@startsimpli/auth 0.1.4 → 0.1.5

package/dist/server/index.mjs

@@ -1,191 +0,0 @@
-import { isTokenExpired, decodeToken } from '../chunk-AADTGAI2.mjs';
-import { hasRolePermission } from '../chunk-QAXZGJNQ.mjs';
-import { cookies } from 'next/headers';
-import { NextResponse } from 'next/server';
-
-async function getServerSession(apiBaseUrl) {
-  const cookieStore = await cookies();
-  const accessToken = cookieStore.get("access_token")?.value;
-  if (!accessToken) {
-    return null;
-  }
-  if (isTokenExpired(accessToken)) {
-    return null;
-  }
-  try {
-    const user = await fetchUser(apiBaseUrl, accessToken);
-    const payload = decodeToken(accessToken);
-    if (!payload) {
-      return null;
-    }
-    return {
-      user,
-      accessToken,
-      expiresAt: payload.exp * 1e3
-    };
-  } catch (error) {
-    console.error("Failed to get server session:", error);
-    return null;
-  }
-}
-async function fetchUser(apiBaseUrl, accessToken) {
-  const response = await fetch(`${apiBaseUrl}/api/v1/auth/me/`, {
-    headers: {
-      Authorization: `Bearer ${accessToken}`
-    },
-    cache: "no-store"
-  });
-  if (!response.ok) {
-    throw new Error("Failed to fetch user");
-  }
-  return response.json();
-}
-async function validateSession(apiBaseUrl) {
-  const session = await getServerSession(apiBaseUrl);
-  return session?.user || null;
-}
-async function requireAuth(apiBaseUrl) {
-  const session = await getServerSession(apiBaseUrl);
-  if (!session) {
-    throw new Error("Unauthorized");
-  }
-  return session;
-}
-async function refreshServerToken(apiBaseUrl) {
-  try {
-    const response = await fetch(`${apiBaseUrl}/api/v1/auth/token/refresh/`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      credentials: "include"
-    });
-    if (!response.ok) {
-      return null;
-    }
-    const data = await response.json();
-    return data.access;
-  } catch (error) {
-    console.error("Token refresh failed:", error);
-    return null;
-  }
-}
-function createAuthMiddleware(config) {
-  const {
-    apiBaseUrl,
-    publicPaths = ["/login", "/register", "/forgot-password"],
-    loginPath = "/login"
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    const isPublicPath = publicPaths.some(
-      (path) => pathname.startsWith(path)
-    );
-    if (isPublicPath) {
-      return NextResponse.next();
-    }
-    const accessToken = request.cookies.get("access_token")?.value;
-    if (!accessToken || isTokenExpired(accessToken)) {
-      const url = request.nextUrl.clone();
-      url.pathname = loginPath;
-      url.searchParams.set("from", pathname);
-      return NextResponse.redirect(url);
-    }
-    return NextResponse.next();
-  };
-}
-function hasValidToken(request) {
-  const accessToken = request.cookies.get("access_token")?.value;
-  if (!accessToken) {
-    return false;
-  }
-  return !isTokenExpired(accessToken);
-}
-function getRequestToken(request) {
-  const accessToken = request.cookies.get("access_token")?.value;
-  if (!accessToken) {
-    return null;
-  }
-  if (isTokenExpired(accessToken)) {
-    return null;
-  }
-  return accessToken;
-}
-function getTokenFromRequest(req) {
-  const authHeader = req.headers.get("authorization");
-  if (authHeader?.startsWith("Bearer ")) {
-    const token = authHeader.slice(7).trim();
-    if (token) return token;
-  }
-  const cookieHeader = req.headers.get("cookie");
-  if (cookieHeader) {
-    const match = cookieHeader.split(";").map((part) => part.trim()).find((part) => part.startsWith("access_token="));
-    if (match) {
-      const token = match.slice("access_token=".length).trim();
-      if (token) return token;
-    }
-  }
-  return void 0;
-}
-async function requireAuthGuard(request) {
-  const token = getRequestToken(request);
-  if (!token) {
-    return {
-      authorized: false,
-      response: NextResponse.json(
-        { error: "Unauthorized" },
-        { status: 401 }
-      )
-    };
-  }
-  return {
-    authorized: true,
-    token
-  };
-}
-async function requireRoleGuard(request, requiredRole, getUserRole) {
-  const authResult = await requireAuthGuard(request);
-  if (!authResult.authorized) {
-    return authResult;
-  }
-  const userRole = await getUserRole();
-  if (!userRole || !hasRolePermission(userRole, requiredRole)) {
-    return {
-      authorized: false,
-      response: NextResponse.json(
-        { error: "Forbidden" },
-        { status: 403 }
-      )
-    };
-  }
-  return {
-    authorized: true,
-    token: authResult.token
-  };
-}
