@startsimpli/auth 0.1.0 → 0.1.2

package/dist/server/index.mjs

@@ -0,0 +1,191 @@
+import { isTokenExpired, decodeToken } from '../chunk-S6J5FYQY.mjs';
+import { hasRolePermission } from '../chunk-TA46ASDJ.mjs';
+import { cookies } from 'next/headers';
+import { NextResponse } from 'next/server';
+
+async function getServerSession(apiBaseUrl) {
+  const cookieStore = await cookies();
+  const accessToken = cookieStore.get("access_token")?.value;
+  if (!accessToken) {
+    return null;
+  }
+  if (isTokenExpired(accessToken)) {
+    return null;
+  }
+  try {
+    const user = await fetchUser(apiBaseUrl, accessToken);
+    const payload = decodeToken(accessToken);
+    if (!payload) {
+      return null;
+    }
+    return {
+      user,
+      accessToken,
+      expiresAt: payload.exp * 1e3
+    };
+  } catch (error) {
+    console.error("Failed to get server session:", error);
+    return null;
+  }
+}
+async function fetchUser(apiBaseUrl, accessToken) {
+  const response = await fetch(`${apiBaseUrl}/api/v1/auth/me/`, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`
+    },
+    cache: "no-store"
+  });
+  if (!response.ok) {
+    throw new Error("Failed to fetch user");
+  }
+  return response.json();
+}
+async function validateSession(apiBaseUrl) {
+  const session = await getServerSession(apiBaseUrl);
+  return session?.user || null;
+}
+async function requireAuth(apiBaseUrl) {
+  const session = await getServerSession(apiBaseUrl);
+  if (!session) {
+    throw new Error("Unauthorized");
+  }
+  return session;
+}
+async function refreshServerToken(apiBaseUrl) {
+  try {
+    const response = await fetch(`${apiBaseUrl}/api/v1/auth/token/refresh/`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      return null;
+    }
+    const data = await response.json();
+    return data.access;
+  } catch (error) {
+    console.error("Token refresh failed:", error);
+    return null;
+  }
+}
+function createAuthMiddleware(config) {
+  const {
+    apiBaseUrl,
+    publicPaths = ["/login", "/register", "/forgot-password"],
+    loginPath = "/login"
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    const isPublicPath = publicPaths.some(
+      (path) => pathname.startsWith(path)
+    );
+    if (isPublicPath) {
+      return NextResponse.next();
+    }
+    const accessToken = request.cookies.get("access_token")?.value;
+    if (!accessToken || isTokenExpired(accessToken)) {
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("from", pathname);
+      return NextResponse.redirect(url);
+    }
+    return NextResponse.next();
+  };
+}
+function hasValidToken(request) {
+  const accessToken = request.cookies.get("access_token")?.value;
+  if (!accessToken) {
+    return false;
+  }
+  return !isTokenExpired(accessToken);
+}
+function getRequestToken(request) {
+  const accessToken = request.cookies.get("access_token")?.value;
+  if (!accessToken) {
+    return null;
+  }
+  if (isTokenExpired(accessToken)) {
+    return null;
+  }
+  return accessToken;
+}
+function getTokenFromRequest(req) {
+  const authHeader = req.headers.get("authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    const token = authHeader.slice(7).trim();
+    if (token) return token;
+  }
+  const cookieHeader = req.headers.get("cookie");
+  if (cookieHeader) {
+    const match = cookieHeader.split(";").map((part) => part.trim()).find((part) => part.startsWith("access_token="));
+    if (match) {
+      const token = match.slice("access_token=".length).trim();
+      if (token) return token;
+    }
+  }
+  return void 0;
+}
+async function requireAuthGuard(request) {
+  const token = getRequestToken(request);
+  if (!token) {
+    return {
+      authorized: false,
+      response: NextResponse.json(
+        { error: "Unauthorized" },
+        { status: 401 }
+      )
+    };
+  }
+  return {
+    authorized: true,
+    token
+  };
+}
+async function requireRoleGuard(request, requiredRole, getUserRole) {
+  const authResult = await requireAuthGuard(request);
+  if (!authResult.authorized) {
+    return authResult;
+  }
+  const userRole = await getUserRole();
+  if (!userRole || !hasRolePermission(userRole, requiredRole)) {
+    return {
+      authorized: false,
+      response: NextResponse.json(
+        { error: "Forbidden" },
+        { status: 403 }
+      )
+    };
+  }
+  return {
+    authorized: true,
+    token: authResult.token
+  };
+}
+function withAuth(handler) {
+  return async (request) => {
+    const guardResult = await requireAuthGuard(request);
