@tern-secure/nextjs 5.1.8 → 5.1.10

package/dist/esm/server/redirect.js

@@ -0,0 +1,60 @@
+const buildUrl = (_baseUrl, _targetUrl, _returnBackUrl) => {
+  if (_baseUrl === "") {
+    return legacyBuildUrl(_targetUrl.toString(), _returnBackUrl?.toString());
+  }
+  const baseUrl = new URL(_baseUrl);
+  const returnBackUrl = _returnBackUrl ? new URL(_returnBackUrl, baseUrl) : void 0;
+  const res = new URL(_targetUrl, baseUrl);
+  if (returnBackUrl) {
+    res.searchParams.set("redirect_url", returnBackUrl.toString());
+  }
+  return res.toString();
+};
+const legacyBuildUrl = (targetUrl, redirectUrl) => {
+  let url;
+  if (!targetUrl.startsWith("http")) {
+    if (!redirectUrl || !redirectUrl.startsWith("http")) {
+      throw new Error("destination url or return back url should be an absolute path url!");
+    }
+    const baseURL = new URL(redirectUrl);
+    url = new URL(targetUrl, baseURL.origin);
+  } else {
+    url = new URL(targetUrl);
+  }
+  if (redirectUrl) {
+    url.searchParams.set("redirect_url", redirectUrl);
+  }
+  return url.toString();
+};
+const createRedirect = (params) => {
+  const { redirectAdapter, signInUrl, signUpUrl, baseUrl } = params;
+  const redirectToSignUp = ({ returnBackUrl } = {}) => {
+    if (!signUpUrl) {
+      throw new Error("SignUp URL is not defined");
+    }
+    const pathToSignUpUrl = `${baseUrl}/sign-up`;
+    function buildSignUpUrl(signIn) {
+      if (!signIn) {
+        return;
+      }
+      const url = new URL(signIn, baseUrl);
+      url.pathname = `${url.pathname}/create`;
+      return url.toString();
+    }
+    const targetUrl = signUpUrl || buildSignUpUrl(signInUrl) || pathToSignUpUrl;
+    return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl));
+  };
+  const redirectToSignIn = ({ returnBackUrl } = {}) => {
+    if (!signInUrl) {
+      throw new Error("SignIn URL is not defined");
+    }
+    const pathToSignInUrl = `${baseUrl}/sign-in`;
+    const targetUrl = signInUrl || pathToSignInUrl;
+    return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl));
+  };
+  return { redirectToSignUp, redirectToSignIn };
+};
+export {
+  createRedirect
+};
+//# sourceMappingURL=redirect.js.map

package/dist/esm/server/redirect.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/redirect.ts"],"sourcesContent":["\nconst buildUrl = (\n  _baseUrl: string | URL,\n  _targetUrl: string | URL,\n  _returnBackUrl?: string | URL | null,\n) => {\n  if (_baseUrl === '') {\n    return legacyBuildUrl(_targetUrl.toString(), _returnBackUrl?.toString());\n  }\n\n  const baseUrl = new URL(_baseUrl);\n  const returnBackUrl = _returnBackUrl ? new URL(_returnBackUrl, baseUrl) : undefined;\n  const res = new URL(_targetUrl, baseUrl);\n\n  if (returnBackUrl) {\n    res.searchParams.set('redirect_url', returnBackUrl.toString());\n  }\n  return res.toString();\n};\n\n\n\nconst legacyBuildUrl = (targetUrl: string, redirectUrl?: string) => {\n  let url;\n  if (!targetUrl.startsWith('http')) {\n    if (!redirectUrl || !redirectUrl.startsWith('http')) {\n      throw new Error('destination url or return back url should be an absolute path url!');\n    }\n\n    const baseURL = new URL(redirectUrl);\n    url = new URL(targetUrl, baseURL.origin);\n  } else {\n    url = new URL(targetUrl);\n  }\n\n  if (redirectUrl) {\n    url.searchParams.set('redirect_url', redirectUrl);\n  }\n\n  return url.toString();\n};\n\n\ntype RedirectAdapter<RedirectReturn> = (url: string) => RedirectReturn;\ntype RedirectToParams = { returnBackUrl?: string | URL | null };\nexport type RedirectFun<ReturnType> = (params?: RedirectToParams) => ReturnType;\n\n/**\n * @internal\n */\ntype CreateRedirect = <ReturnType>(params: {\n  redirectAdapter: RedirectAdapter<ReturnType>;\n  baseUrl: URL | string;\n  signInUrl?: URL | string;\n  signUpUrl?: URL | string;\n}) => {\n  redirectToSignIn: RedirectFun<ReturnType>;\n  redirectToSignUp: RedirectFun<ReturnType>;\n};\n\n\nexport const createRedirect: CreateRedirect = params => {\n  const { redirectAdapter, signInUrl, signUpUrl, baseUrl } = params;\n\n  const redirectToSignUp = ({ returnBackUrl }: RedirectToParams = {}) => {\n    if (!signUpUrl) {\n        throw new Error(\"SignUp URL is not defined\");\n    }\n\n    const pathToSignUpUrl = `${baseUrl}/sign-up`;\n    \n    function buildSignUpUrl(signIn: string | URL | undefined) {\n      if (!signIn) {\n        return;\n      }\n      const url = new URL(signIn, baseUrl);\n      url.pathname = `${url.pathname}/create`;\n      return url.toString();\n    }\n\n    const targetUrl = signUpUrl || buildSignUpUrl(signInUrl) || pathToSignUpUrl;\n\n\n    return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl));\n  };\n\n  const redirectToSignIn = ({ returnBackUrl }: RedirectToParams = {}) => {\n    if (!signInUrl) {\n      throw new Error(\"SignIn URL is not defined\");\n    }\n\n    const pathToSignInUrl = `${baseUrl}/sign-in`;\n    const targetUrl = signInUrl || pathToSignInUrl;\n\n    return redirectAdapter(buildUrl(baseUrl, targetUrl, returnBackUrl));\n  };\n\n  return { redirectToSignUp, redirectToSignIn };\n};"],"mappings":"AACA,MAAM,WAAW,CACf,UACA,YACA,mBACG;AACH,MAAI,aAAa,IAAI;AACnB,WAAO,eAAe,WAAW,SAAS,GAAG,gBAAgB,SAAS,CAAC;AAAA,EACzE;AAEA,QAAM,UAAU,IAAI,IAAI,QAAQ;AAChC,QAAM,gBAAgB,iBAAiB,IAAI,IAAI,gBAAgB,OAAO,IAAI;AAC1E,QAAM,MAAM,IAAI,IAAI,YAAY,OAAO;AAEvC,MAAI,eAAe;AACjB,QAAI,aAAa,IAAI,gBAAgB,cAAc,SAAS,CAAC;AAAA,EAC/D;AACA,SAAO,IAAI,SAAS;AACtB;AAIA,MAAM,iBAAiB,CAAC,WAAmB,gBAAyB;AAClE,MAAI;AACJ,MAAI,CAAC,UAAU,WAAW,MAAM,GAAG;AACjC,QAAI,CAAC,eAAe,CAAC,YAAY,WAAW,MAAM,GAAG;AACnD,YAAM,IAAI,MAAM,oEAAoE;AAAA,IACtF;AAEA,UAAM,UAAU,IAAI,IAAI,WAAW;AACnC,UAAM,IAAI,IAAI,WAAW,QAAQ,MAAM;AAAA,EACzC,OAAO;AACL,UAAM,IAAI,IAAI,SAAS;AAAA,EACzB;AAEA,MAAI,aAAa;AACf,QAAI,aAAa,IAAI,gBAAgB,WAAW;AAAA,EAClD;AAEA,SAAO,IAAI,SAAS;AACtB;AAqBO,MAAM,iBAAiC,YAAU;AACtD,QAAM,EAAE,iBAAiB,WAAW,WAAW,QAAQ,IAAI;AAE3D,QAAM,mBAAmB,CAAC,EAAE,cAAc,IAAsB,CAAC,MAAM;AACrE,QAAI,CAAC,WAAW;AACZ,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC/C;AAEA,UAAM,kBAAkB,GAAG,OAAO;AAElC,aAAS,eAAe,QAAkC;AACxD,UAAI,CAAC,QAAQ;AACX;AAAA,MACF;AACA,YAAM,MAAM,IAAI,IAAI,QAAQ,OAAO;AACnC,UAAI,WAAW,GAAG,IAAI,QAAQ;AAC9B,aAAO,IAAI,SAAS;AAAA,IACtB;AAEA,UAAM,YAAY,aAAa,eAAe,SAAS,KAAK;AAG5D,WAAO,gBAAgB,SAAS,SAAS,WAAW,aAAa,CAAC;AAAA,EACpE;AAEA,QAAM,mBAAmB,CAAC,EAAE,cAAc,IAAsB,CAAC,MAAM;AACrE,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC7C;AAEA,UAAM,kBAAkB,GAAG,OAAO;AAClC,UAAM,YAAY,aAAa;AAE/B,WAAO,gBAAgB,SAAS,SAAS,WAAW,aAAa,CAAC;AAAA,EACpE;AAEA,SAAO,EAAE,kBAAkB,iBAAiB;AAC9C;","names":[]}

