@tern-secure/nextjs 5.1.8 → 5.1.10

package/dist/cjs/server/jwt.js

@@ -66,10 +66,6 @@ async function verifyFirebaseToken(token, isSessionCookie = false) {
     if (!decoded) {
       throw new Error("Invalid token format");
     }
-    console.log("Token details:", {
-      header: decoded.header,
-      type: isSessionCookie ? "session_cookie" : "id_token"
-    });
     let retries = 3;
     let lastError = null;
     while (retries > 0) {
@@ -81,14 +77,25 @@ async function verifyFirebaseToken(token, isSessionCookie = false) {
           algorithms: ["RS256"]
         });
         const firebasePayload = payload;
+        const now = Math.floor(Date.now() / 1e3);
+        if (firebasePayload.exp <= now) {
+          throw new Error("Token has expired");
+        }
+        if (firebasePayload.iat > now) {
+          throw new Error("Token issued time is in the future");
+        }
         if (!firebasePayload.sub) {
           throw new Error("Token subject is empty");
         }
+        if (firebasePayload.auth_time > now) {
+          throw new Error("Token auth time is in the future");
+        }
         return {
           valid: true,
           uid: firebasePayload.sub,
           email: firebasePayload.email,
           emailVerified: firebasePayload.email_verified,
+          tenant: firebasePayload.firebase.tenant,
           authTime: firebasePayload.auth_time,
           issuedAt: firebasePayload.iat,
           expiresAt: firebasePayload.exp

