@relipay/nextjs 0.1.0-beta.0

package/AGENTS.md

@@ -0,0 +1,59 @@
+# AGENTS.md — `@relipay/nextjs`
+
+Next.js 14/15 App Router helpers built on top of `@relipay/node`.
+
+## Two entrypoints
+
+| Import | Runtime | Use case |
+|---|---|---|
+| `@relipay/nextjs/middleware` | **Edge** | Wire into `middleware.ts` to gate routes |
+| `@relipay/nextjs/server`     | **Node** | `auth()`, `signIn()`, `signUp()`, `signOut()` for server components / server actions / route handlers |
+
+The split exists because middleware runs in Edge and can't import `@prisma/client` etc. that `@relipay/node` pulls in transitively.
+
+## Required env
+
+```
+RELIPAY_URL=https://your-relipay.example.com
+RELIPAY_SECRET=rp_live_…   # Application secret key — server-only
+```
+
+## Five-line happy path
+
+```ts
+// middleware.ts
+import { relipayMiddleware } from '@relipay/nextjs/middleware';
+export default relipayMiddleware({ publicRoutes: ['/sign-in', '/sign-up'] });
+export const config = { matcher: ['/((?!_next|.*\\..*).*)'] };
+
+// app/dashboard/page.tsx
+import { auth } from '@relipay/nextjs/server';
+export default async function Dashboard() {
+  const session = await auth();
+  if (!session) return null; // middleware already redirected; defensive
+  return <p>Hi {session.user.email}</p>;
+}
+
+// app/sign-in/actions.ts
+'use server';
+import { signIn } from '@relipay/nextjs/server';
+export async function signInAction(fd: FormData) {
+  await signIn({ email: String(fd.get('email')), password: String(fd.get('password')) });
+  redirect('/dashboard');
+}
+```
+
+## Cookie model
+
+Two httpOnly cookies, set by `signIn` / `signUp`:
+
+- `relipay_access`  — 15 min, the user's JWT
+- `relipay_refresh` — 30 days, the refresh token
+
+`auth()` tries access first, falls back to refresh-and-rotate, returns `null` only when both fail. Auto-rotation in `auth()` works when called from a server action or a route handler (Next.js limitation: server components can't write cookies, so a stale-access read in a server component returns null instead of refreshing — handle this in your protected page by also calling `auth()` inside the action that triggered the page).
+
+## What NOT to do
+
+- Don't import `@relipay/nextjs/server` from a client component or a middleware. It pulls Node-only deps; bundling will fail or balloon.
+- Don't bypass the cookies (e.g. read `RELIPAY_SECRET` directly in a route handler to skip session). The whole point is the session check is the chokepoint.
+- Don't loosen `httpOnly` or `sameSite=lax` without a reason. They're aligned with the panel and the demo for consistency.

package/dist/cookies.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Shared cookie names + helpers. Used by both middleware (Edge runtime) and
+ * server-component code (Node runtime) — must stay edge-compatible
+ * (no Node-only deps, no `node:crypto`).
+ */
+export declare const ACCESS_COOKIE = "relipay_access";
+export declare const REFRESH_COOKIE = "relipay_refresh";
+export interface CookieOptions {
+    httpOnly?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    secure?: boolean;
+    path?: string;
+    maxAge?: number;
+}
+export declare const ACCESS_COOKIE_OPTS: CookieOptions;
+export declare const REFRESH_COOKIE_OPTS: CookieOptions;
+//# sourceMappingURL=cookies.d.ts.map

package/dist/cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../src/cookies.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,aAAa,mBAAmB,CAAC;AAC9C,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAcD,eAAO,MAAM,kBAAkB,EAAE,aAMhC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,aAMjC,CAAC"}

