@peterbud/nuxt-aegis 1.1.0-alpha

package/dist/runtime/app/composables/useAuth.js

@@ -0,0 +1,187 @@
+import { useRuntimeConfig, navigateTo, useState, computed } from "#imports";
+import { clearAccessToken } from "../utils/tokenStore.js";
+import { createLogger } from "../utils/logger.js";
+import { validateRedirectPath } from "../utils/redirectValidation.js";
+import { filterTimeSensitiveClaims } from "../utils/tokenUtils.js";
+const logger = createLogger("Auth");
+export function useAuth() {
+  const authState = useState(
+    "auth-state",
+    () => {
+      return { user: null, isLoading: false, error: null };
+    }
+  );
+  const isLoggedIn = computed(() => authState.value?.user !== null);
+  const isImpersonating = computed(() => !!authState.value?.user?.impersonation);
+  const originalUser = computed(() => {
+    const impersonation = authState.value?.user?.impersonation;
+    if (!impersonation) {
+      return null;
+    }
+    return {
+      originalUserId: impersonation.originalUserId,
+      originalUserEmail: impersonation.originalUserEmail,
+      originalUserName: impersonation.originalUserName
+    };
+  });
+  const config = useRuntimeConfig();
+  const publicConfig = config.public;
+  const authPath = publicConfig.nuxtAegis?.authPath;
+  const loginPath = publicConfig.nuxtAegis?.loginPath || authPath;
+  const logoutPath = publicConfig.nuxtAegis?.logoutPath;
+  const refreshPath = publicConfig.nuxtAegis?.refreshPath;
+  async function refresh() {
+    authState.value.isLoading = true;
+    authState.value.error = null;
+    logger.debug("Refreshing authentication state...");
+    try {
+      const response = await $fetch(`${refreshPath}`, {
+        method: "POST"
+      });
+      if (response?.accessToken) {
+        const { setAccessToken } = await import("../utils/tokenStore.js");
+        setAccessToken(response.accessToken);
+        const tokenParts = response.accessToken.split(".");
+        if (tokenParts[1]) {
+          const payload = JSON.parse(atob(tokenParts[1]));
+          authState.value.user = filterTimeSensitiveClaims(payload);
+          authState.value.error = null;
+          logger.debug("Auth state refreshed successfully");
+        }
+      } else {
+        authState.value.user = null;
+        clearAccessToken();
+      }
+    } catch (error) {
+      authState.value.user = null;
+      authState.value.error = "Failed to refresh authentication";
+      clearAccessToken();
+      logger.error("Auth refresh failed:", error);
+    } finally {
+      authState.value.isLoading = false;
+    }
+  }
+  async function login(provider = "google", _redirectTo) {
+    try {
+      authState.value.error = null;
+      if (!provider || typeof provider !== "string") {
+        throw new Error("Provider must be a non-empty string");
+      }
+      await navigateTo(`${loginPath}/${provider}`, { external: true });
+    } catch (error) {
+      authState.value.error = "Failed to initiate login";
+      logger.error("Login error:", error);
+      throw error;
+    }
+  }
+  async function logout(redirectTo) {
+    const config2 = useRuntimeConfig();
+    try {
+      authState.value.error = null;
+      await $fetch(`${logoutPath}`, { method: "POST" });
+      authState.value.user = null;
+    } catch (error) {
+      authState.value.user = null;
+      authState.value.error = "Logout completed with errors";
+      logger.error("Logout error:", error);
+    } finally {
+      clearAccessToken();
+      const logoutRedirect = redirectTo ? validateRedirectPath(redirectTo) : validateRedirectPath(config2.public.nuxtAegis.redirect?.logout || "/");
+      await navigateTo(logoutRedirect);
+    }
+  }
+  async function impersonate(targetUserId, reason) {
+    try {
+      authState.value.error = null;
+      authState.value.isLoading = true;
+      logger.debug("Starting impersonation...", { targetUserId });
+      const { getAccessToken } = await import("../utils/tokenStore.js");
+      const currentToken = getAccessToken();
+      if (!currentToken) {
+        throw new Error("Must be authenticated to impersonate");
+      }
+      const response = await $fetch(`${authPath}/impersonate`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${currentToken}`
+        },
+        body: {
+          targetUserId,
+          reason
+        }
+      });
+      if (response?.accessToken) {
+        const { setAccessToken } = await import("../utils/tokenStore.js");
+        setAccessToken(response.accessToken);
+        const tokenParts = response.accessToken.split(".");
+        if (tokenParts[1]) {
+          const payload = JSON.parse(atob(tokenParts[1]));
+          authState.value.user = filterTimeSensitiveClaims(payload);
+          authState.value.error = null;
+          logger.debug("Impersonation started successfully", {
+            targetUser: payload.sub,
+            originalUser: payload.impersonation?.originalUserId
+          });
+        }
+      }
+    } catch (error) {
+      const err = error;
+      authState.value.error = err.data?.message || err.message || "Failed to start impersonation";
+      logger.error("Impersonation failed:", error);
+      throw error;
+    } finally {
+      authState.value.isLoading = false;
+    }
+  }
+  async function stopImpersonation() {
+    try {
+      authState.value.error = null;
+      authState.value.isLoading = true;
+      logger.debug("Stopping impersonation...");
+      const { getAccessToken } = await import("../utils/tokenStore.js");
+      const currentToken = getAccessToken();
+      if (!currentToken) {
+        throw new Error("No active session");
+      }
+      const response = await $fetch(`${authPath}/unimpersonate`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${currentToken}`
+        }
+      });
+      if (response?.accessToken) {
+        const { setAccessToken } = await import("../utils/tokenStore.js");
+        setAccessToken(response.accessToken);
+        const tokenParts = response.accessToken.split(".");
+        if (tokenParts[1]) {
+          const payload = JSON.parse(atob(tokenParts[1]));
+          authState.value.user = filterTimeSensitiveClaims(payload);
+          authState.value.error = null;
+          logger.debug("Impersonation stopped, original session restored", {
+            restoredUser: payload.sub
+          });
+        }
+      }
+    } catch (error) {
+      const err = error;
+      authState.value.error = err.data?.message || err.message || "Failed to stop impersonation";
+      logger.error("Stop impersonation failed:", error);
+      throw error;
+    } finally {
+      authState.value.isLoading = false;
+    }
+  }
+  return {
+    isLoggedIn,
+    isLoading: computed(() => authState.value.isLoading),
+    user: computed(() => authState.value.user),
+    error: computed(() => authState.value.error),
+    isImpersonating,
+    originalUser,
+    login,
+    logout,
+    refresh,
+    impersonate,
+    stopImpersonation
+  };
+}

