@tern-secure/nextjs 5.1.8 → 5.1.9

package/dist/esm/app-router/admin/fnValidators.js

@@ -0,0 +1,270 @@
+import { NextResponse } from "next/server";
+import { createApiErrorResponse } from "./responses";
+function createRequestContext(request) {
+  const url = new URL(request.url);
+  const pathSegments = url.pathname.split("/").filter(Boolean);
+  return {
+    request,
+    origin: request.headers.get("origin"),
+    host: request.headers.get("host"),
+    referer: request.headers.get("referer"),
+    userAgent: request.headers.get("user-agent") || "",
+    method: request.method,
+    pathSegments
+  };
+}
+function createValidators(context) {
+  const { request, origin, host, referer, userAgent, method, pathSegments } = context;
+  async function validateCors(corsOptions) {
+    if (corsOptions.skipSameOrigin) {
+      if (!origin || host && origin.includes(host)) {
+        return null;
+      }
+    }
+    if (corsOptions.allowedOrigins !== "*") {
+      const isAllowed = corsOptions.allowedOrigins.some((allowedOrigin) => {
+        if (allowedOrigin.startsWith("*")) {
+          const domain = allowedOrigin.slice(1);
+          return origin?.endsWith(domain);
+        }
+        return origin === allowedOrigin;
+      });
+      if (!isAllowed) {
+        return createApiErrorResponse("CORS_ORIGIN_NOT_ALLOWED", "Origin not allowed", 403);
+      }
+    }
+    return null;
+  }
+  function createCorsOptionsResponse(corsOptions) {
+    const response = new NextResponse(null, { status: 204 });
+    if (corsOptions.allowedOrigins === "*") {
+      response.headers.set("Access-Control-Allow-Origin", "*");
+    } else {
+      response.headers.set("Access-Control-Allow-Origin", corsOptions.allowedOrigins.join(","));
+    }
+    response.headers.set(
+      "Access-Control-Allow-Methods",
+      corsOptions.allowedMethods?.join(",") || "GET,POST"
+    );
+    response.headers.set(
+      "Access-Control-Allow-Headers",
+      corsOptions.allowedHeaders?.join(",") || "Content-Type,Authorization"
+    );
+    if (corsOptions.allowCredentials) {
+      response.headers.set("Access-Control-Allow-Credentials", "true");
+    }
+    if (corsOptions.maxAge) {
+      response.headers.set("Access-Control-Max-Age", corsOptions.maxAge.toString());
+    }
+    return response;
+  }
+  async function validateSecurity(securityOptions) {
+    const csrfResult = validateCsrf(securityOptions);
+    if (csrfResult) return csrfResult;
+    const headersResult = validateRequiredHeaders(securityOptions);
+    if (headersResult) return headersResult;
+    const userAgentResult = validateUserAgent(securityOptions);
+    if (userAgentResult) return userAgentResult;
+    return null;
+  }
+  function validateCsrf(securityOptions) {
+    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {
+      const hasCSRFHeader = request.headers.get("x-requested-with") === "XMLHttpRequest";
+      const hasValidReferer = referer && host && referer.includes(host);
+      if (!hasCSRFHeader && !hasValidReferer) {
+        const isAllowedReferer = securityOptions.allowedReferers?.some(
+          (allowedRef) => referer?.includes(allowedRef)
+        );
+        if (!isAllowedReferer) {
+          return createApiErrorResponse("CSRF_PROTECTION", "Access denied", 403);
+        }
+      }
+    }
+    return null;
+  }
+  function validateRequiredHeaders(securityOptions) {
+    if (securityOptions.requiredHeaders) {
+      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {
+        const actualValue = request.headers.get(headerName);
+        if (actualValue !== expectedValue) {
+          return createApiErrorResponse(
+            "INVALID_HEADERS",
+            "Required header missing or invalid",
+            400
+          );
+        }
+      }
+    }
+    return null;
+  }
+  function validateUserAgent(securityOptions) {
+    if (securityOptions.userAgent?.block?.length) {
+      const isBlocked = securityOptions.userAgent.block.some(
+        (blocked) => userAgent.toLowerCase().includes(blocked.toLowerCase())
+      );
+      if (isBlocked) {
+        return createApiErrorResponse("USER_AGENT_BLOCKED", "Access denied", 403);
+      }
+    }
+    if (securityOptions.userAgent?.allow?.length) {
+      const isAllowed = securityOptions.userAgent.allow.some(
+        (allowed) => userAgent.toLowerCase().includes(allowed.toLowerCase())
+      );
+      if (!isAllowed) {
+        return createApiErrorResponse("USER_AGENT_NOT_ALLOWED", "Access denied", 403);
+      }
+    }
+    return null;
+  }
+  function validateCsrfToken(csrfToken, csrfCookieValue) {
+    if (!csrfToken) {
+      return createApiErrorResponse("INVALID_CSRF_TOKEN", "CSRF token is required", 400);
+    }
+    if (!csrfCookieValue) {
+      return createApiErrorResponse("CSRF_COOKIE_MISSING", "CSRF token cookie not found", 403);
+    }
+    if (csrfToken !== csrfCookieValue) {
+      return createApiErrorResponse("CSRF_TOKEN_MISMATCH", "CSRF token mismatch", 403);
+    }
+    return null;
+  }
+  function validatePathStructure() {
+    if (pathSegments.length < 3) {
+      return createApiErrorResponse(
+        "INVALID_ROUTE",
+        "Invalid route structure. Expected: /api/auth/{endpoint}",
+        404
+      );
+    }
+    return null;
+  }
+  function validateEndpoint(_endpoint, endpointConfig) {
+    if (!endpointConfig || !endpointConfig.enabled) {
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (method !== "OPTIONS" && !endpointConfig.methods.includes(method)) {
+      return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+  function validateSubEndpoint(subEndpoint, subEndpointConfig) {
+    if (!subEndpoint) {
+      return createApiErrorResponse("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
+    }
+    if (!subEndpointConfig || !subEndpointConfig.enabled) {
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (!subEndpointConfig.methods?.includes(method)) {
+      return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+  async function validateSessionRequest() {
+    try {
+      const body = await request.json();
+      return { body, idToken: body.idToken, csrfToken: body.csrfToken };
+    } catch (error) {
+      return {
+        body: null,
+        error: createApiErrorResponse("INVALID_REQUEST_FORMAT", "Invalid request format", 400)
+      };
+    }
+  }
+  function validateIdToken(idToken) {
+    if (!idToken) {