+    if (!guardResult.authorized) {
+      return guardResult.response;
+    }
+    return handler(request, guardResult.token);
+  };
+}
+function withRole(requiredRole, getUserRole, handler) {
+  return async (request) => {
+    const guardResult = await requireRoleGuard(
+      request,
+      requiredRole,
+      getUserRole
+    );
+    if (!guardResult.authorized) {
+      return guardResult.response;
+    }
+    return handler(request, guardResult.token);
+  };
+}
+
+export { createAuthMiddleware, getRequestToken, getServerSession, getTokenFromRequest, hasValidToken, refreshServerToken, requireAuth, requireAuthGuard, requireRoleGuard, validateSession, withAuth, withRole };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/server/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server/session.ts","../../src/server/middleware.ts","../../src/server/guards.ts"],"names":["NextResponse"],"mappings":";;;;;AAYA,eAAsB,iBACpB,UAAA,EACyB;AACzB,EAAA,MAAM,WAAA,GAAc,MAAM,OAAA,EAAQ;AAClC,EAAA,MAAM,WAAA,GAAc,WAAA,CAAY,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAErD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,SAAA,CAAU,UAAA,EAAY,WAAW,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,YAAY,WAAW,CAAA;AAEvC,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,WAAA;AAAA,MACA,SAAA,EAAW,QAAQ,GAAA,GAAM;AAAA,KAC3B;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,iCAAiC,KAAK,CAAA;AACpD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKA,eAAe,SAAA,CACb,YACA,WAAA,EACmB;AACnB,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA,gBAAA,CAAA,EAAoB;AAAA,IAC5D,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,WAAW,CAAA;AAAA,KACtC;AAAA,IACA,KAAA,EAAO;AAAA,GACR,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAAA,EACxC;AAEA,EAAA,OAAO,SAAS,IAAA,EAAK;AACvB;AAKA,eAAsB,gBACpB,UAAA,EAC0B;AAC1B,EAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,UAAU,CAAA;AACjD,EAAA,OAAO,SAAS,IAAA,IAAQ,IAAA;AAC1B;AAKA,eAAsB,YAAY,UAAA,EAAsC;AACtE,EAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,UAAU,CAAA;AAEjD,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,cAAc,CAAA;AAAA,EAChC;AAEA,EAAA,OAAO,OAAA;AACT;AAKA,eAAsB,mBACpB,UAAA,EACwB;AACxB,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA,2BAAA,CAAA,EAA+B;AAAA,MACvE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,WAAA,EAAa;AAAA,KACd,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,IAAA,OAAO,IAAA,CAAK,MAAA;AAAA,EACd,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,yBAAyB,KAAK,CAAA;AAC5C,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AClGO,SAAS,qBAAqB,MAAA,EAA8B;AACjE,EAAA,MAAM;AAAA,IACJ,UAAA;AAAA,IACA,WAAA,GAAc,CAAC,QAAA,EAAU,WAAA,EAAa,kBAAkB,CAAA;AAAA,IACxD,SAAA,GAAY;AAAA,GACd,GAAI,MAAA;AAEJ,EAAA,OAAO,eAAe,eAAe,OAAA,EAAsB;AACzD,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAE7B,IAAA,MAAM,eAAe,WAAA,CAAY,IAAA;AAAA,MAAK,CAAC,IAAA,KACrC,QAAA,CAAS,UAAA,CAAW,IAAI;AAAA,KAC1B;AAEA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAEA,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,IAAA,IAAI,CAAC,WAAA,IAAe,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/C,MAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAM;AAClC,MAAA,GAAA,CAAI,QAAA,GAAW,SAAA;AACf,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AACrC,MAAA,OAAO,YAAA,CAAa,SAAS,GAAG,CAAA;AAAA,IAClC;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF;AAKO,SAAS,cAAc,OAAA,EAA+B;AAC3D,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,CAAC,eAAe,WAAW,CAAA;AACpC;AAKO,SAAS,gBAAgB,OAAA,EAAqC;AACnE,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,WAAA;AACT;AAOO,SAAS,oBAAoB,GAAA,EAAkC;AAEpE,EAAA,MAAM,UAAA,GAAa,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AAClD,EAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,CAAC,EAAE,IAAA,EAAK;AACvC,IAAA,IAAI,OAAO,OAAO,KAAA;AAAA,EACpB;AAGA,EAAA,MAAM,YAAA,GAAe,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAC7C,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,QAAQ,YAAA,CACX,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAC,IAAA,KAAS,IAAA,CAAK,IAAA,EAAM,EACzB,IAAA,CAAK,CAAC,SAAS,IAAA,CAAK,UAAA,CAAW,eAAe,CAAC,CAAA;AAElD,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,QAAQ,KAAA,CAAM,KAAA,CAAM,eAAA,CAAgB,MAAM,EAAE,IAAA,EAAK;AACvD,MAAA,IAAI,OAAO,OAAO,KAAA;AAAA,IACpB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;ACpFA,eAAsB,iBACpB,OAAA,EACsB;AACtB,EAAA,MAAM,KAAA,GAAQ,gBAAgB,OAAO,CAAA;AAErC,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,KAAA;AAAA,MACZ,UAAUA,YAAAA,CAAa,