@tanakayuto/intmax402-nextjs 0.1.0

package/README.md

@@ -0,0 +1,92 @@
+# @tanakayuto/intmax402-nextjs
+
+INTMAX402 authentication middleware for Next.js App Router.
+
+## Installation
+
+```bash
+npm install @tanakayuto/intmax402-nextjs
+# or
+pnpm add @tanakayuto/intmax402-nextjs
+```
+
+## Usage
+
+### `withIntmax402` — Route Handler wrapper
+
+Wrap individual route handlers to protect them with INTMAX402 authentication.
+
+```typescript
+// app/api/premium/route.ts
+import { withIntmax402 } from '@tanakayuto/intmax402-nextjs'
+
+export const GET = withIntmax402(
+  async (req) => {
+    return Response.json({
+      data: 'premium content',
+      address: req.intmax402.address,
+    })
+  },
+  {
+    secret: process.env.INTMAX402_SECRET!,
+    mode: 'identity',
+  }
+)
+```
+
+#### Payment mode
+
+```typescript
+export const GET = withIntmax402(
+  async (req) => {
+    return Response.json({ data: 'paid content', address: req.intmax402.address })
+  },
+  {
+    secret: process.env.INTMAX402_SECRET!,
+    mode: 'payment',
+    serverAddress: process.env.INTMAX_SERVER_ADDRESS!,
+    amount: '0.001',
+  }
+)
+```
+
+### `intmax402Middleware` — Next.js middleware.ts
+
+Protect entire route groups at the middleware level (Edge Runtime compatible).
+
+```typescript
+// middleware.ts
+import { intmax402Middleware } from '@tanakayuto/intmax402-nextjs'
+
+export default intmax402Middleware({
+  secret: process.env.INTMAX402_SECRET!,
+  mode: 'identity',
+  matcher: ['/api/premium/:path*'],
+})
+
+export const config = {
+  matcher: ['/api/premium/:path*'],
+}
+```
+
+> **Note:** The middleware runs on Edge Runtime and performs full signature verification.
+> Authenticated address is forwarded to route handlers via the `x-intmax402-address` header.
+
+## Environment Variables
+
+| Variable | Description | Required |
+|---|---|---|
+| `INTMAX402_SECRET` | HMAC secret for nonce generation | ✅ |
+| `INTMAX_SERVER_ADDRESS` | Your INTMAX server address (payment mode) | Payment only |
+
+## How it works
+
+1. Client makes a request without `Authorization` header
+2. Server responds with `401`/`402` + `WWW-Authenticate: INTMAX402 nonce=<nonce>, ...`
+3. Client signs the nonce with their Ethereum wallet
+4. Client retries with `Authorization: INTMAX402 address=<addr>,nonce=<nonce>,signature=<sig>`
+5. Server verifies signature and grants access
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,56 @@
+import { INTMAX402Config } from "@tanakayuto/intmax402-core";
+export interface Intmax402Info {
+    address: string;
+    verified: boolean;
+    txHash?: string;
+}
+/** Extended Request type that carries intmax402 context after successful auth */
+export interface Intmax402Request extends Request {
+    intmax402: Intmax402Info;
+}
+export interface WithIntmax402Options extends INTMAX402Config {
+    verifyPayment?: (txHash: string, amount: string, serverAddress: string) => Promise<{
+        valid: boolean;
+        error?: string;
+    }>;
+}
+export interface MiddlewareOptions extends Omit<INTMAX402Config, "mode"> {
+    mode?: INTMAX402Config["mode"];
+    /** Path patterns to intercept. Matched against request.nextUrl.pathname */
+    matcher?: string[];
+}
+type NextRouteHandler = (req: Request, ctx?: unknown) => Promise<Response> | Response;
+type AuthedRouteHandler = (req: Intmax402Request, ctx?: unknown) => Promise<Response> | Response;
+/**
+ * Wraps a Next.js App Router Route Handler with INTMAX402 authentication.
+ *
+ * @example
+ * // app/api/premium/route.ts
+ * import { withIntmax402 } from '@tanakayuto/intmax402-nextjs'
+ *
+ * export const GET = withIntmax402(
+ *   async (req) => {
+ *     return Response.json({ data: 'premium content', address: req.intmax402.address })
+ *   },
+ *   { secret: process.env.INTMAX402_SECRET!, mode: 'identity' }
+ * )
+ */
+export declare function withIntmax402(handler: AuthedRouteHandler, options: WithIntmax402Options): NextRouteHandler;
+/**
+ * Returns a Next.js middleware function for INTMAX402 authentication.
+ * Compatible with Edge Runtime.
+ *
+ * @example
+ * // middleware.ts
+ * import { intmax402Middleware } from '@tanakayuto/intmax402-nextjs'
+ *
+ * export default intmax402Middleware({
+ *   secret: process.env.INTMAX402_SECRET!,
+ *   mode: 'identity',
+ *   matcher: ['/api/premium'],
+ * })
+ *
+ * export const config = { matcher: ['/api/premium/:path*'] }
+ */
+export declare function intmax402Middleware(options: MiddlewareOptions): (request: Request) => Promise<Response>;
+export type { INTMAX402Config, INTMAX402Mode } from "@tanakayuto/intmax402-core";

