@tern-secure/nextjs 4.1.0 → 4.2.1

package/dist/esm/server/edge-session.js

@@ -0,0 +1,54 @@
+import { verifyFirebaseToken } from "./jwt-edge";
+async function verifySession(request) {
+  var _a, _b, _c, _d, _e, _f;
+  try {
+    const sessionCookie = (_a = request.cookies.get("_session_cookie")) == null ? void 0 : _a.value;
+    if (sessionCookie) {
+      const result = await verifyFirebaseToken(sessionCookie, true);
+      if (result.valid) {
+        return {
+          isAuthenticated: true,
+          user: {
+            uid: (_b = result.uid) != null ? _b : "",
+            email: result.email || null,
+            emailVerified: (_c = result.emailVerified) != null ? _c : false,
+            disabled: false
+          }
+        };
+      }
+      console.log("Session cookie verification failed:", result.error);
+    }
+    const idToken = (_d = request.cookies.get("_session_token")) == null ? void 0 : _d.value;
+    if (idToken) {
+      const result = await verifyFirebaseToken(idToken, false);
+      if (result.valid) {
+        return {
+          isAuthenticated: true,
+          user: {
+            uid: (_e = result.uid) != null ? _e : "",
+            email: result.email || null,
+            emailVerified: (_f = result.emailVerified) != null ? _f : false,
+            disabled: false
+          }
+        };
+      }
+      console.log("ID token verification failed:", result.error);
+    }
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: "No valid session found"
+    };
+  } catch (error) {
+    console.error("Session verification error:", error);
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: error instanceof Error ? error.message : "Session verification failed"
+    };
+  }
+}
+export {
+  verifySession
+};
+//# sourceMappingURL=edge-session.js.map

package/dist/esm/server/edge-session.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/edge-session.ts"],"sourcesContent":["import { verifyFirebaseToken } from \"./jwt-edge\"\nimport type { NextRequest } from \"next/server\"\n\nexport interface UserInfo {\n  uid: string\n  email: string | null\n  emailVerified?: boolean\n  authTime?: number\n  disabled?: boolean\n}\n\n\nexport interface SessionResult {\n  isAuthenticated: boolean\n  user: UserInfo | null\n  error?: string\n}\n\n\nexport async function verifySession(request: NextRequest): Promise<SessionResult> {\n  try {\n    //const cookieStore = await cookies()\n\n    // First try session cookie\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value\n    if (sessionCookie) {\n      const result = await verifyFirebaseToken(sessionCookie, true)\n      if (result.valid) {\n        return {\n          isAuthenticated: true,\n          user: {\n            uid: result.uid ?? '',\n            email: result.email || null,\n            emailVerified: result.emailVerified ?? false,\n            disabled: false,\n          },\n        }\n      }\n      console.log(\"Session cookie verification failed:\", result.error)\n    }\n\n    // Then try ID token\n    const idToken = request.cookies.get(\"_session_token\")?.value\n    if (idToken) {\n      const result = await verifyFirebaseToken(idToken, false)\n      if (result.valid) {\n        return {\n          isAuthenticated: true,\n          user: {\n            uid: result.uid ?? '',\n            email: result.email || null,\n            emailVerified: result.emailVerified ?? false,\n            disabled: false,\n          },\n        }\n      }\n      console.log(\"ID token verification failed:\", result.error)\n    }\n\n    return {\n      isAuthenticated: false,\n      user: null,\n      error: \"No valid session found\",\n    }\n  } catch (error) {\n    console.error(\"Session verification error:\", error)\n    return {\n      isAuthenticated: false,\n      user: null,\n      error: error instanceof Error ? error.message : \"Session verification failed\",\n    }\n  }\n}"],"mappings":"AAAA,SAAS,2BAA2B;AAmBpC,eAAsB,cAAc,SAA8C;AAnBlF;AAoBE,MAAI;AAIF,UAAM,iBAAgB,aAAQ,QAAQ,IAAI,iBAAiB,MAArC,mBAAwC;AAC9D,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM,oBAAoB,eAAe,IAAI;AAC5D,UAAI,OAAO,OAAO;AAChB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,MAAK,YAAO,QAAP,YAAc;AAAA,YACnB,OAAO,OAAO,SAAS;AAAA,YACvB,gBAAe,YAAO,kBAAP,YAAwB;AAAA,YACvC,UAAU;AAAA,UACZ;AAAA,QACF;AAAA,MACF;AACA,cAAQ,IAAI,uCAAuC,OAAO,KAAK;AAAA,IACjE;AAGA,UAAM,WAAU,aAAQ,QAAQ,IAAI,gBAAgB,MAApC,mBAAuC;AACvD,QAAI,SAAS;AACX,YAAM,SAAS,MAAM,oBAAoB,SAAS,KAAK;AACvD,UAAI,OAAO,OAAO;AAChB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,MAAK,YAAO,QAAP,YAAc;AAAA,YACnB,OAAO,OAAO,SAAS;AAAA,YACvB,gBAAe,YAAO,kBAAP,YAAwB;AAAA,YACvC,UAAU;AAAA,UACZ;AAAA,QACF;AAAA,MACF;AACA,cAAQ,IAAI,iCAAiC,OAAO,KAAK;AAAA,IAC3D;AAEA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/index.js

@@ -0,0 +1,9 @@
+import { ternSecureMiddleware, createRouteMatcher } from "./ternSecureMiddleware";
+import { auth, getUserInfo } from "./auth";
+export {
+  auth,
+  createRouteMatcher,
+  getUserInfo,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=index.js.map

package/dist/esm/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/index.ts"],"sourcesContent":["\n\nexport { ternSecureMiddleware, createRouteMatcher } from './ternSecureMiddleware'\nexport { auth, getUserInfo } from './auth'\nexport type { AuthResult } from './auth'"],"mappings":"AAEA,SAAS,sBAAsB,0BAA0B;AACzD,SAAS,MAAM,mBAAmB;","names":[]}