package/dist/cjs/server/jwt.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/server/jwt.ts"],"sourcesContent":["import { jwtVerify, createRemoteJWKSet } from \"jose\"\r\nimport { cache } from \"react\"\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string\r\n  aud: string\r\n  auth_time: number\r\n  user_id: string\r\n  sub: string\r\n  iat: number\r\n  exp: number\r\n  email?: string\r\n  email_verified?: boolean\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any\r\n    }\r\n    sign_in_provider: string\r\n  }\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL = \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\"\r\nconst FIREBASE_SESSION_CERT_URL = \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\"\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  })\r\n})\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\")\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString())\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString())\r\n    return { header, payload }\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error)\r\n    return null\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(token: string, isSessionCookie = false) {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\")\r\n    }\r\n\r\n    // Decode token for debugging and type checking\r\n    const decoded = decodeJwt(token)\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\")\r\n    }\r\n\r\n    console.log(\"Token details:\", {\r\n      header: decoded.header,\r\n      type: isSessionCookie ? \"session_cookie\" : \"id_token\",\r\n    })\r\n\r\n    let retries = 3\r\n    let lastError: Error | null = null\r\n\r\n    while (retries > 0) {\r\n      try {\r\n        // Use different JWKS based on token type\r\n        const JWKS = isSessionCookie ? await getSessionJWKS() : await getIdTokenJWKS()\r\n\r\n        const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n        })\r\n\r\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload\r\n\r\n        if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\")\r\n        }\r\n\r\n        return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        }\r\n      } catch (error) {\r\n        lastError = error as Error\r\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\r\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message)\r\n          retries--\r\n          if (retries > 0) {\r\n            await new Promise((resolve) => setTimeout(resolve, 1000))\r\n            continue\r\n          }\r\n        }\r\n        throw error\r\n      }\r\n    }\r\n\r\n    throw lastError || new Error(\"Failed to verify token after retries\")\r\n  } catch (error) {\r\n    console.error(\"Token verification details:\", {\r\n      error:\r\n        error instanceof Error\r\n          ? {\r\n              name: error.name,\r\n              message: error.message,\r\n              stack: error.stack,\r\n            }\r\n          : error,\r\n      decoded: decodeJwt(token),\r\n      //projectId,\r\n      isSessionCookie,\r\n    })\r\n\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : \"Invalid token\",\r\n    }\r\n  }\r\n}"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAA8C;AAC9C,mBAAsB;AAqBtB,MAAM,wBAAwB;AAC9B,MAAM,4BAA4B;AAGlC,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBAAoB,OAAe,kBAAkB,OAAO;AAChF,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAGA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,YAAQ,IAAI,kBAAkB;AAAA,MAC5B,QAAQ,QAAQ;AAAA,MAChB,MAAM,kBAAkB,mBAAmB;AAAA,IAC7C,CAAC;AAED,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBAAkB,MAAM,eAAe,IAAI,MAAM,eAAe;AAE7E,cAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AAExB,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../src/server/jwt.ts"],"sourcesContent":["import { createRemoteJWKSet,jwtVerify } from \"jose\";\r\nimport { cache } from \"react\";\r\n\r\ninterface FirebaseIdTokenPayload {\r\n  iss: string;\r\n  aud: string;\r\n  auth_time: number;\r\n  user_id: string;\r\n  sub: string;\r\n  iat: number;\r\n  exp: number;\r\n  email?: string;\r\n  email_verified?: boolean;\r\n  firebase: {\r\n    identities: {\r\n      [key: string]: any;\r\n    };\r\n    sign_in_provider: string;\r\n    tenant?: string;\r\n  };\r\n}\r\n\r\ninterface FirebaseTokenResult {\r\n  valid: boolean;\r\n  tenant?: string;\r\n  uid?: string;\r\n  email?: string | null;\r\n  emailVerified?: boolean;\r\n  authTime?: number;\r\n  issuedAt?: number;\r\n  expiresAt?: number;\r\n  error?: string;\r\n}\r\n\r\n// Firebase public key endpoints\r\nconst FIREBASE_ID_TOKEN_URL =\r\n  \"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com\";\r\nconst FIREBASE_SESSION_CERT_URL =\r\n  \"https://identitytoolkit.googleapis.com/v1/sessionCookiePublicKeys\";\r\n\r\n// Cache the JWKS using React cache\r\nconst getIdTokenJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_ID_TOKEN_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  });\r\n});\r\n\r\nconst getSessionJWKS = cache(() => {\r\n  return createRemoteJWKSet(new URL(FIREBASE_SESSION_CERT_URL), {\r\n    cacheMaxAge: 3600000, // 1 hour\r\n    timeoutDuration: 5000, // 5 seconds\r\n    cooldownDuration: 30000, // 30 seconds between retries\r\n  });\r\n});\r\n\r\n// Helper to decode JWT without verification\r\nfunction decodeJwt(token: string) {\r\n  try {\r\n    const [headerB64, payloadB64] = token.split(\".