@tern-secure/nextjs 5.1.8 → 5.1.10

package/dist/cjs/app-router/admin/validators.js

@@ -0,0 +1,217 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var validators_exports = {};
+__export(validators_exports, {
+  CorsValidator: () => CorsValidator,
+  CsrfValidator: () => CsrfValidator,
+  RequestValidator: () => RequestValidator,
+  RouteValidator: () => RouteValidator,
+  SecurityValidator: () => SecurityValidator
+});
+module.exports = __toCommonJS(validators_exports);
+var import_server = require("next/server");
+var import_responses = require("./responses");
+class CorsValidator {
+  static async validate(request, corsOptions) {
+    const origin = request.headers.get("origin");
+    const host = request.headers.get("host");
+    if (!origin || host && origin.includes(host)) {
+      return null;
+    }
+    if (corsOptions.allowedOrigins !== "*") {
+      const isAllowed = corsOptions.allowedOrigins.some((allowedOrigin) => {
+        if (allowedOrigin.startsWith("*")) {
+          const domain = allowedOrigin.slice(1);
+          return origin?.endsWith(domain);
+        }
+        return origin === allowedOrigin;
+      });
+      if (!isAllowed) {
+        return (0, import_responses.createApiErrorResponse)("CORS_ORIGIN_NOT_ALLOWED", "Origin not allowed", 403);
+      }
+    }
+    return null;
+  }
+  static createOptionsResponse(corsOptions) {
+    const response = new import_server.NextResponse(null, { status: 204 });
+    if (corsOptions.allowedOrigins === "*") {
+      response.headers.set("Access-Control-Allow-Origin", "*");
+    } else {
+      response.headers.set("Access-Control-Allow-Origin", corsOptions.allowedOrigins.join(","));
+    }
+    response.headers.set(
+      "Access-Control-Allow-Methods",
+      corsOptions.allowedMethods?.join(",") || "GET,POST"
+    );
+    response.headers.set(
+      "Access-Control-Allow-Headers",
+      corsOptions.allowedHeaders?.join(",") || "Content-Type,Authorization"
+    );
+    if (corsOptions.allowCredentials) {
+      response.headers.set("Access-Control-Allow-Credentials", "true");
+    }
+    if (corsOptions.maxAge) {
+      response.headers.set("Access-Control-Max-Age", corsOptions.maxAge.toString());
+    }
+    return response;
+  }
+}
+class SecurityValidator {
+  static async validate(request, securityOptions) {
+    const origin = request.headers.get("origin");
+    const host = request.headers.get("host");
+    const referer = request.headers.get("referer");
+    const userAgent = request.headers.get("user-agent") || "";
+    const csrfResult = this.validateCsrf(request, securityOptions, origin, host, referer);
+    if (csrfResult) return csrfResult;
+    const headersResult = this.validateRequiredHeaders(request, securityOptions);
+    if (headersResult) return headersResult;
+    const userAgentResult = this.validateUserAgent(userAgent, securityOptions);
+    if (userAgentResult) return userAgentResult;
+    return null;
+  }
+  static validateCsrf(request, securityOptions, origin, host, referer) {
+    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {
+      const hasCSRFHeader = request.headers.get("x-requested-with") === "XMLHttpRequest";
+      const hasValidReferer = referer && host && referer.includes(host);
+      if (!hasCSRFHeader && !hasValidReferer) {
+        const isAllowedReferer = securityOptions.allowedReferers?.some(
+          (allowedRef) => referer?.includes(allowedRef)
+        );
+        if (!isAllowedReferer) {
+          return (0, import_responses.createApiErrorResponse)("CSRF_PROTECTION", "Access denied", 403);
+        }
+      }
+    }
+    return null;
+  }
+  static validateRequiredHeaders(request, securityOptions) {
+    if (securityOptions.requiredHeaders) {
+      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {
+        const actualValue = request.headers.get(headerName);
+        if (actualValue !== expectedValue) {
+          return (0, import_responses.createApiErrorResponse)(
+            "INVALID_HEADERS",
+            "Required header missing or invalid",
+            400
+          );
+        }
+      }
+    }
+    return null;
+  }
+  static validateUserAgent(userAgent, securityOptions) {
+    if (securityOptions.userAgent?.block?.length) {
+      const isBlocked = securityOptions.userAgent.block.some(
+        (blocked) => userAgent.toLowerCase().includes(blocked.toLowerCase())
+      );
+      if (isBlocked) {
+        return (0, import_responses.createApiErrorResponse)("USER_AGENT_BLOCKED", "Access denied", 403);
+      }
+    }
+    if (securityOptions.userAgent?.allow?.length) {
+      const isAllowed = securityOptions.userAgent.allow.some(
+        (allowed) => userAgent.toLowerCase().includes(allowed.toLowerCase())
+      );
+      if (!isAllowed) {
+        return (0, import_responses.createApiErrorResponse)("USER_AGENT_NOT_ALLOWED", "Access denied", 403);
+      }
+    }
+    return null;
+  }
+}
+class CsrfValidator {
+  static validate(csrfToken, csrfCookieValue) {
+    if (!csrfToken) {
+      return (0, import_responses.createApiErrorResponse)("INVALID_CSRF_TOKEN", "CSRF token is required", 400);
+    }
+    if (!csrfCookieValue) {
+      return (0, import_responses.createApiErrorResponse)("CSRF_COOKIE_MISSING", "CSRF token cookie not found", 403);
+    }
+    if (csrfToken !== csrfCookieValue) {
+      return (0, import_responses.createApiErrorResponse)("CSRF_TOKEN_MISMATCH", "CSRF token mismatch", 403);
+    }
+    return null;
+  }
+}
+class RouteValidator {
+  static validatePathStructure(pathSegments) {
+    if (pathSegments.length < 3) {
+      return (0, import_responses.createApiErrorResponse)(
+        "INVALID_ROUTE",
+        "Invalid route structure. Expected: /api/auth/{endpoint}",
+        404
+      );
+    }
+    return null;
+  }
+  static validateEndpoint(_endpoint, endpointConfig, method) {
+    if (!endpointConfig || !endpointConfig.enabled) {
+      return (0, import_responses.createApiErrorResponse)("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (method !== "OPTIONS" && !endpointConfig.methods.includes(method)) {
+      return (0, import_responses.createApiErrorResponse)("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+  static validateSubEndpoint(subEndpoint, subEndpointConfig, method) {
+    if (!subEndpoint) {
+      return (0, import_responses.createApiErrorResponse)("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
+    }
+    if (!subEndpointConfig || !subEndpointConfig.enabled) {
+      return (0, import_responses.createApiErrorResponse)("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (!subEndpointConfig.methods?.includes(method)) {
+      return (0, import_responses.createApiErrorResponse)("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+}
+class RequestValidator {
+  static async validateSessionRequest(request) {
+    try {
+      const body = await request.json();
+      return { body, idToken: body.idToken, csrfToken: body.csrfToken };
+    } catch (error) {
+      return {
+        body: null,
+        error: (0, import_responses.createApiErrorResponse)("INVALID_REQUEST_FORMAT", "Invalid request format", 400)
+      };
+    }
+  }
+  static validateIdToken(idToken) {
+    if (!idToken) {
+      return (0, import_responses.createApiErrorResponse)(
+        "INVALID_TOKEN",
+        "ID token is required for creating session",
+        400
+      );
+    }
+    return null;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CorsValidator,
+  CsrfValidator,
+  RequestValidator,
+  RouteValidator,
+  SecurityValidator
+});
+//# sourceMappingURL=validators.js.map

