npm - @stackwright-pro/auth-nextjs - Versions diffs - 0.2.0-alpha.4 → 0.3.0-alpha.0 - Mend

@stackwright-pro/auth-nextjs 0.2.0-alpha.4 → 0.3.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/LICENSE +21 -0
package/README.md +36 -4
package/dist/chunk-MFZSH4YL.mjs +58 -0
package/dist/chunk-MFZSH4YL.mjs.map +1 -0
package/dist/index.d.mts +119 -33
package/dist/index.d.ts +119 -33
package/dist/index.js +86 -3
package/dist/index.js.map +1 -1
package/dist/index.mjs +74 -44
package/dist/index.mjs.map +1 -1
package/dist/proxy-Blj2kIJp.d.mts +67 -0
package/dist/proxy-Blj2kIJp.d.ts +67 -0
package/dist/proxy.d.mts +4 -0
package/dist/proxy.d.ts +4 -0
package/dist/proxy.js +83 -0
package/dist/proxy.js.map +1 -0
package/dist/proxy.mjs +7 -0
package/dist/proxy.mjs.map +1 -0
package/package.json +12 -6

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+PROPRIETARY SOFTWARE LICENSE
+Copyright (c) 2024-2026 Per Aspera LLC. All Rights Reserved.
+This software and associated documentation files (the "Software") are the
+proprietary and confidential property of Per Aspera LLC ("Company").
+RESTRICTIONS: You may not use, copy, modify, merge, publish, distribute,
+sublicense, sell, or otherwise exploit this Software or any portion thereof
+without the express prior written consent of the Company.
+GOVERNMENT USE: Use, duplication, or disclosure by the U.S. Government is
+subject to restrictions as set forth in FAR 52.227-19 (Commercial Computer
+Software - Restricted Rights) and DFARS 252.227-7013 (Rights in Technical
+Data and Computer Software), as applicable.
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED. IN NO EVENT SHALL THE COMPANY BE LIABLE FOR ANY CLAIM, DAMAGES, OR
+OTHER LIABILITY ARISING FROM THE USE OF THE SOFTWARE.
+For licensing inquiries: legal@peraspera.com

package/README.md CHANGED Viewed

@@ -10,10 +10,35 @@ pnpm add @stackwright-pro/auth-nextjs
 ## Usage
-### Middleware (Route Protection)
+### Proxy (Next.js >=16 — Recommended)
+Next.js 16 deprecated the `middleware.ts` convention in favor of `proxy.ts`. Use `createAuthProxy` for new projects:
 ```typescript
-// middleware.ts
+// proxy.ts (project root)
+import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+import { sessionManager, rbacEngine, authConfig } from './lib/auth';
+export default createAuthProxy({
+  authConfig,
+  sessionManager,
+  rbacEngine,
+  cookieName: 'my_session',
+  loginUrl: '/login',
+  unauthorizedUrl: '/403',
+});
+export const config = {
+  matcher: ['/((?!_next|api/auth|login).*)'],
+};
+```
+### Middleware (Next.js 14–15 — Legacy)
+> **Deprecated**: For Next.js >=16, use `createAuthProxy` above instead.
+```typescript
+// middleware.ts (project root)
 import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
 import { sessionManager, rbacEngine, authConfig } from './lib/auth';
@@ -59,11 +84,18 @@ import { setSessionCookie } from '@stackwright-pro/auth-nextjs';
 export default async function handler(req, res) {
   const session = await authenticateUser(req.body);
   const jwt = await sessionManager.serialize(session);
   setSessionCookie(res, jwt, {
     maxAge: 900, // 15 minutes
   });
   res.json({ success: true });
 }
 ```
+## Subpath Exports
+| Import path                          | Convention                  | Next.js version |
+| ------------------------------------ | --------------------------- | --------------- |
+| `@stackwright-pro/auth-nextjs`       | Both exports available      | All             |
+| `@stackwright-pro/auth-nextjs/proxy` | Proxy only (tree-shakeable) | >=16            |

package/dist/chunk-MFZSH4YL.mjs ADDED Viewed

@@ -0,0 +1,58 @@
+// src/auth-handler.ts
+import { NextResponse } from "next/server";
+function createAuthHandler(config) {
+  const {
+    sessionManager,
+    rbacEngine,
+    cookieName = "stackwright_session",
+    loginUrl = "/login",
+    unauthorizedUrl = "/unauthorized"
+  } = config;
+  return async function authHandler(request) {
+    const { pathname } = request.nextUrl;
+    if (rbacEngine.isPublicRoute(pathname)) {
+      return void 0;
+    }
+    const sessionCookie = request.cookies.get(cookieName);
+    let session = null;
+    if (sessionCookie) {
+      session = await sessionManager.deserialize(sessionCookie.value);
+    }
+    if (!session || sessionManager.isExpired(session)) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginUrl;
+      url.searchParams.set("redirect", pathname);
+      return NextResponse.redirect(url);
+    }
+    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
+      const url = request.nextUrl.clone();
+      url.pathname = unauthorizedUrl;
+      return NextResponse.redirect(url);
+    }
+    if (sessionManager.shouldRefresh(session)) {
+      const refreshed = await sessionManager.refreshSession(session);
+      const newJwt = await sessionManager.serialize(refreshed);
+      const response = NextResponse.next();
+      response.cookies.set(cookieName, newJwt, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax",
+        maxAge: 900
+        // 15 minutes
+      });
+      return response;
+    }
+    return void 0;
+  };
+}
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
+export {
+  createAuthHandler,
+  createAuthProxy
+};
+//# sourceMappingURL=chunk-MFZSH4YL.mjs.map

package/dist/chunk-MFZSH4YL.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/auth-handler.ts","../src/proxy.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n SessionManager,\n RBACEngine,\n type AuthConfig,\n type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n /**\n * Auth configuration\n */\n authConfig: AuthConfig;\n\n /**\n * Session manager instance\n */\n sessionManager: SessionManager;\n\n /**\n * RBAC engine instance\n */\n rbacEngine: RBACEngine;\n\n /**\n * Cookie name for session (default: 'stackwright_session')\n */\n cookieName?: string;\n\n /**\n * URL to redirect to when authentication fails (default: '/login')\n */\n loginUrl?: string;\n\n /**\n * URL to redirect to when authorization fails (default: '/unauthorized')\n */\n unauthorizedUrl?: string;\n}\n\n/**\n * Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n *\n * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n */\nexport function createAuthHandler(config: AuthHandlerConfig) {\n const {\n sessionManager,\n rbacEngine,\n cookieName = 'stackwright_session',\n loginUrl = '/login',\n unauthorizedUrl = '/unauthorized',\n } = config;\n\n return async function authHandler(request: NextRequest): Promise<NextResponse | undefined> {\n const { pathname } = request.nextUrl;\n\n // Check if route is public\n if (rbacEngine.isPublicRoute(pathname)) {\n return undefined; // Continue to next handler\n }\n\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n let session: AuthSession | null = null;\n\n if (sessionCookie) {\n session = await sessionManager.deserialize(sessionCookie.value);\n }\n\n // Check if session is valid\n if (!session || sessionManager.isExpired(session)) {\n // Redirect to login\n const url = request.nextUrl.clone();\n url.pathname = loginUrl;\n url.searchParams.set('redirect', pathname);\n return NextResponse.redirect(url);\n }\n\n // Check if user can access route\n if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n // Redirect to unauthorized\n const url = request.nextUrl.clone();\n url.pathname = unauthorizedUrl;\n return NextResponse.redirect(url);\n }\n\n // Refresh session if needed\n if (sessionManager.shouldRefresh(session)) {\n const refreshed = await sessionManager.refreshSession(session);\n const newJwt = await sessionManager.serialize(refreshed);\n\n const response = NextResponse.next();\n response.cookies.set(cookieName, newJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge: 900, // 15 minutes\n });\n\n return response;\n }\n\n // Allow request to continue\n return undefined;\n };\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js proxy-based auth (Next.js >=16).\n */\nexport type ProxyConfig = AuthHandlerConfig;\n\n/**\n * Create a Next.js proxy handler for authentication and authorization.\n *\n * For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n *\n * @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthProxy({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n *\n * export const config = {\n * matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthProxy(config: ProxyConfig) {\n return createAuthHandler(config);\n}\n"],"mappings":";AAAA,SAA2B,oBAAoB;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,aAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC9EO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;","names":[]}