package/dist/index.js

@@ -0,0 +1,242 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withIntmax402 = withIntmax402;
+exports.intmax402Middleware = intmax402Middleware;
+const intmax402_fetch_1 = require("@tanakayuto/intmax402-fetch");
+const intmax402_core_1 = require("@tanakayuto/intmax402-core");
+const ethers_1 = require("ethers");
+// ──────────────────────────────────────────────────────────────────────────────
+// Edge-compatible utilities (Web Crypto API — no Node.js crypto)
+// ──────────────────────────────────────────────────────────────────────────────
+const WINDOW_MS = 30_000;
+async function hmacHex(secret, data) {
+    const enc = new TextEncoder();
+    const key = await crypto.subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const sig = await crypto.subtle.sign("HMAC", key, enc.encode(data));
+    return Array.from(new Uint8Array(sig))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+async function generateNonceEdge(secret, ip, path, bindIp = false) {
+    const window = Math.floor(Date.now() / WINDOW_MS);
+    const data = bindIp ? `${window}:${ip}:${path}` : `${window}:${path}`;
+    return hmacHex(secret, data);
+}
+async function verifyNonceEdge(nonce, secret, ip, path, bindIp = false) {
+    if (!/^[0-9a-f]+$/i.test(nonce))
+        return false;
+    const window = Math.floor(Date.now() / WINDOW_MS);
+    for (const w of [window, window - 1]) {
+        const data = bindIp ? `${w}:${ip}:${path}` : `${w}:${path}`;
+        const expected = await hmacHex(secret, data);
+        if (expected === nonce)
+            return true;
+    }
+    return false;
+}
+function verifySignatureEdge(signature, message, claimedAddress) {
+    try {
+        const recovered = ethers_1.ethers.verifyMessage(message, signature);
+        return recovered.toLowerCase() === claimedAddress.toLowerCase();
+    }
+    catch {
+        return false;
+    }
+}
+function parseAuthorizationEdge(header) {
+    // Format: INTMAX402 address=<addr>,nonce=<nonce>,signature=<sig>[,txHash=<hash>]
+    const match = header.match(/^INTMAX402\s+(.+)$/i);
+    if (!match)
+        return null;
+    const params = {};
+    for (const part of match[1].split(",")) {
+        const eq = part.indexOf("=");
+        if (eq === -1)
+            continue;
+        const k = part.slice(0, eq).trim();
+        const v = part.slice(eq + 1).trim();
+        params[k] = v;
+    }
+    if (!params.address || !params.nonce || !params.signature)
+        return null;
+    return {
+        address: params.address,
+        nonce: params.nonce,
+        signature: params.signature,
+        txHash: params.txHash,
+    };
+}
+/**
+ * Wraps a Next.js App Router Route Handler with INTMAX402 authentication.
+ *
+ * @example
+ * // app/api/premium/route.ts
+ * import { withIntmax402 } from '@tanakayuto/intmax402-nextjs'
+ *
+ * export const GET = withIntmax402(
+ *   async (req) => {
+ *     return Response.json({ data: 'premium content', address: req.intmax402.address })
+ *   },
+ *   { secret: process.env.INTMAX402_SECRET!, mode: 'identity' }
+ * )
+ */
+function withIntmax402(handler, options) {
+    return async (req, ctx) => {
+        const config = {
+            mode: options.mode,
+            secret: options.secret,
+            serverAddress: options.serverAddress,
+            amount: options.amount,
+            tokenAddress: options.tokenAddress,
+            chainId: options.chainId,
+            environment: options.environment,
+            allowList: options.allowList,
+            bindIp: options.bindIp,
+        };
+        const result = await (0, intmax402_fetch_1.handleIntmax402)(req, config);
+        if (result.response !== null) {
+            return result.response;
+        }
+        // Attach auth context to request (cast to extended type)
+        const authedReq = req;
+        authedReq.intmax402 = result.context;
+        return handler(authedReq, ctx);
+    };
+}
+// ──────────────────────────────────────────────────────────────────────────────
+// intmax402Middleware — Next.js middleware.ts (Edge Runtime compatible)
+// ──────────────────────────────────────────────────────────────────────────────
+/**
+ * Returns a Next.js middleware function for INTMAX402 authentication.
+ * Compatible with Edge Runtime.
+ *
+ * @example
+ * // middleware.ts
+ * import { intmax402Middleware } from '@tanakayuto/intmax402-nextjs'
+ *
+ * export default intmax402Middleware({
+ *   secret: process.env.INTMAX402_SECRET!,
+ *   mode: 'identity',
+ *   matcher: ['/api/premium'],
+ * })
+ *
+ * export const config = { matcher: ['/api/premium/:path*'] }
+ */
+function intmax402Middleware(options) {
