@tern-secure/nextjs 5.1.7 → 5.1.9

package/dist/esm/server/jwt.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/jwt.ts"],"sourcesContent":["import { jwtVerify, createRemoteJWKSet } from \"jose\"\r\nimport { cache } from \"react\"\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string\r\n  aud: string\r\n  auth_time: number\r\n  user_id: string\r\n  sub: string\r\n  iat: number\r\n  exp: number\r\n  email?: string\r\n  email_verified?: boolean\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any\r\n    }\r\n    sign_in_provider: string\r\n  }\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL = \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"\r\nconst FIREBASE_SESSION_CERT_URL = \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\"\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\")\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString())\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString())\r\n    return { header, payload }\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error)\r\n    return null\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false) {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\")\r\n    }\r\n\r\n    // Decode token for debugging and type checking\r\n    const decoded = decodeJwt(token)\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\")\r\n    }\r\n\r\n    console.log(\"Token details:\", {\r\n      header: decoded.header,\r\n      type: isSessionCookie ? \"session_cookie\" : \"id_token\",\r\n    })\r\n\r\n    let retries = 3\r\n    let lastError: Error | null = null\r\n\r\n    while (retries > 0) {\r\n      try {\r\n        // Use different JWKS based on token type\r\n        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS()\r\n\r\n        const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n        })\r\n\r\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload\r\n\r\n        if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\")\r\n        }\r\n\r\n        return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        }\r\n      } catch (error) {\r\n        lastError = error as Error\r\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\r\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message)\r\n          retries--\r\n          if (retries > 0) {\r\n            await new Promise((resolve) => setTimeout(resolve, 1000))\r\n            continue\r\n          }\r\n        }\r\n        throw error\r\n      }\r\n    }\r\n\r\n    throw lastError || new Error(\"Failed to verify token after retries\")\r\n  } catch (error) {\r\n    console.error(\"Token verification details:\", {\r\n      error:\r\n        error instanceof Error\r\n          ? {\r\n              name: error.name,\r\n              message: error.message,\r\n              stack: error.stack,\r\n            }\r\n          : error,\r\n      decoded: decodeJwt(token),\r\n      //projectId,\r\n      isSessionCookie,\r\n    })\r\n\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : \"Invalid token\",\r\n    }\r\n  }\r\n}"],"mappings":"AAAA,SAAS,WAAW,0BAA0B;AAC9C,SAAS,aAAa;AAqBtB,MAAM,wBAAwB;AAC9B,MAAM,4BAA4B;AAGlC,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBAAoB,OAAe,kBAAkB,OAAO;AAChF,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,YAAQ,IAAI,kBAAkB;AAAA,MAC5B,QAAQ,QAAQ;AAAA,MAChB,MAAM,kBAAkB,mBAAmB;AAAA,IAC7C,CAAC;AAED,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,MAAM,eAAe,IAAI,MAAM,eAAe;AAE7E,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AAExB,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/server/jwt.ts"],"sourcesContent":["import { createRemoteJWKSet,jwtVerify } from \"jose\";\r\nimport { cache } from \"react\";\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string;\r\n  aud: string;\r\n  auth_time: number;\r\n  user_id: string;\r\n  sub: string;\r\n  iat: number;\r\n  exp: number;\r\n  email?: string;\r\n  email_verified?: boolean;\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any;\r\n    };\r\n    sign_in_provider: string;\r\n    tenant?: string;\r\n  };\r\n}\r\n\r\ninterface FirebaseTokenResult {\r\n  valid: boolean;\r\n  tenant?: string;\r\n  uid?: string;\r\n  email?: string | null;\r\n  emailVerified?: boolean;\r\n  authTime?: number;\r\n  issuedAt?: number;\r\n  expiresAt?: number;\r\n  error?: string;\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL =\r\n  \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\r\nconst FIREBASE_SESSION_CERT_URL =\r\n  \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  });\r\n});\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  });\r\n});\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\");\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString());\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString());\r\n    return { header, payload };\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error);\r\n    return null;\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(\r\n  token: string,\r\n  isSessionCookie = false\r\n): Promise<FirebaseTokenResult> {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\");\r\n    }\r\n\r\n    const decoded = decodeJwt(token);\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\");\r\n    }\r\n\r\n    let retries = 3;\r\n    let lastError: Error | null = null;\r\n\r\n    while (retries > 0) {\r\n      try {\r\n        // Use different JWKS based on token type\r\n        const JWKS = isSessionCookie\r\n          ? await getSessionJWKS()\r\n          : await getIdTokenJWKS();\r\n\r\n        const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n        });\r\n\r\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\r\n        const now = Math.floor(Date.now() / 1000);\r\n\r\n        // Verify token claims\r\n        if (firebasePayload.exp <= now) {\r\n          throw new Error(\"Token has expired\");\r\n        }\r\n\r\n        if (firebasePayload.iat > now) {\r\n          throw new Error(\"Token issued time is in the future\");\r\n        }\r\n\r\n        if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\");\r\n        }\r\n\r\n        if (firebasePayload.auth_time > now) {\r\n          throw new Error(\"Token auth time is in the future\");\r\n        }\r\n\r\n        return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          tenant: firebasePayload.firebase.tenant,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        };\r\n      } catch (error) {\r\n        lastError = error as Error;\r\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\r\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\r\n          retries--;\r\n          if (retries > 0) {\r\n            await new Promise((resolve) => setTimeout(resolve, 1000));\r\n            continue;\r\n          }\r\n        }\r\n        throw error;\r\n      }\r\n    }\r\n\r\n    throw lastError || new Error(\"Failed to verify token after retries\");\r\n  } catch (error) {\r\n    console.error(\"Token verification details:\", {\r\n      error:\r\n        error instanceof Error\r\n          ? {\r\n              name: error.name,\r\n              message: error.message,\r\n              stack: error.stack,\r\n            }\r\n          : error,\r\n      decoded: decodeJwt(token),\r\n      //projectId,\r\n      isSessionCookie,\r\n    });\r\n\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : \"Invalid token\",\r\n    };\r\n  }\r\n}\r\n"],"mappings":"AAAA,SAAS,oBAAmB,iBAAiB;AAC7C,SAAS,aAAa;AAkCtB,MAAM,wBACJ;AACF,MAAM,4BACJ;AAGF,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,MAAM,MAAM;AACjC,SAAO,mBAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBACpB,OACA,kBAAkB,OACY;AAC9B,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBACT,MAAM,eAAe,IACrB,MAAM,eAAe;AAEzB,cAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,QAAQ,gBAAgB,SAAS;AAAA,UACjC,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/nextErrors.js

@@ -0,0 +1,97 @@
+const CONTROL_FLOW_ERROR = {
+  REDIRECT_TO_URL: "TERNSECURE_PROTECT_REDIRECT_TO_URL",
+  REDIRECT_TO_SIGN_IN: "TERNSECURE_PROTECT_REDIRECT_TO_SIGN_IN",
+  REDIRECT_TO_SIGN_UP: "TERNSECURE_PROTECT_REDIRECT_TO_SIGN_UP"
+};
+const LEGACY_NOT_FOUND_ERROR_CODE = "NEXT_NOT_FOUND";
+function isLegacyNextjsNotFoundError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error)) {
+    return false;
+  }
+  return error.digest === LEGACY_NOT_FOUND_ERROR_CODE;
+}
+const HTTPAccessErrorStatusCodes = {
+  NOT_FOUND: 404,
+  FORBIDDEN: 403,
+  UNAUTHORIZED: 401
+};
+const ALLOWED_CODES = new Set(Object.values(HTTPAccessErrorStatusCodes));
+const HTTP_ERROR_FALLBACK_ERROR_CODE = "NEXT_HTTP_ERROR_FALLBACK";
+function isHTTPAccessFallbackError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error) || typeof error.digest !== "string") {
+    return false;
+  }
+  const [prefix, httpStatus] = error.digest.split(";");
+  return prefix === HTTP_ERROR_FALLBACK_ERROR_CODE && ALLOWED_CODES.has(Number(httpStatus));
+}
+function whichHTTPAccessFallbackError(error) {
+  if (!isHTTPAccessFallbackError(error)) {
+    return void 0;
+  }
+  const [, httpStatus] = error.digest.split(";");
+  return Number(httpStatus);
+}
+function isNextjsNotFoundError(error) {
+  return isLegacyNextjsNotFoundError(error) || // Checks for the error thrown from `notFound()` for canary versions of next@15
+  whichHTTPAccessFallbackError(error) === HTTPAccessErrorStatusCodes.NOT_FOUND;
+}
+const REDIRECT_ERROR_CODE = "NEXT_REDIRECT";
+function nextjsRedirectError(url, extra, type = "replace", statusCode = 307) {
+  const error = new Error(REDIRECT_ERROR_CODE);
+  error.digest = `${REDIRECT_ERROR_CODE};${type};${url};${statusCode};`;
+  error.tern_digest = CONTROL_FLOW_ERROR.REDIRECT_TO_URL;
+  Object.assign(error, extra);
+  throw error;
+}
+function buildReturnBackUrl(url, returnBackUrl) {
+  return returnBackUrl === null ? "" : returnBackUrl || url;
+}
+function redirectToSignInError(url, returnBackUrl) {
+  nextjsRedirectError(url, {
+    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN,
+    returnBackUrl: buildReturnBackUrl(url, returnBackUrl)
+  });
+}
+function redirectToSignUpError(url, returnBackUrl) {
+  nextjsRedirectError(url, {
+    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP,
+    returnBackUrl: buildReturnBackUrl(url, returnBackUrl)
+  });
+}
+function isNextjsRedirectError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error) || typeof error.digest !== "string") {
+    return false;
+  }
+  const digest = error.digest.split(";");
+  const [errorCode, type] = digest;
+  const destination = digest.slice(2, -2).join(";");
+  const status = digest.at(-2);
+  const statusCode = Number(status);
+  return errorCode === REDIRECT_ERROR_CODE && (type === "replace" || type === "push") && typeof destination === "string" && !isNaN(statusCode) && statusCode === 307;
+}
+function isRedirectToSignInError(error) {
+  if (isNextjsRedirectError(error) && "tern_digest" in error) {
+    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;
+  }
+  return false;
+}
+function isRedirectToSignUpError(error) {
+  if (isNextjsRedirectError(error) && "tern_digest" in error) {
+    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP;
+  }
+  return false;
+}
+export {
+  HTTP_ERROR_FALLBACK_ERROR_CODE,
+  isHTTPAccessFallbackError,
+  isLegacyNextjsNotFoundError,
+  isNextjsNotFoundError,
+  isNextjsRedirectError,
+  isRedirectToSignInError,
+  isRedirectToSignUpError,
+  nextjsRedirectError,
+  redirectToSignInError,
+  redirectToSignUpError,
+  whichHTTPAccessFallbackError
+};
+//# sourceMappingURL=nextErrors.js.map