package/dist/index.d.mts CHANGED Viewed

@@ -1,40 +1,29 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { AuthConfig, SessionManager, RBACEngine, AuthSession, CookieOptions } from '@stackwright-pro/auth';
-export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import * as next_server_js from 'next/server.js';
+import { A as AuthHandlerConfig } from './proxy-Blj2kIJp.mjs';
+export { P as ProxyConfig, c as createAuthHandler, a as createAuthProxy } from './proxy-Blj2kIJp.mjs';
 import { NextApiRequest, NextApiResponse } from 'next';
+import { AuthSession, SessionManager, RBACEngine, CookieOptions } from '@stackwright-pro/auth';
+export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import { NextRequest, NextResponse } from 'next/server';
-interface MiddlewareConfig {
-    /**
-     * Auth configuration
-     */
-    authConfig: AuthConfig;
-    /**
-     * Session manager instance
-     */
-    sessionManager: SessionManager;
-    /**
-     * RBAC engine instance
-     */
-    rbacEngine: RBACEngine;
-    /**
-     * Cookie name for session (default: 'stackwright_session')
-     */
-    cookieName?: string;
-    /**
-     * URL to redirect to when authentication fails (default: '/login')
-     */
-    loginUrl?: string;
-    /**
-     * URL to redirect to when authorization fails (default: '/unauthorized')
-     */
-    unauthorizedUrl?: string;
-}
 /**
- * Create Next.js middleware for authentication and authorization
+ * Configuration for Next.js middleware-based auth (Next.js <16).
+ *
+ * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16.
+ */
+type MiddlewareConfig = AuthHandlerConfig;
+/**
+ * Create Next.js middleware for authentication and authorization.
+ *
+ * For Next.js 14–15 projects that use the `middleware.ts` file convention.
+ *
+ * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.
  *
  * @example
  * ```typescript
- * // middleware.ts
+ * // middleware.ts (Next.js 14–15)
  * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
  *
  * export default createAuthMiddleware({
@@ -48,7 +37,7 @@ interface MiddlewareConfig {
  * };
  * ```
  */
-declare function createAuthMiddleware(config: MiddlewareConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+declare function createAuthMiddleware(config: MiddlewareConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
 interface ProtectedRouteConfig {
     /**
@@ -107,4 +96,101 @@ declare function setSessionCookie(res: NextApiResponse, sessionJwt: string, opti
  */
 declare function clearSessionCookie(res: NextApiResponse, options?: Pick<CookieOptions, 'name' | 'domain' | 'path'>): void;
-export { type AuthenticatedHandler, type MiddlewareConfig, type ProtectedRouteConfig, clearSessionCookie, createAuthMiddleware, protectedRoute, setSessionCookie };
+interface RouteHandlerConfig {
+    /**
+     * Session manager for validating sessions
+     */
+    sessionManager: SessionManager;
+    /**
+     * Required roles (user must have ANY of these)
+     */
+    roles?: string[];
+    /**
+     * Required permissions (user must have ALL of these)
+     */
+    permissions?: string[];
+    /**
+     * Cookie name (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * Optional RBAC engine for wildcard-aware role/permission checking.
+     * When provided, authorization decisions use RBACEngine (consistent
+     * with middleware). Without it, falls back to direct array checks.
+     */
+    rbacEngine?: RBACEngine;
+}
+/**
+ * Handler function with authenticated session — App Router Route Handler signature.
+ */
+type AuthenticatedRouteHandler = (request: NextRequest, context: {
+    params: Record<string, string>;
+}, session: AuthSession) => Promise<Response> | Response;
+/**
+ * Wrap an App Router Route Handler with authentication/authorization.
+ *
+ * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/equipment/[id]/route.ts
+ * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';
+ *
+ * export const GET = protectedRouteHandler(
+ *   async (request, { params }, session) => {
+ *     const equipment = await getEquipment(params.id);
+ *     return NextResponse.json(equipment);
+ *   },
+ *   {
+ *     sessionManager,
+ *     roles: ['ANALYST', 'ADMIN'],
+ *   }
+ * );
+ * ```
+ */
+declare function protectedRouteHandler(handler: AuthenticatedRouteHandler, config: RouteHandlerConfig): (request: NextRequest, context: {
+    params: Record<string, string>;
+}) => Promise<Response>;
+/**
+ * Set the session cookie on a `NextResponse` (App Router).
+ *
+ * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/login/route.ts
+ * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';
+ *
+ * export async function POST(request: NextRequest) {
+ *   const session = await createSession(request);
+ *   const jwt = await sessionManager.serialize(session);
+ *   const response = NextResponse.json({ ok: true });
+ *   return setSessionCookieOnResponse(response, jwt);
+ * }
+ * ```
+ */
+declare function setSessionCookieOnResponse(response: NextResponse, sessionJwt: string, options?: {
+    cookieName?: string;
+    maxAge?: number;
+}): NextResponse;
+/**
+ * Clear the session cookie on a `NextResponse` (App Router).
+ *
+ * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/logout/route.ts
+ * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';
+ *
+ * export async function POST() {
+ *   const response = NextResponse.json({ ok: true });
+ *   return clearSessionCookieOnResponse(response);
+ * }
+ * ```
+ */
+declare function clearSessionCookieOnResponse(response: NextResponse, options?: {
+    cookieName?: string;
+}): NextResponse;
+export { AuthHandlerConfig, type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };

package/dist/index.d.ts CHANGED Viewed

@@ -1,40 +1,29 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { AuthConfig, SessionManager, RBACEngine, AuthSession, CookieOptions } from '@stackwright-pro/auth';
-export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import * as next_server_js from 'next/server.js';
+import { A as AuthHandlerConfig } from './proxy-Blj2kIJp.js';
+export { P as ProxyConfig, c as createAuthHandler, a as createAuthProxy } from './proxy-Blj2kIJp.js';
 import { NextApiRequest, NextApiResponse } from 'next';
+import { AuthSession, SessionManager, RBACEngine, CookieOptions } from '@stackwright-pro/auth';
+export { AuthConfig, AuthContext, AuthContextValue, AuthProvider, AuthProviderProps, AuthSession, AuthUser, RBACEngine, useAuth, useRequireAuth } from '@stackwright-pro/auth';
+import { NextRequest, NextResponse } from 'next/server';
-interface MiddlewareConfig {
-    /**
-     * Auth configuration
-     */
-    authConfig: AuthConfig;
-    /**
-     * Session manager instance
-     */
-    sessionManager: SessionManager;
-    /**
-     * RBAC engine instance
-     */
-    rbacEngine: RBACEngine;
-    /**
-     * Cookie name for session (default: 'stackwright_session')
-     */
-    cookieName?: string;
-    /**
-     * URL to redirect to when authentication fails (default: '/login')
-     */
-    loginUrl?: string;
-    /**
-     * URL to redirect to when authorization fails (default: '/unauthorized')
-     */
-    unauthorizedUrl?: string;
-}
 /**
- * Create Next.js middleware for authentication and authorization
+ * Configuration for Next.js middleware-based auth (Next.js <16).
+ *
+ * @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16.
+ */
+type MiddlewareConfig = AuthHandlerConfig;
+/**
+ * Create Next.js middleware for authentication and authorization.
+ *
+ * For Next.js 14–15 projects that use the `middleware.ts` file convention.
+ *
+ * @deprecated For Next.js >=16, use {@link createAuthProxy} instead.
+ * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.
  *
  * @example
  * ```typescript
- * // middleware.ts
+ * // middleware.ts (Next.js 14–15)
  * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';
  *
  * export default createAuthMiddleware({
@@ -48,7 +37,7 @@ interface MiddlewareConfig {
  * };
  * ```
  */
-declare function createAuthMiddleware(config: MiddlewareConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+declare function createAuthMiddleware(config: MiddlewareConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
 interface ProtectedRouteConfig {
     /**
@@ -107,4 +96,101 @@ declare function setSessionCookie(res: NextApiResponse, sessionJwt: string, opti
  */
 declare function clearSessionCookie(res: NextApiResponse, options?: Pick<CookieOptions, 'name' | 'domain' | 'path'>): void;
-export { type AuthenticatedHandler, type MiddlewareConfig, type ProtectedRouteConfig, clearSessionCookie, createAuthMiddleware, protectedRoute, setSessionCookie };
+interface RouteHandlerConfig {
+    /**
+     * Session manager for validating sessions
+     */
+    sessionManager: SessionManager;
+    /**
+     * Required roles (user must have ANY of these)
+     */
+    roles?: string[];
+    /**
+     * Required permissions (user must have ALL of these)
+     */
+    permissions?: string[];
+    /**
+     * Cookie name (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * Optional RBAC engine for wildcard-aware role/permission checking.
+     * When provided, authorization decisions use RBACEngine (consistent
+     * with middleware). Without it, falls back to direct array checks.
+     */
+    rbacEngine?: RBACEngine;
+}
+/**
+ * Handler function with authenticated session — App Router Route Handler signature.
+ */
+type AuthenticatedRouteHandler = (request: NextRequest, context: {
+    params: Record<string, string>;
+}, session: AuthSession) => Promise<Response> | Response;
+/**
+ * Wrap an App Router Route Handler with authentication/authorization.
+ *
+ * This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/equipment/[id]/route.ts
+ * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';
+ *
+ * export const GET = protectedRouteHandler(
+ *   async (request, { params }, session) => {
+ *     const equipment = await getEquipment(params.id);
+ *     return NextResponse.json(equipment);
+ *   },
+ *   {
+ *     sessionManager,
+ *     roles: ['ANALYST', 'ADMIN'],
+ *   }
+ * );
+ * ```
+ */
+declare function protectedRouteHandler(handler: AuthenticatedRouteHandler, config: RouteHandlerConfig): (request: NextRequest, context: {
+    params: Record<string, string>;
+}) => Promise<Response>;
+/**
+ * Set the session cookie on a `NextResponse` (App Router).
+ *
+ * This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/login/route.ts
+ * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';
+ *
+ * export async function POST(request: NextRequest) {
+ *   const session = await createSession(request);
+ *   const jwt = await sessionManager.serialize(session);
+ *   const response = NextResponse.json({ ok: true });
+ *   return setSessionCookieOnResponse(response, jwt);
+ * }
+ * ```
+ */
+declare function setSessionCookieOnResponse(response: NextResponse, sessionJwt: string, options?: {
+    cookieName?: string;
+    maxAge?: number;
+}): NextResponse;
+/**
+ * Clear the session cookie on a `NextResponse` (App Router).
+ *
+ * This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/logout/route.ts
+ * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';
+ *
+ * export async function POST() {
+ *   const response = NextResponse.json({ ok: true });
+ *   return clearSessionCookieOnResponse(response);
+ * }
+ * ```
+ */
+declare function clearSessionCookieOnResponse(response: NextResponse, options?: {
+    cookieName?: string;
+}): NextResponse;
+export { AuthHandlerConfig, type AuthenticatedHandler, type AuthenticatedRouteHandler, type MiddlewareConfig, type ProtectedRouteConfig, type RouteHandlerConfig, clearSessionCookie, clearSessionCookieOnResponse, createAuthMiddleware, protectedRoute, protectedRouteHandler, setSessionCookie, setSessionCookieOnResponse };