package/dist/cookies.js

@@ -0,0 +1,33 @@
+/**
+ * Shared cookie names + helpers. Used by both middleware (Edge runtime) and
+ * server-component code (Node runtime) — must stay edge-compatible
+ * (no Node-only deps, no `node:crypto`).
+ */
+export const ACCESS_COOKIE = 'relipay_access';
+export const REFRESH_COOKIE = 'relipay_refresh';
+/**
+ * `secure: true` instructs browsers to refuse setting the cookie over plain
+ * HTTP. That is the only correct posture in production. In local dev over
+ * http://localhost it silently drops the cookie and the user appears to be
+ * permanently signed-out — env-branch keeps both environments working
+ * without forcing developers to run a TLS terminator locally.
+ *
+ * Edge-runtime compatible: `process.env.NODE_ENV` is available in both Edge
+ * and Node Next.js runtimes (statically inlined by the bundler).
+ */
+const IS_PROD = process.env.NODE_ENV === 'production';
+export const ACCESS_COOKIE_OPTS = {
+    httpOnly: true,
+    sameSite: 'lax',
+    secure: IS_PROD,
+    path: '/',
+    maxAge: 60 * 15, // 15 minutes (matches access token lifetime)
+};
+export const REFRESH_COOKIE_OPTS = {
+    httpOnly: true,
+    sameSite: 'lax',
+    secure: IS_PROD,
+    path: '/',
+    maxAge: 60 * 60 * 24 * 30, // 30 days
+};
+//# sourceMappingURL=cookies.js.map

package/dist/cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.js","sourceRoot":"","sources":["../src/cookies.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAC,MAAM,aAAa,GAAG,gBAAgB,CAAC;AAC9C,MAAM,CAAC,MAAM,cAAc,GAAG,iBAAiB,CAAC;AAUhD;;;;;;;;;GASG;AACH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;AAEtD,MAAM,CAAC,MAAM,kBAAkB,GAAkB;IAC/C,QAAQ,EAAE,IAAI;IACd,QAAQ,EAAE,KAAK;IACf,MAAM,EAAE,OAAO;IACf,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,EAAE,GAAG,EAAE,EAAE,6CAA6C;CAC/D,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAkB;IAChD,QAAQ,EAAE,IAAI;IACd,QAAQ,EAAE,KAAK;IACf,MAAM,EAAE,OAAO;IACf,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,UAAU;CACtC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @relipay/nextjs — Next.js helpers for ReliPay.
+ *
+ * Two entrypoints:
+ *
+ *   `@relipay/nextjs/middleware`  — relipayMiddleware() for middleware.ts
+ *   `@relipay/nextjs/server`      — auth() / signIn() / signOut() server-side
+ *
+ * Re-exported here for convenience. Direct subpath imports keep edge bundle
+ * size minimal when you only need the middleware piece.
+ */
+export { relipayMiddleware } from './middleware.js';
+export { auth, signIn, signUp, signOut } from './server.js';
+export type { Session } from './server.js';
+export type { MiddlewareConfig } from './middleware.js';
+export { ACCESS_COOKIE, REFRESH_COOKIE, ACCESS_COOKIE_OPTS, REFRESH_COOKIE_OPTS, } from './cookies.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC5D,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,15 @@
+/**
+ * @relipay/nextjs — Next.js helpers for ReliPay.
+ *
+ * Two entrypoints:
+ *
+ *   `@relipay/nextjs/middleware`  — relipayMiddleware() for middleware.ts
+ *   `@relipay/nextjs/server`      — auth() / signIn() / signOut() server-side
+ *
+ * Re-exported here for convenience. Direct subpath imports keep edge bundle
+ * size minimal when you only need the middleware piece.
+ */
+export { relipayMiddleware } from './middleware.js';
+export { auth, signIn, signUp, signOut } from './server.js';
+export { ACCESS_COOKIE, REFRESH_COOKIE, ACCESS_COOKIE_OPTS, REFRESH_COOKIE_OPTS, } from './cookies.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG5D,OAAO,EACL,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Next.js middleware helpers.
+ *
+ * `relipayMiddleware({ publicRoutes, signInUrl })` returns a middleware
+ * function the user wires up in their `middleware.ts`. It:
+ *   - Lets `publicRoutes` pass through unauthenticated.
+ *   - For protected routes, requires the access cookie. Missing → redirect
+ *     to `signInUrl` with a `next` query param so the user lands back here
+ *     after sign-in.
+ *
+ * This middleware is intentionally simple — it does not call ReliPay over
+ * the network on every request. Token validity is verified the next time
+ * the customer's server uses it via `auth()` or directly. The cookie's
+ * presence is the gate; the cookie's *value* is checked deeper in the stack.
+ */
+import { NextResponse, type NextRequest } from 'next/server';
+export interface MiddlewareConfig {
+    /** Routes that don't require auth. Strings or RegExp; matched against pathname. */
+    publicRoutes?: Array<string | RegExp>;
+    /** Where to send unauthenticated users. Defaults to /sign-in. */
+    signInUrl?: string;
+}
+export declare function relipayMiddleware(config?: MiddlewareConfig): (req: NextRequest) => NextResponse;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAG7D,MAAM,WAAW,gBAAgB;IAC/B,mFAAmF;IACnF,YAAY,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;IACtC,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAQD,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,gBAAqB,IAUlC,KAAK,WAAW,KAAG,YAAY,CAY3D"}