package/dist/esm/server/nextErrors.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/nextErrors.ts"],"sourcesContent":["\nconst CONTROL_FLOW_ERROR = {\n  REDIRECT_TO_URL: 'TERNSECURE_PROTECT_REDIRECT_TO_URL',\n  REDIRECT_TO_SIGN_IN: 'TERNSECURE_PROTECT_REDIRECT_TO_SIGN_IN',\n  REDIRECT_TO_SIGN_UP: 'TERNSECURE_PROTECT_REDIRECT_TO_SIGN_UP',\n};\n\n/**\n * In-house implementation of `notFound()`\n * https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/not-found.ts\n */\nconst LEGACY_NOT_FOUND_ERROR_CODE = 'NEXT_NOT_FOUND';\n\ntype LegacyNotFoundError = Error & {\n  digest: typeof LEGACY_NOT_FOUND_ERROR_CODE;\n};\n\n/**\n * Checks for the error thrown from `notFound()` for versions <= next@15.0.4\n */\nfunction isLegacyNextjsNotFoundError(error: unknown): error is LegacyNotFoundError {\n  if (typeof error !== 'object' || error === null || !('digest' in error)) {\n    return false;\n  }\n\n  return error.digest === LEGACY_NOT_FOUND_ERROR_CODE;\n}\n\nconst HTTPAccessErrorStatusCodes = {\n  NOT_FOUND: 404,\n  FORBIDDEN: 403,\n  UNAUTHORIZED: 401,\n};\n\nconst ALLOWED_CODES = new Set(Object.values(HTTPAccessErrorStatusCodes));\n\nexport const HTTP_ERROR_FALLBACK_ERROR_CODE = 'NEXT_HTTP_ERROR_FALLBACK';\n\nexport type HTTPAccessFallbackError = Error & {\n  digest: `${typeof HTTP_ERROR_FALLBACK_ERROR_CODE};${string}`;\n};\n\nexport function isHTTPAccessFallbackError(error: unknown): error is HTTPAccessFallbackError {\n  if (typeof error !== 'object' || error === null || !('digest' in error) || typeof error.digest !== 'string') {\n    return false;\n  }\n  const [prefix, httpStatus] = error.digest.split(';');\n\n  return prefix === HTTP_ERROR_FALLBACK_ERROR_CODE && ALLOWED_CODES.has(Number(httpStatus));\n}\n\nexport function whichHTTPAccessFallbackError(error: unknown): number | undefined {\n  if (!isHTTPAccessFallbackError(error)) {\n    return undefined;\n  }\n\n  const [, httpStatus] = error.digest.split(';');\n  return Number(httpStatus);\n}\n\nfunction isNextjsNotFoundError(error: unknown): error is LegacyNotFoundError | HTTPAccessFallbackError {\n  return (\n    isLegacyNextjsNotFoundError(error) ||\n    // Checks for the error thrown from `notFound()` for canary versions of next@15\n    whichHTTPAccessFallbackError(error) === HTTPAccessErrorStatusCodes.NOT_FOUND\n  );\n}\n\n/**\n * In-house implementation of `redirect()` extended with a `tern_digest` property\n * https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/redirect.ts\n */\n\nconst REDIRECT_ERROR_CODE = 'NEXT_REDIRECT';\n\ntype RedirectError<T = unknown> = Error & {\n  digest: `${typeof REDIRECT_ERROR_CODE};${'replace'};${string};${307};`;\n  tern_digest: typeof CONTROL_FLOW_ERROR.REDIRECT_TO_URL | typeof CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;\n} & T;\n\nfunction nextjsRedirectError(\n  url: string,\n  extra: Record<string, unknown>,\n  type: 'replace' = 'replace',\n  statusCode: 307 = 307,\n): never {\n  const error = new Error(REDIRECT_ERROR_CODE) as RedirectError;\n  error.digest = `${REDIRECT_ERROR_CODE};${type};${url};${statusCode};`;\n  error.tern_digest = CONTROL_FLOW_ERROR.REDIRECT_TO_URL;\n  Object.assign(error, extra);\n  throw error;\n}\n\nfunction buildReturnBackUrl(url: string, returnBackUrl?: string | URL | null): string | URL {\n  return returnBackUrl === null ? '' : returnBackUrl || url;\n}\n\nfunction redirectToSignInError(url: string, returnBackUrl?: string | URL | null): never {\n  nextjsRedirectError(url, {\n    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN,\n    returnBackUrl: buildReturnBackUrl(url, returnBackUrl),\n  });\n}\n\nfunction redirectToSignUpError(url: string, returnBackUrl?: string | URL | null): never {\n  nextjsRedirectError(url, {\n    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP,\n    returnBackUrl: buildReturnBackUrl(url, returnBackUrl),\n  });\n}\n\n/**\n * Checks an error to determine if it's an error generated by the\n * `redirect(url)` helper.\n *\n * @param error the error that may reference a redirect error\n * @returns true if the error is a redirect error\n */\nfunction isNextjsRedirectError(error: unknown): error is RedirectError<{ redirectUrl: string | URL }> {\n  if (typeof error !== 'object' || error === null || !('digest' in error) || typeof error.digest !== 'string') {\n    return false;\n  }\n\n  const digest = error.digest.split(';');\n  const [errorCode, type] = digest;\n  const destination = digest.slice(2, -2).join(';');\n  const status = digest.at(-2);\n\n  const statusCode = Number(status);\n\n  return (\n    errorCode === REDIRECT_ERROR_CODE &&\n    (type === 'replace' || type === 'push') &&\n    typeof destination === 'string' &&\n    !isNaN(statusCode) &&\n    statusCode === 307\n  );\n}\n\nfunction isRedirectToSignInError(error: unknown): error is RedirectError<{ returnBackUrl: string | URL }> {\n  if (isNextjsRedirectError(error) && 'tern_digest' in error) {\n    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;\n  }\n\n  return false;\n}\n\nfunction isRedirectToSignUpError(error: unknown): error is RedirectError<{ returnBackUrl: string | URL }> {\n  if (isNextjsRedirectError(error) && 'tern_digest' in error) {\n    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP;\n  }\n\n  return false;\n}\n\nexport {\n  isNextjsNotFoundError,\n  isLegacyNextjsNotFoundError,\n  redirectToSignInError,\n  redirectToSignUpError,\n  nextjsRedirectError,\n  isNextjsRedirectError,\n  isRedirectToSignInError,\n  isRedirectToSignUpError,\n};\n"],"mappings":"AACA,MAAM,qBAAqB;AAAA,EACzB,iBAAiB;AAAA,EACjB,qBAAqB;AAAA,EACrB,qBAAqB;AACvB;AAMA,MAAM,8BAA8B;AASpC,SAAS,4BAA4B,OAA8C;AACjF,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,QAAQ;AACvE,WAAO;AAAA,EACT;AAEA,SAAO,MAAM,WAAW;AAC1B;AAEA,MAAM,6BAA6B;AAAA,EACjC,WAAW;AAAA,EACX,WAAW;AAAA,EACX,cAAc;AAChB;AAEA,MAAM,gBAAgB,IAAI,IAAI,OAAO,OAAO,0BAA0B,CAAC;AAEhE,MAAM,iCAAiC;AAMvC,SAAS,0BAA0B,OAAkD;AAC1F,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UAAU;AAC3G,WAAO;AAAA,EACT;AACA,QAAM,CAAC,QAAQ,UAAU,IAAI,MAAM,OAAO,MAAM,GAAG;AAEnD,SAAO,WAAW,kCAAkC,cAAc,IAAI,OAAO,UAAU,CAAC;AAC1F;AAEO,SAAS,6BAA6B,OAAoC;AAC/E,MAAI,CAAC,0BAA0B,KAAK,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,QAAM,CAAC,EAAE,UAAU,IAAI,MAAM,OAAO,MAAM,GAAG;AAC7C,SAAO,OAAO,UAAU;AAC1B;AAEA,SAAS,sBAAsB,OAAwE;AACrG,SACE,4BAA4B,KAAK;AAAA,EAEjC,6BAA6B,KAAK,MAAM,2BAA2B;AAEvE;AAOA,MAAM,sBAAsB;AAO5B,SAAS,oBACP,KACA,OACA,OAAkB,WAClB,aAAkB,KACX;AACP,QAAM,QAAQ,IAAI,MAAM,mBAAmB;AAC3C,QAAM,SAAS,GAAG,mBAAmB,IAAI,IAAI,IAAI,GAAG,IAAI,UAAU;AAClE,QAAM,cAAc,mBAAmB;AACvC,SAAO,OAAO,OAAO,KAAK;AAC1B,QAAM;AACR;AAEA,SAAS,mBAAmB,KAAa,eAAmD;AAC1F,SAAO,kBAAkB,OAAO,KAAK,iBAAiB;AACxD;AAEA,SAAS,sBAAsB,KAAa,eAA4C;AACtF,sBAAoB,KAAK;AAAA,IACvB,aAAa,mBAAmB;AAAA,IAChC,eAAe,mBAAmB,KAAK,aAAa;AAAA,EACtD,CAAC;AACH;AAEA,SAAS,sBAAsB,KAAa,eAA4C;AACtF,sBAAoB,KAAK;AAAA,IACvB,aAAa,mBAAmB;AAAA,IAChC,eAAe,mBAAmB,KAAK,aAAa;AAAA,EACtD,CAAC;AACH;AASA,SAAS,sBAAsB,OAAuE;AACpG,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UAAU;AAC3G,WAAO;AAAA,EACT;AAEA,QAAM,SAAS,MAAM,OAAO,MAAM,GAAG;AACrC,QAAM,CAAC,WAAW,IAAI,IAAI;AAC1B,QAAM,cAAc,OAAO,MAAM,GAAG,EAAE,EAAE,KAAK,GAAG;AAChD,QAAM,SAAS,OAAO,GAAG,EAAE;AAE3B,QAAM,aAAa,OAAO,MAAM;AAEhC,SACE,cAAc,wBACb,SAAS,aAAa,SAAS,WAChC,OAAO,gBAAgB,YACvB,CAAC,MAAM,UAAU,KACjB,eAAe;AAEnB;AAEA,SAAS,wBAAwB,OAAyE;AACxG,MAAI,sBAAsB,KAAK,KAAK,iBAAiB,OAAO;AAC1D,WAAO,MAAM,gBAAgB,mBAAmB;AAAA,EAClD;AAEA,SAAO;AACT;AAEA,SAAS,wBAAwB,OAAyE;AACxG,MAAI,sBAAsB,KAAK,KAAK,iBAAiB,OAAO;AAC1D,WAAO,MAAM,gBAAgB,mBAAmB;AAAA,EAClD;AAEA,SAAO;AACT;","names":[]}

