@tern-secure/nextjs 5.1.8 → 5.1.9

package/dist/esm/app-router/admin/ternsecureNextjsHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/ternsecureNextjsHandler.ts"],"sourcesContent":["import type { NextRequest, NextResponse } from 'next/server';\n\nimport { TENANT_ID } from './constants';\nimport type { RequestContext } from './fnValidators';\nimport { createRequestContext, createValidators } from './fnValidators';\nimport { createApiErrorResponse } from './responses';\nimport { SessionEndpointHandler } from './sessionHandlers';\nimport type {\n  AuthEndpoint,\n  SessionSubEndpoint,\n  TernSecureHandlerOptions,\n  TernSecureInternalHandlerConfig} from './types';\nimport {\n  DEFAULT_HANDLER_OPTIONS\n} from './types';\nimport { ConfigUtils, LoggingUtils } from './utils';\n\n/**\n * Apply all global validations in a clean, sequential manner\n */\nasync function applyGlobalValidations(\n  config: Required<TernSecureHandlerOptions>,\n  context: RequestContext,\n): Promise<NextResponse | null> {\n  const { validateCors, validateSecurity, createCorsOptionsResponse } = createValidators(context);\n  const corsError = await validateCors(config.cors);\n  if (corsError) return corsError;\n\n  if (context.method === 'OPTIONS') {\n    return createCorsOptionsResponse(config.cors);\n  }\n\n  const securityError = await validateSecurity(config.security);\n  if (securityError) return securityError;\n\n  return null;\n}\n\n/**\n * Route to appropriate endpoint handler based on endpoint type\n */\nasync function routeToEndpointHandler(\n  request: NextRequest,\n  endpoint: AuthEndpoint,\n  subEndpoint: SessionSubEndpoint,\n  config: TernSecureInternalHandlerConfig,\n): Promise<NextResponse> {\n  switch (endpoint) {\n    case 'sessions':\n      return SessionEndpointHandler.handle(request, request.method, subEndpoint, config);\n    default:\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n  }\n}\n\nexport function createTernSecureNextJsHandler(options?: TernSecureHandlerOptions) {\n  const baseConfig: Required<TernSecureHandlerOptions> = ConfigUtils.mergeWithDefaults(\n    DEFAULT_HANDLER_OPTIONS,\n    options,\n  );\n\n  const internalConfig: TernSecureInternalHandlerConfig = {\n    ...baseConfig,\n    tenantId: TENANT_ID,\n  };\n\n  const handler = async (request: NextRequest): Promise<NextResponse> => {\n    const context = createRequestContext(request);\n    const { pathSegments } = context;\n\n    const endpoint = pathSegments[2] as AuthEndpoint;\n    const subEndpoint = pathSegments[3] as SessionSubEndpoint;\n\n    LoggingUtils.logRequest(request, 'Handler');\n\n    try {\n      const validationResult = await applyGlobalValidations(internalConfig, context);\n      if (validationResult) {\n        return validationResult;\n      }\n\n      return await routeToEndpointHandler(request, endpoint, subEndpoint, internalConfig);\n    } catch (error) {\n      LoggingUtils.logError(error, 'Handler');\n      return createApiErrorResponse('INTERNAL_SERVER_ERROR', 'Internal server error', 500);\n    }\n  };\n\n  return {\n    GET: handler,\n    POST: handler,\n  };\n}\n"],"mappings":"AAEA,SAAS,iBAAiB;AAE1B,SAAS,sBAAsB,wBAAwB;AACvD,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAMvC;AAAA,EACE;AAAA,OACK;AACP,SAAS,aAAa,oBAAoB;AAK1C,eAAe,uBACb,QACA,SAC8B;AAC9B,QAAM,EAAE,cAAc,kBAAkB,0BAA0B,IAAI,iBAAiB,OAAO;AAC9F,QAAM,YAAY,MAAM,aAAa,OAAO,IAAI;AAChD,MAAI,UAAW,QAAO;AAEtB,MAAI,QAAQ,WAAW,WAAW;AAChC,WAAO,0BAA0B,OAAO,IAAI;AAAA,EAC9C;AAEA,QAAM,gBAAgB,MAAM,iBAAiB,OAAO,QAAQ;AAC5D,MAAI,cAAe,QAAO;AAE1B,SAAO;AACT;AAKA,eAAe,uBACb,SACA,UACA,aACA,QACuB;AACvB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,uBAAuB,OAAO,SAAS,QAAQ,QAAQ,aAAa,MAAM;AAAA,IACnF;AACE,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,EACjF;AACF;AAEO,SAAS,8BAA8B,SAAoC;AAChF,QAAM,aAAiD,YAAY;AAAA,IACjE;AAAA,IACA;AAAA,EACF;AAEA,QAAM,iBAAkD;AAAA,IACtD,GAAG;AAAA,IACH,UAAU;AAAA,EACZ;AAEA,QAAM,UAAU,OAAO,YAAgD;AACrE,UAAM,UAAU,qBAAqB,OAAO;AAC5C,UAAM,EAAE,aAAa,IAAI;AAEzB,UAAM,WAAW,aAAa,CAAC;AAC/B,UAAM,cAAc,aAAa,CAAC;AAElC,iBAAa,WAAW,SAAS,SAAS;AAE1C,QAAI;AACF,YAAM,mBAAmB,MAAM,uBAAuB,gBAAgB,OAAO;AAC7E,UAAI,kBAAkB;AACpB,eAAO;AAAA,MACT;AAEA,aAAO,MAAM,uBAAuB,SAAS,UAAU,aAAa,cAAc;AAAA,IACpF,SAAS,OAAO;AACd,mBAAa,SAAS,OAAO,SAAS;AACtC,aAAO,uBAAuB,yBAAyB,yBAAyB,GAAG;AAAA,IACrF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;","names":[]}

package/dist/esm/app-router/admin/types.js

@@ -0,0 +1,98 @@
+const DEFAULT_CORS_OPTIONS = {
+  allowedOrigins: [],
+  allowedMethods: ["GET", "POST"],
+  allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+  allowCredentials: true,
+  maxAge: 86400
+  // 24 hours
+};
+const DEFAULT_COOKIE_OPTIONS = {
+  name: "__session",
+  path: "/",
+  secure: true,
+  httpOnly: true,
+  sameSite: "lax",
+  maxAge: 3600 * 24 * 7
+  // 7 days
+};
+const DEFAULT_SECURITY_OPTIONS = {
+  requireCSRF: true,
+  allowedReferers: [],
+  requiredHeaders: {},
+  ipWhitelist: [],
+  userAgent: {
+    block: [],
+    allow: []
+  }
+};
+const DEFAULT_ENDPOINT_CONFIG = {
+  enabled: true,
+  methods: ["GET", "POST"],
+  requireAuth: false,
+  security: DEFAULT_SECURITY_OPTIONS
+};
+const DEFAULT_SESSIONS_CONFIG = {
+  ...DEFAULT_ENDPOINT_CONFIG,
+  subEndpoints: {
+    verify: {
+      enabled: true,
+      methods: ["GET"],
+      requireAuth: false,
+      security: {
+        requireCSRF: true,
+        allowedReferers: []
+      }
+    },
+    createsession: {
+      enabled: true,
+      methods: ["POST"],
+      requireAuth: false,
+      security: {
+        requireCSRF: true
+      }
+    },
+    refresh: {
+      enabled: true,
+      methods: ["POST"],
+      requireAuth: true,
+      security: {
+        requireCSRF: true
+      }
+    },
+    revoke: {
+      enabled: true,
+      methods: ["POST"],
+      requireAuth: true,
+      security: {
+        requireCSRF: true
+      }
+    }
+  }
+};
+const DEFAULT_HANDLER_OPTIONS = {
+  cors: DEFAULT_CORS_OPTIONS,
+  cookies: DEFAULT_COOKIE_OPTIONS,
+  rateLimit: {
+    windowMs: 15 * 60 * 1e3,
+    // 15 minutes
+    maxRequests: 100,
+    skipSuccessful: false,
+    skipFailedRequests: false
+  },
+  security: DEFAULT_SECURITY_OPTIONS,
+  endpoints: {
+    sessions: DEFAULT_SESSIONS_CONFIG
+  },
+  debug: false,
+  environment: "production",
+  basePath: "/api/auth"
+};
+export {
+  DEFAULT_COOKIE_OPTIONS,
+  DEFAULT_CORS_OPTIONS,
+  DEFAULT_ENDPOINT_CONFIG,
+  DEFAULT_HANDLER_OPTIONS,
+  DEFAULT_SECURITY_OPTIONS,
+  DEFAULT_SESSIONS_CONFIG
+};
+//# sourceMappingURL=types.js.map