+      return createApiErrorResponse(
+        "INVALID_TOKEN",
+        "ID token is required for creating session",
+        400
+      );
+    }
+    return null;
+  }
+  async function validateRequest(config) {
+    if (method === "OPTIONS" && config.cors) {
+      return {
+        isValid: true,
+        corsResponse: createCorsOptionsResponse(config.cors)
+      };
+    }
+    const pathError = validatePathStructure();
+    if (pathError) {
+      return { isValid: false, error: pathError };
+    }
+    if (config.cors) {
+      const corsError = await validateCors(config.cors);
+      if (corsError) {
+        return { isValid: false, error: corsError };
+      }
+    }
+    if (config.security) {
+      const securityError = await validateSecurity(config.security);
+      if (securityError) {
+        return { isValid: false, error: securityError };
+      }
+    }
+    if (config.endpoint) {
+      const endpointError = validateEndpoint(config.endpoint.name, config.endpoint.config);
+      if (endpointError) {
+        return { isValid: false, error: endpointError };
+      }
+    }
+    if (config.subEndpoint) {
+      const subEndpointError = validateSubEndpoint(
+        config.subEndpoint.name,
+        config.subEndpoint.config
+      );
+      if (subEndpointError) {
+        return { isValid: false, error: subEndpointError };
+      }
+    }
+    let sessionData;
+    if (method === "POST" && (config.requireIdToken || config.requireCsrfToken)) {
+      const sessionResult = await validateSessionRequest();
+      if (sessionResult.error) {
+        return { isValid: false, error: sessionResult.error };
+      }
+      sessionData = sessionResult;
+      if (config.requireIdToken) {
+        const idTokenError = validateIdToken(sessionData.idToken);
+        if (idTokenError) {
+          return { isValid: false, error: idTokenError };
+        }
+      }
+      if (config.requireCsrfToken && sessionData.csrfToken) {
+        const csrfCookieValue = request.cookies.get("csrfToken")?.value;
+        const csrfError = validateCsrfToken(sessionData.csrfToken, csrfCookieValue);
+        if (csrfError) {
+          return { isValid: false, error: csrfError };
+        }
+      }
+    }
+    return {
+      isValid: true,
+      sessionData
+    };
+  }
+  function createValidationConfig(overrides = {}) {
+    return {
+      ...overrides
+    };
+  }
+  return {
+    createValidationConfig,
+    validateRequest,
+    validateCors,
+    validateSecurity,
+    validatePathStructure,
+    validateEndpoint,
+    validateSubEndpoint,
+    validateSessionRequest,
+    validateIdToken,
+    validateCsrfToken,
+    createCorsOptionsResponse
+  };
+}
+export {
+  createRequestContext,
+  createValidators
+};
+//# sourceMappingURL=fnValidators.js.map

package/dist/esm/app-router/admin/fnValidators.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/fnValidators.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\n\nimport { createApiErrorResponse } from './responses';\nimport type {\n  AuthEndpoint,\n  ComprehensiveValidationResult,\n  CorsOptions,\n  EndpointConfig,\n  SecurityOptions,\n  SessionSubEndpoint,\n  ValidationConfig,\n} from './types';\n\nexport interface RequestContext {\n  request: NextRequest;\n  origin: string | null;\n  host: string | null;\n  referer: string | null;\n  userAgent: string;\n  method: string;\n  pathSegments: string[];\n}\n\nexport function createRequestContext(request: NextRequest): RequestContext {\n  const url = new URL(request.url);\n  const pathSegments = url.pathname.split('/').filter(Boolean);\n\n  return {\n    request,\n    origin: request.headers.get('origin'),\n    host: request.headers.get('host'),\n    referer: request.headers.get('referer'),\n    userAgent: request.headers.get('user-agent') || '',\n    method: request.method,\n    pathSegments,\n  };\n}\n\n/**\n * Main validators factory function\n * Returns an object containing all validator functions and utilities\n */\nexport function createValidators(context: RequestContext) {\n  const { request, origin, host, referer, userAgent, method, pathSegments } = context;\n\n  async function validateCors(corsOptions: CorsOptions): Promise<NextResponse | null> {\n    if (corsOptions.skipSameOrigin) {\n      if (!origin || (host && origin.includes(host))) {\n        return null;\n      }\n    }\n\n    if (corsOptions.allowedOrigins !== '*') {\n      const isAllowed = corsOptions.allowedOrigins.some(allowedOrigin => {\n        if (allowedOrigin.startsWith('*')) {\n          const domain = allowedOrigin.slice(1);\n          return origin?.endsWith(domain);\n        }\n        return origin === allowedOrigin;\n      });\n\n      if (!isAllowed) {\n        return createApiErrorResponse('CORS_ORIGIN_NOT_ALLOWED', 'Origin not allowed', 403);\n      }\n    }\n\n    return null;\n  }\n\n  function createCorsOptionsResponse(corsOptions: CorsOptions): NextResponse {\n    const response = new NextResponse(null, { status: 204 });\n\n    if (corsOptions.allowedOrigins === '*') {\n      response.headers.set('Access-Control-Allow-Origin', '*');\n    } else {\n      response.headers.set('Access-Control-Allow-Origin', corsOptions.allowedOrigins.join(','));\n    }\n\n    response.headers.set(\n      'Access-Control-Allow-Methods',\n      corsOptions.allowedMethods?.join(',') || 'GET,POST',\n    );\n    response.headers.set(\n      'Access-Control-Allow-Headers',\n      corsOptions.allowedHeaders?.join(',') || 'Content-Type,Authorization',\n    );\n\n    if (corsOptions.allowCredentials) {\n      response.headers.set('Access-Control-Allow-Credentials', 'true');\n    }\n\n    if (corsOptions.maxAge) {\n      response.headers.set('Access-Control-Max-Age', corsOptions.maxAge.toString());\n    }\n\n    return response;\n  }\n\n  async function validateSecurity(securityOptions: SecurityOptions): Promise<NextResponse | null> {\n    const csrfResult = validateCsrf(securityOptions);\n    if (csrfResult) return csrfResult;\n\n    const headersResult = validateRequiredHeaders(securityOptions);\n    if (headersResult) return headersResult;\n\n    const userAgentResult = validateUserAgent(securityOptions);\n    if (userAgentResult) return userAgentResult;\n\n    return null;\n  }\n\n  function validateCsrf(securityOptions: SecurityOptions): NextResponse | null {\n    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {\n      const hasCSRFHeader = request.headers.get('x-requested-with') === 'XMLHttpRequest';\n      const hasValidReferer = referer && host && referer.includes(host);\n\n      if (!hasCSRFHeader && !hasValidReferer) {\n        const isAllowedReferer = securityOptions.allowedReferers?.some((allowedRef: string) =>\n          referer?.includes(allowedRef),\n        );\n\n        if (!isAllowedReferer) {\n          return createApiErrorResponse('CSRF_PROTECTION', 'Access denied', 403);\n        }\n      }\n    }\n    return null;\n  }\n\n  function validateRequiredHeaders(securityOptions: SecurityOptions): NextResponse | null {\n    if (securityOptions.requiredHeaders) {\n      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {\n        const actualValue = request.headers.get(headerName);\n        if (actualValue !