@smittdev/next-jwt-auth 0.1.0

package/dist/files/lib/auth/core/jwt.ts

@@ -0,0 +1,65 @@
+import type { TokenPayload } from "../types";
+import { TokenPayloadSchema } from "../types";
+
+/**
+ * Decodes a JWT without verifying the signature.
+ * Verification is the responsibility of your API — we only need the payload
+ * for expiry checks and user data hydration.
+ *
+ * Returns null if the token is malformed or cannot be parsed.
+ */
+export function decodeJwt(token: string): TokenPayload | null {
+  try {
+    const segments = token.split(".");
+    if (segments.length !== 3) return null;
+
+    const payloadSegment = segments[1];
+    const base64 = payloadSegment
+      .replace(/-/g, "+")
+      .replace(/_/g, "/")
+      .padEnd(
+        payloadSegment.length + ((4 - (payloadSegment.length % 4)) % 4),
+        "=",
+      );
+
+    const jsonString = Buffer.from(base64, "base64").toString("utf-8");
+    const payload = JSON.parse(jsonString) as unknown;
+
+    if (typeof payload !== "object" || payload === null) return null;
+    return payload as TokenPayload;
+  } catch {
+    return null;
+  }
+}
+
+export interface TokenExpiryInfo {
+  maxAgeSeconds: number;
+  expiresAt: Date;
+  isExpired: boolean;
+}
+
+export function getTokenExpiry(token: string): TokenExpiryInfo | null {
+  const payload = decodeJwt(token);
+  if (!payload) return null;
+
+  const validated = TokenPayloadSchema.safeParse(payload);
+  if (!validated.success) return null;
+
+  const { exp } = validated.data;
+  const expiresAt = new Date(exp * 1000);
+  const nowMs = Date.now();
+  const maxAgeSeconds = Math.floor((expiresAt.getTime() - nowMs) / 1000);
+
+  return { maxAgeSeconds, expiresAt, isExpired: maxAgeSeconds <= 0 };
+}
+
+export function isTokenValid(token: string): boolean {
+  const expiry = getTokenExpiry(token);
+  return expiry !== null && !expiry.isExpired;
+}
+
+export function getSecondsUntilExpiry(token: string): number {
+  const expiry = getTokenExpiry(token);
+  if (!expiry) return 0;
+  return Math.max(0, expiry.maxAgeSeconds);
+}

package/dist/files/lib/auth/index.ts

@@ -0,0 +1,112 @@
+// lib/auth/index.ts
+//
+// ⚠️  SERVER-ONLY — DO NOT IMPORT THIS FILE IN CLIENT COMPONENTS
+//
+// This is the main entry point for the library. It exports the Auth() factory
+// and all server-side utilities. Client-side usage goes through:
+//   import { AuthProvider, useSession, useAuth } from "@/lib/auth/client"
+
+import type { AuthActions, AuthConfig } from "./types";
+import { createAuthConfig } from "./core/config";
+import { setGlobalAuthConfig } from "./config";
+import {
+  getSession,
+  getUser,
+  getAccessToken,
+  getRefreshToken,
+  requireSession,
+} from "./server/session";
+import { withSession, withRequiredSession } from "./server/fetchers";
+import {
+  createAuthMiddleware,
+  matchesPath,
+} from "./middleware/auth-middleware";
+import { fetchSessionAction, loginAction, logoutAction, updateSessionTokenAction } from "./server/actions";
+
+/**
+ * Initializes the auth library with your adapter and configuration.
+ *
+ * Call this once in `auth.ts` at your project root. The resolved config is
+ * stored in a module-level singleton so every internal module can access it
+ * without prop drilling.
+ *
+ * @example
+ * // auth.ts
+ * import { Auth } from "@/lib/auth";
+ *
+ * export const auth = Auth({
+ *   adapter: {
+ *     async login(credentials) { ... },
+ *     async refreshToken(token) { ... },
+ *     async fetchUser(accessToken) { ... },
+ *   },
+ *   debug: process.env.NODE_ENV === "development",
+ * });
+ */
+export function Auth(config: AuthConfig) {
+  const resolved = createAuthConfig(config);
+
+  // Store in the module-level singleton — every internal call to
+  // getGlobalAuthConfig() will return this resolved config.
+  setGlobalAuthConfig(resolved);
+
+  return {
+    // ── Server-side session helpers ────────────────────────────────────────
+    /** Returns the current session, or null if unauthenticated. */
+    getSession,
+    /** Returns the current user, or null if unauthenticated. */
+    getUser,
+    /** Returns the current access token, or null if unauthenticated. */
+    getAccessToken,
+    /** Returns the current refresh token, or null if unauthenticated. */
+    getRefreshToken,
+    /** Returns the current session, or redirects to the sign-in page. */
+    requireSession,
+
+    // ── Fetch utilities ────────────────────────────────────────────────────
+    /** Run a callback with the session if it exists, otherwise return null. */
+    withSession,
+    /** Run a callback with the session, or redirect to sign-in. */
+    withRequiredSession,
+    // ── Middleware ─────────────────────────────────────────────────────────
+    /** Returns a middleware resolver function for use in middleware.ts. */
+    createMiddleware: () => createAuthMiddleware(),
+    /** Returns true if pathname matches any of the given path patterns. */
+    matchesPath,
+
+    // ── Config ─────────────────────────────────────────────────────────────
+    /** The resolved configuration object (rarely needed directly). */
+    config: resolved,
+
+    // ── Server Actions ─────────────────────────────────────────────────────
+    // Bundled here so your root layout can pass them to <AuthProvider>.
+    // Since auth.ts is imported by layout.tsx, the singleton is guaranteed
+    // to be initialized before any of these actions ever run.
+    actions: {
+      login: loginAction,
+      logout: logoutAction,
+      fetchSession: fetchSessionAction,
+      updateSessionToken: updateSessionTokenAction,
+    } satisfies AuthActions,
+  };
+}
+
+// ─── Re-exports ───────────────────────────────────────────────────────────────
+// These let consumers do:  import type { SessionUser } from "@/lib/auth"
+
+export type {
+  AuthConfig,
+  AuthAdapter,
+  AuthPages,
+  CookieOptions,
+  RefreshOptions,
+  Session,
+  SessionUser,
+  TokenPair,
+  ClientSession,
+  SessionStatus,
+  ActionResult,
+  SessionActionData,
+  AuthActions,
+  LoginActionOptions,
+} from "./types";