package/dist/esm/server/routeMatcher.js

@@ -0,0 +1,12 @@
+import { createPathMatcher } from "@tern-secure/shared/pathMatcher";
+const createRouteMatcher = (routes) => {
+  if (typeof routes === "function") {
+    return (request) => routes(request);
+  }
+  const pathMatcher = createPathMatcher(routes);
+  return (request) => pathMatcher(request.nextUrl.pathname);
+};
+export {
+  createRouteMatcher
+};
+//# sourceMappingURL=routeMatcher.js.map

package/dist/esm/server/routeMatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/routeMatcher.ts"],"sourcesContent":["import { createPathMatcher, type WithPathPatternWildcard } from '@tern-secure/shared/pathMatcher';\nimport type { Autocomplete } from '@tern-secure/types';\nimport type Link from 'next/link';\nimport type { NextRequest } from 'next/server';\n\ntype NextTypedRoute<T = Parameters<typeof Link>['0']['href']> = T extends string ? T : never;\ntype RouteMatcherWithNextTypedRoutes = Autocomplete<\n  WithPathPatternWildcard<NextTypedRoute> | NextTypedRoute\n>;\n\nexport type RouteMatcherParams =\n  | Array<RegExp | RouteMatcherWithNextTypedRoutes>\n  | RouteMatcherWithNextTypedRoutes\n  | RegExp\n  | ((req: NextRequest) => boolean);\n/**\n * Create a route matcher function for public paths\n */\nexport const createRouteMatcher = (routes: RouteMatcherParams) => {\n  if (typeof routes === 'function') {\n    return (request: NextRequest) => routes(request);\n  }\n\n  const pathMatcher = createPathMatcher(routes);\n  return (request: NextRequest) => pathMatcher(request.nextUrl.pathname);\n};\n"],"mappings":"AAAA,SAAS,yBAAuD;AAkBzD,MAAM,qBAAqB,CAAC,WAA+B;AAChE,MAAI,OAAO,WAAW,YAAY;AAChC,WAAO,CAAC,YAAyB,OAAO,OAAO;AAAA,EACjD;AAEA,QAAM,cAAc,kBAAkB,MAAM;AAC5C,SAAO,CAAC,YAAyB,YAAY,QAAQ,QAAQ,QAAQ;AACvE;","names":[]}

package/dist/esm/server/sdk-versions.js

@@ -0,0 +1,8 @@
+import nextPkg from "next/package.json";
+const isNext13 = nextPkg.version.startsWith("13.");
+const isNextWithUnstableServerActions = isNext13 || nextPkg.version.startsWith("14.0");
+export {
+  isNext13,
+  isNextWithUnstableServerActions
+};
+//# sourceMappingURL=sdk-versions.js.map

package/dist/esm/server/sdk-versions.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/sdk-versions.ts"],"sourcesContent":["import nextPkg from 'next/package.json';\n\nconst isNext13 = nextPkg.version.startsWith('13.');\n\n/**\n * Those versions are affected by a bundling issue that will break the application if `node:fs` is used inside a server function.\n * The affected versions are >=next@13.5.4 and <=next@14.0.4\n */\nconst isNextWithUnstableServerActions = isNext13 || nextPkg.version.startsWith('14.0');\n\nexport { isNext13, isNextWithUnstableServerActions };\n"],"mappings":"AAAA,OAAO,aAAa;AAEpB,MAAM,WAAW,QAAQ,QAAQ,WAAW,KAAK;AAMjD,MAAM,kCAAkC,YAAY,QAAQ,QAAQ,WAAW,MAAM;","names":[]}

package/dist/esm/server/session-store.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/session-store.ts"],"sourcesContent":["import { cache } from \"react\"\r\nimport type { User } from \"./types\"\r\n\r\n/**\r\n * Simple in-memory session store\r\n * In a real app, this would be backed by Redis/etc\r\n */\r\nclass SessionStore {\r\n  private static instance: SessionStore\r\n  private sessions: Map<string, User>\r\n  private currentSessionId: string | null = null\r\n\r\n  private constructor() {\r\n    this.sessions = new Map()\r\n  }\r\n\r\n  static getInstance(): SessionStore {\r\n    if (!SessionStore.instance) {\r\n      SessionStore.instance = new SessionStore()\r\n    }\r\n    return SessionStore.instance\r\n  }\r\n\r\n  setUser(sessionId: string, user: User) {\r\n    console.log(\"SessionStore: Setting user:\", { sessionId, user })\r\n    this.sessions.set(sessionId, user)\r\n    this.currentSessionId = sessionId\r\n  }\r\n\r\n  getUser(sessionId: string): User | null {\r\n    return this.sessions.get(sessionId) || null\r\n  }\r\n\r\n  getCurrentUser(): User | null {\r\n    if (!this.currentSessionId) return null\r\n    return this.sessions.get(this.currentSessionId) || null\r\n  }\r\n\r\n  removeUser(sessionId: string) {\r\n    this.sessions.delete(sessionId)\r\n  }\r\n\r\n  clear() {\r\n    this.sessions.clear()\r\n  }\r\n\r\n  debug() {\r\n    return {\r\n      sessionsCount: this.sessions.size,\r\n      currentSessionId: this.currentSessionId,\r\n      sessions: Array.from(this.sessions.entries())\r\n    }\r\n}\r\n}\r\n\r\n// Export singleton instance\r\nexport const sessionStore = SessionStore.getInstance()\r\n\r\n/**\r\n * Cached function to get user from session store\r\n * Uses React cache for SSR optimization\r\n */\r\nexport const getVerifiedUser = cache((sessionId: string): User | null => {\r\n  return sessionStore.getUser(sessionId)\r\n})\r\n\r\n"],"mappings":"AAAA,SAAS,aAAa;AAOtB,MAAM,aAAa;AAAA,EACjB,OAAe;AAAA,EACP;AAAA,EACA,mBAAkC;AAAA,EAElC,cAAc;AACpB,SAAK,WAAW,oBAAI,IAAI;AAAA,EAC1B;AAAA,EAEA,OAAO,cAA4B;AACjC,QAAI,CAAC,aAAa,UAAU;AAC1B,mBAAa,WAAW,IAAI,aAAa;AAAA,IAC3C;AACA,WAAO,aAAa;AAAA,EACtB;AAAA,EAEA,QAAQ,WAAmB,MAAY;AACrC,YAAQ,IAAI,+BAA+B,EAAE,WAAW,KAAK,CAAC;AAC9D,SAAK,SAAS,IAAI,WAAW,IAAI;AACjC,SAAK,mBAAmB;AAAA,EAC1B;AAAA,EAEA,QAAQ,WAAgC;AACtC,WAAO,KAAK,SAAS,IAAI,SAAS,KAAK;AAAA,EACzC;AAAA,EAEA,iBAA8B;AAC5B,QAAI,CAAC,KAAK,iBAAkB,QAAO;AACnC,WAAO,KAAK,SAAS,IAAI,KAAK,gBAAgB,KAAK;AAAA,EACrD;AAAA,EAEA,WAAW,WAAmB;AAC5B,SAAK,SAAS,OAAO,SAAS;AAAA,EAChC;AAAA,EAEA,QAAQ;AACN,SAAK,SAAS,MAAM;AAAA,EACtB;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,eAAe,KAAK,SAAS;AAAA,MAC7B,kBAAkB,KAAK;AAAA,MACvB,UAAU,MAAM,KAAK,KAAK,SAAS,QAAQ,CAAC;AAAA,IAC9C;AAAA,EACJ;AACA;AAGO,MAAM,eAAe,aAAa,YAAY;AAM9C,MAAM,kBAAkB,MAAM,CAAC,cAAmC;AACvE,SAAO,aAAa,QAAQ,SAAS;AACvC,CAAC;","names":[]}
+{"version":3,"sources":["../../../src/server/session-store.ts"],"sourcesContent":["import { cache } from \"react\"\r\n\r\nimport type { User } from \"./types\"\r\n\r\n/**\r\n * Simple in-memory session store\r\n * In a real app, this would be backed by Redis/etc\r\n */\r\nclass SessionStore {\r\n  private static instance: SessionStore\r\n  private sessions: Map<string, User>\r\n  private currentSessionId: string | null = null\r\n\r\n  private constructor() {\r\n    this.sessions = new Map()\r\n  }\r\n\r\n  static getInstance(): SessionStore {\r\n    if (!SessionStore.instance) {\r\n      SessionStore.instance = new SessionStore()\r\n    }\r\n    return SessionStore.instance\r\n  }\r\n\r\n  setUser(sessionId: string, user: User) {\r\n    console.log(\"SessionStore: Setting user:\", { sessionId, user })\r\n    this.sessions.set(sessionId, user)\r\n    this.currentSessionId = sessionId\r\n  }\r\n\r\n  getUser(sessionId: string): User | null {\r\n    return this.sessions.get(sessionId) || null\r\n  }\r\n\r\n  getCurrentUser(): User | null {\r\n    if (!this.currentSessionId) return null\r\n    return this.sessions.get(this.currentSessionId) || null\r\n  }\r\n\r\n  removeUser(sessionId: string) {\r\n    this.sessions.delete(sessionId)\r\n  }\r\n\r\n  clear() {\r\n    this.sessions.clear()\r\n  }\r\n\r\n  debug() {\r\n    return {\r\n      sessionsCount: this.sessions.size,\r\n      currentSessionId: this.currentSessionId,\r\n      sessions: Array.from(this.sessions.entries())\r\n    }\r\n}\r\n}\r\n\r\n// Export singleton instance\r\nexport const sessionStore = SessionStore.getInstance()\r\n\r\n/**\r\n * Cached function to get user from session store\r\n * Uses React cache for SSR optimization\r\n */\r\nexport const getVerifiedUser = cache((sessionId: string): User | null => {\r\n  return sessionStore.getUser(sessionId)\r\n})\r\n\r\n"],"mappings":"AAAA,SAAS,aAAa;AAQtB,MAAM,aAAa;AAAA,EACjB,OAAe;AAAA,EACP;AAAA,EACA,mBAAkC;AAAA,EAElC,cAAc;AACpB,SAAK,WAAW,oBAAI,IAAI;AAAA,EAC1B;AAAA,EAEA,OAAO,cAA4B;AACjC,QAAI,CAAC,aAAa,UAAU;AAC1B,mBAAa,WAAW,IAAI,aAAa;AAAA,IAC3C;AACA,WAAO,aAAa;AAAA,EACtB;AAAA,EAEA,QAAQ,WAAmB,MAAY;AACrC,YAAQ,IAAI,+BAA+B,EAAE,WAAW,KAAK,CAAC;AAC9D,SAAK,SAAS,IAAI,WAAW,IAAI;AACjC,SAAK,mBAAmB;AAAA,EAC1B;AAAA,EAEA,QAAQ,WAAgC;AACtC,WAAO,KAAK,SAAS,IAAI,SAAS,KAAK;AAAA,EACzC;AAAA,EAEA,iBAA8B;AAC5B,QAAI,CAAC,KAAK,iBAAkB,QAAO;AACnC,WAAO,KAAK,SAAS,IAAI,KAAK,gBAAgB,KAAK;AAAA,EACrD;AAAA,EAEA,WAAW,WAAmB;AAC5B,SAAK,SAAS,OAAO,SAAS;AAAA,EAChC;AAAA,EAEA,QAAQ;AACN,SAAK,SAAS,MAAM;AAAA,EACtB;AAAA,EAEA,QAAQ;AACN,WAAO;AAAA,MACL,eAAe,KAAK,SAAS;AAAA,MAC7B,kBAAkB,KAAK;AAAA,MACvB,UAAU,MAAM,KAAK,KAAK,SAAS,QAAQ,CAAC;AAAA,IAC9C;AAAA,EACJ;AACA;AAGO,MAAM,eAAe,aAAa,YAAY;AAM9C,MAAM,kBAAkB,MAAM,CAAC,cAAmC;AACvE,SAAO,aAAa,QAAQ,SAAS;AACvC,CAAC;","names":[]}

