@propelauth/nextjs 0.0.60 → 0.0.67

package/dist/server/app-router/index.js

@@ -0,0 +1,624 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __async = (__this, __arguments, generator) => {
+  return new Promise((resolve, reject) => {
+    var fulfilled = (value) => {
+      try {
+        step(generator.next(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var rejected = (value) => {
+      try {
+        step(generator.throw(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
+    step((generator = generator.apply(__this, __arguments)).next());
+  });
+};
+
+// src/server/app-router-index.ts
+var app_router_index_exports = {};
+__export(app_router_index_exports, {
+  ConfigurationException: () => ConfigurationException,
+  UnauthorizedException: () => UnauthorizedException,
+  authMiddleware: () => authMiddleware,
+  getRouteHandlers: () => getRouteHandlers,
+  getUser: () => getUser,
+  getUserOrRedirect: () => getUserOrRedirect
+});
+module.exports = __toCommonJS(app_router_index_exports);
+
+// src/server/exceptions.ts
+var UnauthorizedException = class extends Error {
+  constructor(message) {
+    super(message);
+    this.message = message;
+    this.status = 401;
+  }
+};
+var ConfigurationException = class extends Error {
+  constructor(message) {
+    super(message);
+    this.message = message;
+    this.status = 500;
+  }
+};
+
+// src/user.ts
+var User = class {
+  constructor(userId, email, orgIdToOrgMemberInfo, firstName, lastName, username, legacyUserId, impersonatorUserId) {
+    this.userId = userId;
+    this.orgIdToOrgMemberInfo = orgIdToOrgMemberInfo;
+    this.email = email;
+    this.firstName = firstName;
+    this.lastName = lastName;
+    this.username = username;
+    this.legacyUserId = legacyUserId;
+    this.impersonatorUserId = impersonatorUserId;
+  }
+  getOrg(orgId) {
+    if (!this.orgIdToOrgMemberInfo) {
+      return void 0;
+    }
+    return this.orgIdToOrgMemberInfo[orgId];
+  }
+  getOrgByName(orgName) {
+    if (!this.orgIdToOrgMemberInfo) {
+      return void 0;
+    }
+    const urlSafeOrgName = orgName.toLowerCase().replace(/ /g, "-");
+    for (const orgId in this.orgIdToOrgMemberInfo) {
+      const orgMemberInfo = this.orgIdToOrgMemberInfo[orgId];
+      if (orgMemberInfo.urlSafeOrgName === urlSafeOrgName) {
+        return orgMemberInfo;
+      }
+    }
+    return void 0;
+  }
+  getOrgs() {
+    if (!this.orgIdToOrgMemberInfo) {
+      return [];
+    }
+    return Object.values(this.orgIdToOrgMemberInfo);
+  }
+  isImpersonating() {
+    return !!this.impersonatorUserId;
+  }
+  static fromJSON(json) {
+    const obj = JSON.parse(json);
+    const orgIdToOrgMemberInfo = {};
+    for (const orgId in obj.orgIdToOrgMemberInfo) {
+      orgIdToOrgMemberInfo[orgId] = OrgMemberInfo.fromJSON(
+        JSON.stringify(obj.orgIdToOrgMemberInfo[orgId])
+      );
+    }
+    return new User(
+      obj.userId,
+      obj.email,
+      orgIdToOrgMemberInfo,
+      obj.firstName,
+      obj.lastName,
+      obj.username,
+      obj.legacyUserId,
+      obj.impersonatorUserId
+    );
+  }
+};
+var OrgMemberInfo = class {
+  constructor(orgId, orgName, orgMetadata, urlSafeOrgName, userAssignedRole, userInheritedRolesPlusCurrentRole, userPermissions) {
+    this.orgId = orgId;
+    this.orgName = orgName;
+    this.orgMetadata = orgMetadata;
+    this.urlSafeOrgName = urlSafeOrgName;
+    this.userAssignedRole = userAssignedRole;
+    this.userInheritedRolesPlusCurrentRole = userInheritedRolesPlusCurrentRole;
+    this.userPermissions = userPermissions;
+  }
+  // validation methods
+  isRole(role) {
+    return this.userAssignedRole === role;
+  }
+  isAtLeastRole(role) {
+    return this.userInheritedRolesPlusCurrentRole.includes(role);
+  }
+  hasPermission(permission) {
+    return this.userPermissions.includes(permission);
+  }
+  hasAllPermissions(permissions) {
+    return permissions.every((permission) => this.hasPermission(permission));
+  }
+  static fromJSON(json) {
+    const obj = JSON.parse(json);