package/dist/index.js CHANGED Viewed

@@ -24,17 +24,22 @@ __export(index_exports, {
   AuthProvider: () => import_auth3.AuthProvider,
   RBACEngine: () => import_auth2.RBACEngine,
   clearSessionCookie: () => clearSessionCookie,
+  clearSessionCookieOnResponse: () => clearSessionCookieOnResponse,
+  createAuthHandler: () => createAuthHandler,
   createAuthMiddleware: () => createAuthMiddleware,
+  createAuthProxy: () => createAuthProxy,
   protectedRoute: () => protectedRoute,
+  protectedRouteHandler: () => protectedRouteHandler,
   setSessionCookie: () => setSessionCookie,
+  setSessionCookieOnResponse: () => setSessionCookieOnResponse,
   useAuth: () => import_auth3.useAuth,
   useRequireAuth: () => import_auth3.useRequireAuth
 });
 module.exports = __toCommonJS(index_exports);
-// src/middleware.ts
+// src/auth-handler.ts
 var import_server = require("next/server");
-function createAuthMiddleware(config) {
+function createAuthHandler(config) {
   const {
     sessionManager,
     rbacEngine,
@@ -42,7 +47,7 @@ function createAuthMiddleware(config) {
     loginUrl = "/login",
     unauthorizedUrl = "/unauthorized"
   } = config;
-  return async function authMiddleware(request) {
+  return async function authHandler(request) {
     const { pathname } = request.nextUrl;
     if (rbacEngine.isPublicRoute(pathname)) {
       return void 0;
@@ -80,6 +85,16 @@ function createAuthMiddleware(config) {
   };
 }
+// src/middleware.ts
+function createAuthMiddleware(config) {
+  return createAuthHandler(config);
+}
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
 // src/api-helpers.ts
 function protectedRoute(handler, config) {
   const { sessionManager, roles, permissions, cookieName = "stackwright_session" } = config;
@@ -151,15 +166,83 @@ function clearSessionCookie(res, options = {}) {
 // src/index.ts
 var import_auth2 = require("@stackwright-pro/auth");
 var import_auth3 = require("@stackwright-pro/auth");
+// src/route-handlers.ts
+var import_server2 = require("next/server");
+function protectedRouteHandler(handler, config) {
+  const {
+    sessionManager,
+    roles,
+    permissions,
+    cookieName = "stackwright_session",
+    rbacEngine
+  } = config;
+  return async (request, context) => {
+    const sessionCookie = request.cookies.get(cookieName);
+    if (!sessionCookie) {
+      return import_server2.NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+    }
+    const session = await sessionManager.deserialize(sessionCookie.value);
+    if (!session || sessionManager.isExpired(session)) {
+      return import_server2.NextResponse.json({ error: "Session expired" }, { status: 401 });
+    }
+    if (roles && roles.length > 0) {
+      if (rbacEngine) {
+        if (!rbacEngine.hasAnyRole(session.user, roles)) {
+          return import_server2.NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      } else {
+        const hasRole = roles.some((role) => session.user.roles.includes(role));
+        if (!hasRole) {
+          return import_server2.NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      }
+    }
+    if (permissions && permissions.length > 0) {
+      if (rbacEngine) {
+        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {
+          return import_server2.NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      } else {
+        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));
+        if (!hasAllPermissions) {
+          return import_server2.NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      }
+    }
+    return handler(request, context, session);
+  };
+}
+function setSessionCookieOnResponse(response, sessionJwt, options = {}) {
+  const cookieName = options.cookieName ?? "stackwright_session";
+  const maxAge = options.maxAge ?? 900;
+  response.cookies.set(cookieName, sessionJwt, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    maxAge
+  });
+  return response;
+}
+function clearSessionCookieOnResponse(response, options = {}) {
+  const cookieName = options.cookieName ?? "stackwright_session";
+  response.cookies.delete(cookieName);
+  return response;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthContext,
   AuthProvider,
   RBACEngine,
   clearSessionCookie,
+  clearSessionCookieOnResponse,
+  createAuthHandler,
   createAuthMiddleware,
+  createAuthProxy,
   protectedRoute,
+  protectedRouteHandler,
   setSessionCookie,
+  setSessionCookieOnResponse,
   useAuth,
   useRequireAuth
 });