IAAA;AAAA,QACrB,EAAE,OAAO,cAAA,EAAe;AAAA,QACxB,EAAE,QAAQ,GAAA;AAAI;AAChB,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ;AAAA,GACF;AACF;AAKA,eAAsB,gBAAA,CACpB,OAAA,EACA,YAAA,EACA,WAAA,EACsB;AACtB,EAAA,MAAM,UAAA,GAAa,MAAM,gBAAA,CAAiB,OAAO,CAAA;AAEjD,EAAA,IAAI,CAAC,WAAW,UAAA,EAAY;AAC1B,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,WAAA,EAAY;AAEnC,EAAA,IAAI,CAAC,QAAA,IAAY,CAAC,iBAAA,CAAkB,QAAA,EAAU,YAAY,CAAA,EAAG;AAC3D,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,KAAA;AAAA,MACZ,UAAUA,YAAAA,CAAa,IAAA;AAAA,QACrB,EAAE,OAAO,WAAA,EAAY;AAAA,QACrB,EAAE,QAAQ,GAAA;AAAI;AAChB,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ,OAAO,UAAA,CAAW;AAAA,GACpB;AACF;AAKO,SAAS,SACd,OAAA,EACA;AACA,EAAA,OAAO,OAAO,OAAA,KAAgD;AAC5D,IAAA,MAAM,WAAA,GAAc,MAAM,gBAAA,CAAiB,OAAO,CAAA;AAElD,IAAA,IAAI,CAAC,YAAY,UAAA,EAAY;AAC3B,MAAA,OAAO,WAAA,CAAY,QAAA;AAAA,IACrB;AAEA,IAAA,OAAO,OAAA,CAAQ,OAAA,EAAS,WAAA,CAAY,KAAM,CAAA;AAAA,EAC5C,CAAA;AACF;AAKO,SAAS,QAAA,CACd,YAAA,EACA,WAAA,EACA,OAAA,EACA;AACA,EAAA,OAAO,OAAO,OAAA,KAAgD;AAC5D,IAAA,MAAM,cAAc,MAAM,gBAAA;AAAA,MACxB,OAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,YAAY,UAAA,EAAY;AAC3B,MAAA,OAAO,WAAA,CAAY,QAAA;AAAA,IACrB;AAEA,IAAA,OAAO,OAAA,CAAQ,OAAA,EAAS,WAAA,CAAY,KAAM,CAAA;AAAA,EAC5C,CAAA;AACF","file":"index.mjs","sourcesContent":["/**\n * Server-side session validation\n * For Next.js API routes and server components\n */\n\nimport { cookies } from 'next/headers';\nimport type { Session, AuthUser, TokenPayload } from '../types';\nimport { decodeToken, isTokenExpired } from '../utils';\n\n/**\n * Get session from server-side cookies and headers\n */\nexport async function getServerSession(\n  apiBaseUrl: string\n): Promise<Session | null> {\n  const cookieStore = await cookies();\n  const accessToken = cookieStore.get('access_token')?.value;\n\n  if (!accessToken) {\n    return null;\n  }\n\n  if (isTokenExpired(accessToken)) {\n    return null;\n  }\n\n  try {\n    const user = await fetchUser(apiBaseUrl, accessToken);\n    const payload = decodeToken(accessToken);\n\n    if (!payload) {\n      return null;\n    }\n\n    return {\n      user,\n      accessToken,\n      expiresAt: payload.exp * 1000,\n    };\n  } catch (error) {\n    console.error('Failed to get server session:', error);\n    return null;\n  }\n}\n\n/**\n * Fetch user data from Django backend\n */\nasync function fetchUser(\n  apiBaseUrl: string,\n  accessToken: string\n): Promise<AuthUser> {\n  const response = await fetch(`${apiBaseUrl}/api/v1/auth/me/`, {\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n    },\n    cache: 'no-store',\n  });\n\n  if (!response.ok) {\n    throw new Error('Failed to fetch user');\n  }\n\n  return response.json();\n}\n\n/**\n * Validate session and return user or null\n */\nexport async function validateSession(\n  apiBaseUrl: string\n): Promise<AuthUser | null> {\n  const session = await getServerSession(apiBaseUrl);\n  return session?.user || null;\n}\n\n/**\n * Require authenticated session (throws if not authenticated)\n */\nexport async function requireAuth(apiBaseUrl: string): Promise<Session> {\n  const session = await getServerSession(apiBaseUrl);\n\n  if (!session) {\n    throw new Error('Unauthorized');\n  }\n\n  return session;\n}\n\n/**\n * Refresh access token using refresh token cookie\n */\nexport async function refreshServerToken(\n  apiBaseUrl: string\n): Promise<string | null> {\n  try {\n    const response = await fetch(`${apiBaseUrl}/api/v1/auth/token/refresh/`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n      },\n      credentials: 'include',\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    const data = await response.json();\n    return data.access;\n  } catch (error) {\n    console.error('Token refresh failed:', error);\n    return null;\n  }\n}\n","/**\n * Next.js middleware helpers for authentication\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport { isTokenExpired } from '../utils';\n\nexport interface AuthMiddlewareConfig {\n  apiBaseUrl: string;\n  publicPaths?: string[];\n  loginPath?: string;\n}\n\n/**\n * Create auth middleware for Next.js\n */\nexport function createAuthMiddleware(config: AuthMiddlewareConfig) {\n  const {\n    apiBaseUrl,\n    publicPaths = ['/login', '/register', '/forgot-password'],\n    loginPath = '/login',\n  } = config;\n\n  return async function authMiddleware(request: NextRequest) {\n    const { pathname } = request.nextUrl;\n\n    const isPublicPath = publicPaths.some((path) =>\n      