package/dist/esm/app-router/admin/types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/types.ts"],"sourcesContent":["import { type NextResponse } from 'next/server';\n\nexport interface CorsOptions {\n  allowedOrigins: string[] | '*';\n  allowedMethods?: string[];\n  allowedHeaders?: string[];\n  allowCredentials?: boolean;\n  maxAge?: number;\n  skipSameOrigin?: boolean;\n}\n\nexport interface CookieOptions {\n  name?: string;\n  domain?: string;\n  path?: string;\n  secure?: boolean;\n  httpOnly?: boolean;\n  sameSite?: 'strict' | 'lax' | 'none';\n  maxAge?: number;\n}\n\nexport interface RateLimitOptions {\n  windowMs?: number;\n  maxRequests?: number;\n  skipSuccessful?: boolean;\n  skipFailedRequests?: boolean;\n}\n\nexport interface SecurityOptions {\n  requireCSRF?: boolean;\n  allowedReferers?: string[];\n  requiredHeaders?: Record<string, string>;\n  ipWhitelist?: string[];\n  userAgent?: {\n    block?: string[];\n    allow?: string[];\n  };\n}\n\nexport interface EndpointConfig {\n  enabled: boolean;\n  methods: ('GET' | 'POST' | 'PUT' | 'DELETE')[];\n  requireAuth?: boolean;\n  rateLimit?: RateLimitOptions;\n  security?: SecurityOptions;\n  cors?: Partial<CorsOptions>;\n}\n\nexport interface SessionEndpointConfig extends EndpointConfig {\n  subEndpoints?: {\n    [K in SessionSubEndpoint]?: Partial<EndpointConfig>;\n  };\n}\n\nexport interface TernSecureHandlerOptions {\n  cors?: CorsOptions;\n  cookies?: CookieOptions;\n  rateLimit?: RateLimitOptions;\n  security?: SecurityOptions;\n  endpoints?: {\n    sessions?: SessionEndpointConfig;\n  };\n\n  debug?: boolean;\n  environment?: 'development' | 'production' | 'test';\n  basePath?: string;\n}\n\n/**\n * Define an internal config type that extends the public options\n * with server-side only values like tenantId.\n */\nexport type TernSecureInternalHandlerConfig = Required<TernSecureHandlerOptions> & {\n  tenantId?: string;\n};\n\nexport type AuthEndpoint = 'sessions' | 'users';\nexport type SessionSubEndpoint = 'verify' | 'createsession' | 'refresh' | 'revoke';\n\nexport const DEFAULT_CORS_OPTIONS: CorsOptions = {\n  allowedOrigins: [],\n  allowedMethods: ['GET', 'POST'],\n  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],\n  allowCredentials: true,\n  maxAge: 86400, // 24 hours\n};\n\nexport const DEFAULT_COOKIE_OPTIONS: CookieOptions = {\n  name: '__session',\n  path: '/',\n  secure: true,\n  httpOnly: true,\n  sameSite: 'lax',\n  maxAge: 3600 * 24 * 7, // 7 days\n};\n\nexport const DEFAULT_SECURITY_OPTIONS: SecurityOptions = {\n  requireCSRF: true,\n  allowedReferers: [],\n  requiredHeaders: {},\n  ipWhitelist: [],\n  userAgent: {\n    block: [],\n    allow: [],\n  },\n};\n\nexport const DEFAULT_ENDPOINT_CONFIG: EndpointConfig = {\n  enabled: true,\n  methods: ['GET', 'POST'],\n  requireAuth: false,\n  security: DEFAULT_SECURITY_OPTIONS,\n};\n\nexport const DEFAULT_SESSIONS_CONFIG: SessionEndpointConfig = {\n  ...DEFAULT_ENDPOINT_CONFIG,\n  subEndpoints: {\n    verify: {\n      enabled: true,\n      methods: ['GET'],\n      requireAuth: false,\n      security: {\n        requireCSRF: true,\n        allowedReferers: [],\n      },\n    },\n    createsession: {\n      enabled: true,\n      methods: ['POST'],\n      requireAuth: false,\n      security: {\n        requireCSRF: true,\n      },\n    },\n    refresh: {\n      enabled: true,\n      methods: ['POST'],\n      requireAuth: true,\n      security: {\n        requireCSRF: true,\n      },\n    },\n    revoke: {\n      enabled: true,\n      methods: ['POST'],\n      requireAuth: true,\n      security: {\n        requireCSRF: true,\n      },\n    },\n  },\n};\n\nexport const DEFAULT_HANDLER_OPTIONS: Required<TernSecureHandlerOptions> & {\n  endpoints: Required<NonNullable<TernSecureHandlerOptions['endpoints']>>;\n} = {\n  cors: DEFAULT_CORS_OPTIONS,\n  cookies: DEFAULT_COOKIE_OPTIONS,\n  rateLimit: {\n    windowMs: 15 * 60 * 1000, // 15 minutes\n    maxRequests: 100,\n    skipSuccessful: false,\n    skipFailedRequests: false,\n  },\n  security: DEFAULT_SECURITY_OPTIONS,\n  endpoints: {\n    sessions: DEFAULT_SESSIONS_CONFIG,\n  },\n  debug: false,\n  environment: 'production',\n  basePath: '/api/auth',\n};\n\n\nexport interface ValidationResult {\n  error?: NextResponse;\n  data?: any;\n}\n\nexport interface ValidationConfig {\n  cors?: CorsOptions;\n  security?: SecurityOptions;\n  endpoint?: {\n    name: AuthEndpoint;\n    config: EndpointConfig;\n  };\n  subEndpoint?: {\n    name: SessionSubEndpoint;\n    config: EndpointConfig;\n  };\n  requireIdToken?: boolean;\n  requireCsrfToken?: boolean;\n}\n\nexport interface ComprehensiveValidationResult {\n  isValid: boolean;\n  error?: NextResponse;\n  corsResponse?: NextResponse;\n  sessionData?: {\n    body: any;\n    idToken?: string;\n    csrfToken?: string;\n  };\n}\n"],"mappings":"AA+EO,MAAM,uBAAoC;AAAA,EAC/C,gBAAgB,CAAC;AAAA,EACjB,gBAAgB,CAAC,OAAO,MAAM;AAAA,EAC9B,gBAAgB,CAAC,gBAAgB,iBAAiB,kBAAkB;AAAA,EACpE,kBAAkB;AAAA,EAClB,QAAQ;AAAA;AACV;AAEO,MAAM,yBAAwC;AAAA,EACnD,MAAM;AAAA,EACN,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,UAAU;AAAA,EACV,QAAQ,OAAO,KAAK;AAAA;AACtB;AAEO,MAAM,2BAA4C;AAAA,EACvD,aAAa;AAAA,EACb,iBAAiB,CAAC;AAAA,EAClB,iBAAiB,CAAC;AAAA,EAClB,aAAa,CAAC;AAAA,EACd,WAAW;AAAA,IACT,OAAO,CAAC;AAAA,IACR,OAAO,CAAC;AAAA,EACV;AACF;AAEO,MAAM,0BAA0C;AAAA,EACrD,SAAS;AAAA,EACT,SAAS,CAAC,OAAO,MAAM;AAAA,EACvB,aAAa;AAAA,EACb,UAAU;AACZ;AAEO,MAAM,0BAAiD;AAAA,EAC5D,GAAG;AAAA,EACH,cAAc;AAAA,IACZ,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,KAAK;AAAA,MACf,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,QACb,iBAAiB,CAAC;AAAA,MACpB;AAAA,IACF;AAAA,IACA,eAAe;AAAA,MACb,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,SAAS;AAAA,MACP,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,0BAET;AAAA,EACF,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,IACT,UAAU,KAAK,KAAK;AAAA;AAAA,IACpB,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB;AAAA,EACA,UAAU;AAAA,EACV,WAAW;AAAA,IACT,UAAU;AAAA,EACZ;AAAA,EACA,OAAO;AAAA,EACP,aAAa;AAAA,EACb,UAAU;AACZ;","names":[]}

package/dist/esm/app-router/admin/utils.js

@@ -0,0 +1,80 @@
+class HttpUtils {
+  /**
+   * Extract client IP address from various headers
+   */
+  static getClientIP(request) {
+    const forwarded = request.headers.get("x-forwarded-for");
+    const realIP = request.headers.get("x-real-ip");
+    const clientIP = request.headers.get("x-client-ip");
+    if (forwarded) {
+      return forwarded.split(",")[0].trim();
+    }
+    return realIP || clientIP || "unknown";
+  }
+  /**
+   * Parse URL path segments for routing
+   */
+  static parsePathSegments(url) {
+    return url.pathname.split("/").filter(Boolean);
+  }
+  /**
+   * Extract authentication headers
+   */
+  static extractAuthHeaders(request) {
+    return {
+      origin: request.headers.get("origin"),
+      host: request.headers.get("host"),
+      referer: request.headers.get("referer"),
+      userAgent: request.headers.get("user-agent") || "",
+      authorization: request.headers.get("authorization"),
+      xRequestedWith: request.headers.get("x-requested-with")
+    };
+  }
+}
+class ConfigUtils {
+  /**
+   * Deep merge handler options with defaults
+   */
+  static mergeWithDefaults(defaults, options) {
+    if (!options) return defaults;
+    const result = { ...defaults };
+    for (const key in options) {
+      const value = options[key];
+      if (value && typeof value === "object" && !Array.isArray(value)) {
+        result[key] = this.mergeWithDefaults(defaults[key] || {}, value);
+      } else {
+        result[key] = value;
+      }
+    }
+    return result;
+  }
+}
+class CookieUtils {
+  static extractSessionCookies(request) {
+    return {
+      sessionCookie: request.cookies.get("_session_cookie")?.value,
+      csrfCookie: request.cookies.get("_session_terncf")?.value,
+      mainSession: request.cookies.get("__session")?.value
+    };
+  }
+}
+class LoggingUtils {
+  static logRequest(request, context) {
+    if (process.env.NODE_ENV === "development") {
+      console.log(`[TernSecure${context ? ` ${context}` : ""}] ${request.method} ${request.url}`);
+    }
+  }
+  static logError(error, context) {
+    console.error(`[TernSecure${context ? ` ${context}` : ""} Error]`, error);
+  }
+  static logWarning(message, context) {
+    console.warn(`[TernSecure${context ? ` ${context}` : ""} Warning]`, message);
+  }
+}
+export {
+  ConfigUtils,
+  CookieUtils,
+  HttpUtils,
+  LoggingUtils
+};
+//# sourceMappingURL=utils.js.map

