      }\n    }\n\n    return NextResponse.next();\n  };\n}\n\n/**\n * Helper to create middleware configuration\n */\nexport function createMiddlewareConfig(\n  protectedPaths: string[] = ['/protected'],\n  publicPaths: string[] = ['/auth', '/api/auth']\n) {\n  return {\n    matcher: [\n      /*\n       * Match all request paths except for the ones starting with:\n       * - _next/static (static files)\n       * - _next/image (image optimization files)\n       * - favicon.ico (favicon file)\n       * - public folder\n       */\n      '/((?!_next/static|_next/image|favicon.ico|public).*)',\n    ],\n    protectedPaths,\n    publicPaths,\n  };\n}\n"],"mappings":";AAAA,SAAsB,oBAAoB;AAC1C,SAAS,UAAU,cAAc;AAsBjC,eAAe,cACb,cACA,UACA,cACA,QACgH;AAChH,MAAI;AACF,UAAM,WAAW,GAAG,MAAM;AAE1B,UAAM,WAAW,MAAM,MAAM,UAAU;AAAA,MACrC,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ,eAAe;AAAA,QACf,WAAW;AAAA,QACX,eAAe;AAAA,MACjB,CAAC;AAAA,IACH,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,CAAC,SAAS,IAAI;AAChB,cAAQ,MAAM,8CAA8C,IAAI;AAChE,aAAO,EAAE,SAAS,OAAO,OAAO,KAAK,SAAS,iBAAiB;AAAA,IACjE;AAEA,YAAQ,IAAI,mDAAmD;AAC/D,WAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa,KAAK;AAAA,MAClB,cAAc,KAAK;AAAA,MACnB,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,KAAK,KAAK,cAAc;AAAA,IACjE;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,6CAA6C,KAAK;AAChE,WAAO,EAAE,SAAS,OAAO,OAAO,gBAAgB;AAAA,EAClD;AACF;AASO,SAAS,gBAAgB,UAA8B,CAAC,GAAG;AAChE,QAAM,SAAS,QAAQ,IAAI;AAC3B,QAAM,WAAW,QAAQ,IAAI;AAC7B,QAAM,eAAe,QAAQ,IAAI;AACjC,QAAM,SAAS,QAAQ,IAAI,kBAAkB;AAE7C,MAAI,CAAC,QAAQ;AACX,YAAQ,KAAK,8CAA8C;AAAA,EAC7D;AAEA,SAAO,eAAe,WAAW,KAAkB;AAEjD,UAAM,aAAa,QAAQ,eACvB,GAAG,QAAQ,YAAY,mBACvB;AAEJ,UAAM,QAAQ,MAAM,SAAS;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,WAAW,IAAI,QAAQ;AAG7B,QAAI,QAAQ,aAAa,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,GAAG;AAChE,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,kBAAkB,QAAQ,iBAC5B,QAAQ,eAAe,KAAK,UAAQ,SAAS,WAAW,IAAI,CAAC,IAC7D;AAEJ,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,QAAI,CAAC,OAAO;AACV,YAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,YAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,UAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,UAAM,YAAY,MAAM;AACxB,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,gBAAgB;AACtB,UAAM,eAAe,aAAa,OAAO,YAAY;AAErD,QAAI,gBAAgB,MAAM,gBAAgB,YAAY,cAAc;AAClE,cAAQ,IAAI,0DAA0D;AAEtE,YAAM,YAAY,MAAM;AAAA,QACtB,MAAM;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,UAAI,UAAU,WAAW,UAAU,eAAe,UAAU,cAAc;AAExE,cAAM,eAAe;AAAA,UACnB,GAAG;AAAA,UACH,aAAa,UAAU;AAAA,UACvB,cAAc,UAAU;AAAA,UACxB,WAAW,UAAU;AAAA,QACvB;AAGA,cAAM,SAAS,MAAM,OAAO;AAAA,UAC1B,OAAO;AAAA,UACP;AAAA,QACF,CAAC;AAID,cAAM,iBAAiB,IAAI,QAAQ,IAAI,OAAO;AAC9C,uBAAe,IAAI,6BAA6B,UAAU,WAAW;AAErE,cAAM,WAAW,aAAa,KAAK;AAAA,UACjC,SAAS;AAAA,YACP,SAAS;AAAA,UACX;AAAA,QACF,CAAC;AAGD,iBAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,UACvC,UAAU;AAAA,UACV,UAAU;AAAA,UACV,MAAM;AAAA,UACN,QAAQ,QAAQ,IAAI,aAAa;AAAA,QACnC,CAAC;AAED,gBAAQ,IAAI,2FAA2F;AACvG,eAAO;AAAA,MACT,OAAO;AAEL,gBAAQ,MAAM,6DAA6D;AAC3E,cAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,cAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,YAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,YAAI,aAAa,IAAI,SAAS,yBAAyB;AACvD,eAAO,aAAa,SAAS,GAAG;AAAA,MAClC;AAAA,IACF;AAGA,QAAI,QAAQ,WAAW,YAAY;AACjC,YAAM,eAAe,MAAM,QAAQ,UAAU,WAAW,EAAE,OAAO,IAAI,CAAC;AACtE,UAAI,CAAC,cAAc;AACjB,cAAM,YAAY,QAAQ,OAAO,UAAU;AAC3C,cAAM,MAAM,IAAI,IAAI,WAAW,IAAI,GAAG;AACtC,YAAI,aAAa,IAAI,eAAe,QAAQ;AAC5C,eAAO,aAAa,SAAS,GAAG;AAAA,MAClC;AAAA,IACF;AAEA,WAAO,aAAa,KAAK;AAAA,EAC3B;AACF;AAKO,SAAS,uBACd,iBAA2B,CAAC,YAAY,GACxC,cAAwB,CAAC,SAAS,WAAW,GAC7C;AACA,SAAO;AAAA,IACL,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQP;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}