package/dist/runtime/app/middleware/auth-logged-in.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Client-side middleware for protecting routes that require authentication
+ *
+ * This middleware redirects unauthenticated users to the login page.
+ * It can be used globally or on specific pages using definePageMeta.
+ *
+ * Usage:
+ * - Global: Configure in module options with clientMiddleware.global = true
+ * - Per-page: definePageMeta({ middleware: ['auth-logged-in'] })
+ *
+ * Note: This is client-side only and improves UX. Server-side validation
+ * via Nitro routeRules is still required for security.
+ */
+declare const _default: import("#app").RouteMiddleware;
+export default _default;
+export { default as authLoggedIn } from './auth-logged-in.js';

package/dist/runtime/app/middleware/auth-logged-in.js

@@ -0,0 +1,25 @@
+import { defineNuxtRouteMiddleware, navigateTo, useRuntimeConfig } from "#app";
+import { useAuth } from "../composables/useAuth.js";
+import { isRouteMatch } from "../utils/routeMatching.js";
+export default defineNuxtRouteMiddleware((to) => {
+  const { isLoggedIn, isLoading } = useAuth();
+  const config = useRuntimeConfig();
+  const clientMiddleware = config.public.nuxtAegis?.clientMiddleware;
+  if (!clientMiddleware?.enabled) {
+    return;
+  }
+  if (isLoading.value) {
+    return;
+  }
+  if (clientMiddleware.global) {
+    const publicRoutes = clientMiddleware.publicRoutes || [];
+    const isPublicRoute = isRouteMatch(to.path, publicRoutes);
+    if (isPublicRoute) {
+      return;
+    }
+  }
+  if (!isLoggedIn.value) {
+    return navigateTo(clientMiddleware.redirectTo || "/login");
+  }
+});
+export { default as authLoggedIn } from "./auth-logged-in.js";