package/dist/esm/server/jwt-edge.js

@@ -0,0 +1,64 @@
+import { jwtVerify, createRemoteJWKSet } from "jose";
+const JWKS_URLS = {
+  session: new URL("https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"),
+  token: new URL("https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys")
+};
+const JWKS = {
+  session: createRemoteJWKSet(new URL(JWKS_URLS.session), {
+    cacheMaxAge: 36e5,
+    // 1 hour
+    timeoutDuration: 5e3,
+    // 5 seconds
+    cooldownDuration: 3e4
+    // 30 seconds between retries
+  }),
+  token: createRemoteJWKSet(new URL(JWKS_URLS.token), {
+    cacheMaxAge: 36e5,
+    // 1 hour
+    timeoutDuration: 5e3,
+    // 5 seconds
+    cooldownDuration: 3e4
+    // 30 seconds between retries
+  })
+};
+async function verifyFirebaseToken(token, isSessionCookie = false) {
+  try {
+    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      throw new Error("Firebase Project ID is not configured");
+    }
+    const keySet = isSessionCookie ? JWKS.session : JWKS.token;
+    const { payload } = await jwtVerify(token, keySet, {
+      issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
+      audience: projectId,
+      algorithms: ["RS256"]
+    });
+    const now = Math.floor(Date.now() / 1e3);
+    if (payload.exp && payload.exp <= now) {
+      throw new Error("Token has expired");
+    }
+    if (payload.iat && payload.iat > now) {
+      throw new Error("Token issued time is in the future");
+    }
+    if (!payload.sub) {
+      throw new Error("Token subject is empty");
+    }
+    return {
+      valid: true,
+      uid: payload.sub,
+      email: payload.email,
+      emailVerified: payload.email_verified,
+      authTime: payload.auth_time
+    };
+  } catch (error) {
+    console.error("Token verification error:", error);
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Invalid token"
+    };
+  }
+}
+export {
+  verifyFirebaseToken
+};
+//# sourceMappingURL=jwt-edge.js.map

package/dist/esm/server/jwt-edge.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/jwt-edge.ts"],"sourcesContent":["import { jwtVerify, createRemoteJWKSet } from \"jose\"\n\n// Firebase public key endpoints with simplified configuration for Edge\nconst JWKS_URLS = {\n  session: new URL(\"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"),\n  token: new URL(\"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\")\n}\n\n// Simplified JWKS for Edge Runtime\nconst JWKS = {\n    session: createRemoteJWKSet(new URL(JWKS_URLS.session), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    }),\n    token: createRemoteJWKSet(new URL(JWKS_URLS.token), {\n      cacheMaxAge: 3600000, // 1 hour\n      timeoutDuration: 5000, // 5 seconds\n      cooldownDuration: 30000, // 30 seconds between retries\n    })\n  }\n\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false) {\n  try {\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\n    if (!projectId) {\n      throw new Error(\"Firebase Project ID is not configured\")\n    }\n\n    const keySet = isSessionCookie ? JWKS.session : JWKS.token\n\n\n    const { payload } = await jwtVerify(token, keySet, {\n      issuer: isSessionCookie\n        ? \"https://session.firebase.google.com/\" + projectId\n        : \"https://securetoken.google.com/\" + projectId,\n      audience: projectId,\n      algorithms: [\"RS256\"],\n    })\n\n    const now = Math.floor(Date.now() / 1000)\n    if (payload.exp && payload.exp <= now) {\n      throw new Error(\"Token has expired\")\n    }\n\n    if (payload.iat && payload.iat > now) {\n      throw new Error(\"Token issued time is in the future\")\n    }\n\n    if (!payload.sub) {\n      throw new Error(\"Token subject is empty\")\n    }\n\n    return {\n      valid: true,\n      uid: payload.sub,\n      email: payload.email as string | undefined,\n      emailVerified: payload.email_verified as boolean | undefined,\n      authTime: payload.auth_time as number,\n    }\n  } catch (error) {\n    console.error(\"Token verification error:\", error)\n    return {\n      valid: false,\n      error: error instanceof Error ? error.message : \"Invalid token\",\n    }\n  }\n}"],"mappings":"AAAA,SAAS,WAAW,0BAA0B;AAG9C,MAAM,YAAY;AAAA,EAChB,SAAS,IAAI,IAAI,0FAA0F;AAAA,EAC3G,OAAO,IAAI,IAAI,mEAAmE;AACpF;AAGA,MAAM,OAAO;AAAA,EACT,SAAS,mBAAmB,IAAI,IAAI,UAAU,OAAO,GAAG;AAAA,IACtD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AAAA,EACD,OAAO,mBAAmB,IAAI,IAAI,UAAU,KAAK,GAAG;AAAA,IAClD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH;AAEF,eAAsB,oBAAoB,OAAe,kBAAkB,OAAO;AAChF,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,SAAS,kBAAkB,KAAK,UAAU,KAAK;AAGrD,UAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,QAAQ;AAAA,MACjD,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,MACxC,UAAU;AAAA,MACV,YAAY,CAAC,OAAO;AAAA,IACtB,CAAC;AAED,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAI,QAAQ,OAAO,QAAQ,OAAO,KAAK;AACrC,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACrC;AAEA,QAAI,QAAQ,OAAO,QAAQ,MAAM,KAAK;AACpC,YAAM,IAAI,MAAM,oCAAoC;AAAA,IACtD;AAEA,QAAI,CAAC,QAAQ,KAAK;AAChB,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,WAAO;AAAA,MACL,OAAO;AAAA,MACP,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,MACf,eAAe,QAAQ;AAAA,MACvB,UAAU,QAAQ;AAAA,IACpB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,6BAA6B,KAAK;AAChD,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/jwt.js