== expectedValue) {\n          return createApiErrorResponse(\n            'INVALID_HEADERS',\n            'Required header missing or invalid',\n            400,\n          );\n        }\n      }\n    }\n    return null;\n  }\n\n  function validateUserAgent(securityOptions: SecurityOptions): NextResponse | null {\n    if (securityOptions.userAgent?.block?.length) {\n      const isBlocked = securityOptions.userAgent.block.some((blocked: string) =>\n        userAgent.toLowerCase().includes(blocked.toLowerCase()),\n      );\n\n      if (isBlocked) {\n        return createApiErrorResponse('USER_AGENT_BLOCKED', 'Access denied', 403);\n      }\n    }\n\n    if (securityOptions.userAgent?.allow?.length) {\n      const isAllowed = securityOptions.userAgent.allow.some((allowed: string) =>\n        userAgent.toLowerCase().includes(allowed.toLowerCase()),\n      );\n\n      if (!isAllowed) {\n        return createApiErrorResponse('USER_AGENT_NOT_ALLOWED', 'Access denied', 403);\n      }\n    }\n\n    return null;\n  }\n\n  function validateCsrfToken(\n    csrfToken: string,\n    csrfCookieValue: string | undefined,\n  ): NextResponse | null {\n    if (!csrfToken) {\n      return createApiErrorResponse('INVALID_CSRF_TOKEN', 'CSRF token is required', 400);\n    }\n\n    if (!csrfCookieValue) {\n      return createApiErrorResponse('CSRF_COOKIE_MISSING', 'CSRF token cookie not found', 403);\n    }\n\n    if (csrfToken !== csrfCookieValue) {\n      return createApiErrorResponse('CSRF_TOKEN_MISMATCH', 'CSRF token mismatch', 403);\n    }\n\n    return null;\n  }\n\n  function validatePathStructure(): NextResponse | null {\n    if (pathSegments.length < 3) {\n      return createApiErrorResponse(\n        'INVALID_ROUTE',\n        'Invalid route structure. Expected: /api/auth/{endpoint}',\n        404,\n      );\n    }\n    return null;\n  }\n\n  function validateEndpoint(\n    _endpoint: AuthEndpoint,\n    endpointConfig: EndpointConfig,\n  ): NextResponse | null {\n    if (!endpointConfig || !endpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (method !== 'OPTIONS' && !endpointConfig.methods.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n\n  function validateSubEndpoint(\n    subEndpoint: SessionSubEndpoint | undefined,\n    subEndpointConfig: any,\n  ): NextResponse | null {\n    if (!subEndpoint) {\n      return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n    }\n\n    if (!subEndpointConfig || !subEndpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (!subEndpointConfig.methods?.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n\n  async function validateSessionRequest(): Promise<{\n    body: any;\n    idToken?: string;\n    csrfToken?: string;\n    error?: NextResponse;\n  }> {\n    try {\n      const body = await request.json();\n      return { body, idToken: body.idToken, csrfToken: body.csrfToken };\n    } catch (error) {\n      return {\n        body: null,\n        error: createApiErrorResponse('INVALID_REQUEST_FORMAT', 'Invalid request format', 400),\n      };\n    }\n  }\n\n  function validateIdToken(idToken: string | undefined): NextResponse | null {\n    if (!idToken) {\n      return createApiErrorResponse(\n        'INVALID_TOKEN',\n        'ID token is required for creating session',\n        400,\n      );\n    }\n    return null;\n  }\n\n  /**\n   * Main validation orchestrator function\n   * Runs all configured validations in the correct order\n   */\n  async function validateRequest(config: ValidationConfig): Promise<ComprehensiveValidationResult> {\n    if (method === 'OPTIONS' && config.cors) {\n      return {\n        isValid: true,\n        corsResponse: createCorsOptionsResponse(config.cors),\n      };\n    }\n    const pathError = validatePathStructure();\n    if (pathError) {\n      return { isValid: false, error: pathError };\n    }\n\n    if (config.cors) {\n      const corsError = await validateCors(config.cors);\n      if (corsError) {\n        return { isValid: false, error: corsError };\n      }\n    }\n\n    if (config.security) {\n      const securityError = await validateSecurity(config.security);\n      if (securityError) {\n        return { isValid: false, error: securityError };\n      }\n    }\n\n    if (config.endpoint) {\n      const endpointError = validateEndpoint(config.endpoint.name, config.endpoint.config);\n      if (endpointError) {\n        return { isValid: false, error: endpointError };\n      }\n    }\n\n    if (config.subEndpoint) {\n      const subEndpointError = validateSubEndpoint(\n        config.subEndpoint.name,\n        config.subEndpoint.config,\n      );\n      if (subEndpointError) {\n        return { isValid: false, error: subEndpointError };\n      }\n    }\n\n    let sessionData;\n    if (method === 'POST' && (config.requireIdToken || config.requireCsrfToken)) {\n      const sessionResult = await validateSessionRequest();\n      if (sessionResult.error) {\n        return { isValid: false, error: sessionResult.error };\n      }\n\n      sessionData = sessionResult;\n\n      if (config.requireIdToken) {\n        const idTokenError = validateIdToken(sessionData.idToken);\n        if (idTokenError) {\n          return { isValid: false, error: idTokenError };\n        }\n      }\n\n      if (config.requireCsrfToken && sessionData.csrfToken) {\n        const csrfCookieValue = request.cookies.get('csrfToken')?.value;\n        const csrfError = validateCsrfToken(sessionData.csrfToken, csrfCookieValue);\n        if (csrfError) {\n          return { isValid: false, error: csrfError };\n        }\n      }\n    }\n\n    return {\n      isValid: true,\n      sessionData,\n    };\n  }\n\n  /**\n   * Convenience function for quick validation setup\n   */\n  function createValidationConfig(overrides: Partial<ValidationConfig> = {}): ValidationConfig {\n    return {\n      ...overrides,\n    };\n  }\n\n  return {\n    createValidationConfig,\n\n    validateRequest,\n\n    validateCors,\n    validateSecurity,\n    validatePathStructure,\n    validateEndpoint,\n    validateSubEndpoint,\n    validateSessionRequest,\n    validateIdToken,\n    validateCsrfToken,\n\n    createCorsOptionsResponse,\n  };\n}\n"],"mappings":"AAAA,SAA2B,oBAAoB;AAE/C,SAAS,8BAA8B;AAqBhC,SAAS,qBAAqB,SAAsC;AACzE,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,eAAe,IAAI,SAAS,MAAM,GAAG,EAAE,OAAO,OAAO;AAE3D,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,QAAQ,QAAQ,IAAI,QAAQ;AAAA,IACpC,MAAM,QAAQ,QAAQ,IAAI,MAAM;AAAA,IAChC,SAAS,QAAQ,QAAQ,IAAI,SAAS;AAAA,IACtC,WAAW,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAAA,IAChD,QAAQ,QAAQ;AAAA,IAChB;AAAA,EACF;AACF;AAMO,SAAS,iBAAiB,SAAyB;AACxD,QAAM,EAAE,SAAS,QAAQ,MAAM,SAAS,WAAW,QAAQ,aAAa,IAAI;AAE5E,iBAAe,aAAa,aAAwD;AAClF,QAAI,YAAY,gBAAgB;AAC9B,UAAI,CAAC,UAAW,QAAQ,OAAO,SAAS,IAAI,GAAI;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,QAAI,YAAY,mBAAmB,KAAK;AACtC,YAAM,YAAY,YAAY,eAAe,KAAK,mBAAiB;AACjE,YAAI,cAAc,WAAW,GAAG,GAAG;AACjC,gBAAM,SAAS,cAAc,MAAM,CAAC;AACpC,iBAAO,QAAQ,SAAS,MAAM;AAAA,QAChC;AACA,eAAO,WAAW;AAAA,MACpB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,eAAO,uBAAuB,2BAA2B,sBAAsB,GAAG;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,0BAA0B,aAAwC;AACzE,UAAM,WAAW,IAAI,aAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAEvD,QAAI,YAAY,mBAAmB,KAAK;AACtC,eAAS,QAAQ,IAAI,+BAA+B,GAAG;AAAA,IACzD,OAAO;AACL,eAAS,QAAQ,IAAI,+BAA+B,YAAY,eAAe,KAAK,GAAG,CAAC;AAAA,IAC1F;AAEA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AACA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AAEA,QAAI,YAAY,kBAAkB;AAChC,eAAS,QAAQ,IAAI,oCAAoC,MAAM;AAAA,IACjE;AAEA,QAAI,YAAY,QAAQ;AACtB,eAAS,QAAQ,IAAI,0BAA0B,YAAY,OAAO,SAAS,CAAC;AAAA,IAC9E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,iBAAiB,iBAAgE;AAC9F,UAAM,aAAa,aAAa,eAAe;AAC/C,QAAI,WAAY,QAAO;AAEvB,UAAM,gBAAgB,wBAAwB,eAAe;AAC7D,QAAI,cAAe,QAAO;AAE1B,UAAM,kBAAkB,kBAAkB,eAAe;AACzD,QAAI,gBAAiB,QAAO;AAE5B,WAAO;AAAA,EACT;AAEA,WAAS,aAAa,iBAAuD;AAC3E,QAAI,gBAAgB,eAAe,UAAU,QAAQ,CAAC,OAAO,SAAS,IAAI,GAAG;AAC3E,YAAM,gBAAgB,QAAQ,QAAQ,IAAI,kBAAkB,MAAM;AAClE,YAAM,kBAAkB,WAAW,QAAQ,QAAQ,SAAS,IAAI;AAEhE,UAAI,CAAC,iBAAiB,CAAC,iBAAiB;AACtC,cAAM,mBAAmB,gBAAgB,iBAAiB;AAAA,UAAK,CAAC,eAC9D,SAAS,SAAS,UAAU;AAAA,QAC9B;AAEA,YAAI,CAAC,kBAAkB;AACrB,iBAAO,uBAAuB,mBAAmB,iBAAiB,GAAG;AAAA,QACvE;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,wBAAwB,iBAAuD;AACtF,QAAI,gBAAgB,iBAAiB;AACnC,iBAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,gBAAgB,eAAe,GAAG;AACzF,cAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU;AAClD,YAAI,gBAAgB,eAAe;AACjC,iBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,kBAAkB,iBAAuD;AAChF,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,WAAW;AACb,eAAO,uBAAuB,sBAAsB,iBAAiB,GAAG;AAAA,MAC1E;AAAA,IACF;AAEA,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,CAAC,WAAW;AACd,eAAO,uBAAuB,0BAA0B,iBAAiB,GAAG;AAAA,MAC9E;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,kBACP,WACA,iBACqB;AACrB,QAAI,CAAC,WAAW;AACd,aAAO,uBAAuB,sBAAsB,0BAA0B,GAAG;AAAA,IACnF;AAEA,QAAI,CAAC,iBAAiB;AACpB,aAAO,uBAAuB,uBAAuB,+BAA+B,GAAG;AAAA,IACzF;AAEA,QAAI,cAAc,iBAAiB;AACjC,aAAO,uBAAuB,uBAAuB,uBAAuB,GAAG;AAAA,IACjF;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,wBAA6C;AACpD,QAAI,aAAa,SAAS,GAAG;AAC3B,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,WAAS,iBACP,WACA,gBACqB;AACrB,QAAI,CAAC,kBAAkB,CAAC,eAAe,SAAS;AAC9C,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,WAAW,aAAa,CAAC,eAAe,QAAQ,SAAS,MAAa,GAAG;AAC3E,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,WAAS,oBACP,aACA,mBACqB;AACrB,QAAI,CAAC,aAAa;AAChB,aAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAEA,iBAAe,yBAKZ;AACD,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,aAAO,EAAE,MAAM,SAAS,KAAK,SAAS,WAAW,KAAK,UAAU;AAAA,IAClE,SAAS,OAAO;AACd,aAAO;AAAA,QACL,MAAM;AAAA,QACN,OAAO,uBAAuB,0BAA0B,0BAA0B,GAAG;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AAEA,WAAS,gBAAgB,SAAkD;AACzE,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAMA,iBAAe,gBAAgB,QAAkE;AAC/F,QAAI,WAAW,aAAa,OAAO,MAAM;AACvC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,cAAc,0BAA0B,OAAO,IAAI;AAAA,MACrD;AAAA,IACF;AACA,UAAM,YAAY,sBAAsB;AACxC,QAAI,WAAW;AACb,aAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,IAC5C;AAEA,QAAI,OAAO,MAAM;AACf,YAAM,YAAY,MAAM,aAAa,OAAO,IAAI;AAChD,UAAI,WAAW;AACb,eAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,MAC5C;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,MAAM,iBAAiB,OAAO,QAAQ;AAC5D,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,UAAU;AACnB,YAAM,gBAAgB,iBAAiB,OAAO,SAAS,MAAM,OAAO,SAAS,MAAM;AACnF,UAAI,eAAe;AACjB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc;AAAA,MAChD;AAAA,IACF;AAEA,QAAI,OAAO,aAAa;AACtB,YAAM,mBAAmB;AAAA,QACvB,OAAO,YAAY;AAAA,QACnB,OAAO,YAAY;AAAA,MACrB;AACA,UAAI,kBAAkB;AACpB,eAAO,EAAE,SAAS,OAAO,OAAO,iBAAiB;AAAA,MACnD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI,WAAW,WAAW,OAAO,kBAAkB,OAAO,mBAAmB;AAC3E,YAAM,gBAAgB,MAAM,uBAAuB;AACnD,UAAI,cAAc,OAAO;AACvB,eAAO,EAAE,SAAS,OAAO,OAAO,cAAc,MAAM;AAAA,MACtD;AAEA,oBAAc;AAEd,UAAI,OAAO,gBAAgB;AACzB,cAAM,eAAe,gBAAgB,YAAY,OAAO;AACxD,YAAI,cAAc;AAChB,iBAAO,EAAE,SAAS,OAAO,OAAO,aAAa;AAAA,QAC/C;AAAA,MACF;AAEA,UAAI,OAAO,oBAAoB,YAAY,WAAW;AACpD,cAAM,kBAAkB,QAAQ,QAAQ,IAAI,WAAW,GAAG;AAC1D,cAAM,YAAY,kBAAkB,YAAY,WAAW,eAAe;AAC1E,YAAI,WAAW;AACb,iBAAO,EAAE,SAAS,OAAO,OAAO,UAAU;AAAA,QAC5C;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAKA,WAAS,uBAAuB,YAAuC,CAAC,GAAqB;AAC3F,WAAO;AAAA,MACL,GAAG;AAAA,IACL;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IAEA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IAEA;AAAA,EACF;AACF;","names":[]}

package/dist/esm/app-router/admin/index.js

@@ -1,5 +1,19 @@
-import { createSessionHandler } from "./sessionHandler";
+import { createTernSecureNextJsHandler } from "./ternsecureNextjsHandler";
+import {
+  clearSessionCookieServer,
+  clearNextSessionCookie,
+  createSessionCookieServer,
+  createNextSessionCookie,
+  setNextServerSession,
+  setNextServerToken
+} from "./actions";
 export {
-  createSessionHandler
+  clearNextSessionCookie,