package/dist/esm/server/ternSecureEdgeMiddleware.js

@@ -0,0 +1,286 @@
+import {
+  constants,
+  createBackendInstanceClient,
+  createTernSecureRequest,
+  enableDebugLogging
+} from "@tern-secure/backend";
+import { notFound as nextjsNotFound } from "next/navigation";
+import { NextResponse } from "next/server";
+import { isRedirect, setHeader } from "../utils/response";
+import { serverRedirectWithAuth } from "../utils/serverRedirectAuth";
+import { createEdgeCompatibleLogger } from "../utils/withLogger";
+import { API_URL, API_VERSION, SIGN_IN_URL, SIGN_UP_URL } from "./constant";
+import {
+  isNextjsNotFoundError,
+  isNextjsRedirectError,
+  isRedirectToSignInError,
+  isRedirectToSignUpError,
+  nextjsRedirectError,
+  redirectToSignInError,
+  redirectToSignUpError
+} from "./nextErrors";
+import { createProtect } from "./protect";
+import { createRedirect } from "./redirect";
+import { decorateRequest } from "./utils";
+const backendClientDefaultOptions = {
+  apiUrl: API_URL,
+  apiVersion: API_VERSION
+};
+const ternSecureBackendClient = async () => {
+  return createBackendClientWithOptions({});
+};
+const createBackendClientWithOptions = (options) => {
+  return createBackendInstanceClient({
+    ...backendClientDefaultOptions,
+    ...options
+  });
+};
+const ternSecureMiddleware = (...args) => {
+  const [request, event] = parseRequestAndEvent(args);
+  const [handler, params] = parseHandlerAndOptions(args);
+  const middleware = () => {
+    const withAuthNextMiddleware = async (request2, event2) => {
+      const resolvedParams = typeof params === "function" ? await params(request2) : params;
+      const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;
+      const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;
+      const options = {
+        signInUrl,
+        signUpUrl,
+        ...resolvedParams
+      };
+      const logger = createEdgeCompatibleLogger(options.debug);
+      if (options.debug) {
+        enableDebugLogging();
+      }
+      const reqBackendClient = await ternSecureBackendClient();
+      const ternSecureRequest = createTernSecureRequest(request2);
+      const requestStateClient = await reqBackendClient.authenticateRequest(
+        ternSecureRequest,
+        options
+      );
+      const authObjectClient = requestStateClient.auth();
+      const { redirectToSignIn } = createMiddlewareRedirects(ternSecureRequest);
+      const { redirectToSignUp } = createMiddlewareRedirects(ternSecureRequest);
+      const protect = await createMiddlewareProtect(
+        ternSecureRequest,
+        authObjectClient,
+        redirectToSignIn
+      );
+      const authObj = Object.assign(authObjectClient, {
+        redirectToSignIn,
+        redirectToSignUp
+      });
+      const authHandler = () => Promise.resolve(authObj);
+      authHandler.protect = protect;
+      let handlerResult = NextResponse.next();
+      try {
+        const userHandlerResult = await handler?.(authHandler, request2, event2);
+        handlerResult = userHandlerResult || handlerResult;
+      } catch (error) {
+        handlerResult = handleControlError(error, ternSecureRequest, request2);
+      }
+      if (requestStateClient.headers) {
+        requestStateClient.headers.forEach((value, key) => {
+          handlerResult.headers.append(key, value);
+        });
+      }
+      if (isRedirect(handlerResult)) {
+        return serverRedirectWithAuth(ternSecureRequest, handlerResult);
+      }
+      decorateRequest(ternSecureRequest, handlerResult, requestStateClient);
+      return handlerResult;
+    };
+    const fireNextMiddleware = async (request2) => {
+      console.log("[TernSecureMiddleware] Firebase Request URL:", request2.url);
+      if (isFirebaseCookieRequest(request2)) {
+        const options = typeof params === "function" ? await params(request2) : params;
+        rewriteFirebaseRequest(options, request2);
+        return handleFirebaseAuthRequest(request2);
+      }
+    };
+    const nextMiddleware = async (request2, event2) => {
+      if (isFirebaseRequest(request2)) {
+        return fireNextMiddleware(request2, event2);
+      }
+      return withAuthNextMiddleware(request2, event2);
+    };
+    if (request && event) {
+      return nextMiddleware(request, event);
+    }
+    return nextMiddleware;
+  };
+  return middleware();
+};
+const parseRequestAndEvent = (args) => {
+  return [
+    args[0] instanceof Request ? args[0] : void 0,
+    args[0] instanceof Request ? args[1] : void 0
+  ];
+};
+const parseHandlerAndOptions = (args) => {
+  return [
+    typeof args[0] === "function" ? args[0] : void 0,
+    (args.length === 2 ? args[1] : typeof args[0] === "function" ? {} : args[0]) || {}
+  ];
+};
+const isFirebaseRequest = (request) => request.nextUrl.pathname.startsWith("/__/");
+const rewriteFirebaseRequest = (options, request) => {
+  const newUrl = new URL(request.url);
+  newUrl.host = options.firebaseOptions?.authDomain || "";
+  newUrl.port = "";
+  return NextResponse.rewrite(newUrl);
+};
+const finalTarget = (request) => {
+  const finalTargetUrl = request.nextUrl.searchParams.get("finalTarget");
+  return finalTargetUrl ? new URL(finalTargetUrl, request.url) : void 0;
+};
+const isFirebaseCookieRequest = (request) => request.nextUrl.pathname === "/__cookies__";
+const createMiddlewareRedirects = (ternSecureRequest) => {
+  const redirectToSignIn = (opts = {}) => {
+    const url = ternSecureRequest.ternUrl.toString();
+    redirectToSignInError(url, opts.returnBackUrl);
+  };
+  const redirectToSignUp = (opts = {}) => {
+    const url = ternSecureRequest.ternUrl.toString();
+    redirectToSignUpError(url, opts.returnBackUrl);
+  };
+  return { redirectToSignIn, redirectToSignUp };
+};
+const createMiddlewareProtect = (ternSecureRequest, authObject, redirectToSignIn) => {
+  return async (params, options) => {
+    const notFound = () => nextjsNotFound();
+    const redirect = (url) => nextjsRedirectError(url, {
+      redirectUrl: url
+    });
+    return createProtect({
+      request: ternSecureRequest,
+      redirect,
+      notFound,
+      authObject,
+      redirectToSignIn
+    })(params, options);
+  };
+};
+const redirectAdapter = (url) => {
+  return NextResponse.redirect(url, {
+    headers: { [constants.Headers.TernSecureRedirectTo]: "true" }
+  });
+};
+const handleControlError = (error, ternSecureRequest, nextrequest) => {
+  if (isNextjsNotFoundError(error)) {
+    return setHeader(
+      NextResponse.rewrite(new URL(`/tern_${Date.now()}`, nextrequest.url)),
+      constants.Headers.AuthReason,
+      "protect-rewrite"
+    );
+  }
+  const isRedirectToSignIn = isRedirectToSignInError(error);
+  const isRedirectToSignUp = isRedirectToSignUpError(error);
+  if (isRedirectToSignIn || isRedirectToSignUp) {
+    const redirect = createRedirect({
+      redirectAdapter,
+      baseUrl: ternSecureRequest.ternUrl,
+      signInUrl: SIGN_IN_URL,
+      signUpUrl: SIGN_UP_URL
+    });
+    const { returnBackUrl } = error;
+    return redirect[isRedirectToSignIn ? "redirectToSignIn" : "redirectToSignUp"]({
+      returnBackUrl
+    });
+  }
+  if (isNextjsRedirectError(error)) {
+    return redirectAdapter(error.redirectUrl);
+  }
+  throw error;
+};
+const handleFirebaseAuthRequest = async (request) => {
+  console.log("Checking for __cookies__ path");
+  const isDevMode = process.env.NODE_ENV === "development";
+  const ID_TOKEN_COOKIE_NAME = isDevMode ? `__dev_FIREBASE_[DEFAULT]` : `__HOST-FIREBASE_[DEFAULT]`;
+  const REFRESH_TOKEN_COOKIE_NAME = isDevMode ? "__dev_FIREBASEID_[DEFAULT]" : `__HOST-FIREBASEID_[DEFAULT]`;
+  const ID_TOKEN_COOKIE = {
+    path: "/",
+    secure: !isDevMode,
+    sameSite: "strict",
+    partitioned: true,
+    name: ID_TOKEN_COOKIE_NAME,
+    maxAge: 3456e4,
+    priority: "high"
+  };
+  const REFRESH_TOKEN_COOKIE = {
+    ...ID_TOKEN_COOKIE,
+    httpOnly: true,
+    name: REFRESH_TOKEN_COOKIE_NAME
+  };
+  if (request.nextUrl.pathname === "/__cookies__") {
+    console.log("Handling /__cookies__ request");
+    const method = request.method;
+    if (method === "DELETE") {
+      const response2 = new NextResponse("");
+      response2.cookies.delete({ ...ID_TOKEN_COOKIE, maxAge: 0 });
+      response2.cookies.delete({ ...REFRESH_TOKEN_COOKIE, maxAge: 0 });
+      return response2;
+    }
+    const headers = {};
+    const headerNames = [
+      "content-type",
+      "X-Firebase-Client",
+      "X-Firebase-gmpid",
+      "X-Firebase-AppCheck",
+      "X-Client-Version"
+    ];
+    headerNames.forEach((headerName) => {
+      const headerValue = request.headers.get(headerName);
+      if (headerValue) {
+        headers[headerName] = headerValue;
+      }
+    });
+    const finalTargetParam = request.nextUrl.searchParams.get("finalTarget");
+    const url = new URL(finalTargetParam || "");
+    let body = request.body;
+    const isTokenRequest = !!url.pathname.match(/^(\/securetoken\.googleapis\.com)?\/v1\/token/);
+    const isSignInRequest = !!url.pathname.match(
+      /^(\/identitytoolkit\.googleapis\.com)?\/v1\/accounts:signInWith/
+    );
+    if (!isTokenRequest && !isSignInRequest)
+      throw new Error("Could not determine the request type to proxy");
+    if (isTokenRequest) {
+      body = await request.text();
+      const bodyParams = new URLSearchParams(body.trim());
+      if (bodyParams.has("refresh_token")) {
+        const refreshToken2 = request.cookies.get(REFRESH_TOKEN_COOKIE.name)?.value;
+        if (refreshToken2) {
+          bodyParams.set("refresh_token", refreshToken2);
+          body = bodyParams.toString();
+        }
+      }
+    }
+    const response = await fetch(url, { method, body, headers });
+    const json = await response.json();
+    if (!response.ok) {
+      return NextResponse.json(json, { status: response.status, statusText: response.statusText });
+    }
+    let refreshToken, idToken, maxAge;
+    if (isSignInRequest) {
+      refreshToken = json.refreshToken;
+      idToken = json.idToken;
+      maxAge = json.expiresIn;
+      json.refreshToken = "REDACTED";
+    } else {
+      refreshToken = json.refresh_token;
+      idToken = json.id_token;
+      maxAge = json.expires_in;
+      json.refresh_token = "REDACTED";
+    }
+    const nextResponse = NextResponse.json(json);
+    if (idToken) nextResponse.cookies.set({ ...ID_TOKEN_COOKIE, maxAge, value: idToken });
+    if (refreshToken) nextResponse.cookies.set({ ...REFRESH_TOKEN_COOKIE, value: refreshToken });
+    return nextResponse;
+  }
+  return null;
+};
+export {
+  redirectAdapter,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=ternSecureEdgeMiddleware.js.map