pathname.startsWith(path)\n    );\n\n    if (isPublicPath) {\n      return NextResponse.next();\n    }\n\n    const accessToken = request.cookies.get('access_token')?.value;\n\n    if (!accessToken || isTokenExpired(accessToken)) {\n      const url = request.nextUrl.clone();\n      url.pathname = loginPath;\n      url.searchParams.set('from', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    return NextResponse.next();\n  };\n}\n\n/**\n * Check if request has valid auth token\n */\nexport function hasValidToken(request: NextRequest): boolean {\n  const accessToken = request.cookies.get('access_token')?.value;\n\n  if (!accessToken) {\n    return false;\n  }\n\n  return !isTokenExpired(accessToken);\n}\n\n/**\n * Get access token from request\n */\nexport function getRequestToken(request: NextRequest): string | null {\n  const accessToken = request.cookies.get('access_token')?.value;\n\n  if (!accessToken) {\n    return null;\n  }\n\n  if (isTokenExpired(accessToken)) {\n    return null;\n  }\n\n  return accessToken;\n}\n\n/**\n * Extract bearer token from a standard Request (Authorization header or access_token cookie).\n * Framework-agnostic — works with any Request-compatible object (Next.js, Node, edge runtimes).\n * Returns the raw token string without expiry validation.\n */\nexport function getTokenFromRequest(req: Request): string | undefined {\n  // Authorization: Bearer <token>\n  const authHeader = req.headers.get('authorization');\n  if (authHeader?.startsWith('Bearer ')) {\n    const token = authHeader.slice(7).trim();\n    if (token) return token;\n  }\n\n  // Fallback: access_token cookie (parsed from Cookie header)\n  const cookieHeader = req.headers.get('cookie');\n  if (cookieHeader) {\n    const match = cookieHeader\n      .split(';')\n      .map((part) => part.trim())\n      .find((part) => part.startsWith('access_token='));\n\n    if (match) {\n      const token = match.slice('access_token='.length).trim();\n      if (token) return token;\n    }\n  }\n\n  return undefined;\n}\n","/**\n * Auth guards for API routes\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport type { CompanyRole } from '../types';\nimport { hasRolePermission } from '../types';\nimport { getRequestToken } from './middleware';\n\n/**\n * Auth guard result\n */\nexport interface GuardResult {\n  authorized: boolean;\n  response?: NextResponse;\n  token?: string;\n}\n\n/**\n * Require authentication for API route\n */\nexport async function requireAuthGuard(\n  request: NextRequest\n): Promise<GuardResult> {\n  const token = getRequestToken(request);\n\n  if (!token) {\n    return {\n      authorized: false,\n      response: NextResponse.json(\n        { error: 'Unauthorized' },\n        { status: 401 }\n      ),\n    };\n  }\n\n  return {\n    authorized: true,\n    token,\n  };\n}\n\n/**\n * Require specific role for API route\n */\nexport async function requireRoleGuard(\n  request: NextRequest,\n  requiredRole: CompanyRole,\n  getUserRole: () => Promise<CompanyRole | null>\n): Promise<GuardResult> {\n  const authResult = await requireAuthGuard(request);\n\n  if (!authResult.authorized) {\n    return authResult;\n  }\n\n  const userRole = await getUserRole();\n\n  if (!userRole || !hasRolePermission(userRole, requiredRole)) {\n    return {\n      authorized: false,\n      response: NextResponse.json(\n        { error: 'Forbidden' },\n        { status: 403 }\n      ),\n    };\n  }\n\n  return {\n    authorized: true,\n    token: authResult.token,\n  };\n}\n\n/**\n * Higher-order function to wrap API route with auth guard\n */\nexport function withAuth<T = any>(\n  handler: (request: NextRequest, token: string) => Promise<NextResponse<T>>\n) {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const guardResult = await requireAuthGuard(request);\n\n    if (!guardResult.authorized) {\n      return guardResult.response!;\n    }\n\n    return handler(request, guardResult.token!);\n  };\n}\n\n/**\n * Higher-order function to wrap API route with role guard\n */\nexport function withRole<T = any>(\n  requiredRole: CompanyRole,\n  getUserRole: () => Promise<CompanyRole | null>,\n  handler: (request: NextRequest, token: string) => Promise<NextResponse<T>>\n) {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const guardResult = await requireRoleGuard(\n      request,\n      requiredRole,\n      getUserRole\n    );\n\n    if (!guardResult.authorized) {\n      return guardResult.response!;\n    }\n\n    return handler(request, guardResult.token!);\n  };\n}\n"]}