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts"],"sourcesContent":["export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport {\n protectedRoute,\n type ProtectedRouteConfig,\n type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n SessionManager,\n RBACEngine,\n type AuthConfig,\n type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface MiddlewareConfig {\n /*\n Auth configuration\n /\n authConfig: AuthConfig;\n\n /\n Session manager instance\n /\n sessionManager: SessionManager;\n\n /\n RBAC engine instance\n /\n rbacEngine: RBACEngine;\n\n /\n Cookie name for session (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n URL to redirect to when authentication fails (default: '/login')\n /\n loginUrl?: string;\n\n /\n URL to redirect to when authorization fails (default: '/unauthorized')\n /\n unauthorizedUrl?: string;\n}\n\n/\n Create Next.js middleware for authentication and authorization\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n \n export default createAuthMiddleware({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n \n export const config = {\n * matcher: ['/((?!_next\|api/auth).)'],\n };\n * ```\n /\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n const {\n sessionManager,\n rbacEngine,\n cookieName = 'stackwright_session',\n loginUrl = '/login',\n unauthorizedUrl = '/unauthorized',\n } = config;\n\n return async function authMiddleware(request: NextRequest): Promise<NextResponse \| undefined> {\n const { pathname } = request.nextUrl;\n\n // Check if route is public\n if (rbacEngine.isPublicRoute(pathname)) {\n return undefined; // Continue to next middleware\n }\n\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n let session: AuthSession \| null = null;\n\n if (sessionCookie) {\n session = await sessionManager.deserialize(sessionCookie.value);\n }\n\n // Check if session is valid\n if (!session \|\| sessionManager.isExpired(session)) {\n // Redirect to login\n const url = request.nextUrl.clone();\n url.pathname = loginUrl;\n url.searchParams.set('redirect', pathname);\n return NextResponse.redirect(url);\n }\n\n // Check if user can access route\n if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n // Redirect to unauthorized\n const url = request.nextUrl.clone();\n url.pathname = unauthorizedUrl;\n return NextResponse.redirect(url);\n }\n\n // Refresh session if needed\n if (sessionManager.shouldRefresh(session)) {\n const refreshed = await sessionManager.refreshSession(session);\n const newJwt = await sessionManager.serialize(refreshed);\n\n const response = NextResponse.next();\n response.cookies.set(cookieName, newJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge: 900, // 15 minutes\n });\n\n return response;\n }\n\n // Allow request to continue\n return undefined;\n };\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session\n /\nexport type AuthenticatedHandler<T = any> = (\n req: NextApiRequest,\n res: NextApiResponse<T>,\n session: AuthSession\n) => void \| Promise<void>;\n\n/\n Wrap API route with authentication/authorization\n \n @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n * async (req, res, session) => {\n * const equipment = await getEquipment(req.query.id);\n * res.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRoute<T = any>(\n handler: AuthenticatedHandler<T>,\n config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n return async (req: NextApiRequest, res: NextApiResponse) => {\n // Extract session from cookie\n const sessionCookie = req.cookies[cookieName];\n\n if (!sessionCookie) {\n res.status(401).json({ error: 'Not authenticated' } as any);\n return;\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n res.status(401).json({ error: 'Session expired' } as any);\n return;\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for consistent wildcard-aware checking\n if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for wildcard-aware permission checking\n if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasAllPermissions = permissions.every((permission) =>\n session.user.permissions?.includes(permission)\n );\n if (!hasAllPermissions) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Call handler with session\n await handler(req, res, session);\n };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/\n Set session cookie in Next.js API response\n /\nexport function setSessionCookie(\n res: NextApiResponse,\n sessionJwt: string,\n options: CookieOptions = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n const maxAge = options.maxAge \|\| 900; // 15 minutes default\n\n const cookie = serializeCookie(cookieName, sessionJwt, {\n ...options,\n maxAge,\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n });\n\n res.setHeader('Set-Cookie', cookie);\n}\n\n/\n Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n res: NextApiResponse,\n options: Pick<CookieOptions, 'name' \| 'domain' \| 'path'> = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n\n const cookie = clearCookie(cookieName, options);\n\n res.setHeader('Set-Cookie', cookie);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA2DxC,SAAS,qBAAqB,QAA0B;AAC7D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,eAAe,SAAyD;AAC5F,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC7DO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,kBAAiE;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,aAAS,6BAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,aAAS,yBAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;AHzBA,IAAAA,eAA2B;AAG3B,IAAAA,eAAmE;","names":["import_auth"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/auth-handler.ts","../src/middleware.ts","../src/proxy.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/route-handlers.ts"],"sourcesContent":["export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport { createAuthProxy, type ProxyConfig } from './proxy.js';\nexport { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\nexport {\n protectedRoute,\n type ProtectedRouteConfig,\n type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n protectedRouteHandler,\n setSessionCookieOnResponse,\n clearSessionCookieOnResponse,\n type RouteHandlerConfig,\n type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n SessionManager,\n RBACEngine,\n type AuthConfig,\n type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n /*\n Auth configuration\n /\n authConfig: AuthConfig;\n\n /\n Session manager instance\n /\n sessionManager: SessionManager;\n\n /\n RBAC engine instance\n /\n rbacEngine: RBACEngine;\n\n /\n Cookie name for session (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n URL to redirect to when authentication fails (default: '/login')\n /\n loginUrl?: string;\n\n /\n URL to redirect to when authorization fails (default: '/unauthorized')\n /\n unauthorizedUrl?: string;\n}\n\n/\n Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n \n @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n /\nexport function createAuthHandler(config: AuthHandlerConfig) {\n const {\n sessionManager,\n rbacEngine,\n cookieName = 'stackwright_session',\n loginUrl = '/login',\n unauthorizedUrl = '/unauthorized',\n } = config;\n\n return async function authHandler(request: NextRequest): Promise<NextResponse \| undefined> {\n const { pathname } = request.nextUrl;\n\n // Check if route is public\n if (rbacEngine.isPublicRoute(pathname)) {\n return undefined; // Continue to next handler\n }\n\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n let session: AuthSession \| null = null;\n\n if (sessionCookie) {\n session = await sessionManager.deserialize(sessionCookie.value);\n }\n\n // Check if session is valid\n if (!session \|\| sessionManager.isExpired(session)) {\n // Redirect to login\n const url = request.nextUrl.clone();\n url.pathname = loginUrl;\n url.searchParams.set('redirect', pathname);\n return NextResponse.redirect(url);\n }\n\n // Check if user can access route\n if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n // Redirect to unauthorized\n const url = request.nextUrl.clone();\n url.pathname = unauthorizedUrl;\n return NextResponse.redirect(url);\n }\n\n // Refresh session if needed\n if (sessionManager.shouldRefresh(session)) {\n const refreshed = await sessionManager.refreshSession(session);\n const newJwt = await sessionManager.serialize(refreshed);\n\n const response = NextResponse.next();\n response.cookies.set(cookieName, newJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge: 900, // 15 minutes\n });\n\n return response;\n }\n\n // Allow request to continue\n return undefined;\n };\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/\n Configuration for Next.js middleware-based auth (Next.js <16).\n \n @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16.\n /\nexport type MiddlewareConfig = AuthHandlerConfig;\n\n/\n Create Next.js middleware for authentication and authorization.\n \n For Next.js 14–15 projects that use the `middleware.ts` file convention.\n \n @deprecated For Next.js >=16, use {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.\n \n @example\n * ```typescript\n * // middleware.ts (Next.js 14–15)\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n \n export default createAuthMiddleware({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n \n export const config = {\n * matcher: ['/((?!_next\|api/auth).)'],\n };\n * ```\n /\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n return createAuthHandler(config);\n}\n","import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/\n Configuration for Next.js proxy-based auth (Next.js >=16).\n /\nexport type ProxyConfig = AuthHandlerConfig;\n\n/\n Create a Next.js proxy handler for authentication and authorization.\n \n For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n \n @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n \n export default createAuthProxy({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n \n export const config = {\n * matcher: ['/((?!_next\|api/auth).)'],\n };\n * ```\n /\nexport function createAuthProxy(config: ProxyConfig) {\n return createAuthHandler(config);\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session\n /\nexport type AuthenticatedHandler<T = any> = (\n req: NextApiRequest,\n res: NextApiResponse<T>,\n session: AuthSession\n) => void \| Promise<void>;\n\n/\n Wrap API route with authentication/authorization\n \n @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n * async (req, res, session) => {\n * const equipment = await getEquipment(req.query.id);\n * res.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRoute<T = any>(\n handler: AuthenticatedHandler<T>,\n config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n return async (req: NextApiRequest, res: NextApiResponse) => {\n // Extract session from cookie\n const sessionCookie = req.cookies[cookieName];\n\n if (!sessionCookie) {\n res.status(401).json({ error: 'Not authenticated' } as any);\n return;\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n res.status(401).json({ error: 'Session expired' } as any);\n return;\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for consistent wildcard-aware checking\n if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for wildcard-aware permission checking\n if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasAllPermissions = permissions.every((permission) =>\n session.user.permissions?.includes(permission)\n );\n if (!hasAllPermissions) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Call handler with session\n await handler(req, res, session);\n };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/\n Set session cookie in Next.js API response\n /\nexport function setSessionCookie(\n res: NextApiResponse,\n sessionJwt: string,\n options: CookieOptions = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n const maxAge = options.maxAge \|\| 900; // 15 minutes default\n\n const cookie = serializeCookie(cookieName, sessionJwt, {\n ...options,\n maxAge,\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n });\n\n res.setHeader('Set-Cookie', cookie);\n}\n\n/\n Clear session cookie in Next.js API response\n /\nexport function clearSessionCookie(\n res: NextApiResponse,\n options: Pick<CookieOptions, 'name' \| 'domain' \| 'path'> = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n\n const cookie = clearCookie(cookieName, options);\n\n res.setHeader('Set-Cookie', cookie);\n}\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session — App Router Route Handler signature.\n /\nexport type AuthenticatedRouteHandler = (\n request: NextRequest,\n context: { params: Record<string, string> },\n session: AuthSession\n) => Promise<Response> \| Response;\n\n/\n Wrap an App Router Route Handler with authentication/authorization.\n \n This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n \n @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n \n export const GET = protectedRouteHandler(\n * async (request, { params }, session) => {\n * const equipment = await getEquipment(params.id);\n * return NextResponse.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRouteHandler(\n handler: AuthenticatedRouteHandler,\n config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n const {\n sessionManager,\n roles,\n permissions,\n cookieName = 'stackwright_session',\n rbacEngine,\n } = config;\n\n return async (\n request: NextRequest,\n context: { params: Record<string, string> }\n ): Promise<Response> => {\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n\n if (!sessionCookie) {\n return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie.value);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (rbacEngine) {\n if (!rbacEngine.hasAnyRole(session.user, roles)) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n } else {\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (rbacEngine) {\n if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n } else {\n const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n if (!hasAllPermissions) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n }\n }\n\n return handler(request, context, session);\n };\n}\n\n/\n Set the session cookie on a `NextResponse` (App Router).\n \n This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n \n @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n \n export async function POST(request: NextRequest) {\n * const session = await createSession(request);\n * const jwt = await sessionManager.serialize(session);\n * const response = NextResponse.json({ ok: true });\n * return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n /\nexport function setSessionCookieOnResponse(\n response: NextResponse,\n sessionJwt: string,\n options: {\n cookieName?: string;\n maxAge?: number;\n } = {}\n): NextResponse {\n const cookieName = options.cookieName ?? 'stackwright_session';\n const maxAge = options.maxAge ?? 900; // 15 minutes\n\n response.cookies.set(cookieName, sessionJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge,\n });\n\n return response;\n}\n\n/\n Clear the session cookie on a `NextResponse` (App Router).\n \n This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n \n @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n \n export async function POST() {\n * const response = NextResponse.json({ ok: true });\n * return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n response: NextResponse,\n options: {\n cookieName?: string;\n } = {}\n): NextResponse {\n const cookieName = options.cookieName ?? 'stackwright_session';\n response.cookies.delete(cookieName);\n return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;ACzEO,SAAS,qBAAqB,QAA0B;AAC7D,SAAO,kBAAkB,MAAM;AACjC;;;ACPO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;;;AC4BO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,kBAAiE;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,aAAS,6BAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,aAAS,yBAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ALvBA,IAAAA,eAA2B;AAG3B,IAAAA,eAAmE;;;AMjBnE,IAAAC,iBAA+C;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAO,4BAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAO,4BAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAO,4BAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":["import_auth","import_server"]}