\");\r\n    const header = JSON.parse(Buffer.from(headerB64, \"base64\").toString());\r\n    const payload = JSON.parse(Buffer.from(payloadB64, \"base64\").toString());\r\n    return { header, payload };\r\n  } catch (error) {\r\n    console.error(\"Error decoding JWT:\", error);\r\n    return null;\r\n  }\r\n}\r\n\r\nexport async function verifyFirebaseToken(\r\n  token: string,\r\n  isSessionCookie = false\r\n): Promise<FirebaseTokenResult> {\r\n  try {\r\n    const projectId = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID;\r\n    if (!projectId) {\r\n      throw new Error(\"Firebase Project ID is not configured\");\r\n    }\r\n\r\n    const decoded = decodeJwt(token);\r\n    if (!decoded) {\r\n      throw new Error(\"Invalid token format\");\r\n    }\r\n\r\n    let retries = 3;\r\n    let lastError: Error | null = null;\r\n\r\n    while (retries > 0) {\r\n      try {\r\n        // Use different JWKS based on token type\r\n        const JWKS = isSessionCookie\r\n          ? await getSessionJWKS()\r\n          : await getIdTokenJWKS();\r\n\r\n        const { payload } = await jwtVerify(token, JWKS, {\r\n          issuer: isSessionCookie\r\n            ? \"https://session.firebase.google.com/\" + projectId\r\n            : \"https://securetoken.google.com/\" + projectId,\r\n          audience: projectId,\r\n          algorithms: [\"RS256\"],\r\n        });\r\n\r\n        const firebasePayload = payload as unknown as FirebaseIdTokenPayload;\r\n        const now = Math.floor(Date.now() / 1000);\r\n\r\n        // Verify token claims\r\n        if (firebasePayload.exp <= now) {\r\n          throw new Error(\"Token has expired\");\r\n        }\r\n\r\n        if (firebasePayload.iat > now) {\r\n          throw new Error(\"Token issued time is in the future\");\r\n        }\r\n\r\n        if (!firebasePayload.sub) {\r\n          throw new Error(\"Token subject is empty\");\r\n        }\r\n\r\n        if (firebasePayload.auth_time > now) {\r\n          throw new Error(\"Token auth time is in the future\");\r\n        }\r\n\r\n        return {\r\n          valid: true,\r\n          uid: firebasePayload.sub,\r\n          email: firebasePayload.email,\r\n          emailVerified: firebasePayload.email_verified,\r\n          tenant: firebasePayload.firebase.tenant,\r\n          authTime: firebasePayload.auth_time,\r\n          issuedAt: firebasePayload.iat,\r\n          expiresAt: firebasePayload.exp,\r\n        };\r\n      } catch (error) {\r\n        lastError = error as Error;\r\n        if (error instanceof Error && error.name === \"JWKSNoMatchingKey\") {\r\n          console.warn(`JWKS retry attempt ${4 - retries}:`, error.message);\r\n          retries--;\r\n          if (retries > 0) {\r\n            await new Promise((resolve) => setTimeout(resolve, 1000));\r\n            continue;\r\n          }\r\n        }\r\n        throw error;\r\n      }\r\n    }\r\n\r\n    throw lastError || new Error(\"Failed to verify token after retries\");\r\n  } catch (error) {\r\n    console.error(\"Token verification details:\", {\r\n      error:\r\n        error instanceof Error\r\n          ? {\r\n              name: error.name,\r\n              message: error.message,\r\n              stack: error.stack,\r\n            }\r\n          : error,\r\n      decoded: decodeJwt(token),\r\n      //projectId,\r\n      isSessionCookie,\r\n    });\r\n\r\n    return {\r\n      valid: false,\r\n      error: error instanceof Error ? error.message : \"Invalid token\",\r\n    };\r\n  }\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAA6C;AAC7C,mBAAsB;AAkCtB,MAAM,wBACJ;AACF,MAAM,4BACJ;AAGF,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,qBAAqB,GAAG;AAAA,IACxD,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAED,MAAM,qBAAiB,oBAAM,MAAM;AACjC,aAAO,gCAAmB,IAAI,IAAI,yBAAyB,GAAG;AAAA,IAC5D,aAAa;AAAA;AAAA,IACb,iBAAiB;AAAA;AAAA,IACjB,kBAAkB;AAAA;AAAA,EACpB,CAAC;AACH,CAAC;AAGD,SAAS,UAAU,OAAe;AAChC,MAAI;AACF,UAAM,CAAC,WAAW,UAAU,IAAI,MAAM,MAAM,GAAG;AAC/C,UAAM,SAAS,KAAK,MAAM,OAAO,KAAK,WAAW,QAAQ,EAAE,SAAS,CAAC;AACrE,UAAM,UAAU,KAAK,MAAM,OAAO,KAAK,YAAY,QAAQ,EAAE,SAAS,CAAC;AACvE,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B,SAAS,OAAO;AACd,YAAQ,MAAM,uBAAuB,KAAK;AAC1C,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,oBACpB,OACA,kBAAkB,OACY;AAC9B,MAAI;AACF,UAAM,YAAY,QAAQ,IAAI;AAC9B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACzD;AAEA,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AAEA,QAAI,UAAU;AACd,QAAI,YAA0B;AAE9B,WAAO,UAAU,GAAG;AAClB,UAAI;AAEF,cAAM,OAAO,kBACT,MAAM,eAAe,IACrB,MAAM,eAAe;AAEzB,cAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,MAAM;AAAA,UAC/C,QAAQ,kBACJ,yCAAyC,YACzC,oCAAoC;AAAA,UACxC,UAAU;AAAA,UACV,YAAY,CAAC,OAAO;AAAA,QACtB,CAAC;AAED,cAAM,kBAAkB;AACxB,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,YAAI,gBAAgB,OAAO,KAAK;AAC9B,gBAAM,IAAI,MAAM,mBAAmB;AAAA,QACrC;AAEA,YAAI,gBAAgB,MAAM,KAAK;AAC7B,gBAAM,IAAI,MAAM,oCAAoC;AAAA,QACtD;AAEA,YAAI,CAAC,gBAAgB,KAAK;AACxB,gBAAM,IAAI,MAAM,wBAAwB;AAAA,QAC1C;AAEA,YAAI,gBAAgB,YAAY,KAAK;AACnC,gBAAM,IAAI,MAAM,kCAAkC;AAAA,QACpD;AAEA,eAAO;AAAA,UACL,OAAO;AAAA,UACP,KAAK,gBAAgB;AAAA,UACrB,OAAO,gBAAgB;AAAA,UACvB,eAAe,gBAAgB;AAAA,UAC/B,QAAQ,gBAAgB,SAAS;AAAA,UACjC,UAAU,gBAAgB;AAAA,UAC1B,UAAU,gBAAgB;AAAA,UAC1B,WAAW,gBAAgB;AAAA,QAC7B;AAAA,MACF,SAAS,OAAO;AACd,oBAAY;AACZ,YAAI,iBAAiB,SAAS,MAAM,SAAS,qBAAqB;AAChE,kBAAQ,KAAK,sBAAsB,IAAI,OAAO,KAAK,MAAM,OAAO;AAChE;AACA,cAAI,UAAU,GAAG;AACf,kBAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAI,CAAC;AACxD;AAAA,UACF;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,UAAM,aAAa,IAAI,MAAM,sCAAsC;AAAA,EACrE,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B;AAAA,MAC3C,OACE,iBAAiB,QACb;AAAA,QACE,MAAM,MAAM;AAAA,QACZ,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,MACf,IACA;AAAA,MACN,SAAS,UAAU,KAAK;AAAA;AAAA,MAExB;AAAA,IACF,CAAC;AAED,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}