package/dist/runtime/app/middleware/auth-logged-out.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Client-side middleware for protecting routes that should only be accessible
+ * when NOT authenticated (e.g., login, register pages)
+ *
+ * This middleware redirects authenticated users away from pages that don't
+ * make sense for logged-in users.
+ *
+ * Usage:
+ * - Per-page: definePageMeta({ middleware: ['auth-logged-out'] })
+ *
+ * Example use cases:
+ * - /login - redirect logged-in users to home
+ * - /register - redirect logged-in users to dashboard
+ * - /forgot-password - redirect logged-in users to home
+ *
+ * Note: This is client-side only and improves UX.
+ */
+declare const _default: import("#app").RouteMiddleware;
+export default _default;
+export { default as authLoggedOut } from './auth-logged-out.js';

package/dist/runtime/app/middleware/auth-logged-out.js

@@ -0,0 +1,17 @@
+import { defineNuxtRouteMiddleware, navigateTo, useRuntimeConfig } from "#app";
+import { useAuth } from "../composables/useAuth.js";
+export default defineNuxtRouteMiddleware(() => {
+  const { isLoggedIn, isLoading } = useAuth();
+  const config = useRuntimeConfig();
+  const clientMiddleware = config.public.nuxtAegis?.clientMiddleware;
+  if (!clientMiddleware?.enabled) {
+    return;
+  }
+  if (isLoading.value) {
+    return;
+  }
+  if (isLoggedIn.value) {
+    return navigateTo(clientMiddleware.loggedOutRedirectTo || "/");
+  }
+});
+export { default as authLoggedOut } from "./auth-logged-out.js";

package/dist/runtime/app/pages/AuthCallback.d.vue.ts

@@ -0,0 +1,3 @@
+declare const __VLS_export: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
+declare const _default: typeof __VLS_export;
+export default _default;

package/dist/runtime/app/pages/AuthCallback.vue

@@ -0,0 +1,92 @@
+<script setup>
+import { navigateTo, useRuntimeConfig } from "#app";
+import { ref, onMounted } from "vue";
+import { setAccessToken } from "../utils/tokenStore";
+import { createLogger } from "../utils/logger";
+import { validateRedirectPath } from "../utils/redirectValidation";
+import { filterTimeSensitiveClaims } from "../utils/tokenUtils";
+const logger = createLogger("Callback");
+const config = useRuntimeConfig();
+const processing = ref(true);
+const error = ref(null);
+onMounted(async () => {
+  try {
+    const urlParams = new URLSearchParams(window.location.search);
+    const code = urlParams.get("code");
+    const errorParam = urlParams.get("error");
+    if (errorParam) {
+      error.value = "Authentication failed. Please try again.";
+      logger.error("Authentication error:", errorParam);
+      window.history.replaceState(null, "", window.location.pathname);
+      processing.value = false;
+      const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+      const errorDescription = urlParams.get("error_description") || "Authentication failed";
+      await navigateTo(`${errorUrl}?error=${encodeURIComponent(errorParam)}&error_description=${encodeURIComponent(errorDescription)}`);
+      return;
+    }
+    if (!code) {
+      error.value = "Authentication failed. Please try again.";
+      logger.error("No authorization code in URL");
+      processing.value = false;
+      const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+      await navigateTo(`${errorUrl}?error=invalid_request&error_description=${encodeURIComponent("Authentication failed. Please try again.")}`);
+      return;
+    }
+    const response = await $fetch(
+      "/auth/token",
+      {
+        method: "POST",
+        body: { code }
+      }
+    );
+    if (!response?.accessToken) {
+      error.value = "Authentication failed. Please try again.";
+      logger.error("No access token in response");
+      processing.value = false;
+      const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+      await navigateTo(`${errorUrl}?error=token_exchange_failed&error_description=${encodeURIComponent("Authentication failed. Please try again.")}`);
+      return;
+    }
+    setAccessToken(response.accessToken);
+    const tokenParts = response.accessToken.split(".");
+    if (tokenParts[1]) {
+      const payload = JSON.parse(atob(tokenParts[1]));
+      const { useState } = await import("#app");
+      const authState = useState("auth-state");
+      authState.value = { user: filterTimeSensitiveClaims(payload), isLoading: false, error: null };
+    }
+    window.history.replaceState(
+      {},
+      "",
+      window.location.pathname
+    );
+    processing.value = false;
+    const successUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.success || "/");
+    await navigateTo(successUrl);
+  } catch (err) {
+    logger.error("Error processing callback:", err);
+    error.value = "Authentication failed. Please try again.";
+    processing.value = false;
+    const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+    await navigateTo(`${errorUrl}?error=processing_error&error_description=${encodeURIComponent("Authentication failed. Please try again.")}`);
+  }
+});
+</script>
+
+<template>
+  <div class="auth-callback">
+    <div v-if="error">
+      <p>Authentication error: {{ error }}</p>
+    </div>
+    <div v-else-if="processing">
+      <p>Processing authentication...</p>
+    </div>
+    <div v-else>
+      <p>Authentication successful. Redirecting...</p>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.auth-callback{align-items:center;display:flex;justify-content:center;min-height:100vh;text-align:center}
+</style>