package/dist/middleware.js

@@ -0,0 +1,43 @@
+/**
+ * Next.js middleware helpers.
+ *
+ * `relipayMiddleware({ publicRoutes, signInUrl })` returns a middleware
+ * function the user wires up in their `middleware.ts`. It:
+ *   - Lets `publicRoutes` pass through unauthenticated.
+ *   - For protected routes, requires the access cookie. Missing → redirect
+ *     to `signInUrl` with a `next` query param so the user lands back here
+ *     after sign-in.
+ *
+ * This middleware is intentionally simple — it does not call ReliPay over
+ * the network on every request. Token validity is verified the next time
+ * the customer's server uses it via `auth()` or directly. The cookie's
+ * presence is the gate; the cookie's *value* is checked deeper in the stack.
+ */
+import { NextResponse } from 'next/server';
+import { ACCESS_COOKIE } from './cookies.js';
+function matches(pathname, patterns) {
+    return patterns.some((p) => typeof p === 'string' ? pathname === p || pathname.startsWith(p + '/') : p.test(pathname));
+}
+export function relipayMiddleware(config = {}) {
+    const publicRoutes = config.publicRoutes ?? [
+        '/sign-in',
+        '/sign-up',
+        '/forgot-password',
+        '/reset-password',
+        '/api/auth',
+    ];
+    const signInUrl = config.signInUrl ?? '/sign-in';
+    return function middleware(req) {
+        const { pathname } = req.nextUrl;
+        if (matches(pathname, publicRoutes))
+            return NextResponse.next();
+        const access = req.cookies.get(ACCESS_COOKIE)?.value;
+        if (access)
+            return NextResponse.next();
+        const url = req.nextUrl.clone();
+        url.pathname = signInUrl;
+        url.searchParams.set('next', pathname);
+        return NextResponse.redirect(url);
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAS7C,SAAS,OAAO,CAAC,QAAgB,EAAE,QAAgC;IACjE,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAC1F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,SAA2B,EAAE;IAC7D,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI;QAC1C,UAAU;QACV,UAAU;QACV,kBAAkB;QAClB,iBAAiB;QACjB,WAAW;KACZ,CAAC;IACF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,UAAU,CAAC;IAEjD,OAAO,SAAS,UAAU,CAAC,GAAgB;QACzC,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC;QACjC,IAAI,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC;YAAE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;QAEhE,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC;QACrD,IAAI,MAAM;YAAE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;QAEvC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAChC,GAAG,CAAC,QAAQ,GAAG,SAAS,CAAC;QACzB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvC,OAAO,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC;AACJ,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,93 @@
+/**
+ * Server-side helpers for App Router server components, server actions,
+ * and route handlers.
+ *
+ * Pattern:
+ *   import { auth, signIn, signOut } from '@relipay/nextjs/server';
+ *
+ *   // In a server component:
+ *   const session = await auth(); // null when signed out, { user, accessToken } otherwise
+ *
+ *   // In a server action:
+ *   await signIn({ email, password });   // sets cookies + returns the user
+ *   await signOut();                     // revokes refresh + clears cookies
+ *
+ * The helpers expect:
+ *   - `process.env.RELIPAY_URL` (the API URL)
+ *   - `process.env.RELIPAY_SECRET` (the Application secret key, server-only)
+ *
+ * Pure server module — never bundled to the browser.