-function withAuth(handler) {
-  return async (request) => {
-    const guardResult = await requireAuthGuard(request);
-    if (!guardResult.authorized) {
-      return guardResult.response;
-    }
-    return handler(request, guardResult.token);
-  };
-}
-function withRole(requiredRole, getUserRole, handler) {
-  return async (request) => {
-    const guardResult = await requireRoleGuard(
-      request,
-      requiredRole,
-      getUserRole
-    );
-    if (!guardResult.authorized) {
-      return guardResult.response;
-    }
-    return handler(request, guardResult.token);
-  };
-}
-
-export { createAuthMiddleware, getRequestToken, getServerSession, getTokenFromRequest, hasValidToken, refreshServerToken, requireAuth, requireAuthGuard, requireRoleGuard, validateSession, withAuth, withRole };
-//# sourceMappingURL=index.mjs.map
-//# sourceMappingURL=index.mjs.map

package/dist/server/index.mjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../src/server/session.ts","../../src/server/middleware.ts","../../src/server/guards.ts"],"names":["NextResponse"],"mappings":";;;;;AAYA,eAAsB,iBACpB,UAAA,EACyB;AACzB,EAAA,MAAM,WAAA,GAAc,MAAM,OAAA,EAAQ;AAClC,EAAA,MAAM,WAAA,GAAc,WAAA,CAAY,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAErD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,SAAA,CAAU,UAAA,EAAY,WAAW,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,YAAY,WAAW,CAAA;AAEvC,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,WAAA;AAAA,MACA,SAAA,EAAW,QAAQ,GAAA,GAAM;AAAA,KAC3B;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,iCAAiC,KAAK,CAAA;AACpD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKA,eAAe,SAAA,CACb,YACA,WAAA,EACmB;AACnB,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA,gBAAA,CAAA,EAAoB;AAAA,IAC5D,OAAA,EAAS;AAAA,MACP,aAAA,EAAe,UAAU,WAAW,CAAA;AAAA,KACtC;AAAA,IACA,KAAA,EAAO;AAAA,GACR,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAAA,EACxC;AAEA,EAAA,OAAO,SAAS,IAAA,EAAK;AACvB;AAKA,eAAsB,gBACpB,UAAA,EAC0B;AAC1B,EAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,UAAU,CAAA;AACjD,EAAA,OAAO,SAAS,IAAA,IAAQ,IAAA;AAC1B;AAKA,eAAsB,YAAY,UAAA,EAAsC;AACtE,EAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,UAAU,CAAA;AAEjD,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,cAAc,CAAA;AAAA,EAChC;AAEA,EAAA,OAAO,OAAA;AACT;AAKA,eAAsB,mBACpB,UAAA,EACwB;AACxB,EAAA,IAAI;AACF,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA,2BAAA,CAAA,EAA+B;AAAA,MACvE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,WAAA,EAAa;AAAA,KACd,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,IAAA,OAAO,IAAA,CAAK,MAAA;AAAA,EACd,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,yBAAyB,KAAK,CAAA;AAC5C,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AClGO,SAAS,qBAAqB,MAAA,EAA8B;AACjE,EAAA,MAAM;AAAA,IACJ,UAAA;AAAA,IACA,WAAA,GAAc,CAAC,QAAA,EAAU,WAAA,EAAa,kBAAkB,CAAA;AAAA,IACxD,SAAA,GAAY;AAAA,GACd,GAAI,MAAA;AAEJ,EAAA,OAAO,eAAe,eAAe,OAAA,EAAsB;AACzD,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAE7B,IAAA,MAAM,eAAe,WAAA,CAAY,IAAA;AAAA,MAAK,CAAC,IAAA,KACrC,QAAA,CAAS,UAAA,CAAW,IAAI;AAAA,KAC1B;AAEA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAEA,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,IAAA,IAAI,CAAC,WAAA,IAAe,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/C,MAAA,MAAM,GAAA,GAAM,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAM;AAClC,MAAA,GAAA,CAAI,QAAA,GAAW,SAAA;AACf,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AACrC,MAAA,OAAO,YAAA,CAAa,SAAS,GAAG,CAAA;AAAA,IAClC;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF;AAKO,SAAS,cAAc,OAAA,EAA+B;AAC3D,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,CAAC,eAAe,WAAW,CAAA;AACpC;AAKO,SAAS,gBAAgB,OAAA,EAAqC;AACnE,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA;AAEzD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,WAAA;AACT;AAOO,SAAS,oBAAoB,GAAA,EAAkC;AAEpE,EAAA,MAAM,UAAA,GAAa,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AAClD,EAAA,IAAI,UAAA,EAAY,UAAA,CAAW,SAAS,CAAA,EAAG;AACrC,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,CAAC,EAAE,IAAA,EAAK;AACvC,IAAA,IAAI,OAAO,OAAO,KAAA;AAAA,EACpB;AAGA,EAAA,MAAM,YAAA,GAAe,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAC7C,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,QAAQ,YAAA,CACX,KAAA,CAAM,GAAG,CAAA,CACT,GAAA,CAAI,CAAC,IAAA,KAAS,IAAA,CAAK,IAAA,EAAM,EACzB,IAAA,CAAK,CAAC,SAAS,IAAA,CAAK,UAAA,CAAW,eAAe,CAAC,CAAA;AAElD,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,QAAQ,KAAA,CAAM,KAAA,CAAM,eAAA,CAAgB,MAAM,EAAE,IAAA,EAAK;AACvD,MAAA,IAAI,OAAO,OAAO,KAAA;AAAA,IACpB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