package/dist/cjs/app-router/admin/validators.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/validators.ts"],"sourcesContent":["import type { NextRequest} from 'next/server';\nimport { NextResponse } from 'next/server';\n\nimport { createApiErrorResponse } from './responses';\nimport type { AuthEndpoint, CorsOptions, SecurityOptions, SessionSubEndpoint } from './types';\n\n/**\n * CORS validation utilities\n */\nexport class CorsValidator {\n  static async validate(\n    request: NextRequest,\n    corsOptions: CorsOptions,\n  ): Promise<NextResponse | null> {\n    const origin = request.headers.get('origin');\n    const host = request.headers.get('host');\n\n    // Skip CORS for same-origin requests\n    if (!origin || (host && origin.includes(host))) {\n      return null;\n    }\n\n    if (corsOptions.allowedOrigins !== '*') {\n      const isAllowed = corsOptions.allowedOrigins.some(allowedOrigin => {\n        if (allowedOrigin.startsWith('*')) {\n          const domain = allowedOrigin.slice(1);\n          return origin?.endsWith(domain);\n        }\n        return origin === allowedOrigin;\n      });\n\n      if (!isAllowed) {\n        return createApiErrorResponse('CORS_ORIGIN_NOT_ALLOWED', 'Origin not allowed', 403);\n      }\n    }\n\n    return null;\n  }\n\n  static createOptionsResponse(corsOptions: CorsOptions): NextResponse {\n    const response = new NextResponse(null, { status: 204 });\n\n    if (corsOptions.allowedOrigins === '*') {\n      response.headers.set('Access-Control-Allow-Origin', '*');\n    } else {\n      response.headers.set('Access-Control-Allow-Origin', corsOptions.allowedOrigins.join(','));\n    }\n\n    response.headers.set(\n      'Access-Control-Allow-Methods',\n      corsOptions.allowedMethods?.join(',') || 'GET,POST',\n    );\n    response.headers.set(\n      'Access-Control-Allow-Headers',\n      corsOptions.allowedHeaders?.join(',') || 'Content-Type,Authorization',\n    );\n\n    if (corsOptions.allowCredentials) {\n      response.headers.set('Access-Control-Allow-Credentials', 'true');\n    }\n\n    if (corsOptions.maxAge) {\n      response.headers.set('Access-Control-Max-Age', corsOptions.maxAge.toString());\n    }\n\n    return response;\n  }\n}\n\n/**\n * Security validation utilities\n */\nexport class SecurityValidator {\n  static async validate(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n  ): Promise<NextResponse | null> {\n    const origin = request.headers.get('origin');\n    const host = request.headers.get('host');\n    const referer = request.headers.get('referer');\n    const userAgent = request.headers.get('user-agent') || '';\n\n    // CSRF Protection for cross-origin requests\n    const csrfResult = this.validateCsrf(request, securityOptions, origin, host, referer);\n    if (csrfResult) return csrfResult;\n\n    // Required headers validation\n    const headersResult = this.validateRequiredHeaders(request, securityOptions);\n    if (headersResult) return headersResult;\n\n    // User Agent filtering\n    const userAgentResult = this.validateUserAgent(userAgent, securityOptions);\n    if (userAgentResult) return userAgentResult;\n\n    return null;\n  }\n\n  private static validateCsrf(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n    origin: string | null,\n    host: string | null,\n    referer: string | null,\n  ): NextResponse | null {\n    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {\n      const hasCSRFHeader = request.headers.get('x-requested-with') === 'XMLHttpRequest';\n      const hasValidReferer = referer && host && referer.includes(host);\n\n      if (!hasCSRFHeader && !hasValidReferer) {\n        const isAllowedReferer = securityOptions.allowedReferers?.some((allowedRef: string) =>\n          referer?.includes(allowedRef),\n        );\n\n        if (!isAllowedReferer) {\n          return createApiErrorResponse('CSRF_PROTECTION', 'Access denied', 403);\n        }\n      }\n    }\n    return null;\n  }\n\n  private static validateRequiredHeaders(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n  ): NextResponse | null {\n    if (securityOptions.requiredHeaders) {\n      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {\n        const actualValue = request.headers.get(headerName);\n        if (actualValue !== expectedValue) {\n          return createApiErrorResponse(\n            'INVALID_HEADERS',\n            'Required header missing or invalid',\n            400,\n          );\n        }\n      }\n    }\n    return null;\n  }\n\n  private static validateUserAgent(\n    userAgent: string,\n    securityOptions: SecurityOptions,\n  ): NextResponse | null {\n    // User Agent blocking\n    if (securityOptions.userAgent?.block?.length) {\n      const isBlocked = securityOptions.userAgent.block.some((blocked: string) =>\n        userAgent.toLowerCase().includes(blocked.toLowerCase()),\n      );\n\n      if (isBlocked) {\n        return createApiErrorResponse('USER_AGENT_BLOCKED', 'Access denied', 403);\n      }\n    }\n\n    // User Agent allowlist\n    if (securityOptions.userAgent?.allow?.length) {\n      const isAllowed = securityOptions.userAgent.allow.some((allowed: string) =>\n        userAgent.toLowerCase().includes(allowed.toLowerCase()),\n      );\n\n      if (!isAllowed) {\n        return createApiErrorResponse('USER_AGENT_NOT_ALLOWED', 'Access denied', 403);\n      }\n    }\n\n    return null;\n  }\n}\n\n/**\n * CSRF token validation utilities\n */\nexport class CsrfValidator {\n  static validate(csrfToken: string, csrfCookieValue: string | undefined): NextResponse | null {\n    if (!csrfToken) {\n      return createApiErrorResponse('INVALID_CSRF_TOKEN', 'CSRF token is required', 400);\n    }\n\n    if (!csrfCookieValue) {\n      return createApiErrorResponse('CSRF_COOKIE_MISSING', 'CSRF token cookie not found', 403);\n    }\n\n    if (csrfToken !