package/dist/esm/app-router/admin/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/utils.ts"],"sourcesContent":["import type { NextRequest } from 'next/server';\n\n/**\n * HTTP utilities\n */\nexport class HttpUtils {\n  /**\n   * Extract client IP address from various headers\n   */\n  static getClientIP(request: NextRequest): string {\n    const forwarded = request.headers.get('x-forwarded-for');\n    const realIP = request.headers.get('x-real-ip');\n    const clientIP = request.headers.get('x-client-ip');\n\n    if (forwarded) {\n      return forwarded.split(',')[0].trim();\n    }\n\n    return realIP || clientIP || 'unknown';\n  }\n\n  /**\n   * Parse URL path segments for routing\n   */\n  static parsePathSegments(url: URL): string[] {\n    return url.pathname.split('/').filter(Boolean);\n  }\n\n  /**\n   * Extract authentication headers\n   */\n  static extractAuthHeaders(request: NextRequest) {\n    return {\n      origin: request.headers.get('origin'),\n      host: request.headers.get('host'),\n      referer: request.headers.get('referer'),\n      userAgent: request.headers.get('user-agent') || '',\n      authorization: request.headers.get('authorization'),\n      xRequestedWith: request.headers.get('x-requested-with'),\n    };\n  }\n}\n\n/**\n * Configuration utilities\n */\nexport class ConfigUtils {\n  /**\n   * Deep merge handler options with defaults\n   */\n  static mergeWithDefaults(\n    defaults: any,\n    options?: any\n  ): any {\n    if (!options) return defaults;\n\n    const result = { ...defaults };\n    \n    for (const key in options) {\n      const value = options[key];\n      if (value && typeof value === 'object' && !Array.isArray(value)) {\n        result[key] = this.mergeWithDefaults(defaults[key] || {}, value);\n      } else {\n        result[key] = value;\n      }\n    }\n\n    return result;\n  }\n}\n\n/**\n * Cookie utilities\n */\nexport class CookieUtils {\n  static extractSessionCookies(request: NextRequest) {\n    return {\n      sessionCookie: request.cookies.get('_session_cookie')?.value,\n      csrfCookie: request.cookies.get('_session_terncf')?.value,\n      mainSession: request.cookies.get('__session')?.value,\n    };\n  }\n}\n\n/**\n * Logging utilities for debugging\n */\nexport class LoggingUtils {\n  static logRequest(request: NextRequest, context?: string) {\n    if (process.env.NODE_ENV === 'development') {\n      console.log(`[TernSecure${context ? ` ${context}` : ''}] ${request.method} ${request.url}`);\n    }\n  }\n\n  static logError(error: any, context?: string) {\n    console.error(`[TernSecure${context ? ` ${context}` : ''} Error]`, error);\n  }\n\n  static logWarning(message: string, context?: string) {\n    console.warn(`[TernSecure${context ? ` ${context}` : ''} Warning]`, message);\n  }\n}"],"mappings":"AAKO,MAAM,UAAU;AAAA;AAAA;AAAA;AAAA,EAIrB,OAAO,YAAY,SAA8B;AAC/C,UAAM,YAAY,QAAQ,QAAQ,IAAI,iBAAiB;AACvD,UAAM,SAAS,QAAQ,QAAQ,IAAI,WAAW;AAC9C,UAAM,WAAW,QAAQ,QAAQ,IAAI,aAAa;AAElD,QAAI,WAAW;AACb,aAAO,UAAU,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAAA,IACtC;AAEA,WAAO,UAAU,YAAY;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,kBAAkB,KAAoB;AAC3C,WAAO,IAAI,SAAS,MAAM,GAAG,EAAE,OAAO,OAAO;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,mBAAmB,SAAsB;AAC9C,WAAO;AAAA,MACL,QAAQ,QAAQ,QAAQ,IAAI,QAAQ;AAAA,MACpC,MAAM,QAAQ,QAAQ,IAAI,MAAM;AAAA,MAChC,SAAS,QAAQ,QAAQ,IAAI,SAAS;AAAA,MACtC,WAAW,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAAA,MAChD,eAAe,QAAQ,QAAQ,IAAI,eAAe;AAAA,MAClD,gBAAgB,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,IACxD;AAAA,EACF;AACF;AAKO,MAAM,YAAY;AAAA;AAAA;AAAA;AAAA,EAIvB,OAAO,kBACL,UACA,SACK;AACL,QAAI,CAAC,QAAS,QAAO;AAErB,UAAM,SAAS,EAAE,GAAG,SAAS;AAE7B,eAAW,OAAO,SAAS;AACzB,YAAM,QAAQ,QAAQ,GAAG;AACzB,UAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,eAAO,GAAG,IAAI,KAAK,kBAAkB,SAAS,GAAG,KAAK,CAAC,GAAG,KAAK;AAAA,MACjE,OAAO;AACL,eAAO,GAAG,IAAI;AAAA,MAChB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,YAAY;AAAA,EACvB,OAAO,sBAAsB,SAAsB;AACjD,WAAO;AAAA,MACL,eAAe,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAAA,MACvD,YAAY,QAAQ,QAAQ,IAAI,iBAAiB,GAAG;AAAA,MACpD,aAAa,QAAQ,QAAQ,IAAI,WAAW,GAAG;AAAA,IACjD;AAAA,EACF;AACF;AAKO,MAAM,aAAa;AAAA,EACxB,OAAO,WAAW,SAAsB,SAAkB;AACxD,QAAI,QAAQ,IAAI,aAAa,eAAe;AAC1C,cAAQ,IAAI,cAAc,UAAU,IAAI,OAAO,KAAK,EAAE,KAAK,QAAQ,MAAM,IAAI,QAAQ,GAAG,EAAE;AAAA,IAC5F;AAAA,EACF;AAAA,EAEA,OAAO,SAAS,OAAY,SAAkB;AAC5C,YAAQ,MAAM,cAAc,UAAU,IAAI,OAAO,KAAK,EAAE,WAAW,KAAK;AAAA,EAC1E;AAAA,EAEA,OAAO,WAAW,SAAiB,SAAkB;AACnD,YAAQ,KAAK,cAAc,UAAU,IAAI,OAAO,KAAK,EAAE,aAAa,OAAO;AAAA,EAC7E;AACF;","names":[]}