+    return new OrgMemberInfo(
+      obj.orgId,
+      obj.orgName,
+      obj.orgMetadata,
+      obj.urlSafeOrgName,
+      obj.userAssignedRole,
+      obj.userInheritedRolesPlusCurrentRole,
+      obj.userPermissions
+    );
+  }
+  // getters for the private fields
+  get assignedRole() {
+    return this.userAssignedRole;
+  }
+  get inheritedRolesPlusCurrentRole() {
+    return this.userInheritedRolesPlusCurrentRole;
+  }
+  get permissions() {
+    return this.userPermissions;
+  }
+};
+function toUser(snake_case) {
+  return new User(
+    snake_case.user_id,
+    snake_case.email,
+    toOrgIdToOrgMemberInfo(snake_case.org_id_to_org_member_info),
+    snake_case.first_name,
+    snake_case.last_name,
+    snake_case.username,
+    snake_case.legacy_user_id,
+    snake_case.impersonatorUserId
+  );
+}
+function toOrgIdToOrgMemberInfo(snake_case) {
+  if (snake_case === void 0) {
+    return void 0;
+  }
+  const camelCase = {};
+  for (const key of Object.keys(snake_case)) {
+    const snakeCaseValue = snake_case[key];
+    if (snakeCaseValue) {
+      camelCase[key] = new OrgMemberInfo(
+        snakeCaseValue.org_id,
+        snakeCaseValue.org_name,
+        snakeCaseValue.org_metadata,
+        snakeCaseValue.url_safe_org_name,
+        snakeCaseValue.user_role,
+        snakeCaseValue.inherited_user_roles_plus_current_role,
+        snakeCaseValue.user_permissions
+      );
+    }
+  }
+  return camelCase;
+}
+
+// src/server/app-router.ts
+var import_navigation = require("next/navigation");
+var import_headers = require("next/headers");
+var import_server = require("next/server");
+
+// src/server/shared.ts
+var jose = __toESM(require("jose"));
+var LOGIN_PATH = "/api/auth/login";
+var CALLBACK_PATH = "/api/auth/callback";
+var USERINFO_PATH = "/api/auth/userinfo";
+var LOGOUT_PATH = "/api/auth/logout";
+var ACCESS_TOKEN_COOKIE_NAME = "__pa_at";
+var REFRESH_TOKEN_COOKIE_NAME = "__pa_rt";
+var STATE_COOKIE_NAME = "__pa_state";
+var CUSTOM_HEADER_FOR_ACCESS_TOKEN = "x-propelauth-access-token";
+var COOKIE_OPTIONS = {
+  httpOnly: true,
+  sameSite: "lax",
+  secure: true,
+  path: "/"
+};
+function getAuthUrlOrigin() {
+  const authUrl = process.env.NEXT_PUBLIC_AUTH_URL;
+  if (!authUrl) {
+    throw new Error("NEXT_PUBLIC_AUTH_URL is not set");
+  }
+  return new URL(authUrl).origin;
+}
+function getRedirectUri() {
+  const redirectUri = process.env.REDIRECT_URI;
+  if (!redirectUri) {
+    throw new Error("REDIRECT_URI is not set");
+  }
+  return redirectUri;
+}
+function getIntegrationApiKey() {
+  const integrationApiKey = process.env.PROPELAUTH_API_KEY;
+  if (!integrationApiKey) {
+    throw new Error("PROPELAUTH_API_KEY is not set");
+  }
+  return integrationApiKey;
+}
+function getVerifierKey() {
+  const verifierKey = process.env.VERIFIER_KEY;
+  if (!verifierKey) {
+    throw new Error("VERIFIER_KEY is not set");
+  }
+  return verifierKey.replace(/\\n/g, "\n");
+}
+function refreshTokenWithAccessAndRefreshToken(refreshToken) {
+  return __async(this, null, function* () {
+    const body = {
+      refresh_token: refreshToken
+    };
+    const url = `${getAuthUrlOrigin()}/api/backend/v1/refresh_token`;
+    const response = yield fetch(url, {
+      method: "POST",
+      body: JSON.stringify(body),
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: "Bearer " + getIntegrationApiKey()
+      }
+    });
+    if (response.ok) {
+      const data = yield response.json();
+      const newRefreshToken = data.refresh_token;
+      const {
+        access_token: accessToken,
+        expires_at_seconds: expiresAtSeconds
+      } = data.access_token;
+      return {
+        refreshToken: newRefreshToken,
+        accessToken,
+        error: "none"
+      };
+    } else if (response.status === 400) {
+      return { error: "unauthorized" };
+    } else {
+      return { error: "unexpected" };
+    }
+  });
+}
+function validateAccessTokenOrUndefined(accessToken) {
+  return __async(this, null, function* () {
+    try {