== csrfCookieValue) {\n      return createApiErrorResponse('CSRF_TOKEN_MISMATCH', 'CSRF token mismatch', 403);\n    }\n\n    return null;\n  }\n}\n\n/**\n * Route validation utilities\n */\nexport class RouteValidator {\n  static validatePathStructure(pathSegments: string[]): NextResponse | null {\n    if (pathSegments.length < 3) {\n      return createApiErrorResponse(\n        'INVALID_ROUTE',\n        'Invalid route structure. Expected: /api/auth/{endpoint}',\n        404,\n      );\n    }\n    return null;\n  }\n\n  static validateEndpoint(\n    _endpoint: AuthEndpoint,\n    endpointConfig: any,\n    method: string,\n  ): NextResponse | null {\n    if (!endpointConfig || !endpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (method !== 'OPTIONS' && !endpointConfig.methods.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n\n  static validateSubEndpoint(\n    subEndpoint: SessionSubEndpoint | undefined,\n    subEndpointConfig: any,\n    method: string,\n  ): NextResponse | null {\n    if (!subEndpoint) {\n      return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n    }\n\n    if (!subEndpointConfig || !subEndpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (!subEndpointConfig.methods?.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n}\n\n/**\n * Request body validation utilities\n */\nexport class RequestValidator {\n  static async validateSessionRequest(request: NextRequest): Promise<{\n    body: any;\n    idToken?: string;\n    csrfToken?: string;\n    error?: NextResponse;\n  }> {\n    try {\n      const body = await request.json();\n      return { body, idToken: body.idToken, csrfToken: body.csrfToken };\n    } catch (error) {\n      return {\n        body: null,\n        error: createApiErrorResponse('INVALID_REQUEST_FORMAT', 'Invalid request format', 400),\n      };\n    }\n  }\n\n  static validateIdToken(idToken: string | undefined): NextResponse | null {\n    if (!idToken) {\n      return createApiErrorResponse(\n        'INVALID_TOKEN',\n        'ID token is required for creating session',\n        400,\n      );\n    }\n    return null;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,oBAA6B;AAE7B,uBAAuC;AAMhC,MAAM,cAAc;AAAA,EACzB,aAAa,SACX,SACA,aAC8B;AAC9B,UAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAC3C,UAAM,OAAO,QAAQ,QAAQ,IAAI,MAAM;AAGvC,QAAI,CAAC,UAAW,QAAQ,OAAO,SAAS,IAAI,GAAI;AAC9C,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,mBAAmB,KAAK;AACtC,YAAM,YAAY,YAAY,eAAe,KAAK,mBAAiB;AACjE,YAAI,cAAc,WAAW,GAAG,GAAG;AACjC,gBAAM,SAAS,cAAc,MAAM,CAAC;AACpC,iBAAO,QAAQ,SAAS,MAAM;AAAA,QAChC;AACA,eAAO,WAAW;AAAA,MACpB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,2BAA2B,sBAAsB,GAAG;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,sBAAsB,aAAwC;AACnE,UAAM,WAAW,IAAI,2BAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAEvD,QAAI,YAAY,mBAAmB,KAAK;AACtC,eAAS,QAAQ,IAAI,+BAA+B,GAAG;AAAA,IACzD,OAAO;AACL,eAAS,QAAQ,IAAI,+BAA+B,YAAY,eAAe,KAAK,GAAG,CAAC;AAAA,IAC1F;AAEA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AACA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AAEA,QAAI,YAAY,kBAAkB;AAChC,eAAS,QAAQ,IAAI,oCAAoC,MAAM;AAAA,IACjE;AAEA,QAAI,YAAY,QAAQ;AACtB,eAAS,QAAQ,IAAI,0BAA0B,YAAY,OAAO,SAAS,CAAC;AAAA,IAC9E;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,kBAAkB;AAAA,EAC7B,aAAa,SACX,SACA,iBAC8B;AAC9B,UAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAC3C,UAAM,OAAO,QAAQ,QAAQ,IAAI,MAAM;AACvC,UAAM,UAAU,QAAQ,QAAQ,IAAI,SAAS;AAC7C,UAAM,YAAY,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAGvD,UAAM,aAAa,KAAK,aAAa,SAAS,iBAAiB,QAAQ,MAAM,OAAO;AACpF,QAAI,WAAY,QAAO;AAGvB,UAAM,gBAAgB,KAAK,wBAAwB,SAAS,eAAe;AAC3E,QAAI,cAAe,QAAO;AAG1B,UAAM,kBAAkB,KAAK,kBAAkB,WAAW,eAAe;AACzE,QAAI,gBAAiB,QAAO;AAE5B,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,aACb,SACA,iBACA,QACA,MACA,SACqB;AACrB,QAAI,gBAAgB,eAAe,UAAU,QAAQ,CAAC,OAAO,SAAS,IAAI,GAAG;AAC3E,YAAM,gBAAgB,QAAQ,QAAQ,IAAI,kBAAkB,MAAM;AAClE,YAAM,kBAAkB,WAAW,QAAQ,QAAQ,SAAS,IAAI;AAEhE,UAAI,CAAC,iBAAiB,CAAC,iBAAiB;AACtC,cAAM,mBAAmB,gBAAgB,iBAAiB;AAAA,UAAK,CAAC,eAC9D,SAAS,SAAS,UAAU;AAAA,QAC9B;AAEA,YAAI,CAAC,kBAAkB;AACrB,qBAAO,yCAAuB,mBAAmB,iBAAiB,GAAG;AAAA,QACvE;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,wBACb,SACA,iBACqB;AACrB,QAAI,gBAAgB,iBAAiB;AACnC,iBAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,gBAAgB,eAAe,GAAG;AACzF,cAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU;AAClD,YAAI,gBAAgB,eAAe;AACjC,qBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,kBACb,WACA,iBACqB;AAErB,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,WAAW;AACb,mBAAO,yCAAuB,sBAAsB,iBAAiB,GAAG;AAAA,MAC1E;AAAA,IACF;AAGA,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,CAAC,WAAW;AACd,mBAAO,yCAAuB,0BAA0B,iBAAiB,GAAG;AAAA,MAC9E;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,cAAc;AAAA,EACzB,OAAO,SAAS,WAAmB,iBAA0D;AAC3F,QAAI,CAAC,WAAW;AACd,iBAAO,yCAAuB,sBAAsB,0BAA0B,GAAG;AAAA,IACnF;AAEA,QAAI,CAAC,iBAAiB;AACpB,iBAAO,yCAAuB,uBAAuB,+BAA+B,GAAG;AAAA,IACzF;AAEA,QAAI,cAAc,iBAAiB;AACjC,iBAAO,yCAAuB,uBAAuB,uBAAuB,GAAG;AAAA,IACjF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,eAAe;AAAA,EAC1B,OAAO,sBAAsB,cAA6C;AACxE,QAAI,aAAa,SAAS,GAAG;AAC3B,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,iBACL,WACA,gBACA,QACqB;AACrB,QAAI,CAAC,kBAAkB,CAAC,eAAe,SAAS;AAC9C,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,WAAW,aAAa,CAAC,eAAe,QAAQ,SAAS,MAAa,GAAG;AAC3E,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,oBACL,aACA,mBACA,QACqB;AACrB,QAAI,CAAC,aAAa;AAChB,iBAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,iBAAO,yCAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,iBAAiB;AAAA,EAC5B,aAAa,uBAAuB,SAKjC;AACD,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,aAAO,EAAE,MAAM,SAAS,KAAK,SAAS,WAAW,KAAK,UAAU;AAAA,IAClE,SAAS,OAAO;AACd,aAAO;AAAA,QACL,MAAM;AAAA,QACN,WAAO,yCAAuB,0BAA0B,0BAA0B,GAAG;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAO,gBAAgB,SAAkD;AACvE,QAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/cjs/app-router/client/TernSecureProvider.js