package/dist/types/index.d.mts

@@ -0,0 +1,209 @@
+/**
+ * Authentication types for StartSimpli apps
+ */
+/**
+ * Generic token pair (access + optional refresh)
+ */
+interface TokenPair {
+    access: string;
+    refresh?: string;
+}
+/**
+ * Generic decoded JWT payload — framework and backend agnostic
+ */
+interface DecodedToken {
+    sub?: string;
+    email?: string;
+    exp?: number;
+    iat?: number;
+    [key: string]: unknown;
+}
+/**
+ * Generic auth session — framework agnostic
+ */
+interface AuthSession {
+    user: {
+        id: string;
+        email: string;
+        [key: string]: unknown;
+    };
+    accessToken: string;
+    refreshToken?: string;
+}
+/**
+ * User profile from Django backend
+ */
+interface AuthUser {
+    id: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+    isEmailVerified: boolean;
+    createdAt: string;
+    updatedAt: string;
+    companies?: Array<{
+        id: string;
+        name: string;
+        role: 'owner' | 'admin' | 'member' | 'viewer';
+    }>;
+    currentCompanyId?: string;
+}
+/**
+ * JWT token payload structure
+ */
+interface TokenPayload {
+    token_type: 'access';
+    exp: number;
+    iat: number;
+    jti: string;
+    user_id: string;
+}
+/**
+ * Session data stored in client
+ */
+interface Session {
+    user: AuthUser;
+    accessToken: string;
+    expiresAt: number;
+}
+/**
+ * Login response from Django backend
+ */
+interface LoginResponse {
+    access: string;
+    user: AuthUser;
+}
+/**
+ * Token refresh response
+ */
+interface RefreshResponse {
+    access: string;
+}
+/**
+ * Permission check result
+ */
+interface PermissionCheck {
+    hasPermission: boolean;
+    reason?: string;
+}
+/**
+ * Auth configuration options
+ */
+interface AuthConfig {
+    apiBaseUrl: string;
+    tokenRefreshInterval?: number;
+    onSessionExpired?: () => void;
+    onUnauthorized?: () => void;
+}
+/**
+ * Auth state for React context
+ */
+interface AuthState {
+    session: Session | null;
+    isLoading: boolean;
+    isAuthenticated: boolean;
+}
+/**
+ * Company role hierarchy
+ */
+type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';
+/**
+ * Role hierarchy map (higher number = more permissions)
+ */
+declare const ROLE_HIERARCHY: Record<CompanyRole, number>;
+/**
+ * Check if role has sufficient permissions
+ */
+declare function hasRolePermission(userRole: CompanyRole, requiredRole: CompanyRole): boolean;
+/**
+ * Password reset request payload
+ * Initiates password reset flow by sending reset email
+ */
+interface PasswordResetRequest {
+    email: string;
+    clientMetadata?: Record<string, any>;
+}
+/**
+ * Password reset confirmation payload
+ * Completes password reset with token and new password
+ */
+interface PasswordResetConfirm {
+    token: string;
+    password: string;
+    passwordConfirm: string;
+}
+/**
+ * Email verification request payload
+ * Verifies user email with token from verification email
+ */
+interface EmailVerificationRequest {
+    token: string;
+}
+/**
+ * Email verification response
+ * Returns updated user data after successful verification
+ */
+interface EmailVerificationResponse {
+    detail: string;
+    user: {
+        id: string;
+        email: string;
+        isEmailVerified: boolean;
+    };
+}
+/**
+ * API error response from Django backend
+ * Standard error format for all API errors
+ */
+interface ApiErrorResponse {
+    detail?: string;
+    message?: string;
+    errors?: Record<string, string[]>;
+    code?: string;
+    status?: number;
+}
+/**
+ * Validation error detail
+ * Individual field validation error
+ */
+interface ValidationError {
+    field: string;
+    message: string;
+    code?: string;
+}
+/**
+ * Validation errors map
+ * Maps field names to error messages
+ */
+type ValidationErrorsMap = Record<string, string[]>;
+/**
+ * Password validation error codes
+ */
+declare enum PasswordErrorCode {
+    TOO_SHORT = "password_too_short",
+    TOO_COMMON = "password_too_common",
+    ENTIRELY_NUMERIC = "password_entirely_numeric",
+    TOO_SIMILAR = "password_too_similar",
+    MISMATCH = "password_mismatch",
+    REQUIRED = "password_required"
+}
+/**
+ * Email validation error codes
+ */
+declare enum EmailErrorCode {
+    INVALID_FORMAT = "email_invalid_format",
+    REQUIRED = "email_required",
+    NOT_FOUND = "email_not_found",
+    ALREADY_EXISTS = "email_already_exists"
+}
+/**
+ * General validation error codes
+ */
+declare enum ValidationErrorCode {