;ACpFA,eAAsB,iBACpB,OAAA,EACsB;AACtB,EAAA,MAAM,KAAA,GAAQ,gBAAgB,OAAO,CAAA;AAErC,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,KAAA;AAAA,MACZ,UAAUA,YAAAA,CAAa,IAAA;AAAA,QACrB,EAAE,OAAO,cAAA,EAAe;AAAA,QACxB,EAAE,QAAQ,GAAA;AAAI;AAChB,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ;AAAA,GACF;AACF;AAKA,eAAsB,gBAAA,CACpB,OAAA,EACA,YAAA,EACA,WAAA,EACsB;AACtB,EAAA,MAAM,UAAA,GAAa,MAAM,gBAAA,CAAiB,OAAO,CAAA;AAEjD,EAAA,IAAI,CAAC,WAAW,UAAA,EAAY;AAC1B,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,WAAA,EAAY;AAEnC,EAAA,IAAI,CAAC,QAAA,IAAY,CAAC,iBAAA,CAAkB,QAAA,EAAU,YAAY,CAAA,EAAG;AAC3D,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,KAAA;AAAA,MACZ,UAAUA,YAAAA,CAAa,IAAA;AAAA,QACrB,EAAE,OAAO,WAAA,EAAY;AAAA,QACrB,EAAE,QAAQ,GAAA;AAAI;AAChB,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ,OAAO,UAAA,CAAW;AAAA,GACpB;AACF;AAKO,SAAS,SACd,OAAA,EACA;AACA,EAAA,OAAO,OAAO,OAAA,KAAgD;AAC5D,IAAA,MAAM,WAAA,GAAc,MAAM,gBAAA,CAAiB,OAAO,CAAA;AAElD,IAAA,IAAI,CAAC,YAAY,UAAA,EAAY;AAC3B,MAAA,OAAO,WAAA,CAAY,QAAA;AAAA,IACrB;AAEA,IAAA,OAAO,OAAA,CAAQ,OAAA,EAAS,WAAA,CAAY,KAAM,CAAA;AAAA,EAC5C,CAAA;AACF;AAKO,SAAS,QAAA,CACd,YAAA,EACA,WAAA,EACA,OAAA,EACA;AACA,EAAA,OAAO,OAAO,OAAA,KAAgD;AAC5D,IAAA,MAAM,cAAc,MAAM,gBAAA;AAAA,MACxB,OAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,YAAY,UAAA,EAAY;AAC3B,MAAA,OAAO,WAAA,CAAY,QAAA;AAAA,IACrB;AAEA,IAAA,OAAO,OAAA,CAAQ,OAAA,EAAS,WAAA,CAAY,KAAM,CAAA;AAAA,EAC5C,CAAA;AACF","file":"index.mjs","sourcesContent":["/**\n * Server-side session validation\n * For Next.js API routes and server components\n */\n\nimport { cookies } from 'next/headers';\nimport type { Session, AuthUser, TokenPayload } from '../types';\nimport { decodeToken, isTokenExpired } from '../utils';\n\n/**\n * Get session from server-side cookies and headers\n */\nexport async function getServerSession(\n  apiBaseUrl: string\n): Promise<Session | null> {\n  const cookieStore = await cookies();\n  const accessToken = cookieStore.get('access_token')?.value;\n\n  if (!accessToken) {\n    return null;\n  }\n\n  if (isTokenExpired(accessToken)) {\n    return null;\n  }\n\n  try {\n    const user = await fetchUser(apiBaseUrl, accessToken);\n    const payload = decodeToken(accessToken);\n\n    if (!payload) {\n      return null;\n    }\n\n    return {\n      user,\n      accessToken,\n      expiresAt: payload.exp * 1000,\n    };\n  } catch (error) {\n    console.error('Failed to get server session:', error);\n    return null;\n  }\n}\n\n/**\n * Fetch user data from Django backend\n */\nasync function fetchUser(\n  apiBaseUrl: string,\n  accessToken: string\n): Promise<AuthUser> {\n  const response = await fetch(`${apiBaseUrl}/api/v1/auth/me/`, {\n    headers: {\n      Authorization: `Bearer ${accessToken}`,\n    },\n    cache: 'no-store',\n  });\n\n  if (!response.ok) {\n    throw new Error('Failed to fetch user');\n  }\n\n  return response.json();\n}\n\n/**\n * Validate session and return user or null\n */\nexport async function validateSession(\n  apiBaseUrl: string\n): Promise<AuthUser | null> {\n  const session = await getServerSession(apiBaseUrl);\n  return session?.user || null;\n}\n\n/**\n * Require authenticated session (throws if not authenticated)\n */\nexport async function requireAuth(apiBaseUrl: string): Promise<Session> {\n  const session = await getServerSession(apiBaseUrl);\n\n  if (!session) {\n    throw new Error('Unauthorized');\n  }\n\n  return session;\n}\n\n/**\n * Refresh access token using refresh token cookie\n */\nexport async function refreshServerToken(\n  apiBaseUrl: string\n): Promise<string | null> {\n  try {\n    const response = await fetch(`${apiBaseUrl}/api/v1/auth/token/refresh/`, {\n      method: 'POST',\n      headers: {\n        'Content-Type': 'application/json',\n      },\n      credentials: 'include',\n    });\n\n    if (!response.ok) {\n      return null;\n    }\n\n    const data = await response.json();\n    return data.access;\n  } catch (error) {\n    console.error('Token refresh failed:', error);\n    return null;\n  }\n}\n","/**\n * Next.js middleware helpers for authentication\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport { isTokenExpired } from '../utils';\n\nexport interface AuthMiddlewareConfig {\n  apiBaseUrl: string;\n  publicPaths?: string[];\n  loginPath?: string;\n}\n\n/**\n * Create auth middleware for Next.js\n */\nexport function createAuthMiddleware(config: AuthMiddlewareConfig) {\n  const {\n    apiBaseUrl,\n    publicPaths = ['/login', '/register', '/forgot-password'],\n    loginPath = '/login',\n  } = config;\n\n  