@tern-secure/nextjs 5.2.0-canary.v20250919134427 → 5.2.0-canary.v20251002175916
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/app-router/admin/api/endpoints/abstract.js.map +1 -1
- package/dist/cjs/app-router/admin/{claude-authenticateRequestProcessor.js → c-authenticateRequestProcessor.js} +21 -7
- package/dist/cjs/app-router/admin/c-authenticateRequestProcessor.js.map +1 -0
- package/dist/cjs/app-router/admin/constants.js +18 -0
- package/dist/cjs/app-router/admin/constants.js.map +1 -1
- package/dist/cjs/app-router/admin/endpointRouter.js +10 -11
- package/dist/cjs/app-router/admin/endpointRouter.js.map +1 -1
- package/dist/cjs/app-router/admin/fnValidators.js +10 -24
- package/dist/cjs/app-router/admin/fnValidators.js.map +1 -1
- package/dist/cjs/app-router/admin/index.js +0 -5
- package/dist/cjs/app-router/admin/index.js.map +1 -1
- package/dist/cjs/app-router/admin/request.js +73 -0
- package/dist/cjs/app-router/admin/request.js.map +1 -0
- package/dist/cjs/app-router/admin/sessionHandlers.js +84 -123
- package/dist/cjs/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/cjs/app-router/admin/ternsecureNextjsHandler.js +21 -34
- package/dist/cjs/app-router/admin/ternsecureNextjsHandler.js.map +1 -1
- package/dist/cjs/app-router/admin/types.js +83 -6
- package/dist/cjs/app-router/admin/types.js.map +1 -1
- package/dist/cjs/server/constant.js +4 -1
- package/dist/cjs/server/constant.js.map +1 -1
- package/dist/cjs/server/ternSecureEdgeMiddleware.js +3 -23
- package/dist/cjs/server/ternSecureEdgeMiddleware.js.map +1 -1
- package/dist/cjs/server/ternsecureClient.js +44 -0
- package/dist/cjs/server/ternsecureClient.js.map +1 -0
- package/dist/esm/app-router/admin/api/endpoints/abstract.js.map +1 -1
- package/dist/esm/app-router/admin/{claude-authenticateRequestProcessor.js → c-authenticateRequestProcessor.js} +18 -4
- package/dist/esm/app-router/admin/c-authenticateRequestProcessor.js.map +1 -0
- package/dist/esm/app-router/admin/constants.js +12 -0
- package/dist/esm/app-router/admin/constants.js.map +1 -1
- package/dist/esm/app-router/admin/endpointRouter.js +11 -12
- package/dist/esm/app-router/admin/endpointRouter.js.map +1 -1
- package/dist/esm/app-router/admin/fnValidators.js +10 -23
- package/dist/esm/app-router/admin/fnValidators.js.map +1 -1
- package/dist/esm/app-router/admin/index.js +0 -3
- package/dist/esm/app-router/admin/index.js.map +1 -1
- package/dist/esm/app-router/admin/request.js +56 -0
- package/dist/esm/app-router/admin/request.js.map +1 -0
- package/dist/esm/app-router/admin/sessionHandlers.js +84 -111
- package/dist/esm/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/esm/app-router/admin/ternsecureNextjsHandler.js +22 -35
- package/dist/esm/app-router/admin/ternsecureNextjsHandler.js.map +1 -1
- package/dist/esm/app-router/admin/types.js +80 -5
- package/dist/esm/app-router/admin/types.js.map +1 -1
- package/dist/esm/server/constant.js +3 -1
- package/dist/esm/server/constant.js.map +1 -1
- package/dist/esm/server/ternSecureEdgeMiddleware.js +3 -24
- package/dist/esm/server/ternSecureEdgeMiddleware.js.map +1 -1
- package/dist/esm/server/ternsecureClient.js +22 -0
- package/dist/esm/server/ternsecureClient.js.map +1 -0
- package/dist/types/app-router/admin/api/endpoints/abstract.d.ts +6 -4
- package/dist/types/app-router/admin/api/endpoints/abstract.d.ts.map +1 -1