package/dist/cjs/server/nextErrors.js

@@ -0,0 +1,131 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var nextErrors_exports = {};
+__export(nextErrors_exports, {
+  HTTP_ERROR_FALLBACK_ERROR_CODE: () => HTTP_ERROR_FALLBACK_ERROR_CODE,
+  isHTTPAccessFallbackError: () => isHTTPAccessFallbackError,
+  isLegacyNextjsNotFoundError: () => isLegacyNextjsNotFoundError,
+  isNextjsNotFoundError: () => isNextjsNotFoundError,
+  isNextjsRedirectError: () => isNextjsRedirectError,
+  isRedirectToSignInError: () => isRedirectToSignInError,
+  isRedirectToSignUpError: () => isRedirectToSignUpError,
+  nextjsRedirectError: () => nextjsRedirectError,
+  redirectToSignInError: () => redirectToSignInError,
+  redirectToSignUpError: () => redirectToSignUpError,
+  whichHTTPAccessFallbackError: () => whichHTTPAccessFallbackError
+});
+module.exports = __toCommonJS(nextErrors_exports);
+const CONTROL_FLOW_ERROR = {
+  REDIRECT_TO_URL: "TERNSECURE_PROTECT_REDIRECT_TO_URL",
+  REDIRECT_TO_SIGN_IN: "TERNSECURE_PROTECT_REDIRECT_TO_SIGN_IN",
+  REDIRECT_TO_SIGN_UP: "TERNSECURE_PROTECT_REDIRECT_TO_SIGN_UP"
+};
+const LEGACY_NOT_FOUND_ERROR_CODE = "NEXT_NOT_FOUND";
+function isLegacyNextjsNotFoundError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error)) {
+    return false;
+  }
+  return error.digest === LEGACY_NOT_FOUND_ERROR_CODE;
+}
+const HTTPAccessErrorStatusCodes = {
+  NOT_FOUND: 404,
+  FORBIDDEN: 403,
+  UNAUTHORIZED: 401
+};
+const ALLOWED_CODES = new Set(Object.values(HTTPAccessErrorStatusCodes));
+const HTTP_ERROR_FALLBACK_ERROR_CODE = "NEXT_HTTP_ERROR_FALLBACK";
+function isHTTPAccessFallbackError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error) || typeof error.digest !== "string") {
+    return false;
+  }
+  const [prefix, httpStatus] = error.digest.split(";");
+  return prefix === HTTP_ERROR_FALLBACK_ERROR_CODE && ALLOWED_CODES.has(Number(httpStatus));
+}
+function whichHTTPAccessFallbackError(error) {
+  if (!isHTTPAccessFallbackError(error)) {
+    return void 0;
+  }
+  const [, httpStatus] = error.digest.split(";");
+  return Number(httpStatus);
+}
+function isNextjsNotFoundError(error) {
+  return isLegacyNextjsNotFoundError(error) || // Checks for the error thrown from `notFound()` for canary versions of next@15
+  whichHTTPAccessFallbackError(error) === HTTPAccessErrorStatusCodes.NOT_FOUND;
+}
+const REDIRECT_ERROR_CODE = "NEXT_REDIRECT";
+function nextjsRedirectError(url, extra, type = "replace", statusCode = 307) {
+  const error = new Error(REDIRECT_ERROR_CODE);
+  error.digest = `${REDIRECT_ERROR_CODE};${type};${url};${statusCode};`;
+  error.tern_digest = CONTROL_FLOW_ERROR.REDIRECT_TO_URL;
+  Object.assign(error, extra);
+  throw error;
+}
+function buildReturnBackUrl(url, returnBackUrl) {
+  return returnBackUrl === null ? "" : returnBackUrl || url;
+}
+function redirectToSignInError(url, returnBackUrl) {
+  nextjsRedirectError(url, {
+    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN,
+    returnBackUrl: buildReturnBackUrl(url, returnBackUrl)
+  });
+}
+function redirectToSignUpError(url, returnBackUrl) {
+  nextjsRedirectError(url, {
+    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP,
+    returnBackUrl: buildReturnBackUrl(url, returnBackUrl)
+  });
+}
+function isNextjsRedirectError(error) {
+  if (typeof error !== "object" || error === null || !("digest" in error) || typeof error.digest !== "string") {
+    return false;
+  }
+  const digest = error.digest.split(";");
+  const [errorCode, type] = digest;
+  const destination = digest.slice(2, -2).join(";");
+  const status = digest.at(-2);
+  const statusCode = Number(status);
+  return errorCode === REDIRECT_ERROR_CODE && (type === "replace" || type === "push") && typeof destination === "string" && !isNaN(statusCode) && statusCode === 307;
+}
+function isRedirectToSignInError(error) {
+  if (isNextjsRedirectError(error) && "tern_digest" in error) {
+    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;
+  }
+  return false;
+}
+function isRedirectToSignUpError(error) {
+  if (isNextjsRedirectError(error) && "tern_digest" in error) {
+    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP;
+  }
+  return false;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  HTTP_ERROR_FALLBACK_ERROR_CODE,
+  isHTTPAccessFallbackError,
+  isLegacyNextjsNotFoundError,
+  isNextjsNotFoundError,
+  isNextjsRedirectError,
+  isRedirectToSignInError,
+  isRedirectToSignUpError,
+  nextjsRedirectError,
+  redirectToSignInError,
+  redirectToSignUpError,
+  whichHTTPAccessFallbackError
+});
+//# sourceMappingURL=nextErrors.js.map