@@ -22,16 +22,12 @@ __export(TernSecureProvider_exports, {
 });
 module.exports = __toCommonJS(TernSecureProvider_exports);
 var import_jsx_runtime = require("react/jsx-runtime");
-var import_react2 = require("@tern-secure/react");
+var import_react = require("@tern-secure/react");
 var import_allNextProviderProps = require("../../utils/allNextProviderProps");
-var import_tern_ui_script = require("../../utils/tern-ui-script");
 function TernSecureProvider(props) {
   const { children, enableServiceWorker, ...nextProps } = props;
   const providerProps = (0, import_allNextProviderProps.allNextProviderPropsWithEnv)(nextProps);
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_react2.TernSecureProvider, { ...providerProps, children: [
-    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_tern_ui_script.TernUIScript, { router: "app" }),
-    children
-  ] });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_react.TernSecureProvider, { ...providerProps, children });
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/cjs/app-router/client/TernSecureProvider.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/app-router/client/TernSecureProvider.tsx"],"sourcesContent":["import React from \"react\"\r\nimport { \r\n  TernSecureProvider as TernSecureReactProvider \r\n} from \"@tern-secure/react\"\r\nimport type { TernSecureNextProps } from \"../../types\"\r\nimport { allNextProviderPropsWithEnv } from \"../../utils/allNextProviderProps\"\r\nimport { TernUIScript } from \"../../utils/tern-ui-script\";\r\n\r\n\r\n\r\n// Loading fallback component\r\n/*function TernSecureLoadingFallback() {\r\n  return (\r\n    <div>\r\n      <span className=\"sr-only\">Loading...</span>\r\n    </div>\r\n  )\r\n}*/\r\n/**\r\n * Root Provider for TernSecure\r\n * Use this in your Next.js App Router root layout\r\n * Automatically handles client/server boundary and authentication state\r\n * \r\n * @example\r\n * /// app/layout.tsx\r\n * import { TernSecureProvider } from '@tern/secure'\r\n * \r\n * export default function RootLayout({ children }) {\r\n *   return (\r\n *     <html>\r\n *       <body>\r\n *         <TernSecureProvider>\r\n *           {children}\r\n *         </TernSecureProvider>\r\n *       </body>\r\n *     </html>\r\n *   )\r\n * }\r\n */\r\nexport function TernSecureProvider(props: React.PropsWithChildren<TernSecureNextProps>) {\r\n  const {children, enableServiceWorker, ...nextProps } = props;\r\n  const providerProps = allNextProviderPropsWithEnv(nextProps);\r\n  return (\r\n    <TernSecureReactProvider {...providerProps}>\r\n      <TernUIScript router='app' />\r\n        {children}\r\n    </TernSecureReactProvider>\r\n  )\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA2CI;AA1CJ,IAAAA,gBAEO;AAEP,kCAA4C;AAC5C,4BAA6B;AAiCtB,SAAS,mBAAmB,OAAqD;AACtF,QAAM,EAAC,UAAU,qBAAqB,GAAG,UAAU,IAAI;AACvD,QAAM,oBAAgB,yDAA4B,SAAS;AAC3D,SACE,6CAAC,cAAAC,oBAAA,EAAyB,GAAG,eAC3B;AAAA,gDAAC,sCAAa,QAAO,OAAM;AAAA,IACxB;AAAA,KACL;AAEJ;","names":["import_react","TernSecureReactProvider"]}
+{"version":3,"sources":["../../../../src/app-router/client/TernSecureProvider.tsx"],"sourcesContent":["import { \r\n  TernSecureProvider as TernSecureReactProvider \r\n} from \"@tern-secure/react\"\r\nimport React from \"react\"\r\n\r\nimport type { TernSecureNextProps } from \"../../types\"\r\nimport { allNextProviderPropsWithEnv } from \"../../utils/allNextProviderProps\"\r\n\r\n\r\n\r\n// Loading fallback component\r\n/*function TernSecureLoadingFallback() {\r\n  return (\r\n    <div>\r\n      <span className=\"sr-only\">Loading...</span>\r\n    </div>\r\n  )\r\n}*/\r\n/**\r\n * Root Provider for TernSecure\r\n * Use this in your Next.js App Router root layout\r\n * Automatically handles client/server boundary and authentication state\r\n * \r\n * @example\r\n * /// app/layout.tsx\r\n * import { TernSecureProvider } from '@tern/secure'\r\n * \r\n * export default function RootLayout({ children }) {\r\n *   return (\r\n *     <html>\r\n *       <body>\r\n *         <TernSecureProvider>\r\n *           {children}\r\n *         </TernSecureProvider>\r\n *       </body>\r\n *     </html>\r\n *   )\r\n * }\r\n */\r\nexport function TernSecureProvider(props: React.PropsWithChildren<TernSecureNextProps>) {\r\n  const {children, enableServiceWorker, ...nextProps } = props;\r\n  const providerProps = allNextProviderPropsWithEnv(nextProps);\r\n  return (\r\n    <TernSecureReactProvider {...providerProps}>\r\n        {children}\r\n    </TernSecureReactProvider>\r\n  )\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA2CI;AA3CJ,mBAEO;AAIP,kCAA4C;AAiCrC,SAAS,mBAAmB,OAAqD;AACtF,QAAM,EAAC,UAAU,qBAAqB,GAAG,UAAU,IAAI;AACvD,QAAM,oBAAgB,yDAA4B,SAAS;AAC3D,SACE,4CAAC,aAAAA,oBAAA,EAAyB,GAAG,eACxB,UACL;AAEJ;","names":["TernSecureReactProvider"]}