- package/dist/types/app-router/admin/{claude-authenticateRequestProcessor.d.ts → c-authenticateRequestProcessor.d.ts} +13 -5
- package/dist/types/app-router/admin/c-authenticateRequestProcessor.d.ts.map +1 -0
- package/dist/types/app-router/admin/constants.d.ts +6 -0
- package/dist/types/app-router/admin/constants.d.ts.map +1 -1
- package/dist/types/app-router/admin/endpointRouter.d.ts +7 -4
- package/dist/types/app-router/admin/endpointRouter.d.ts.map +1 -1
- package/dist/types/app-router/admin/fnValidators.d.ts +2 -11
- package/dist/types/app-router/admin/fnValidators.d.ts.map +1 -1
- package/dist/types/app-router/admin/index.d.ts +1 -3
- package/dist/types/app-router/admin/index.d.ts.map +1 -1
- package/dist/types/app-router/admin/request.d.ts +4 -0
- package/dist/types/app-router/admin/request.d.ts.map +1 -0
- package/dist/types/app-router/admin/sessionHandlers.d.ts +3 -24
- package/dist/types/app-router/admin/sessionHandlers.d.ts.map +1 -1
- package/dist/types/app-router/admin/ternsecureNextjsHandler.d.ts.map +1 -1
- package/dist/types/app-router/admin/types.d.ts +40 -64
- package/dist/types/app-router/admin/types.d.ts.map +1 -1
- package/dist/types/server/constant.d.ts +2 -1
- package/dist/types/server/constant.d.ts.map +1 -1
- package/dist/types/server/ternSecureEdgeMiddleware.d.ts.map +1 -1
- package/dist/types/server/ternsecureClient.d.ts +3 -0
- package/dist/types/server/ternsecureClient.d.ts.map +1 -0
- package/package.json +5 -5
- package/dist/cjs/app-router/admin/claude-authenticateRequestProcessor.js.map +0 -1
- package/dist/cjs/app-router/admin/handlerUtils.js +0 -63
- package/dist/cjs/app-router/admin/handlerUtils.js.map +0 -1
- package/dist/cjs/server/ternSecureFireMiddleware.js +0 -192
- package/dist/cjs/server/ternSecureFireMiddleware.js.map +0 -1
- package/dist/esm/app-router/admin/claude-authenticateRequestProcessor.js.map +0 -1
- package/dist/esm/app-router/admin/handlerUtils.js +0 -38
- package/dist/esm/app-router/admin/handlerUtils.js.map +0 -1
- package/dist/esm/server/ternSecureFireMiddleware.js +0 -179
- package/dist/esm/server/ternSecureFireMiddleware.js.map +0 -1
- package/dist/types/app-router/admin/claude-authenticateRequestProcessor.d.ts.map +0 -1
- package/dist/types/app-router/admin/handlerUtils.d.ts +0 -19
- package/dist/types/app-router/admin/handlerUtils.d.ts.map +0 -1
- package/dist/types/server/ternSecureFireMiddleware.d.ts +0 -47
- package/dist/types/server/ternSecureFireMiddleware.d.ts.map +0 -1
|
@@ -1,9 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __create = Object.create;
|
|
3
2
|
var __defProp = Object.defineProperty;
|
|
4
3
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
4
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
6
|
-
var __getProtoOf = Object.getPrototypeOf;
|
|
7
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
8
6
|
var __export = (target, all) => {
|
|
9
7
|
for (var name in all)
|
|
@@ -17,153 +15,116 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
17
15
|
}
|
|
18
16
|
return to;
|
|
19
17
|
};
|
|
20
|
-
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
|
|
21
|
-
// If the importer is in node compatibility mode or this is not an ESM
|
|
22
|
-
// file that has been converted to a CommonJS file using a Babel-
|
|
23
|
-
// compatible transform (i.e. "__esModule" has not been set), then set
|
|
24
|
-
// "default" to the CommonJS "module.exports" for node compatibility.