package/dist/esm/app-router/admin/validators.js

@@ -0,0 +1,189 @@
+import { NextResponse } from "next/server";
+import { createApiErrorResponse } from "./responses";
+class CorsValidator {
+  static async validate(request, corsOptions) {
+    const origin = request.headers.get("origin");
+    const host = request.headers.get("host");
+    if (!origin || host && origin.includes(host)) {
+      return null;
+    }
+    if (corsOptions.allowedOrigins !== "*") {
+      const isAllowed = corsOptions.allowedOrigins.some((allowedOrigin) => {
+        if (allowedOrigin.startsWith("*")) {
+          const domain = allowedOrigin.slice(1);
+          return origin?.endsWith(domain);
+        }
+        return origin === allowedOrigin;
+      });
+      if (!isAllowed) {
+        return createApiErrorResponse("CORS_ORIGIN_NOT_ALLOWED", "Origin not allowed", 403);
+      }
+    }
+    return null;
+  }
+  static createOptionsResponse(corsOptions) {
+    const response = new NextResponse(null, { status: 204 });
+    if (corsOptions.allowedOrigins === "*") {
+      response.headers.set("Access-Control-Allow-Origin", "*");
+    } else {
+      response.headers.set("Access-Control-Allow-Origin", corsOptions.allowedOrigins.join(","));
+    }
+    response.headers.set(
+      "Access-Control-Allow-Methods",
+      corsOptions.allowedMethods?.join(",") || "GET,POST"
+    );
+    response.headers.set(
+      "Access-Control-Allow-Headers",
+      corsOptions.allowedHeaders?.join(",") || "Content-Type,Authorization"
+    );
+    if (corsOptions.allowCredentials) {
+      response.headers.set("Access-Control-Allow-Credentials", "true");
+    }
+    if (corsOptions.maxAge) {
+      response.headers.set("Access-Control-Max-Age", corsOptions.maxAge.toString());
+    }
+    return response;
+  }
+}
+class SecurityValidator {
+  static async validate(request, securityOptions) {
+    const origin = request.headers.get("origin");
+    const host = request.headers.get("host");
+    const referer = request.headers.get("referer");
+    const userAgent = request.headers.get("user-agent") || "";
+    const csrfResult = this.validateCsrf(request, securityOptions, origin, host, referer);
+    if (csrfResult) return csrfResult;
+    const headersResult = this.validateRequiredHeaders(request, securityOptions);
+    if (headersResult) return headersResult;
+    const userAgentResult = this.validateUserAgent(userAgent, securityOptions);
+    if (userAgentResult) return userAgentResult;
+    return null;
+  }
+  static validateCsrf(request, securityOptions, origin, host, referer) {
+    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {
+      const hasCSRFHeader = request.headers.get("x-requested-with") === "XMLHttpRequest";
+      const hasValidReferer = referer && host && referer.includes(host);
+      if (!hasCSRFHeader && !hasValidReferer) {
+        const isAllowedReferer = securityOptions.allowedReferers?.some(
+          (allowedRef) => referer?.includes(allowedRef)
+        );
+        if (!isAllowedReferer) {
+          return createApiErrorResponse("CSRF_PROTECTION", "Access denied", 403);
+        }
+      }
+    }
+    return null;
+  }
+  static validateRequiredHeaders(request, securityOptions) {
+    if (securityOptions.requiredHeaders) {
+      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {
+        const actualValue = request.headers.get(headerName);
+        if (actualValue !== expectedValue) {
+          return createApiErrorResponse(
+            "INVALID_HEADERS",
+            "Required header missing or invalid",
+            400
+          );
+        }
+      }
+    }
+    return null;
+  }
+  static validateUserAgent(userAgent, securityOptions) {
+    if (securityOptions.userAgent?.block?.length) {
+      const isBlocked = securityOptions.userAgent.block.some(
+        (blocked) => userAgent.toLowerCase().includes(blocked.toLowerCase())
+      );
+      if (isBlocked) {
+        return createApiErrorResponse("USER_AGENT_BLOCKED", "Access denied", 403);
+      }
+    }
+    if (securityOptions.userAgent?.allow?.length) {
+      const isAllowed = securityOptions.userAgent.allow.some(
+        (allowed) => userAgent.toLowerCase().includes(allowed.toLowerCase())
+      );
+      if (!isAllowed) {
+        return createApiErrorResponse("USER_AGENT_NOT_ALLOWED", "Access denied", 403);
+      }
+    }
+    return null;
+  }
+}
+class CsrfValidator {
+  static validate(csrfToken, csrfCookieValue) {
+    if (!csrfToken) {
+      return createApiErrorResponse("INVALID_CSRF_TOKEN", "CSRF token is required", 400);
+    }
+    if (!csrfCookieValue) {
+      return createApiErrorResponse("CSRF_COOKIE_MISSING", "CSRF token cookie not found", 403);
+    }
+    if (csrfToken !== csrfCookieValue) {
+      return createApiErrorResponse("CSRF_TOKEN_MISMATCH", "CSRF token mismatch", 403);
+    }
+    return null;
+  }
+}
+class RouteValidator {
+  static validatePathStructure(pathSegments) {
+    if (pathSegments.length < 3) {
+      return createApiErrorResponse(
+        "INVALID_ROUTE",
+        "Invalid route structure. Expected: /api/auth/{endpoint}",
+        404
+      );
+    }
+    return null;
+  }
+  static validateEndpoint(_endpoint, endpointConfig, method) {
+    if (!endpointConfig || !endpointConfig.enabled) {
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (method !== "OPTIONS" && !endpointConfig.methods.includes(method)) {
+      return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+  static validateSubEndpoint(subEndpoint, subEndpointConfig, method) {
+    if (!subEndpoint) {
+      return createApiErrorResponse("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
+    }
+    if (!subEndpointConfig || !subEndpointConfig.enabled) {
+      return createApiErrorResponse("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
+    }
+    if (!subEndpointConfig.methods?.includes(method)) {
+      return createApiErrorResponse("METHOD_NOT_ALLOWED", "Method not allowed", 405);
+    }
+    return null;
+  }
+}
+class RequestValidator {
+  static async validateSessionRequest(request) {
+    try {
+      const body = await request.json();
+      return { body, idToken: body.idToken, csrfToken: body.csrfToken };
+    } catch (error) {
+      return {
+        body: null,
+        error: createApiErrorResponse("INVALID_REQUEST_FORMAT", "Invalid request format", 400)
+      };
+    }
+  }
+  static validateIdToken(idToken) {
+    if (!idToken) {
+      return createApiErrorResponse(
+        "INVALID_TOKEN",
+        "ID token is required for creating session",
+        400
+      );
+    }
+    return null;
+  }
+}
+export {
+  CorsValidator,
+  CsrfValidator,
+  RequestValidator,
+  RouteValidator,
+  SecurityValidator
+};
+//# sourceMappingURL=validators.js.map