package/dist/esm/server/ternSecureEdgeMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/ternSecureEdgeMiddleware.ts"],"sourcesContent":["import type {\r\n  AuthObject,\r\n  RequestOptions,\r\n  TernSecureRequest,\r\n} from '@tern-secure/backend';\r\nimport {\r\n  constants,\r\n  createBackendInstanceClient,\r\n  createTernSecureRequest,\r\n  enableDebugLogging,\r\n} from '@tern-secure/backend';\r\nimport type {\r\n  TernSecureConfig,\r\n} from '@tern-secure/types';\r\nimport { notFound as nextjsNotFound } from 'next/navigation';\r\nimport type { NextMiddleware,NextRequest } from 'next/server';\r\nimport { NextResponse } from 'next/server';\r\n\r\nimport { isRedirect, setHeader } from '../utils/response';\r\nimport { serverRedirectWithAuth } from '../utils/serverRedirectAuth';\r\nimport { createEdgeCompatibleLogger } from '../utils/withLogger';\r\nimport { API_URL, API_VERSION,SIGN_IN_URL, SIGN_UP_URL } from './constant';\r\nimport {\r\n  isNextjsNotFoundError,\r\n  isNextjsRedirectError,\r\n  isRedirectToSignInError,\r\n  isRedirectToSignUpError,\r\n  nextjsRedirectError,\r\n  redirectToSignInError,\r\n  redirectToSignUpError,\r\n} from './nextErrors';\r\nimport { type AuthProtect,createProtect } from './protect';\r\nimport { createRedirect, type RedirectFun } from './redirect';\r\nimport type {\r\n  NextMiddlewareEvtParam,\r\n  NextMiddlewareRequestParam,\r\n  NextMiddlewareReturn,\r\n} from './types';\r\nimport { decorateRequest } from './utils';\r\n\r\nexport type MiddlewareAuthObject = AuthObject & {\r\n  redirectToSignIn: RedirectFun<Response>;\r\n  redirectToSignUp: RedirectFun<Response>;\r\n};\r\n\r\nexport interface MiddlewareAuth {\r\n  (): Promise<MiddlewareAuthObject>;\r\n\r\n  protect: AuthProtect;\r\n}\r\n\r\ntype MiddlewareHandler = (\r\n  auth: MiddlewareAuth,\r\n  request: NextMiddlewareRequestParam,\r\n  event: NextMiddlewareEvtParam,\r\n) => NextMiddlewareReturn;\r\n\r\nexport interface MiddlewareOptions extends RequestOptions {\r\n  debug?: boolean;\r\n  firebaseOptions?: TernSecureConfig;\r\n}\r\ntype MiddlewareOptionsCallback = (\r\n  req: NextRequest,\r\n) => MiddlewareOptions | Promise<MiddlewareOptions>;\r\n\r\ninterface TernSecureMiddleware {\r\n  /**\r\n   * @example\r\n   * export default ternSecureMiddleware((auth, request, event) => { ... }, options);\r\n   */\r\n  (handler: MiddlewareHandler, options?: MiddlewareOptions): NextMiddleware;\r\n\r\n  /**\r\n   * @example\r\n   * export default ternSecureMiddleware((auth, request, event) => { ... }, (req) => options);\r\n   */\r\n  (handler: MiddlewareHandler, options?: MiddlewareOptionsCallback): NextMiddleware;\r\n\r\n  /**\r\n   * @example\r\n   * export default ternSecureMiddleware(options);\r\n   */\r\n  (options?: MiddlewareOptions): NextMiddleware;\r\n  /**\r\n   * @example\r\n   * export default ternSecureMiddleware;\r\n   */\r\n  (request: NextMiddlewareRequestParam, event: NextMiddlewareEvtParam): NextMiddlewareReturn;\r\n}\r\n\r\nconst backendClientDefaultOptions = {\r\n  apiUrl: API_URL,\r\n  apiVersion: API_VERSION,\r\n};\r\n\r\nconst ternSecureBackendClient = async () => {\r\n  return createBackendClientWithOptions({});\r\n};\r\n\r\nconst createBackendClientWithOptions: typeof createBackendInstanceClient = options => {\r\n  return createBackendInstanceClient({\r\n    ...backendClientDefaultOptions,\r\n    ...options,\r\n  });\r\n};\r\n\r\nexport const ternSecureMiddleware = ((\r\n  ...args: unknown[]\r\n): NextMiddleware | NextMiddlewareReturn => {\r\n  const [request, event] = parseRequestAndEvent(args);\r\n  const [handler, params] = parseHandlerAndOptions(args);\r\n\r\n  const middleware = () => {\r\n    const withAuthNextMiddleware: NextMiddleware = async (request, event) => {\r\n      const resolvedParams = typeof params === 'function' ? await params(request) : params;\r\n      const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;\r\n      const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;\r\n\r\n      const options = {\r\n        signInUrl,\r\n        signUpUrl,\r\n        ...resolvedParams,\r\n      };\r\n\r\n      const logger = createEdgeCompatibleLogger(options.debug);\r\n\r\n      if (options.debug) {\r\n        enableDebugLogging();\r\n      }\r\n\r\n      //const { authObject, headers: authHeaders } =\r\n      //  await authenticateMiddlewareRequest(request, checkRevoked, logger);\r\n\r\n      //const reqBackend = await createBackendInstanceEdge(request, checkRevoked);\r\n      const reqBackendClient = await ternSecureBackendClient();\r\n      //const requestState = reqBackend.requestState;\r\n      //const authObject = requestState.auth();\r\n      //const authHeaders = requestState.headers;\r\n\r\n      const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n      const requestStateClient = await reqBackendClient.authenticateRequest(\r\n        ternSecureRequest,\r\n        options,\r\n      );\r\n\r\n      const authObjectClient = requestStateClient.auth();\r\n\r\n      const { redirectToSignIn } = createMiddlewareRedirects(ternSecureRequest);\r\n\r\n      const { redirectToSignUp } = createMiddlewareRedirects(ternSecureRequest);\r\n\r\n      const protect = await createMiddlewareProtect(\r\n        ternSecureRequest,\r\n        authObjectClient,\r\n        redirectToSignIn,\r\n      );\r\n\r\n      const authObj: MiddlewareAuthObject = Object.assign(authObjectClient, {\r\n        redirectToSignIn,\r\n        redirectToSignUp,\r\n      });\r\n\r\n      const authHandler = () => Promise.resolve(authObj);\r\n      authHandler.protect = protect;\r\n\r\n      let handlerResult: Response = NextResponse.next();\r\n\r\n      try {\r\n        const userHandlerResult = await handler?.