package/dist/esm/server/nextFetcher.js

@@ -0,0 +1,7 @@
+function isNextFetcher(fetch) {
+  return "__nextPatched" in fetch && fetch.__nextPatched === true;
+}
+export {
+  isNextFetcher
+};
+//# sourceMappingURL=nextFetcher.js.map

package/dist/esm/server/nextFetcher.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/nextFetcher.ts"],"sourcesContent":["type Fetcher = typeof globalThis.fetch;\n\n/**\n * Based on nextjs internal implementation https://github.com/vercel/next.js/blob/6185444e0a944a82e7719ac37dad8becfed86acd/packages/next/src/server/lib/patch-fetch.ts#L23\n */\ntype NextFetcher = Fetcher & {\n  readonly __nextPatched: true;\n  readonly __nextGetStaticStore: () => { getStore: () => StaticGenerationAsyncStorage | undefined };\n};\n\n/**\n * Full type can be found https://github.com/vercel/next.js/blob/6185444e0a944a82e7719ac37dad8becfed86acd/packages/next/src/client/components/static-generation-async-storage.external.ts#L4\n */\ninterface StaticGenerationAsyncStorage {\n  /**\n   * Available for Next 14\n   */\n  readonly pagePath?: string;\n  /**\n   * Available for Next 15\n   */\n  readonly page?: string;\n}\n\nfunction isNextFetcher(fetch: Fetcher | NextFetcher): fetch is NextFetcher {\n  return '__nextPatched' in fetch && fetch.__nextPatched === true;\n}\n\nexport { isNextFetcher };\n"],"mappings":"AAwBA,SAAS,cAAc,OAAoD;AACzE,SAAO,mBAAmB,SAAS,MAAM,kBAAkB;AAC7D;","names":[]}

package/dist/esm/server/node/SessionTernSecure.js

@@ -0,0 +1,31 @@
+"use server";
+import { VerifyNextTernSessionCookie } from "@tern-secure/backend/admin";
+async function verifyFirebaseToken(token) {
+  if (!token) {
+    return {
+      valid: false,
+      error: {
+        success: false,
+        code: "INVALID_TOKEN",
+        message: "Token is required for verification"
+      }
+    };
+  }
+  try {
+    return await VerifyNextTernSessionCookie(token);
+  } catch (error) {
+    console.error("Error verifying token:", error);
+    return {
+      valid: false,
+      error: {
+        success: false,
+        code: "INVALID_TOKEN",
+        message: error instanceof Error ? error.message : "Token verification failed"
+      }
+    };
+  }
+}
+export {
+  verifyFirebaseToken
+};
+//# sourceMappingURL=SessionTernSecure.js.map

package/dist/esm/server/node/SessionTernSecure.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/SessionTernSecure.ts"],"sourcesContent":["\"use server\";\n\nimport { VerifyNextTernSessionCookie } from \"@tern-secure/backend/admin\";\nimport type { TernVerificationResult } from \"@tern-secure/types\";\n\nexport async function verifyFirebaseToken(\n  token: string\n): Promise<TernVerificationResult> {\n  if (!token) {\n    return {\n      valid: false,\n      error: {\n        success: false,\n        code: \"INVALID_TOKEN\",\n        message: \"Token is required for verification\",\n      },\n    };\n  }\n\n  try {\n    return await VerifyNextTernSessionCookie(token);\n  } catch (error) {\n    console.error(\"Error verifying token:\", error);\n    return {\n      valid: false,\n      error: {\n        success: false,\n        code: \"INVALID_TOKEN\",\n        message:\n          error instanceof Error ? error.message : \"Token verification failed\",\n      },\n    };\n  }\n}\n"],"mappings":";AAEA,SAAS,mCAAmC;AAG5C,eAAsB,oBACpB,OACiC;AACjC,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,WAAO,MAAM,4BAA4B,KAAK;AAAA,EAChD,SAAS,OAAO;AACd,YAAQ,MAAM,0BAA0B,KAAK;AAC7C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/{auth.js → node/auth.js}

