@spfn/auth 0.2.0-beta.10 → 0.2.0-beta.12

package/dist/nextjs/server.js

@@ -5,8 +5,16 @@ import "server-only";
 import { redirect } from "next/navigation";
 
 // src/nextjs/session-helpers.ts
+import * as jose from "jose";
 import { cookies } from "next/headers.js";
-import { sealSession, unsealSession, COOKIE_NAMES, getSessionTtl, parseDuration } from "@spfn/auth/server";
+import {
+  sealSession,
+  unsealSession,
+  COOKIE_NAMES,
+  getSessionTtl,
+  parseDuration
+} from "@spfn/auth/server";
+import { env } from "@spfn/auth/config";
 import { logger } from "@spfn/core/logger";
 async function saveSession(data, options) {
   let maxAge;
@@ -38,7 +46,6 @@ async function getSession() {
       userId: session.userId
     };
   } catch (error) {
-    console.error(error);
     logger.debug("Session validation failed", {
       error: error instanceof Error ? error.message : String(error)
     });
@@ -50,6 +57,44 @@ async function clearSession() {
   cookieStore.delete(COOKIE_NAMES.SESSION);
   cookieStore.delete(COOKIE_NAMES.SESSION_KEY_ID);
 }
+async function getPendingSessionKey() {
+  const secret = env.SPFN_AUTH_SESSION_SECRET;
+  const encoder = new TextEncoder();
+  const data = encoder.encode(`oauth-pending:${secret}`);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(hashBuffer);
+}
+async function sealPendingSession(data, ttl = 600) {
+  const key = await getPendingSessionKey();
+  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-oauth").encrypt(key);
+}
+async function unsealPendingSession(jwt) {
+  const key = await getPendingSessionKey();
+  const { payload } = await jose.jwtDecrypt(jwt, key, {
+    issuer: "spfn-auth",
+    audience: "spfn-oauth"
+  });
+  return payload.data;
+}
+async function getPendingSession() {
+  const cookieStore = await cookies();
+  const pendingCookie = cookieStore.get(COOKIE_NAMES.OAUTH_PENDING);
+  if (!pendingCookie) {
+    return null;
+  }
+  try {
+    return await unsealPendingSession(pendingCookie.value);
+  } catch (error) {
+    logger.debug("Pending session validation failed", {
+      error: error instanceof Error ? error.message : String(error)
+    });
+    return null;
+  }
+}
+async function clearPendingSession() {
+  const cookieStore = await cookies();
+  cookieStore.delete(COOKIE_NAMES.OAUTH_PENDING);
+}
 
 // src/nextjs/guards/require-auth.tsx
 import { Fragment, jsx } from "react/jsx-runtime";
@@ -163,16 +208,93 @@ async function RequirePermission({
   }
   return /* @__PURE__ */ jsx3(Fragment3, { children });
 }
+
+// src/nextjs/oauth-handlers.ts
+import { NextResponse } from "next/server";
+import { cookies as cookies2 } from "next/headers.js";
+import { sealSession as sealSession2, COOKIE_NAMES as COOKIE_NAMES2, getSessionTtl as getSessionTtl2 } from "@spfn/auth/server";
+import { env as env2 } from "@spfn/core/config";
+import { logger as logger2 } from "@spfn/core/logger";
+function createOAuthCallbackHandler(options) {
+  const defaultRedirect = options?.defaultRedirectUrl || "/";
+  const errorRedirect = options?.errorRedirectUrl || "/auth/error";
+  return async (request) => {
+    const searchParams = request.nextUrl.searchParams;
+    const userId = searchParams.get("userId");
+    const keyId = searchParams.get("keyId");
+    const returnUrl = searchParams.get("returnUrl") || defaultRedirect;
+    const error = searchParams.get("error");
+    if (error) {
+      const errorUrl = new URL(errorRedirect, request.url);
+      errorUrl.searchParams.set("error", error);
+      return NextResponse.redirect(errorUrl);
+    }
+    if (!userId || !keyId) {
+      logger2.error("OAuth callback missing required params", { userId: !!userId, keyId: !!keyId });
+      const errorUrl = new URL(errorRedirect, request.url);
+      errorUrl.searchParams.set("error", "Missing required parameters");
+      return NextResponse.redirect(errorUrl);
+    }
+    try {
+      const cookieStore = await cookies2();
+      const pendingCookie = cookieStore.get(COOKIE_NAMES2.OAUTH_PENDING);
+      if (!pendingCookie) {
+        throw new Error("OAuth session expired. Please try again.");
+      }
+      const pendingSession = await unsealPendingSession(pendingCookie.value);
+      if (pendingSession.keyId !== keyId) {
+        throw new Error("Session mismatch. Please try again.");
+      }
+      const ttl = getSessionTtl2();
+      const sessionToken = await sealSession2({
+        userId,
+        privateKey: pendingSession.privateKey,
+        keyId: pendingSession.keyId,
+        algorithm: pendingSession.algorithm
+      }, ttl);
+      const redirectUrl = new URL(returnUrl, request.url);
+      const response = NextResponse.redirect(redirectUrl);
+      response.cookies.set(COOKIE_NAMES2.SESSION, sessionToken, {
+        httpOnly: true,
+        secure: env2.NODE_ENV === "production",
+        sameSite: "strict",
+        maxAge: ttl,
+        path: "/"
+      });
+      response.cookies.set(COOKIE_NAMES2.SESSION_KEY_ID, keyId, {
+        httpOnly: true,
+        secure: env2.NODE_ENV === "production",
+        sameSite: "strict",
+        maxAge: ttl,
+        path: "/"
+      });
+      response.cookies.delete(COOKIE_NAMES2.OAUTH_PENDING);
+      logger2.debug("OAuth callback completed", { userId, keyId });
+      return response;
+    } catch (error2) {
+      const err = error2;
+      logger2.error("OAuth callback failed", { error: err.message });
+      const errorUrl = new URL(errorRedirect, request.url);
+      errorUrl.searchParams.set("error", err.message);
+      return NextResponse.redirect(errorUrl);
+    }
+  };
+}
 export {
   RequireAuth,
   RequirePermission,
   RequireRole,
+  clearPendingSession,
   clearSession,
+  createOAuthCallbackHandler,
+  getPendingSession,
   getSession,