@@ -0,0 +1,117 @@
+import { jwtVerify, createRemoteJWKSet } from "jose";
+import { cache } from "react";
+const FIREBASE_ID_TOKEN_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";
+const FIREBASE_SESSION_CERT_URL = "https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys";
+const getIdTokenJWKS = cache(() => {
+  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {
+    cacheMaxAge: 36e5,
+    // 1 hour
+    timeoutDuration: 5e3,
+    // 5 seconds
+    cooldownDuration: 3e4
+    // 30 seconds between retries
+  });
+});
+const getSessionJWKS = cache(() => {
+  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {
+    cacheMaxAge: 36e5,
+    // 1 hour
+    timeoutDuration: 5e3,
+    // 5 seconds
+    cooldownDuration: 3e4
+    // 30 seconds between retries
+  });
+});
+function decodeJwt(token) {
+  try {
+    const [headerB64, payloadB64] = token.split(".");
+    const header = JSON.parse(Buffer.from(headerB64, "base64").toString());
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64").toString());
+    return { header, payload };
+  } catch (error) {
+    console.error("Error decoding JWT:", error);
+    return null;
+  }
+}
+async function verifyFirebaseToken(token, isSessionCookie = false) {
+  try {
+    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;
+    if (!projectId) {
+      throw new Error("Firebase Project ID is not configured");
+    }
+    const decoded = decodeJwt(token);
+    if (!decoded) {
+      throw new Error("Invalid token format");
+    }
+    console.log("Token details:", {
+      header: decoded.header,
+      type: isSessionCookie ? "session_cookie" : "id_token"
+    });
+    let retries = 3;
+    let lastError = null;
+    while (retries > 0) {
+      try {
+        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS();
+        const { payload } = await jwtVerify(token, JWKS, {
+          issuer: isSessionCookie ? "https://session.firebase.google.com/" + projectId : "https://securetoken.google.com/" + projectId,
+          audience: projectId,
+          algorithms: ["RS256"]
+        });
+        const firebasePayload = payload;
+        const now = Math.floor(Date.now() / 1e3);
+        if (firebasePayload.exp <= now) {
+          throw new Error("Token has expired");
+        }
+        if (firebasePayload.iat > now) {
+          throw new Error("Token issued time is in the future");
+        }
+        if (!firebasePayload.sub) {
+          throw new Error("Token subject is empty");
+        }
+        if (firebasePayload.auth_time > now) {
+          throw new Error("Token auth time is in the future");
+        }
+        return {
+          valid: true,
+          uid: firebasePayload.sub,
+          email: firebasePayload.email,
+          emailVerified: firebasePayload.email_verified,
+          authTime: firebasePayload.auth_time,
+          issuedAt: firebasePayload.iat,
+          expiresAt: firebasePayload.exp
+        };
+      } catch (error) {
+        lastError = error;
+        if (error instanceof Error && error.name === "JWKSNoMatchingKey") {
+          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);
+          retries--;
+          if (retries > 0) {
+            await new Promise((resolve) => setTimeout(resolve, 1e3));
+            continue;
+          }
+        }
+        throw error;
+      }
+    }
+    throw lastError || new Error("Failed to verify token after retries");
+  } catch (error) {
+    console.error("Token verification details:", {
+      error: error instanceof Error ? {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      } : error,
+      decoded: decodeJwt(token),
+      //projectId,
+      isSessionCookie
+    });
+    return {
+      valid: false,
+      error: error instanceof Error ? error.message : "Invalid token"
+    };
+  }
+}
+export {
+  verifyFirebaseToken
+};
+//# sourceMappingURL=jwt.js.map

package/dist/esm/server/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/jwt.ts"],"sourcesContent":["import { jwtVerify, createRemoteJWKSet } from \"jose\"\nimport { cache } from \"react\"\n\ninterface FirebaseIdTokenPayload {\n  iss: string\n  aud: string\n  auth_time: number\n  user_id: string\n  sub: string\n  iat: number\n  exp: number\n  email?: string\n  email_verified?: boolean\n  firebase: {\n    identities: {\n      [key: string]: any\n    }\n    sign_in_provider: string\n  }\n}\n\n// Firebase public key endpoints\nconst FIREBASE_ID_TOKEN_URL = \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"\nconst FIREBASE_SESSION_CERT_URL = \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\"\n\n// Cache the JWKS using React cache\nconst getIdTokenJWKS = cache(() => {\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\n    cacheMaxAge: 3600000, // 1 hour\n    timeoutDuration: 5000, // 5 seconds\n    cooldownDuration: 30000, // 30 seconds between retries\n  })\n})\n\nconst getSessionJWKS = cache(() => {\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\n    cacheMaxAge: 3600000, // 1 hour\n    timeoutDuration: 5000, // 5 seconds\n    cooldownDuration: 30000, // 30 seconds between retries\n  })\n})\n\n// Helper to decode JWT without verification\nfunction decodeJwt(token: string) {\n  try {\n    const [headerB64, payloadB64] = token.split(\".\")\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString())\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString())\n    return { header, payload }\n  } catch (error) {\n    console.error(\"Error decoding JWT:\", error)\n    return null\n  }\n}\n\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false) {\n  try {\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\n    if (!projectId) {\n      throw new Error(\"Firebase Project ID is not configured\")\n    }\n\n    // Decode token for debugging and type checking\n    const decoded = decodeJwt(token)\n    if (!decoded) {\n      throw new Error(\"Invalid token format\")\n    }\n\n    console.log(\"Token details:\", {\n      header: decoded.header,\n      type: isSessionCookie ? \"session_cookie\" : \"id_token\",\n    })\n\n    let retries = 3\n    let lastError: Error | null = null\n\n    while (retries > 0) {\n      try {\n        // Use different JWKS based on token type\n        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS()\n\n        const { payload } = await jwtVerify(token, JWKS, {\n          issuer: isSessionCookie\n            ? \"https://session.firebase.google.com/\" + projectId\n            : \"https://securetoken.google.com/\" + projectId,\n          audience: projectId,\n          algorithms: [\"RS256\"],\n        })\n\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload\n        const now = Math.floor(Date.now() / 1000)\n\n        // Verify token claims\n        if (firebasePayload.exp <= now) {\n          throw new Error(\"Token has expired\")\n        }\n\n        if (firebasePayload.iat > now) {\n          throw new Error(\"Token issued time is in the future\")\n        }\n\n        if (!firebasePayload.sub) {\n          throw new Error(\"Token subject is empty\")\n        }\n\n        if (firebasePayload.auth_time > now) {\n          throw new Error(\"Token auth time is in the future\")\n        }\n\n        return {\n          valid: true,\n          uid: firebasePayload.sub,\n          email: firebasePayload.email,\n          emailVerified: firebasePayload.email_verified,\n          authTime: firebasePayload.auth_time,\n          issuedAt: firebasePayload.iat,\n          expiresAt: firebasePayload.exp,\n        }\n      } catch (error) {\n        lastError = error as Error\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message)\n          retries--\n          if (retries > 0) {\n            await new Promise((resolve) => setTimeout(resolve, 1000))\n            continue\n          }\n        }\n        throw error\n      }\n    }\n\n    throw lastError || new Error(\"Failed to verify token after retries\")\n  } catch (error) {\n    console.error(\"Token verification details:\", {\n      error:\n        error instanceof Error\n          ? {\n              name: error.name,\n              message: error.message,\n              stack: error.stack,\n            }\n          : error,\n      decoded: decodeJwt(token),\n      //projectId,\n      isSessionCookie,\n    })\n\n    return {\n      valid: false,\n      error: error instanceof Error ? error.message : \"Invalid token\",\n    }\n  }\n}"],"mappings":"AAAA,SAAS,WAAW,0BAA0B;AAC9C,SAAS,aAAa;AAqBtB,MAAM,wBAAwB;AAC9B,MAAM,4BAA4B;AAGlC,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBAAoB,OAAe,kBAAkB,OAAO;AAChF,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,YAAQ,IAAI,kBAAkB;AAAA,MAC5B,QAAQ,QAAQ;AAAA,MAChB,MAAM,kBAAkB,mBAAmB;AAAA,IAC7C,CAAC;AAED,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,MAAM,eAAe,IAAI,MAAM,eAAe;AAE7E,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/ternSecureMiddleware.js