(authHandler, request, event);\r\n        handlerResult = userHandlerResult || handlerResult;\r\n      } catch (error: any) {\r\n        handlerResult = handleControlError(error, ternSecureRequest, request);\r\n      }\r\n\r\n      if (requestStateClient.headers) {\r\n        requestStateClient.headers.forEach((value, key) => {\r\n          handlerResult.headers.append(key, value);\r\n        });\r\n      }\r\n\r\n      if (isRedirect(handlerResult)) {\r\n        return serverRedirectWithAuth(ternSecureRequest, handlerResult);\r\n      }\r\n\r\n      decorateRequest(ternSecureRequest, handlerResult, requestStateClient);\r\n      return handlerResult;\r\n    };\r\n\r\n    const fireNextMiddleware: NextMiddleware = async (request) => {\r\n      console.log('[TernSecureMiddleware] Firebase Request URL:', request.url);\r\n      if (isFirebaseCookieRequest(request)) {\r\n        const options = typeof params === 'function' ? await params(request) : params;\r\n        rewriteFirebaseRequest(options, request);\r\n        return handleFirebaseAuthRequest(request);\r\n      }\r\n    };\r\n\r\n    const nextMiddleware: NextMiddleware = async (request, event) => {\r\n       if (isFirebaseRequest(request)) {\r\n        return fireNextMiddleware(request, event);\r\n       }\r\n      return withAuthNextMiddleware(request, event);\r\n    };\r\n\r\n    if (request && event) {\r\n      return nextMiddleware(request, event);\r\n    }\r\n\r\n    return nextMiddleware;\r\n  };\r\n  return middleware();\r\n}) as TernSecureMiddleware;\r\n\r\nconst parseRequestAndEvent = (args: unknown[]) => {\r\n  return [\r\n    args[0] instanceof Request ? args[0] : undefined,\r\n    args[0] instanceof Request ? args[1] : undefined,\r\n  ] as [NextMiddlewareRequestParam | undefined, NextMiddlewareEvtParam | undefined];\r\n};\r\n\r\nconst parseHandlerAndOptions = (args: unknown[]) => {\r\n  return [\r\n    typeof args[0] === 'function' ? args[0] : undefined,\r\n    (args.length === 2 ? args[1] : typeof args[0] === 'function' ? {} : args[0]) || {},\r\n  ] as [MiddlewareHandler | undefined, MiddlewareOptions | MiddlewareOptionsCallback];\r\n};\r\n\r\nconst isFirebaseRequest = (request: NextMiddlewareRequestParam) =>\r\n  request.nextUrl.pathname.startsWith('/__/');\r\n\r\nconst rewriteFirebaseRequest = (options: MiddlewareOptions, request: NextMiddlewareRequestParam) => {\r\n  const newUrl = new URL(request.url);\r\n  newUrl.host = options.firebaseOptions?.authDomain || '';\r\n  newUrl.port = '';\r\n  return NextResponse.rewrite(newUrl);\r\n}\r\n\r\nconst finalTarget = (request: NextMiddlewareRequestParam) => {\r\n  const finalTargetUrl = request.nextUrl.searchParams.get('finalTarget');\r\n  return finalTargetUrl ? new URL(finalTargetUrl, request.url) : undefined;\r\n};\r\n\r\nconst isFirebaseCookieRequest = (request: NextMiddlewareRequestParam) =>\r\n  request.nextUrl.pathname === '/__cookies__';\r\n\r\n/**\r\n * Create middleware redirect functions\r\n */\r\nconst createMiddlewareRedirects = (ternSecureRequest: TernSecureRequest) => {\r\n  const redirectToSignIn: MiddlewareAuthObject['redirectToSignIn'] = (opts = {}) => {\r\n    const url = ternSecureRequest.ternUrl.toString();\r\n    redirectToSignInError(url, opts.returnBackUrl);\r\n  };\r\n\r\n  const redirectToSignUp: MiddlewareAuthObject['redirectToSignUp'] = (opts = {}) => {\r\n    const url = ternSecureRequest.ternUrl.toString();\r\n    redirectToSignUpError(url, opts.returnBackUrl);\r\n  };\r\n\r\n  return { redirectToSignIn, redirectToSignUp };\r\n};\r\n\r\nconst createMiddlewareProtect = (\r\n  ternSecureRequest: TernSecureRequest,\r\n  authObject: AuthObject,\r\n  redirectToSignIn: RedirectFun<Response>,\r\n) => {\r\n  return (async (params: any, options: any) => {\r\n    const notFound = () => nextjsNotFound();\r\n\r\n    const redirect = (url: string) =>\r\n      nextjsRedirectError(url, {\r\n        redirectUrl: url,\r\n      });\r\n\r\n    return createProtect({\r\n      request: ternSecureRequest,\r\n      redirect,\r\n      notFound,\r\n      authObject,\r\n      redirectToSignIn,\r\n    })(params, options);\r\n  }) as unknown as Promise<AuthProtect>;\r\n};\r\n\r\nexport const redirectAdapter = (url: string | URL) => {\r\n  return NextResponse.redirect(url, {\r\n    headers: { [constants.Headers.TernSecureRedirectTo]: 'true' },\r\n  });\r\n};\r\n\r\n/**\r\n * Handle control flow errors in middleware\r\n */\r\nconst handleControlError = (\r\n  error: any,\r\n  ternSecureRequest: TernSecureRequest,\r\n  nextrequest: NextRequest,\r\n): Response => {\r\n  if (isNextjsNotFoundError(error)) {\r\n    return setHeader(\r\n      NextResponse.rewrite(new URL(`/tern_${Date.now()}`, nextrequest.url)),\r\n      constants.Headers.AuthReason,\r\n      'protect-rewrite',\r\n    );\r\n  }\r\n\r\n  const isRedirectToSignIn = isRedirectToSignInError(error);\r\n  const isRedirectToSignUp = isRedirectToSignUpError(error);\r\n\r\n  if (isRedirectToSignIn || isRedirectToSignUp) {\r\n    const redirect = createRedirect({\r\n      redirectAdapter,\r\n      baseUrl: ternSecureRequest.ternUrl,\r\n      signInUrl: SIGN_IN_URL,\r\n      signUpUrl: SIGN_UP_URL,\r\n    });\r\n\r\n    const { returnBackUrl } = error;\r\n\r\n    return redirect[isRedirectToSignIn ? 