return async function authMiddleware(request: NextRequest) {\n    const { pathname } = request.nextUrl;\n\n    const isPublicPath = publicPaths.some((path) =>\n      pathname.startsWith(path)\n    );\n\n    if (isPublicPath) {\n      return NextResponse.next();\n    }\n\n    const accessToken = request.cookies.get('access_token')?.value;\n\n    if (!accessToken || isTokenExpired(accessToken)) {\n      const url = request.nextUrl.clone();\n      url.pathname = loginPath;\n      url.searchParams.set('from', pathname);\n      return NextResponse.redirect(url);\n    }\n\n    return NextResponse.next();\n  };\n}\n\n/**\n * Check if request has valid auth token\n */\nexport function hasValidToken(request: NextRequest): boolean {\n  const accessToken = request.cookies.get('access_token')?.value;\n\n  if (!accessToken) {\n    return false;\n  }\n\n  return !isTokenExpired(accessToken);\n}\n\n/**\n * Get access token from request\n */\nexport function getRequestToken(request: NextRequest): string | null {\n  const accessToken = request.cookies.get('access_token')?.value;\n\n  if (!accessToken) {\n    return null;\n  }\n\n  if (isTokenExpired(accessToken)) {\n    return null;\n  }\n\n  return accessToken;\n}\n\n/**\n * Extract bearer token from a standard Request (Authorization header or access_token cookie).\n * Framework-agnostic — works with any Request-compatible object (Next.js, Node, edge runtimes).\n * Returns the raw token string without expiry validation.\n */\nexport function getTokenFromRequest(req: Request): string | undefined {\n  // Authorization: Bearer <token>\n  const authHeader = req.headers.get('authorization');\n  if (authHeader?.startsWith('Bearer ')) {\n    const token = authHeader.slice(7).trim();\n    if (token) return token;\n  }\n\n  // Fallback: access_token cookie (parsed from Cookie header)\n  const cookieHeader = req.headers.get('cookie');\n  if (cookieHeader) {\n    const match = cookieHeader\n      .split(';')\n      .map((part) => part.trim())\n      .find((part) => part.startsWith('access_token='));\n\n    if (match) {\n      const token = match.slice('access_token='.length).trim();\n      if (token) return token;\n    }\n  }\n\n  return undefined;\n}\n","/**\n * Auth guards for API routes\n */\n\nimport { NextRequest, NextResponse } from 'next/server';\nimport type { CompanyRole } from '../types';\nimport { hasRolePermission } from '../types';\nimport { getRequestToken } from './middleware';\n\n/**\n * Auth guard result\n */\nexport interface GuardResult {\n  authorized: boolean;\n  response?: NextResponse;\n  token?: string;\n}\n\n/**\n * Require authentication for API route\n */\nexport async function requireAuthGuard(\n  request: NextRequest\n): Promise<GuardResult> {\n  const token = getRequestToken(request);\n\n  if (!token) {\n    return {\n      authorized: false,\n      response: NextResponse.json(\n        { error: 'Unauthorized' },\n        { status: 401 }\n      ),\n    };\n  }\n\n  return {\n    authorized: true,\n    token,\n  };\n}\n\n/**\n * Require specific role for API route\n */\nexport async function requireRoleGuard(\n  request: NextRequest,\n  requiredRole: CompanyRole,\n  getUserRole: () => Promise<CompanyRole | null>\n): Promise<GuardResult> {\n  const authResult = await requireAuthGuard(request);\n\n  if (!authResult.authorized) {\n    return authResult;\n  }\n\n  const userRole = await getUserRole();\n\n  if (!userRole || !hasRolePermission(userRole, requiredRole)) {\n    return {\n      authorized: false,\n      response: NextResponse.json(\n        { error: 'Forbidden' },\n        { status: 403 }\n      ),\n    };\n  }\n\n  return {\n    authorized: true,\n    token: authResult.token,\n  };\n}\n\n/**\n * Higher-order function to wrap API route with auth guard\n */\nexport function withAuth<T = any>(\n  handler: (request: NextRequest, token: string) => Promise<NextResponse<T>>\n) {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const guardResult = await requireAuthGuard(request);\n\n    if (!guardResult.authorized) {\n      return guardResult.response!;\n    }\n\n    return handler(request, guardResult.token!);\n  };\n}\n\n/**\n * Higher-order function to wrap API route with role guard\n */\nexport function withRole<T = any>(\n  requiredRole: CompanyRole,\n  getUserRole: () => Promise<CompanyRole | null>,\n  handler: (request: NextRequest, token: string) => Promise<NextResponse<T>>\n) {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const guardResult = await requireRoleGuard(\n      request,\n      requiredRole,\n      getUserRole\n    );\n\n    if (!guardResult.authorized) {\n      return guardResult.response!;\n    }\n\n    return handler(request, guardResult.token!);\n  };\n}\n"]}