@@ -0,0 +1,91 @@
+import { NextResponse } from "next/server";
+import { verifySession } from "./edge-session";
+const runtime = "edge";
+function createRouteMatcher(patterns) {
+  return (request) => {
+    const { pathname } = request.nextUrl;
+    return patterns.some((pattern) => {
+      const regexPattern = new RegExp(
+        `^${pattern.replace(/\*/g, ".*").replace(/\((.*)\)/, "(?:$1)?")}$`
+      );
+      return regexPattern.test(pathname);
+    });
+  };
+}
+async function edgeAuth(request) {
+  var _a, _b;
+  async function protect() {
+    throw new Error("Unauthorized access");
+  }
+  try {
+    const sessionResult = await verifySession(request);
+    if (sessionResult.isAuthenticated && sessionResult.user) {
+      return {
+        user: sessionResult.user,
+        token: ((_a = request.cookies.get("_session_cookie")) == null ? void 0 : _a.value) || ((_b = request.cookies.get("_session_token")) == null ? void 0 : _b.value) || null,
+        protect: async () => {
+        }
+      };
+    }
+    return {
+      user: null,
+      token: null,
+      protect
+    };
+  } catch (error) {
+    console.error("Auth check error:", error);
+    return {
+      user: null,
+      token: null,
+      protect
+    };
+  }
+}
+function ternSecureMiddleware(callback) {
+  return async function middleware(request) {
+    try {
+      const auth = await edgeAuth(request);
+      try {
+        await callback(auth, request);
+        const response = NextResponse.next();
+        if (auth.user) {
+          response.headers.set("x-user-id", auth.user.uid);
+          if (auth.user.email) {
+            response.headers.set("x-user-email", auth.user.email);
+          }
+          if (auth.user.emailVerified !== void 0) {
+            response.headers.set("x-email-verified", auth.user.emailVerified.toString());
+          }
+          if (auth.user.authTime) {
+            response.headers.set("x-auth-time", auth.user.authTime.toString());
+          }
+        }
+        return response;
+      } catch (error) {
+        if (error instanceof Error && error.message === "Unauthorized access") {
+          const redirectUrl = new URL("/sign-in", request.url);
+          redirectUrl.searchParams.set("redirect", request.nextUrl.pathname);
+          return NextResponse.redirect(redirectUrl);
+        }
+        throw error;
+      }
+    } catch (error) {
+      console.error("Middleware error:", {
+        error: error instanceof Error ? {
+          name: error.name,
+          message: error.message,
+          stack: error.stack
+        } : error,
+        path: request.nextUrl.pathname
+      });
+      const redirectUrl = new URL("/sign-in", request.url);
+      return NextResponse.redirect(redirectUrl);
+    }
+  };
+}
+export {
+  createRouteMatcher,
+  runtime,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=ternSecureMiddleware.js.map

package/dist/esm/server/ternSecureMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/ternSecureMiddleware.ts"],"sourcesContent":["import { NextRequest, NextResponse } from 'next/server';\nimport { verifySession, type UserInfo } from './edge-session'\n\nexport const runtime = \"edge\"\n\n\ninterface Auth {\n  user: UserInfo | null\n  token: string | null\n  protect: () => Promise<void>\n}\n\ntype MiddlewareCallback = (\n  auth: Auth,\n  request: NextRequest\n) => Promise<void>\n\n\n/**\n * Create a route matcher function for public paths\n */\nexport function createRouteMatcher(patterns: string[]) {\n  return (request: NextRequest): boolean => {\n    const { pathname } = request.nextUrl\n    return patterns.some(pattern => {\n      // Convert route pattern to regex\n      const regexPattern = new RegExp(\n        `^${pattern.replace(/\\*/g, '.*').replace(/\\((.*)\\)/, '(?:$1)?')}$`\n      )\n      return regexPattern.test(pathname)\n    })\n  }\n}\n\n\n/**\n * Edge-compatible auth check\n */\nasync function edgeAuth(request: NextRequest): Promise<Auth> {\n  async function protect() {\n    throw new Error(\"Unauthorized access\")\n  }\n\n  try {\n    const sessionResult = await verifySession(request)\n\n    if (sessionResult.isAuthenticated && sessionResult.user) {\n      return {\n        user: sessionResult.user,\n        token: request.cookies.get(\"_session_cookie\")?.value || request.cookies.get(\"_session_token\")?.value || null,\n        protect: async () => {},\n      }\n    }\n\n    return {\n      user: null,\n      token: null,\n      protect,\n    }\n  } catch (error) {\n    console.error(\"Auth check error:\", error)\n    return {\n      user: null,\n      token: null,\n      protect,\n    }\n  }\n}\n\n\n\n/**\n * Middleware factory that handles authentication and custom logic\n * @param customHandler Optional function for additional custom logic\n */\n\nexport function ternSecureMiddleware(callback: MiddlewareCallback) {\n  return async function middleware(request: NextRequest) {\n    try {\n      const auth = await edgeAuth(request)\n\n      try {\n        \n        await callback(auth, request)\n\n        const response = NextResponse.next()\n\n        if (auth.user) {\n          // Set auth headers\n          response.headers.set(\"x-user-id\", auth.user.uid)\n          if (auth.user.email) {\n            response.headers.set(\"x-user-email\", auth.user.email)\n          }\n          if (auth.user.emailVerified !== undefined) {\n            response.headers.set(\"x-email-verified\", auth.user.emailVerified.toString())\n          }\n          if (auth.user.authTime) {\n            response.headers.set(\"x-auth-time\", auth.user.authTime.toString())\n          }\n        }\n\n        return response\n      } catch (error) {\n        // Handle unauthorized access\n        if (error instanceof Error && error.message === 'Unauthorized access') {\n          const redirectUrl = new URL('/sign-in', request.url)\n          redirectUrl.searchParams.set('redirect', request.nextUrl.pathname)\n          return NextResponse.redirect(redirectUrl)\n        }\n        throw error\n      }\n\n    } catch (error) {\n      console.error(\"Middleware error:\", {\n        error:\n          error instanceof Error\n            ? {\n                name: error.name,\n                message: error.message,\n                stack: error.stack,\n              }\n            : error,\n        path: request.nextUrl.pathname,\n      })\n\n      const redirectUrl = new URL(\"/sign-in\", request.url)\n      return NextResponse.redirect(redirectUrl)\n    }\n  }\n}"],"mappings":"AAAA,SAAsB,oBAAoB;AAC1C,SAAS,qBAAoC;AAEtC,MAAM,UAAU;AAkBhB,SAAS,mBAAmB,UAAoB;AACrD,SAAO,CAAC,YAAkC;AACxC,UAAM,EAAE,SAAS,IAAI,QAAQ;AAC7B,WAAO,SAAS,KAAK,aAAW;AAE9B,YAAM,eAAe,IAAI;AAAA,QACvB,IAAI,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,YAAY,SAAS,CAAC;AAAA,MACjE;AACA,aAAO,aAAa,KAAK,QAAQ;AAAA,IACnC,CAAC;AAAA,EACH;AACF;AAMA,eAAe,SAAS,SAAqC;AAtC7D;AAuCE,iBAAe,UAAU;AACvB,UAAM,IAAI,MAAM,qBAAqB;AAAA,EACvC;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,cAAc,OAAO;AAEjD,QAAI,cAAc,mBAAmB,cAAc,MAAM;AACvD,aAAO;AAAA,QACL,MAAM,cAAc;AAAA,QACpB,SAAO,aAAQ,QAAQ,IAAI,iBAAiB,MAArC,mBAAwC,YAAS,aAAQ,QAAQ,IAAI,gBAAgB,MAApC,mBAAuC,UAAS;AAAA,QACxG,SAAS,YAAY;AAAA,QAAC;AAAA,MACxB;AAAA,IACF;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO;AAAA,MACP;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,qBAAqB,KAAK;AACxC,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;AASO,SAAS,qBAAqB,UAA8B;AACjE,SAAO,eAAe,WAAW,SAAsB;AACrD,QAAI;AACF,YAAM,OAAO,MAAM,SAAS,OAAO;AAEnC,UAAI;AAEF,cAAM,SAAS,MAAM,OAAO;AAE5B,cAAM,WAAW,aAAa,KAAK;AAEnC,YAAI,KAAK,MAAM;AAEb,mBAAS,QAAQ,IAAI,aAAa,KAAK,KAAK,GAAG;AAC/C,cAAI,KAAK,KAAK,OAAO;AACnB,qBAAS,QAAQ,IAAI,gBAAgB,KAAK,KAAK,KAAK;AAAA,UACtD;AACA,cAAI,KAAK,KAAK,kBAAkB,QAAW;AACzC,qBAAS,QAAQ,IAAI,oBAAoB,KAAK,KAAK,cAAc,SAAS,CAAC;AAAA,UAC7E;AACA,cAAI,KAAK,KAAK,UAAU;AACtB,qBAAS,QAAQ,IAAI,eAAe,KAAK,KAAK,SAAS,SAAS,CAAC;AAAA,UACnE;AAAA,QACF;AAEA,eAAO;AAAA,MACT,SAAS,OAAO;AAEd,YAAI,iBAAiB,SAAS,MAAM,YAAY,uBAAuB;AACrE,gBAAM,cAAc,IAAI,IAAI,YAAY,QAAQ,GAAG;AACnD,sBAAY,aAAa,IAAI,YAAY,QAAQ,QAAQ,QAAQ;AACjE,iBAAO,aAAa,SAAS,WAAW;AAAA,QAC1C;AACA,cAAM;AAAA,MACR;AAAA,IAEF,SAAS,OAAO;AACd,cAAQ,MAAM,qBAAqB;AAAA,QACjC,OACE,iBAAiB,QACb;AAAA,UACE,MAAM,MAAM;AAAA,UACZ,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf,IACA;AAAA,QACN,MAAM,QAAQ,QAAQ;AAAA,MACxB,CAAC;AAED,YAAM,cAAc,IAAI,IAAI,YAAY,QAAQ,GAAG;AACnD,aAAO,aAAa,SAAS,WAAW;AAAA,IAC1C;AAAA,EACF;AACF;","names":[]}