package/dist/index.mjs CHANGED Viewed

@@ -1,49 +1,11 @@
+import {
+  createAuthHandler,
+  createAuthProxy
+} from "./chunk-MFZSH4YL.mjs";
 // src/middleware.ts
-import { NextResponse } from "next/server";
 function createAuthMiddleware(config) {
-  const {
-    sessionManager,
-    rbacEngine,
-    cookieName = "stackwright_session",
-    loginUrl = "/login",
-    unauthorizedUrl = "/unauthorized"
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (rbacEngine.isPublicRoute(pathname)) {
-      return void 0;
-    }
-    const sessionCookie = request.cookies.get(cookieName);
-    let session = null;
-    if (sessionCookie) {
-      session = await sessionManager.deserialize(sessionCookie.value);
-    }
-    if (!session || sessionManager.isExpired(session)) {
-      const url = request.nextUrl.clone();
-      url.pathname = loginUrl;
-      url.searchParams.set("redirect", pathname);
-      return NextResponse.redirect(url);
-    }
-    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
-      const url = request.nextUrl.clone();
-      url.pathname = unauthorizedUrl;
-      return NextResponse.redirect(url);
-    }
-    if (sessionManager.shouldRefresh(session)) {
-      const refreshed = await sessionManager.refreshSession(session);
-      const newJwt = await sessionManager.serialize(refreshed);
-      const response = NextResponse.next();
-      response.cookies.set(cookieName, newJwt, {
-        httpOnly: true,
-        secure: true,
-        sameSite: "lax",
-        maxAge: 900
-        // 15 minutes
-      });
-      return response;
-    }
-    return void 0;
-  };
+  return createAuthHandler(config);
 }
 // src/api-helpers.ts
@@ -117,14 +79,82 @@ function clearSessionCookie(res, options = {}) {
 // src/index.ts
 import { RBACEngine } from "@stackwright-pro/auth";
 import { AuthProvider, AuthContext, useAuth, useRequireAuth } from "@stackwright-pro/auth";
+// src/route-handlers.ts
+import { NextResponse } from "next/server";
+function protectedRouteHandler(handler, config) {
+  const {
+    sessionManager,
+    roles,
+    permissions,
+    cookieName = "stackwright_session",
+    rbacEngine
+  } = config;
+  return async (request, context) => {
+    const sessionCookie = request.cookies.get(cookieName);
+    if (!sessionCookie) {
+      return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+    }
+    const session = await sessionManager.deserialize(sessionCookie.value);
+    if (!session || sessionManager.isExpired(session)) {
+      return NextResponse.json({ error: "Session expired" }, { status: 401 });
+    }
+    if (roles && roles.length > 0) {
+      if (rbacEngine) {
+        if (!rbacEngine.hasAnyRole(session.user, roles)) {
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      } else {
+        const hasRole = roles.some((role) => session.user.roles.includes(role));
+        if (!hasRole) {
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      }
+    }
+    if (permissions && permissions.length > 0) {
+      if (rbacEngine) {
+        if (!rbacEngine.hasAllPermissions(session.user, permissions)) {
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      } else {
+        const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));
+        if (!hasAllPermissions) {
+          return NextResponse.json({ error: "Insufficient permissions" }, { status: 403 });
+        }
+      }
+    }
+    return handler(request, context, session);
+  };
+}
+function setSessionCookieOnResponse(response, sessionJwt, options = {}) {
+  const cookieName = options.cookieName ?? "stackwright_session";
+  const maxAge = options.maxAge ?? 900;
+  response.cookies.set(cookieName, sessionJwt, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    maxAge
+  });
+  return response;
+}
+function clearSessionCookieOnResponse(response, options = {}) {
+  const cookieName = options.cookieName ?? "stackwright_session";
+  response.cookies.delete(cookieName);
+  return response;
+}
 export {
   AuthContext,
   AuthProvider,
   RBACEngine,
   clearSessionCookie,
+  clearSessionCookieOnResponse,
+  createAuthHandler,
   createAuthMiddleware,
+  createAuthProxy,
   protectedRoute,
+  protectedRouteHandler,
   setSessionCookie,
+  setSessionCookieOnResponse,
   useAuth,
   useRequireAuth
 };