package/dist/server/index.d.mts

@@ -1,5 +1,6 @@
-export { C as CreateAuthOptions, e as OAuth42AuthOptions, O as OAuth42Provider, c as createAuth, j as createHandlers, d as createMiddlewareConfig, f as getOAuth42Session, g as getServerSession, r as refreshAccessToken, w as withOAuth42Auth, i as withOAuth42ServerSideProps, h as withOAuth42Session } from '../middleware-B8dYrjZ1.mjs';
+export { C as CreateAuthOptions, O as OAuth42Provider, c as createAuth, f as createHandlers, d as getOAuth42Session, g as getServerSession, r as refreshAccessToken, e as withOAuth42ServerSideProps, w as withOAuth42Session } from '../auth-ClOnIcCK.mjs';
 export { default as NextAuth, NextAuthOptions } from 'next-auth';
+export { OAuth42AuthOptions, createMiddlewareConfig, withOAuth42Auth } from '../middleware/index.mjs';
 import { NextRequest, NextResponse } from 'next/server';
 import 'next-auth/providers/oauth';
 import 'next';

package/dist/server/index.d.ts

@@ -1,5 +1,6 @@
-export { C as CreateAuthOptions, e as OAuth42AuthOptions, O as OAuth42Provider, c as createAuth, j as createHandlers, d as createMiddlewareConfig, f as getOAuth42Session, g as getServerSession, r as refreshAccessToken, w as withOAuth42Auth, i as withOAuth42ServerSideProps, h as withOAuth42Session } from '../middleware-B8dYrjZ1.js';
+export { C as CreateAuthOptions, O as OAuth42Provider, c as createAuth, f as createHandlers, d as getOAuth42Session, g as getServerSession, r as refreshAccessToken, e as withOAuth42ServerSideProps, w as withOAuth42Session } from '../auth-ClOnIcCK.js';
 export { default as NextAuth, NextAuthOptions } from 'next-auth';
+export { OAuth42AuthOptions, createMiddlewareConfig, withOAuth42Auth } from '../middleware/index.js';
 import { NextRequest, NextResponse } from 'next/server';
 import 'next-auth/providers/oauth';
 import 'next';