package/dist/types/app-router/{server → admin}/index.d.ts

@@ -1,5 +1,3 @@
-export { adminTernSecureAuth, adminTernSecureDb } from '../../utils/admin-init';
-export { ternSecureMiddleware } from './ternSecureMiddleware';
 export { verifyTernSessionCookie, createSessionCookie } from './sessionTernSecure';
-export { auth } from './auth';
+export { adminTernSecureAuth, adminTernSecureDb } from '../../utils/admin-init';
 //# sourceMappingURL=index.d.ts.map

package/dist/types/app-router/admin/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/app-router/admin/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAA;AAClF,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA"}

package/dist/types/app-router/{server → admin}/sessionTernSecure.d.ts

@@ -19,7 +19,10 @@ export declare function getIdToken(): Promise<{
     token: string;
     userId: string;
 }>;
-export declare function setServerSession(token: string): Promise<void>;
+export declare function setServerSession(token: string): Promise<{
+    success: boolean;
+    message: string;
+}>;
 export declare function verifyTernIdToken(token: string): Promise<{
     valid: boolean;
     uid?: string;

package/dist/types/app-router/admin/sessionTernSecure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionTernSecure.d.ts","sourceRoot":"","sources":["../../../../src/app-router/admin/sessionTernSecure.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,IAAI;IACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAEH,MAAM,WAAW,OAAO;IACpB,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACvB;AAED,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,MAAM;;;GAgBxD;AAID,wBAAsB,sBAAsB;;;GAkB3C;AAGD,wBAAsB,UAAU;;;GAkB/B;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM;;;GAcnD;AAEC,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAuBhH;AAGD,wBAAsB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,GAAG,CAAC,EAAE,GAAG,CAAC;IAAC,KAAK,CAAC,EAAE,GAAG,CAAA;CAAE,CAAC,CAWlH;AAGD,wBAAsB,kBAAkB;;;GAwBvC"}

package/dist/types/server/auth.d.ts

@@ -0,0 +1,19 @@
+import type { UserInfo } from "./edge-session";
+export interface AuthResult {
+    user: UserInfo | null;
+    token: string | null;
+    error: Error | null;
+}
+/**
+ * Get the current authenticated user from the session or token
+ */
+export declare function auth(): Promise<AuthResult>;
+/**
+ * Type guard to check if user is authenticated
+ */
+export declare function isAuthenticated(): Promise<boolean>;
+/**
+ * Get user info from auth result
+ */
+export declare function getUserInfo(): Promise<UserInfo | null>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/types/server/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAiB,MAAM,gBAAgB,CAAA;AAG7D,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CACpB;AAGC;;GAEG;AACH,wBAAsB,IAAI,IAAI,OAAO,CAAC,UAAU,CAAC,CAuClD;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAGxD;AAED;;GAEG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAY1D"}