package/dist/runtime/app/pages/AuthCallback.vue.d.ts

@@ -0,0 +1,3 @@
+declare const __VLS_export: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
+declare const _default: typeof __VLS_export;
+export default _default;

package/dist/runtime/app/plugins/api.client.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Client-side api plugin
+ * Intercepts API calls and attaches authorization bearer token from memory
+ * See: https://nuxt.com/docs/4.x/guide/recipes/custom-usefetch
+ */
+declare const _default: import("#app").Plugin<{
+    api: import("nitropack").$Fetch<unknown, import("nitropack").NitroFetchRequest>;
+}> & import("#app").ObjectPlugin<{
+    api: import("nitropack").$Fetch<unknown, import("nitropack").NitroFetchRequest>;
+}>;
+export default _default;

package/dist/runtime/app/plugins/api.client.js

@@ -0,0 +1,92 @@
+import { defineNuxtPlugin, navigateTo, useRuntimeConfig } from "#app";
+import { useAuth } from "#imports";
+import { getAccessToken, clearAccessToken } from "../utils/tokenStore.js";
+import { isRouteMatch } from "../utils/routeMatching.js";
+import { createLogger } from "../utils/logger.js";
+import { validateRedirectPath } from "../utils/redirectValidation.js";
+const logger = createLogger("API:Client");
+export default defineNuxtPlugin(async (nuxtApp) => {
+  let isRefreshing = false;
+  let refreshPromise = null;
+  let isInitialized = false;
+  const autoRefreshEnabled = nuxtApp.$config.public.nuxtAegis.tokenRefresh.automaticRefresh ?? true;
+  async function attemptTokenRefresh() {
+    if (isRefreshing) return refreshPromise;
+    logger.debug("Attempting token refresh...");
+    isRefreshing = true;
+    refreshPromise = nuxtApp.runWithContext(async () => {
+      const auth = useAuth();
+      try {
+        await auth.refresh();
+        return getAccessToken();
+      } catch (error) {
+        logger.error("Token refresh failed:", error);
+        return null;
+      } finally {
+        isRefreshing = false;
+        refreshPromise = null;
+      }
+    });
+    return refreshPromise;
+  }
+  const api = $fetch.create({
+    onRequest({ options }) {
+      const token = getAccessToken();
+      if (token) {
+        options.headers.set("Authorization", `Bearer ${token}`);
+      }
+    },
+    async onResponseError({ options, response }) {
+      if (response.status === 401 && autoRefreshEnabled) {
+        const newToken = await attemptTokenRefresh();
+        if (newToken) {
+          options.headers.set("Authorization", `Bearer ${newToken}`);
+          return;
+        }
+        clearAccessToken();
+        const config = useRuntimeConfig();
+        const errorUrl = validateRedirectPath(config.public.nuxtAegis.redirect?.error || "/");
+        await nuxtApp.runWithContext(() => navigateTo(`${errorUrl}?error=token_refresh_failed&error_description=${encodeURIComponent("Session expired. Please log in again.")}`));
+      }
+    },
+    retry: autoRefreshEnabled ? 1 : 0,
+    retryStatusCodes: [401]
+  });
+  const result = {
+    provide: {
+      api
+    }
+  };
+  if (!isInitialized && autoRefreshEnabled) {
+    isInitialized = true;
+    logger.debug("Initializing auth state on startup...");
+    nuxtApp.hook("app:mounted", async () => {
+      await nuxtApp.runWithContext(async () => {
+        const callbackPath = nuxtApp.$config.public.nuxtAegis.callbackPath;
+        if (typeof window !== "undefined" && window.location.pathname === callbackPath) {
+          logger.debug("On auth callback page, skipping refresh");
+          return;
+        }
+        if (typeof window !== "undefined") {
+          const publicRoutes = nuxtApp.$config.public.nuxtAegis?.clientMiddleware?.publicRoutes || [];
+          const currentPath = window.location.pathname;
+          if (isRouteMatch(currentPath, publicRoutes)) {
+            logger.debug("On public route, skipping refresh on startup");
+            return;
+          }
+        }
+        const currentToken = getAccessToken();
+        if (currentToken) {
+          logger.debug("Access token already present, skipping refresh on startup");
+          return;
+        }
+        try {
+          await useAuth().refresh();
+        } catch {
+          logger.debug("No valid refresh token found on startup");
+        }
+      });
+    });
+  }
+  return result;
+});