package/dist/cjs/server/nextErrors.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/nextErrors.ts"],"sourcesContent":["\nconst CONTROL_FLOW_ERROR = {\n  REDIRECT_TO_URL: 'TERNSECURE_PROTECT_REDIRECT_TO_URL',\n  REDIRECT_TO_SIGN_IN: 'TERNSECURE_PROTECT_REDIRECT_TO_SIGN_IN',\n  REDIRECT_TO_SIGN_UP: 'TERNSECURE_PROTECT_REDIRECT_TO_SIGN_UP',\n};\n\n/**\n * In-house implementation of `notFound()`\n * https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/not-found.ts\n */\nconst LEGACY_NOT_FOUND_ERROR_CODE = 'NEXT_NOT_FOUND';\n\ntype LegacyNotFoundError = Error & {\n  digest: typeof LEGACY_NOT_FOUND_ERROR_CODE;\n};\n\n/**\n * Checks for the error thrown from `notFound()` for versions <= next@15.0.4\n */\nfunction isLegacyNextjsNotFoundError(error: unknown): error is LegacyNotFoundError {\n  if (typeof error !== 'object' || error === null || !('digest' in error)) {\n    return false;\n  }\n\n  return error.digest === LEGACY_NOT_FOUND_ERROR_CODE;\n}\n\nconst HTTPAccessErrorStatusCodes = {\n  NOT_FOUND: 404,\n  FORBIDDEN: 403,\n  UNAUTHORIZED: 401,\n};\n\nconst ALLOWED_CODES = new Set(Object.values(HTTPAccessErrorStatusCodes));\n\nexport const HTTP_ERROR_FALLBACK_ERROR_CODE = 'NEXT_HTTP_ERROR_FALLBACK';\n\nexport type HTTPAccessFallbackError = Error & {\n  digest: `${typeof HTTP_ERROR_FALLBACK_ERROR_CODE};${string}`;\n};\n\nexport function isHTTPAccessFallbackError(error: unknown): error is HTTPAccessFallbackError {\n  if (typeof error !== 'object' || error === null || !('digest' in error) || typeof error.digest !== 'string') {\n    return false;\n  }\n  const [prefix, httpStatus] = error.digest.split(';');\n\n  return prefix === HTTP_ERROR_FALLBACK_ERROR_CODE && ALLOWED_CODES.has(Number(httpStatus));\n}\n\nexport function whichHTTPAccessFallbackError(error: unknown): number | undefined {\n  if (!isHTTPAccessFallbackError(error)) {\n    return undefined;\n  }\n\n  const [, httpStatus] = error.digest.split(';');\n  return Number(httpStatus);\n}\n\nfunction isNextjsNotFoundError(error: unknown): error is LegacyNotFoundError | HTTPAccessFallbackError {\n  return (\n    isLegacyNextjsNotFoundError(error) ||\n    // Checks for the error thrown from `notFound()` for canary versions of next@15\n    whichHTTPAccessFallbackError(error) === HTTPAccessErrorStatusCodes.NOT_FOUND\n  );\n}\n\n/**\n * In-house implementation of `redirect()` extended with a `tern_digest` property\n * https://github.com/vercel/next.js/blob/canary/packages/next/src/client/components/redirect.ts\n */\n\nconst REDIRECT_ERROR_CODE = 'NEXT_REDIRECT';\n\ntype RedirectError<T = unknown> = Error & {\n  digest: `${typeof REDIRECT_ERROR_CODE};${'replace'};${string};${307};`;\n  tern_digest: typeof CONTROL_FLOW_ERROR.REDIRECT_TO_URL | typeof CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;\n} & T;\n\nfunction nextjsRedirectError(\n  url: string,\n  extra: Record<string, unknown>,\n  type: 'replace' = 'replace',\n  statusCode: 307 = 307,\n): never {\n  const error = new Error(REDIRECT_ERROR_CODE) as RedirectError;\n  error.digest = `${REDIRECT_ERROR_CODE};${type};${url};${statusCode};`;\n  error.tern_digest = CONTROL_FLOW_ERROR.REDIRECT_TO_URL;\n  Object.assign(error, extra);\n  throw error;\n}\n\nfunction buildReturnBackUrl(url: string, returnBackUrl?: string | URL | null): string | URL {\n  return returnBackUrl === null ? '' : returnBackUrl || url;\n}\n\nfunction redirectToSignInError(url: string, returnBackUrl?: string | URL | null): never {\n  nextjsRedirectError(url, {\n    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN,\n    returnBackUrl: buildReturnBackUrl(url, returnBackUrl),\n  });\n}\n\nfunction redirectToSignUpError(url: string, returnBackUrl?: string | URL | null): never {\n  nextjsRedirectError(url, {\n    tern_digest: CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP,\n    returnBackUrl: buildReturnBackUrl(url, returnBackUrl),\n  });\n}\n\n/**\n * Checks an error to determine if it's an error generated by the\n * `redirect(url)` helper.\n *\n * @param error the error that may reference a redirect error\n * @returns true if the error is a redirect error\n */\nfunction isNextjsRedirectError(error: unknown): error is RedirectError<{ redirectUrl: string | URL }> {\n  if (typeof error !== 'object' || error === null || !('digest' in error) || typeof error.digest !== 'string') {\n    return false;\n  }\n\n  const digest = error.digest.split(';');\n  const [errorCode, type] = digest;\n  const destination = digest.slice(2, -2).join(';');\n  const status = digest.at(-2);\n\n  const statusCode = Number(status);\n\n  return (\n    errorCode === REDIRECT_ERROR_CODE &&\n    (type === 'replace' || type === 'push') &&\n    typeof destination === 'string' &&\n    !isNaN(statusCode) &&\n    statusCode === 307\n  );\n}\n\nfunction isRedirectToSignInError(error: unknown): error is RedirectError<{ returnBackUrl: string | URL }> {\n  if (isNextjsRedirectError(error) && 'tern_digest' in error) {\n    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_IN;\n  }\n\n  return false;\n}\n\nfunction isRedirectToSignUpError(error: unknown): error is RedirectError<{ returnBackUrl: string | URL }> {\n  if (isNextjsRedirectError(error) && 'tern_digest' in error) {\n    return error.tern_digest === CONTROL_FLOW_ERROR.REDIRECT_TO_SIGN_UP;\n  }\n\n  return false;\n}\n\nexport {\n  isNextjsNotFoundError,\n  isLegacyNextjsNotFoundError,\n  redirectToSignInError,\n  redirectToSignUpError,\n  nextjsRedirectError,\n  isNextjsRedirectError,\n  isRedirectToSignInError,\n  isRedirectToSignUpError,\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,MAAM,qBAAqB;AAAA,EACzB,iBAAiB;AAAA,EACjB,qBAAqB;AAAA,EACrB,qBAAqB;AACvB;AAMA,MAAM,8BAA8B;AASpC,SAAS,4BAA4B,OAA8C;AACjF,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,QAAQ;AACvE,WAAO;AAAA,EACT;AAEA,SAAO,MAAM,WAAW;AAC1B;AAEA,MAAM,6BAA6B;AAAA,EACjC,WAAW;AAAA,EACX,WAAW;AAAA,EACX,cAAc;AAChB;AAEA,MAAM,gBAAgB,IAAI,IAAI,OAAO,OAAO,0BAA0B,CAAC;AAEhE,MAAM,iCAAiC;AAMvC,SAAS,0BAA0B,OAAkD;AAC1F,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UAAU;AAC3G,WAAO;AAAA,EACT;AACA,QAAM,CAAC,QAAQ,UAAU,IAAI,MAAM,OAAO,MAAM,GAAG;AAEnD,SAAO,WAAW,kCAAkC,cAAc,IAAI,OAAO,UAAU,CAAC;AAC1F;AAEO,SAAS,6BAA6B,OAAoC;AAC/E,MAAI,CAAC,0BAA0B,KAAK,GAAG;AACrC,WAAO;AAAA,EACT;AAEA,QAAM,CAAC,EAAE,UAAU,IAAI,MAAM,OAAO,MAAM,GAAG;AAC7C,SAAO,OAAO,UAAU;AAC1B;AAEA,SAAS,sBAAsB,OAAwE;AACrG,SACE,4BAA4B,KAAK;AAAA,EAEjC,6BAA6B,KAAK,MAAM,2BAA2B;AAEvE;AAOA,MAAM,sBAAsB;AAO5B,SAAS,oBACP,KACA,OACA,OAAkB,WAClB,aAAkB,KACX;AACP,QAAM,QAAQ,IAAI,MAAM,mBAAmB;AAC3C,QAAM,SAAS,GAAG,mBAAmB,IAAI,IAAI,IAAI,GAAG,IAAI,UAAU;AAClE,QAAM,cAAc,mBAAmB;AACvC,SAAO,OAAO,OAAO,KAAK;AAC1B,QAAM;AACR;AAEA,SAAS,mBAAmB,KAAa,eAAmD;AAC1F,SAAO,kBAAkB,OAAO,KAAK,iBAAiB;AACxD;AAEA,SAAS,sBAAsB,KAAa,eAA4C;AACtF,sBAAoB,KAAK;AAAA,IACvB,aAAa,mBAAmB;AAAA,IAChC,eAAe,mBAAmB,KAAK,aAAa;AAAA,EACtD,CAAC;AACH;AAEA,SAAS,sBAAsB,KAAa,eAA4C;AACtF,sBAAoB,KAAK;AAAA,IACvB,aAAa,mBAAmB;AAAA,IAChC,eAAe,mBAAmB,KAAK,aAAa;AAAA,EACtD,CAAC;AACH;AASA,SAAS,sBAAsB,OAAuE;AACpG,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,EAAE,YAAY,UAAU,OAAO,MAAM,WAAW,UAAU;AAC3G,WAAO;AAAA,EACT;AAEA,QAAM,SAAS,MAAM,OAAO,MAAM,GAAG;AACrC,QAAM,CAAC,WAAW,IAAI,IAAI;AAC1B,QAAM,cAAc,OAAO,MAAM,GAAG,EAAE,EAAE,KAAK,GAAG;AAChD,QAAM,SAAS,OAAO,GAAG,EAAE;AAE3B,QAAM,aAAa,OAAO,MAAM;AAEhC,SACE,cAAc,wBACb,SAAS,aAAa,SAAS,WAChC,OAAO,gBAAgB,YACvB,CAAC,MAAM,UAAU,KACjB,eAAe;AAEnB;AAEA,SAAS,wBAAwB,OAAyE;AACxG,MAAI,sBAAsB,KAAK,KAAK,iBAAiB,OAAO;AAC1D,WAAO,MAAM,gBAAgB,mBAAmB;AAAA,EAClD;AAEA,SAAO;AACT;AAEA,SAAS,wBAAwB,OAAyE;AACxG,MAAI,sBAAsB,KAAK,KAAK,iBAAiB,OAAO;AAC1D,WAAO,MAAM,gBAAgB,mBAAmB;AAAA,EAClD;AAEA,SAAO;AACT;","names":[]}