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/index.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n SessionManager,\n RBACEngine,\n type AuthConfig,\n type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface MiddlewareConfig {\n /*\n Auth configuration\n /\n authConfig: AuthConfig;\n\n /\n Session manager instance\n /\n sessionManager: SessionManager;\n\n /\n RBAC engine instance\n /\n rbacEngine: RBACEngine;\n\n /\n Cookie name for session (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n URL to redirect to when authentication fails (default: '/login')\n /\n loginUrl?: string;\n\n /\n URL to redirect to when authorization fails (default: '/unauthorized')\n /\n unauthorizedUrl?: string;\n}\n\n/\n Create Next.js middleware for authentication and authorization\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n \n export default createAuthMiddleware({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n \n export const config = {\n * matcher: ['/((?!_next\|api/auth).)'],\n };\n * ```\n /\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n const {\n sessionManager,\n rbacEngine,\n cookieName = 'stackwright_session',\n loginUrl = '/login',\n unauthorizedUrl = '/unauthorized',\n } = config;\n\n return async function authMiddleware(request: NextRequest): Promise<NextResponse \| undefined> {\n const { pathname } = request.nextUrl;\n\n // Check if route is public\n if (rbacEngine.isPublicRoute(pathname)) {\n return undefined; // Continue to next middleware\n }\n\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n let session: AuthSession \| null = null;\n\n if (sessionCookie) {\n session = await sessionManager.deserialize(sessionCookie.value);\n }\n\n // Check if session is valid\n if (!session \|\| sessionManager.isExpired(session)) {\n // Redirect to login\n const url = request.nextUrl.clone();\n url.pathname = loginUrl;\n url.searchParams.set('redirect', pathname);\n return NextResponse.redirect(url);\n }\n\n // Check if user can access route\n if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n // Redirect to unauthorized\n const url = request.nextUrl.clone();\n url.pathname = unauthorizedUrl;\n return NextResponse.redirect(url);\n }\n\n // Refresh session if needed\n if (sessionManager.shouldRefresh(session)) {\n const refreshed = await sessionManager.refreshSession(session);\n const newJwt = await sessionManager.serialize(refreshed);\n\n const response = NextResponse.next();\n response.cookies.set(cookieName, newJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge: 900, // 15 minutes\n });\n\n return response;\n }\n\n // Allow request to continue\n return undefined;\n };\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session\n /\nexport type AuthenticatedHandler<T = any> = (\n req: NextApiRequest,\n res: NextApiResponse<T>,\n session: AuthSession\n) => void \| Promise<void>;\n\n/\n Wrap API route with authentication/authorization\n \n @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n * async (req, res, session) => {\n * const equipment = await getEquipment(req.query.id);\n * res.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRoute<T = any>(\n handler: AuthenticatedHandler<T>,\n config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n return async (req: NextApiRequest, res: NextApiResponse) => {\n // Extract session from cookie\n const sessionCookie = req.cookies[cookieName];\n\n if (!sessionCookie) {\n res.status(401).json({ error: 'Not authenticated' } as any);\n return;\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n res.status(401).json({ error: 'Session expired' } as any);\n return;\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for consistent wildcard-aware checking\n if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for wildcard-aware permission checking\n if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasAllPermissions = permissions.every((permission) =>\n session.user.permissions?.includes(permission)\n );\n if (!hasAllPermissions) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Call handler with session\n await handler(req, res, session);\n };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/\n Set session cookie in Next.js API response\n /\nexport function setSessionCookie(\n res: NextApiResponse,\n sessionJwt: string,\n options: CookieOptions = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n const maxAge = options.maxAge \|\| 900; // 15 minutes default\n\n const cookie = serializeCookie(cookieName, sessionJwt, {\n ...options,\n maxAge,\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n });\n\n res.setHeader('Set-Cookie', cookie);\n}\n\n/\n Clear session cookie in Next.js API response\n */\nexport function clearSessionCookie(\n res: NextApiResponse,\n options: Pick<CookieOptions, 'name' \| 'domain' \| 'path'> = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n\n const cookie = clearCookie(cookieName, options);\n\n res.setHeader('Set-Cookie', cookie);\n}\n","export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport {\n protectedRoute,\n type ProtectedRouteConfig,\n type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n"],"mappings":";AAAA,SAA2B,oBAAoB;AA2DxC,SAAS,qBAAqB,QAA0B;AAC7D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,eAAe,SAAyD;AAC5F,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,aAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,aAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AC7DO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,SAAS,iBAAiB,mBAAuC;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,SAAS,gBAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,SAAS,YAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ACzBA,SAAS,kBAAkB;AAG3B,SAAS,cAAc,aAAa,SAAS,sBAAsB;","names":[]}
1	+ {"version":3,"sources":["../src/middleware.ts","../src/api-helpers.ts","../src/cookie-utils.ts","../src/index.ts","../src/route-handlers.ts"],"sourcesContent":["import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/*\n Configuration for Next.js middleware-based auth (Next.js <16).\n \n @deprecated For Next.js >=16, use {@link ProxyConfig} with {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16.\n /\nexport type MiddlewareConfig = AuthHandlerConfig;\n\n/\n Create Next.js middleware for authentication and authorization.\n \n For Next.js 14–15 projects that use the `middleware.ts` file convention.\n \n @deprecated For Next.js >=16, use {@link createAuthProxy} instead.\n * The `middleware.ts` file convention is deprecated in Next.js 16 in favor of `proxy.ts`.\n \n @example\n * ```typescript\n * // middleware.ts (Next.js 14–15)\n * import { createAuthMiddleware } from '@stackwright-pro/auth-nextjs';\n \n export default createAuthMiddleware({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n \n export const config = {\n * matcher: ['/((?!_next\|api/auth).)'],\n };\n * ```\n /\nexport function createAuthMiddleware(config: MiddlewareConfig) {\n return createAuthHandler(config);\n}\n","import type { NextApiRequest, NextApiResponse } from 'next';\nimport { SessionManager, RBACEngine, type AuthSession, type AuthUser } from '@stackwright-pro/auth';\n\nexport interface ProtectedRouteConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session\n /\nexport type AuthenticatedHandler<T = any> = (\n req: NextApiRequest,\n res: NextApiResponse<T>,\n session: AuthSession\n) => void \| Promise<void>;\n\n/\n Wrap API route with authentication/authorization\n \n @example\n * ```typescript\n * // pages/api/equipment/[id].ts\n * export default protectedRoute(\n * async (req, res, session) => {\n * const equipment = await getEquipment(req.query.id);\n * res.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRoute<T = any>(\n handler: AuthenticatedHandler<T>,\n config: ProtectedRouteConfig\n): (req: NextApiRequest, res: NextApiResponse) => Promise<void> {\n const { sessionManager, roles, permissions, cookieName = 'stackwright_session' } = config;\n\n return async (req: NextApiRequest, res: NextApiResponse) => {\n // Extract session from cookie\n const sessionCookie = req.cookies[cookieName];\n\n if (!sessionCookie) {\n res.status(401).json({ error: 'Not authenticated' } as any);\n return;\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n res.status(401).json({ error: 'Session expired' } as any);\n return;\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for consistent wildcard-aware checking\n if (!config.rbacEngine.hasAnyRole(session.user, roles)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (config.rbacEngine) {\n // Use RBAC engine for wildcard-aware permission checking\n if (!config.rbacEngine.hasAllPermissions(session.user, permissions)) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n } else {\n // Fallback: direct check (no wildcard support)\n const hasAllPermissions = permissions.every((permission) =>\n session.user.permissions?.includes(permission)\n );\n if (!hasAllPermissions) {\n res.status(403).json({ error: 'Insufficient permissions' } as any);\n return;\n }\n }\n }\n\n // Call handler with session\n await handler(req, res, session);\n };\n}\n","import type { NextApiResponse } from 'next';\nimport { serializeCookie, clearCookie, type CookieOptions } from '@stackwright-pro/auth';\n\n/\n Set session cookie in Next.js API response\n /\nexport function setSessionCookie(\n res: NextApiResponse,\n sessionJwt: string,\n options: CookieOptions = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n const maxAge = options.maxAge \|\| 900; // 15 minutes default\n\n const cookie = serializeCookie(cookieName, sessionJwt, {\n ...options,\n maxAge,\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n });\n\n res.setHeader('Set-Cookie', cookie);\n}\n\n/\n Clear session cookie in Next.js API response\n /\nexport function clearSessionCookie(\n res: NextApiResponse,\n options: Pick<CookieOptions, 'name' \| 'domain' \| 'path'> = {}\n): void {\n const cookieName = options.name \|\| 'stackwright_session';\n\n const cookie = clearCookie(cookieName, options);\n\n res.setHeader('Set-Cookie', cookie);\n}\n","export { createAuthMiddleware, type MiddlewareConfig } from './middleware.js';\nexport { createAuthProxy, type ProxyConfig } from './proxy.js';\nexport { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\nexport {\n protectedRoute,\n type ProtectedRouteConfig,\n type AuthenticatedHandler,\n} from './api-helpers.js';\nexport { setSessionCookie, clearSessionCookie } from './cookie-utils.js';\n\n// Re-export commonly used types/classes from core\nexport type { AuthUser, AuthSession, AuthConfig } from '@stackwright-pro/auth';\n\n// Re-export RBAC engine\nexport { RBACEngine } from '@stackwright-pro/auth';\n\n// Re-export React context components for Next.js apps\nexport { AuthProvider, AuthContext, useAuth, useRequireAuth } from '@stackwright-pro/auth';\nexport type { AuthProviderProps, AuthContextValue } from '@stackwright-pro/auth';\n\n// App Router Route Handler helpers (replaces api-helpers for App Router users)\nexport {\n protectedRouteHandler,\n setSessionCookieOnResponse,\n clearSessionCookieOnResponse,\n type RouteHandlerConfig,\n type AuthenticatedRouteHandler,\n} from './route-handlers.js';\n","import { type NextRequest, NextResponse } from 'next/server';\nimport { SessionManager, RBACEngine, type AuthSession } from '@stackwright-pro/auth';\n\nexport interface RouteHandlerConfig {\n /\n Session manager for validating sessions\n /\n sessionManager: SessionManager;\n\n /\n Required roles (user must have ANY of these)\n /\n roles?: string[];\n\n /\n Required permissions (user must have ALL of these)\n /\n permissions?: string[];\n\n /\n Cookie name (default: 'stackwright_session')\n /\n cookieName?: string;\n\n /\n Optional RBAC engine for wildcard-aware role/permission checking.\n * When provided, authorization decisions use RBACEngine (consistent\n * with middleware). Without it, falls back to direct array checks.\n /\n rbacEngine?: RBACEngine;\n}\n\n/\n Handler function with authenticated session — App Router Route Handler signature.\n /\nexport type AuthenticatedRouteHandler = (\n request: NextRequest,\n context: { params: Record<string, string> },\n session: AuthSession\n) => Promise<Response> \| Response;\n\n/\n Wrap an App Router Route Handler with authentication/authorization.\n \n This is the App Router equivalent of `protectedRoute()` from `api-helpers.ts`.\n \n @example\n * ```typescript\n * // app/api/equipment/[id]/route.ts\n * import { protectedRouteHandler } from '@stackwright-pro/auth-nextjs';\n \n export const GET = protectedRouteHandler(\n * async (request, { params }, session) => {\n * const equipment = await getEquipment(params.id);\n * return NextResponse.json(equipment);\n * },\n * {\n * sessionManager,\n * roles: ['ANALYST', 'ADMIN'],\n * }\n * );\n * ```\n /\nexport function protectedRouteHandler(\n handler: AuthenticatedRouteHandler,\n config: RouteHandlerConfig\n): (request: NextRequest, context: { params: Record<string, string> }) => Promise<Response> {\n const {\n sessionManager,\n roles,\n permissions,\n cookieName = 'stackwright_session',\n rbacEngine,\n } = config;\n\n return async (\n request: NextRequest,\n context: { params: Record<string, string> }\n ): Promise<Response> => {\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n\n if (!sessionCookie) {\n return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });\n }\n\n // Verify session\n const session = await sessionManager.deserialize(sessionCookie.value);\n\n if (!session \|\| sessionManager.isExpired(session)) {\n return NextResponse.json({ error: 'Session expired' }, { status: 401 });\n }\n\n // Check roles\n if (roles && roles.length > 0) {\n if (rbacEngine) {\n if (!rbacEngine.hasAnyRole(session.user, roles)) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n } else {\n const hasRole = roles.some((role) => session.user.roles.includes(role));\n if (!hasRole) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n }\n }\n\n // Check permissions\n if (permissions && permissions.length > 0) {\n if (rbacEngine) {\n if (!rbacEngine.hasAllPermissions(session.user, permissions)) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n } else {\n const hasAllPermissions = permissions.every((p) => session.user.permissions?.includes(p));\n if (!hasAllPermissions) {\n return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });\n }\n }\n }\n\n return handler(request, context, session);\n };\n}\n\n/\n Set the session cookie on a `NextResponse` (App Router).\n \n This is the App Router equivalent of `setSessionCookie()` from `cookie-utils.ts`.\n \n @example\n * ```typescript\n * // app/api/auth/login/route.ts\n * import { setSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n \n export async function POST(request: NextRequest) {\n * const session = await createSession(request);\n * const jwt = await sessionManager.serialize(session);\n * const response = NextResponse.json({ ok: true });\n * return setSessionCookieOnResponse(response, jwt);\n * }\n * ```\n /\nexport function setSessionCookieOnResponse(\n response: NextResponse,\n sessionJwt: string,\n options: {\n cookieName?: string;\n maxAge?: number;\n } = {}\n): NextResponse {\n const cookieName = options.cookieName ?? 'stackwright_session';\n const maxAge = options.maxAge ?? 900; // 15 minutes\n\n response.cookies.set(cookieName, sessionJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge,\n });\n\n return response;\n}\n\n/\n Clear the session cookie on a `NextResponse` (App Router).\n \n This is the App Router equivalent of `clearSessionCookie()` from `cookie-utils.ts`.\n \n @example\n * ```typescript\n * // app/api/auth/logout/route.ts\n * import { clearSessionCookieOnResponse } from '@stackwright-pro/auth-nextjs';\n \n export async function POST() {\n * const response = NextResponse.json({ ok: true });\n * return clearSessionCookieOnResponse(response);\n * }\n * ```\n */\nexport function clearSessionCookieOnResponse(\n response: NextResponse,\n options: {\n cookieName?: string;\n } = {}\n): NextResponse {\n const cookieName = options.cookieName ?? 'stackwright_session';\n response.cookies.delete(cookieName);\n return response;\n}\n"],"mappings":";;;;;;AAkCO,SAAS,qBAAqB,QAA0B;AAC7D,SAAO,kBAAkB,MAAM;AACjC;;;ACuBO,SAAS,eACd,SACA,QAC8D;AAC9D,QAAM,EAAE,gBAAgB,OAAO,aAAa,aAAa,sBAAsB,IAAI;AAEnF,SAAO,OAAO,KAAqB,QAAyB;AAE1D,UAAM,gBAAgB,IAAI,QAAQ,UAAU;AAE5C,QAAI,CAAC,eAAe;AAClB,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAQ;AAC1D;AAAA,IACF;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,aAAa;AAE9D,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAQ;AACxD;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AACtD,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,OAAO,YAAY;AAErB,YAAI,CAAC,OAAO,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AACnE,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF,OAAO;AAEL,cAAM,oBAAoB,YAAY;AAAA,UAAM,CAAC,eAC3C,QAAQ,KAAK,aAAa,SAAS,UAAU;AAAA,QAC/C;AACA,YAAI,CAAC,mBAAmB;AACtB,cAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,2BAA2B,CAAQ;AACjE;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,KAAK,KAAK,OAAO;AAAA,EACjC;AACF;;;AC1HA,SAAS,iBAAiB,mBAAuC;AAK1D,SAAS,iBACd,KACA,YACA,UAAyB,CAAC,GACpB;AACN,QAAM,aAAa,QAAQ,QAAQ;AACnC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,SAAS,gBAAgB,YAAY,YAAY;AAAA,IACrD,GAAG;AAAA,IACH;AAAA,IACA,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,UAAU,cAAc,MAAM;AACpC;AAKO,SAAS,mBACd,KACA,UAA2D,CAAC,GACtD;AACN,QAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAM,SAAS,YAAY,YAAY,OAAO;AAE9C,MAAI,UAAU,cAAc,MAAM;AACpC;;;ACvBA,SAAS,kBAAkB;AAG3B,SAAS,cAAc,aAAa,SAAS,sBAAsB;;;ACjBnE,SAA2B,oBAAoB;AA+DxC,SAAS,sBACd,SACA,QAC0F;AAC1F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,EACF,IAAI;AAEJ,SAAO,OACL,SACA,YACsB;AAEtB,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AAEpD,QAAI,CAAC,eAAe;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AAGA,UAAM,UAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAEpE,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AACjD,aAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,WAAW,QAAQ,MAAM,KAAK,GAAG;AAC/C,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,UAAU,MAAM,KAAK,CAAC,SAAS,QAAQ,KAAK,MAAM,SAAS,IAAI,CAAC;AACtE,YAAI,CAAC,SAAS;AACZ,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,eAAe,YAAY,SAAS,GAAG;AACzC,UAAI,YAAY;AACd,YAAI,CAAC,WAAW,kBAAkB,QAAQ,MAAM,WAAW,GAAG;AAC5D,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF,OAAO;AACL,cAAM,oBAAoB,YAAY,MAAM,CAAC,MAAM,QAAQ,KAAK,aAAa,SAAS,CAAC,CAAC;AACxF,YAAI,CAAC,mBAAmB;AACtB,iBAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,SAAS,SAAS,OAAO;AAAA,EAC1C;AACF;AAoBO,SAAS,2BACd,UACA,YACA,UAGI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,SAAS,QAAQ,UAAU;AAEjC,WAAS,QAAQ,IAAI,YAAY,YAAY;AAAA,IAC3C,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAkBO,SAAS,6BACd,UACA,UAEI,CAAC,GACS;AACd,QAAM,aAAa,QAAQ,cAAc;AACzC,WAAS,QAAQ,OAAO,UAAU;AAClC,SAAO;AACT;","names":[]}