package/dist/cjs/app-router/server/auth.js

@@ -0,0 +1,100 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var auth_exports = {};
+__export(auth_exports, {
+  auth: () => auth
+});
+module.exports = __toCommonJS(auth_exports);
+var import_backend = require("@tern-secure/backend");
+var import_jwt = require("@tern-secure/backend/jwt");
+var import_navigation = require("next/navigation");
+var import_constant = require("../../server/constant");
+var import_headers_utils = require("../../server/headers-utils");
+var import_protect = require("../../server/protect");
+var import_redirect = require("../../server/redirect");
+var import_utils = require("./utils");
+const createAuthObject = () => {
+  return async (req) => {
+    return getAuthDataFromRequest(req);
+  };
+};
+function getAuthDataFromRequest(req) {
+  const authStatus = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthStatus");
+  const authToken = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthToken");
+  const authSignature = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthSignature");
+  const authReason = (0, import_headers_utils.getAuthKeyFromRequest)(req, "AuthReason");
+  let authObject;
+  if (!authStatus || authStatus !== import_backend.AuthStatus.SignedIn) {
+    authObject = (0, import_backend.signedOutAuthObject)();
+  } else {
+    const jwt = (0, import_jwt.ternDecodeJwt)(authToken);
+    authObject = (0, import_backend.signedInAuthObject)(jwt.raw.text, jwt.payload);
+  }
+  return authObject;
+}
+const auth = async () => {
+  require("server-only");
+  const request = await (0, import_utils.buildRequestLike)();
+  const authObject = await createAuthObject()(request);
+  const ternUrl = (0, import_headers_utils.getAuthKeyFromRequest)(request, "TernSecureUrl");
+  const createRedirectForRequest = (...args) => {
+    const { returnBackUrl } = args[0] || {};
+    const ternSecureRequest = (0, import_backend.createTernSecureRequest)(request);
+    return [
+      (0, import_redirect.createRedirect)({
+        redirectAdapter: import_navigation.redirect,
+        baseUrl: ternSecureRequest.ternUrl.toString(),
+        signInUrl: import_constant.SIGN_IN_URL,
+        signUpUrl: import_constant.SIGN_UP_URL
+      }),
+      returnBackUrl === null ? "" : returnBackUrl || ternUrl?.toString()
+    ];
+  };
+  const redirectToSignIn = (opts = {}) => {
+    const [r, returnBackUrl] = createRedirectForRequest(opts);
+    return r.redirectToSignIn({
+      returnBackUrl
+    });
+  };
+  const redirectToSignUp = (opts = {}) => {
+    const [r, returnBackUrl] = createRedirectForRequest(opts);
+    return r.redirectToSignUp({
+      returnBackUrl
+    });
+  };
+  return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });
+};
+auth.protect = async (...args) => {
+  require("server-only");
+  const request = await (0, import_utils.buildRequestLike)();
+  const authObject = await auth();
+  const protect = (0, import_protect.createProtect)({
+    request,
+    authObject,
+    redirectToSignIn: authObject.redirectToSignIn,
+    notFound: import_navigation.notFound,
+    redirect: import_navigation.redirect
+  });
+  return protect(...args);
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  auth
+});
+//# sourceMappingURL=auth.js.map