+    REQUIRED = "required",
+    INVALID = "invalid",
+    TOO_SHORT = "too_short",
+    TOO_LONG = "too_long"
+}
+
+export { type ApiErrorResponse, type AuthConfig, type AuthSession, type AuthState, type AuthUser, type CompanyRole, type DecodedToken, EmailErrorCode, type EmailVerificationRequest, type EmailVerificationResponse, type LoginResponse, PasswordErrorCode, type PasswordResetConfirm, type PasswordResetRequest, type PermissionCheck, ROLE_HIERARCHY, type RefreshResponse, type Session, type TokenPair, type TokenPayload, type ValidationError, ValidationErrorCode, type ValidationErrorsMap, hasRolePermission };

package/dist/types/index.d.ts

@@ -0,0 +1,209 @@
+/**
+ * Authentication types for StartSimpli apps
+ */
+/**
+ * Generic token pair (access + optional refresh)
+ */
+interface TokenPair {
+    access: string;
+    refresh?: string;
+}
+/**
+ * Generic decoded JWT payload — framework and backend agnostic
+ */
+interface DecodedToken {
+    sub?: string;
+    email?: string;
+    exp?: number;
+    iat?: number;
+    [key: string]: unknown;
+}
+/**
+ * Generic auth session — framework agnostic
+ */
+interface AuthSession {
+    user: {
+        id: string;
+        email: string;
+        [key: string]: unknown;
+    };
+    accessToken: string;
+    refreshToken?: string;
+}
+/**
+ * User profile from Django backend
+ */
+interface AuthUser {
+    id: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+    isEmailVerified: boolean;
+    createdAt: string;
+    updatedAt: string;
+    companies?: Array<{
+        id: string;
+        name: string;
+        role: 'owner' | 'admin' | 'member' | 'viewer';
+    }>;
+    currentCompanyId?: string;
+}
+/**
+ * JWT token payload structure
+ */
+interface TokenPayload {
+    token_type: 'access';
+    exp: number;
+    iat: number;
+    jti: string;
+    user_id: string;
+}
+/**
+ * Session data stored in client
+ */
+interface Session {
+    user: AuthUser;
+    accessToken: string;
+    expiresAt: number;
+}
+/**
+ * Login response from Django backend
+ */
+interface LoginResponse {
+    access: string;
+    user: AuthUser;
+}
+/**
+ * Token refresh response
+ */
+interface RefreshResponse {
+    access: string;
+}
+/**
+ * Permission check result
+ */
+interface PermissionCheck {
+    hasPermission: boolean;
+    reason?: string;
+}
+/**
+ * Auth configuration options
+ */
+interface AuthConfig {
+    apiBaseUrl: string;
+    tokenRefreshInterval?: number;
+    onSessionExpired?: () => void;
+    onUnauthorized?: () => void;
+}
+/**
+ * Auth state for React context
+ */
+interface AuthState {
+    session: Session | null;
+    isLoading: boolean;
+    isAuthenticated: boolean;
+}
+/**
+ * Company role hierarchy
+ */
+type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';
+/**
+ * Role hierarchy map (higher number = more permissions)
+ */
+declare const ROLE_HIERARCHY: Record<CompanyRole, number>;
+/**
+ * Check if role has sufficient permissions
+ */
+declare function hasRolePermission(userRole: CompanyRole, requiredRole: CompanyRole): boolean;
+/**
+ * Password reset request payload
+ * Initiates password reset flow by sending reset email
+ */
+interface PasswordResetRequest {
+    email: string;
+    clientMetadata?: Record<string, any>;
+}
+/**
+ * Password reset confirmation payload
+ * Completes password reset with token and new password
+ */
+interface PasswordResetConfirm {
+    token: string;
+    password: string;
+    passwordConfirm: string;
+}
+/**
+ * Email verification request payload
+ * Verifies user email with token from verification email
+ */
+interface EmailVerificationRequest {
+    token: string;
+}
+/**
+ * Email verification response
+ * Returns updated user data after successful verification
+ */
+interface EmailVerificationResponse {
+    detail: string;
+    user: {
+        id: string;
+        email: string;
+        isEmailVerified: boolean;
+    };
+}
+/**
+ * API error response from Django backend
+ * Standard error format for all API errors
+ */
+interface ApiErrorResponse {
+    detail?: string;
+    message?: string;
+    errors?: Record<string, string[]>;
+    code?: string;
+    status?: number;
+}
+/**
+ * Validation error detail
+ * Individual field validation error
+ */
+interface ValidationError {
+    field: string;
+    message: string;
+    code?: string;
+}
+/**
+ * Validation errors map
+ * Maps field names to error messages
+ */
+type ValidationErrorsMap = Record<string, string[]>;
+/**
+ * Password validation error codes