+  clearSessionCookieServer,
+  createNextSessionCookie,
+  createSessionCookieServer,
+  createTernSecureNextJsHandler,
+  setNextServerSession,
+  setNextServerToken
 };
 //# sourceMappingURL=index.js.map

package/dist/esm/app-router/admin/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/app-router/admin/index.ts"],"sourcesContent":["export { createSessionHandler } from './sessionHandler'"],"mappings":"AAAA,SAAS,4BAA4B;","names":[]}
+{"version":3,"sources":["../../../../src/app-router/admin/index.ts"],"sourcesContent":["export { createTernSecureNextJsHandler } from './ternsecureNextjsHandler'\n\nexport { \n    clearSessionCookieServer,\n    clearNextSessionCookie,\n    createSessionCookieServer,\n    createNextSessionCookie,\n    setNextServerSession,\n    setNextServerToken\n} from './actions'\n\nexport type { TernSecureHandlerOptions } from './types'"],"mappings":"AAAA,SAAS,qCAAqC;AAE9C;AAAA,EACI;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACG;","names":[]}

package/dist/esm/app-router/admin/responses.js

@@ -0,0 +1,93 @@
+import { NextResponse } from "next/server";
+function createApiErrorResponse(code, message, status) {
+  const errors = [
+    {
+      code,
+      message
+    }
+  ];
+  return NextResponse.json(
+    {
+      success: false,
+      message,
+      error: code,
+      errors
+      // Include both formats for compatibility
+    },
+    { status }
+  );
+}
+function createApiSuccessResponse(data, status = 200) {
+  return NextResponse.json(
+    {
+      success: true,
+      ...data
+    },
+    { status }
+  );
+}
+class SessionResponseHelper {
+  static createVerificationResponse(decodedSession) {
+    return createApiSuccessResponse({
+      valid: true,
+      uid: decodedSession.data?.payload?.sub,
+      exp: decodedSession.data?.payload?.exp
+    });
+  }
+  static createUnauthorizedResponse() {
+    return createApiErrorResponse("UNAUTHORIZED", "Authentication required", 401);
+  }
+  static createSessionCreationResponse(res) {
+    if (!res.success) {
+      console.error("[TernSecureAuthHandler] Error creating session:", {
+        error: res.error,
+        message: res.message,
+        cookieSet: res.cookieSet
+      });
+    }
+    const statusCode = res.success ? 200 : res.error === "INVALID_TOKEN" ? 400 : res.error === "EXPIRED_TOKEN" ? 401 : 500;
+    return NextResponse.json(res, { status: statusCode });
+  }
+  static createRefreshResponse(refreshRes) {
+    if (!refreshRes.success) {
+      console.error("[TernSecureAuthHandler] Error refreshing session:", {
+        error: refreshRes.error,
+        message: refreshRes.message
+      });
+    }
+    const statusCode = refreshRes.success ? 200 : 401;
+    return NextResponse.json(refreshRes, { status: statusCode });
+  }
+  static createRevokeResponse(res) {
+    if (!res.success) {
+      console.error("[TernSecureAuthHandler] Error revoking session:", {
+        error: res.error,
+        message: res.message
+      });
+    }
+    const statusCode = res.success ? 200 : 500;
+    return NextResponse.json(res, { status: statusCode });
+  }
+}
+class HttpResponseHelper {
+  static createMethodNotAllowedResponse() {
+    return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+  }
+  static createNotFoundResponse() {
+    return createApiErrorResponse("NOT_FOUND", "Endpoint not found", 404);
+  }
+  static createSubEndpointNotSupportedResponse() {
+    return createApiErrorResponse(
+      "SUB_ENDPOINT_NOT_SUPPORTED",
+      "Sub-endpoint not supported for POST method",
+      400
+    );
+  }
+}
+export {
+  HttpResponseHelper,
+  SessionResponseHelper,
+  createApiErrorResponse,
+  createApiSuccessResponse
+};
+//# sourceMappingURL=responses.js.map

package/dist/esm/app-router/admin/responses.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/responses.ts"],"sourcesContent":["import type { TernSecureApiErrorJSON } from '@tern-secure/types';\nimport { NextResponse } from 'next/server';\n\n/**\n * Standardized error response creation\n */\nexport function createApiErrorResponse(\n  code: string,\n  message: string,\n  status: number,\n): NextResponse {\n  const errors: TernSecureApiErrorJSON[] = [\n    {\n      code,\n      message,\n    },\n  ];\n\n  return NextResponse.json(\n    {\n      success: false,\n      message,\n      error: code,\n      errors, // Include both formats for compatibility\n    },\n    { status },\n  );\n}\n\n/**\n * Standardized success response creation\n */\nexport function createApiSuccessResponse<T>(data: T, status: number = 200): NextResponse {\n  return NextResponse.json(\n    {\n      success: true,\n      ...data,\n    },\n    { status },\n  );\n}\n\n/**\n * Session verification response utilities\n */\nexport class SessionResponseHelper {\n  static createVerificationResponse(decodedSession: any): NextResponse {\n    return createApiSuccessResponse({\n      valid: true,\n      uid: decodedSession.data?.payload?.sub,\n      exp: decodedSession.data?.payload?.exp,\n    });\n  }\n\n  static createUnauthorizedResponse(): NextResponse {\n    return createApiErrorResponse('UNAUTHORIZED', 'Authentication required', 401);\n  }\n\n  static createSessionCreationResponse(res: any): NextResponse {\n    if (!res.success) {\n      console.error('[TernSecureAuthHandler] Error creating session:', {\n        error: res.error,\n        message: res.message,\n        cookieSet: res.cookieSet,\n      });\n    }\n\n    const statusCode = res.success\n      ? 200\n      : res.error === 'INVALID_TOKEN'\n        ? 400\n        : res.error === 'EXPIRED_TOKEN'\n          ? 401\n          : 500;\n\n    return NextResponse.json(res, { status: statusCode });\n  }\n\n  static createRefreshResponse(refreshRes: any): NextResponse {\n    if (!refreshRes.success) {\n      console.error('[TernSecureAuthHandler] Error refreshing session:', {\n        error: refreshRes.error,\n        message: refreshRes.message,\n      });\n    }\n\n    const statusCode = refreshRes.success ? 200 : 401;\n    return NextResponse.json(refreshRes, { status: statusCode });\n  }\n\n  static createRevokeResponse(res: any): NextResponse {\n    if (!res.success) {\n      console.error('[TernSecureAuthHandler] Error revoking session:', {\n        error: res.error,\n        message: res.message,\n      });\n    }\n    const statusCode = res.success ? 