@startsimpli/auth 0.1.6 → 0.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/client/functions.ts +16 -0
- package/src/server/middleware.ts +36 -29
package/package.json
CHANGED
package/src/client/functions.ts
CHANGED
|
@@ -100,11 +100,27 @@ export function setAccessToken(token: string | null): void {
|
|
|
100
100
|
} else {
|
|
101
101
|
sessionStorage.setItem(TOKEN_STORAGE_KEY, token);
|
|
102
102
|
}
|
|
103
|
+
// Sync to a cookie so Next.js middleware can check auth state.
|
|
104
|
+
// Vercel rewrites don't reliably pass through HttpOnly Set-Cookie
|
|
105
|
+
// headers from the Django backend, so we set our own.
|
|
106
|
+
_syncAuthCookie(token);
|
|
103
107
|
return;
|
|
104
108
|
}
|
|
105
109
|
_memToken = token;
|
|
106
110
|
}
|
|
107
111
|
|
|
112
|
+
const AUTH_COOKIE_NAME = 'auth_session';
|
|
113
|
+
|
|
114
|
+
function _syncAuthCookie(token: string | null): void {
|
|
115
|
+
if (typeof document === 'undefined') return;
|
|
116
|
+
if (token) {
|
|
117
|
+
const secure = window.location.protocol === 'https:' ? '; Secure' : '';
|
|
118
|
+
document.cookie = `${AUTH_COOKIE_NAME}=${token}; path=/; max-age=1800; SameSite=Lax${secure}`;
|
|
119
|
+
} else {
|
|
120
|
+
document.cookie = `${AUTH_COOKIE_NAME}=; path=/; max-age=0`;
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
|
|
108
124
|
// --- Internal helpers ---
|
|
109
125
|
|
|
110
126
|
const AUTH_TIMEOUT_MS = 15_000;
|
package/src/server/middleware.ts
CHANGED
|
@@ -1,27 +1,46 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Next.js middleware helpers for authentication
|
|
2
|
+
* Next.js middleware helpers for authentication.
|
|
3
|
+
*
|
|
4
|
+
* Checks multiple cookie sources in priority order:
|
|
5
|
+
* 1. `auth_session` – non-HttpOnly cookie set by the client after login.
|
|
6
|
+
* Works reliably on Vercel where rewrites don't pass through Set-Cookie.
|
|
7
|
+
* 2. `refresh_token` – HttpOnly cookie set by Django. Works locally where
|
|
8
|
+
* the rewrite proxy forwards Set-Cookie headers.
|
|
9
|
+
* 3. `access_token` – legacy/alternative cookie name.
|
|
3
10
|
*/
|
|
4
11
|
|
|
5
12
|
import { NextRequest, NextResponse } from 'next/server';
|
|
6
13
|
import { isTokenExpired } from '../utils';
|
|
7
14
|
|
|
15
|
+
/** Cookie names checked for a valid JWT, in priority order. */
|
|
16
|
+
const AUTH_COOKIE_NAMES = ['auth_session', 'refresh_token', 'access_token'] as const;
|
|
17
|
+
|
|
18
|
+
/** Find the first valid (non-expired) JWT from known auth cookies. */
|
|
19
|
+
function findValidToken(request: NextRequest): string | null {
|
|
20
|
+
for (const name of AUTH_COOKIE_NAMES) {
|
|
21
|
+
const value = request.cookies.get(name)?.value;
|
|
22
|
+
if (value && !isTokenExpired(value)) return value;
|
|
23
|
+
}
|
|
24
|
+
return null;
|
|
25
|
+
}
|
|
26
|
+
|
|
8
27
|
export interface AuthMiddlewareConfig {
|
|
9
|
-
apiBaseUrl: string;
|
|
10
28
|
publicPaths?: string[];
|
|
11
29
|
loginPath?: string;
|
|
30
|
+
callbackParam?: string;
|
|
12
31
|
}
|
|
13
32
|
|
|
14
33
|
/**
|
|
15
34
|
* Create auth middleware for Next.js
|
|
16
35
|
*/
|
|
17
|
-
export function createAuthMiddleware(config: AuthMiddlewareConfig) {
|
|
36
|
+
export function createAuthMiddleware(config: AuthMiddlewareConfig = {}) {
|
|
18
37
|
const {
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
38
|
+
publicPaths = ['/auth/signin', '/auth/signup', '/auth/forgot-password', '/auth/reset-password', '/auth/verify-email', '/auth/callback'],
|
|
39
|
+
loginPath = '/auth/signin',
|
|
40
|
+
callbackParam = 'callbackUrl',
|
|
22
41
|
} = config;
|
|
23
42
|
|
|
24
|
-
return
|
|
43
|
+
return function authMiddleware(request: NextRequest) {
|
|
25
44
|
const { pathname } = request.nextUrl;
|
|
26
45
|
|
|
27
46
|
const isPublicPath = publicPaths.some((path) =>
|
|
@@ -29,15 +48,19 @@ export function createAuthMiddleware(config: AuthMiddlewareConfig) {
|
|
|
29
48
|
);
|
|
30
49
|
|
|
31
50
|
if (isPublicPath) {
|
|
51
|
+
// Redirect authenticated users away from login/signup
|
|
52
|
+
if (findValidToken(request) && (pathname.startsWith(loginPath) || pathname === '/auth/signup')) {
|
|
53
|
+
const url = request.nextUrl.clone();
|
|
54
|
+
url.pathname = '/dashboard';
|
|
55
|
+
return NextResponse.redirect(url);
|
|
56
|
+
}
|
|
32
57
|
return NextResponse.next();
|
|
33
58
|
}
|
|
34
59
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
if (!accessToken || isTokenExpired(accessToken)) {
|
|
60
|
+
if (!findValidToken(request)) {
|
|
38
61
|
const url = request.nextUrl.clone();
|
|
39
62
|
url.pathname = loginPath;
|
|
40
|
-
url.searchParams.set(
|
|
63
|
+
url.searchParams.set(callbackParam, pathname);
|
|
41
64
|
return NextResponse.redirect(url);
|
|
42
65
|
}
|
|
43
66
|
|
|
@@ -49,30 +72,14 @@ export function createAuthMiddleware(config: AuthMiddlewareConfig) {
|
|
|
49
72
|
* Check if request has valid auth token
|
|
50
73
|
*/
|
|
51
74
|
export function hasValidToken(request: NextRequest): boolean {
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
if (!accessToken) {
|
|
55
|
-
return false;
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
return !isTokenExpired(accessToken);
|
|
75
|
+
return findValidToken(request) !== null;
|
|
59
76
|
}
|
|
60
77
|
|
|
61
78
|
/**
|
|
62
79
|
* Get access token from request
|
|
63
80
|
*/
|
|
64
81
|
export function getRequestToken(request: NextRequest): string | null {
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
if (!accessToken) {
|
|
68
|
-
return null;
|
|
69
|
-
}
|
|
70
|
-
|
|
71
|
-
if (isTokenExpired(accessToken)) {
|
|
72
|
-
return null;
|
|
73
|
-
}
|
|
74
|
-
|
|
75
|
-
return accessToken;
|
|
82
|
+
return findValidToken(request);
|
|
76
83
|
}
|
|
77
84
|
|
|
78
85
|
/**
|