+      return yield validateAccessToken(accessToken);
+    } catch (err) {
+      if (err instanceof ConfigurationException) {
+        throw err;
+      } else if (err instanceof UnauthorizedException) {
+        return void 0;
+      } else {
+        console.log("Error validating access token", err);
+        return void 0;
+      }
+    }
+  });
+}
+function validateAccessToken(accessToken) {
+  return __async(this, null, function* () {
+    let publicKey;
+    try {
+      publicKey = yield jose.importSPKI(getVerifierKey(), "RS256");
+    } catch (err) {
+      console.error("Verifier key is invalid. Make sure it's specified correctly, including the newlines.", err);
+      throw new ConfigurationException("Invalid verifier key");
+    }
+    if (!accessToken) {
+      throw new UnauthorizedException("No access token provided");
+    }
+    let accessTokenWithoutBearer = accessToken;
+    if (accessToken.toLowerCase().startsWith("bearer ")) {
+      accessTokenWithoutBearer = accessToken.substring("bearer ".length);
+    }
+    try {
+      const { payload } = yield jose.jwtVerify(accessTokenWithoutBearer, publicKey, {
+        issuer: getAuthUrlOrigin(),
+        algorithms: ["RS256"]
+      });
+      return toUser(payload);
+    } catch (e) {
+      if (e instanceof Error) {
+        throw new UnauthorizedException(e.message);
+      } else {
+        throw new UnauthorizedException("Unable to decode jwt");
+      }
+    }
+  });
+}
+
+// src/server/app-router.ts
+function getUserOrRedirect() {
+  return __async(this, null, function* () {
+    const user = yield getUser();
+    if (user) {
+      return user;
+    } else {
+      (0, import_navigation.redirect)(LOGIN_PATH);
+      throw new Error("Redirecting to login");
+    }
+  });
+}
+function getUser() {
+  return __async(this, null, function* () {
+    var _a;
+    const accessToken = (0, import_headers.headers)().get(CUSTOM_HEADER_FOR_ACCESS_TOKEN) || ((_a = (0, import_headers.cookies)().get(ACCESS_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value);
+    if (accessToken) {
+      const user = yield validateAccessTokenOrUndefined(accessToken);
+      if (user) {
+        return user;
+      }
+    }
+    return void 0;
+  });
+}
+function authMiddleware(req) {
+  return __async(this, null, function* () {
+    var _a, _b;
+    if (req.headers.has(CUSTOM_HEADER_FOR_ACCESS_TOKEN)) {
+      throw new Error(`${CUSTOM_HEADER_FOR_ACCESS_TOKEN} is set which is for internal use only`);
+    } else if (req.nextUrl.pathname === CALLBACK_PATH || req.nextUrl.pathname === LOGOUT_PATH) {
+      return import_server.NextResponse.next();
+    }
+    const accessToken = (_a = req.cookies.get(ACCESS_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
+    const refreshToken = (_b = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _b.value;
+    if (req.nextUrl.pathname === USERINFO_PATH && refreshToken) {
+      const response = yield refreshTokenWithAccessAndRefreshToken(refreshToken);
+      if (response.error === "unexpected") {
+        throw new Error("Unexpected error while refreshing access token");
+      } else if (response.error === "unauthorized") {
+        const headers2 = new Headers();
+        headers2.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+        headers2.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+        return new Response("Unauthorized", { status: 401, headers: headers2 });
+      } else {
+        const headers2 = new Headers(req.headers);
+        headers2.append(CUSTOM_HEADER_FOR_ACCESS_TOKEN, response.accessToken);
+        const nextResponse = import_server.NextResponse.next({
+          request: {
+            headers: headers2
+          }
+        });
+        nextResponse.cookies.set(ACCESS_TOKEN_COOKIE_NAME, response.accessToken, COOKIE_OPTIONS);
+        nextResponse.cookies.set(REFRESH_TOKEN_COOKIE_NAME, response.refreshToken, COOKIE_OPTIONS);
+        return nextResponse;
+      }
+    }
+    if (accessToken) {
+      const user = yield validateAccessTokenOrUndefined(accessToken);