package/dist/types/server/edge-session.d.ts

@@ -0,0 +1,15 @@
+import type { NextRequest } from "next/server";
+export interface UserInfo {
+    uid: string;
+    email: string | null;
+    emailVerified?: boolean;
+    authTime?: number;
+    disabled?: boolean;
+}
+export interface SessionResult {
+    isAuthenticated: boolean;
+    user: UserInfo | null;
+    error?: string;
+}
+export declare function verifySession(request: NextRequest): Promise<SessionResult>;
+//# sourceMappingURL=edge-session.d.ts.map

package/dist/types/server/edge-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"edge-session.d.ts","sourceRoot":"","sources":["../../../src/server/edge-session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAE9C,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,aAAa,CAAC,EAAE,OAAO,CAAA;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB;AAGD,MAAM,WAAW,aAAa;IAC5B,eAAe,EAAE,OAAO,CAAA;IACxB,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAGD,wBAAsB,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAqDhF"}

package/dist/types/server/index.d.ts

@@ -0,0 +1,4 @@
+export { ternSecureMiddleware, createRouteMatcher } from './ternSecureMiddleware';
+export { auth, getUserInfo } from './auth';
+export type { AuthResult } from './auth';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AACjF,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAA;AAC1C,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA"}

package/dist/types/server/jwt-edge.d.ts

@@ -0,0 +1,16 @@
+export declare function verifyFirebaseToken(token: string, isSessionCookie?: boolean): Promise<{
+    valid: boolean;
+    uid: string;
+    email: string | undefined;
+    emailVerified: boolean | undefined;
+    authTime: number;
+    error?: undefined;
+} | {
+    valid: boolean;
+    error: string;
+    uid?: undefined;
+    email?: undefined;
+    emailVerified?: undefined;
+    authTime?: undefined;
+}>;
+//# sourceMappingURL=jwt-edge.d.ts.map

package/dist/types/server/jwt-edge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-edge.d.ts","sourceRoot":"","sources":["../../../src/server/jwt-edge.ts"],"names":[],"mappings":"AAsBA,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,eAAe,UAAQ;;;WAkClD,MAAM,GAAG,SAAS;mBACD,OAAO,GAAG,SAAS;cAC7B,MAAM;;;;;;;;;GAS1C"}

package/dist/types/server/jwt.d.ts

@@ -0,0 +1,20 @@
+export declare function verifyFirebaseToken(token: string, isSessionCookie?: boolean): Promise<{
+    valid: boolean;
+    uid: string;
+    email: string | undefined;
+    emailVerified: boolean | undefined;
+    authTime: number;
+    issuedAt: number;
+    expiresAt: number;
+    error?: undefined;
+} | {
+    valid: boolean;
+    error: string;
+    uid?: undefined;
+    email?: undefined;
+    emailVerified?: undefined;
+    authTime?: undefined;
+    issuedAt?: undefined;
+    expiresAt?: undefined;
+}>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/types/server/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/server/jwt.ts"],"names":[],"mappings":"AAuDA,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,eAAe,UAAQ;;;;;;;;;;;;;;;;;;GAkG/E"}

package/dist/types/server/ternSecureMiddleware.d.ts

@@ -0,0 +1,20 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { type UserInfo } from './edge-session';
+export declare const runtime = "edge";
+interface Auth {
+    user: UserInfo | null;
+    token: string | null;
+    protect: () => Promise<void>;
+}
+type MiddlewareCallback = (auth: Auth, request: NextRequest) => Promise<void>;
+/**
+ * Create a route matcher function for public paths
+ */
+export declare function createRouteMatcher(patterns: string[]): (request: NextRequest) => boolean;
+/**
+ * Middleware factory that handles authentication and custom logic
+ * @param customHandler Optional function for additional custom logic
+ */
+export declare function ternSecureMiddleware(callback: MiddlewareCallback): (request: NextRequest) => Promise<NextResponse<unknown>>;
+export {};
+//# sourceMappingURL=ternSecureMiddleware.d.ts.map

package/dist/types/server/ternSecureMiddleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ternSecureMiddleware.d.ts","sourceRoot":"","sources":["../../../src/server/ternSecureMiddleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAE7D,eAAO,MAAM,OAAO,SAAS,CAAA;AAG7B,UAAU,IAAI;IACZ,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AAED,KAAK,kBAAkB,GAAG,CACxB,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,WAAW,KACjB,OAAO,CAAC,IAAI,CAAC,CAAA;AAGlB;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,aAClC,WAAW,KAAG,OAAO,CAUvC;AAuCD;;;GAGG;AAEH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,kBAAkB,aACrB,WAAW,oCAoDtD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tern-secure/nextjs",
-  "version": "4.1.0",
+  "version": "4.2.1",
   "packageManager": "npm@11.0.0",
   "publishConfig": {
     "access": "public"
@@ -44,7 +44,9 @@
   },
   "types": "./dist/types/index.d.ts",
   "files": [
-    "dist"
+    "dist",
+    "server",
+    "admin"
   ],
   "sideEffects": false,
   "peerDependencies": {
@@ -61,9 +63,14 @@
       "require": "./dist/cjs/index.js"
     },
     "./server": {
-      "types": "./dist/types/app-router/server/index.d.ts",
-      "import": "./dist/esm/app-router/server/index.js",
-      "require": "./dist/cjs/app-router/server/index.js"
+      "types": "./dist/types/server/index.d.ts",
+      "import": "./dist/esm/server/index.js",
+      "require": "./dist/cjs/server/index.js"
+    },
+    "./admin": {
+      "types": "./dist/types/app-router/admin/index.d.ts",
+      "import": "./dist/esm/app-router/admin/index.js",
+      "require": "./dist/cjs/app-router/admin/index.js"
     }
   },
   "dependencies": {
@@ -72,6 +79,7 @@
     "@radix-ui/react-slot": "^1.1.1",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
+    "jose": "^5.9.6",
     "lucide-react": "^0.468.0",
     "tailwind-merge": "^2.5.5",
     "tailwindcss-animate": "^1.0.7"

package/server/package.json

@@ -0,0 +1,5 @@
+{
+    "main": "../dist/cjs/app-router/server/index.js",
+    "module": "../dist/esm/app-router/server/index.js",
+    "types": "../dist/types/app-router/server/index.d.ts"
+  }