package/dist/cjs/app-router/server/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/server/auth.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\r\nimport {\r\n  AuthStatus,\r\n  createTernSecureRequest,\r\n  signedInAuthObject,\r\n  signedOutAuthObject,\r\n} from '@tern-secure/backend';\r\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\r\nimport { notFound, redirect } from 'next/navigation';\r\n\r\nimport { SIGN_IN_URL, SIGN_UP_URL } from '../../server/constant';\r\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\r\nimport { type AuthProtect,createProtect } from '../../server/protect';\r\nimport { createRedirect, type RedirectFun } from '../../server/redirect';\r\nimport type { BaseUser, RequestLike } from '../../server/types';\r\nimport { buildRequestLike } from './utils';\r\n\r\nexport interface AuthResult {\r\n  user: BaseUser | null;\r\n  error: Error | null;\r\n}\r\n\r\n/**\r\n * `Auth` object of the currently active user and the `redirectToSignIn()` method.\r\n */\r\ntype Auth = AuthObject & {\r\n  redirectToSignIn: RedirectFun<ReturnType<typeof redirect>>;\r\n  redirectToSignUp: RedirectFun<ReturnType<typeof redirect>>;\r\n};\r\n\r\nexport interface AuthFn {\r\n  (): Promise<Auth>;\r\n\r\n  protect: AuthProtect;\r\n}\r\n\r\nconst createAuthObject = () => {\r\n  return async (req: RequestLike) => {\r\n    return getAuthDataFromRequest(req);\r\n  };\r\n};\r\n\r\nfunction getAuthDataFromRequest(req: RequestLike): AuthObject {\r\n  const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');\r\n  const authToken = getAuthKeyFromRequest(req, 'AuthToken');\r\n  const authSignature = getAuthKeyFromRequest(req, 'AuthSignature');\r\n  const authReason = getAuthKeyFromRequest(req, 'AuthReason');\r\n\r\n  let authObject;\r\n  if (!authStatus || authStatus !== AuthStatus.SignedIn) {\r\n    authObject = signedOutAuthObject();\r\n  } else {\r\n    const jwt = ternDecodeJwt(authToken as string);\r\n\r\n    authObject = signedInAuthObject(jwt.raw.text, jwt.payload);\r\n  }\r\n  return authObject;\r\n}\r\n\r\n/**\r\n * Get the current authenticated user from the session or token\r\n */\r\nexport const auth: AuthFn = async () => {\r\n  // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n  require('server-only');\r\n\r\n  const request = await buildRequestLike();\r\n\r\n  const authObject = await createAuthObject()(request);\r\n\r\n  const ternUrl = getAuthKeyFromRequest(request, 'TernSecureUrl');\r\n\r\n  const createRedirectForRequest = (...args: Parameters<RedirectFun<never>>) => {\r\n    const { returnBackUrl } = args[0] || {};\r\n    const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n    return [\r\n      createRedirect({\r\n        redirectAdapter: redirect,\r\n        baseUrl: ternSecureRequest.ternUrl.toString(),\r\n        signInUrl: SIGN_IN_URL,\r\n        signUpUrl: SIGN_UP_URL,\r\n      }),\r\n      returnBackUrl === null ? '' : returnBackUrl || ternUrl?.toString(),\r\n    ] as const;\r\n  };\r\n\r\n  const redirectToSignIn: RedirectFun<never> = (opts = {}) => {\r\n    const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n    return r.redirectToSignIn({\r\n      returnBackUrl,\r\n    });\r\n  };\r\n\r\n  const redirectToSignUp: RedirectFun<never> = (opts = {}) => {\r\n    const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n    return r.redirectToSignUp({\r\n      returnBackUrl,\r\n    });\r\n  };\r\n\r\n  return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });\r\n};\r\n\r\nauth.protect = async (...args: any[]) => {\r\n  // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n  require('server-only');\r\n\r\n  const request = await buildRequestLike();\r\n  const authObject = await auth();\r\n\r\n  const protect = createProtect({\r\n    request,\r\n    authObject,\r\n    redirectToSignIn: authObject.redirectToSignIn,\r\n    notFound,\r\n    redirect,\r\n  });\r\n\r\n  return protect(...args);\r\n};\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,qBAKO;AACP,iBAA8B;AAC9B,wBAAmC;AAEnC,sBAAyC;AACzC,2BAAsC;AACtC,qBAA+C;AAC/C,sBAAiD;AAEjD,mBAAiC;AAqBjC,MAAM,mBAAmB,MAAM;AAC7B,SAAO,OAAO,QAAqB;AACjC,WAAO,uBAAuB,GAAG;AAAA,EACnC;AACF;AAEA,SAAS,uBAAuB,KAA8B;AAC5D,QAAM,iBAAa,4CAAsB,KAAK,YAAY;AAC1D,QAAM,gBAAY,4CAAsB,KAAK,WAAW;AACxD,QAAM,oBAAgB,4CAAsB,KAAK,eAAe;AAChE,QAAM,iBAAa,4CAAsB,KAAK,YAAY;AAE1D,MAAI;AACJ,MAAI,CAAC,cAAc,eAAe,0BAAW,UAAU;AACrD,qBAAa,oCAAoB;AAAA,EACnC,OAAO;AACL,UAAM,UAAM,0BAAc,SAAmB;AAE7C,qBAAa,mCAAmB,IAAI,IAAI,MAAM,IAAI,OAAO;AAAA,EAC3D;AACA,SAAO;AACT;AAKO,MAAM,OAAe,YAAY;AAEtC,UAAQ,aAAa;AAErB,QAAM,UAAU,UAAM,+BAAiB;AAEvC,QAAM,aAAa,MAAM,iBAAiB,EAAE,OAAO;AAEnD,QAAM,cAAU,4CAAsB,SAAS,eAAe;AAE9D,QAAM,2BAA2B,IAAI,SAAyC;AAC5E,UAAM,EAAE,cAAc,IAAI,KAAK,CAAC,KAAK,CAAC;AACtC,UAAM,wBAAoB,wCAAwB,OAAO;AAEzD,WAAO;AAAA,UACL,gCAAe;AAAA,QACb,iBAAiB;AAAA,QACjB,SAAS,kBAAkB,QAAQ,SAAS;AAAA,QAC5C,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAC;AAAA,MACD,kBAAkB,OAAO,KAAK,iBAAiB,SAAS,SAAS;AAAA,IACnE;AAAA,EACF;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO,OAAO,OAAO,YAAY,EAAE,kBAAkB,iBAAiB,CAAC;AACzE;AAEA,KAAK,UAAU,UAAU,SAAgB;AAEvC,UAAQ,aAAa;AAErB,QAAM,UAAU,UAAM,+BAAiB;AACvC,QAAM,aAAa,MAAM,KAAK;AAE9B,QAAM,cAAU,8BAAc;AAAA,IAC5B;AAAA,IACA;AAAA,IACA,kBAAkB,WAAW;AAAA,IAC7B;AAAA,IACA;AAAA,EACF,CAAC;AAED,SAAO,QAAQ,GAAG,IAAI;AACxB;","names":[]}