+      if (user) {
+        return import_server.NextResponse.next();
+      }
+    }
+    if (refreshToken) {
+      const response = yield refreshTokenWithAccessAndRefreshToken(refreshToken);
+      if (response.error === "unexpected") {
+        throw new Error("Unexpected error while refreshing access token");
+      } else if (response.error === "unauthorized") {
+        const response2 = import_server.NextResponse.next();
+        response2.cookies.delete(ACCESS_TOKEN_COOKIE_NAME);
+        response2.cookies.delete(REFRESH_TOKEN_COOKIE_NAME);
+        return response2;
+      } else {
+        const headers2 = new Headers(req.headers);
+        headers2.append(CUSTOM_HEADER_FOR_ACCESS_TOKEN, response.accessToken);
+        const nextResponse = import_server.NextResponse.next({
+          request: {
+            headers: headers2
+          }
+        });
+        nextResponse.cookies.set(ACCESS_TOKEN_COOKIE_NAME, response.accessToken, COOKIE_OPTIONS);
+        nextResponse.cookies.set(REFRESH_TOKEN_COOKIE_NAME, response.refreshToken, COOKIE_OPTIONS);
+        return nextResponse;
+      }
+    }
+    return import_server.NextResponse.next();
+  });
+}
+function getRouteHandlers(args) {
+  const authUrlOrigin = getAuthUrlOrigin();
+  const redirectUri = getRedirectUri();
+  const integrationApiKey = getIntegrationApiKey();
+  function loginGetHandler() {
+    const state = randomState();
+    const authorize_url = authUrlOrigin + "/propelauth/ssr/authorize?redirect_uri=" + redirectUri + "&state=" + state;
+    return new Response(null, {
+      status: 302,
+      headers: {
+        Location: authorize_url,
+        "Set-Cookie": `${STATE_COOKIE_NAME}=${state}; Path=/; HttpOnly; Secure; SameSite=Lax`
+      }
+    });
+  }
+  function signupGetHandler() {
+    const state = randomState();
+    const authorize_url = getAuthUrlOrigin() + "/propelauth/ssr/authorize?redirect_uri=" + redirectUri + "&state=" + state + "&signup=true";
+    return new Response(null, {
+      status: 302,
+      headers: {
+        Location: authorize_url,
+        "Set-Cookie": `${STATE_COOKIE_NAME}=${state}; Path=/; HttpOnly; Secure; SameSite=Lax`
+      }
+    });
+  }
+  function callbackGetHandler(req) {
+    return __async(this, null, function* () {
+      var _a;
+      const oauthState = (_a = req.cookies.get(STATE_COOKIE_NAME)) == null ? void 0 : _a.value;
+      if (!oauthState || oauthState.length !== 64) {
+        console.log("No oauth state found");
+        return new Response(null, { status: 302, headers: { Location: LOGIN_PATH } });
+      }
+      const queryParams = req.nextUrl.searchParams;
+      const state = queryParams.get("state");
+      const code = queryParams.get("code");
+      if (state !== oauthState) {
+        console.log("Mismatch between states, redirecting to login");
+        return new Response(null, { status: 302, headers: { Location: LOGIN_PATH } });
+      }
+      const oauth_token_body = {
+        redirect_uri: redirectUri,
+        code
+      };
+      const url = `${authUrlOrigin}/propelauth/ssr/token`;
+      const response = yield fetch(url, {
+        method: "POST",
+        body: JSON.stringify(oauth_token_body),
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: "Bearer " + integrationApiKey
+        }
+      });
+      if (response.ok) {
+        const data = yield response.json();
+        const accessToken = data.access_token;
+        const user = yield validateAccessToken(accessToken);
+        const path = (args == null ? void 0 : args.postLoginRedirectPathFn) ? args.postLoginRedirectPathFn(user, req) : "/";
+        if (!path) {
+          console.log("postLoginPathFn returned undefined");
+          return new Response("Unexpected error", { status: 500 });
+        }
+        const headers2 = new Headers();
+        headers2.append("Location", path);
+        headers2.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=Lax`);
+        headers2.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=${data.refresh_token}; Path=/; HttpOnly; Secure; SameSite=Lax`);