'redirectToSignIn' : 'redirectToSignUp']({\r\n      returnBackUrl,\r\n    });\r\n  }\r\n\r\n  if (isNextjsRedirectError(error)) {\r\n    return redirectAdapter(error.redirectUrl);\r\n  }\r\n\r\n  throw error;\r\n};\r\n\r\nconst handleFirebaseAuthRequest = async (\r\n  request: NextRequest,\r\n): Promise<NextResponse | null> => {\r\n\r\n  console.log('Checking for __cookies__ path');\r\n\r\n  const isDevMode = process.env.NODE_ENV === 'development';\r\n  const ID_TOKEN_COOKIE_NAME = isDevMode ? `__dev_FIREBASE_[DEFAULT]` : `__HOST-FIREBASE_[DEFAULT]`;\r\n  const REFRESH_TOKEN_COOKIE_NAME = isDevMode\r\n    ? '__dev_FIREBASEID_[DEFAULT]'\r\n    : `__HOST-FIREBASEID_[DEFAULT]`;\r\n  const ID_TOKEN_COOKIE = {\r\n    path: '/',\r\n    secure: !isDevMode,\r\n    sameSite: 'strict',\r\n    partitioned: true,\r\n    name: ID_TOKEN_COOKIE_NAME,\r\n    maxAge: 34560000,\r\n    priority: 'high',\r\n  } as const;\r\n  const REFRESH_TOKEN_COOKIE = {\r\n    ...ID_TOKEN_COOKIE,\r\n    httpOnly: true,\r\n    name: REFRESH_TOKEN_COOKIE_NAME,\r\n  } as const;\r\n\r\n  if (request.nextUrl.pathname === '/__cookies__') {\r\n    console.log('Handling /__cookies__ request');\r\n    const method = request.method;\r\n    if (method === 'DELETE') {\r\n      const response = new NextResponse('');\r\n      response.cookies.delete({ ...ID_TOKEN_COOKIE, maxAge: 0 });\r\n      response.cookies.delete({ ...REFRESH_TOKEN_COOKIE, maxAge: 0 });\r\n      return response;\r\n    }\r\n\r\n    const headers: Record<string, string> = {};\r\n        const headerNames = [\r\n      'content-type',\r\n      'X-Firebase-Client',\r\n      'X-Firebase-gmpid',\r\n      'X-Firebase-AppCheck',\r\n      'X-Client-Version',\r\n    ];\r\n\r\n    headerNames.forEach(headerName => {\r\n      const headerValue = request.headers.get(headerName);\r\n      if (headerValue) {\r\n        headers[headerName] = headerValue;\r\n      }\r\n    });\r\n\r\n    const finalTargetParam = request.nextUrl.searchParams.get('finalTarget');\r\n\r\n    const url = new URL(finalTargetParam || '');\r\n    let body: ReadableStream<any> | string | null = request.body;\r\n\r\n    const isTokenRequest = !!url.pathname.match(/^(\\/securetoken\\.googleapis\\.com)?\\/v1\\/token/);\r\n    const isSignInRequest = !!url.pathname.match(\r\n      /^(\\/identitytoolkit\\.googleapis\\.com)?\\/v1\\/accounts:signInWith/,\r\n    );\r\n\r\n    if (!isTokenRequest && !isSignInRequest)\r\n      throw new Error('Could not determine the request type to proxy');\r\n\r\n    if (isTokenRequest) {\r\n      body = await request.text();\r\n      const bodyParams = new URLSearchParams(body.trim());\r\n      if (bodyParams.has('refresh_token')) {\r\n        const refreshToken = request.cookies.get(REFRESH_TOKEN_COOKIE.name)?.value;\r\n        if (refreshToken) {\r\n          bodyParams.set('refresh_token', refreshToken);\r\n          body = bodyParams.toString();\r\n        }\r\n      }\r\n    }\r\n\r\n    const response = await fetch(url, { method, body, headers });\r\n    const json = await response.json();\r\n\r\n    if (!response.ok) {\r\n      return NextResponse.json(json, { status: response.status, statusText: response.statusText });\r\n    }\r\n\r\n    let refreshToken, idToken, maxAge;\r\n    if (isSignInRequest) {\r\n      refreshToken = json.refreshToken;\r\n      idToken = json.idToken;\r\n      maxAge = json.expiresIn;\r\n      json.refreshToken = 'REDACTED';\r\n    } else {\r\n      refreshToken = json.refresh_token;\r\n      idToken = json.id_token;\r\n      maxAge = json.expires_in;\r\n      json.refresh_token = 'REDACTED';\r\n    }\r\n\r\n    const nextResponse = NextResponse.json(json);\r\n    if (idToken) nextResponse.cookies.set({ ...ID_TOKEN_COOKIE, maxAge, value: idToken });\r\n    if (refreshToken) nextResponse.cookies.set({ ...REFRESH_TOKEN_COOKIE, value: refreshToken });\r\n    return nextResponse;\r\n  }\r\n  return null;\r\n};\r\n"],"mappings":"AAKA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIP,SAAS,YAAY,sBAAsB;AAE3C,SAAS,oBAAoB;AAE7B,SAAS,YAAY,iBAAiB;AACtC,SAAS,8BAA8B;AACvC,SAAS,kCAAkC;AAC3C,SAAS,SAAS,aAAY,aAAa,mBAAmB;AAC9D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAA0B,qBAAqB;AAC/C,SAAS,sBAAwC;AAMjD,SAAS,uBAAuB;AAoDhC,MAAM,8BAA8B;AAAA,EAClC,QAAQ;AAAA,EACR,YAAY;AACd;AAEA,MAAM,0BAA0B,YAAY;AAC1C,SAAO,+BAA+B,CAAC,CAAC;AAC1C;AAEA,MAAM,iCAAqE,aAAW;AACpF,SAAO,4BAA4B;AAAA,IACjC,GAAG;AAAA,IACH,GAAG;AAAA,EACL,CAAC;AACH;AAEO,MAAM,uBAAwB,IAChC,SACuC;AAC1C,QAAM,CAAC,SAAS,KAAK,IAAI,qBAAqB,IAAI;AAClD,QAAM,CAAC,SAAS,MAAM,IAAI,uBAAuB,IAAI;AAErD,QAAM,aAAa,MAAM;AACvB,UAAM,yBAAyC,OAAOA,UAASC,WAAU;AACvE,YAAM,iBAAiB,OAAO,WAAW,aAAa,MAAM,OAAOD,QAAO,IAAI;AAC9E,YAAM,YAAY,eAAe,aAAa;AAC9C,YAAM,YAAY,eAAe,aAAa;AAE9C,YAAM,UAAU;AAAA,QACd;AAAA,QACA;AAAA,QACA,GAAG;AAAA,MACL;AAEA,YAAM,SAAS,2BAA2B,QAAQ,KAAK;AAEvD,UAAI,QAAQ,OAAO;AACjB,2BAAmB;AAAA,MACrB;AAMA,YAAM,mBAAmB,MAAM,wBAAwB;AAKvD,YAAM,oBAAoB,wBAAwBA,QAAO;AAEzD,YAAM,qBAAqB,MAAM,iBAAiB;AAAA,QAChD;AAAA,QACA;AAAA,MACF;AAEA,YAAM,mBAAmB,mBAAmB,KAAK;AAEjD,YAAM,EAAE,iBAAiB,IAAI,0BAA0B,iBAAiB;AAExE,YAAM,EAAE,iBAAiB,IAAI,0BAA0B,iBAAiB;AAExE,YAAM,UAAU,MAAM;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,UAAgC,OAAO,OAAO,kBAAkB;AAAA,QACpE;AAAA,QACA;AAAA,MACF,CAAC;AAED,YAAM,cAAc,MAAM,QAAQ,QAAQ,OAAO;AACjD,kBAAY,UAAU;AAEtB,UAAI,gBAA0B,aAAa,KAAK;AAEhD,UAAI;AACF,cAAM,oBAAoB,MAAM,UAAU,aAAaA,UAASC,MAAK;AACrE,wBAAgB,qBAAqB;AAAA,MACvC,SAAS,OAAY;AACnB,wBAAgB,mBAAmB,OAAO,mBAAmBD,QAAO;AAAA,MACtE;AAEA,UAAI,mBAAmB,SAAS;AAC9B,2BAAmB,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AACjD,wBAAc,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzC,CAAC;AAAA,MACH;AAEA,UAAI,WAAW,aAAa,GAAG;AAC7B,eAAO,uBAAuB,mBAAmB,aAAa;AAAA,MAChE;AAEA,sBAAgB,mBAAmB,eAAe,kBAAkB;AACpE,aAAO;AAAA,IACT;AAEA,UAAM,qBAAqC,OAAOA,aAAY;AAC5D,cAAQ,IAAI,gDAAgDA,SAAQ,GAAG;AACvE,UAAI,wBAAwBA,QAAO,GAAG;AACpC,cAAM,UAAU,OAAO,WAAW,aAAa,MAAM,OAAOA,QAAO,IAAI;AACvE,+BAAuB,SAASA,QAAO;AACvC,eAAO,0BAA0BA,QAAO;AAAA,MAC1C;AAAA,IACF;AAEA,UAAM,iBAAiC,OAAOA,UAASC,WAAU;AAC9D,UAAI,kBAAkBD,QAAO,GAAG;AAC/B,eAAO,mBAAmBA,UAASC,MAAK;AAAA,MACzC;AACD,aAAO,uBAAuBD,UAASC,MAAK;AAAA,IAC9C;AAEA,QAAI,WAAW,OAAO;AACpB,aAAO,eAAe,SAAS,KAAK;AAAA,IACtC;AAEA,WAAO;AAAA,EACT;AACA,SAAO,WAAW;AACpB;AAEA,MAAM,uBAAuB,CAAC,SAAoB;AAChD,SAAO;AAAA,IACL,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,IACvC,KAAK,CAAC,aAAa,UAAU,KAAK,CAAC,IAAI;AAAA,EACzC;AACF;AAEA,MAAM,yBAAyB,CAAC,SAAoB;AAClD,SAAO;AAAA,IACL,OAAO,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,IAAI;AAAA,KACzC,KAAK,WAAW,IAAI,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,aAAa,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC;AAAA,EACnF;AACF;AAEA,MAAM,oBAAoB,CAAC,YACzB,QAAQ,QAAQ,SAAS,WAAW,MAAM;AAE5C,MAAM,yBAAyB,CAAC,SAA4B,YAAwC;AAClG,QAAM,SAAS,IAAI,IAAI,QAAQ,GAAG;AAClC,SAAO,OAAO,QAAQ,iBAAiB,cAAc;AACrD,SAAO,OAAO;AACd,SAAO,aAAa,QAAQ,MAAM;AACpC;AAEA,MAAM,cAAc,CAAC,YAAwC;AAC3D,QAAM,iBAAiB,QAAQ,QAAQ,aAAa,IAAI,aAAa;AACrE,SAAO,iBAAiB,IAAI,IAAI,gBAAgB,QAAQ,GAAG,IAAI;AACjE;AAEA,MAAM,0BAA0B,CAAC,YAC/B,QAAQ,QAAQ,aAAa;AAK/B,MAAM,4BAA4B,CAAC,sBAAyC;AAC1E,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,0BAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,QAAM,mBAA6D,CAAC,OAAO,CAAC,MAAM;AAChF,UAAM,MAAM,kBAAkB,QAAQ,SAAS;AAC/C,0BAAsB,KAAK,KAAK,aAAa;AAAA,EAC/C;AAEA,SAAO,EAAE,kBAAkB,iBAAiB;AAC9C;AAEA,MAAM,0BAA0B,CAC9B,mBACA,YACA,qBACG;AACH,SAAQ,OAAO,QAAa,YAAiB;AAC3C,UAAM,WAAW,MAAM,eAAe;AAEtC,UAAM,WAAW,CAAC,QAChB,oBAAoB,KAAK;AAAA,MACvB,aAAa;AAAA,IACf,CAAC;AAEH,WAAO,cAAc;AAAA,MACnB,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC,EAAE,QAAQ,OAAO;AAAA,EACpB;AACF;AAEO,MAAM,kBAAkB,CAAC,QAAsB;AACpD,SAAO,aAAa,SAAS,KAAK;AAAA,IAChC,SAAS,EAAE,CAAC,UAAU,QAAQ,oBAAoB,GAAG,OAAO;AAAA,EAC9D,CAAC;AACH;AAKA,MAAM,qBAAqB,CACzB,OACA,mBACA,gBACa;AACb,MAAI,sBAAsB,KAAK,GAAG;AAChC,WAAO;AAAA,MACL,aAAa,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,IAAI,YAAY,GAAG,CAAC;AAAA,MACpE,UAAU,QAAQ;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,qBAAqB,wBAAwB,KAAK;AACxD,QAAM,qBAAqB,wBAAwB,KAAK;AAExD,MAAI,sBAAsB,oBAAoB;AAC5C,UAAM,WAAW,eAAe;AAAA,MAC9B;AAAA,MACA,SAAS,kBAAkB;AAAA,MAC3B,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAC;AAED,UAAM,EAAE,cAAc,IAAI;AAE1B,WAAO,SAAS,qBAAqB,qBAAqB,kBAAkB,EAAE;AAAA,MAC5E;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,sBAAsB,KAAK,GAAG;AAChC,WAAO,gBAAgB,MAAM,WAAW;AAAA,EAC1C;AAEA,QAAM;AACR;AAEA,MAAM,4BAA4B,OAChC,YACiC;AAEjC,UAAQ,IAAI,+BAA+B;AAE3C,QAAM,YAAY,QAAQ,IAAI,aAAa;AAC3C,QAAM,uBAAuB,YAAY,6BAA6B;AACtE,QAAM,4BAA4B,YAC9B,+BACA;AACJ,QAAM,kBAAkB;AAAA,IACtB,MAAM;AAAA,IACN,QAAQ,CAAC;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,EACZ;AACA,QAAM,uBAAuB;AAAA,IAC3B,GAAG;AAAA,IACH,UAAU;AAAA,IACV,MAAM;AAAA,EACR;AAEA,MAAI,QAAQ,QAAQ,aAAa,gBAAgB;AAC/C,YAAQ,IAAI,+BAA+B;AAC3C,UAAM,SAAS,QAAQ;AACvB,QAAI,WAAW,UAAU;AACvB,YAAMC,YAAW,IAAI,aAAa,EAAE;AACpC,MAAAA,UAAS,QAAQ,OAAO,EAAE,GAAG,iBAAiB,QAAQ,EAAE,CAAC;AACzD,MAAAA,UAAS,QAAQ,OAAO,EAAE,GAAG,sBAAsB,QAAQ,EAAE,CAAC;AAC9D,aAAOA;AAAA,IACT;AAEA,UAAM,UAAkC,CAAC;AACrC,UAAM,cAAc;AAAA,MACtB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,gBAAY,QAAQ,gBAAc;AAChC,YAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU;AAClD,UAAI,aAAa;AACf,gBAAQ,UAAU,IAAI;AAAA,MACxB;AAAA,IACF,CAAC;AAED,UAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,aAAa;AAEvE,UAAM,MAAM,IAAI,IAAI,oBAAoB,EAAE;AAC1C,QAAI,OAA4C,QAAQ;AAExD,UAAM,iBAAiB,CAAC,CAAC,IAAI,SAAS,MAAM,+CAA+C;AAC3F,UAAM,kBAAkB,CAAC,CAAC,IAAI,SAAS;AAAA,MACrC;AAAA,IACF;AAEA,QAAI,CAAC,kBAAkB,CAAC;AACtB,YAAM,IAAI,MAAM,+CAA+C;AAEjE,QAAI,gBAAgB;AAClB,aAAO,MAAM,QAAQ,KAAK;AAC1B,YAAM,aAAa,IAAI,gBAAgB,KAAK,KAAK,CAAC;AAClD,UAAI,WAAW,IAAI,eAAe,GAAG;AACnC,cAAMC,gBAAe,QAAQ,QAAQ,IAAI,qBAAqB,IAAI,GAAG;AACrE,YAAIA,eAAc;AAChB,qBAAW,IAAI,iBAAiBA,aAAY;AAC5C,iBAAO,WAAW,SAAS;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,MAAM,KAAK,EAAE,QAAQ,MAAM,QAAQ,CAAC;AAC3D,UAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO,aAAa,KAAK,MAAM,EAAE,QAAQ,SAAS,QAAQ,YAAY,SAAS,WAAW,CAAC;AAAA,IAC7F;AAEA,QAAI,cAAc,SAAS;AAC3B,QAAI,iBAAiB;AACnB,qBAAe,KAAK;AACpB,gBAAU,KAAK;AACf,eAAS,KAAK;AACd,WAAK,eAAe;AAAA,IACtB,OAAO;AACL,qBAAe,KAAK;AACpB,gBAAU,KAAK;AACf,eAAS,KAAK;AACd,WAAK,gBAAgB;AAAA,IACvB;AAEA,UAAM,eAAe,aAAa,KAAK,IAAI;AAC3C,QAAI,QAAS,cAAa,QAAQ,IAAI,EAAE,GAAG,iBAAiB,QAAQ,OAAO,QAAQ,CAAC;AACpF,QAAI,aAAc,cAAa,QAAQ,IAAI,EAAE,GAAG,sBAAsB,OAAO,aAAa,CAAC;AAC3F,WAAO;AAAA,EACT;AACA,SAAO;AACT;","names":["request","event","response","refreshToken"]}