@@ -1,31 +1,19 @@
-import { cache } from "react";
 import { cookies } from "next/headers";
-import { verifyFirebaseToken } from "./jwt-edge";
-import { TernSecureError } from "../errors";
+import { cache } from "react";
+import { TernSecureError } from "../../errors";
+import { verifyFirebaseToken } from "./SessionTernSecure";
 const auth = cache(async () => {
   try {
-    console.log("auth: Starting auth check...");
     const cookieStore = await cookies();
     const sessionCookie = cookieStore.get("_session_cookie")?.value;
     if (sessionCookie) {
-      const result = await verifyFirebaseToken(sessionCookie, true);
-      if (result.valid) {
-        const user = {
-          uid: result.uid ?? "",
-          email: result.email || null,
-          authTime: result.authTime
-        };
-        return { user, error: null };
-      }
-    }
-    const idToken = cookieStore.get("_session_token")?.value;
-    if (idToken) {
-      const result = await verifyFirebaseToken(idToken, false);
+      const result = await verifyFirebaseToken(sessionCookie);
       if (result.valid) {
         const user = {
           uid: result.uid ?? "",
-          email: result.email || null,
-          authTime: result.authTime
+          email: result.email && typeof result.email === "string" ? result.email : null,
+          tenantId: result.tenant || "default",
+          authTime: result.authTime && typeof result.authTime === "number" ? result.authTime : void 0
         };
         return { user, error: null };
       }
@@ -44,7 +32,10 @@ const auth = cache(async () => {
     }
     return {
       user: null,
-      error: new TernSecureError("INTERNAL_ERROR", "An unexpected error occurred")
+      error: new TernSecureError(
+        "INTERNAL_ERROR",
+        "An unexpected error occurred"
+      )
     };
   }
 });

package/dist/esm/server/node/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/auth.ts"],"sourcesContent":["import { cookies } from \"next/headers\";\nimport { cache } from \"react\";\n\nimport { TernSecureError } from \"../../errors\";\nimport type { BaseUser } from \"../../types\";\nimport { verifyFirebaseToken } from \"./SessionTernSecure\";\n\nexport interface AuthResult {\n  user: BaseUser | null;\n  error: Error | null;\n}\n\n/**\n * Get the current authenticated user from the session cookies\n */\nexport const auth = cache(async (): Promise<AuthResult> => {\n  try {\n    const cookieStore = await cookies();\n\n    const sessionCookie = cookieStore.get(\"_session_cookie\")?.value;\n    if (sessionCookie) {\n      const result = await verifyFirebaseToken(sessionCookie);\n      if (result.valid) {\n        const user: BaseUser = {\n          uid: result.uid ?? \"\",\n          email:\n            result.email && typeof result.email === \"string\"\n              ? result.email\n              : null,\n          tenantId: result.tenant || \"default\",\n          authTime:\n            result.authTime && typeof result.authTime === \"number\"\n              ? result.authTime\n              : undefined,\n        };\n        return { user, error: null };\n      }\n    }\n\n    return {\n      user: null,\n      error: new TernSecureError(\"UNAUTHENTICATED\", \"No valid session found\"),\n    };\n  } catch (error) {\n    console.error(\"Error in Auth:\", error);\n    if (error instanceof TernSecureError) {\n      return {\n        user: null,\n        error,\n      };\n    }\n    return {\n      user: null,\n      error: new TernSecureError(\n        \"INTERNAL_ERROR\",\n        \"An unexpected error occurred\"\n      ),\n    };\n  }\n});\n\n/**\n * Type guard to check if user is authenticated\n */\nexport const isAuthenticated = cache(async (): Promise<boolean> => {\n  const { user } = await auth();\n  return user !== null;\n});\n\n/**\n * Get user info from auth result\n */\nexport const getUser = cache(async (): Promise<BaseUser | null> => {\n  const { user } = await auth();\n  return user;\n});\n\n/**\n * Require authentication\n * Throws error if not authenticated\n */\nexport const requireAuth = cache(async (): Promise<BaseUser> => {\n  const { user, error } = await auth();\n\n  if (!user) {\n    throw error || new Error(\"Authentication required\");\n  }\n\n  return user;\n});\n"],"mappings":"AAAA,SAAS,eAAe;AACxB,SAAS,aAAa;AAEtB,SAAS,uBAAuB;AAEhC,SAAS,2BAA2B;AAU7B,MAAM,OAAO,MAAM,YAAiC;AACzD,MAAI;AACF,UAAM,cAAc,MAAM,QAAQ;AAElC,UAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAC1D,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM,oBAAoB,aAAa;AACtD,UAAI,OAAO,OAAO;AAChB,cAAM,OAAiB;AAAA,UACrB,KAAK,OAAO,OAAO;AAAA,UACnB,OACE,OAAO,SAAS,OAAO,OAAO,UAAU,WACpC,OAAO,QACP;AAAA,UACN,UAAU,OAAO,UAAU;AAAA,UAC3B,UACE,OAAO,YAAY,OAAO,OAAO,aAAa,WAC1C,OAAO,WACP;AAAA,QACR;AACA,eAAO,EAAE,MAAM,OAAO,KAAK;AAAA,MAC7B;AAAA,IACF;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,IAAI,gBAAgB,mBAAmB,wBAAwB;AAAA,IACxE;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,kBAAkB,KAAK;AACrC,QAAI,iBAAiB,iBAAiB;AACpC,aAAO;AAAA,QACL,MAAM;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAKM,MAAM,kBAAkB,MAAM,YAA8B;AACjE,QAAM,EAAE,KAAK,IAAI,MAAM,KAAK;AAC5B,SAAO,SAAS;AAClB,CAAC;AAKM,MAAM,UAAU,MAAM,YAAsC;AACjE,QAAM,EAAE,KAAK,IAAI,MAAM,KAAK;AAC5B,SAAO;AACT,CAAC;AAMM,MAAM,cAAc,MAAM,YAA+B;AAC9D,QAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK;AAEnC,MAAI,CAAC,MAAM;AACT,UAAM,SAAS,IAAI,MAAM,yBAAyB;AAAA,EACpD;AAEA,SAAO;AACT,CAAC;","names":[]}

package/dist/esm/server/node/index.js

@@ -0,0 +1,19 @@
+import {
+  ternSecureMiddleware,
+  createRouteMatcher
+} from "./ternSecureNodeMiddleware";
+import {
+  auth,
+  getUser,
+  isAuthenticated,
+  requireAuth
+} from "./auth";
+export {
+  auth,
+  createRouteMatcher,
+  getUser,
+  isAuthenticated,
+  requireAuth,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=index.js.map

package/dist/esm/server/node/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/index.ts"],"sourcesContent":["export {\n  ternSecureMiddleware,\n  createRouteMatcher,\n} from \"./ternSecureNodeMiddleware\";\nexport {\n  auth,\n  getUser,\n  isAuthenticated,\n  requireAuth,\n  type AuthResult,\n} from \"./auth\";"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;","names":[]}

package/dist/esm/server/node/node-session.js

@@ -0,0 +1,36 @@
+import { verifyFirebaseToken } from "./SessionTernSecure";
+async function verifySession(request) {
+  try {
+    const sessionCookie = request.cookies.get("_session_cookie")?.value;
+    if (sessionCookie) {
+      const result = await verifyFirebaseToken(sessionCookie);
+      if (result.valid) {
+        return {
+          isAuthenticated: true,
+          user: {
+            uid: result.uid ?? "",
+            email: result.email || null,
+            tenantId: result.tenant || "default",
+            disabled: false
+          }
+        };
+      }
+    }
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: "No valid session found"
+    };
+  } catch (error) {
+    console.error("Session verification error:", error);
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: error instanceof Error ? error.message : "Session verification failed"
+    };
+  }
+}
+export {
+  verifySession
+};
+//# sourceMappingURL=node-session.js.map

package/dist/esm/server/node/node-session.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/node-session.ts"],"sourcesContent":["import type { NextRequest } from \"next/server\";\n\nimport type { SessionResult } from \"../types\";\nimport { verifyFirebaseToken } from \"./SessionTernSecure\";\n\nexport async function verifySession(\n  request: NextRequest\n): Promise<SessionResult> {\n  try {\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value;\n    if (sessionCookie) {\n      const result = await verifyFirebaseToken(sessionCookie);\n      if (result.valid) {\n        //const disabledKey = `disabled_user:${result.uid}`;\n        //const disabledUser: DisabledUserRecord | null =\n        // await redis.get(disabledKey);\n        //const isDisabled = !!disabledUser;\n        return {\n          isAuthenticated: true,\n          user: {\n            uid: result.uid ?? \"\",\n            email: result.email || null,\n            tenantId: result.tenant || \"default\",\n            disabled: false,\n          },\n        };\n      }\n    }\n    return {\n      isAuthenticated: false,\n      user: null,\n      error: \"No valid session found\",\n    };\n  } catch (error) {\n    console.error(\"Session verification error:\", error);\n    return {\n      isAuthenticated: false,\n      user: null,\n      error:\n        error instanceof Error ? error.message : \"Session verification failed\",\n    };\n  }\n}\n"],"mappings":"AAGA,SAAS,2BAA2B;AAEpC,eAAsB,cACpB,SACwB;AACxB,MAAI;AACF,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM,oBAAoB,aAAa;AACtD,UAAI,OAAO,OAAO;AAKhB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,KAAK,OAAO,OAAO;AAAA,YACnB,OAAO,OAAO,SAAS;AAAA,YACvB,UAAU,OAAO,UAAU;AAAA,YAC3B,UAAU;AAAA,UACZ;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC7C;AAAA,EACF;AACF;","names":[]}