200 : 500;\n    return NextResponse.json(res, { status: statusCode });\n  }\n}\n\n/**\n * HTTP method response utilities\n */\nexport class HttpResponseHelper {\n  static createMethodNotAllowedResponse(): NextResponse {\n    return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n  }\n\n  static createNotFoundResponse(): NextResponse {\n    return createApiErrorResponse('NOT_FOUND', 'Endpoint not found', 404);\n  }\n\n  static createSubEndpointNotSupportedResponse(): NextResponse {\n    return createApiErrorResponse(\n      'SUB_ENDPOINT_NOT_SUPPORTED',\n      'Sub-endpoint not supported for POST method',\n      400,\n    );\n  }\n}\n"],"mappings":"AACA,SAAS,oBAAoB;AAKtB,SAAS,uBACd,MACA,SACA,QACc;AACd,QAAM,SAAmC;AAAA,IACvC;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO,aAAa;AAAA,IAClB;AAAA,MACE,SAAS;AAAA,MACT;AAAA,MACA,OAAO;AAAA,MACP;AAAA;AAAA,IACF;AAAA,IACA,EAAE,OAAO;AAAA,EACX;AACF;AAKO,SAAS,yBAA4B,MAAS,SAAiB,KAAmB;AACvF,SAAO,aAAa;AAAA,IAClB;AAAA,MACE,SAAS;AAAA,MACT,GAAG;AAAA,IACL;AAAA,IACA,EAAE,OAAO;AAAA,EACX;AACF;AAKO,MAAM,sBAAsB;AAAA,EACjC,OAAO,2BAA2B,gBAAmC;AACnE,WAAO,yBAAyB;AAAA,MAC9B,OAAO;AAAA,MACP,KAAK,eAAe,MAAM,SAAS;AAAA,MACnC,KAAK,eAAe,MAAM,SAAS;AAAA,IACrC,CAAC;AAAA,EACH;AAAA,EAEA,OAAO,6BAA2C;AAChD,WAAO,uBAAuB,gBAAgB,2BAA2B,GAAG;AAAA,EAC9E;AAAA,EAEA,OAAO,8BAA8B,KAAwB;AAC3D,QAAI,CAAC,IAAI,SAAS;AAChB,cAAQ,MAAM,mDAAmD;AAAA,QAC/D,OAAO,IAAI;AAAA,QACX,SAAS,IAAI;AAAA,QACb,WAAW,IAAI;AAAA,MACjB,CAAC;AAAA,IACH;AAEA,UAAM,aAAa,IAAI,UACnB,MACA,IAAI,UAAU,kBACZ,MACA,IAAI,UAAU,kBACZ,MACA;AAER,WAAO,aAAa,KAAK,KAAK,EAAE,QAAQ,WAAW,CAAC;AAAA,EACtD;AAAA,EAEA,OAAO,sBAAsB,YAA+B;AAC1D,QAAI,CAAC,WAAW,SAAS;AACvB,cAAQ,MAAM,qDAAqD;AAAA,QACjE,OAAO,WAAW;AAAA,QAClB,SAAS,WAAW;AAAA,MACtB,CAAC;AAAA,IACH;AAEA,UAAM,aAAa,WAAW,UAAU,MAAM;AAC9C,WAAO,aAAa,KAAK,YAAY,EAAE,QAAQ,WAAW,CAAC;AAAA,EAC7D;AAAA,EAEA,OAAO,qBAAqB,KAAwB;AAClD,QAAI,CAAC,IAAI,SAAS;AAChB,cAAQ,MAAM,mDAAmD;AAAA,QAC/D,OAAO,IAAI;AAAA,QACX,SAAS,IAAI;AAAA,MACf,CAAC;AAAA,IACH;AACA,UAAM,aAAa,IAAI,UAAU,MAAM;AACvC,WAAO,aAAa,KAAK,KAAK,EAAE,QAAQ,WAAW,CAAC;AAAA,EACtD;AACF;AAKO,MAAM,mBAAmB;AAAA,EAC9B,OAAO,iCAA+C;AACpD,WAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,EAC/E;AAAA,EAEA,OAAO,yBAAuC;AAC5C,WAAO,uBAAuB,aAAa,sBAAsB,GAAG;AAAA,EACtE;AAAA,EAEA,OAAO,wCAAsD;AAC3D,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/esm/app-router/admin/sessionHandlers.js

@@ -0,0 +1,131 @@
+import { clearSessionCookie, createSessionCookie } from "@tern-secure/backend/admin";
+import { ternDecodeJwtUnguarded } from "@tern-secure/backend/jwt";
+import { NextCookieStore } from "../../utils/NextCookieAdapter";
+import { createApiErrorResponse, HttpResponseHelper, SessionResponseHelper } from "./responses";
+import { CsrfValidator, RequestValidator } from "./validators";
+class SessionGetHandler {
+  static async handle(request, subEndpoint, _config) {
+    switch (subEndpoint) {
+      case "verify":
+        return this.handleVerify(request);
+      default:
+        return HttpResponseHelper.createNotFoundResponse();
+    }
+  }
+  static async handleVerify(request) {
+    try {
+      const sessionCookie = request.cookies.get("_session_cookie")?.value;
+      if (!sessionCookie) {
+        return SessionResponseHelper.createUnauthorizedResponse();
+      }
+      const decodedSession = ternDecodeJwtUnguarded(sessionCookie);
+      if (decodedSession.errors) {
+        return SessionResponseHelper.createUnauthorizedResponse();
+      }
+      return SessionResponseHelper.createVerificationResponse(decodedSession);
+    } catch (error) {
+      return SessionResponseHelper.createUnauthorizedResponse();
+    }
+  }
+}
+class SessionPostHandler {
+  static async handle(request, subEndpoint, _config) {
+    const cookieStore = new NextCookieStore();
+    const { idToken, csrfToken, error } = await RequestValidator.validateSessionRequest(request);
+    if (error) return error;
+    const csrfCookieValue = request.cookies.get("_session_terncf")?.value;
+    const csrfValidationError = CsrfValidator.validate(csrfToken || "", csrfCookieValue);
+    if (csrfValidationError) return csrfValidationError;
+    const options = {
+      tenantId: _config.tenantId
+    };
+    switch (subEndpoint) {
+      case "createsession":
+        return this.handleCreateSession(options, idToken, cookieStore);
+      case "refresh":
+        return this.handleRefreshSession(request, cookieStore);
+      case "revoke":
+        return this.handleRevokeSession(cookieStore);
+      default:
+        return HttpResponseHelper.createSubEndpointNotSupportedResponse();
+    }
+  }
+  static async handleCreateSession(options, idToken, cookieStore) {
+    const validationError = RequestValidator.validateIdToken(idToken);
+    if (validationError) return validationError;
+    if (!idToken) {
+      return createApiErrorResponse("ID_TOKEN_REQUIRED", "ID token is required", 400);
+    }
+    try {
+      const res = await createSessionCookie(idToken, cookieStore, options);
+      return SessionResponseHelper.createSessionCreationResponse(res);
+    } catch (error) {
+      return createApiErrorResponse("SESSION_CREATION_FAILED", "Session creation failed", 500);
+    }
+  }
+  static async handleRefreshSession(request, cookieStore) {
+    const currentSessionCookie = request.cookies.get("__session")?.value;
+    if (!currentSessionCookie) {
+      return createApiErrorResponse("NO_SESSION", "No session to refresh", 401);
+    }
+    try {
+      const decodedSession = ternDecodeJwtUnguarded(currentSessionCookie);
+      if (decodedSession.errors) {
+        return createApiErrorResponse("INVALID_SESSION", "Invalid session for refresh", 401);
+      }
+      const refreshRes = await createSessionCookie(
+        decodedSession.data?.payload?.sub || "",
+        cookieStore
+      );
+      return SessionResponseHelper.createRefreshResponse(refreshRes);
+    } catch (error) {
+      return createApiErrorResponse("REFRESH_FAILED", "Session refresh failed", 500);
+    }
+  }
+  static async handleRevokeSession(cookieStore) {
+    const res = await clearSessionCookie(cookieStore);
+    return SessionResponseHelper.createRevokeResponse(res);
+  }
+}
+class SessionEndpointHandler {
+  static async handle(request, method, subEndpoint, config) {
+    const sessionsConfig = config.endpoints.sessions;
+    if (!subEndpoint) {
+      return createApiErrorResponse("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
+    }