   getUserPermissions,
   getUserRole,
   hasAnyPermission,
   hasAnyRole,
-  saveSession
+  saveSession,
+  sealPendingSession,
+  unsealPendingSession
 };
 //# sourceMappingURL=server.js.map

package/dist/nextjs/server.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/nextjs/server.ts","../../src/nextjs/guards/require-auth.tsx","../../src/nextjs/session-helpers.ts","../../src/nextjs/guards/require-role.tsx","../../src/nextjs/guards/auth-utils.ts","../../src/nextjs/guards/require-permission.tsx"],"sourcesContent":["import \"server-only\";\n\nexport { RequireAuth } from './guards/require-auth';\nexport type { RequireAuthProps } from './guards/require-auth';\n\nexport { RequireRole } from './guards/require-role';\nexport type { RequireRoleProps } from './guards/require-role';\n\nexport { RequirePermission } from './guards/require-permission';\nexport type { RequirePermissionProps } from './guards/require-permission';\n\nexport { getUserRole, getUserPermissions, hasAnyRole, hasAnyPermission } from './guards/auth-utils';\n\n// Session helpers\nexport {\n    saveSession,\n    getSession,\n    clearSession,\n    type SessionData,\n    type PublicSession,\n    type SaveSessionOptions\n} from './session-helpers';","/**\n * RequireAuth Guard Component\n *\n * Requires user to be authenticated\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport type { ReactNode } from 'react';\n\nexport interface RequireAuthProps\n{\n    /**\n     * Children to render if authenticated\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if not authenticated\n     * @default '/login'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Authentication Guard\n *\n * Ensures user is logged in before rendering children\n *\n * @example\n * ```tsx\n * <RequireAuth redirectTo=\"/login\">\n *   <DashboardContent />\n * </RequireAuth>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequireAuth fallback={<LoginPrompt />}>\n *   <PrivateContent />\n * </RequireAuth>\n * ```\n */\nexport async function RequireAuth({\n    children,\n    redirectTo = '/auth/login',\n    fallback,\n}: RequireAuthProps)\n{\n    const session = await getSession();\n\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}","/**\n * Session helpers for Next.js\n *\n * Server-side only (uses next/headers)\n */\n\nimport { cookies } from 'next/headers.js';\nimport { sealSession, unsealSession, COOKIE_NAMES, getSessionTtl, parseDuration, type SessionData } from '@spfn/auth/server';\nimport { logger } from '@spfn/core/logger';\n\nexport type { SessionData };\n\n/**\n * Public session information (excludes sensitive data)\n */\nexport interface PublicSession\n{\n    /** User ID */\n    userId: string;\n}\n\n/**\n * Options for saveSession\n */\nexport interface SaveSessionOptions\n{\n    /**\n     * Session TTL (time to live)\n     *\n     * Supports:\n     * - Number: seconds (e.g., 2592000)\n     * - String: duration format ('30d', '12h', '45m', '3600s')\n     *\n     * If not provided, uses global configuration:\n     * 1. Global config (configureAuth)\n     * 2. Environment variable (SPFN_AUTH_SESSION_TTL)\n     * 3. Default (7d)\n     */\n    maxAge?: number | string;\n\n    /**\n     * Remember me option\n     *\n     * When true, uses extended session duration (if configured)\n     */\n    remember?: boolean;\n}\n\n/**\n * Save session to HttpOnly cookie\n *\n * @param data - Session data to save\n * @param options - Session options (maxAge, remember)\n *\n * @example\n * ```typescript\n * // Use global configuration\n * await saveSession(sessionData);\n *\n * // Custom TTL with duration string\n * await saveSession(sessionData, { maxAge: '30d' });\n *\n * // Custom TTL in seconds\n * await saveSession(sessionData, { maxAge: 2592000 });\n *\n * // Remember me\n * await saveSession(sessionData, { remember: true });\n * ```\n */\nexport async function saveSession(\n    data: SessionData,\n    options?: SaveSessionOptions\n): Promise<void>\n{\n    // Calculate maxAge\n    let maxAge: number;\n\n    if (options?.maxAge !== undefined)\n    {\n        // Custom maxAge provided\n        maxAge = typeof options.maxAge === 'number'\n            ? options.maxAge\n            : parseDuration(options.maxAge);\n    }\n    else\n    {\n        // Use getSessionTtl for consistent configuration\n        maxAge = getSessionTtl();\n    }\n\n    const token = await sealSession(data, maxAge);\n    const cookieStore = await cookies();\n\n    cookieStore.set(COOKIE_NAMES.SESSION, token, {\n        httpOnly: true,\n        secure: process.env.NODE_ENV === 'production',\n        sameSite: 'strict',\n        path: '/',\n        maxAge\n    });\n}\n\n/**\n * Get session from HttpOnly cookie\n *\n * Returns public session info only (excludes privateKey, algorithm, keyId)\n */\nexport async function getSession(): Promise<PublicSession | null>\n{\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get(COOKIE_NAMES.SESSION);\n\n    if (!sessionCookie)\n    {\n        return null;\n    }\n\n    try\n    {\n        logger.debug('Validating session cookie', { cookie: sessionCookie.value });\n        const session = await unsealSession(sessionCookie.value);\n        // Return only public information\n        return {\n            userId: session.userId,\n        };\n    }\n    catch (error)\n    {\n        console.error(error);\n\n        // Session expired or invalid - log in dev mode\n        // Note: Cannot delete cookies in Server Components (read-only)\n        // Invalid cookies will be cleaned up on next login/logout via Route Handler or Server Action\n        logger.debug('Session validation failed', {\n            error: error instanceof Error ? error.message : String(error)\n        });\n\n        return null;\n    }\n}\n\n/**\n * Clear session cookie\n */\nexport async function clearSession(): Promise<void>\n{\n    const cookieStore = await cookies();\n    cookieStore.delete(COOKIE_NAMES.SESSION);\n    cookieStore.delete(COOKIE_NAMES.SESSION_KEY_ID);\n}\n","/**\n * RequireRole Guard Component\n *\n * Requires user to have at least one of the specified roles\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport { hasAnyRole } from './auth-utils';\nimport type { ReactNode } from 'react';\n\nexport interface RequireRoleProps\n{\n    /**\n     * Required role(s) - user must have at least one\n     */\n    roles: string | string[];\n\n    /**\n     * Children to render if user has required role\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if user doesn't have role\n     * @default '/unauthorized'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Role Guard\n *\n * Ensures user has at least one of the specified roles\n *\n * @example Single role\n * ```tsx\n * <RequireRole roles=\"admin\">\n *   <AdminPanel />\n * </RequireRole>\n * ```\n *\n * @example Multiple roles (OR condition)\n * ```tsx\n * <RequireRole roles={['admin', 'manager']}>\n *   <ManagementDashboard />\n * </RequireRole>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequireRole roles=\"admin\" fallback={<AccessDenied />}>\n *   <AdminContent />\n * </RequireRole>\n * ```\n */\nexport async function RequireRole({\n    roles,\n    children,\n    redirectTo = '/unauthorized',\n    fallback,\n}: RequireRoleProps)\n{\n    const session = await getSession();\n\n    // Not authenticated\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect('/login');\n    }\n\n    // Normalize to array\n    const requiredRoles = Array.isArray(roles) ? roles : [roles];\n\n    // Check if user has any of the required roles\n    const hasRole = await hasAnyRole(requiredRoles);\n\n    if (!hasRole)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}","/**\n * Server-side auth utilities for guards\n *\n * Uses authApi to check permissions in real-time\n */\n\nimport { authApi } from '@spfn/auth';\nimport { authLogger } from '@spfn/auth/server';\n\n/**\n * Get current auth session with roles and permissions via API\n */\nasync function getAuthSessionData()\n{\n    try\n    {\n        const session = await authApi.getAuthSession.call();\n        authLogger.middleware.debug('Auth session retrieved', { name: session.role?.name });\n\n        return session;\n    }\n    catch (error)\n    {\n        authLogger.middleware.error('Failed to get auth session', { error });\n        return null;\n    }\n}\n\n/**\n * Get user role\n */\nexport async function getUserRole(): Promise<string | null>\n{\n    const session = await getAuthSessionData();\n    return session?.role?.name || null;\n}\n\n/**\n * Get user permissions\n */\nexport async function getUserPermissions(): Promise<string[]>\n{\n    const session = await getAuthSessionData();\n\n    if (!session)\n    {\n        return [];\n    }\n\n    return session.permissions?.map((p: any) => p.name) || [];\n}\n\n/**\n * Check if user has any of the specified roles\n */\nexport async function hasAnyRole(requiredRoles: string[]): Promise<boolean>\n{\n    const session = await getAuthSessionData();\n    if (!session)\n    {\n        return false;\n    }\n\n    return requiredRoles.includes(session.role?.name);\n}\n\n/**\n * Check if user has any of the specified permissions\n */\nexport async function hasAnyPermission(requiredPermissions: string[]): Promise<boolean>\n{\n    const session = await getAuthSessionData();\n\n    if (!session)\n    {\n        return false;\n    }\n\n    const userPermissionNames = session.permissions?.map((p: any) => p.name) || [];\n    return requiredPermissions.some(permission => userPermissionNames.includes(permission));\n}\n","/**\n * RequirePermission Guard Component\n *\n * Requires user to have at least one of the specified permissions\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport { hasAnyPermission } from './auth-utils';\nimport type { ReactNode } from 'react';\n\nexport interface RequirePermissionProps\n{\n    /**\n     * Required permission(s) - user must have at least one\n     */\n    permissions: string | string[];\n\n    /**\n     * Children to render if user has required permission\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if user doesn't have permission\n     * @default '/unauthorized'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Permission Guard\n *\n * Ensures user has at least one of the specified permissions\n *\n * @example Single permission\n * ```tsx\n * <RequirePermission permissions=\"user:delete\">\n *   <DeleteUserButton />\n * </RequirePermission>\n * ```\n *\n * @example Multiple permissions (OR condition)\n * ```tsx\n * <RequirePermission permissions={['user:delete', 'user:update']}>\n *   <UserManagement />\n * </RequirePermission>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequirePermission permissions=\"project:create\" fallback={<UpgradePrompt />}>\n *   <CreateProject />\n * </RequirePermission>\n * ```\n */\nexport async function RequirePermission({\n    permissions,\n    children,\n    redirectTo = '/unauthorized',\n    fallback,\n}: RequirePermissionProps)\n{\n    const session = await getSession();\n\n    // Not authenticated\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect('/login');\n    }\n\n    // Normalize to array\n    const requiredPermissions = Array.isArray(permissions) ? permissions : [permissions];\n\n    // Check if user has any of the required permissions\n    const hasPermission = await hasAnyPermission(requiredPermissions);\n\n    if (!hasPermission)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}"],"mappings":";AAAA,OAAO;;;ACMP,SAAS,gBAAgB;;;ACAzB,SAAS,eAAe;AACxB,SAAS,aAAa,eAAe,cAAc,eAAe,qBAAuC;AACzG,SAAS,cAAc;AA6DvB,eAAsB,YAClB,MACA,SAEJ;AAEI,MAAI;AAEJ,MAAI,SAAS,WAAW,QACxB;AAEI,aAAS,OAAO,QAAQ,WAAW,WAC7B,QAAQ,SACR,cAAc,QAAQ,MAAM;AAAA,EACtC,OAEA;AAEI,aAAS,cAAc;AAAA,EAC3B;AAEA,QAAM,QAAQ,MAAM,YAAY,MAAM,MAAM;AAC5C,QAAM,cAAc,MAAM,QAAQ;AAElC,cAAY,IAAI,aAAa,SAAS,OAAO;AAAA,IACzC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN;AAAA,EACJ,CAAC;AACL;AAOA,eAAsB,aACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,aAAa,OAAO;AAE1D,MAAI,CAAC,eACL;AACI,WAAO;AAAA,EACX;AAEA,MACA;AACI,WAAO,MAAM,6BAA6B,EAAE,QAAQ,cAAc,MAAM,CAAC;AACzE,UAAM,UAAU,MAAM,cAAc,cAAc,KAAK;AAEvD,WAAO;AAAA,MACH,QAAQ,QAAQ;AAAA,IACpB;AAAA,EACJ,SACO,OACP;AACI,YAAQ,MAAM,KAAK;AAKnB,WAAO,MAAM,6BAA6B;AAAA,MACtC,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AAED,WAAO;AAAA,EACX;AACJ;AAKA,eAAsB,eACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,cAAY,OAAO,aAAa,OAAO;AACvC,cAAY,OAAO,aAAa,cAAc;AAClD;;;ADzFmB;AAZnB,eAAsB,YAAY;AAAA,EAC9B;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAEjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gCAAG,oBAAS;AAAA,IACvB;AAEA,aAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gCAAG,UAAS;AACvB;;;AE7DA,SAAS,YAAAA,iBAAgB;;;ACAzB,SAAS,eAAe;AACxB,SAAS,kBAAkB;AAK3B,eAAe,qBACf;AACI,MACA;AACI,UAAM,UAAU,MAAM,QAAQ,eAAe,KAAK;AAClD,eAAW,WAAW,MAAM,0BAA0B,EAAE,MAAM,QAAQ,MAAM,KAAK,CAAC;AAElF,WAAO;AAAA,EACX,SACO,OACP;AACI,eAAW,WAAW,MAAM,8BAA8B,EAAE,MAAM,CAAC;AACnE,WAAO;AAAA,EACX;AACJ;AAKA,eAAsB,cACtB;AACI,QAAM,UAAU,MAAM,mBAAmB;AACzC,SAAO,SAAS,MAAM,QAAQ;AAClC;AAKA,eAAsB,qBACtB;AACI,QAAM,UAAU,MAAM,mBAAmB;AAEzC,MAAI,CAAC,SACL;AACI,WAAO,CAAC;AAAA,EACZ;AAEA,SAAO,QAAQ,aAAa,IAAI,CAAC,MAAW,EAAE,IAAI,KAAK,CAAC;AAC5D;AAKA,eAAsB,WAAW,eACjC;AACI,QAAM,UAAU,MAAM,mBAAmB;AACzC,MAAI,CAAC,SACL;AACI,WAAO;AAAA,EACX;AAEA,SAAO,cAAc,SAAS,QAAQ,MAAM,IAAI;AACpD;AAKA,eAAsB,iBAAiB,qBACvC;AACI,QAAM,UAAU,MAAM,mBAAmB;AAEzC,MAAI,CAAC,SACL;AACI,WAAO;AAAA,EACX;AAEA,QAAM,sBAAsB,QAAQ,aAAa,IAAI,CAAC,MAAW,EAAE,IAAI,KAAK,CAAC;AAC7E,SAAO,oBAAoB,KAAK,gBAAc,oBAAoB,SAAS,UAAU,CAAC;AAC1F;;;ADLmB,qBAAAC,WAAA,OAAAC,YAAA;AAdnB,eAAsB,YAAY;AAAA,EAC9B;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAGjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAA,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,QAAQ;AAAA,EACrB;AAGA,QAAM,gBAAgB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;AAG3D,QAAM,UAAU,MAAM,WAAW,aAAa;AAE9C,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAD,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gBAAAD,KAAAD,WAAA,EAAG,UAAS;AACvB;;;AE5FA,SAAS,YAAAG,iBAAgB;AAqEN,qBAAAC,WAAA,OAAAC,YAAA;AAdnB,eAAsB,kBAAkB;AAAA,EACpC;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAGjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAA,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,QAAQ;AAAA,EACrB;AAGA,QAAM,sBAAsB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW;AAGnF,QAAM,gBAAgB,MAAM,iBAAiB,mBAAmB;AAEhE,MAAI,CAAC,eACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAD,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gBAAAD,KAAAD,WAAA,EAAG,UAAS;AACvB;","names":["redirect","Fragment","jsx","redirect","redirect","Fragment","jsx","redirect"]}
+{"version":3,"sources":["../../src/nextjs/server.ts","../../src/nextjs/guards/require-auth.tsx","../../src/nextjs/session-helpers.ts","../../src/nextjs/guards/require-role.tsx","../../src/nextjs/guards/auth-utils.ts","../../src/nextjs/guards/require-permission.tsx","../../src/nextjs/oauth-handlers.ts"],"sourcesContent":["import \"server-only\";\n\nexport { RequireAuth } from './guards/require-auth';\nexport type { RequireAuthProps } from './guards/require-auth';\n\nexport { RequireRole } from './guards/require-role';\nexport type { RequireRoleProps } from './guards/require-role';\n\nexport { RequirePermission } from './guards/require-permission';\nexport type { RequirePermissionProps } from './guards/require-permission';\n\nexport { getUserRole, getUserPermissions, hasAnyRole, hasAnyPermission } from './guards/auth-utils';\n\n// Session helpers\nexport {\n    saveSession,\n    getSession,\n    clearSession,\n    // Pending session (OAuth)\n    sealPendingSession,\n    unsealPendingSession,\n    getPendingSession,\n    clearPendingSession,\n    type SessionData,\n    type PublicSession,\n    type SaveSessionOptions,\n    type PendingSessionData,\n} from './session-helpers';\n\n// OAuth handlers\nexport {\n    createOAuthCallbackHandler,\n    type OAuthCallbackOptions,\n} from './oauth-handlers';","/**\n * RequireAuth Guard Component\n *\n * Requires user to be authenticated\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport type { ReactNode } from 'react';\n\nexport interface RequireAuthProps\n{\n    /**\n     * Children to render if authenticated\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if not authenticated\n     * @default '/login'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Authentication Guard\n *\n * Ensures user is logged in before rendering children\n *\n * @example\n * ```tsx\n * <RequireAuth redirectTo=\"/login\">\n *   <DashboardContent />\n * </RequireAuth>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequireAuth fallback={<LoginPrompt />}>\n *   <PrivateContent />\n * </RequireAuth>\n * ```\n */\nexport async function RequireAuth({\n    children,\n    redirectTo = '/auth/login',\n    fallback,\n}: RequireAuthProps)\n{\n    const session = await getSession();\n\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}","/**\n * Session helpers for Next.js\n *\n * Server-side only (uses next/headers)\n */\n\nimport * as jose from 'jose';\nimport { cookies } from 'next/headers.js';\nimport {\n    sealSession,\n    unsealSession,\n    COOKIE_NAMES,\n    getSessionTtl,\n    parseDuration,\n    type SessionData,\n    