package/dist/types/index.d.mts

@@ -1,209 +0,0 @@
-/**
- * Authentication types for StartSimpli apps
- */
-/**
- * Generic token pair (access + optional refresh)
- */
-interface TokenPair {
-    access: string;
-    refresh?: string;
-}
-/**
- * Generic decoded JWT payload — framework and backend agnostic
- */
-interface DecodedToken {
-    sub?: string;
-    email?: string;
-    exp?: number;
-    iat?: number;
-    [key: string]: unknown;
-}
-/**
- * Generic auth session — framework agnostic
- */
-interface AuthSession {
-    user: {
-        id: string;
-        email: string;
-        [key: string]: unknown;
-    };
-    accessToken: string;
-    refreshToken?: string;
-}
-/**
- * User profile from Django backend
- */
-interface AuthUser {
-    id: string;
-    email: string;
-    firstName: string;
-    lastName: string;
-    isEmailVerified: boolean;
-    createdAt: string;
-    updatedAt: string;
-    companies?: Array<{
-        id: string;
-        name: string;
-        role: 'owner' | 'admin' | 'member' | 'viewer';
-    }>;
-    currentCompanyId?: string;
-}
-/**
- * JWT token payload structure
- */
-interface TokenPayload {
-    token_type: 'access';
-    exp: number;
-    iat: number;
-    jti: string;
-    user_id: string;
-}
-/**
- * Session data stored in client
- */
-interface Session {
-    user: AuthUser;
-    accessToken: string;
-    expiresAt: number;
-}
-/**
- * Login response from Django backend
- */
-interface LoginResponse {
-    access: string;
-    user: AuthUser;
-}
-/**
- * Token refresh response
- */
-interface RefreshResponse {
-    access: string;
-}
-/**
- * Permission check result
- */
-interface PermissionCheck {
-    hasPermission: boolean;
-    reason?: string;
-}
-/**
- * Auth configuration options
- */
-interface AuthConfig {
-    apiBaseUrl: string;
-    tokenRefreshInterval?: number;
-    onSessionExpired?: () => void;
-    onUnauthorized?: () => void;
-}
-/**
- * Auth state for React context
- */
-interface AuthState {
-    session: Session | null;
-    isLoading: boolean;
-    isAuthenticated: boolean;
-}
-/**
- * Company role hierarchy
- */
-type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';
-/**
- * Role hierarchy map (higher number = more permissions)
- */
-declare const ROLE_HIERARCHY: Record<CompanyRole, number>;
-/**
- * Check if role has sufficient permissions
- */
-declare function hasRolePermission(userRole: CompanyRole, requiredRole: CompanyRole): boolean;
-/**
- * Password reset request payload
- * Initiates password reset flow by sending reset email
- */
-interface PasswordResetRequest {
-    email: string;
-    clientMetadata?: Record<string, any>;
-}
-/**
- * Password reset confirmation payload
- * Completes password reset with token and new password
- */
-interface PasswordResetConfirm {
-    token: string;
-    password: string;
-    passwordConfirm: string;
-}
-/**
- * Email verification request payload
- * Verifies user email with token from verification email
- */
-interface EmailVerificationRequest {
-    token: string;
-}
-/**
- * Email verification response
- * Returns updated user data after successful verification
- */
-interface EmailVerificationResponse {
-    detail: string;
-    user: {
-        id: string;
-        email: string;
-        isEmailVerified: boolean;
-    };
-}
-/**
- * API error response from Django backend
- * Standard error format for all API errors
- */
-interface ApiErrorResponse {
-    detail?: string;
-    message?: string;
-    errors?: Record<string, string[]>;
-    code?: string;
-    status?: number;
-}
-/**
- * Validation error detail
- * Individual field validation error
- */
-interface ValidationError {
-    field: string;
-    message: string;
-    code?: string;
-}
-/**
- * Validation errors map
- * Maps field names to error messages
- */
-type ValidationErrorsMap = Record<string, string[]>;
-/**
- * Password validation error codes
- */
-declare enum PasswordErrorCode {
-    TOO_SHORT = "password_too_short",
-    TOO_COMMON = "password_too_common",
-    ENTIRELY_NUMERIC = "password_entirely_numeric",
-    TOO_SIMILAR = "password_too_similar",
-    MISMATCH = "password_mismatch",
-    REQUIRED = "password_required"
-}
-/**
- * Email validation error codes
- */
-declare enum EmailErrorCode {
-    INVALID_FORMAT = "email_invalid_format",
-    REQUIRED = "email_required",
-    NOT_FOUND = "email_not_found",