+    const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];
+    const subEndpointValidation = this.validateSubEndpoint(subEndpoint, subEndpointConfig, method);
+    if (subEndpointValidation) return subEndpointValidation;
+    if (subEndpointConfig?.security) {
+      const { SecurityValidator } = await import("./validators.js");
+      const securityResult = await SecurityValidator.validate(request, subEndpointConfig.security);
+      if (securityResult) return securityResult;
+    }
+    switch (method) {
+      case "GET":
+        return SessionGetHandler.handle(request, subEndpoint, config);
+      case "POST":
+        return SessionPostHandler.handle(request, subEndpoint, config);
+      default:
+        return HttpResponseHelper.createMethodNotAllowedResponse();
+    }
+  }
+  static validateSubEndpoint(subEndpoint, subEndpointConfig, method) {
+    if (!subEndpoint) {
+      return createApiErrorResponse("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
+    }
+    if (!subEndpointConfig || !subEndpointConfig.enabled) {
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (!subEndpointConfig.methods?.includes(method)) {
+      return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+}
+export {
+  SessionEndpointHandler,
+  SessionGetHandler,
+  SessionPostHandler
+};
+//# sourceMappingURL=sessionHandlers.js.map

package/dist/esm/app-router/admin/sessionHandlers.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import type { RequestOptions } from '@tern-secure/backend';\nimport { clearSessionCookie, createSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport type { NextRequest, NextResponse } from 'next/server';\n\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { createApiErrorResponse, HttpResponseHelper, SessionResponseHelper } from './responses';\nimport type {\n  SessionSubEndpoint,\n  TernSecureHandlerOptions,\n  TernSecureInternalHandlerConfig,\n} from './types';\nimport { CsrfValidator, RequestValidator } from './validators';\n\n/**\n * Session GET request handlers\n */\nexport class SessionGetHandler {\n  static async handle(\n    request: NextRequest,\n    subEndpoint: SessionSubEndpoint,\n    _config: Required<TernSecureHandlerOptions>,\n  ): Promise<NextResponse> {\n    switch (subEndpoint) {\n      case 'verify':\n        return this.handleVerify(request);\n      default:\n        return HttpResponseHelper.createNotFoundResponse();\n    }\n  }\n\n  private static async handleVerify(request: NextRequest): Promise<NextResponse> {\n    try {\n      const sessionCookie = request.cookies.get('_session_cookie')?.value;\n      if (!sessionCookie) {\n        return SessionResponseHelper.createUnauthorizedResponse();\n      }\n\n      const decodedSession = ternDecodeJwtUnguarded(sessionCookie);\n      if (decodedSession.errors) {\n        return SessionResponseHelper.createUnauthorizedResponse();\n      }\n\n      return SessionResponseHelper.createVerificationResponse(decodedSession);\n    } catch (error) {\n      return SessionResponseHelper.createUnauthorizedResponse();\n    }\n  }\n}\n\n/**\n * Session POST request handlers\n */\nexport class SessionPostHandler {\n  static async handle(\n    request: NextRequest,\n    subEndpoint: SessionSubEndpoint,\n    _config: TernSecureInternalHandlerConfig,\n  ): Promise<NextResponse> {\n    const cookieStore = new NextCookieStore();\n\n    const { idToken, csrfToken, error } = await RequestValidator.validateSessionRequest(request);\n    if (error) return error;\n\n    const csrfCookieValue = request.cookies.get('_session_terncf')?.value;\n    const csrfValidationError = CsrfValidator.validate(csrfToken || '', csrfCookieValue);\n    if (csrfValidationError) return csrfValidationError;\n\n    const options = {\n      tenantId: _config.tenantId,\n    };\n\n    switch (subEndpoint) {\n      case 'createsession':\n        return this.handleCreateSession(options, idToken, cookieStore);\n      case 'refresh':\n        return this.handleRefreshSession(request, cookieStore);\n      case 'revoke':\n        return this.handleRevokeSession(cookieStore);\n      default:\n        return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n    }\n  }\n\n  private static async handleCreateSession(\n    options: RequestOptions,\n    idToken: string | undefined,\n    cookieStore: NextCookieStore,\n  ): Promise<NextResponse> {\n    const validationError = RequestValidator.validateIdToken(idToken);\n    if (validationError) return validationError;\n    if (!idToken) {\n      return createApiErrorResponse('ID_TOKEN_REQUIRED', 'ID token is required', 400);\n    }\n\n    try {\n      const res = await createSessionCookie(idToken, cookieStore, options);\n      return SessionResponseHelper.createSessionCreationResponse(res);\n    } catch (error) {\n      return createApiErrorResponse('SESSION_CREATION_FAILED', 'Session creation failed', 500);\n    }\n  }\n\n  private static async handleRefreshSession(\n    request: NextRequest,\n    cookieStore: NextCookieStore,\n  ): Promise<NextResponse> {\n    const currentSessionCookie = request.cookies.get('__session')?.value;\n    if (!currentSessionCookie) {\n      return createApiErrorResponse('NO_SESSION', 'No session to refresh', 401);\n    }\n\n    try {\n      const decodedSession = ternDecodeJwtUnguarded(currentSessionCookie);\n      if (decodedSession.errors) {\n        return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n      }\n\n      const refreshRes = await createSessionCookie(\n        decodedSession.data?.payload?.sub || '',\n        cookieStore,\n      );\n\n      return SessionResponseHelper.createRefreshResponse(refreshRes);\n    } catch (error) {\n      return createApiErrorResponse('REFRESH_FAILED', 'Session refresh failed', 500);\n    }\n  }\n\n  private static async handleRevokeSession(cookieStore: NextCookieStore): Promise<NextResponse> {\n    const res = await clearSessionCookie(cookieStore);\n    return SessionResponseHelper.createRevokeResponse(res);\n  }\n}\n\n/**\n * Main session endpoint orchestrator\n */\nexport class SessionEndpointHandler {\n  static async handle(\n    request: NextRequest,\n    method: string,\n    subEndpoint: SessionSubEndpoint | undefined,\n    config: Required<TernSecureHandlerOptions>,\n  ): Promise<NextResponse> {\n    const sessionsConfig = config.endpoints.sessions;\n\n    if (!subEndpoint) {\n      return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n    }\n\n    const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n    const subEndpointValidation = this.validateSubEndpoint(subEndpoint, subEndpointConfig, method);\n    if (subEndpointValidation) return subEndpointValidation;\n\n    if (subEndpointConfig?.security) {\n      const { SecurityValidator } = await import('./validators.js');\n      const securityResult = await SecurityValidator.validate(request, subEndpointConfig.security);\n      if (securityResult) return securityResult;\n    }\n\n    switch (method) {\n      case 'GET':\n        return SessionGetHandler.handle(request, subEndpoint, config);\n      case 'POST':\n        return SessionPostHandler.handle(request, subEndpoint, config);\n      default:\n        return HttpResponseHelper.createMethodNotAllowedResponse();\n    }\n  }\n\n  private static validateSubEndpoint(\n    subEndpoint: SessionSubEndpoint | undefined,\n    subEndpointConfig: any,\n    method: string,\n  ): NextResponse | null {\n    if (!subEndpoint) {\n      return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n    }\n\n    if (!subEndpointConfig || !subEndpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (!subEndpointConfig.methods?.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n}\n"],"mappings":"AACA,SAAS,oBAAoB,2BAA2B;AACxD,SAAS,8BAA8B;AAGvC,SAAS,uBAAuB;AAChC,SAAS,wBAAwB,oBAAoB,6BAA6B;AAMlF,SAAS,eAAe,wBAAwB;AAKzC,MAAM,kBAAkB;AAAA,EAC7B,aAAa,OACX,SACA,aACA,SACuB;AACvB,YAAQ,aAAa;AAAA,MACnB,KAAK;AACH,eAAO,KAAK,aAAa,OAAO;AAAA,MAClC;AACE,eAAO,mBAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAAA,EAEA,aAAqB,aAAa,SAA6C;AAC7E,QAAI;AACF,YAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAC9D,UAAI,CAAC,eAAe;AAClB,eAAO,sBAAsB,2BAA2B;AAAA,MAC1D;AAEA,YAAM,iBAAiB,uBAAuB,aAAa;AAC3D,UAAI,eAAe,QAAQ;AACzB,eAAO,sBAAsB,2BAA2B;AAAA,MAC1D;AAEA,aAAO,sBAAsB,2BAA2B,cAAc;AAAA,IACxE,SAAS,OAAO;AACd,aAAO,sBAAsB,2BAA2B;AAAA,IAC1D;AAAA,EACF;AACF;AAKO,MAAM,mBAAmB;AAAA,EAC9B,aAAa,OACX,SACA,aACA,SACuB;AACvB,UAAM,cAAc,IAAI,gBAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,iBAAiB,uBAAuB,OAAO;AAC3F,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAChE,UAAM,sBAAsB,cAAc,SAAS,aAAa,IAAI,eAAe;AACnF,QAAI,oBAAqB,QAAO;AAEhC,UAAM,UAAU;AAAA,MACd,UAAU,QAAQ;AAAA,IACpB;AAEA,YAAQ,aAAa;AAAA,MACnB,KAAK;AACH,eAAO,KAAK,oBAAoB,SAAS,SAAS,WAAW;AAAA,MAC/D,KAAK;AACH,eAAO,KAAK,qBAAqB,SAAS,WAAW;AAAA,MACvD,KAAK;AACH,eAAO,KAAK,oBAAoB,WAAW;AAAA,MAC7C;AACE,eAAO,mBAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAAA,EAEA,aAAqB,oBACnB,SACA,SACA,aACuB;AACvB,UAAM,kBAAkB,iBAAiB,gBAAgB,OAAO;AAChE,QAAI,gBAAiB,QAAO;AAC5B,QAAI,CAAC,SAAS;AACZ,aAAO,uBAAuB,qBAAqB,wBAAwB,GAAG;AAAA,IAChF;AAEA,QAAI;AACF,YAAM,MAAM,MAAM,oBAAoB,SAAS,aAAa,OAAO;AACnE,aAAO,sBAAsB,8BAA8B,GAAG;AAAA,IAChE,SAAS,OAAO;AACd,aAAO,uBAAuB,2BAA2B,2BAA2B,GAAG;AAAA,IACzF;AAAA,EACF;AAAA,EAEA,aAAqB,qBACnB,SACA,aACuB;AACvB,UAAM,uBAAuB,QAAQ,QAAQ,IAAI,WAAW,GAAG;AAC/D,QAAI,CAAC,sBAAsB;AACzB,aAAO,uBAAuB,cAAc,yBAAyB,GAAG;AAAA,IAC1E;AAEA,QAAI;AACF,YAAM,iBAAiB,uBAAuB,oBAAoB;AAClE,UAAI,eAAe,QAAQ;AACzB,eAAO,uBAAuB,mBAAmB,+BAA+B,GAAG;AAAA,MACrF;AAEA,YAAM,aAAa,MAAM;AAAA,QACvB,eAAe,MAAM,SAAS,OAAO;AAAA,QACrC;AAAA,MACF;AAEA,aAAO,sBAAsB,sBAAsB,UAAU;AAAA,IAC/D,SAAS,OAAO;AACd,aAAO,uBAAuB,kBAAkB,0BAA0B,GAAG;AAAA,IAC/E;AAAA,EACF;AAAA,EAEA,aAAqB,oBAAoB,aAAqD;AAC5F,UAAM,MAAM,MAAM,mBAAmB,WAAW;AAChD,WAAO,sBAAsB,qBAAqB,GAAG;AAAA,EACvD;AACF;AAKO,MAAM,uBAAuB;AAAA,EAClC,aAAa,OACX,SACA,QACA,aACA,QACuB;AACvB,UAAM,iBAAiB,OAAO,UAAU;AAExC,QAAI,CAAC,aAAa;AAChB,aAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,UAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,UAAM,wBAAwB,KAAK,oBAAoB,aAAa,mBAAmB,MAAM;AAC7F,QAAI,sBAAuB,QAAO;AAElC,QAAI,mBAAmB,UAAU;AAC/B,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,iBAAiB;AAC5D,YAAM,iBAAiB,MAAM,kBAAkB,SAAS,SAAS,kBAAkB,QAAQ;AAC3F,UAAI,eAAgB,QAAO;AAAA,IAC7B;AAEA,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,kBAAkB,OAAO,SAAS,aAAa,MAAM;AAAA,MAC9D,KAAK;AACH,eAAO,mBAAmB,OAAO,SAAS,aAAa,MAAM;AAAA,MAC/D;AACE,eAAO,mBAAmB,+BAA+B;AAAA,IAC7D;AAAA,EACF;AAAA,EAEA,OAAe,oBACb,aACA,mBACA,QACqB;AACrB,QAAI,CAAC,aAAa;AAChB,aAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/esm/app-router/admin/ternsecureNextjsHandler.js

@@ -0,0 +1,62 @@
+import { TENANT_ID } from "./constants";
+import { createRequestContext, createValidators } from "./fnValidators";
+import { createApiErrorResponse } from "./responses";
+import { SessionEndpointHandler } from "./sessionHandlers";
+import {
+  DEFAULT_HANDLER_OPTIONS
+} from "./types";
+import { ConfigUtils, LoggingUtils } from "./utils";
+async function applyGlobalValidations(config, context) {
+  const { validateCors, validateSecurity, createCorsOptionsResponse } = createValidators(context);
+  const corsError = await validateCors(config.cors);
+  if (corsError) return corsError;
+  if (context.method === "OPTIONS") {
+    return createCorsOptionsResponse(config.cors);
+  }
+  const securityError = await validateSecurity(config.security);
+  if (securityError) return securityError;
+  return null;
+}
+async function routeToEndpointHandler(request, endpoint, subEndpoint, config) {
+  switch (endpoint) {
+    case "sessions":
+      return SessionEndpointHandler.handle(request, request.method, subEndpoint, config);
+    default:
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+  }
+}
+function createTernSecureNextJsHandler(options) {
+  const baseConfig = ConfigUtils.mergeWithDefaults(
+    DEFAULT_HANDLER_OPTIONS,
+    options
+  );
+  const internalConfig = {
+    ...baseConfig,
+    tenantId: TENANT_ID
+  };
+  const handler = async (request) => {
+    const context = createRequestContext(request);
+    const { pathSegments } = context;
+    const endpoint = pathSegments[2];
+    const subEndpoint = pathSegments[3];
+    LoggingUtils.logRequest(request, "Handler");
+    try {
+      const validationResult = await applyGlobalValidations(internalConfig, context);
+      if (validationResult) {
+        return validationResult;
+      }
+      return await routeToEndpointHandler(request, endpoint, subEndpoint, internalConfig);
+    } catch (error) {
+      LoggingUtils.logError(error, "Handler");
+      return createApiErrorResponse("INTERNAL_SERVER_ERROR", "Internal server error", 500);
+    }
+  };
+  return {
+    GET: handler,
+    POST: handler
+  };
+}
+export {
+  createTernSecureNextJsHandler
+};
+//# sourceMappingURL=ternsecureNextjsHandler.js.map