package/dist/cjs/app-router/server/utils.js

@@ -0,0 +1,87 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  buildRequestLike: () => buildRequestLike,
+  getScriptNonceFromHeader: () => getScriptNonceFromHeader,
+  isPrerenderingBailout: () => isPrerenderingBailout
+});
+module.exports = __toCommonJS(utils_exports);
+var import_server = require("next/server");
+const isPrerenderingBailout = (e) => {
+  if (!(e instanceof Error) || !("message" in e)) {
+    return false;
+  }
+  const { message } = e;
+  const lowerCaseInput = message.toLowerCase();
+  const dynamicServerUsage = lowerCaseInput.includes("dynamic server usage");
+  const bailOutPrerendering = lowerCaseInput.includes("this page needs to bail out of prerendering");
+  const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;
+  return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;
+};
+async function buildRequestLike() {
+  try {
+    const { headers } = await import("next/headers");
+    const resolvedHeaders = await headers();
+    return new import_server.NextRequest("https://placeholder.com", { headers: resolvedHeaders });
+  } catch (e) {
+    if (e && isPrerenderingBailout(e)) {
+      throw e;
+    }
+    throw new Error(
+      `Clerk: auth(), currentUser() and clerkClient(), are only supported in App Router (/app directory).
+If you're using /pages, try getAuth() instead.
+Original error: ${e}`
+    );
+  }
+}
+function getScriptNonceFromHeader(cspHeaderValue) {
+  const directives = cspHeaderValue.split(";").map((directive2) => directive2.trim());
+  const directive = directives.find((dir) => dir.startsWith("script-src")) || directives.find((dir) => dir.startsWith("default-src"));
+  if (!directive) {
+    return;
+  }
+  const nonce = directive.split(" ").slice(1).map((source) => source.trim()).find((source) => source.startsWith("'nonce-") && source.length > 8 && source.endsWith("'"))?.slice(7, -1);
+  if (!nonce) {
+    return;
+  }
+  if (/[&><\u2028\u2029]/g.test(nonce)) {
+    throw new Error(
+      "Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`"
+    );
+  }
+  return nonce;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  buildRequestLike,
+  getScriptNonceFromHeader,
+  isPrerenderingBailout
+});
+//# sourceMappingURL=utils.js.map

package/dist/cjs/app-router/server/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/server/utils.ts"],"sourcesContent":["import { NextRequest } from 'next/server';\r\n\r\nexport const isPrerenderingBailout = (e: unknown) => {\r\n  if (!(e instanceof Error) || !('message' in e)) {\r\n    return false;\r\n  }\r\n\r\n  const { message } = e;\r\n\r\n  const lowerCaseInput = message.toLowerCase();\r\n  const dynamicServerUsage = lowerCaseInput.includes('dynamic server usage');\r\n  const bailOutPrerendering = lowerCaseInput.includes('this page needs to bail out of prerendering');\r\n\r\n  // note: new error message syntax introduced in next@14.1.1-canary.21\r\n  // but we still want to support older versions.\r\n  // https://github.com/vercel/next.js/pull/61332 (dynamic-rendering.ts:153)\r\n  const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;\r\n\r\n  return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;\r\n};\r\n\r\nexport async function buildRequestLike(): Promise<NextRequest> {\r\n  try {\r\n    // Dynamically import next/headers, otherwise Next12 apps will break\r\n    // @ts-expect-error: Cannot find module 'next/headers' or its corresponding type declarations.ts(2307)\r\n    const { headers } = await import('next/headers');\r\n    const resolvedHeaders = await headers();\r\n    return new NextRequest('https://placeholder.com', { headers: resolvedHeaders });\r\n  } catch (e: any) {\r\n    // rethrow the error when react throws a prerendering bailout\r\n    // https://nextjs.org/docs/messages/ppr-caught-error\r\n    if (e && isPrerenderingBailout(e)) {\r\n      throw e;\r\n    }\r\n\r\n    throw new Error(\r\n      `Clerk: auth(), currentUser() and clerkClient(), are only supported in App Router (/app directory).\\nIf you're using /pages, try getAuth() instead.\\nOriginal error: ${e}`,\r\n    );\r\n  }\r\n}\r\n\r\n// Original source: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/get-script-nonce-from-header.tsx\r\nexport function getScriptNonceFromHeader(cspHeaderValue: string): string | undefined {\r\n  const directives = cspHeaderValue\r\n    // Directives are split by ';'.\r\n    .split(';')\r\n    .map(directive => directive.trim());\r\n\r\n  // First try to find the directive for the 'script-src', otherwise try to\r\n  // fallback to the 'default-src'.\r\n  const directive =\r\n    directives.find(dir => dir.startsWith('script-src')) || directives.find(dir => dir.startsWith('default-src'));\r\n\r\n  // If no directive could be found, then we're done.\r\n  if (!directive) {\r\n    return;\r\n  }\r\n\r\n  // Extract the nonce from the directive\r\n  const nonce = directive\r\n    .split(' ')\r\n    // Remove the 'strict-src'/'default-src' string, this can't be the nonce.\r\n    .slice(1)\r\n    .map(source => source.trim())\r\n    // Find the first source with the 'nonce-' prefix.\r\n    .find(source => source.startsWith(\"'nonce-\") && source.length > 8 && source.endsWith(\"'\"))\r\n    // Grab the nonce by trimming the 'nonce-' prefix.\r\n    ?.slice(7, -1);\r\n\r\n  // If we couldn't find the nonce, then we're done.\r\n  if (!nonce) {\r\n    return;\r\n  }\r\n\r\n  // Don't accept the nonce value if it contains HTML escape characters.\r\n  // Technically, the spec requires a base64'd value, but this is just an\r\n  // extra layer.\r\n  if (/[&><\\u2028\\u2029]/g.test(nonce)) {\r\n    throw new Error(\r\n      'Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`',\r\n    );\r\n  }\r\n\r\n  return nonce;\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA4B;AAErB,MAAM,wBAAwB,CAAC,MAAe;AACnD,MAAI,EAAE,aAAa,UAAU,EAAE,aAAa,IAAI;AAC9C,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,QAAQ,IAAI;AAEpB,QAAM,iBAAiB,QAAQ,YAAY;AAC3C,QAAM,qBAAqB,eAAe,SAAS,sBAAsB;AACzE,QAAM,sBAAsB,eAAe,SAAS,6CAA6C;AAKjG,QAAM,aAAa;AAEnB,SAAO,WAAW,KAAK,OAAO,KAAK,sBAAsB;AAC3D;AAEA,eAAsB,mBAAyC;AAC7D,MAAI;AAGF,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,cAAc;AAC/C,UAAM,kBAAkB,MAAM,QAAQ;AACtC,WAAO,IAAI,0BAAY,2BAA2B,EAAE,SAAS,gBAAgB,CAAC;AAAA,EAChF,SAAS,GAAQ;AAGf,QAAI,KAAK,sBAAsB,CAAC,GAAG;AACjC,YAAM;AAAA,IACR;AAEA,UAAM,IAAI;AAAA,MACR;AAAA;AAAA,kBAAuK,CAAC;AAAA,IAC1K;AAAA,EACF;AACF;AAGO,SAAS,yBAAyB,gBAA4C;AACnF,QAAM,aAAa,eAEhB,MAAM,GAAG,EACT,IAAI,CAAAA,eAAaA,WAAU,KAAK,CAAC;AAIpC,QAAM,YACJ,WAAW,KAAK,SAAO,IAAI,WAAW,YAAY,CAAC,KAAK,WAAW,KAAK,SAAO,IAAI,WAAW,aAAa,CAAC;AAG9G,MAAI,CAAC,WAAW;AACd;AAAA,EACF;AAGA,QAAM,QAAQ,UACX,MAAM,GAAG,EAET,MAAM,CAAC,EACP,IAAI,YAAU,OAAO,KAAK,CAAC,EAE3B,KAAK,YAAU,OAAO,WAAW,SAAS,KAAK,OAAO,SAAS,KAAK,OAAO,SAAS,GAAG,CAAC,GAEvF,MAAM,GAAG,EAAE;AAGf,MAAI,CAAC,OAAO;AACV;AAAA,EACF;AAKA,MAAI,qBAAqB,KAAK,KAAK,GAAG;AACpC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["directive"]}