package/dist/esm/app-router/admin/validators.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/admin/validators.ts"],"sourcesContent":["import type { NextRequest} from 'next/server';\nimport { NextResponse } from 'next/server';\n\nimport { createApiErrorResponse } from './responses';\nimport type { AuthEndpoint, CorsOptions, SecurityOptions, SessionSubEndpoint } from './types';\n\n/**\n * CORS validation utilities\n */\nexport class CorsValidator {\n  static async validate(\n    request: NextRequest,\n    corsOptions: CorsOptions,\n  ): Promise<NextResponse | null> {\n    const origin = request.headers.get('origin');\n    const host = request.headers.get('host');\n\n    // Skip CORS for same-origin requests\n    if (!origin || (host && origin.includes(host))) {\n      return null;\n    }\n\n    if (corsOptions.allowedOrigins !== '*') {\n      const isAllowed = corsOptions.allowedOrigins.some(allowedOrigin => {\n        if (allowedOrigin.startsWith('*')) {\n          const domain = allowedOrigin.slice(1);\n          return origin?.endsWith(domain);\n        }\n        return origin === allowedOrigin;\n      });\n\n      if (!isAllowed) {\n        return createApiErrorResponse('CORS_ORIGIN_NOT_ALLOWED', 'Origin not allowed', 403);\n      }\n    }\n\n    return null;\n  }\n\n  static createOptionsResponse(corsOptions: CorsOptions): NextResponse {\n    const response = new NextResponse(null, { status: 204 });\n\n    if (corsOptions.allowedOrigins === '*') {\n      response.headers.set('Access-Control-Allow-Origin', '*');\n    } else {\n      response.headers.set('Access-Control-Allow-Origin', corsOptions.allowedOrigins.join(','));\n    }\n\n    response.headers.set(\n      'Access-Control-Allow-Methods',\n      corsOptions.allowedMethods?.join(',') || 'GET,POST',\n    );\n    response.headers.set(\n      'Access-Control-Allow-Headers',\n      corsOptions.allowedHeaders?.join(',') || 'Content-Type,Authorization',\n    );\n\n    if (corsOptions.allowCredentials) {\n      response.headers.set('Access-Control-Allow-Credentials', 'true');\n    }\n\n    if (corsOptions.maxAge) {\n      response.headers.set('Access-Control-Max-Age', corsOptions.maxAge.toString());\n    }\n\n    return response;\n  }\n}\n\n/**\n * Security validation utilities\n */\nexport class SecurityValidator {\n  static async validate(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n  ): Promise<NextResponse | null> {\n    const origin = request.headers.get('origin');\n    const host = request.headers.get('host');\n    const referer = request.headers.get('referer');\n    const userAgent = request.headers.get('user-agent') || '';\n\n    // CSRF Protection for cross-origin requests\n    const csrfResult = this.validateCsrf(request, securityOptions, origin, host, referer);\n    if (csrfResult) return csrfResult;\n\n    // Required headers validation\n    const headersResult = this.validateRequiredHeaders(request, securityOptions);\n    if (headersResult) return headersResult;\n\n    // User Agent filtering\n    const userAgentResult = this.validateUserAgent(userAgent, securityOptions);\n    if (userAgentResult) return userAgentResult;\n\n    return null;\n  }\n\n  private static validateCsrf(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n    origin: string | null,\n    host: string | null,\n    referer: string | null,\n  ): NextResponse | null {\n    if (securityOptions.requireCSRF && origin && host && !origin.includes(host)) {\n      const hasCSRFHeader = request.headers.get('x-requested-with') === 'XMLHttpRequest';\n      const hasValidReferer = referer && host && referer.includes(host);\n\n      if (!hasCSRFHeader && !hasValidReferer) {\n        const isAllowedReferer = securityOptions.allowedReferers?.some((allowedRef: string) =>\n          referer?.includes(allowedRef),\n        );\n\n        if (!isAllowedReferer) {\n          return createApiErrorResponse('CSRF_PROTECTION', 'Access denied', 403);\n        }\n      }\n    }\n    return null;\n  }\n\n  private static validateRequiredHeaders(\n    request: NextRequest,\n    securityOptions: SecurityOptions,\n  ): NextResponse | null {\n    if (securityOptions.requiredHeaders) {\n      for (const [headerName, expectedValue] of Object.entries(securityOptions.requiredHeaders)) {\n        const actualValue = request.headers.get(headerName);\n        if (actualValue !== expectedValue) {\n          return createApiErrorResponse(\n            'INVALID_HEADERS',\n            'Required header missing or invalid',\n            400,\n          );\n        }\n      }\n    }\n    return null;\n  }\n\n  private static validateUserAgent(\n    userAgent: string,\n    securityOptions: SecurityOptions,\n  ): NextResponse | null {\n    // User Agent blocking\n    if (securityOptions.userAgent?.block?.length) {\n      const isBlocked = securityOptions.userAgent.block.some((blocked: string) =>\n        userAgent.toLowerCase().includes(blocked.toLowerCase()),\n      );\n\n      if (isBlocked) {\n        return createApiErrorResponse('USER_AGENT_BLOCKED', 'Access denied', 403);\n      }\n    }\n\n    // User Agent allowlist\n    if (securityOptions.userAgent?.allow?.length) {\n      const isAllowed = securityOptions.userAgent.allow.some((allowed: string) =>\n        userAgent.toLowerCase().includes(allowed.toLowerCase()),\n      );\n\n      if (!isAllowed) {\n        return createApiErrorResponse('USER_AGENT_NOT_ALLOWED', 'Access denied', 403);\n      }\n    }\n\n    return null;\n  }\n}\n\n/**\n * CSRF token validation utilities\n */\nexport class CsrfValidator {\n  static validate(csrfToken: string, csrfCookieValue: string | undefined): NextResponse | null {\n    if (!csrfToken) {\n      return createApiErrorResponse('INVALID_CSRF_TOKEN', 'CSRF token is required', 400);\n    }\n\n    if (!csrfCookieValue) {\n      return createApiErrorResponse('CSRF_COOKIE_MISSING', 'CSRF token cookie not found', 403);\n    }\n\n    if (csrfToken !== csrfCookieValue) {\n      return createApiErrorResponse('CSRF_TOKEN_MISMATCH', 'CSRF token mismatch', 403);\n    }\n\n    return null;\n  }\n}\n\n/**\n * Route validation utilities\n */\nexport class RouteValidator {\n  static validatePathStructure(pathSegments: string[]): NextResponse | null {\n    if (pathSegments.length < 3) {\n      return createApiErrorResponse(\n        'INVALID_ROUTE',\n        'Invalid route structure. Expected: /api/auth/{endpoint}',\n        404,\n      );\n    }\n    return null;\n  }\n\n  static validateEndpoint(\n    _endpoint: AuthEndpoint,\n    endpointConfig: any,\n    method: string,\n  ): NextResponse | null {\n    if (!endpointConfig || !endpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (method !== 'OPTIONS' && !endpointConfig.methods.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n\n  static validateSubEndpoint(\n    subEndpoint: SessionSubEndpoint | undefined,\n    subEndpointConfig: any,\n    method: string,\n  ): NextResponse | null {\n    if (!subEndpoint) {\n      return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n    }\n\n    if (!subEndpointConfig || !subEndpointConfig.enabled) {\n      return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Endpoint not found', 404);\n    }\n\n    if (!subEndpointConfig.methods?.includes(method as any)) {\n      return createApiErrorResponse('METHOD_NOT_ALLOWED', 'Method not allowed', 405);\n    }\n\n    return null;\n  }\n}\n\n/**\n * Request body validation utilities\n */\nexport class RequestValidator {\n  static async validateSessionRequest(request: NextRequest): Promise<{\n    body: any;\n    idToken?: string;\n    csrfToken?: string;\n    error?: NextResponse;\n  }> {\n    try {\n      const body = await request.json();\n      return { body, idToken: body.idToken, csrfToken: body.csrfToken };\n    } catch (error) {\n      return {\n        body: null,\n        error: createApiErrorResponse('INVALID_REQUEST_FORMAT', 'Invalid request format', 400),\n      };\n    }\n  }\n\n  static validateIdToken(idToken: string | undefined): NextResponse | null {\n    if (!idToken) {\n      return createApiErrorResponse(\n        'INVALID_TOKEN',\n        'ID token is required for creating session',\n        400,\n      );\n    }\n    return null;\n  }\n}\n"],"mappings":"AACA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAMhC,MAAM,cAAc;AAAA,EACzB,aAAa,SACX,SACA,aAC8B;AAC9B,UAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAC3C,UAAM,OAAO,QAAQ,QAAQ,IAAI,MAAM;AAGvC,QAAI,CAAC,UAAW,QAAQ,OAAO,SAAS,IAAI,GAAI;AAC9C,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,mBAAmB,KAAK;AACtC,YAAM,YAAY,YAAY,eAAe,KAAK,mBAAiB;AACjE,YAAI,cAAc,WAAW,GAAG,GAAG;AACjC,gBAAM,SAAS,cAAc,MAAM,CAAC;AACpC,iBAAO,QAAQ,SAAS,MAAM;AAAA,QAChC;AACA,eAAO,WAAW;AAAA,MACpB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,eAAO,uBAAuB,2BAA2B,sBAAsB,GAAG;AAAA,MACpF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,sBAAsB,aAAwC;AACnE,UAAM,WAAW,IAAI,aAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAEvD,QAAI,YAAY,mBAAmB,KAAK;AACtC,eAAS,QAAQ,IAAI,+BAA+B,GAAG;AAAA,IACzD,OAAO;AACL,eAAS,QAAQ,IAAI,+BAA+B,YAAY,eAAe,KAAK,GAAG,CAAC;AAAA,IAC1F;AAEA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AACA,aAAS,QAAQ;AAAA,MACf;AAAA,MACA,YAAY,gBAAgB,KAAK,GAAG,KAAK;AAAA,IAC3C;AAEA,QAAI,YAAY,kBAAkB;AAChC,eAAS,QAAQ,IAAI,oCAAoC,MAAM;AAAA,IACjE;AAEA,QAAI,YAAY,QAAQ;AACtB,eAAS,QAAQ,IAAI,0BAA0B,YAAY,OAAO,SAAS,CAAC;AAAA,IAC9E;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,kBAAkB;AAAA,EAC7B,aAAa,SACX,SACA,iBAC8B;AAC9B,UAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAC3C,UAAM,OAAO,QAAQ,QAAQ,IAAI,MAAM;AACvC,UAAM,UAAU,QAAQ,QAAQ,IAAI,SAAS;AAC7C,UAAM,YAAY,QAAQ,QAAQ,IAAI,YAAY,KAAK;AAGvD,UAAM,aAAa,KAAK,aAAa,SAAS,iBAAiB,QAAQ,MAAM,OAAO;AACpF,QAAI,WAAY,QAAO;AAGvB,UAAM,gBAAgB,KAAK,wBAAwB,SAAS,eAAe;AAC3E,QAAI,cAAe,QAAO;AAG1B,UAAM,kBAAkB,KAAK,kBAAkB,WAAW,eAAe;AACzE,QAAI,gBAAiB,QAAO;AAE5B,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,aACb,SACA,iBACA,QACA,MACA,SACqB;AACrB,QAAI,gBAAgB,eAAe,UAAU,QAAQ,CAAC,OAAO,SAAS,IAAI,GAAG;AAC3E,YAAM,gBAAgB,QAAQ,QAAQ,IAAI,kBAAkB,MAAM;AAClE,YAAM,kBAAkB,WAAW,QAAQ,QAAQ,SAAS,IAAI;AAEhE,UAAI,CAAC,iBAAiB,CAAC,iBAAiB;AACtC,cAAM,mBAAmB,gBAAgB,iBAAiB;AAAA,UAAK,CAAC,eAC9D,SAAS,SAAS,UAAU;AAAA,QAC9B;AAEA,YAAI,CAAC,kBAAkB;AACrB,iBAAO,uBAAuB,mBAAmB,iBAAiB,GAAG;AAAA,QACvE;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,wBACb,SACA,iBACqB;AACrB,QAAI,gBAAgB,iBAAiB;AACnC,iBAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,gBAAgB,eAAe,GAAG;AACzF,cAAM,cAAc,QAAQ,QAAQ,IAAI,UAAU;AAClD,YAAI,gBAAgB,eAAe;AACjC,iBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAe,kBACb,WACA,iBACqB;AAErB,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,WAAW;AACb,eAAO,uBAAuB,sBAAsB,iBAAiB,GAAG;AAAA,MAC1E;AAAA,IACF;AAGA,QAAI,gBAAgB,WAAW,OAAO,QAAQ;AAC5C,YAAM,YAAY,gBAAgB,UAAU,MAAM;AAAA,QAAK,CAAC,YACtD,UAAU,YAAY,EAAE,SAAS,QAAQ,YAAY,CAAC;AAAA,MACxD;AAEA,UAAI,CAAC,WAAW;AACd,eAAO,uBAAuB,0BAA0B,iBAAiB,GAAG;AAAA,MAC9E;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,cAAc;AAAA,EACzB,OAAO,SAAS,WAAmB,iBAA0D;AAC3F,QAAI,CAAC,WAAW;AACd,aAAO,uBAAuB,sBAAsB,0BAA0B,GAAG;AAAA,IACnF;AAEA,QAAI,CAAC,iBAAiB;AACpB,aAAO,uBAAuB,uBAAuB,+BAA+B,GAAG;AAAA,IACzF;AAEA,QAAI,cAAc,iBAAiB;AACjC,aAAO,uBAAuB,uBAAuB,uBAAuB,GAAG;AAAA,IACjF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,eAAe;AAAA,EAC1B,OAAO,sBAAsB,cAA6C;AACxE,QAAI,aAAa,SAAS,GAAG;AAC3B,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,iBACL,WACA,gBACA,QACqB;AACrB,QAAI,CAAC,kBAAkB,CAAC,eAAe,SAAS;AAC9C,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,WAAW,aAAa,CAAC,eAAe,QAAQ,SAAS,MAAa,GAAG;AAC3E,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,OAAO,oBACL,aACA,mBACA,QACqB;AACrB,QAAI,CAAC,aAAa;AAChB,aAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,IAC7F;AAEA,QAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,QAAI,CAAC,kBAAkB,SAAS,SAAS,MAAa,GAAG;AACvD,aAAO,uBAAuB,sBAAsB,sBAAsB,GAAG;AAAA,IAC/E;AAEA,WAAO;AAAA,EACT;AACF;AAKO,MAAM,iBAAiB;AAAA,EAC5B,aAAa,uBAAuB,SAKjC;AACD,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,aAAO,EAAE,MAAM,SAAS,KAAK,SAAS,WAAW,KAAK,UAAU;AAAA,IAClE,SAAS,OAAO;AACd,aAAO;AAAA,QACL,MAAM;AAAA,QACN,OAAO,uBAAuB,0BAA0B,0BAA0B,GAAG;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAO,gBAAgB,SAAkD;AACvE,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/esm/app-router/client/TernSecureProvider.js