package/dist/cjs/server/nextFetcher.js

@@ -0,0 +1,31 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var nextFetcher_exports = {};
+__export(nextFetcher_exports, {
+  isNextFetcher: () => isNextFetcher
+});
+module.exports = __toCommonJS(nextFetcher_exports);
+function isNextFetcher(fetch) {
+  return "__nextPatched" in fetch && fetch.__nextPatched === true;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  isNextFetcher
+});
+//# sourceMappingURL=nextFetcher.js.map

package/dist/cjs/server/nextFetcher.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/server/nextFetcher.ts"],"sourcesContent":["type Fetcher = typeof globalThis.fetch;\n\n/**\n * Based on nextjs internal implementation https://github.com/vercel/next.js/blob/6185444e0a944a82e7719ac37dad8becfed86acd/packages/next/src/server/lib/patch-fetch.ts#L23\n */\ntype NextFetcher = Fetcher & {\n  readonly __nextPatched: true;\n  readonly __nextGetStaticStore: () => { getStore: () => StaticGenerationAsyncStorage | undefined };\n};\n\n/**\n * Full type can be found https://github.com/vercel/next.js/blob/6185444e0a944a82e7719ac37dad8becfed86acd/packages/next/src/client/components/static-generation-async-storage.external.ts#L4\n */\ninterface StaticGenerationAsyncStorage {\n  /**\n   * Available for Next 14\n   */\n  readonly pagePath?: string;\n  /**\n   * Available for Next 15\n   */\n  readonly page?: string;\n}\n\nfunction isNextFetcher(fetch: Fetcher | NextFetcher): fetch is NextFetcher {\n  return '__nextPatched' in fetch && fetch.__nextPatched === true;\n}\n\nexport { isNextFetcher };\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAwBA,SAAS,cAAc,OAAoD;AACzE,SAAO,mBAAmB,SAAS,MAAM,kBAAkB;AAC7D;","names":[]}

package/dist/cjs/server/node/SessionTernSecure.js

@@ -0,0 +1,55 @@
+"use strict";
+"use server";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var SessionTernSecure_exports = {};
+__export(SessionTernSecure_exports, {
+  verifyFirebaseToken: () => verifyFirebaseToken
+});
+module.exports = __toCommonJS(SessionTernSecure_exports);
+var import_admin = require("@tern-secure/backend/admin");
+async function verifyFirebaseToken(token) {
+  if (!token) {
+    return {
+      valid: false,
+      error: {
+        success: false,
+        code: "INVALID_TOKEN",
+        message: "Token is required for verification"
+      }
+    };
+  }
+  try {
+    return await (0, import_admin.VerifyNextTernSessionCookie)(token);
+  } catch (error) {
+    console.error("Error verifying token:", error);
+    return {
+      valid: false,
+      error: {
+        success: false,
+        code: "INVALID_TOKEN",
+        message: error instanceof Error ? error.message : "Token verification failed"
+      }
+    };
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifyFirebaseToken
+});
+//# sourceMappingURL=SessionTernSecure.js.map

package/dist/cjs/server/node/SessionTernSecure.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/SessionTernSecure.ts"],"sourcesContent":["\"use server\";\n\nimport { VerifyNextTernSessionCookie } from \"@tern-secure/backend/admin\";\nimport type { TernVerificationResult } from \"@tern-secure/types\";\n\nexport async function verifyFirebaseToken(\n  token: string\n): Promise<TernVerificationResult> {\n  if (!token) {\n    return {\n      valid: false,\n      error: {\n        success: false,\n        code: \"INVALID_TOKEN\",\n        message: \"Token is required for verification\",\n      },\n    };\n  }\n\n  try {\n    return await VerifyNextTernSessionCookie(token);\n  } catch (error) {\n    console.error(\"Error verifying token:\", error);\n    return {\n      valid: false,\n      error: {\n        success: false,\n        code: \"INVALID_TOKEN\",\n        message:\n          error instanceof Error ? error.message : \"Token verification failed\",\n      },\n    };\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,mBAA4C;AAG5C,eAAsB,oBACpB,OACiC;AACjC,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAEA,MAAI;AACF,WAAO,UAAM,0CAA4B,KAAK;AAAA,EAChD,SAAS,OAAO;AACd,YAAQ,MAAM,0BAA0B,KAAK;AAC7C,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,QACL,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/cjs/server/{auth.js → node/auth.js}