-    ALREADY_EXISTS = "email_already_exists"
-}
-/**
- * General validation error codes
- */
-declare enum ValidationErrorCode {
-    REQUIRED = "required",
-    INVALID = "invalid",
-    TOO_SHORT = "too_short",
-    TOO_LONG = "too_long"
-}
-
-export { type ApiErrorResponse, type AuthConfig, type AuthSession, type AuthState, type AuthUser, type CompanyRole, type DecodedToken, EmailErrorCode, type EmailVerificationRequest, type EmailVerificationResponse, type LoginResponse, PasswordErrorCode, type PasswordResetConfirm, type PasswordResetRequest, type PermissionCheck, ROLE_HIERARCHY, type RefreshResponse, type Session, type TokenPair, type TokenPayload, type ValidationError, ValidationErrorCode, type ValidationErrorsMap, hasRolePermission };

package/dist/types/index.d.ts

@@ -1,209 +0,0 @@
-/**
- * Authentication types for StartSimpli apps
- */
-/**
- * Generic token pair (access + optional refresh)
- */
-interface TokenPair {
-    access: string;
-    refresh?: string;
-}
-/**
- * Generic decoded JWT payload — framework and backend agnostic
- */
-interface DecodedToken {
-    sub?: string;
-    email?: string;
-    exp?: number;
-    iat?: number;
-    [key: string]: unknown;
-}
-/**
- * Generic auth session — framework agnostic
- */
-interface AuthSession {
-    user: {
-        id: string;
-        email: string;
-        [key: string]: unknown;
-    };
-    accessToken: string;
-    refreshToken?: string;
-}
-/**
- * User profile from Django backend
- */
-interface AuthUser {
-    id: string;
-    email: string;
-    firstName: string;
-    lastName: string;
-    isEmailVerified: boolean;
-    createdAt: string;
-    updatedAt: string;
-    companies?: Array<{
-        id: string;
-        name: string;
-        role: 'owner' | 'admin' | 'member' | 'viewer';
-    }>;
-    currentCompanyId?: string;
-}
-/**
- * JWT token payload structure
- */
-interface TokenPayload {
-    token_type: 'access';
-    exp: number;
-    iat: number;
-    jti: string;
-    user_id: string;
-}
-/**
- * Session data stored in client
- */
-interface Session {
-    user: AuthUser;
-    accessToken: string;
-    expiresAt: number;
-}
-/**
- * Login response from Django backend
- */
-interface LoginResponse {
-    access: string;
-    user: AuthUser;
-}
-/**
- * Token refresh response
- */
-interface RefreshResponse {
-    access: string;
-}
-/**
- * Permission check result
- */
-interface PermissionCheck {
-    hasPermission: boolean;
-    reason?: string;
-}
-/**
- * Auth configuration options
- */
-interface AuthConfig {
-    apiBaseUrl: string;
-    tokenRefreshInterval?: number;
-    onSessionExpired?: () => void;
-    onUnauthorized?: () => void;
-}
-/**
- * Auth state for React context
- */
-interface AuthState {
-    session: Session | null;
-    isLoading: boolean;
-    isAuthenticated: boolean;
-}
-/**
- * Company role hierarchy
- */
-type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';
-/**
- * Role hierarchy map (higher number = more permissions)
- */
-declare const ROLE_HIERARCHY: Record<CompanyRole, number>;
-/**
- * Check if role has sufficient permissions
- */
-declare function hasRolePermission(userRole: CompanyRole, requiredRole: CompanyRole): boolean;
-/**
- * Password reset request payload
- * Initiates password reset flow by sending reset email
- */
-interface PasswordResetRequest {
-    email: string;
-    clientMetadata?: Record<string, any>;
-}
-/**
- * Password reset confirmation payload
- * Completes password reset with token and new password
- */
-interface PasswordResetConfirm {
-    token: string;
-    password: string;
-    passwordConfirm: string;
-}
-/**
- * Email verification request payload
- * Verifies user email with token from verification email
- */
-interface EmailVerificationRequest {
-    token: string;
-}
-/**
- * Email verification response
- * Returns updated user data after successful verification
- */
-interface EmailVerificationResponse {
-    detail: string;
-    user: {
-        id: string;
-        email: string;
-        isEmailVerified: boolean;
-    };
-}
-/**
- * API error response from Django backend
- * Standard error format for all API errors
- */
-interface ApiErrorResponse {
-    detail?: string;
-    message?: string;
-    errors?: Record<string, string[]>;
-    code?: string;
-    status?: number;
-}
-/**
- * Validation error detail
- * Individual field validation error
- */
-interface ValidationError {
-    field: string;
-    message: string;
-    code?: string;
-}
-/**
- * Validation errors map
- * Maps field names to error messages