+ */
+import type { EndUserDto } from '@relipay/shared-types';
+export interface Session {
+    user: EndUserDto;
+    /** The access JWT — pass it to client components via the provider's `accessToken`. */
+    accessToken: string;
+}
+/**
+ * Resolve the current session from cookies. Tries access first; on
+ * USER_TOKEN_INVALID, attempts refresh-and-retry once. Returns null when
+ * signed out (or when refresh fails).
+ *
+ * Use from any server component. Cookie writes work in server actions and
+ * route handlers (Next.js limitation: not in pure server-component reads).
+ */
+export declare function auth(): Promise<Session | null>;
+/**
+ * Sign-in outcome for the Next SDK. `kind === "session"` is the happy path;
+ * `kind === "mfa_required"` means the user has MFA enrolled and the caller
+ * must collect a TOTP / backup code and call `mfaVerify` to complete.
+ *
+ * No cookies are set on the `mfa_required` branch — the challenge token is
+ * NOT a session and must never land in `relipay_access`.
+ */
+export type SignInOutcome = {
+    kind: 'session';
+    session: Session;
+} | {
+    kind: 'mfa_required';
+    mfaChallengeToken: string;
+    mfaChallengeExpiresAt: string;
+    user: EndUserDto;
+};
+/**
+ * Server action: sign in with email + password.
+ *
+ * Branches on the server's MFA verdict:
+ *   - No MFA enrolled → cookies are set and `{ kind: "session" }` is returned.
+ *   - MFA enrolled    → `{ kind: "mfa_required", mfaChallengeToken }` is
+ *                       returned with **no cookies**. Pass the challenge
+ *                       token + the user's code to `mfaVerify(...)` to
+ *                       complete.
+ */
+export declare function signIn(input: {
+    email: string;
+    password: string;
+}): Promise<SignInOutcome>;
+/**
+ * Server action: complete an MFA-required sign-in. Sets cookies on success.
+ * Throws `RelipayError` with code `MFA_CODE_INVALID` /
+ * `MFA_CHALLENGE_INVALID` on failure — surface the error message to the
+ * user and prompt to retry.
+ */
+export declare function mfaVerify(input: {
+    mfaChallengeToken: string;
+    code: string;
+}): Promise<Session>;
+/**
+ * Server action: sign up + create the user + start a session.
+ *
+ * Sign-up never returns mfa-required (the new user can't have MFA enrolled
+ * yet), so this always sets cookies.
+ */
+export declare function signUp(input: {
+    email: string;
+    password: string;
+    metadata?: Record<string, unknown>;
+}): Promise<Session>;
+/**
+ * Server action: revoke the refresh token + clear cookies. Optionally
+ * pass `redirectTo` to bounce afterwards.
+ */
+export declare function signOut(redirectTo?: string): Promise<void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAsBxD,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,UAAU,CAAC;IACjB,sFAAsF;IACtF,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,wBAAsB,IAAI,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CA4BpD;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GACrC;IACE,IAAI,EAAE,cAAc,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,UAAU,CAAC;CAClB,CAAC;AAQN;;;;;;;;;GASG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,aAAa,CAAC,CAezB;AAED;;;;;GAKG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE;IACrC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;CACd,GAAG,OAAO,CAAC,OAAO,CAAC,CAInB;AAED;;;;;GAKG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GAAG,OAAO,CAAC,OAAO,CAAC,CAInB;AAED;;;GAGG;AACH,wBAAsB,OAAO,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE"}