@@ -24,34 +24,22 @@ __export(auth_exports, {
   requireAuth: () => requireAuth
 });
 module.exports = __toCommonJS(auth_exports);
-var import_react = require("react");
 var import_headers = require("next/headers");
-var import_jwt_edge = require("./jwt-edge");
-var import_errors = require("../errors");
+var import_react = require("react");
+var import_errors = require("../../errors");
+var import_SessionTernSecure = require("./SessionTernSecure");
 const auth = (0, import_react.cache)(async () => {
   try {
-    console.log("auth: Starting auth check...");
     const cookieStore = await (0, import_headers.cookies)();
     const sessionCookie = cookieStore.get("_session_cookie")?.value;
     if (sessionCookie) {
-      const result = await (0, import_jwt_edge.verifyFirebaseToken)(sessionCookie, true);
-      if (result.valid) {
-        const user = {
-          uid: result.uid ?? "",
-          email: result.email || null,
-          authTime: result.authTime
-        };
-        return { user, error: null };
-      }
-    }
-    const idToken = cookieStore.get("_session_token")?.value;
-    if (idToken) {
-      const result = await (0, import_jwt_edge.verifyFirebaseToken)(idToken, false);
+      const result = await (0, import_SessionTernSecure.verifyFirebaseToken)(sessionCookie);
       if (result.valid) {
         const user = {
           uid: result.uid ?? "",
-          email: result.email || null,
-          authTime: result.authTime
+          email: result.email && typeof result.email === "string" ? result.email : null,
+          tenantId: result.tenant || "default",
+          authTime: result.authTime && typeof result.authTime === "number" ? result.authTime : void 0
         };
         return { user, error: null };
       }
@@ -70,7 +58,10 @@ const auth = (0, import_react.cache)(async () => {
     }
     return {
       user: null,
-      error: new import_errors.TernSecureError("INTERNAL_ERROR", "An unexpected error occurred")
+      error: new import_errors.TernSecureError(
+        "INTERNAL_ERROR",
+        "An unexpected error occurred"
+      )
     };
   }
 });

package/dist/cjs/server/node/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/auth.ts"],"sourcesContent":["import { cookies } from \"next/headers\";\nimport { cache } from \"react\";\n\nimport { TernSecureError } from \"../../errors\";\nimport type { BaseUser } from \"../../types\";\nimport { verifyFirebaseToken } from \"./SessionTernSecure\";\n\nexport interface AuthResult {\n  user: BaseUser | null;\n  error: Error | null;\n}\n\n/**\n * Get the current authenticated user from the session cookies\n */\nexport const auth = cache(async (): Promise<AuthResult> => {\n  try {\n    const cookieStore = await cookies();\n\n    const sessionCookie = cookieStore.get(\"_session_cookie\")?.value;\n    if (sessionCookie) {\n      const result = await verifyFirebaseToken(sessionCookie);\n      if (result.valid) {\n        const user: BaseUser = {\n          uid: result.uid ?? \"\",\n          email:\n            result.email && typeof result.email === \"string\"\n              ? result.email\n              : null,\n          tenantId: result.tenant || \"default\",\n          authTime:\n            result.authTime && typeof result.authTime === \"number\"\n              ? result.authTime\n              : undefined,\n        };\n        return { user, error: null };\n      }\n    }\n\n    return {\n      user: null,\n      error: new TernSecureError(\"UNAUTHENTICATED\", \"No valid session found\"),\n    };\n  } catch (error) {\n    console.error(\"Error in Auth:\", error);\n    if (error instanceof TernSecureError) {\n      return {\n        user: null,\n        error,\n      };\n    }\n    return {\n      user: null,\n      error: new TernSecureError(\n        \"INTERNAL_ERROR\",\n        \"An unexpected error occurred\"\n      ),\n    };\n  }\n});\n\n/**\n * Type guard to check if user is authenticated\n */\nexport const isAuthenticated = cache(async (): Promise<boolean> => {\n  const { user } = await auth();\n  return user !== null;\n});\n\n/**\n * Get user info from auth result\n */\nexport const getUser = cache(async (): Promise<BaseUser | null> => {\n  const { user } = await auth();\n  return user;\n});\n\n/**\n * Require authentication\n * Throws error if not authenticated\n */\nexport const requireAuth = cache(async (): Promise<BaseUser> => {\n  const { user, error } = await auth();\n\n  if (!user) {\n    throw error || new Error(\"Authentication required\");\n  }\n\n  return user;\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAwB;AACxB,mBAAsB;AAEtB,oBAAgC;AAEhC,+BAAoC;AAU7B,MAAM,WAAO,oBAAM,YAAiC;AACzD,MAAI;AACF,UAAM,cAAc,UAAM,wBAAQ;AAElC,UAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAC1D,QAAI,eAAe;AACjB,YAAM,SAAS,UAAM,8CAAoB,aAAa;AACtD,UAAI,OAAO,OAAO;AAChB,cAAM,OAAiB;AAAA,UACrB,KAAK,OAAO,OAAO;AAAA,UACnB,OACE,OAAO,SAAS,OAAO,OAAO,UAAU,WACpC,OAAO,QACP;AAAA,UACN,UAAU,OAAO,UAAU;AAAA,UAC3B,UACE,OAAO,YAAY,OAAO,OAAO,aAAa,WAC1C,OAAO,WACP;AAAA,QACR;AACA,eAAO,EAAE,MAAM,OAAO,KAAK;AAAA,MAC7B;AAAA,IACF;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,IAAI,8BAAgB,mBAAmB,wBAAwB;AAAA,IACxE;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,kBAAkB,KAAK;AACrC,QAAI,iBAAiB,+BAAiB;AACpC,aAAO;AAAA,QACL,MAAM;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,IAAI;AAAA,QACT;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAKM,MAAM,sBAAkB,oBAAM,YAA8B;AACjE,QAAM,EAAE,KAAK,IAAI,MAAM,KAAK;AAC5B,SAAO,SAAS;AAClB,CAAC;AAKM,MAAM,cAAU,oBAAM,YAAsC;AACjE,QAAM,EAAE,KAAK,IAAI,MAAM,KAAK;AAC5B,SAAO;AACT,CAAC;AAMM,MAAM,kBAAc,oBAAM,YAA+B;AAC9D,QAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK;AAEnC,MAAI,CAAC,MAAM;AACT,UAAM,SAAS,IAAI,MAAM,yBAAyB;AAAA,EACpD;AAEA,SAAO;AACT,CAAC;","names":[]}