package/dist/esm/server/ternSecureFireMiddleware.js

@@ -0,0 +1,179 @@
+import {
+  constants,
+  createFireClient,
+  createTernSecureRequest
+} from "@tern-secure/backend";
+import { notFound as nextjsNotFound } from "next/navigation";
+import { NextResponse } from "next/server";
+import { isRedirect, setHeader } from "../utils/response";
+import { serverRedirectWithAuth } from "../utils/serverRedirectAuth";
+import { API_URL, API_VERSION, SIGN_IN_URL, SIGN_UP_URL } from "./constant";
+import {
+  isNextjsNotFoundError,
+  isNextjsRedirectError,
+  isRedirectToSignInError,
+  isRedirectToSignUpError,
+  nextjsRedirectError,
+  redirectToSignInError,
+  redirectToSignUpError
+} from "./nextErrors";
+import { createProtect } from "./protect";
+import { createRedirect } from "./redirect";
+import { decorateRequest } from "./utils";
+const backendClientDefaultOptions = {
+  apiUrl: API_URL,
+  apiVersion: API_VERSION
+};
+const ternSecureFireClient = async () => {
+  return createFireClientWithOptions({});
+};
+const createFireClientWithOptions = (options) => {
+  return createFireClient({
+    ...backendClientDefaultOptions,
+    ...options
+  });
+};
+const ternSecureMiddleware = (...args) => {
+  const [request, event] = parseRequestAndEvent(args);
+  const [handler, params] = parseHandlerAndOptions(args);
+  const middleware = () => {
+    const runMiddleware = async (request2, event2) => {
+      const resolvedParams = typeof params === "function" ? await params(request2) : params;
+      const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;
+      const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;
+      const options = {
+        signInUrl,
+        signUpUrl,
+        ...resolvedParams
+      };
+      const reqBackendClient = await ternSecureFireClient();
+      const ternSecureRequest = createTernSecureRequest(request2);
+      const requestStateClient = await reqBackendClient.authenticateRequest(
+        ternSecureRequest,
+        options
+      );
+      const authObjectClient = requestStateClient.auth();
+      const { redirectToSignIn } = createMiddlewareRedirects(ternSecureRequest);
+      const { redirectToSignUp } = createMiddlewareRedirects(ternSecureRequest);
+      const protect = await createMiddlewareProtect(
+        ternSecureRequest,
+        authObjectClient,
+        redirectToSignIn
+      );
+      const authObj = Object.assign(authObjectClient, {
+        redirectToSignIn,
+        redirectToSignUp
+      });
+      const authHandler = () => Promise.resolve(authObj);
+      authHandler.protect = protect;
+      let handlerResult = NextResponse.next();
+      try {
+        const userHandlerResult = await handler?.(authHandler, request2, event2);
+        handlerResult = userHandlerResult || handlerResult;
+      } catch (error) {
+        handlerResult = handleControlError(error, ternSecureRequest, request2);
+      }
+      if (requestStateClient.headers) {
+        requestStateClient.headers.forEach((value, key) => {
+          handlerResult.headers.append(key, value);
+        });
+      }
+      if (isRedirect(handlerResult)) {
+        return serverRedirectWithAuth(ternSecureRequest, handlerResult);
+      }
+      decorateRequest(ternSecureRequest, handlerResult, requestStateClient);
+      return handlerResult;
+    };
+    const nextMiddleware = async (request2, event2) => {
+      console.log("[TernSecureMiddleware] Request URL:", request2.url);
+      console.log("[TernSecureMiddleware] Request pathname:", request2.nextUrl.pathname);
+      return runMiddleware(request2, event2);
+    };
+    if (request && event) {
+      return nextMiddleware(request, event);
+    }
+    return nextMiddleware;
+  };
+  return middleware();
+};
+const parseRequestAndEvent = (args) => {
+  return [
+    args[0] instanceof Request ? args[0] : void 0,
+    args[0] instanceof Request ? args[1] : void 0
+  ];
+};
+const parseHandlerAndOptions = (args) => {
+  return [
+    typeof args[0] === "function" ? args[0] : void 0,
+    (args.length === 2 ? args[1] : typeof args[0] === "function" ? {} : args[0]) || {}
+  ];
+};
+const isFirebaseRequest = (request) => request.nextUrl.pathname.startsWith("/__/");
+const finalTarget = (request) => {
+  const finalTargetUrl = request.nextUrl.searchParams.get("finalTarget");
+  return finalTargetUrl ? new URL(finalTargetUrl, request.url) : void 0;
+};
+const isFirebaseCookieRequest = (request) => request.nextUrl.pathname === "/__cookies__";
+const createMiddlewareRedirects = (ternSecureRequest) => {
+  const redirectToSignIn = (opts = {}) => {
+    const url = ternSecureRequest.ternUrl.toString();
+    redirectToSignInError(url, opts.returnBackUrl);
+  };
+  const redirectToSignUp = (opts = {}) => {
+    const url = ternSecureRequest.ternUrl.toString();
+    redirectToSignUpError(url, opts.returnBackUrl);
+  };
+  return { redirectToSignIn, redirectToSignUp };
+};
+const createMiddlewareProtect = (ternSecureRequest, authObject, redirectToSignIn) => {
+  return async (params, options) => {
+    const notFound = () => nextjsNotFound();
+    const redirect = (url) => nextjsRedirectError(url, {
+      redirectUrl: url
+    });
+    return createProtect({
+      request: ternSecureRequest,
+      redirect,
+      notFound,
+      authObject,
+      redirectToSignIn
+    })(params, options);
+  };
+};
+const redirectAdapter = (url) => {
+  return NextResponse.redirect(url, {
+    headers: { [constants.Headers.TernSecureRedirectTo]: "true" }
+  });
+};
+const handleControlError = (error, ternSecureRequest, nextrequest) => {
+  if (isNextjsNotFoundError(error)) {
+    return setHeader(
+      NextResponse.rewrite(new URL(`/tern_${Date.now()}`, nextrequest.url)),
+      constants.Headers.AuthReason,
+      "protect-rewrite"
+    );
+  }
+  const isRedirectToSignIn = isRedirectToSignInError(error);
+  const isRedirectToSignUp = isRedirectToSignUpError(error);
+  if (isRedirectToSignIn || isRedirectToSignUp) {
+    const redirect = createRedirect({
+      redirectAdapter,
+      baseUrl: ternSecureRequest.ternUrl,
+      signInUrl: SIGN_IN_URL,
+      signUpUrl: SIGN_UP_URL
+    });
+    const { returnBackUrl } = error;
+    return redirect[isRedirectToSignIn ? "redirectToSignIn" : "redirectToSignUp"]({
+      returnBackUrl
+    });
+  }
+  if (isNextjsRedirectError(error)) {
+    return redirectAdapter(error.redirectUrl);
+  }
+  throw error;
+};
+export {
+  redirectAdapter,
+  ternSecureMiddleware
+};
+//# sourceMappingURL=ternSecureFireMiddleware.js.map