+ */
+declare enum PasswordErrorCode {
+    TOO_SHORT = "password_too_short",
+    TOO_COMMON = "password_too_common",
+    ENTIRELY_NUMERIC = "password_entirely_numeric",
+    TOO_SIMILAR = "password_too_similar",
+    MISMATCH = "password_mismatch",
+    REQUIRED = "password_required"
+}
+/**
+ * Email validation error codes
+ */
+declare enum EmailErrorCode {
+    INVALID_FORMAT = "email_invalid_format",
+    REQUIRED = "email_required",
+    NOT_FOUND = "email_not_found",
+    ALREADY_EXISTS = "email_already_exists"
+}
+/**
+ * General validation error codes
+ */
+declare enum ValidationErrorCode {
+    REQUIRED = "required",
+    INVALID = "invalid",
+    TOO_SHORT = "too_short",
+    TOO_LONG = "too_long"
+}
+
+export { type ApiErrorResponse, type AuthConfig, type AuthSession, type AuthState, type AuthUser, type CompanyRole, type DecodedToken, EmailErrorCode, type EmailVerificationRequest, type EmailVerificationResponse, type LoginResponse, PasswordErrorCode, type PasswordResetConfirm, type PasswordResetRequest, type PermissionCheck, ROLE_HIERARCHY, type RefreshResponse, type Session, type TokenPair, type TokenPayload, type ValidationError, ValidationErrorCode, type ValidationErrorsMap, hasRolePermission };

package/dist/types/index.js

@@ -0,0 +1,43 @@
+'use strict';
+
+// src/types/index.ts
+var ROLE_HIERARCHY = {
+  owner: 4,
+  admin: 3,
+  member: 2,
+  viewer: 1
+};
+function hasRolePermission(userRole, requiredRole) {
+  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
+}
+var PasswordErrorCode = /* @__PURE__ */ ((PasswordErrorCode2) => {
+  PasswordErrorCode2["TOO_SHORT"] = "password_too_short";
+  PasswordErrorCode2["TOO_COMMON"] = "password_too_common";
+  PasswordErrorCode2["ENTIRELY_NUMERIC"] = "password_entirely_numeric";
+  PasswordErrorCode2["TOO_SIMILAR"] = "password_too_similar";
+  PasswordErrorCode2["MISMATCH"] = "password_mismatch";
+  PasswordErrorCode2["REQUIRED"] = "password_required";
+  return PasswordErrorCode2;
+})(PasswordErrorCode || {});
+var EmailErrorCode = /* @__PURE__ */ ((EmailErrorCode2) => {
+  EmailErrorCode2["INVALID_FORMAT"] = "email_invalid_format";
+  EmailErrorCode2["REQUIRED"] = "email_required";
+  EmailErrorCode2["NOT_FOUND"] = "email_not_found";
+  EmailErrorCode2["ALREADY_EXISTS"] = "email_already_exists";
+  return EmailErrorCode2;
+})(EmailErrorCode || {});
+var ValidationErrorCode = /* @__PURE__ */ ((ValidationErrorCode2) => {
+  ValidationErrorCode2["REQUIRED"] = "required";
+  ValidationErrorCode2["INVALID"] = "invalid";
+  ValidationErrorCode2["TOO_SHORT"] = "too_short";
+  ValidationErrorCode2["TOO_LONG"] = "too_long";
+  return ValidationErrorCode2;
+})(ValidationErrorCode || {});
+
+exports.EmailErrorCode = EmailErrorCode;
+exports.PasswordErrorCode = PasswordErrorCode;
+exports.ROLE_HIERARCHY = ROLE_HIERARCHY;
+exports.ValidationErrorCode = ValidationErrorCode;
+exports.hasRolePermission = hasRolePermission;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/types/index.ts"],"names":["PasswordErrorCode","EmailErrorCode","ValidationErrorCode"],"mappings":";;;AA8HO,IAAM,cAAA,GAA8C;AAAA,EACzD,KAAA,EAAO,CAAA;AAAA,EACP,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ,CAAA;AAAA,EACR,MAAA,EAAQ;AACV;AAKO,SAAS,iBAAA,CACd,UACA,YAAA,EACS;AACT,EAAA,OAAO,cAAA,CAAe,QAAQ,CAAA,IAAK,cAAA,CAAe,YAAY,CAAA;AAChE;AAyEO,IAAK,iBAAA,qBAAAA,kBAAAA,KAAL;AACL,EAAAA,mBAAA,WAAA,CAAA,GAAY,oBAAA;AACZ,EAAAA,mBAAA,YAAA,CAAA,GAAa,qBAAA;AACb,EAAAA,mBAAA,kBAAA,CAAA,GAAmB,2BAAA;AACnB,EAAAA,mBAAA,aAAA,CAAA,GAAc,sBAAA;AACd,EAAAA,mBAAA,UAAA,CAAA,GAAW,mBAAA;AACX,EAAAA,mBAAA,UAAA,CAAA,GAAW,mBAAA;AAND,EAAA,OAAAA,kBAAAA;AAAA,CAAA,EAAA,iBAAA,IAAA,EAAA;AAYL,IAAK,cAAA,qBAAAC,eAAAA,KAAL;AACL,EAAAA,gBAAA,gBAAA,CAAA,GAAiB,sBAAA;AACjB,EAAAA,gBAAA,UAAA,CAAA,GAAW,gBAAA;AACX,EAAAA,gBAAA,WAAA,CAAA,GAAY,iBAAA;AACZ,EAAAA,gBAAA,gBAAA,CAAA,GAAiB,sBAAA;AAJP,EAAA,OAAAA,eAAAA;AAAA,CAAA,EAAA,cAAA,IAAA,EAAA;AAUL,IAAK,mBAAA,qBAAAC,oBAAAA,KAAL;AACL,EAAAA,qBAAA,UAAA,CAAA,GAAW,UAAA;AACX,EAAAA,qBAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,qBAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,qBAAA,UAAA,CAAA,GAAW,UAAA;AAJD,EAAA,OAAAA,oBAAAA;AAAA,CAAA,EAAA,mBAAA,IAAA,EAAA","file":"index.js","sourcesContent":["/**\n * Authentication types for StartSimpli apps\n */\n\n/**\n * Generic token pair (access + optional refresh)\n */\nexport interface TokenPair {\n  access: string;\n  refresh?: string;\n}\n\n/**\n * Generic decoded JWT payload — framework and backend agnostic\n */\nexport interface