package/dist/esm/server/node/ternSecureNodeMiddleware.js

@@ -0,0 +1,165 @@
+import { createTernSecureRequest } from "@tern-secure/backend";
+import {
+  createBackendInstance
+} from "@tern-secure/backend/admin";
+import { NextResponse } from "next/server";
+import { SIGN_IN_URL, SIGN_UP_URL } from "../constant";
+import {
+  isNextjsNotFoundError,
+  isRedirectToSignInError,
+  isRedirectToSignUpError,
+  redirectToSignInError,
+  redirectToSignUpError
+} from "../nextErrors";
+import { createRedirect } from "../redirect";
+const createRouteMatcher = (patterns) => {
+  return (request) => {
+    const { pathname } = request.nextUrl;
+    return patterns.some((pattern) => {
+      const regexPattern = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").replace(/\\\*/g, ".*");
+      return new RegExp(`^${regexPattern}$`).test(pathname);
+    });
+  };
+};
+const authenticateMiddlewareRequest = async (request) => {
+  try {
+    const requestState = await createBackendInstance(request);
+    const authResult = requestState.requestState.auth();
+    return {
+      user: {
+        uid: authResult.session.uid,
+        email: authResult.session.email || null,
+        tenantId: authResult.session.firebase?.tenant || "default",
+        authTime: authResult.session.auth_time
+      },
+      session: requestState.requestState.token
+    };
+  } catch (error) {
+    console.error(
+      "Auth check error:",
+      error instanceof Error ? error.message : "Unknown error"
+    );
+    return {
+      user: null,
+      session: null
+    };
+  }
+};
+const ternSecureMiddleware = (...args) => {
+  const [request, event] = parseRequestAndEvent(args);
+  const [handler, params] = parseHandlerAndOptions(args);
+  const middleware = () => {
+    const withAuthNextMiddleware = async (request2, event2) => {
+      const resolvedParams = typeof params === "function" ? await params(request2) : params;
+      const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;
+      const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;
+      let handlerResult = NextResponse.next();
+      if (handler) {
+        const createAuthHandler = async () => {
+          const authObject = await authenticateMiddlewareRequest(request2);
+          const getAuth = async () => {
+            const ternSecureRequest = createTernSecureRequest(request2);
+            const { redirectToSignIn, redirectToSignUp } = createMiddlewareRedirects(
+              ternSecureRequest,
+              signInUrl,
+              signUpUrl
+            );
+            return {
+              ...authObject,
+              redirectToSignIn,
+              redirectToSignUp
+            };
+          };
+          const protect = async () => {
+            if (!authObject.user || !authObject.session) {
+              const redirectUrl = new URL(signInUrl || "/sign-in", request2.url);
+              redirectUrl.searchParams.set(
+                "redirect",
+                request2.nextUrl.pathname
+              );
+              redirectToSignInError(redirectUrl.toString());
+            }
+          };
+          const authHandler = Object.assign(getAuth, {
+            protect,
+            user: authObject.user,
+            session: authObject.session
+          });
+          return authHandler;
+        };
+        try {
+          const auth = await createAuthHandler();
+          const userHandlerResult = await handler(auth, request2, event2);
+          handlerResult = userHandlerResult || handlerResult;
+        } catch (error) {
+          const ternSecureRequest = createTernSecureRequest(request2);
+          handlerResult = handleControlError(error, ternSecureRequest, request2);
+        }
+        return handlerResult;
+      }
+      return handlerResult;
+    };
+    const nextMiddleware = async (request2, event2) => {
+      return withAuthNextMiddleware(request2, event2);
+    };
+    if (request && event) {
+      return nextMiddleware(request, event);
+    }
+    return nextMiddleware;
+  };
+  return middleware();
+};
+const parseRequestAndEvent = (args) => {
+  return [
+    args[0] instanceof Request ? args[0] : void 0,
+    args[0] instanceof Request ? args[1] : void 0
+  ];
+};
+const parseHandlerAndOptions = (args) => {
+  return [
+    typeof args[0] === "function" ? args[0] : void 0,
+    (args.length === 2 ? args[1] : typeof args[0] === "function" ? {} : args[0]) || {}
+  ];
+};
+const createMiddlewareRedirects = (ternSecureRequest, signInUrl, signUpUrl) => {
+  const redirectToSignIn = (opts = {}) => {
+    const url = signInUrl || ternSecureRequest.ternUrl.toString();
+    redirectToSignInError(url, opts.returnBackUrl);
+  };
+  const redirectToSignUp = (opts = {}) => {
+    const url = signUpUrl || ternSecureRequest.ternUrl.toString();
+    redirectToSignUpError(url, opts.returnBackUrl);
+  };
+  return { redirectToSignIn, redirectToSignUp };
+};
+const handleControlError = (error, ternSecureRequest, nextrequest) => {
+  if (isNextjsNotFoundError(error)) {
+    return NextResponse.rewrite(new URL("/404", nextrequest.url));
+  }
+  if (isRedirectToSignInError(error)) {
+    const redirectAdapter = (url) => NextResponse.redirect(new URL(url, nextrequest.url));
+    const { redirectToSignIn } = createRedirect({
+      redirectAdapter,
+      baseUrl: ternSecureRequest.ternUrl.origin,
+      signInUrl: SIGN_IN_URL,
+      signUpUrl: SIGN_UP_URL
+    });
+    return redirectToSignIn({ returnBackUrl: error.returnBackUrl });
+  }
+  if (isRedirectToSignUpError(error)) {
+    const redirectAdapter = (url) => NextResponse.redirect(new URL(url, nextrequest.url));
+    const { redirectToSignUp } = createRedirect({
+      redirectAdapter,
+      baseUrl: ternSecureRequest.ternUrl.origin,
+      signInUrl: SIGN_IN_URL,
+      signUpUrl: SIGN_UP_URL
+    });
+    return redirectToSignUp({ returnBackUrl: error.returnBackUrl });
+  }
+  throw error;
+};
+export {
+  createRouteMatcher,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=ternSecureNodeMiddleware.js.map