+        return new Response(null, {
+          status: 302,
+          headers: headers2
+        });
+      } else if (response.status === 401) {
+        return new Response("Unexpected error", { status: 500 });
+      } else {
+        return new Response("Unexpected error", { status: 500 });
+      }
+    });
+  }
+  function userinfoGetHandler(req) {
+    return __async(this, null, function* () {
+      var _a;
+      const accessToken = req.headers.get(CUSTOM_HEADER_FOR_ACCESS_TOKEN) || ((_a = req.cookies.get(ACCESS_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value);
+      if (accessToken) {
+        const path = `${authUrlOrigin}/propelauth/oauth/userinfo`;
+        const response = yield fetch(path, {
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": "Bearer " + accessToken
+          }
+        });
+        if (response.ok) {
+          const data = yield response.json();
+          const user = new User(
+            data.user_id,
+            data.email,
+            toOrgIdToOrgMemberInfo(data.org_id_to_org_info),
+            data.first_name,
+            data.last_name,
+            data.username,
+            data.legacy_user_id,
+            data.impersonator_user_id
+          );
+          return new Response(JSON.stringify(user), {
+            status: 200,
+            headers: {
+              "Content-Type": "application/json"
+            }
+          });
+        } else if (response.status === 401) {
+          return new Response(null, { status: 401 });
+        } else {
+          return new Response(null, { status: 500 });
+        }
+      }
+      return new Response(null, { status: 401 });
+    });
+  }
+  function logoutPostHandler(req) {
+    return __async(this, null, function* () {
+      var _a;
+      const refresh_token = (_a = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
+      if (!refresh_token) {
+        const headers3 = new Headers();
+        headers3.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+        headers3.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+        return new Response(null, { status: 200, headers: headers3 });
+      }
+      const logoutBody = { refresh_token };
+      const url = `${authUrlOrigin}/api/backend/v1/logout`;
+      const response = yield fetch(url, {
+        method: "POST",
+        body: JSON.stringify(logoutBody),
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: "Bearer " + integrationApiKey
+        }
+      });
+      if (!response.ok) {
+        console.log(
+          "Unable to logout, clearing cookies and continuing anyway",
+          response.status,
+          response.statusText
+        );
+      }
+      const headers2 = new Headers();
+      headers2.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+      headers2.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
+      return new Response(null, { status: 200, headers: headers2 });
+    });
+  }
+  function getRouteHandler(req, { params }) {
+    if (params.slug === "login") {
+      return loginGetHandler();
+    } else if (params.slug === "signup") {
+      return signupGetHandler();
+    } else if (params.slug === "callback") {
+      return callbackGetHandler(req);
+    } else if (params.slug === "userinfo") {
+      return userinfoGetHandler(req);
+    } else {
+      return new Response("", { status: 404 });
+    }
+  }
+  function postRouteHandler(req, { params }) {
+    if (params.slug === "logout") {
+      return logoutPostHandler(req);
+    } else {
+      return new Response("", { status: 404 });
+    }
+  }
+  return {
+    getRouteHandler,
+    postRouteHandler
+  };
+}
+function randomState() {
+  const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+  return Array.from(randomBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ConfigurationException,
+  UnauthorizedException,
+  authMiddleware,
+  getRouteHandlers,
+  getUser,
+  getUserOrRedirect
+});
+//# sourceMappingURL=index.js.map