package/dist/runtime/app/plugins/api.server.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Server-side api plugin for SSR
+ * Attaches SSR access token from event.context to $api requests
+ *
+ * Note: This creates a custom $api instance with SSR token injection.
+ * It will only work when explicitly called via useNuxtApp().$api
+ */
+declare const _default: import("#app").Plugin<{
+    api: import("nitropack").$Fetch<unknown, import("nitropack").NitroFetchRequest>;
+}> & import("#app").ObjectPlugin<{
+    api: import("nitropack").$Fetch<unknown, import("nitropack").NitroFetchRequest>;
+}>;
+export default _default;

package/dist/runtime/app/plugins/api.server.js

@@ -0,0 +1,28 @@
+import { defineNuxtPlugin, useRequestEvent } from "#app";
+export default defineNuxtPlugin({
+  name: "api-server",
+  enforce: "pre",
+  async setup() {
+    const api = $fetch.create({
+      onRequest({ options }) {
+        const event = useRequestEvent();
+        const ssrAccessToken = event?.context?.ssrAccessToken;
+        if (ssrAccessToken) {
+          options.headers = options.headers || {};
+          if (options.headers instanceof Headers) {
+            options.headers.set("Authorization", `Bearer ${ssrAccessToken}`);
+          } else if (Array.isArray(options.headers)) {
+            options.headers.push(["Authorization", `Bearer ${ssrAccessToken}`]);
+          } else {
+            options.headers.Authorization = `Bearer ${ssrAccessToken}`;
+          }
+        }
+      }
+    });
+    return {
+      provide: {
+        api
+      }
+    };
+  }
+});

package/dist/runtime/app/plugins/ssr-state.server.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("#app").Plugin<Record<string, unknown>> & import("#app").ObjectPlugin<Record<string, unknown>>;
+export default _default;

package/dist/runtime/app/plugins/ssr-state.server.js

@@ -0,0 +1,13 @@
+import { defineNuxtPlugin, useState, useRequestEvent } from "#app";
+import { filterTimeSensitiveClaims } from "../utils/tokenUtils.js";
+export default defineNuxtPlugin(() => {
+  const event = useRequestEvent();
+  if (event?.context.user) {
+    const user = event.context.user;
+    useState("auth-state", () => ({
+      user: filterTimeSensitiveClaims(user),
+      isLoading: false,
+      error: null
+    }));
+  }
+});