package/dist/cjs/app-router/server/auth.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/app-router/server/auth.ts"],"sourcesContent":["'use server'\n\nimport { cookies } from 'next/headers';\nimport {  verifyTernIdToken, verifyTernSessionCookie } from './sessionTernSecure';\n\nexport interface AuthResult {\n  userId: string | null;\n  token: string | null;\n  error: Error | null;\n}\n\nexport async function auth(): Promise<AuthResult> {\n  try {\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get('_session_cookie')?.value;\n    if (sessionCookie) {\n      const sessionResult = await verifyTernSessionCookie(sessionCookie);\n      if (sessionResult.valid) {\n        return {\n          userId: sessionResult.uid,\n          token: sessionCookie,\n          error: null\n        };\n      }\n    }\n\n    // If session cookie is not present or invalid, try the ID token\n    const idToken = cookieStore.get('_session_token')?.value;\n    if (idToken) {\n      const tokenResult = await verifyTernIdToken(idToken);\n      if (tokenResult.valid) {\n        return {\n          userId: tokenResult.uid ?? null,\n          token: idToken,\n          error: null\n        };\n      }\n    }\n\n    /// If both checks fail, return null values\n    return {\n      userId: null,\n      token: null,\n      error: new Error('No valid session or token found')\n    };\n  } catch (error) {\n    console.error('Error in auth function:', error);\n    return {\n      userId: null,\n      token: null,\n      error: error instanceof Error ? error : new Error('An unknown error occurred')\n    };\n  }\n}\n\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAwB;AACxB,+BAA4D;AAQ5D,eAAsB,OAA4B;AAXlD;AAYE,MAAI;AACF,UAAM,cAAc,UAAM,wBAAQ;AAClC,UAAM,iBAAgB,iBAAY,IAAI,iBAAiB,MAAjC,mBAAoC;AAC1D,QAAI,eAAe;AACjB,YAAM,gBAAgB,UAAM,kDAAwB,aAAa;AACjE,UAAI,cAAc,OAAO;AACvB,eAAO;AAAA,UACL,QAAQ,cAAc;AAAA,UACtB,OAAO;AAAA,UACP,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,UAAM,WAAU,iBAAY,IAAI,gBAAgB,MAAhC,mBAAmC;AACnD,QAAI,SAAS;AACX,YAAM,cAAc,UAAM,4CAAkB,OAAO;AACnD,UAAI,YAAY,OAAO;AACrB,eAAO;AAAA,UACL,SAAQ,iBAAY,QAAZ,YAAmB;AAAA,UAC3B,OAAO;AAAA,UACP,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,OAAO,IAAI,MAAM,iCAAiC;AAAA,IACpD;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,2BAA2B,KAAK;AAC9C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,2BAA2B;AAAA,IAC/E;AAAA,EACF;AACF;","names":[]}

package/dist/cjs/app-router/server/index.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/app-router/server/index.ts"],"sourcesContent":["export { adminTernSecureAuth, adminTernSecureDb } from '../../utils/admin-init'\nexport { ternSecureMiddleware } from './ternSecureMiddleware'\nexport { verifyTernSessionCookie, createSessionCookie } from './sessionTernSecure'\nexport { auth } from './auth'"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAuD;AACvD,kCAAqC;AACrC,+BAA6D;AAC7D,kBAAqB;","names":[]}