package/dist/files/lib/auth/middleware/auth-middleware.ts

@@ -0,0 +1,191 @@
+// lib/auth/middleware/auth-middleware.ts
+import { NextRequest, NextResponse } from "next/server";
+import { getSecondsUntilExpiry, isTokenValid } from "../core/jwt";
+import { getGlobalAuthConfig, debugLog } from "../config";
+
+export interface AuthMiddlewareResult {
+  /** True if the request has a valid, non-expired access token. */
+  isAuthenticated: boolean;
+  /** The current access token (may be a freshly rotated one). */
+  accessToken: string | null;
+  /** The current refresh token (may be a freshly rotated one). */
+  refreshToken: string | null;
+  /**
+   * Wraps a NextResponse, writing any refreshed token cookies onto it.
+   * Always use this instead of returning the response directly.
+   *
+   * @example
+   * return session.response(NextResponse.next());
+   * return session.response(NextResponse.redirect(url));
+   */
+  response: (base: NextResponse) => NextResponse;
+  /**
+   * Redirects to a URL and clears the session cookies.
+   * Use this when redirecting unauthenticated users to the login page.
+   *
+   * @example
+   * return session.redirect(new URL("/login", request.url));
+   */
+  redirect: (url: URL) => NextResponse;
+}
+
+/**
+ * Converts a path pattern string to a regex.
+ * Supports :param and :path* wildcards.
+ *
+ * Examples:
+ *   "/dashboard/:path*"  → matches /dashboard, /dashboard/settings, etc.
+ *   "/user/:id"          → matches /user/123 but not /user/123/profile
+ */
+function patternToRegex(pattern: string): RegExp {
+  const escaped = pattern
+    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
+    .replace(/\/:[\w]+\*/g, "(?:/.*)?")
+    .replace(/:[\w]+\*/g, ".*")
+    .replace(/:[\w]+/g, "[^/]+");
+  return new RegExp(`^${escaped}\\/?$`);
+}
+
+/**
+ * Returns true if `pathname` matches any of the provided path patterns.
+ *
+ * @example
+ * auth.matchesPath("/dashboard/settings", ["/dashboard/:path*"]) // true
+ * auth.matchesPath("/login", ["/", "/login"])                    // true
+ */
+export function matchesPath(pathname: string, patterns: string[]): boolean {
+  return patterns.some((pattern) => patternToRegex(pattern).test(pathname));
+}
+
+function writeTokensToResponse(
+  response: NextResponse,
+  accessToken: string,
+  refreshToken: string,
+): void {
+  const config = getGlobalAuthConfig();
+  const accessExpiry = getSecondsUntilExpiry(accessToken);
+  const refreshExpiry = getSecondsUntilExpiry(refreshToken);
+
+  const baseOptions = {
+    httpOnly: true,
+    secure: config.cookieOptions.secure,
+    sameSite: config.cookieOptions.sameSite as "strict" | "lax" | "none",
+    path: config.cookieOptions.path,
+    ...(config.cookieOptions.domain
+      ? { domain: config.cookieOptions.domain }
+      : {}),
+  };
+
+  response.cookies.set(config.cookieNames.accessToken, accessToken, {
+    ...baseOptions,
+    ...(accessExpiry > 0 ? { maxAge: accessExpiry } : {}),
+  });
+
+  response.cookies.set(config.cookieNames.refreshToken, refreshToken, {
+    ...baseOptions,
+    ...(refreshExpiry > 0 ? { maxAge: refreshExpiry } : {}),
+  });
+}
+
+function clearTokensFromResponse(response: NextResponse): void {
+  const config = getGlobalAuthConfig();
+  response.cookies.set(config.cookieNames.accessToken, "", { maxAge: 0 });
+  response.cookies.set(config.cookieNames.refreshToken, "", { maxAge: 0 });
+}
+
+/**