- */
-type ValidationErrorsMap = Record<string, string[]>;
-/**
- * Password validation error codes
- */
-declare enum PasswordErrorCode {
-    TOO_SHORT = "password_too_short",
-    TOO_COMMON = "password_too_common",
-    ENTIRELY_NUMERIC = "password_entirely_numeric",
-    TOO_SIMILAR = "password_too_similar",
-    MISMATCH = "password_mismatch",
-    REQUIRED = "password_required"
-}
-/**
- * Email validation error codes
- */
-declare enum EmailErrorCode {
-    INVALID_FORMAT = "email_invalid_format",
-    REQUIRED = "email_required",
-    NOT_FOUND = "email_not_found",
-    ALREADY_EXISTS = "email_already_exists"
-}
-/**
- * General validation error codes
- */
-declare enum ValidationErrorCode {
-    REQUIRED = "required",
-    INVALID = "invalid",
-    TOO_SHORT = "too_short",
-    TOO_LONG = "too_long"
-}
-
-export { type ApiErrorResponse, type AuthConfig, type AuthSession, type AuthState, type AuthUser, type CompanyRole, type DecodedToken, EmailErrorCode, type EmailVerificationRequest, type EmailVerificationResponse, type LoginResponse, PasswordErrorCode, type PasswordResetConfirm, type PasswordResetRequest, type PermissionCheck, ROLE_HIERARCHY, type RefreshResponse, type Session, type TokenPair, type TokenPayload, type ValidationError, ValidationErrorCode, type ValidationErrorsMap, hasRolePermission };

package/dist/types/index.js

@@ -1,43 +0,0 @@
-'use strict';
-
-// src/types/index.ts
-var ROLE_HIERARCHY = {
-  owner: 4,
-  admin: 3,
-  member: 2,
-  viewer: 1
-};
-function hasRolePermission(userRole, requiredRole) {
-  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
-}
-var PasswordErrorCode = /* @__PURE__ */ ((PasswordErrorCode2) => {
-  PasswordErrorCode2["TOO_SHORT"] = "password_too_short";
-  PasswordErrorCode2["TOO_COMMON"] = "password_too_common";
-  PasswordErrorCode2["ENTIRELY_NUMERIC"] = "password_entirely_numeric";
-  PasswordErrorCode2["TOO_SIMILAR"] = "password_too_similar";
-  PasswordErrorCode2["MISMATCH"] = "password_mismatch";
-  PasswordErrorCode2["REQUIRED"] = "password_required";
-  return PasswordErrorCode2;
-})(PasswordErrorCode || {});
-var EmailErrorCode = /* @__PURE__ */ ((EmailErrorCode2) => {
-  EmailErrorCode2["INVALID_FORMAT"] = "email_invalid_format";
-  EmailErrorCode2["REQUIRED"] = "email_required";
-  EmailErrorCode2["NOT_FOUND"] = "email_not_found";
-  EmailErrorCode2["ALREADY_EXISTS"] = "email_already_exists";
-  return EmailErrorCode2;
-})(EmailErrorCode || {});
-var ValidationErrorCode = /* @__PURE__ */ ((ValidationErrorCode2) => {
-  ValidationErrorCode2["REQUIRED"] = "required";
-  ValidationErrorCode2["INVALID"] = "invalid";
-  ValidationErrorCode2["TOO_SHORT"] = "too_short";
-  ValidationErrorCode2["TOO_LONG"] = "too_long";
-  return ValidationErrorCode2;
-})(ValidationErrorCode || {});
-
-exports.EmailErrorCode = EmailErrorCode;
-exports.PasswordErrorCode = PasswordErrorCode;
-exports.ROLE_HIERARCHY = ROLE_HIERARCHY;
-exports.ValidationErrorCode = ValidationErrorCode;
-exports.hasRolePermission = hasRolePermission;
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../src/types/index.ts"],"names":["PasswordErrorCode","EmailErrorCode","ValidationErrorCode"],"mappings":";;;AA8HO,IAAM,cAAA,GAA8C;AAAA,EACzD,KAAA,EAAO,CAAA;AAAA,EACP,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ,CAAA;AAAA,EACR,MAAA,EAAQ;AACV;AAKO,SAAS,iBAAA,CACd,UACA,YAAA,EACS;AACT,EAAA,OAAO,cAAA,CAAe,QAAQ,CAAA,IAAK,cAAA,CAAe,YAAY,CAAA;AAChE;AAyEO,IAAK,iBAAA,qBAAAA,kBAAAA,KAAL;AACL,EAAAA,mBAAA,WAAA,CAAA,GAAY,oBAAA;AACZ,EAAAA,mBAAA,YAAA,CAAA,GAAa,qBAAA;AACb,EAAAA,mBAAA,kBAAA,CAAA,GAAmB,2BAAA;AACnB,EAAAA,mBAAA,aAAA,CAAA,GAAc,sBAAA;AACd,EAAAA,mBAAA,UAAA,CAAA,GAAW,mBAAA;AACX,EAAAA,mBAAA,UAAA,CAAA,GAAW,mBAAA;AAND,EAAA,OAAAA,kBAAAA;AAAA,CAAA,EAAA,iBAAA,IAAA,EAAA;AAYL,IAAK,cAAA,qBAAAC,eAAAA,KAAL;AACL,EAAAA,gBAAA,gBAAA,CAAA,GAAiB,sBAAA;AACjB,EAAAA,gBAAA,UAAA,CAAA,GAAW,gBAAA;AACX,EAAAA,gBAAA,WAAA,CAAA,GAAY,iBAAA;AACZ,EAAAA,gBAAA,gBAAA,CAAA,GAAiB,sBAAA;AAJP,EAAA,OAAAA,eAAAA;AAAA,CAAA,EAAA,cAAA,IAAA,EAAA;AAUL,IAAK,mBAAA,qBAAAC,oBAAAA,KAAL;AACL,EAAAA,qBAAA,UAAA,CAAA,GAAW,UAAA;AACX,EAAAA,qBAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,qBAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,qBAAA,UAAA,CAAA,GAAW,UAAA;AAJD,EAAA,OAAAA,oBAAAA;AAAA,CAAA,EAAA,mBAAA,IAAA,EAAA","file":"index.js","sourcesContent":["/**\n * Authentication types for StartSimpli apps\n */\n\n/**\n * Generic token pair (access + optional refresh)\n */\nexport interface TokenPair {\n  access: string;\n  refresh?: string;\n}\n\n/**\n * Generic decoded JWT payload — framework