|
|
25
|
-
isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
|
|
26
|
-
mod
|
|
27
|
-
));
|
|
28
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
29
19
|
var sessionHandlers_exports = {};
|
|
30
20
|
__export(sessionHandlers_exports, {
|
|
31
|
-
|
|
32
|
-
SessionGetHandler: () => SessionGetHandler,
|
|
33
|
-
SessionPostHandler: () => SessionPostHandler
|
|
21
|
+
sessionEndpointHandler: () => sessionEndpointHandler
|
|
34
22
|
});
|
|
35
23
|
module.exports = __toCommonJS(sessionHandlers_exports);
|
|
36
24
|
var import_admin = require("@tern-secure/backend/admin");
|
|
37
25
|
var import_jwt = require("@tern-secure/backend/jwt");
|
|
38
26
|
var import_headers = require("next/headers");
|
|
39
27
|
var import_NextCookieAdapter = require("../../utils/NextCookieAdapter");
|
|
28
|
+
var import_fnValidators = require("./fnValidators");
|
|
29
|
+
var import_request = require("./request");
|
|
40
30
|
var import_responses = require("./responses");
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
31
|
+
async function sessionEndpointHandler(context, options) {
|
|
32
|
+
const { subEndpoint, method } = context;
|
|
33
|
+
const validators = (0, import_fnValidators.createValidators)(context);
|
|
34
|
+
const {
|
|
35
|
+
validateSubEndpoint,
|
|
36
|
+
validateSecurity,
|
|
37
|
+
validateSessionRequest,
|
|
38
|
+
validateCsrfToken,
|
|
39
|
+
validateIdToken
|
|
40
|
+
} = validators;
|
|
41
|
+
if (!subEndpoint) {
|
|
42
|
+
return (0, import_responses.createApiErrorResponse)("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
|
|
50
43
|
}
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
44
|
+
const sessionsConfig = options.endpoints?.sessions;
|
|
45
|
+
const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];
|
|
46
|
+
validateSubEndpoint(subEndpoint, subEndpointConfig);
|
|
47
|
+
if (subEndpointConfig?.security) {
|
|
48
|
+
await validateSecurity(subEndpointConfig.security);
|
|
49
|
+
}
|
|
50
|
+
const SessionGetHandler = async (subEndpoint2) => {
|
|
51
|
+
const handleSessionVerify = async () => {
|
|
52
|
+
try {
|
|
53
|
+
const cookieStore = await (0, import_headers.cookies)();
|
|
54
|
+
const sessionCookie = cookieStore.get("_session_cookie")?.value;
|
|
55
|
+
if (!sessionCookie) {
|
|
56
|
+
return import_responses.SessionResponseHelper.createUnauthorizedResponse();
|
|
57
|
+
}
|
|
58
|
+
const { data: decodedSession, errors } = (0, import_jwt.ternDecodeJwtUnguarded)(sessionCookie);
|
|
59
|
+
if (errors) {
|
|
60
|
+
return import_responses.SessionResponseHelper.createUnauthorizedResponse();
|
|
61
|
+
}
|
|
62
|
+
return import_responses.SessionResponseHelper.createVerificationResponse(decodedSession);
|
|
63
|
+
} catch (error) {
|
|
60
64
|
return import_responses.SessionResponseHelper.createUnauthorizedResponse();
|
|
61
65
|
}
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
66
|
+
};
|
|
67
|
+
switch (subEndpoint2) {
|
|
68
|
+
case "verify":
|
|
69
|
+
return handleSessionVerify();
|
|
70
|
+
default:
|
|
71
|
+
return import_responses.HttpResponseHelper.createNotFoundResponse();
|
|
65
72
|
}
|
|
66
|
-
}
|
|
67
|
-
|
|
68
|
-
class SessionPostHandler {
|
|
69
|
-
static async handle(request, subEndpoint, _config) {
|
|
73
|
+
};
|
|
74
|
+
const SessionPostHandler = async (subEndpoint2) => {
|
|
70
75
|
const cookieStore = new import_NextCookieAdapter.NextCookieStore();
|
|
71
|
-
const { idToken, csrfToken, error } = await
|
|
76
|
+
const { idToken, csrfToken, error } = await validateSessionRequest();
|
|
72
77
|
if (error) return error;
|
|
73
78
|
const csrfCookieValue = await cookieStore.get("_session_terncf");
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
79
|
+
validateCsrfToken(csrfToken || "", csrfCookieValue.value);
|
|
80
|
+
const handleCreateSession = async (cookieStore2, idToken2) => {
|
|
81
|
+
try {
|
|
82
|
+
const res = await (0, import_request.refreshCookieWithIdToken)(idToken2, cookieStore2, options);
|
|
83
|
+
return import_responses.SessionResponseHelper.createSessionCreationResponse(res);
|
|
84
|
+
} catch (error2) {
|
|
85
|
+
return (0, import_responses.createApiErrorResponse)("SESSION_CREATION_FAILED", "Session creation failed", 500);