package/dist/esm/server/node/ternSecureNodeMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/ternSecureNodeMiddleware.ts"],"sourcesContent":["import {createTernSecureRequest,  type TernSecureRequest } from \"@tern-secure/backend\";\nimport {\n  createBackendInstance,\n} from \"@tern-secure/backend/admin\";\nimport type { NextMiddleware,NextRequest } from \"next/server\";\nimport {NextResponse } from \"next/server\";\n\nimport { SIGN_IN_URL, SIGN_UP_URL } from \"../constant\";\nimport {\n  isNextjsNotFoundError,\n  isRedirectToSignInError,\n  isRedirectToSignUpError,\n  redirectToSignInError,\n  redirectToSignUpError,\n} from \"../nextErrors\";\nimport { createRedirect } from \"../redirect\";\nimport type { BaseUser ,\n  NextMiddlewareEvtParam,\n  NextMiddlewareRequestParam,\n  NextMiddlewareReturn,\n} from \"../types\";\n\ntype RedirectToParams = { returnBackUrl?: string | URL | null };\nexport type RedirectFun<ReturnType> = (params?: RedirectToParams) => ReturnType;\n\nexport type AuthObject = {\n  user: BaseUser | null;\n  session: string | null;\n};\n\nexport interface MiddlewareAuth extends AuthObject {\n  (): Promise<MiddlewareAuthObject>;\n  protect: () => Promise<void>;\n}\n\ntype MiddlewareHandler = (\n  auth: MiddlewareAuth,\n  request: NextMiddlewareRequestParam,\n  event: NextMiddlewareEvtParam\n) => NextMiddlewareReturn;\n\nexport type MiddlewareAuthObject = AuthObject & {\n  redirectToSignIn: RedirectFun<Response>;\n  redirectToSignUp: RedirectFun<Response>;\n};\n\n/**\n * Create a route matcher function for public paths\n */\nexport const createRouteMatcher = (patterns: string[]) => {\n  return (request: NextRequest): boolean => {\n    const { pathname } = request.nextUrl;\n    return patterns.some((pattern) => {\n      const regexPattern = pattern\n        .replace(/[.*+?^${}()|[\\]\\\\]/g, \"\\\\$&\")\n        .replace(/\\\\\\*/g, \".*\");\n\n      return new RegExp(`^${regexPattern}$`).test(pathname);\n    });\n  };\n};\n\nconst authenticateMiddlewareRequest = async (\n  request: NextRequest\n): Promise<AuthObject> => {\n  try {\n    const requestState = await createBackendInstance(request);\n    const authResult = requestState.requestState.auth();\n\n    return {\n      user: {\n        uid: authResult.session.uid,\n        email: authResult.session.email || null,\n        tenantId: authResult.session.firebase?.tenant || \"default\",\n        authTime: authResult.session.auth_time,\n      },\n      session: requestState.requestState.token,\n    };\n  } catch (error) {\n    console.error(\n      \"Auth check error:\",\n      error instanceof Error ? error.message : \"Unknown error\"\n    );\n    return {\n      user: null,\n      session: null,\n    };\n  }\n};\n\nexport interface MiddlewareOptions {\n  signInUrl?: string;\n  signUpUrl?: string;\n  debug?: boolean;\n}\ntype MiddlewareOptionsCallback = (\n  req: NextRequest\n) => MiddlewareOptions | Promise<MiddlewareOptions>;\n\ninterface TernSecureMiddleware {\n  /**\n   * @example\n   * export default ternSecureMiddleware((auth, request, event) => { ... }, options);\n   */\n  (handler: MiddlewareHandler, options?: MiddlewareOptions): NextMiddleware;\n\n  /**\n   * @example\n   * export default ternSecureMiddleware((auth, request, event) => { ... }, (req) => options);\n   */\n  (\n    handler: MiddlewareHandler,\n    options?: MiddlewareOptionsCallback\n  ): NextMiddleware;\n\n  /**\n   * @example\n   * export default ternSecureMiddleware(options);\n   */\n  (options?: MiddlewareOptions): NextMiddleware;\n  /**\n   * @example\n   * export default ternSecureMiddleware;\n   */\n  (\n    request: NextMiddlewareRequestParam,\n    event: NextMiddlewareEvtParam\n  ): NextMiddlewareReturn;\n}\n\nexport const ternSecureMiddleware = ((\n  ...args: unknown[]\n): NextMiddleware | NextMiddlewareReturn => {\n  const [request, event] = parseRequestAndEvent(args);\n  const [handler, params] = parseHandlerAndOptions(args);\n\n  const middleware = () => {\n    const withAuthNextMiddleware: NextMiddleware = async (request, event) => {\n      const resolvedParams =\n        typeof params === \"function\" ? await params(request) : params;\n\n      const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;\n      const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;\n\n      let handlerResult: Response = NextResponse.next();\n\n      if (handler) {\n        const createAuthHandler = async (): Promise<MiddlewareAuth> => {\n          const authObject = await authenticateMiddlewareRequest(request);\n\n          const getAuth = async (): Promise<MiddlewareAuthObject> => {\n            const ternSecureRequest = createTernSecureRequest(request);\n            const { redirectToSignIn, redirectToSignUp } =\n              createMiddlewareRedirects(\n                ternSecureRequest,\n                signInUrl,\n                signUpUrl\n              );\n\n            return {\n              ...authObject,\n              redirectToSignIn,\n              redirectToSignUp,\n            };\n          };\n\n          const protect = async (): Promise<void> => {\n            if (!authObject.user || !authObject.session) {\n              const redirectUrl = new URL(signInUrl || \"/sign-in\", request.url);\n              redirectUrl.searchParams.set(\n                \"redirect\",\n                request.nextUrl.pathname\n              );\n              redirectToSignInError(redirectUrl.toString());\n            }\n          };\n\n          // Return the MiddlewareAuth object with direct property access\n          const authHandler = Object.assign(getAuth, {\n            protect,\n            user: authObject.user,\n            session: authObject.session,\n          });\n\n          return authHandler as MiddlewareAuth;\n        };\n\n        try {\n          const auth = await createAuthHandler();\n          const userHandlerResult = await handler(auth, request, event);\n          handlerResult = userHandlerResult || handlerResult;\n        } catch (error) {\n          const ternSecureRequest = createTernSecureRequest(request);\n          handlerResult = handleControlError(error, ternSecureRequest, request);\n        }\n\n        return handlerResult;\n      }\n\n      return handlerResult;\n    };\n\n    const nextMiddleware: NextMiddleware = async (request, event) => {\n      return withAuthNextMiddleware(request, event);\n    };\n\n    if (request && event) {\n      return nextMiddleware(request, event);\n    }\n\n    return nextMiddleware;\n  };\n  return middleware();\n}) as TernSecureMiddleware;\n\nconst parseRequestAndEvent = (args: unknown[]) => {\n  return [\n    args[0] instanceof Request ? args[0] : undefined,\n    args[0] instanceof Request ? args[1] : undefined,\n  ] as [\n    NextMiddlewareRequestParam | undefined,\n    NextMiddlewareEvtParam | undefined,\n  ];\n};\n\nconst parseHandlerAndOptions = (args: unknown[]) => {\n  return [\n    typeof args[0] === \"function\" ? args[0] : undefined,\n    (args.length === 2\n      ? args[1]\n      : typeof args[0] === \"function\"\n        ? {}\n        : args[0]) || {},\n  ] as [\n    MiddlewareHandler | undefined,\n    MiddlewareOptions | MiddlewareOptionsCallback,\n  ];\n};\n\n/**\n * Create middleware redirect functions\n */\nconst createMiddlewareRedirects = (\n  ternSecureRequest: TernSecureRequest,\n  signInUrl: string,\n  signUpUrl: string\n) => {\n  const redirectToSignIn: MiddlewareAuthObject[\"redirectToSignIn\"] = (\n    opts = {}\n  ) => {\n    const url = signInUrl || ternSecureRequest.ternUrl.toString();\n    redirectToSignInError(url, opts.returnBackUrl);\n  };\n\n  const redirectToSignUp: MiddlewareAuthObject[\"redirectToSignUp\"] = (\n    opts = {}\n  ) => {\n    const url = signUpUrl || ternSecureRequest.ternUrl.toString();\n    redirectToSignUpError(url, opts.returnBackUrl);\n  };\n\n  return { redirectToSignIn, redirectToSignUp };\n};\n\n/**\n * Handle control flow errors in middleware\n */\nconst handleControlError = (\n  error: any,\n  ternSecureRequest: TernSecureRequest,\n  nextrequest: NextRequest\n): Response => {\n  if (isNextjsNotFoundError(error)) {\n    return NextResponse.rewrite(new URL(\"/404\", nextrequest.url));\n  }\n\n  // Handle redirect to sign in errors\n  if (isRedirectToSignInError(error)) {\n    const redirectAdapter = (url: string) =>\n      NextResponse.redirect(new URL(url, nextrequest.url));\n    const { redirectToSignIn } = createRedirect({\n      redirectAdapter,\n      baseUrl: ternSecureRequest.ternUrl.origin,\n      signInUrl: SIGN_IN_URL,\n      signUpUrl: SIGN_UP_URL,\n    });\n\n    return redirectToSignIn({ returnBackUrl: error.returnBackUrl });\n  }\n\n  // Handle redirect to sign up errors\n  if (isRedirectToSignUpError(error)) {\n    const redirectAdapter = (url: string) =>\n      NextResponse.redirect(new URL(url, nextrequest.url));\n    const { redirectToSignUp } = createRedirect({\n      redirectAdapter,\n      baseUrl: ternSecureRequest.ternUrl.origin,\n      signInUrl: SIGN_IN_URL,\n      signUpUrl: SIGN_UP_URL,\n    });\n\n    return redirectToSignUp({ returnBackUrl: error.returnBackUrl });\n  }\n\n  throw error;\n};\n"],"mappings":"AAAA,SAAQ,+BAAwD;AAChE;AAAA,EACE;AAAA,OACK;AAEP,SAAQ,oBAAoB;AAE5B,SAAS,aAAa,mBAAmB;AACzC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,sBAAsB;AAkCxB,MAAM,qBAAqB,CAAC,aAAuB;AACxD,SAAO,CAAC,YAAkC;AACxC,UAAM,EAAE,SAAS,IAAI,QAAQ;AAC7B,WAAO,SAAS,KAAK,CAAC,YAAY;AAChC,YAAM,eAAe,QAClB,QAAQ,uBAAuB,MAAM,EACrC,QAAQ,SAAS,IAAI;AAExB,aAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,QAAQ;AAAA,IACtD,CAAC;AAAA,EACH;AACF;AAEA,MAAM,gCAAgC,OACpC,YACwB;AACxB,MAAI;AACF,UAAM,eAAe,MAAM,sBAAsB,OAAO;AACxD,UAAM,aAAa,aAAa,aAAa,KAAK;AAElD,WAAO;AAAA,MACL,MAAM;AAAA,QACJ,KAAK,WAAW,QAAQ;AAAA,QACxB,OAAO,WAAW,QAAQ,SAAS;AAAA,QACnC,UAAU,WAAW,QAAQ,UAAU,UAAU;AAAA,QACjD,UAAU,WAAW,QAAQ;AAAA,MAC/B;AAAA,MACA,SAAS,aAAa,aAAa;AAAA,IACrC;AAAA,EACF,SAAS,OAAO;AACd,YAAQ;AAAA,MACN;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC3C;AACA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,EACF;AACF;AA0CO,MAAM,uBAAwB,IAChC,SACuC;AAC1C,QAAM,CAAC,SAAS,KAAK,IAAI,qBAAqB,IAAI;AAClD,QAAM,CAAC,SAAS,MAAM,IAAI,uBAAuB,IAAI;AAErD,QAAM,aAAa,MAAM;AACvB,UAAM,yBAAyC,OAAOA,UAASC,WAAU;AACvE,YAAM,iBACJ,OAAO,WAAW,aAAa,MAAM,OAAOD,QAAO,IAAI;AAEzD,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,YAAY,eAAe,aAAa;AAE9C,UAAI,gBAA0B,aAAa,KAAK;AAEhD,UAAI,SAAS;AACX,cAAM,oBAAoB,YAAqC;AAC7D,gBAAM,aAAa,MAAM,8BAA8BA,QAAO;AAE9D,gBAAM,UAAU,YAA2C;AACzD,kBAAM,oBAAoB,wBAAwBA,QAAO;AACzD,kBAAM,EAAE,kBAAkB,iBAAiB,IACzC;AAAA,cACE;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAEF,mBAAO;AAAA,cACL,GAAG;AAAA,cACH;AAAA,cACA;AAAA,YACF;AAAA,UACF;AAEA,gBAAM,UAAU,YAA2B;AACzC,gBAAI,CAAC,WAAW,QAAQ,CAAC,WAAW,SAAS;AAC3C,oBAAM,cAAc,IAAI,IAAI,aAAa,YAAYA,SAAQ,GAAG;AAChE,0BAAY,aAAa;AAAA,gBACvB;AAAA,gBACAA,SAAQ,QAAQ;AAAA,cAClB;AACA,oCAAsB,YAAY,SAAS,CAAC;AAAA,YAC9C;AAAA,UACF;AAGA,gBAAM,cAAc,OAAO,OAAO,SAAS;AAAA,YACzC;AAAA,YACA,MAAM,WAAW;AAAA,YACjB,SAAS,WAAW;AAAA,UACtB,CAAC;AAED,iBAAO;AAAA,QACT;AAEA,YAAI;AACF,gBAAM,OAAO,MAAM,kBAAkB;AACrC,gBAAM,oBAAoB,MAAM,QAAQ,MAAMA,UAASC,MAAK;AAC5D,0BAAgB,qBAAqB;AAAA,QACvC,SAAS,OAAO;AACd,gBAAM,oBAAoB,wBAAwBD,QAAO;AACzD,0BAAgB,mBAAmB,OAAO,mBAAmBA,QAAO;AAAA,QACtE;AAEA,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiC,OAAOA,UAASC,WAAU;AAC/D,aAAO,uBAAuBD,UAASC,MAAK;AAAA,IAC9C;AAEA,QAAI,WAAW,OAAO;AACpB,aAAO,eAAe,SAAS,KAAK;AAAA,IACtC;AAEA,WAAO;AAAA,EACT;AACA,SAAO,WAAW;AACpB;AAEA,MAAM,uBAAuB,CAAC,SAAoB;AAChD,SAAO;AAAA,IACL,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,IACvC,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,EACzC;AAIF;AAEA,MAAM,yBAAyB,CAAC,SAAoB;AAClD,SAAO;AAAA,IACL,OAAO,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,IAAI;AAAA,KACzC,KAAK,WAAW,IACb,KAAK,CAAC,IACN,OAAO,KAAK,CAAC,MAAM,aACjB,CAAC,IACD,KAAK,CAAC,MAAM,CAAC;AAAA,EACrB;AAIF;AAKA,MAAM,4BAA4B,CAChC,mBACA,WACA,cACG;AACH,QAAM,mBAA6D,CACjE,OAAO,CAAC,MACL;AACH,UAAM,MAAM,aAAa,kBAAkB,QAAQ,SAAS;AAC5D,0BAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,QAAM,mBAA6D,CACjE,OAAO,CAAC,MACL;AACH,UAAM,MAAM,aAAa,kBAAkB,QAAQ,SAAS;AAC5D,0BAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,SAAO,EAAE,kBAAkB,iBAAiB;AAC9C;AAKA,MAAM,qBAAqB,CACzB,OACA,mBACA,gBACa;AACb,MAAI,sBAAsB,KAAK,GAAG;AAChC,WAAO,aAAa,QAAQ,IAAI,IAAI,QAAQ,YAAY,GAAG,CAAC;AAAA,EAC9D;AAGA,MAAI,wBAAwB,KAAK,GAAG;AAClC,UAAM,kBAAkB,CAAC,QACvB,aAAa,SAAS,IAAI,IAAI,KAAK,YAAY,GAAG,CAAC;AACrD,UAAM,EAAE,iBAAiB,IAAI,eAAe;AAAA,MAC1C;AAAA,MACA,SAAS,kBAAkB,QAAQ;AAAA,MACnC,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAC;AAED,WAAO,iBAAiB,EAAE,eAAe,MAAM,cAAc,CAAC;AAAA,EAChE;AAGA,MAAI,wBAAwB,KAAK,GAAG;AAClC,UAAM,kBAAkB,CAAC,QACvB,aAAa,SAAS,IAAI,IAAI,KAAK,YAAY,GAAG,CAAC;AACrD,UAAM,EAAE,iBAAiB,IAAI,eAAe;AAAA,MAC1C;AAAA,MACA,SAAS,kBAAkB,QAAQ;AAAA,MACnC,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAC;AAED,WAAO,iBAAiB,EAAE,eAAe,MAAM,cAAc,CAAC;AAAA,EAChE;AAEA,QAAM;AACR;","names":["request","event"]}