@@ -1,16 +1,12 @@
-import { jsx, jsxs } from "react/jsx-runtime";
+import { jsx } from "react/jsx-runtime";
 import {
   TernSecureProvider as TernSecureReactProvider
 } from "@tern-secure/react";
 import { allNextProviderPropsWithEnv } from "../../utils/allNextProviderProps";
-import { TernUIScript } from "../../utils/tern-ui-script";
 function TernSecureProvider(props) {
   const { children, enableServiceWorker, ...nextProps } = props;
   const providerProps = allNextProviderPropsWithEnv(nextProps);
-  return /* @__PURE__ */ jsxs(TernSecureReactProvider, { ...providerProps, children: [
-    /* @__PURE__ */ jsx(TernUIScript, { router: "app" }),
-    children
-  ] });
+  return /* @__PURE__ */ jsx(TernSecureReactProvider, { ...providerProps, children });
 }
 export {
   TernSecureProvider

package/dist/esm/app-router/client/TernSecureProvider.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/app-router/client/TernSecureProvider.tsx"],"sourcesContent":["import React from \"react\"\r\nimport { \r\n  TernSecureProvider as TernSecureReactProvider \r\n} from \"@tern-secure/react\"\r\nimport type { TernSecureNextProps } from \"../../types\"\r\nimport { allNextProviderPropsWithEnv } from \"../../utils/allNextProviderProps\"\r\nimport { TernUIScript } from \"../../utils/tern-ui-script\";\r\n\r\n\r\n\r\n// Loading fallback component\r\n/*function TernSecureLoadingFallback() {\r\n  return (\r\n    <div>\r\n      <span className=\"sr-only\">Loading...</span>\r\n    </div>\r\n  )\r\n}*/\r\n/**\r\n * Root Provider for TernSecure\r\n * Use this in your Next.js App Router root layout\r\n * Automatically handles client/server boundary and authentication state\r\n * \r\n * @example\r\n * /// app/layout.tsx\r\n * import { TernSecureProvider } from '@tern/secure'\r\n * \r\n * export default function RootLayout({ children }) {\r\n *   return (\r\n *     <html>\r\n *       <body>\r\n *         <TernSecureProvider>\r\n *           {children}\r\n *         </TernSecureProvider>\r\n *       </body>\r\n *     </html>\r\n *   )\r\n * }\r\n */\r\nexport function TernSecureProvider(props: React.PropsWithChildren<TernSecureNextProps>) {\r\n  const {children, enableServiceWorker, ...nextProps } = props;\r\n  const providerProps = allNextProviderPropsWithEnv(nextProps);\r\n  return (\r\n    <TernSecureReactProvider {...providerProps}>\r\n      <TernUIScript router='app' />\r\n        {children}\r\n    </TernSecureReactProvider>\r\n  )\r\n}"],"mappings":"AA2CI,SACE,KADF;AA1CJ;AAAA,EACE,sBAAsB;AAAA,OACjB;AAEP,SAAS,mCAAmC;AAC5C,SAAS,oBAAoB;AAiCtB,SAAS,mBAAmB,OAAqD;AACtF,QAAM,EAAC,UAAU,qBAAqB,GAAG,UAAU,IAAI;AACvD,QAAM,gBAAgB,4BAA4B,SAAS;AAC3D,SACE,qBAAC,2BAAyB,GAAG,eAC3B;AAAA,wBAAC,gBAAa,QAAO,OAAM;AAAA,IACxB;AAAA,KACL;AAEJ;","names":[]}
+{"version":3,"sources":["../../../../src/app-router/client/TernSecureProvider.tsx"],"sourcesContent":["import { \r\n  TernSecureProvider as TernSecureReactProvider \r\n} from \"@tern-secure/react\"\r\nimport React from \"react\"\r\n\r\nimport type { TernSecureNextProps } from \"../../types\"\r\nimport { allNextProviderPropsWithEnv } from \"../../utils/allNextProviderProps\"\r\n\r\n\r\n\r\n// Loading fallback component\r\n/*function TernSecureLoadingFallback() {\r\n  return (\r\n    <div>\r\n      <span className=\"sr-only\">Loading...</span>\r\n    </div>\r\n  )\r\n}*/\r\n/**\r\n * Root Provider for TernSecure\r\n * Use this in your Next.js App Router root layout\r\n * Automatically handles client/server boundary and authentication state\r\n * \r\n * @example\r\n * /// app/layout.tsx\r\n * import { TernSecureProvider } from '@tern/secure'\r\n * \r\n * export default function RootLayout({ children }) {\r\n *   return (\r\n *     <html>\r\n *       <body>\r\n *         <TernSecureProvider>\r\n *           {children}\r\n *         </TernSecureProvider>\r\n *       </body>\r\n *     </html>\r\n *   )\r\n * }\r\n */\r\nexport function TernSecureProvider(props: React.PropsWithChildren<TernSecureNextProps>) {\r\n  const {children, enableServiceWorker, ...nextProps } = props;\r\n  const providerProps = allNextProviderPropsWithEnv(nextProps);\r\n  return (\r\n    <TernSecureReactProvider {...providerProps}>\r\n        {children}\r\n    </TernSecureReactProvider>\r\n  )\r\n}"],"mappings":"AA2CI;AA3CJ;AAAA,EACE,sBAAsB;AAAA,OACjB;AAIP,SAAS,mCAAmC;AAiCrC,SAAS,mBAAmB,OAAqD;AACtF,QAAM,EAAC,UAAU,qBAAqB,GAAG,UAAU,IAAI;AACvD,QAAM,gBAAgB,4BAA4B,SAAS;AAC3D,SACE,oBAAC,2BAAyB,GAAG,eACxB,UACL;AAEJ;","names":[]}