and backend agnostic\n */\nexport interface DecodedToken {\n  sub?: string;\n  email?: string;\n  exp?: number;\n  iat?: number;\n  [key: string]: unknown;\n}\n\n/**\n * Generic auth session — framework agnostic\n */\nexport interface AuthSession {\n  user: {\n    id: string;\n    email: string;\n    [key: string]: unknown;\n  };\n  accessToken: string;\n  refreshToken?: string;\n}\n\n/**\n * User profile from Django backend\n */\nexport interface AuthUser {\n  id: string;\n  email: string;\n  firstName: string;\n  lastName: string;\n  isEmailVerified: boolean;\n  createdAt: string;\n  updatedAt: string;\n  // Company/team context (if applicable)\n  companies?: Array<{\n    id: string;\n    name: string;\n    role: 'owner' | 'admin' | 'member' | 'viewer';\n  }>;\n  currentCompanyId?: string;\n}\n\n/**\n * JWT token payload structure\n */\nexport interface TokenPayload {\n  token_type: 'access';\n  exp: number;\n  iat: number;\n  jti: string;\n  user_id: string;\n}\n\n/**\n * Session data stored in client\n */\nexport interface Session {\n  user: AuthUser;\n  accessToken: string;\n  expiresAt: number;\n}\n\n/**\n * Login response from Django backend\n */\nexport interface LoginResponse {\n  access: string;\n  user: AuthUser;\n}\n\n/**\n * Token refresh response\n */\nexport interface RefreshResponse {\n  access: string;\n}\n\n/**\n * Permission check result\n */\nexport interface PermissionCheck {\n  hasPermission: boolean;\n  reason?: string;\n}\n\n/**\n * Auth configuration options\n */\nexport interface AuthConfig {\n  apiBaseUrl: string;\n  tokenRefreshInterval?: number; // milliseconds, default 4 minutes\n  onSessionExpired?: () => void;\n  onUnauthorized?: () => void;\n}\n\n/**\n * Auth state for React context\n */\nexport interface AuthState {\n  session: Session | null;\n  isLoading: boolean;\n  isAuthenticated: boolean;\n}\n\n/**\n * Company role hierarchy\n */\nexport type CompanyRole = 'owner' | 'admin' | 'member' | 'viewer';\n\n/**\n * Role hierarchy map (higher number = more permissions)\n */\nexport const ROLE_HIERARCHY: Record<CompanyRole, number> = {\n  owner: 4,\n  admin: 3,\n  member: 2,\n  viewer: 1,\n};\n\n/**\n * Check if role has sufficient permissions\n */\nexport function hasRolePermission(\n  userRole: CompanyRole,\n  requiredRole: CompanyRole\n): boolean {\n  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];\n}\n\n/**\n * Password reset request payload\n * Initiates password reset flow by sending reset email\n */\nexport interface PasswordResetRequest {\n  email: string;\n  clientMetadata?: Record<string, any>;\n}\n\n/**\n * Password reset confirmation payload\n * Completes password reset with token and new password\n */\nexport interface PasswordResetConfirm {\n  token: string;\n  password: string;\n  passwordConfirm: string;\n}\n\n/**\n * Email verification request payload\n * Verifies user email with token from verification email\n */\nexport interface EmailVerificationRequest {\n  token: string;\n}\n\n/**\n * Email verification response\n * Returns updated user data after successful verification\n */\nexport interface EmailVerificationResponse {\n  detail: string;\n  user: {\n    id: string;\n    email: string;\n    isEmailVerified: boolean;\n  };\n}\n\n/**\n * API error response from Django backend\n * Standard error format for all API errors\n */\nexport interface ApiErrorResponse {\n  detail?: string;\n  message?: string;\n  errors?: Record<string, string[]>;\n  code?: string;\n  status?: number;\n}\n\n/**\n * Validation error detail\n * Individual field validation error\n */\nexport interface ValidationError {\n  field: string;\n  message: string;\n  code?: string;\n}\n\n/**\n * Validation errors map\n * Maps field names to error messages\n */\nexport type ValidationErrorsMap = Record<string, string[]>;\n\n/**\n * Password validation error codes\n */\nexport enum PasswordErrorCode {\n  TOO_SHORT = 'password_too_short',\n  TOO_COMMON = 'password_too_common',\n  ENTIRELY_NUMERIC = 'password_entirely_numeric',\n  TOO_SIMILAR = 'password_too_similar',\n  MISMATCH = 'password_mismatch',\n  REQUIRED = 'password_required',\n}\n\n/**\n * Email validation error codes\n */\nexport enum EmailErrorCode {\n  INVALID_FORMAT = 'email_invalid_format',\n  REQUIRED = 'email_required',\n  NOT_FOUND = 'email_not_found',\n  ALREADY_EXISTS = 'email_already_exists',\n}\n\n/**\n * General validation error codes\n */\nexport enum ValidationErrorCode {\n  REQUIRED = 'required',\n  INVALID = 'invalid',\n  TOO_SHORT = 'too_short',\n  TOO_LONG = 'too_long',\n}\n"]}