package/dist/proxy-Blj2kIJp.d.mts ADDED Viewed

@@ -0,0 +1,67 @@
+import * as next_server_js from 'next/server.js';
+import { NextRequest, NextResponse } from 'next/server';
+import { AuthConfig, SessionManager, RBACEngine } from '@stackwright-pro/auth';
+interface AuthHandlerConfig {
+    /**
+     * Auth configuration
+     */
+    authConfig: AuthConfig;
+    /**
+     * Session manager instance
+     */
+    sessionManager: SessionManager;
+    /**
+     * RBAC engine instance
+     */
+    rbacEngine: RBACEngine;
+    /**
+     * Cookie name for session (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * URL to redirect to when authentication fails (default: '/login')
+     */
+    loginUrl?: string;
+    /**
+     * URL to redirect to when authorization fails (default: '/unauthorized')
+     */
+    unauthorizedUrl?: string;
+}
+/**
+ * Core auth handler shared by both the middleware (Next.js <16) and
+ * proxy (Next.js >=16) conventions.
+ *
+ * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.
+ */
+declare function createAuthHandler(config: AuthHandlerConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+/**
+ * Configuration for Next.js proxy-based auth (Next.js >=16).
+ */
+type ProxyConfig = AuthHandlerConfig;
+/**
+ * Create a Next.js proxy handler for authentication and authorization.
+ *
+ * For Next.js >=16 projects that use the `proxy.ts` file convention,
+ * replacing the deprecated `middleware.ts` convention.
+ *
+ * @example
+ * ```typescript
+ * // proxy.ts (Next.js >=16)
+ * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+ *
+ * export default createAuthProxy({
+ *   authConfig,
+ *   sessionManager,
+ *   rbacEngine,
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next|api/auth).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(config: ProxyConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
+export { type AuthHandlerConfig as A, type ProxyConfig as P, createAuthProxy as a, createAuthHandler as c };

package/dist/proxy-Blj2kIJp.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import * as next_server_js from 'next/server.js';
+import { NextRequest, NextResponse } from 'next/server';
+import { AuthConfig, SessionManager, RBACEngine } from '@stackwright-pro/auth';
+interface AuthHandlerConfig {
+    /**
+     * Auth configuration
+     */
+    authConfig: AuthConfig;
+    /**
+     * Session manager instance
+     */
+    sessionManager: SessionManager;
+    /**
+     * RBAC engine instance
+     */
+    rbacEngine: RBACEngine;
+    /**
+     * Cookie name for session (default: 'stackwright_session')
+     */
+    cookieName?: string;
+    /**
+     * URL to redirect to when authentication fails (default: '/login')
+     */
+    loginUrl?: string;
+    /**
+     * URL to redirect to when authorization fails (default: '/unauthorized')
+     */
+    unauthorizedUrl?: string;
+}
+/**
+ * Core auth handler shared by both the middleware (Next.js <16) and
+ * proxy (Next.js >=16) conventions.
+ *
+ * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.
+ */
+declare function createAuthHandler(config: AuthHandlerConfig): (request: NextRequest) => Promise<NextResponse | undefined>;
+/**
+ * Configuration for Next.js proxy-based auth (Next.js >=16).
+ */
+type ProxyConfig = AuthHandlerConfig;
+/**
+ * Create a Next.js proxy handler for authentication and authorization.
+ *
+ * For Next.js >=16 projects that use the `proxy.ts` file convention,
+ * replacing the deprecated `middleware.ts` convention.
+ *
+ * @example
+ * ```typescript
+ * // proxy.ts (Next.js >=16)
+ * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';
+ *
+ * export default createAuthProxy({
+ *   authConfig,
+ *   sessionManager,
+ *   rbacEngine,
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next|api/auth).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(config: ProxyConfig): (request: next_server_js.NextRequest) => Promise<next_server_js.NextResponse | undefined>;
+export { type AuthHandlerConfig as A, type ProxyConfig as P, createAuthProxy as a, createAuthHandler as c };

package/dist/proxy.d.mts ADDED Viewed

@@ -0,0 +1,4 @@
+import 'next/server.js';
+export { P as ProxyConfig, a as createAuthProxy } from './proxy-Blj2kIJp.mjs';
+import 'next/server';
+import '@stackwright-pro/auth';

package/dist/proxy.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import 'next/server.js';
+export { P as ProxyConfig, a as createAuthProxy } from './proxy-Blj2kIJp.js';
+import 'next/server';
+import '@stackwright-pro/auth';