package/dist/esm/app-router/server/auth.js

@@ -0,0 +1,81 @@
+import {
+  AuthStatus,
+  createTernSecureRequest,
+  signedInAuthObject,
+  signedOutAuthObject
+} from "@tern-secure/backend";
+import { ternDecodeJwt } from "@tern-secure/backend/jwt";
+import { notFound, redirect } from "next/navigation";
+import { SIGN_IN_URL, SIGN_UP_URL } from "../../server/constant";
+import { getAuthKeyFromRequest } from "../../server/headers-utils";
+import { createProtect } from "../../server/protect";
+import { createRedirect } from "../../server/redirect";
+import { buildRequestLike } from "./utils";
+const createAuthObject = () => {
+  return async (req) => {
+    return getAuthDataFromRequest(req);
+  };
+};
+function getAuthDataFromRequest(req) {
+  const authStatus = getAuthKeyFromRequest(req, "AuthStatus");
+  const authToken = getAuthKeyFromRequest(req, "AuthToken");
+  const authSignature = getAuthKeyFromRequest(req, "AuthSignature");
+  const authReason = getAuthKeyFromRequest(req, "AuthReason");
+  let authObject;
+  if (!authStatus || authStatus !== AuthStatus.SignedIn) {
+    authObject = signedOutAuthObject();
+  } else {
+    const jwt = ternDecodeJwt(authToken);
+    authObject = signedInAuthObject(jwt.raw.text, jwt.payload);
+  }
+  return authObject;
+}
+const auth = async () => {
+  require("server-only");
+  const request = await buildRequestLike();
+  const authObject = await createAuthObject()(request);
+  const ternUrl = getAuthKeyFromRequest(request, "TernSecureUrl");
+  const createRedirectForRequest = (...args) => {
+    const { returnBackUrl } = args[0] || {};
+    const ternSecureRequest = createTernSecureRequest(request);
+    return [
+      createRedirect({
+        redirectAdapter: redirect,
+        baseUrl: ternSecureRequest.ternUrl.toString(),
+        signInUrl: SIGN_IN_URL,
+        signUpUrl: SIGN_UP_URL
+      }),
+      returnBackUrl === null ? "" : returnBackUrl || ternUrl?.toString()
+    ];
+  };
+  const redirectToSignIn = (opts = {}) => {
+    const [r, returnBackUrl] = createRedirectForRequest(opts);
+    return r.redirectToSignIn({
+      returnBackUrl
+    });
+  };
+  const redirectToSignUp = (opts = {}) => {
+    const [r, returnBackUrl] = createRedirectForRequest(opts);
+    return r.redirectToSignUp({
+      returnBackUrl
+    });
+  };
+  return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });
+};
+auth.protect = async (...args) => {
+  require("server-only");
+  const request = await buildRequestLike();
+  const authObject = await auth();
+  const protect = createProtect({
+    request,
+    authObject,
+    redirectToSignIn: authObject.redirectToSignIn,
+    notFound,
+    redirect
+  });
+  return protect(...args);
+};
+export {
+  auth
+};
+//# sourceMappingURL=auth.js.map

package/dist/esm/app-router/server/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/server/auth.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\r\nimport {\r\n  AuthStatus,\r\n  createTernSecureRequest,\r\n  signedInAuthObject,\r\n  signedOutAuthObject,\r\n} from '@tern-secure/backend';\r\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\r\nimport { notFound, redirect } from 'next/navigation';\r\n\r\nimport { SIGN_IN_URL, SIGN_UP_URL } from '../../server/constant';\r\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\r\nimport { type AuthProtect,createProtect } from '../../server/protect';\r\nimport { createRedirect, type RedirectFun } from '../../server/redirect';\r\nimport type { BaseUser, RequestLike } from '../../server/types';\r\nimport { buildRequestLike } from './utils';\r\n\r\nexport interface AuthResult {\r\n  user: BaseUser | null;\r\n  error: Error | null;\r\n}\r\n\r\n/**\r\n * `Auth` object of the currently active user and the `redirectToSignIn()` method.\r\n */\r\ntype Auth = AuthObject & {\r\n  redirectToSignIn: RedirectFun<ReturnType<typeof redirect>>;\r\n  redirectToSignUp: RedirectFun<ReturnType<typeof redirect>>;\r\n};\r\n\r\nexport interface AuthFn {\r\n  (): Promise<Auth>;\r\n\r\n  protect: AuthProtect;\r\n}\r\n\r\nconst createAuthObject = () => {\r\n  return async (req: RequestLike) => {\r\n    return getAuthDataFromRequest(req);\r\n  };\r\n};\r\n\r\nfunction getAuthDataFromRequest(req: RequestLike): AuthObject {\r\n  const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');\r\n  const authToken = getAuthKeyFromRequest(req, 'AuthToken');\r\n  const authSignature = getAuthKeyFromRequest(req, 'AuthSignature');\r\n  const authReason = getAuthKeyFromRequest(req, 'AuthReason');\r\n\r\n  let authObject;\r\n  if (!authStatus || authStatus !== AuthStatus.SignedIn) {\r\n    authObject = signedOutAuthObject();\r\n  } else {\r\n    const jwt = ternDecodeJwt(authToken as string);\r\n\r\n    authObject = signedInAuthObject(jwt.raw.text, jwt.payload);\r\n  }\r\n  return authObject;\r\n}\r\n\r\n/**\r\n * Get the current authenticated user from the session or token\r\n */\r\nexport const auth: AuthFn = async () => {\r\n  // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n  require('server-only');\r\n\r\n  const request = await buildRequestLike();\r\n\r\n  const authObject = await createAuthObject()(request);\r\n\r\n  const ternUrl = getAuthKeyFromRequest(request, 'TernSecureUrl');\r\n\r\n  const createRedirectForRequest = (...args: Parameters<RedirectFun<never>>) => {\r\n    const { returnBackUrl } = args[0] || {};\r\n    const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n    return [\r\n      createRedirect({\r\n        redirectAdapter: redirect,\r\n        baseUrl: ternSecureRequest.ternUrl.toString(),\r\n        signInUrl: SIGN_IN_URL,\r\n        signUpUrl: SIGN_UP_URL,\r\n      }),\r\n      returnBackUrl === null ? '' : returnBackUrl || ternUrl?.toString(),\r\n    ] as const;\r\n  };\r\n\r\n  const redirectToSignIn: RedirectFun<never> = (opts = {}) => {\r\n    const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n    return r.redirectToSignIn({\r\n      returnBackUrl,\r\n    });\r\n  };\r\n\r\n  const redirectToSignUp: RedirectFun<never> = (opts = {}) => {\r\n    const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n    return r.redirectToSignUp({\r\n      returnBackUrl,\r\n    });\r\n  };\r\n\r\n  return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });\r\n};\r\n\r\nauth.protect = async (...args: any[]) => {\r\n  // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n  require('server-only');\r\n\r\n  const request = await buildRequestLike();\r\n  const authObject = await auth();\r\n\r\n  const protect = createProtect({\r\n    request,\r\n    authObject,\r\n    redirectToSignIn: authObject.redirectToSignIn,\r\n    notFound,\r\n    redirect,\r\n  });\r\n\r\n  return protect(...args);\r\n};\r\n"],"mappings":"AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAC9B,SAAS,UAAU,gBAAgB;AAEnC,SAAS,aAAa,mBAAmB;AACzC,SAAS,6BAA6B;AACtC,SAA0B,qBAAqB;AAC/C,SAAS,sBAAwC;AAEjD,SAAS,wBAAwB;AAqBjC,MAAM,mBAAmB,MAAM;AAC7B,SAAO,OAAO,QAAqB;AACjC,WAAO,uBAAuB,GAAG;AAAA,EACnC;AACF;AAEA,SAAS,uBAAuB,KAA8B;AAC5D,QAAM,aAAa,sBAAsB,KAAK,YAAY;AAC1D,QAAM,YAAY,sBAAsB,KAAK,WAAW;AACxD,QAAM,gBAAgB,sBAAsB,KAAK,eAAe;AAChE,QAAM,aAAa,sBAAsB,KAAK,YAAY;AAE1D,MAAI;AACJ,MAAI,CAAC,cAAc,eAAe,WAAW,UAAU;AACrD,iBAAa,oBAAoB;AAAA,EACnC,OAAO;AACL,UAAM,MAAM,cAAc,SAAmB;AAE7C,iBAAa,mBAAmB,IAAI,IAAI,MAAM,IAAI,OAAO;AAAA,EAC3D;AACA,SAAO;AACT;AAKO,MAAM,OAAe,YAAY;AAEtC,UAAQ,aAAa;AAErB,QAAM,UAAU,MAAM,iBAAiB;AAEvC,QAAM,aAAa,MAAM,iBAAiB,EAAE,OAAO;AAEnD,QAAM,UAAU,sBAAsB,SAAS,eAAe;AAE9D,QAAM,2BAA2B,IAAI,SAAyC;AAC5E,UAAM,EAAE,cAAc,IAAI,KAAK,CAAC,KAAK,CAAC;AACtC,UAAM,oBAAoB,wBAAwB,OAAO;AAEzD,WAAO;AAAA,MACL,eAAe;AAAA,QACb,iBAAiB;AAAA,QACjB,SAAS,kBAAkB,QAAQ,SAAS;AAAA,QAC5C,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAC;AAAA,MACD,kBAAkB,OAAO,KAAK,iBAAiB,SAAS,SAAS;AAAA,IACnE;AAAA,EACF;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO,OAAO,OAAO,YAAY,EAAE,kBAAkB,iBAAiB,CAAC;AACzE;AAEA,KAAK,UAAU,UAAU,SAAgB;AAEvC,UAAQ,aAAa;AAErB,QAAM,UAAU,MAAM,iBAAiB;AACvC,QAAM,aAAa,MAAM,KAAK;AAE9B,QAAM,UAAU,cAAc;AAAA,IAC5B;AAAA,IACA;AAAA,IACA,kBAAkB,WAAW;AAAA,IAC7B;AAAA,IACA;AAAA,EACF,CAAC;AAED,SAAO,QAAQ,GAAG,IAAI;AACxB;","names":[]}