package/dist/runtime/app/router.options.d.ts

@@ -0,0 +1,12 @@
+declare const _default: {
+    scrollBehavior(to: import("vue-router").RouteLocationNormalizedGeneric, from: import("vue-router").RouteLocationNormalizedLoadedGeneric, savedPosition: {
+        behavior?: ScrollOptions["behavior"];
+        left: number;
+        top: number;
+    } | null): false | {
+        behavior?: ScrollOptions["behavior"];
+        left: number;
+        top: number;
+    };
+};
+export default _default;

package/dist/runtime/app/router.options.js

@@ -0,0 +1,11 @@
+export default {
+  scrollBehavior(to, from, savedPosition) {
+    if (to.name === "auth-callback" || to.path === "/auth-callback") {
+      return false;
+    }
+    if (savedPosition) {
+      return savedPosition;
+    }
+    return { top: 0, left: 0 };
+  }
+};

package/dist/runtime/app/utils/logger.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Logger instance for consistent logging across client-side code
+ */
+export interface Logger {
+    debug: (message: string, ...args: unknown[]) => void;
+    info: (message: string, ...args: unknown[]) => void;
+    warn: (message: string, ...args: unknown[]) => void;
+    error: (message: string, ...args: unknown[]) => void;
+    security: (message: string, ...args: unknown[]) => void;
+}
+/**
+ * Create a logger instance with a specific context
+ * Respects the logging configuration from runtime config
+ *
+ * @param context - Context identifier for log messages (e.g., 'Auth', 'Callback', 'API')
+ * @returns Logger instance with debug, info, warn, error, and security methods
+ */
+export declare function createLogger(context: string): Logger;

package/dist/runtime/app/utils/logger.js

@@ -0,0 +1,48 @@
+import { consola } from "consola";
+import { useRuntimeConfig } from "#imports";
+export function createLogger(context) {
+  const prefix = `[Nuxt Aegis][${context}]`;
+  return {
+    debug: (message, ...args) => {
+      const config = useRuntimeConfig();
+      const loggingConfig = config.public.nuxtAegis?.logging;
+      const level = loggingConfig?.level || "info";
+      if (level === "debug") {
+        consola.debug(prefix, message, ...args);
+      }
+    },
+    info: (message, ...args) => {
+      const config = useRuntimeConfig();
+      const loggingConfig = config.public.nuxtAegis?.logging;
+      const level = loggingConfig?.level || "info";
+      if (level !== "silent" && level !== "error" && level !== "warn") {
+        consola.info(prefix, message, ...args);
+      }
+    },
+    warn: (message, ...args) => {
+      const config = useRuntimeConfig();
+      const loggingConfig = config.public.nuxtAegis?.logging;
+      const level = loggingConfig?.level || "info";
+      if (level !== "silent" && level !== "error") {
+        consola.warn(prefix, message, ...args);
+      }
+    },
+    error: (message, ...args) => {
+      const config = useRuntimeConfig();
+      const loggingConfig = config.public.nuxtAegis?.logging;
+      const level = loggingConfig?.level || "info";
+      if (level !== "silent") {
+        consola.error(prefix, message, ...args);
+      }
+    },
+    security: (message, ...args) => {
+      const config = useRuntimeConfig();
+      const loggingConfig = config.public.nuxtAegis?.logging;
+      const level = loggingConfig?.level || "info";
+      const securityEnabled = loggingConfig?.security === true || level === "debug";
+      if (securityEnabled && level !== "silent") {
+        consola.warn(`[Nuxt Aegis Security][${context}]`, message, ...args);
+      }
+    }
+  };
+}

package/dist/runtime/app/utils/redirectValidation.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Validate redirect path to prevent open redirect vulnerabilities
+ *
+ * Security Requirements:
+ * - Only allow relative paths (must start with '/')
+ * - Reject absolute URLs (http://, https://, //)
+ * - Throw error for invalid paths
+ *
+ * @param path - The redirect path to validate
+ * @returns The validated path if valid
+ * @throws Error if path is not a valid relative path
+ *
+ * @example
+ * validateRedirectPath('/dashboard') // Returns '/dashboard'
+ * validateRedirectPath('https://evil.com') // Throws error
+ * validateRedirectPath('//evil.com') // Throws error
+ */
+export declare function validateRedirectPath(path: string): string;