package/dist/esm/server/protect.js

@@ -0,0 +1,66 @@
+import { constants } from "@tern-secure/backend";
+import { constants as nextConstants } from "../constants";
+import { isNextFetcher } from "./nextFetcher";
+function createProtect(opts) {
+  const { redirectToSignIn, authObject, redirect, notFound, request } = opts;
+  return async (...args) => {
+    const optionValuesAsParam = args[0]?.unauthenticatedUrl || args[0]?.unauthorizedUrl;
+    const paramsOrFunction = optionValuesAsParam ? void 0 : args[0];
+    const unauthenticatedUrl = args[0]?.unauthenticatedUrl || args[1]?.unauthenticatedUrl;
+    const unauthorizedUrl = args[0]?.unauthorizedUrl || args[1]?.unauthorizedUrl;
+    const handleUnauthenticated = () => {
+      if (unauthenticatedUrl) {
+        redirect(unauthenticatedUrl);
+      }
+      if (isPageRequest(request)) {
+        return redirectToSignIn();
+      }
+      return notFound();
+    };
+    const handleUnauthorized = () => {
+      if (unauthorizedUrl) {
+        redirect(unauthorizedUrl);
+      }
+      notFound();
+    };
+    if (!authObject.userId) {
+      handleUnauthenticated();
+    }
+    if (!paramsOrFunction) {
+      return authObject;
+    }
+    if (typeof paramsOrFunction === "function") {
+      if (paramsOrFunction(authObject.require)) {
+        return authObject;
+      }
+      return handleUnauthorized();
+    }
+    if (authObject.require(paramsOrFunction)) {
+      return authObject;
+    }
+  };
+}
+const isServerActionRequest = (req) => {
+  return !!req.headers.get(nextConstants.Headers.NextUrl) && (req.headers.get(constants.Headers.Accept)?.includes("text/x-component") || req.headers.get(constants.Headers.ContentType)?.includes("multipart/form-data") || !!req.headers.get(nextConstants.Headers.NextAction));
+};
+const isPageRequest = (req) => {
+  return req.headers.get(constants.Headers.SecFetchDest) === "document" || req.headers.get(constants.Headers.SecFetchDest) === "iframe" || req.headers.get(constants.Headers.Accept)?.includes("text/html") || isAppRouterInternalNavigation(req) || isPagesRouterInternalNavigation(req);
+};
+const isAppRouterInternalNavigation = (req) => !!req.headers.get(nextConstants.Headers.NextUrl) && !isServerActionRequest(req) || isPagePathAvailable();
+const isPagePathAvailable = () => {
+  const __fetch = globalThis.fetch;
+  if (!isNextFetcher(__fetch)) {
+    return false;
+  }
+  const { page, pagePath } = __fetch.__nextGetStaticStore().getStore() || {};
+  return Boolean(
+    // available on next@14
+    pagePath || // available on next@15
+    page
+  );
+};
+const isPagesRouterInternalNavigation = (req) => !!req.headers.get(nextConstants.Headers.NextjsData);
+export {
+  createProtect
+};
+//# sourceMappingURL=protect.js.map