package/dist/server.js

@@ -0,0 +1,144 @@
+/**
+ * Server-side helpers for App Router server components, server actions,
+ * and route handlers.
+ *
+ * Pattern:
+ *   import { auth, signIn, signOut } from '@relipay/nextjs/server';
+ *
+ *   // In a server component:
+ *   const session = await auth(); // null when signed out, { user, accessToken } otherwise
+ *
+ *   // In a server action:
+ *   await signIn({ email, password });   // sets cookies + returns the user
+ *   await signOut();                     // revokes refresh + clears cookies
+ *
+ * The helpers expect:
+ *   - `process.env.RELIPAY_URL` (the API URL)
+ *   - `process.env.RELIPAY_SECRET` (the Application secret key, server-only)
+ *
+ * Pure server module — never bundled to the browser.
+ */
+import { cookies } from 'next/headers';
+import { redirect } from 'next/navigation';
+import { ReliPay, RelipayError } from '@relipay/node';
+import { ACCESS_COOKIE, REFRESH_COOKIE, ACCESS_COOKIE_OPTS, REFRESH_COOKIE_OPTS, } from './cookies.js';
+let _client = null;
+function client() {
+    if (_client)
+        return _client;
+    const apiUrl = process.env.RELIPAY_URL;
+    const secretKey = process.env.RELIPAY_SECRET;
+    if (!apiUrl || !secretKey) {
+        throw new Error('@relipay/nextjs: RELIPAY_URL and RELIPAY_SECRET must be set on the server.');
+    }
+    _client = new ReliPay({ apiUrl, secretKey });
+    return _client;
+}
+/**
+ * Resolve the current session from cookies. Tries access first; on
+ * USER_TOKEN_INVALID, attempts refresh-and-retry once. Returns null when
+ * signed out (or when refresh fails).
+ *
+ * Use from any server component. Cookie writes work in server actions and
+ * route handlers (Next.js limitation: not in pure server-component reads).
+ */
+export async function auth() {
+    const jar = await cookies();
+    const access = jar.get(ACCESS_COOKIE)?.value;
+    if (access) {
+        try {
+            const user = await client().auth.getCurrentUser(access);
+            return { user, accessToken: access };
+        }
+        catch (err) {
+            if (!(err instanceof RelipayError) || err.code !== 'USER_TOKEN_INVALID') {
+                throw err;
+            }
+        }
+    }
+    // Try refresh.
+    const refresh = jar.get(REFRESH_COOKIE)?.value;
+    if (!refresh)
+        return null;
+    try {
+        const fresh = await client().auth.refresh(refresh);
+        jar.set(ACCESS_COOKIE, fresh.accessToken, ACCESS_COOKIE_OPTS);
+        jar.set(REFRESH_COOKIE, fresh.refreshToken, REFRESH_COOKIE_OPTS);
+        const user = await client().auth.getCurrentUser(fresh.accessToken);
+        return { user, accessToken: fresh.accessToken };
+    }
+    catch {
+        jar.delete(ACCESS_COOKIE);
+        jar.delete(REFRESH_COOKIE);
+        return null;
+    }
+}
+async function setSessionCookies(accessToken, refreshToken) {
+    const jar = await cookies();
+    jar.set(ACCESS_COOKIE, accessToken, ACCESS_COOKIE_OPTS);
+    jar.set(REFRESH_COOKIE, refreshToken, REFRESH_COOKIE_OPTS);
+}
+/**
+ * Server action: sign in with email + password.
+ *
+ * Branches on the server's MFA verdict:
+ *   - No MFA enrolled → cookies are set and `{ kind: "session" }` is returned.
+ *   - MFA enrolled    → `{ kind: "mfa_required", mfaChallengeToken }` is
+ *                       returned with **no cookies**. Pass the challenge
+ *                       token + the user's code to `mfaVerify(...)` to
+ *                       complete.
+ */
+export async function signIn(input) {
+    const result = await client().auth.signIn(input);
+    if (result.mfaRequired) {
+        return {
+            kind: 'mfa_required',
+            mfaChallengeToken: result.mfaChallengeToken,
+            mfaChallengeExpiresAt: result.mfaChallengeExpiresAt,
+            user: result.endUser,
+        };
+    }
+    await setSessionCookies(result.accessToken, result.refreshToken);
+    return {
+        kind: 'session',
+        session: { user: result.endUser, accessToken: result.accessToken },
+    };
+}
+/**
+ * Server action: complete an MFA-required sign-in. Sets cookies on success.
+ * Throws `RelipayError` with code `MFA_CODE_INVALID` /
+ * `MFA_CHALLENGE_INVALID` on failure — surface the error message to the
+ * user and prompt to retry.
+ */
+export async function mfaVerify(input) {
+    const result = await client().auth.mfaVerify(input);
+    await setSessionCookies(result.accessToken, result.refreshToken);
+    return { user: result.endUser, accessToken: result.accessToken };
