@startsimpli/auth 0.1.7 → 0.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/server/middleware.ts

@@ -1,27 +1,46 @@
 /**
- * Next.js middleware helpers for authentication
+ * Next.js middleware helpers for authentication.
+ *
+ * Checks multiple cookie sources in priority order:
+ *   1. `auth_session`  – non-HttpOnly cookie set by the client after login.
+ *      Works reliably on Vercel where rewrites don't pass through Set-Cookie.
+ *   2. `refresh_token` – HttpOnly cookie set by Django. Works locally where
+ *      the rewrite proxy forwards Set-Cookie headers.
+ *   3. `access_token`  – legacy/alternative cookie name.
  */
 
 import { NextRequest, NextResponse } from 'next/server';
 import { isTokenExpired } from '../utils';
 
+/** Cookie names checked for a valid JWT, in priority order. */
+const AUTH_COOKIE_NAMES = ['auth_session', 'refresh_token', 'access_token'] as const;
+
+/** Find the first valid (non-expired) JWT from known auth cookies. */
+function findValidToken(request: NextRequest): string | null {
+  for (const name of AUTH_COOKIE_NAMES) {
+    const value = request.cookies.get(name)?.value;
+    if (value && !isTokenExpired(value)) return value;
+  }
+  return null;
+}
+
 export interface AuthMiddlewareConfig {
-  apiBaseUrl: string;
   publicPaths?: string[];
   loginPath?: string;
+  callbackParam?: string;
 }
 
 /**
  * Create auth middleware for Next.js
  */
-export function createAuthMiddleware(config: AuthMiddlewareConfig) {
+export function createAuthMiddleware(config: AuthMiddlewareConfig = {}) {
   const {
-    apiBaseUrl,
-    publicPaths = ['/login', '/register', '/forgot-password'],
-    loginPath = '/login',
+    publicPaths = ['/auth/signin', '/auth/signup', '/auth/forgot-password', '/auth/reset-password', '/auth/verify-email', '/auth/callback'],
+    loginPath = '/auth/signin',
+    callbackParam = 'callbackUrl',
   } = config;
 
-  return async function authMiddleware(request: NextRequest) {
+  return function authMiddleware(request: NextRequest) {
     const { pathname } = request.nextUrl;
 
     const isPublicPath = publicPaths.some((path) =>
@@ -29,15 +48,19 @@ export function createAuthMiddleware(config: AuthMiddlewareConfig) {
     );
 
     if (isPublicPath) {
+      // Redirect authenticated users away from login/signup
+      if (findValidToken(request) && (pathname.startsWith(loginPath) || pathname === '/auth/signup')) {
+        const url = request.nextUrl.clone();
+        url.pathname = '/dashboard';
+        return NextResponse.redirect(url);
+      }
       return NextResponse.next();
     }
 
-    const accessToken = request.cookies.get('access_token')?.value;
-
-    if (!accessToken || isTokenExpired(accessToken)) {
+    if (!findValidToken(request)) {
       const url = request.nextUrl.clone();
       url.pathname = loginPath;
-      url.searchParams.set('from', pathname);
+      url.searchParams.set(callbackParam, pathname);
       return NextResponse.redirect(url);
     }
 
@@ -49,30 +72,14 @@ export function createAuthMiddleware(config: AuthMiddlewareConfig) {
  * Check if request has valid auth token
  */
 export function hasValidToken(request: NextRequest): boolean {
-  const accessToken = request.cookies.get('access_token')?.value;
-
-  if (!accessToken) {
-    return false;
-  }
-
-  return !isTokenExpired(accessToken);
+  return findValidToken(request) !== null;
 }
 
 /**
  * Get access token from request
  */
 export function getRequestToken(request: NextRequest): string | null {
-  const accessToken = request.cookies.get('access_token')?.value;
-
-  if (!accessToken) {
-    return null;
-  }
-
-  if (isTokenExpired(accessToken)) {
-    return null;
-  }
-
-  return accessToken;
+  return findValidToken(request);
 }
 
 /**