+    const mode = options.mode ?? "identity";
+    const config = { ...options, mode };
+    return async function middleware(request) {
+        // Dynamic import of NextResponse to avoid bundling issues in non-Next environments
+        const { NextResponse } = await Promise.resolve().then(() => __importStar(require("next/server")));
+        const url = new URL(request.url);
+        const pathname = url.pathname;
+        // Path matching
+        if (options.matcher && options.matcher.length > 0) {
+            const matched = options.matcher.some((pattern) => matchPath(pattern, pathname));
+            if (!matched) {
+                return NextResponse.next();
+            }
+        }
+        const ip = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+            request.headers.get("x-real-ip") ??
+            "unknown";
+        const authHeader = request.headers.get("authorization");
+        if (!authHeader) {
+            // Generate challenge nonce (Edge-compatible)
+            const nonce = await generateNonceEdge(config.secret, ip, pathname, config.bindIp ?? false);
+            const statusCode = mode === "payment" ? 402 : 401;
+            return new Response(JSON.stringify({
+                error: mode === "payment" ? "Payment Required" : "Unauthorized",
+                protocol: "INTMAX402",
+                mode,
+            }), {
+                status: statusCode,
+                headers: {
+                    "Content-Type": "application/json",
+                    "WWW-Authenticate": (0, intmax402_core_1.buildWWWAuthenticate)(nonce, config),
+                },
+            });
+        }
+        // Verify the authorization header
+        const credential = parseAuthorizationEdge(authHeader);
+        if (!credential) {
+            return edgeError(401, "Invalid authorization header");
+        }
+        const nonceValid = await verifyNonceEdge(credential.nonce, config.secret, ip, pathname, config.bindIp ?? false);
+        if (!nonceValid) {
+            return edgeError(401, "Invalid or expired nonce");
+        }
+        if (config.allowList && config.allowList.length > 0) {
+            const normalized = config.allowList.map((a) => a.toLowerCase());
+            if (!normalized.includes(credential.address.toLowerCase())) {
+                return edgeError(403, "Address not in allow list");
+            }
+        }
+        const sigValid = verifySignatureEdge(credential.signature, credential.nonce, credential.address);
+        if (!sigValid) {
+            return edgeError(401, "Invalid signature");
+        }
+        // For payment mode in middleware, we skip on-chain verification (do it in route handler)
+        // Pass auth info downstream via headers
+        const response = NextResponse.next();
+        response.headers.set("x-intmax402-address", credential.address);
+        response.headers.set("x-intmax402-verified", "true");
+        if (credential.txHash) {
+            response.headers.set("x-intmax402-tx-hash", credential.txHash);
+        }
+        return response;
+    };
+}
+function edgeError(status, message) {
+    return new Response(JSON.stringify({ error: message }), {
+        status,
+        headers: { "Content-Type": "application/json" },
+    });
+}
+/**
+ * Simple path pattern matcher.
+ * Supports wildcards: `/api/premium/:path*` → matches `/api/premium/anything`
+ */
+function matchPath(pattern, pathname) {
+    // Convert pattern to regex
+    const regexStr = pattern
+        .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape special chars
+        .replace(/:([^/]+)\*/g, ".*") // :param* → .*
+        .replace(/:([^/]+)/g, "[^/]+") // :param → [^/]+
+        .replace(/\*/g, ".*"); // * → .*
+    const regex = new RegExp(`^${regexStr}$`);
+    return regex.test(pathname);
+}

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@tanakayuto/intmax402-nextjs",
+  "version": "0.1.0",
+  "description": "INTMAX402 middleware for Next.js App Router",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": ["dist", "README.md"],
+  "publishConfig": { "access": "public" },
+  "repository": { "type": "git", "url": "https://github.com/zaq2989/intmax402" },
+  "keywords": ["intmax", "http-402", "payment", "nextjs", "app-router", "middleware", "ai-agent"],
+  "license": "MIT",
+  "peerDependencies": {
+    "next": ">=14.0.0"
+  },
+  "dependencies": {
+    "@tanakayuto/intmax402-core": "workspace:*",
+    "@tanakayuto/intmax402-fetch": "workspace:*",
+    "ethers": "^6.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "@types/node": "^20.0.0",
+    "next": "^14.0.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist"
+  }
+}