package/dist/esm/server/protect.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/protect.ts"],"sourcesContent":["import type { AuthObject, SignedInAuthObject } from \"@tern-secure/backend\";\nimport { constants } from \"@tern-secure/backend\";\nimport type { CheckAuthorizationFromSessionClaims } from \"@tern-secure/types\";\n\nimport { constants as nextConstants } from \"../constants\";\nimport { isNextFetcher } from \"./nextFetcher\";\nimport type { RedirectFun } from \"./redirect\";\n\ntype AuthProtectOptions = {\n  /**\n   * The URL to redirect the user to if they are not authorized.\n   */\n  unauthorizedUrl?: string;\n  /**\n   * The URL to redirect the user to if they are not authenticated.\n   */\n  unauthenticatedUrl?: string;\n};\n\nexport interface AuthProtect {\n  (\n    params?: (require: CheckAuthorizationFromSessionClaims) => boolean,\n    options?: AuthProtectOptions\n  ): Promise<SignedInAuthObject>;\n  (options?: AuthProtectOptions): Promise<SignedInAuthObject>;\n}\n\nexport function createProtect(opts: {\n  request: Request;\n  authObject: AuthObject;\n  notFound: () => never;\n  redirect: (url: string) => void;\n  redirectToSignIn: RedirectFun<unknown>;\n}): AuthProtect {\n  const { redirectToSignIn, authObject, redirect, notFound, request } = opts;\n\n  return (async (...args: any[]) => {\n    const optionValuesAsParam =\n      args[0]?.unauthenticatedUrl || args[0]?.unauthorizedUrl;\n    const paramsOrFunction = optionValuesAsParam ? undefined : (args[0] as \n      | CheckAuthorizationFromSessionClaims\n      | ((require: CheckAuthorizationFromSessionClaims) => boolean));\n    const unauthenticatedUrl = (args[0]?.unauthenticatedUrl ||\n      args[1]?.unauthenticatedUrl) as string | undefined;\n    const unauthorizedUrl = (args[0]?.unauthorizedUrl ||\n      args[1]?.unauthorizedUrl) as string | undefined;\n\n    const handleUnauthenticated = () => {\n      if (unauthenticatedUrl) {\n        redirect(unauthenticatedUrl);\n      }\n      if (isPageRequest(request)) {\n        return redirectToSignIn();\n      }\n      return notFound();\n    };\n\n    const handleUnauthorized = () => {\n      if (unauthorizedUrl) {\n        redirect(unauthorizedUrl);\n      }\n      notFound();\n    };\n\n    if (!authObject.userId) {\n      handleUnauthenticated();\n    }\n\n    if (!paramsOrFunction) {\n      return authObject;\n    }\n\n    if (typeof paramsOrFunction === \"function\") {\n      if (paramsOrFunction(authObject.require)) {\n        return authObject;\n      }\n      return handleUnauthorized();\n    }\n\n    if (authObject.require(paramsOrFunction)) {\n      return authObject;\n    }\n  }) as AuthProtect;\n}\n\nconst isServerActionRequest = (req: Request) => {\n  return (\n    !!req.headers.get(nextConstants.Headers.NextUrl) &&\n    (req.headers.get(constants.Headers.Accept)?.includes(\"text/x-component\") ||\n      req.headers\n        .get(constants.Headers.ContentType)\n        ?.includes(\"multipart/form-data\") ||\n      !!req.headers.get(nextConstants.Headers.NextAction))\n  );\n};\n\nconst isPageRequest = (req: Request): boolean => {\n  return (\n    req.headers.get(constants.Headers.SecFetchDest) === \"document\" ||\n    req.headers.get(constants.Headers.SecFetchDest) === \"iframe\" ||\n    req.headers.get(constants.Headers.Accept)?.includes(\"text/html\") ||\n    isAppRouterInternalNavigation(req) ||\n    isPagesRouterInternalNavigation(req)\n  );\n};\n\nconst isAppRouterInternalNavigation = (req: Request) =>\n  (!!req.headers.get(nextConstants.Headers.NextUrl) &&\n    !isServerActionRequest(req)) ||\n  isPagePathAvailable();\n\nconst isPagePathAvailable = () => {\n  const __fetch = globalThis.fetch;\n\n  if (!isNextFetcher(__fetch)) {\n    return false;\n  }\n\n  const { page, pagePath } = __fetch.__nextGetStaticStore().getStore() || {};\n\n  return Boolean(\n    // available on next@14\n    pagePath ||\n      // available on next@15\n      page\n  );\n};\n\nconst isPagesRouterInternalNavigation = (req: Request) =>\n  !!req.headers.get(nextConstants.Headers.NextjsData);\n"],"mappings":"AACA,SAAS,iBAAiB;AAG1B,SAAS,aAAa,qBAAqB;AAC3C,SAAS,qBAAqB;AAsBvB,SAAS,cAAc,MAMd;AACd,QAAM,EAAE,kBAAkB,YAAY,UAAU,UAAU,QAAQ,IAAI;AAEtE,SAAQ,UAAU,SAAgB;AAChC,UAAM,sBACJ,KAAK,CAAC,GAAG,sBAAsB,KAAK,CAAC,GAAG;AAC1C,UAAM,mBAAmB,sBAAsB,SAAa,KAAK,CAAC;AAGlE,UAAM,qBAAsB,KAAK,CAAC,GAAG,sBACnC,KAAK,CAAC,GAAG;AACX,UAAM,kBAAmB,KAAK,CAAC,GAAG,mBAChC,KAAK,CAAC,GAAG;AAEX,UAAM,wBAAwB,MAAM;AAClC,UAAI,oBAAoB;AACtB,iBAAS,kBAAkB;AAAA,MAC7B;AACA,UAAI,cAAc,OAAO,GAAG;AAC1B,eAAO,iBAAiB;AAAA,MAC1B;AACA,aAAO,SAAS;AAAA,IAClB;AAEA,UAAM,qBAAqB,MAAM;AAC/B,UAAI,iBAAiB;AACnB,iBAAS,eAAe;AAAA,MAC1B;AACA,eAAS;AAAA,IACX;AAEA,QAAI,CAAC,WAAW,QAAQ;AACtB,4BAAsB;AAAA,IACxB;AAEA,QAAI,CAAC,kBAAkB;AACrB,aAAO;AAAA,IACT;AAEA,QAAI,OAAO,qBAAqB,YAAY;AAC1C,UAAI,iBAAiB,WAAW,OAAO,GAAG;AACxC,eAAO;AAAA,MACT;AACA,aAAO,mBAAmB;AAAA,IAC5B;AAEA,QAAI,WAAW,QAAQ,gBAAgB,GAAG;AACxC,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,MAAM,wBAAwB,CAAC,QAAiB;AAC9C,SACE,CAAC,CAAC,IAAI,QAAQ,IAAI,cAAc,QAAQ,OAAO,MAC9C,IAAI,QAAQ,IAAI,UAAU,QAAQ,MAAM,GAAG,SAAS,kBAAkB,KACrE,IAAI,QACD,IAAI,UAAU,QAAQ,WAAW,GAChC,SAAS,qBAAqB,KAClC,CAAC,CAAC,IAAI,QAAQ,IAAI,cAAc,QAAQ,UAAU;AAExD;AAEA,MAAM,gBAAgB,CAAC,QAA0B;AAC/C,SACE,IAAI,QAAQ,IAAI,UAAU,QAAQ,YAAY,MAAM,cACpD,IAAI,QAAQ,IAAI,UAAU,QAAQ,YAAY,MAAM,YACpD,IAAI,QAAQ,IAAI,UAAU,QAAQ,MAAM,GAAG,SAAS,WAAW,KAC/D,8BAA8B,GAAG,KACjC,gCAAgC,GAAG;AAEvC;AAEA,MAAM,gCAAgC,CAAC,QACpC,CAAC,CAAC,IAAI,QAAQ,IAAI,cAAc,QAAQ,OAAO,KAC9C,CAAC,sBAAsB,GAAG,KAC5B,oBAAoB;AAEtB,MAAM,sBAAsB,MAAM;AAChC,QAAM,UAAU,WAAW;AAE3B,MAAI,CAAC,cAAc,OAAO,GAAG;AAC3B,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,MAAM,SAAS,IAAI,QAAQ,qBAAqB,EAAE,SAAS,KAAK,CAAC;AAEzE,SAAO;AAAA;AAAA,IAEL;AAAA,IAEE;AAAA,EACJ;AACF;AAEA,MAAM,kCAAkC,CAAC,QACvC,CAAC,CAAC,IAAI,QAAQ,IAAI,cAAc,QAAQ,UAAU;","names":[]}