package/dist/esm/app-router/server/utils.js

@@ -0,0 +1,51 @@
+import { NextRequest } from "next/server";
+const isPrerenderingBailout = (e) => {
+  if (!(e instanceof Error) || !("message" in e)) {
+    return false;
+  }
+  const { message } = e;
+  const lowerCaseInput = message.toLowerCase();
+  const dynamicServerUsage = lowerCaseInput.includes("dynamic server usage");
+  const bailOutPrerendering = lowerCaseInput.includes("this page needs to bail out of prerendering");
+  const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;
+  return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;
+};
+async function buildRequestLike() {
+  try {
+    const { headers } = await import("next/headers");
+    const resolvedHeaders = await headers();
+    return new NextRequest("https://placeholder.com", { headers: resolvedHeaders });
+  } catch (e) {
+    if (e && isPrerenderingBailout(e)) {
+      throw e;
+    }
+    throw new Error(
+      `Clerk: auth(), currentUser() and clerkClient(), are only supported in App Router (/app directory).
+If you're using /pages, try getAuth() instead.
+Original error: ${e}`
+    );
+  }
+}
+function getScriptNonceFromHeader(cspHeaderValue) {
+  const directives = cspHeaderValue.split(";").map((directive2) => directive2.trim());
+  const directive = directives.find((dir) => dir.startsWith("script-src")) || directives.find((dir) => dir.startsWith("default-src"));
+  if (!directive) {
+    return;
+  }
+  const nonce = directive.split(" ").slice(1).map((source) => source.trim()).find((source) => source.startsWith("'nonce-") && source.length > 8 && source.endsWith("'"))?.slice(7, -1);
+  if (!nonce) {
+    return;
+  }
+  if (/[&><\u2028\u2029]/g.test(nonce)) {
+    throw new Error(
+      "Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`"
+    );
+  }
+  return nonce;
+}
+export {
+  buildRequestLike,
+  getScriptNonceFromHeader,
+  isPrerenderingBailout
+};
+//# sourceMappingURL=utils.js.map

package/dist/esm/app-router/server/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/app-router/server/utils.ts"],"sourcesContent":["import { NextRequest } from 'next/server';\r\n\r\nexport const isPrerenderingBailout = (e: unknown) => {\r\n  if (!(e instanceof Error) || !('message' in e)) {\r\n    return false;\r\n  }\r\n\r\n  const { message } = e;\r\n\r\n  const lowerCaseInput = message.toLowerCase();\r\n  const dynamicServerUsage = lowerCaseInput.includes('dynamic server usage');\r\n  const bailOutPrerendering = lowerCaseInput.includes('this page needs to bail out of prerendering');\r\n\r\n  // note: new error message syntax introduced in next@14.1.1-canary.21\r\n  // but we still want to support older versions.\r\n  // https://github.com/vercel/next.js/pull/61332 (dynamic-rendering.ts:153)\r\n  const routeRegex = /Route .*? needs to bail out of prerendering at this point because it used .*?./;\r\n\r\n  return routeRegex.test(message) || dynamicServerUsage || bailOutPrerendering;\r\n};\r\n\r\nexport async function buildRequestLike(): Promise<NextRequest> {\r\n  try {\r\n    // Dynamically import next/headers, otherwise Next12 apps will break\r\n    // @ts-expect-error: Cannot find module 'next/headers' or its corresponding type declarations.ts(2307)\r\n    const { headers } = await import('next/headers');\r\n    const resolvedHeaders = await headers();\r\n    return new NextRequest('https://placeholder.com', { headers: resolvedHeaders });\r\n  } catch (e: any) {\r\n    // rethrow the error when react throws a prerendering bailout\r\n    // https://nextjs.org/docs/messages/ppr-caught-error\r\n    if (e && isPrerenderingBailout(e)) {\r\n      throw e;\r\n    }\r\n\r\n    throw new Error(\r\n      `Clerk: auth(), currentUser() and clerkClient(), are only supported in App Router (/app directory).\\nIf you're using /pages, try getAuth() instead.\\nOriginal error: ${e}`,\r\n    );\r\n  }\r\n}\r\n\r\n// Original source: https://github.com/vercel/next.js/blob/canary/packages/next/src/server/app-render/get-script-nonce-from-header.tsx\r\nexport function getScriptNonceFromHeader(cspHeaderValue: string): string | undefined {\r\n  const directives = cspHeaderValue\r\n    // Directives are split by ';'.\r\n    .split(';')\r\n    .map(directive => directive.trim());\r\n\r\n  // First try to find the directive for the 'script-src', otherwise try to\r\n  // fallback to the 'default-src'.\r\n  const directive =\r\n    directives.find(dir => dir.startsWith('script-src')) || directives.find(dir => dir.startsWith('default-src'));\r\n\r\n  // If no directive could be found, then we're done.\r\n  if (!directive) {\r\n    return;\r\n  }\r\n\r\n  // Extract the nonce from the directive\r\n  const nonce = directive\r\n    .split(' ')\r\n    // Remove the 'strict-src'/'default-src' string, this can't be the nonce.\r\n    .slice(1)\r\n    .map(source => source.trim())\r\n    // Find the first source with the 'nonce-' prefix.\r\n    .find(source => source.startsWith(\"'nonce-\") && source.length > 8 && source.endsWith(\"'\"))\r\n    // Grab the nonce by trimming the 'nonce-' prefix.\r\n    ?.slice(7, -1);\r\n\r\n  // If we couldn't find the nonce, then we're done.\r\n  if (!nonce) {\r\n    return;\r\n  }\r\n\r\n  // Don't accept the nonce value if it contains HTML escape characters.\r\n  // Technically, the spec requires a base64'd value, but this is just an\r\n  // extra layer.\r\n  if (/[&><\\u2028\\u2029]/g.test(nonce)) {\r\n    throw new Error(\r\n      'Nonce value from Content-Security-Policy contained invalid HTML escape characters, which is disallowed for security reasons. Make sure that your nonce value does not contain the following characters: `<`, `>`, `&`',\r\n    );\r\n  }\r\n\r\n  return nonce;\r\n}\r\n"],"mappings":"AAAA,SAAS,mBAAmB;AAErB,MAAM,wBAAwB,CAAC,MAAe;AACnD,MAAI,EAAE,aAAa,UAAU,EAAE,aAAa,IAAI;AAC9C,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,QAAQ,IAAI;AAEpB,QAAM,iBAAiB,QAAQ,YAAY;AAC3C,QAAM,qBAAqB,eAAe,SAAS,sBAAsB;AACzE,QAAM,sBAAsB,eAAe,SAAS,6CAA6C;AAKjG,QAAM,aAAa;AAEnB,SAAO,WAAW,KAAK,OAAO,KAAK,sBAAsB;AAC3D;AAEA,eAAsB,mBAAyC;AAC7D,MAAI;AAGF,UAAM,EAAE,QAAQ,IAAI,MAAM,OAAO,cAAc;AAC/C,UAAM,kBAAkB,MAAM,QAAQ;AACtC,WAAO,IAAI,YAAY,2BAA2B,EAAE,SAAS,gBAAgB,CAAC;AAAA,EAChF,SAAS,GAAQ;AAGf,QAAI,KAAK,sBAAsB,CAAC,GAAG;AACjC,YAAM;AAAA,IACR;AAEA,UAAM,IAAI;AAAA,MACR;AAAA;AAAA,kBAAuK,CAAC;AAAA,IAC1K;AAAA,EACF;AACF;AAGO,SAAS,yBAAyB,gBAA4C;AACnF,QAAM,aAAa,eAEhB,MAAM,GAAG,EACT,IAAI,CAAAA,eAAaA,WAAU,KAAK,CAAC;AAIpC,QAAM,YACJ,WAAW,KAAK,SAAO,IAAI,WAAW,YAAY,CAAC,KAAK,WAAW,KAAK,SAAO,IAAI,WAAW,aAAa,CAAC;AAG9G,MAAI,CAAC,WAAW;AACd;AAAA,EACF;AAGA,QAAM,QAAQ,UACX,MAAM,GAAG,EAET,MAAM,CAAC,EACP,IAAI,YAAU,OAAO,KAAK,CAAC,EAE3B,KAAK,YAAU,OAAO,WAAW,SAAS,KAAK,OAAO,SAAS,KAAK,OAAO,SAAS,GAAG,CAAC,GAEvF,MAAM,GAAG,EAAE;AAGf,MAAI,CAAC,OAAO;AACV;AAAA,EACF;AAKA,MAAI,qBAAqB,KAAK,KAAK,GAAG;AACpC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":["directive"]}

package/dist/esm/boundary/components.js

@@ -1,18 +1,15 @@
-"use client";
 import {
   useAuth,
   useIdToken,
-  useSignUp,
   useSession,
-  SignIn,
-  SignUp
+  useSignIn,
+  signIn
 } from "@tern-secure/react";
 export {
-  SignIn,
-  SignUp,
+  signIn,
   useAuth,
   useIdToken,
   useSession,
-  useSignUp
+  useSignIn
 };
 //# sourceMappingURL=components.js.map