package/dist/cjs/app-router/server/sessionTernSecure.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/app-router/server/sessionTernSecure.ts"],"sourcesContent":["'use server'\n\nimport { cookies } from 'next/headers';\nimport { adminTernSecureAuth as adminAuth } from '../../utils/admin-init';\n\ninterface FirebaseAuthError extends Error {\n  code?: string;\n}\n\nexport interface User {\n    uid: string | null;\n    email: string | null;\n  }\n\nexport interface Session {\n    user: User | null;\n    token: string | null;\n    error: Error | null;\n}\n\nexport async function createSessionCookie(idToken: string) {\n  try {\n    const expiresIn = 60 * 60 * 24 * 5 * 1000;\n      const sessionCookie = await adminAuth.createSessionCookie(idToken, { expiresIn });\n\n      const cookieStore = await cookies();\n      cookieStore.set('_session_cookie', sessionCookie, {\n          maxAge: expiresIn,\n          httpOnly: true,\n          secure: process.env.NODE_ENV === 'production',\n          path: '/',\n      });\n      return { success: true, message: 'Session created' };\n  } catch (error) {\n      return { success: false, message: 'Failed to create session' };\n  }\n}\n\n\n\nexport async function getServerSessionCookie() {\n  const cookieStore = await cookies();\n  const sessionCookie = cookieStore.get('_session_cookie')?.value;\n\n  if (!sessionCookie) {\n    throw new Error('No session cookie found')\n  }\n    \n  try {\n    const decondeClaims = await adminAuth.verifySessionCookie(sessionCookie, true)\n    return {\n      token: sessionCookie,\n      userId: decondeClaims.uid\n    }\n  } catch (error) {\n    console.error('Error verifying session:', error)\n    throw new Error('Invalid Session')\n  }\n}\n\n\nexport async function getIdToken() {\n  const cookieStore = await cookies();\n  const token = cookieStore.get('_session_token')?.value;\n\n  if (!token) {\n    throw new Error('No session cookie found')\n  }\n    \n  try {\n    const decodedClaims = await adminAuth.verifyIdToken(token)\n    return {\n      token: token,\n      userId: decodedClaims.uid\n    }\n  } catch (error) {\n    console.error('Error verifying session:', error)\n    throw new Error('Invalid Session')\n  }\n}\n\nexport async function setServerSession(token: string) {\n    const cookieStore = await cookies();\n    cookieStore.set('_session', token, {\n      httpOnly: true,\n      secure: process.env.NODE_ENV === 'production',\n      sameSite: 'strict',\n      maxAge: 60 * 60, // 1 hour\n      path: '/',\n    });\n  }\n\n  export async function verifyTernIdToken(token: string): Promise<{ valid: boolean; uid?: string; error?: string }> {\n    try {\n      const decodedToken = await adminAuth.verifyIdToken(token, true);\n      return { valid: true, uid: decodedToken.uid };\n    } catch (error) {\n      if (error instanceof Error) {\n        const firebaseError = error as FirebaseAuthError;\n        if (error.name === 'FirebaseAuthError') {\n          // Handle specific Firebase Auth errors\n          switch (firebaseError.code) {\n            case 'auth/id-token-expired':\n              return { valid: false, error: 'Token has expired' };\n            case 'auth/id-token-revoked':\n              return { valid: false, error: 'Token has been revoked' };\n            case 'auth/user-disabled':\n              return { valid: false, error: 'User account has been disabled' };\n            default:\n              return { valid: false, error: 'Invalid token' };\n          }\n        }\n      }\n      return { valid: false, error: 'Error verifying token' };\n    }\n  }\n  \n\n  export async function verifyTernSessionCookie(session: string): Promise<{ valid: boolean; uid?: any; error?: any }>{\n    try {\n      const res = await adminAuth.verifySessionCookie(session, true);\n      if (res) {\n        return { valid: true, uid: res.uid };\n      } else {\n        return { valid: false, error: 'Invalid session'};\n      }\n    } catch (error) {\n      return {error: error, valid: false}\n    }\n  }\n\n\n  export async function clearSessionCookie() {\n    const cookieStore = await cookies()\n    \n    cookieStore.delete('_session_cookie')\n    cookieStore.delete('_session_token')\n    cookieStore.delete('_session')\n  \n    try {\n      // Verify if there's an active session before revoking\n      const sessionCookie = cookieStore.get('_session_cookie')?.value\n      if (sessionCookie) {\n        // Get the decoded claims to get the user's ID\n        const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie)\n        \n        // Revoke all sessions for the user\n        await adminAuth.revokeRefreshTokens(decodedClaims.uid)\n      }\n      \n      return { success: true, message: 'Session cleared successfully' }\n    } catch (error) {\n      console.error('Error clearing session:', error)\n      // Still return success even if revoking fails, as cookies are cleared\n      return { success: true, message: 'Session cookies cleared' }\n    }\n  }\n\n\n\n/*\n  export async function GET(request: NextRequest) {\n    const cookieStore = await cookies();\n    const sessionCookie = cookieStore.get('session')?.value\n  \n    if (!sessionCookie) {\n      return NextResponse.json({ isAuthenticated: false }, { status: 401 })\n    }\n  \n    try {\n      const decodedClaims = await adminAuth.verifySessionCookie(sessionCookie, true)\n      return NextResponse.json({ isAuthenticated: true, user: decodedClaims }, { status: 200 })\n    } catch (error) {\n      console.error('Error verifying session cookie:', error)\n      return NextResponse.json({ isAuthenticated: false }, { status: 401 })\n    }\n  }\n\n*/"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAwB;AACxB,wBAAiD;AAiBjD,eAAsB,oBAAoB,SAAiB;AACzD,MAAI;AACF,UAAM,YAAY,KAAK,KAAK,KAAK,IAAI;AACnC,UAAM,gBAAgB,MAAM,kBAAAA,oBAAU,oBAAoB,SAAS,EAAE,UAAU,CAAC;AAEhF,UAAM,cAAc,UAAM,wBAAQ;AAClC,gBAAY,IAAI,mBAAmB,eAAe;AAAA,MAC9C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,MAAM;AAAA,IACV,CAAC;AACD,WAAO,EAAE,SAAS,MAAM,SAAS,kBAAkB;AAAA,EACvD,SAAS,OAAO;AACZ,WAAO,EAAE,SAAS,OAAO,SAAS,2BAA2B;AAAA,EACjE;AACF;AAIA,eAAsB,yBAAyB;AAxC/C;AAyCE,QAAM,cAAc,UAAM,wBAAQ;AAClC,QAAM,iBAAgB,iBAAY,IAAI,iBAAiB,MAAjC,mBAAoC;AAE1D,MAAI,CAAC,eAAe;AAClB,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,kBAAAA,oBAAU,oBAAoB,eAAe,IAAI;AAC7E,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAGA,eAAsB,aAAa;AA7DnC;AA8DE,QAAM,cAAc,UAAM,wBAAQ;AAClC,QAAM,SAAQ,iBAAY,IAAI,gBAAgB,MAAhC,mBAAmC;AAEjD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI;AACF,UAAM,gBAAgB,MAAM,kBAAAA,oBAAU,cAAc,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,cAAc;AAAA,IACxB;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,4BAA4B,KAAK;AAC/C,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AACF;AAEA,eAAsB,iBAAiB,OAAe;AAClD,QAAM,cAAc,UAAM,wBAAQ;AAClC,cAAY,IAAI,YAAY,OAAO;AAAA,IACjC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,QAAQ,KAAK;AAAA;AAAA,IACb,MAAM;AAAA,EACR,CAAC;AACH;AAEA,eAAsB,kBAAkB,OAA0E;AAChH,MAAI;AACF,UAAM,eAAe,MAAM,kBAAAA,oBAAU,cAAc,OAAO,IAAI;AAC9D,WAAO,EAAE,OAAO,MAAM,KAAK,aAAa,IAAI;AAAA,EAC9C,SAAS,OAAO;AACd,QAAI,iBAAiB,OAAO;AAC1B,YAAM,gBAAgB;AACtB,UAAI,MAAM,SAAS,qBAAqB;AAEtC,gBAAQ,cAAc,MAAM;AAAA,UAC1B,KAAK;AACH,mBAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB;AAAA,UACpD,KAAK;AACH,mBAAO,EAAE,OAAO,OAAO,OAAO,yBAAyB;AAAA,UACzD,KAAK;AACH,mBAAO,EAAE,OAAO,OAAO,OAAO,iCAAiC;AAAA,UACjE;AACE,mBAAO,EAAE,OAAO,OAAO,OAAO,gBAAgB;AAAA,QAClD;AAAA,MACF;AAAA,IACF;AACA,WAAO,EAAE,OAAO,OAAO,OAAO,wBAAwB;AAAA,EACxD;AACF;AAGA,eAAsB,wBAAwB,SAAqE;AACjH,MAAI;AACF,UAAM,MAAM,MAAM,kBAAAA,oBAAU,oBAAoB,SAAS,IAAI;AAC7D,QAAI,KAAK;AACP,aAAO,EAAE,OAAO,MAAM,KAAK,IAAI,IAAI;AAAA,IACrC,OAAO;AACL,aAAO,EAAE,OAAO,OAAO,OAAO,kBAAiB;AAAA,IACjD;AAAA,EACF,SAAS,OAAO;AACd,WAAO,EAAC,OAAc,OAAO,MAAK;AAAA,EACpC;AACF;AAGA,eAAsB,qBAAqB;AApI7C;AAqII,QAAM,cAAc,UAAM,wBAAQ;AAElC,cAAY,OAAO,iBAAiB;AACpC,cAAY,OAAO,gBAAgB;AACnC,cAAY,OAAO,UAAU;AAE7B,MAAI;AAEF,UAAM,iBAAgB,iBAAY,IAAI,iBAAiB,MAAjC,mBAAoC;AAC1D,QAAI,eAAe;AAEjB,YAAM,gBAAgB,MAAM,kBAAAA,oBAAU,oBAAoB,aAAa;AAGvE,YAAM,kBAAAA,oBAAU,oBAAoB,cAAc,GAAG;AAAA,IACvD;AAEA,WAAO,EAAE,SAAS,MAAM,SAAS,+BAA+B;AAAA,EAClE,SAAS,OAAO;AACd,YAAQ,MAAM,2BAA2B,KAAK;AAE9C,WAAO,EAAE,SAAS,MAAM,SAAS,0BAA0B;AAAA,EAC7D;AACF;","names":["adminAuth"]}