+}
+/**
+ * Server action: sign up + create the user + start a session.
+ *
+ * Sign-up never returns mfa-required (the new user can't have MFA enrolled
+ * yet), so this always sets cookies.
+ */
+export async function signUp(input) {
+    const result = await client().auth.signUp(input);
+    await setSessionCookies(result.accessToken, result.refreshToken);
+    return { user: result.endUser, accessToken: result.accessToken };
+}
+/**
+ * Server action: revoke the refresh token + clear cookies. Optionally
+ * pass `redirectTo` to bounce afterwards.
+ */
+export async function signOut(redirectTo) {
+    const jar = await cookies();
+    const refresh = jar.get(REFRESH_COOKIE)?.value;
+    if (refresh) {
+        await client().auth.signOut(refresh).catch(() => undefined);
+    }
+    jar.delete(ACCESS_COOKIE);
+    jar.delete(REFRESH_COOKIE);
+    if (redirectTo)
+        redirect(redirectTo);
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAEtD,OAAO,EACL,aAAa,EACb,cAAc,EACd,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,IAAI,OAAO,GAAmB,IAAI,CAAC;AACnC,SAAS,MAAM;IACb,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC;AACjB,CAAC;AAQD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI;IACxB,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YACxD,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,CAAC,GAAG,YAAY,YAAY,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;gBACxE,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAED,eAAe;IACf,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACnD,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC9D,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACnE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1B,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAmBD,KAAK,UAAU,iBAAiB,CAAC,WAAmB,EAAE,YAAoB;IACxE,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;IAC5B,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;IACxD,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,YAAY,EAAE,mBAAmB,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,KAG5B;IACC,MAAM,MAAM,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,cAAc;YACpB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,qBAAqB,EAAE,MAAM,CAAC,qBAAqB;YACnD,IAAI,EAAE,MAAM,CAAC,OAAqB;SACnC,CAAC;IACJ,CAAC;IACD,MAAM,iBAAiB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,OAAO;QACL,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,OAAqB,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE;KACjF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAG/B;IACC,MAAM,MAAM,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,iBAAiB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,OAAqB,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;AACjF,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,KAI5B;IACC,MAAM,MAAM,GAAG,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACjD,MAAM,iBAAiB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACjE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,OAAqB,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;AACjF,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,UAAmB;IAC/C,MAAM,GAAG,GAAG,MAAM,OAAO,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,KAAK,CAAC;IAC/C,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC9D,CAAC;IACD,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC1B,GAAG,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC3B,IAAI,UAAU;QAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvC,CAAC"}

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@relipay/nextjs",
+  "version": "0.1.0-beta.0",
+  "description": "ReliPay helpers for Next.js — middleware, server-side auth(), cookie session.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    }
+  },
+  "files": [
+    "dist",
+    "AGENTS.md",
+    "README.md"
+  ],
+  "keywords": [
+    "next.js",
+    "auth",
+    "middleware",
+    "relipay"
+  ],
+  "peerDependencies": {
+    "next": "^14.0.0 || ^15.0.0",
+    "react": "^18.0.0 || ^19.0.0"
+  },
+  "dependencies": {
+    "@relipay/shared-types": "0.1.0-beta.0",
+    "@relipay/node": "0.1.0-beta.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.9.0",
+    "next": "^15.1.0",
+    "react": "^19.0.0",
+    "typescript": "^5.6.3",
+    "vitest": "^2.1.5"
+  },
+  "publishConfig": {
+    "access": "public",
+    "tag": "beta"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "lint": "echo \"(eslint not yet wired)\"",
+    "test": "echo \"(nextjs SDK tests deferred to panel/demo e2e)\""
+  }
+}