package/dist/proxy.js ADDED Viewed

@@ -0,0 +1,83 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/proxy.ts
+var proxy_exports = {};
+__export(proxy_exports, {
+  createAuthProxy: () => createAuthProxy
+});
+module.exports = __toCommonJS(proxy_exports);
+// src/auth-handler.ts
+var import_server = require("next/server");
+function createAuthHandler(config) {
+  const {
+    sessionManager,
+    rbacEngine,
+    cookieName = "stackwright_session",
+    loginUrl = "/login",
+    unauthorizedUrl = "/unauthorized"
+  } = config;
+  return async function authHandler(request) {
+    const { pathname } = request.nextUrl;
+    if (rbacEngine.isPublicRoute(pathname)) {
+      return void 0;
+    }
+    const sessionCookie = request.cookies.get(cookieName);
+    let session = null;
+    if (sessionCookie) {
+      session = await sessionManager.deserialize(sessionCookie.value);
+    }
+    if (!session || sessionManager.isExpired(session)) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginUrl;
+      url.searchParams.set("redirect", pathname);
+      return import_server.NextResponse.redirect(url);
+    }
+    if (!rbacEngine.canAccessRoute(session.user, pathname)) {
+      const url = request.nextUrl.clone();
+      url.pathname = unauthorizedUrl;
+      return import_server.NextResponse.redirect(url);
+    }
+    if (sessionManager.shouldRefresh(session)) {
+      const refreshed = await sessionManager.refreshSession(session);
+      const newJwt = await sessionManager.serialize(refreshed);
+      const response = import_server.NextResponse.next();
+      response.cookies.set(cookieName, newJwt, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax",
+        maxAge: 900
+        // 15 minutes
+      });
+      return response;
+    }
+    return void 0;
+  };
+}
+// src/proxy.ts
+function createAuthProxy(config) {
+  return createAuthHandler(config);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthProxy
+});
+//# sourceMappingURL=proxy.js.map

package/dist/proxy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/proxy.ts","../src/auth-handler.ts"],"sourcesContent":["import { createAuthHandler, type AuthHandlerConfig } from './auth-handler.js';\n\n/**\n * Configuration for Next.js proxy-based auth (Next.js >=16).\n */\nexport type ProxyConfig = AuthHandlerConfig;\n\n/**\n * Create a Next.js proxy handler for authentication and authorization.\n *\n * For Next.js >=16 projects that use the `proxy.ts` file convention,\n * replacing the deprecated `middleware.ts` convention.\n *\n * @example\n * ```typescript\n * // proxy.ts (Next.js >=16)\n * import { createAuthProxy } from '@stackwright-pro/auth-nextjs';\n *\n * export default createAuthProxy({\n * authConfig,\n * sessionManager,\n * rbacEngine,\n * });\n *\n * export const config = {\n * matcher: ['/((?!_next|api/auth).*)'],\n * };\n * ```\n */\nexport function createAuthProxy(config: ProxyConfig) {\n return createAuthHandler(config);\n}\n","import { type NextRequest, NextResponse } from 'next/server';\nimport {\n SessionManager,\n RBACEngine,\n type AuthConfig,\n type AuthSession,\n} from '@stackwright-pro/auth';\n\nexport interface AuthHandlerConfig {\n /**\n * Auth configuration\n */\n authConfig: AuthConfig;\n\n /**\n * Session manager instance\n */\n sessionManager: SessionManager;\n\n /**\n * RBAC engine instance\n */\n rbacEngine: RBACEngine;\n\n /**\n * Cookie name for session (default: 'stackwright_session')\n */\n cookieName?: string;\n\n /**\n * URL to redirect to when authentication fails (default: '/login')\n */\n loginUrl?: string;\n\n /**\n * URL to redirect to when authorization fails (default: '/unauthorized')\n */\n unauthorizedUrl?: string;\n}\n\n/**\n * Core auth handler shared by both the middleware (Next.js <16) and\n * proxy (Next.js >=16) conventions.\n *\n * @internal — consumers should use `createAuthMiddleware` or `createAuthProxy`.\n */\nexport function createAuthHandler(config: AuthHandlerConfig) {\n const {\n sessionManager,\n rbacEngine,\n cookieName = 'stackwright_session',\n loginUrl = '/login',\n unauthorizedUrl = '/unauthorized',\n } = config;\n\n return async function authHandler(request: NextRequest): Promise<NextResponse | undefined> {\n const { pathname } = request.nextUrl;\n\n // Check if route is public\n if (rbacEngine.isPublicRoute(pathname)) {\n return undefined; // Continue to next handler\n }\n\n // Extract session from cookie\n const sessionCookie = request.cookies.get(cookieName);\n let session: AuthSession | null = null;\n\n if (sessionCookie) {\n session = await sessionManager.deserialize(sessionCookie.value);\n }\n\n // Check if session is valid\n if (!session || sessionManager.isExpired(session)) {\n // Redirect to login\n const url = request.nextUrl.clone();\n url.pathname = loginUrl;\n url.searchParams.set('redirect', pathname);\n return NextResponse.redirect(url);\n }\n\n // Check if user can access route\n if (!rbacEngine.canAccessRoute(session.user, pathname)) {\n // Redirect to unauthorized\n const url = request.nextUrl.clone();\n url.pathname = unauthorizedUrl;\n return NextResponse.redirect(url);\n }\n\n // Refresh session if needed\n if (sessionManager.shouldRefresh(session)) {\n const refreshed = await sessionManager.refreshSession(session);\n const newJwt = await sessionManager.serialize(refreshed);\n\n const response = NextResponse.next();\n response.cookies.set(cookieName, newJwt, {\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n maxAge: 900, // 15 minutes\n });\n\n return response;\n }\n\n // Allow request to continue\n return undefined;\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAA+C;AA8CxC,SAAS,kBAAkB,QAA2B;AAC3D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,WAAW;AAAA,IACX,kBAAkB;AAAA,EACpB,IAAI;AAEJ,SAAO,eAAe,YAAY,SAAyD;AACzF,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,WAAW,cAAc,QAAQ,GAAG;AACtC,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,UAAU;AACpD,QAAI,UAA8B;AAElC,QAAI,eAAe;AACjB,gBAAU,MAAM,eAAe,YAAY,cAAc,KAAK;AAAA,IAChE;AAGA,QAAI,CAAC,WAAW,eAAe,UAAU,OAAO,GAAG;AAEjD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,UAAI,aAAa,IAAI,YAAY,QAAQ;AACzC,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,CAAC,WAAW,eAAe,QAAQ,MAAM,QAAQ,GAAG;AAEtD,YAAM,MAAM,QAAQ,QAAQ,MAAM;AAClC,UAAI,WAAW;AACf,aAAO,2BAAa,SAAS,GAAG;AAAA,IAClC;AAGA,QAAI,eAAe,cAAc,OAAO,GAAG;AACzC,YAAM,YAAY,MAAM,eAAe,eAAe,OAAO;AAC7D,YAAM,SAAS,MAAM,eAAe,UAAU,SAAS;AAEvD,YAAM,WAAW,2BAAa,KAAK;AACnC,eAAS,QAAQ,IAAI,YAAY,QAAQ;AAAA,QACvC,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,UAAU;AAAA,QACV,QAAQ;AAAA;AAAA,MACV,CAAC;AAED,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT;AACF;;;AD9EO,SAAS,gBAAgB,QAAqB;AACnD,SAAO,kBAAkB,MAAM;AACjC;","names":[]}

package/dist/proxy.mjs ADDED Viewed

@@ -0,0 +1,7 @@
+import {
+  createAuthProxy
+} from "./chunk-MFZSH4YL.mjs";
+export {
+  createAuthProxy
+};
+//# sourceMappingURL=proxy.mjs.map

package/dist/proxy.mjs.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json CHANGED Viewed

@@ -1,8 +1,8 @@
 {
   "name": "@stackwright-pro/auth-nextjs",
-  "version": "0.2.0-alpha.4",
+  "version": "0.3.0-alpha.0",
   "description": "Next.js adapter for Stackwright Pro authentication",
-  "license": "PROPRIETARY",
+  "license": "SEE LICENSE IN LICENSE",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.ts",
@@ -11,19 +11,25 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./proxy": {
+      "types": "./dist/proxy.d.ts",
+      "import": "./dist/proxy.mjs",
+      "require": "./dist/proxy.js"
     }
   },
   "files": [
     "dist"
   ],
   "dependencies": {
-    "@stackwright-pro/auth": "0.2.0-alpha.4"
+    "@stackwright-pro/auth": "0.2.0-alpha.11"
   },
   "devDependencies": {
-    "@types/node": "^25.4.0",
+    "@types/node": "^25.9.2",
+    "reflect-metadata": "^0.2.2",
     "tsup": "^8.5.1",
-    "typescript": "^5.8.3",
-    "vitest": "^4.0.18"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.8"
   },
   "peerDependencies": {
     "next": ">=14.0.0 <16.0.0-beta.0 || >=16.2.3",