package/dist/cjs/boundary/components.js

@@ -1,5 +1,4 @@
 "use strict";
-"use client";
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -19,22 +18,20 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var components_exports = {};
 __export(components_exports, {
-  SignIn: () => import_react.SignIn,
-  SignUp: () => import_react.SignUp,
+  signIn: () => import_react.signIn,
   useAuth: () => import_react.useAuth,
   useIdToken: () => import_react.useIdToken,
   useSession: () => import_react.useSession,
-  useSignUp: () => import_react.useSignUp
+  useSignIn: () => import_react.useSignIn
 });
 module.exports = __toCommonJS(components_exports);
 var import_react = require("@tern-secure/react");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  SignIn,
-  SignUp,
+  signIn,
   useAuth,
   useIdToken,
   useSession,
-  useSignUp
+  useSignIn
 });
 //# sourceMappingURL=components.js.map

package/dist/cjs/boundary/components.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/boundary/components.ts"],"sourcesContent":["'use client'\n\nexport { \n    useAuth,\n    useIdToken,\n    useSignUp,\n    useSession,\n    SignIn,\n    //SignOut,\n    //SignOutButton,\n    SignUp,\n} from '@tern-secure/react' "],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,mBASO;","names":[]}
+{"version":3,"sources":["../../../src/boundary/components.ts"],"sourcesContent":["export { \n    useAuth,\n    useIdToken,\n    useSession,\n    useSignIn,\n    signIn,\n} from '@tern-secure/react' "],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAMO;","names":[]}

package/dist/cjs/{components/uiComponents.js → constants.js}

@@ -1,5 +1,4 @@
 "use strict";
-"use client";
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
@@ -17,26 +16,26 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var uiComponents_exports = {};
-__export(uiComponents_exports, {
-  SignIn: () => SignIn,
-  SignUp: () => SignUp,
-  UserButton: () => import_react2.UserButton
+var constants_exports = {};
+__export(constants_exports, {
+  constants: () => constants
 });
-module.exports = __toCommonJS(uiComponents_exports);
-var import_jsx_runtime = require("react/jsx-runtime");
-var import_react = require("@tern-secure/react");
-var import_react2 = require("@tern-secure/react");
-const SignIn = (props) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_react.SignIn, { ...props });
+module.exports = __toCommonJS(constants_exports);
+const Headers = {
+  NextRewrite: "x-middleware-rewrite",
+  NextResume: "x-middleware-next",
+  NextRedirect: "Location",
+  // Used by next to identify internal navigation for app router
+  NextUrl: "next-url",
+  NextAction: "next-action",
+  // Used by next to identify internal navigation for pages router
+  NextjsData: "x-nextjs-data"
 };
-const SignUp = (props) => {
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_react.SignUp, { ...props });
+const constants = {
+  Headers
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  SignIn,
-  SignUp,
-  UserButton
+  constants
 });
-//# sourceMappingURL=uiComponents.js.map
+//# sourceMappingURL=constants.js.map

package/dist/cjs/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/constants.ts"],"sourcesContent":["const Headers = {\n  NextRewrite: 'x-middleware-rewrite',\n  NextResume: 'x-middleware-next',\n  NextRedirect: 'Location',\n  // Used by next to identify internal navigation for app router\n  NextUrl: 'next-url',\n  NextAction: 'next-action',\n  // Used by next to identify internal navigation for pages router\n  NextjsData: 'x-nextjs-data',\n} as const;\n\nexport const constants = {\n  Headers,\n} as const;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAAM,UAAU;AAAA,EACd,aAAa;AAAA,EACb,YAAY;AAAA,EACZ,cAAc;AAAA;AAAA,EAEd,SAAS;AAAA,EACT,YAAY;AAAA;AAAA,EAEZ,YAAY;AACd;AAEO,MAAM,YAAY;AAAA,EACvB;AACF;","names":[]}