DecodedToken {\n  sub?: string;\n  email?: string;\n  exp?: number;\n  iat?: number;\n  [key: string]: unknown;\n}\n\n/**\n * Generic auth session — framework agnostic\n */\nexport interface AuthSession {\n  user: {\n    id: string;\n    email: string;\n    [key: string]: unknown;\n  };\n  accessToken: string;\n  refreshToken?: string;\n}\n\n/**\n * User profile from Django backend\n */\nexport interface AuthUser {\n  id: string;\n  email: string;\n  firstName: string;\n  lastName: string;\n  isEmailVerified: boolean;\n  createdAt: string;\n  updatedAt: string;\n  // Company/team context (if applicable)\n  companies?: Array<{\n    id: string;\n    name: string;\n    role: 'owner' | 'admin' | 'member' | 'viewer';\n  }>;\n  currentCompanyId?: string;\n}\n\n/**\n * JWT token payload structure\n */\nexport interface TokenPayload {\n  token_type: 'access';\n  exp: number;\n  iat: number;\n  jti: string;\n  user_id: string;\n}\n\n/**\n * Session data stored in client\n */\nexport interface Session {\n  user: AuthUser;\n  accessToken: string;\n  expiresAt: number;\n}\n\n/**\n * Login response from Django backend\n */\nexport interface LoginResponse {\n  access: string;\n  user: AuthUser;\n}\n\n/**\n * Token refresh response\n */\nexport interface RefreshResponse {\n  access: string;\n}\n\n/**\n * Permission check result\n */\nexport interface PermissionCheck {\n  hasPermission: boolean;\n  reason?: string;\n}\n\n/**\n * Auth configuration options\n */\nexport interface AuthConfig {\n  apiBaseUrl: string;\n  tokenRefreshInterval?: number; // milliseconds, default 4 minutes\n  onSessionExpired?: () => void;\n  onUnauthorized?: () => void;\n}\n\n/**\n * Auth state for React context\n */\nexport interface AuthState {\n  session: Session | null;\n  isLoading: boolean;\n  isAuthenticated: boolean;\n}\n\n/**\n * Company role hierarchy\n */\nexport type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';\n\n/**\n * Role hierarchy map (higher number = more permissions)\n */\nexport const ROLE_HIERARCHY: Record<CompanyRole, number> = {\n  owner: 4,\n  admin: 3,\n  member: 2,\n  viewer: 1,\n};\n\n/**\n * Check if role has sufficient permissions\n */\nexport function hasRolePermission(\n  userRole: CompanyRole,\n  requiredRole: CompanyRole\n): boolean {\n  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];\n}\n\n/**\n * Password reset request payload\n * Initiates password reset flow by sending reset email\n */\nexport interface PasswordResetRequest {\n  email: string;\n  clientMetadata?: Record<string, any>;\n}\n\n/**\n * Password reset confirmation payload\n * Completes password reset with token and new password\n */\nexport interface PasswordResetConfirm {\n  token: string;\n  password: string;\n  passwordConfirm: string;\n}\n\n/**\n * Email verification request payload\n * Verifies user email with token from verification email\n */\nexport interface EmailVerificationRequest {\n  token: string;\n}\n\n/**\n * Email verification response\n * Returns updated user data after successful verification\n */\nexport interface EmailVerificationResponse {\n  detail: string;\n  user: {\n    id: string;\n    email: string;\n    isEmailVerified: boolean;\n  };\n}\n\n/**\n * API error response from Django backend\n * Standard error format for all API errors\n */\nexport interface ApiErrorResponse {\n  detail?: string;\n  message?: string;\n  errors?: Record<string, string[]>;\n  code?: string;\n  status?: number;\n}\n\n/**\n * Validation error detail\n * Individual field validation error\n */\nexport interface ValidationError {\n  field: string;\n  message: string;\n  code?: string;\n}\n\n/**\n * Validation errors map\n * Maps field names to error messages\n */\nexport type ValidationErrorsMap = Record<string, string[]>;\n\n/**\n * Password validation error codes\n */\nexport enum PasswordErrorCode {\n  TOO_SHORT = 'password_too_short',\n  TOO_COMMON = 'password_too_common',\n  ENTIRELY_NUMERIC = 'password_entirely_numeric',\n  TOO_SIMILAR = 'password_too_similar',\n  MISMATCH = 'password_mismatch',\n  REQUIRED = 'password_required',\n}\n\n/**\n * Email validation error codes\n */\nexport enum EmailErrorCode {\n  INVALID_FORMAT = 'email_invalid_format',\n  REQUIRED = 'email_required',\n  NOT_FOUND = 'email_not_found',\n  ALREADY_EXISTS = 'email_already_exists',\n}\n\n/**\n * General validation error codes\n */\nexport enum ValidationErrorCode {\n  REQUIRED = 'required',\n  INVALID = 'invalid',\n  TOO_SHORT = 'too_short',\n  TOO_LONG = 'too_long',\n}\n"]}