package/dist/cjs/server/node/index.js

@@ -0,0 +1,40 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var node_exports = {};
+__export(node_exports, {
+  auth: () => import_auth.auth,
+  createRouteMatcher: () => import_ternSecureNodeMiddleware.createRouteMatcher,
+  getUser: () => import_auth.getUser,
+  isAuthenticated: () => import_auth.isAuthenticated,
+  requireAuth: () => import_auth.requireAuth,
+  ternSecureMiddleware: () => import_ternSecureNodeMiddleware.ternSecureMiddleware
+});
+module.exports = __toCommonJS(node_exports);
+var import_ternSecureNodeMiddleware = require("./ternSecureNodeMiddleware");
+var import_auth = require("./auth");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  auth,
+  createRouteMatcher,
+  getUser,
+  isAuthenticated,
+  requireAuth,
+  ternSecureMiddleware
+});
+//# sourceMappingURL=index.js.map

package/dist/cjs/server/node/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/index.ts"],"sourcesContent":["export {\n  ternSecureMiddleware,\n  createRouteMatcher,\n} from \"./ternSecureNodeMiddleware\";\nexport {\n  auth,\n  getUser,\n  isAuthenticated,\n  requireAuth,\n  type AuthResult,\n} from \"./auth\";"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,sCAGO;AACP,kBAMO;","names":[]}

package/dist/cjs/server/node/node-session.js

@@ -0,0 +1,60 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var node_session_exports = {};
+__export(node_session_exports, {
+  verifySession: () => verifySession
+});
+module.exports = __toCommonJS(node_session_exports);
+var import_SessionTernSecure = require("./SessionTernSecure");
+async function verifySession(request) {
+  try {
+    const sessionCookie = request.cookies.get("_session_cookie")?.value;
+    if (sessionCookie) {
+      const result = await (0, import_SessionTernSecure.verifyFirebaseToken)(sessionCookie);
+      if (result.valid) {
+        return {
+          isAuthenticated: true,
+          user: {
+            uid: result.uid ?? "",
+            email: result.email || null,
+            tenantId: result.tenant || "default",
+            disabled: false
+          }
+        };
+      }
+    }
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: "No valid session found"
+    };
+  } catch (error) {
+    console.error("Session verification error:", error);
+    return {
+      isAuthenticated: false,
+      user: null,
+      error: error instanceof Error ? error.message : "Session verification failed"
+    };
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifySession
+});
+//# sourceMappingURL=node-session.js.map

package/dist/cjs/server/node/node-session.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/server/node/node-session.ts"],"sourcesContent":["import type { NextRequest } from \"next/server\";\n\nimport type { SessionResult } from \"../types\";\nimport { verifyFirebaseToken } from \"./SessionTernSecure\";\n\nexport async function verifySession(\n  request: NextRequest\n): Promise<SessionResult> {\n  try {\n    const sessionCookie = request.cookies.get(\"_session_cookie\")?.value;\n    if (sessionCookie) {\n      const result = await verifyFirebaseToken(sessionCookie);\n      if (result.valid) {\n        //const disabledKey = `disabled_user:${result.uid}`;\n        //const disabledUser: DisabledUserRecord | null =\n        // await redis.get(disabledKey);\n        //const isDisabled = !!disabledUser;\n        return {\n          isAuthenticated: true,\n          user: {\n            uid: result.uid ?? \"\",\n            email: result.email || null,\n            tenantId: result.tenant || \"default\",\n            disabled: false,\n          },\n        };\n      }\n    }\n    return {\n      isAuthenticated: false,\n      user: null,\n      error: \"No valid session found\",\n    };\n  } catch (error) {\n    console.error(\"Session verification error:\", error);\n    return {\n      isAuthenticated: false,\n      user: null,\n      error:\n        error instanceof Error ? error.message : \"Session verification failed\",\n    };\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,+BAAoC;AAEpC,eAAsB,cACpB,SACwB;AACxB,MAAI;AACF,UAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,QAAI,eAAe;AACjB,YAAM,SAAS,UAAM,8CAAoB,aAAa;AACtD,UAAI,OAAO,OAAO;AAKhB,eAAO;AAAA,UACL,iBAAiB;AAAA,UACjB,MAAM;AAAA,YACJ,KAAK,OAAO,OAAO;AAAA,YACnB,OAAO,OAAO,SAAS;AAAA,YACvB,UAAU,OAAO,UAAU;AAAA,YAC3B,UAAU;AAAA,UACZ;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OAAO;AAAA,IACT;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,+BAA+B,KAAK;AAClD,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB,MAAM;AAAA,MACN,OACE,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC7C;AAAA,EACF;AACF;","names":[]}