+ * Returns an async middleware resolver function.
+ * Call this once per middleware invocation to get the session state.
+ *
+ * The resolver automatically handles token refresh — if the access token
+ * is expired or close to expiry, it calls adapter.refreshToken() and
+ * returns the new tokens. Use session.response() to write them to cookies.
+ */
+export function createAuthMiddleware() {
+  return async function resolveAuth(
+    request: NextRequest,
+  ): Promise<AuthMiddlewareResult> {
+    const config = getGlobalAuthConfig();
+    const { pathname } = request.nextUrl;
+
+    let accessToken =
+      request.cookies.get(config.cookieNames.accessToken)?.value ?? null;
+    const refreshToken =
+      request.cookies.get(config.cookieNames.refreshToken)?.value ?? null;
+
+    let refreshedTokens: { accessToken: string; refreshToken: string } | null =
+      null;
+
+    if (!accessToken && !refreshToken) {
+      debugLog("Middleware: no tokens found", { pathname });
+    }
+
+    // Refresh if: no access token, expired, or within the refresh threshold
+    const secondsRemaining = accessToken
+      ? getSecondsUntilExpiry(accessToken)
+      : 0;
+    const needsRefresh =
+      !accessToken ||
+      !isTokenValid(accessToken) ||
+      secondsRemaining <= config.refreshThresholdSeconds;
+
+    if (needsRefresh && refreshToken && isTokenValid(refreshToken)) {
+      debugLog("Middleware: access token needs refresh — attempting", {
+        pathname,
+        reason: !accessToken
+          ? "no access token"
+          : !isTokenValid(accessToken)
+            ? "access token expired"
+            : `within threshold (${secondsRemaining}s remaining)`,
+      });
+
+      try {
+        refreshedTokens = await config.adapter.refreshToken(refreshToken);
+        accessToken = refreshedTokens.accessToken;
+        debugLog("Middleware: token refresh successful", { pathname });
+      } catch (error) {
+        // Refresh failed — proceed with the existing (potentially expired) token state
+        debugLog(
+          "Middleware: token refresh failed — proceeding with existing state",
+          {
+            pathname,
+            error: error instanceof Error ? error.message : String(error),
+          },
+        );
+      }
+    }
+
+    const isAuthenticated = accessToken ? isTokenValid(accessToken) : false;
+
+    debugLog("Middleware: resolved", { pathname, isAuthenticated });
+
+    function response(base: NextResponse): NextResponse {
+      if (refreshedTokens) {
+        writeTokensToResponse(
+          base,
+          refreshedTokens.accessToken,
+          refreshedTokens.refreshToken,
+        );
+      }
+      return base;
+    }
+
+    function redirect(url: URL): NextResponse {
+      debugLog("Middleware: redirecting and clearing session cookies", {
+        pathname,
+        destination: url.pathname,
+      });
+      const redirectResponse = NextResponse.redirect(url);
+      clearTokensFromResponse(redirectResponse);
+      return redirectResponse;
+    }
+
+    return {
+      isAuthenticated,
+      accessToken,
+      refreshToken: refreshedTokens?.refreshToken ?? refreshToken,
+      response,
+      redirect,
+    };
+  };
+}

package/dist/files/lib/auth/middleware/index.ts

@@ -0,0 +1,3 @@
+// lib/auth/middleware/index.ts
+export { createAuthMiddleware, matchesPath } from "./auth-middleware";
+export type { AuthMiddlewareResult } from "./auth-middleware";