type KeyAlgorithmType,\n} from '@spfn/auth/server';\nimport { env } from '@spfn/auth/config';\nimport { logger } from '@spfn/core/logger';\n\nexport type { SessionData };\n\n/**\n * Pending OAuth session data (before user ID is known)\n */\nexport interface PendingSessionData\n{\n    privateKey: string;\n    keyId: string;\n    algorithm: KeyAlgorithmType;\n}\n\n/**\n * Public session information (excludes sensitive data)\n */\nexport interface PublicSession\n{\n    /** User ID */\n    userId: string;\n}\n\n/**\n * Options for saveSession\n */\nexport interface SaveSessionOptions\n{\n    /**\n     * Session TTL (time to live)\n     *\n     * Supports:\n     * - Number: seconds (e.g., 2592000)\n     * - String: duration format ('30d', '12h', '45m', '3600s')\n     *\n     * If not provided, uses global configuration:\n     * 1. Global config (configureAuth)\n     * 2. Environment variable (SPFN_AUTH_SESSION_TTL)\n     * 3. Default (7d)\n     */\n    maxAge?: number | string;\n\n    /**\n     * Remember me option\n     *\n     * When true, uses extended session duration (if configured)\n     */\n    remember?: boolean;\n}\n\n/**\n * Save session to HttpOnly cookie\n *\n * @param data - Session data to save\n * @param options - Session options (maxAge, remember)\n *\n * @example\n * ```typescript\n * // Use global configuration\n * await saveSession(sessionData);\n *\n * // Custom TTL with duration string\n * await saveSession(sessionData, { maxAge: '30d' });\n *\n * // Custom TTL in seconds\n * await saveSession(sessionData, { maxAge: 2592000 });\n *\n * // Remember me\n * await saveSession(sessionData, { remember: true });\n * ```\n */\nexport async function saveSession(\n    data: SessionData,\n    options?: SaveSessionOptions\n): Promise<void>\n{\n    // Calculate maxAge\n    let maxAge: number;\n\n    if (options?.maxAge !== undefined)\n    {\n        // Custom maxAge provided\n        maxAge = typeof options.maxAge === 'number'\n            ? options.maxAge\n            : parseDuration(options.maxAge);\n    }\n    else\n    {\n        // Use getSessionTtl for consistent configuration\n        maxAge = getSessionTtl();\n    }\n\n    const token = await sealSession(data, maxAge);\n    const cookieStore = await cookies();\n\n    cookieStore.set(COOKIE_NAMES.SESSION, token, {\n        httpOnly: true,\n        secure: process.env.NODE_ENV === 'production',\n        sameSite: 'strict',\n        path: '/',\n        maxAge\n    });\n}\n\n/**\n * Get session from HttpOnly cookie\n *\n * Returns public session info only (excludes privateKey, algorithm, keyId)\n */\nexport async function getSession(): Promise<PublicSession | null>\n{\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get(COOKIE_NAMES.SESSION);\n\n    if (!sessionCookie)\n    {\n        return null;\n    }\n\n    try\n    {\n        logger.debug('Validating session cookie', { cookie: sessionCookie.value });\n        const session = await unsealSession(sessionCookie.value);\n        // Return only public information\n        return {\n            userId: session.userId,\n        };\n    }\n    catch (error)\n    {\n        // Session expired or invalid\n        // Note: Cannot delete cookies in Server Components (read-only)\n        // Use validateSessionMiddleware() in Next.js middleware for automatic cleanup\n        logger.debug('Session validation failed', {\n            error: error instanceof Error ? error.message : String(error)\n        });\n\n        return null;\n    }\n}\n\n/**\n * Clear session cookie\n */\nexport async function clearSession(): Promise<void>\n{\n    const cookieStore = await cookies();\n    cookieStore.delete(COOKIE_NAMES.SESSION);\n    cookieStore.delete(COOKIE_NAMES.SESSION_KEY_ID);\n}\n\n// ============================================================================\n// Pending OAuth Session (for OAuth flow)\n// ============================================================================\n\n/**\n * Get encryption key for pending session\n */\nasync function getPendingSessionKey(): Promise<Uint8Array>\n{\n    const secret = env.SPFN_AUTH_SESSION_SECRET;\n    const encoder = new TextEncoder();\n    const data = encoder.encode(`oauth-pending:${secret}`);\n    const hashBuffer = await crypto.subtle.digest('SHA-256', data);\n    return new Uint8Array(hashBuffer);\n}\n\n/**\n * Seal pending session data (for OAuth flow)\n *\n * @param data - Pending session data (privateKey, keyId, algorithm)\n * @param ttl - Time to live in seconds (default: 10 minutes)\n */\nexport async function sealPendingSession(\n    data: PendingSessionData,\n    ttl: number = 600\n): Promise<string>\n{\n    const key = await getPendingSessionKey();\n\n    return await new jose.EncryptJWT({ data })\n        .setProtectedHeader({ alg: 'dir', enc: 'A256GCM' })\n        .setIssuedAt()\n        .setExpirationTime(`${ttl}s`)\n        .setIssuer('spfn-auth')\n        .setAudience('spfn-oauth')\n        .encrypt(key);\n}\n\n/**\n * Unseal pending session data\n *\n * @param jwt - Encrypted pending session token\n */\nexport async function unsealPendingSession(jwt: string): Promise<PendingSessionData>\n{\n    const key = await getPendingSessionKey();\n\n    const { payload } = await jose.jwtDecrypt(jwt, key, {\n        issuer: 'spfn-auth',\n        audience: 'spfn-oauth',\n    });\n\n    return payload.data as PendingSessionData;\n}\n\n/**\n * Get pending session from cookie\n */\nexport async function getPendingSession(): Promise<PendingSessionData | null>\n{\n    const cookieStore = await cookies();\n    const pendingCookie = cookieStore.get(COOKIE_NAMES.OAUTH_PENDING);\n\n    if (!pendingCookie)\n    {\n        return null;\n    }\n\n    try\n    {\n        return await unsealPendingSession(pendingCookie.value);\n    }\n    catch (error)\n    {\n        logger.debug('Pending session validation failed', {\n            error: error instanceof Error ? error.message : String(error),\n        });\n        return null;\n    }\n}\n\n/**\n * Clear pending session cookie\n */\nexport async function clearPendingSession(): Promise<void>\n{\n    const cookieStore = await cookies();\n    cookieStore.delete(COOKIE_NAMES.OAUTH_PENDING);\n}\n","/**\n * RequireRole Guard Component\n *\n * Requires user to have at least one of the specified roles\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport { hasAnyRole } from './auth-utils';\nimport type { ReactNode } from 'react';\n\nexport interface RequireRoleProps\n{\n    /**\n     * Required role(s) - user must have at least one\n     */\n    roles: string | string[];\n\n    /**\n     * Children to render if user has required role\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if user doesn't have role\n     * @default '/unauthorized'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Role Guard\n *\n * Ensures user has at least one of the specified roles\n *\n * @example Single role\n * ```tsx\n * <RequireRole roles=\"admin\">\n *   <AdminPanel />\n * </RequireRole>\n * ```\n *\n * @example Multiple roles (OR condition)\n * ```tsx\n * <RequireRole roles={['admin', 'manager']}>\n *   <ManagementDashboard />\n * </RequireRole>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequireRole roles=\"admin\" fallback={<AccessDenied />}>\n *   <AdminContent />\n * </RequireRole>\n * ```\n */\nexport async function RequireRole({\n    roles,\n    children,\n    redirectTo = '/unauthorized',\n    fallback,\n}: RequireRoleProps)\n{\n    const session = await getSession();\n\n    // Not authenticated\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect('/login');\n    }\n\n    // Normalize to array\n    const requiredRoles = Array.isArray(roles) ? roles : [roles];\n\n    // Check if user has any of the required roles\n    const hasRole = await hasAnyRole(requiredRoles);\n\n    if (!hasRole)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}","/**\n * Server-side auth utilities for guards\n *\n * Uses authApi to check permissions in real-time\n */\n\nimport { authApi } from '@spfn/auth';\nimport { authLogger } from '@spfn/auth/server';\n\n/**\n * Get current auth session with roles and permissions via API\n */\nasync function getAuthSessionData()\n{\n    try\n    {\n        const session = await authApi.getAuthSession.call();\n        authLogger.middleware.debug('Auth session retrieved', { name: session.role?.name });\n\n        return session;\n    }\n    catch (error)\n    {\n        authLogger.middleware.error('Failed to get auth session', { error });\n        return null;\n    }\n}\n\n/**\n * Get user role\n */\nexport async function getUserRole(): Promise<string | null>\n{\n    const session = await getAuthSessionData();\n    return session?.role?.name || null;\n}\n\n/**\n * Get user permissions\n */\nexport async function getUserPermissions(): Promise<string[]>\n{\n    const session = await getAuthSessionData();\n\n    if (!session)\n    {\n        return [];\n    }\n\n    return session.permissions?.map((p: any) => p.name) || [];\n}\n\n/**\n * Check if user has any of the specified roles\n */\nexport async function hasAnyRole(requiredRoles: string[]): Promise<boolean>\n{\n    const session = await getAuthSessionData();\n    if (!session)\n    {\n        return false;\n    }\n\n    return requiredRoles.includes(session.role?.name);\n}\n\n/**\n * Check if user has any of the specified permissions\n */\nexport async function hasAnyPermission(requiredPermissions: string[]): Promise<boolean>\n{\n    const session = await getAuthSessionData();\n\n    if (!session)\n    {\n        return false;\n    }\n\n    const userPermissionNames = session.permissions?.map((p: any) => p.name) || [];\n    return requiredPermissions.some(permission => userPermissionNames.includes(permission));\n}\n","/**\n * RequirePermission Guard Component\n *\n * Requires user to have at least one of the specified permissions\n */\n\nimport { redirect } from 'next/navigation';\nimport { getSession } from '../session-helpers';\nimport { hasAnyPermission } from './auth-utils';\nimport type { ReactNode } from 'react';\n\nexport interface RequirePermissionProps\n{\n    /**\n     * Required permission(s) - user must have at least one\n     */\n    permissions: string | string[];\n\n    /**\n     * Children to render if user has required permission\n     */\n    children: ReactNode;\n\n    /**\n     * Path to redirect to if user doesn't have permission\n     * @default '/unauthorized'\n     */\n    redirectTo?: string;\n\n    /**\n     * Fallback UI to show instead of redirecting\n     */\n    fallback?: ReactNode;\n}\n\n/**\n * Require Permission Guard\n *\n * Ensures user has at least one of the specified permissions\n *\n * @example Single permission\n * ```tsx\n * <RequirePermission permissions=\"user:delete\">\n *   <DeleteUserButton />\n * </RequirePermission>\n * ```\n *\n * @example Multiple permissions (OR condition)\n * ```tsx\n * <RequirePermission permissions={['user:delete', 'user:update']}>\n *   <UserManagement />\n * </RequirePermission>\n * ```\n *\n * @example With fallback\n * ```tsx\n * <RequirePermission permissions=\"project:create\" fallback={<UpgradePrompt />}>\n *   <CreateProject />\n * </RequirePermission>\n * ```\n */\nexport async function RequirePermission({\n    permissions,\n    children,\n    redirectTo = '/unauthorized',\n    fallback,\n}: RequirePermissionProps)\n{\n    const session = await getSession();\n\n    // Not authenticated\n    if (!session)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect('/login');\n    }\n\n    // Normalize to array\n    const requiredPermissions = Array.isArray(permissions) ? permissions : [permissions];\n\n    // Check if user has any of the required permissions\n    const hasPermission = await hasAnyPermission(requiredPermissions);\n\n    if (!hasPermission)\n    {\n        if (fallback)\n        {\n            return <>{fallback}</>;\n        }\n\n        redirect(redirectTo);\n    }\n\n    return <>{children}</>;\n}","/**\n * OAuth Handlers for Next.js\n *\n * Helper functions to create OAuth callback route handlers\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport { cookies } from 'next/headers.js';\nimport { sealSession, COOKIE_NAMES, getSessionTtl } from '@spfn/auth/server';\nimport { env } from '@spfn/core/config';\nimport { logger } from '@spfn/core/logger';\nimport { unsealPendingSession } from './session-helpers';\n\nexport interface OAuthCallbackOptions\n{\n    /**\n     * Default redirect URL if returnUrl is not provided\n     * @default '/'\n     */\n    defaultRedirectUrl?: string;\n\n    /**\n     * Error redirect URL\n     * @default '/auth/error'\n     */\n    errorRedirectUrl?: string;\n}\n\n/**\n * Create OAuth callback handler for Next.js API Route\n *\n * Handles the final step of OAuth flow:\n * 1. Gets userId, keyId from query params (set by backend)\n * 2. Gets privateKey from pending session cookie\n * 3. Creates full session and saves to cookie\n * 4. Redirects to returnUrl\n *\n * @example\n * ```typescript\n * // /api/auth/callback/route.ts\n * import { createOAuthCallbackHandler } from '@spfn/auth/nextjs/server';\n * export const GET = createOAuthCallbackHandler();\n * ```\n */\nexport function createOAuthCallbackHandler(options?: OAuthCallbackOptions)\n{\n    const defaultRedirect = options?.defaultRedirectUrl || '/';\n    const errorRedirect = options?.errorRedirectUrl || '/auth/error';\n\n    return async (request: NextRequest): Promise<NextResponse> =>\n    {\n        const searchParams = request.nextUrl.searchParams;\n        const userId = searchParams.get('userId');\n        const keyId = searchParams.get('keyId');\n        const returnUrl = searchParams.get('returnUrl') || defaultRedirect;\n        const error = searchParams.get('error');\n\n        // Handle error from backend\n        if (error)\n        {\n            const errorUrl = new URL(errorRedirect, request.url);\n            errorUrl.searchParams.set('error', error);\n            return NextResponse.redirect(errorUrl);\n        }\n\n        // Validate required params\n        if (!userId || !keyId)\n        {\n            logger.error('OAuth callback missing required params', { userId: !!userId, keyId: !!keyId });\n            const errorUrl = new URL(errorRedirect, request.url);\n            errorUrl.searchParams.set('error', 'Missing required parameters');\n            return NextResponse.redirect(errorUrl);\n        }\n\n        try\n        {\n            // Get pending session from cookie\n            const cookieStore = await cookies();\n            const pendingCookie = cookieStore.get(COOKIE_NAMES.OAUTH_PENDING);\n\n            if (!pendingCookie)\n            {\n                throw new Error('OAuth session expired. Please try again.');\n            }\n\n            const pendingSession = await unsealPendingSession(pendingCookie.value);\n\n            // Verify keyId matches\n            if (pendingSession.keyId !== keyId)\n            {\n                throw new Error('Session mismatch. Please try again.');\n            }\n\n            // Create full session\n            const ttl = getSessionTtl();\n            const sessionToken = await sealSession({\n                userId,\n                privateKey: pendingSession.privateKey,\n                keyId: pendingSession.keyId,\n                algorithm: pendingSession.algorithm,\n            }, ttl);\n\n            // Build redirect response\n            const redirectUrl = new URL(returnUrl, request.url);\n            const response = NextResponse.redirect(redirectUrl);\n\n            // Set session cookie\n            response.cookies.set(COOKIE_NAMES.SESSION, sessionToken, {\n                httpOnly: true,\n                secure: env.NODE_ENV === 'production',\n                sameSite: 'strict',\n                maxAge: ttl,\n                path: '/',\n            });\n\n            // Set keyId cookie\n            response.cookies.set(COOKIE_NAMES.SESSION_KEY_ID, keyId, {\n                httpOnly: true,\n                secure: env.NODE_ENV === 'production',\n                sameSite: 'strict',\n                maxAge: ttl,\n                path: '/',\n            });\n\n            // Clear pending session cookie\n            response.cookies.delete(COOKIE_NAMES.OAUTH_PENDING);\n\n            logger.debug('OAuth callback completed', { userId, keyId });\n\n            return response;\n        }\n        catch (error)\n        {\n            const err = error as Error;\n            logger.error('OAuth callback failed', { error: err.message });\n\n            const errorUrl = new URL(errorRedirect, request.url);\n            errorUrl.searchParams.set('error', err.message);\n            return NextResponse.redirect(errorUrl);\n        }\n    };\n}\n"],"mappings":";AAAA,OAAO;;;ACMP,SAAS,gBAAgB;;;ACAzB,YAAY,UAAU;AACtB,SAAS,eAAe;AACxB;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAGG;AACP,SAAS,WAAW;AACpB,SAAS,cAAc;AAuEvB,eAAsB,YAClB,MACA,SAEJ;AAEI,MAAI;AAEJ,MAAI,SAAS,WAAW,QACxB;AAEI,aAAS,OAAO,QAAQ,WAAW,WAC7B,QAAQ,SACR,cAAc,QAAQ,MAAM;AAAA,EACtC,OAEA;AAEI,aAAS,cAAc;AAAA,EAC3B;AAEA,QAAM,QAAQ,MAAM,YAAY,MAAM,MAAM;AAC5C,QAAM,cAAc,MAAM,QAAQ;AAElC,cAAY,IAAI,aAAa,SAAS,OAAO;AAAA,IACzC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN;AAAA,EACJ,CAAC;AACL;AAOA,eAAsB,aACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,aAAa,OAAO;AAE1D,MAAI,CAAC,eACL;AACI,WAAO;AAAA,EACX;AAEA,MACA;AACI,WAAO,MAAM,6BAA6B,EAAE,QAAQ,cAAc,MAAM,CAAC;AACzE,UAAM,UAAU,MAAM,cAAc,cAAc,KAAK;AAEvD,WAAO;AAAA,MACH,QAAQ,QAAQ;AAAA,IACpB;AAAA,EACJ,SACO,OACP;AAII,WAAO,MAAM,6BAA6B;AAAA,MACtC,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AAED,WAAO;AAAA,EACX;AACJ;AAKA,eAAsB,eACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,cAAY,OAAO,aAAa,OAAO;AACvC,cAAY,OAAO,aAAa,cAAc;AAClD;AASA,eAAe,uBACf;AACI,QAAM,SAAS,IAAI;AACnB,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ,OAAO,iBAAiB,MAAM,EAAE;AACrD,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AAC7D,SAAO,IAAI,WAAW,UAAU;AACpC;AAQA,eAAsB,mBAClB,MACA,MAAc,KAElB;AACI,QAAM,MAAM,MAAM,qBAAqB;AAEvC,SAAO,MAAM,IAAS,gBAAW,EAAE,KAAK,CAAC,EACpC,mBAAmB,EAAE,KAAK,OAAO,KAAK,UAAU,CAAC,EACjD,YAAY,EACZ,kBAAkB,GAAG,GAAG,GAAG,EAC3B,UAAU,WAAW,EACrB,YAAY,YAAY,EACxB,QAAQ,GAAG;AACpB;AAOA,eAAsB,qBAAqB,KAC3C;AACI,QAAM,MAAM,MAAM,qBAAqB;AAEvC,QAAM,EAAE,QAAQ,IAAI,MAAW,gBAAW,KAAK,KAAK;AAAA,IAChD,QAAQ;AAAA,IACR,UAAU;AAAA,EACd,CAAC;AAED,SAAO,QAAQ;AACnB;AAKA,eAAsB,oBACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,gBAAgB,YAAY,IAAI,aAAa,aAAa;AAEhE,MAAI,CAAC,eACL;AACI,WAAO;AAAA,EACX;AAEA,MACA;AACI,WAAO,MAAM,qBAAqB,cAAc,KAAK;AAAA,EACzD,SACO,OACP;AACI,WAAO,MAAM,qCAAqC;AAAA,MAC9C,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AACD,WAAO;AAAA,EACX;AACJ;AAKA,eAAsB,sBACtB;AACI,QAAM,cAAc,MAAM,QAAQ;AAClC,cAAY,OAAO,aAAa,aAAa;AACjD;;;ADrMmB;AAZnB,eAAsB,YAAY;AAAA,EAC9B;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAEjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gCAAG,oBAAS;AAAA,IACvB;AAEA,aAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gCAAG,UAAS;AACvB;;;AE7DA,SAAS,YAAAA,iBAAgB;;;ACAzB,SAAS,eAAe;AACxB,SAAS,kBAAkB;AAK3B,eAAe,qBACf;AACI,MACA;AACI,UAAM,UAAU,MAAM,QAAQ,eAAe,KAAK;AAClD,eAAW,WAAW,MAAM,0BAA0B,EAAE,MAAM,QAAQ,MAAM,KAAK,CAAC;AAElF,WAAO;AAAA,EACX,SACO,OACP;AACI,eAAW,WAAW,MAAM,8BAA8B,EAAE,MAAM,CAAC;AACnE,WAAO;AAAA,EACX;AACJ;AAKA,eAAsB,cACtB;AACI,QAAM,UAAU,MAAM,mBAAmB;AACzC,SAAO,SAAS,MAAM,QAAQ;AAClC;AAKA,eAAsB,qBACtB;AACI,QAAM,UAAU,MAAM,mBAAmB;AAEzC,MAAI,CAAC,SACL;AACI,WAAO,CAAC;AAAA,EACZ;AAEA,SAAO,QAAQ,aAAa,IAAI,CAAC,MAAW,EAAE,IAAI,KAAK,CAAC;AAC5D;AAKA,eAAsB,WAAW,eACjC;AACI,QAAM,UAAU,MAAM,mBAAmB;AACzC,MAAI,CAAC,SACL;AACI,WAAO;AAAA,EACX;AAEA,SAAO,cAAc,SAAS,QAAQ,MAAM,IAAI;AACpD;AAKA,eAAsB,iBAAiB,qBACvC;AACI,QAAM,UAAU,MAAM,mBAAmB;AAEzC,MAAI,CAAC,SACL;AACI,WAAO;AAAA,EACX;AAEA,QAAM,sBAAsB,QAAQ,aAAa,IAAI,CAAC,MAAW,EAAE,IAAI,KAAK,CAAC;AAC7E,SAAO,oBAAoB,KAAK,gBAAc,oBAAoB,SAAS,UAAU,CAAC;AAC1F;;;ADLmB,qBAAAC,WAAA,OAAAC,YAAA;AAdnB,eAAsB,YAAY;AAAA,EAC9B;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAGjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAA,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,QAAQ;AAAA,EACrB;AAGA,QAAM,gBAAgB,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;AAG3D,QAAM,UAAU,MAAM,WAAW,aAAa;AAE9C,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAD,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gBAAAD,KAAAD,WAAA,EAAG,UAAS;AACvB;;;AE5FA,SAAS,YAAAG,iBAAgB;AAqEN,qBAAAC,WAAA,OAAAC,YAAA;AAdnB,eAAsB,kBAAkB;AAAA,EACpC;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACJ,GACA;AACI,QAAM,UAAU,MAAM,WAAW;AAGjC,MAAI,CAAC,SACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAA,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,QAAQ;AAAA,EACrB;AAGA,QAAM,sBAAsB,MAAM,QAAQ,WAAW,IAAI,cAAc,CAAC,WAAW;AAGnF,QAAM,gBAAgB,MAAM,iBAAiB,mBAAmB;AAEhE,MAAI,CAAC,eACL;AACI,QAAI,UACJ;AACI,aAAO,gBAAAD,KAAAD,WAAA,EAAG,oBAAS;AAAA,IACvB;AAEA,IAAAE,UAAS,UAAU;AAAA,EACvB;AAEA,SAAO,gBAAAD,KAAAD,WAAA,EAAG,UAAS;AACvB;;;AC5FA,SAAsB,oBAAoB;AAC1C,SAAS,WAAAG,gBAAe;AACxB,SAAS,eAAAC,cAAa,gBAAAC,eAAc,iBAAAC,sBAAqB;AACzD,SAAS,OAAAC,YAAW;AACpB,SAAS,UAAAC,eAAc;AAkChB,SAAS,2BAA2B,SAC3C;AACI,QAAM,kBAAkB,SAAS,sBAAsB;AACvD,QAAM,gBAAgB,SAAS,oBAAoB;AAEnD,SAAO,OAAO,YACd;AACI,UAAM,eAAe,QAAQ,QAAQ;AACrC,UAAM,SAAS,aAAa,IAAI,QAAQ;AACxC,UAAM,QAAQ,aAAa,IAAI,OAAO;AACtC,UAAM,YAAY,aAAa,IAAI,WAAW,KAAK;AACnD,UAAM,QAAQ,aAAa,IAAI,OAAO;AAGtC,QAAI,OACJ;AACI,YAAM,WAAW,IAAI,IAAI,eAAe,QAAQ,GAAG;AACnD,eAAS,aAAa,IAAI,SAAS,KAAK;AACxC,aAAO,aAAa,SAAS,QAAQ;AAAA,IACzC;AAGA,QAAI,CAAC,UAAU,CAAC,OAChB;AACI,MAAAC,QAAO,MAAM,0CAA0C,EAAE,QAAQ,CAAC,CAAC,QAAQ,OAAO,CAAC,CAAC,MAAM,CAAC;AAC3F,YAAM,WAAW,IAAI,IAAI,eAAe,QAAQ,GAAG;AACnD,eAAS,aAAa,IAAI,SAAS,6BAA6B;AAChE,aAAO,aAAa,SAAS,QAAQ;AAAA,IACzC;AAEA,QACA;AAEI,YAAM,cAAc,MAAMC,SAAQ;AAClC,YAAM,gBAAgB,YAAY,IAAIC,cAAa,aAAa;AAEhE,UAAI,CAAC,eACL;AACI,cAAM,IAAI,MAAM,0CAA0C;AAAA,MAC9D;AAEA,YAAM,iBAAiB,MAAM,qBAAqB,cAAc,KAAK;AAGrE,UAAI,eAAe,UAAU,OAC7B;AACI,cAAM,IAAI,MAAM,qCAAqC;AAAA,MACzD;AAGA,YAAM,MAAMC,eAAc;AAC1B,YAAM,eAAe,MAAMC,aAAY;AAAA,QACnC;AAAA,QACA,YAAY,eAAe;AAAA,QAC3B,OAAO,eAAe;AAAA,QACtB,WAAW,eAAe;AAAA,MAC9B,GAAG,GAAG;AAGN,YAAM,cAAc,IAAI,IAAI,WAAW,QAAQ,GAAG;AAClD,YAAM,WAAW,aAAa,SAAS,WAAW;AAGlD,eAAS,QAAQ,IAAIF,cAAa,SAAS,cAAc;AAAA,QACrD,UAAU;AAAA,QACV,QAAQG,KAAI,aAAa;AAAA,QACzB,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,MAAM;AAAA,MACV,CAAC;AAGD,eAAS,QAAQ,IAAIH,cAAa,gBAAgB,OAAO;AAAA,QACrD,UAAU;AAAA,QACV,QAAQG,KAAI,aAAa;AAAA,QACzB,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,MAAM;AAAA,MACV,CAAC;AAGD,eAAS,QAAQ,OAAOH,cAAa,aAAa;AAElD,MAAAF,QAAO,MAAM,4BAA4B,EAAE,QAAQ,MAAM,CAAC;AAE1D,aAAO;AAAA,IACX,SACOM,QACP;AACI,YAAM,MAAMA;AACZ,MAAAN,QAAO,MAAM,yBAAyB,EAAE,OAAO,IAAI,QAAQ,CAAC;AAE5D,YAAM,WAAW,IAAI,IAAI,eAAe,QAAQ,GAAG;AACnD,eAAS,aAAa,IAAI,SAAS,IAAI,OAAO;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACzC;AAAA,EACJ;AACJ;","names":["redirect","Fragment","jsx","redirect","redirect","Fragment","jsx","redirect","cookies","sealSession","COOKIE_NAMES","getSessionTtl","env","logger","logger","cookies","COOKIE_NAMES","getSessionTtl","sealSession","env","error"]}