|
|
86
|
+
}
|
|
78
87
|
};
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
88
|
+
const handleRefreshSession = async (cookieStore2, idToken2) => {
|
|
89
|
+
try {
|
|
90
|
+
const decodedSession = (0, import_jwt.ternDecodeJwtUnguarded)(idToken2);
|
|
91
|
+
if (decodedSession.errors) {
|
|
92
|
+
return (0, import_responses.createApiErrorResponse)("INVALID_SESSION", "Invalid session for refresh", 401);
|
|
93
|
+
}
|
|
94
|
+
const refreshRes = await (0, import_request.refreshCookieWithIdToken)(idToken2, cookieStore2, options);
|
|
95
|
+
return import_responses.SessionResponseHelper.createRefreshResponse(refreshRes);
|
|
96
|
+
} catch (error2) {
|
|
97
|
+
return (0, import_responses.createApiErrorResponse)("REFRESH_FAILED", "Session refresh failed", 500);
|
|
98
|
+
}
|
|
99
|
+
};
|
|
100
|
+
const handleRevokeSession = async (cookieStore2) => {
|
|
101
|
+
const res = await (0, import_admin.clearSessionCookie)(cookieStore2);
|
|
102
|
+
return import_responses.SessionResponseHelper.createRevokeResponse(res);
|
|
103
|
+
};
|
|
104
|
+
switch (subEndpoint2) {
|
|
105
|
+
case "createsession": {
|
|
106
|
+
validateIdToken(idToken);
|
|
107
|
+
return handleCreateSession(cookieStore, idToken);
|
|
108
|
+
}
|
|
82
109
|
case "refresh":
|
|
83
|
-
return
|
|
110
|
+
return handleRefreshSession(cookieStore, idToken);
|
|
84
111
|
case "revoke":
|
|
85
|
-
return
|
|
112
|
+
return handleRevokeSession(cookieStore);
|
|
86
113
|
default:
|
|
87
114
|
return import_responses.HttpResponseHelper.createSubEndpointNotSupportedResponse();
|
|
88
115
|
}
|
|
89
|
-
}
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
return (
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
const res = await (0, import_admin.createSessionCookie)(idToken, cookieStore, options);
|
|
98
|
-
return import_responses.SessionResponseHelper.createSessionCreationResponse(res);
|
|
99
|
-
} catch (error) {
|
|
100
|
-
return (0, import_responses.createApiErrorResponse)("SESSION_CREATION_FAILED", "Session creation failed", 500);
|
|
101
|
-
}
|
|
102
|
-
}
|
|
103
|
-
static async handleRefreshSession(cookieStore) {
|
|
104
|
-
const currentSessionCookie = await cookieStore.get("__session");
|
|
105
|
-
if (!currentSessionCookie) {
|
|
106
|
-
return (0, import_responses.createApiErrorResponse)("NO_SESSION", "No session to refresh", 401);
|
|
107
|
-
}
|
|
108
|
-
try {
|
|
109
|
-
const decodedSession = (0, import_jwt.ternDecodeJwtUnguarded)(currentSessionCookie.value || "");
|
|
110
|
-
if (decodedSession.errors) {
|
|
111
|
-
return (0, import_responses.createApiErrorResponse)("INVALID_SESSION", "Invalid session for refresh", 401);
|
|
112
|
-
}
|
|
113
|
-
const refreshRes = await (0, import_admin.createSessionCookie)(
|
|
114
|
-
decodedSession.data?.payload?.sub || "",
|
|
115
|
-
cookieStore
|
|
116
|
-
);
|
|
117
|
-
return import_responses.SessionResponseHelper.createRefreshResponse(refreshRes);
|
|
118
|
-
} catch (error) {
|
|
119
|
-
return (0, import_responses.createApiErrorResponse)("REFRESH_FAILED", "Session refresh failed", 500);
|
|
120
|
-
}
|
|
121
|
-
}
|
|
122
|
-
static async handleRevokeSession(cookieStore) {
|
|
123
|
-
const res = await (0, import_admin.clearSessionCookie)(cookieStore);
|
|
124
|
-
return import_responses.SessionResponseHelper.createRevokeResponse(res);
|
|
125
|
-
}
|
|
126
|
-
}
|
|
127
|
-
class SessionEndpointHandler {
|
|
128
|
-
static async handle(request, method, subEndpoint, config) {
|
|
129
|
-
const sessionsConfig = config.endpoints.sessions;
|
|
130
|
-
if (!subEndpoint) {
|
|
131
|
-
return (0, import_responses.createApiErrorResponse)("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
|
|
132
|
-
}
|
|
133
|
-
const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];
|
|
134
|
-
const subEndpointValidation = this.validateSubEndpoint(subEndpoint, subEndpointConfig, method);
|
|
135
|
-
if (subEndpointValidation) return subEndpointValidation;
|
|
136
|
-
if (subEndpointConfig?.security) {
|
|
137
|
-
const { SecurityValidator } = await import("./validators.js");
|
|
138
|
-
const securityResult = await SecurityValidator.validate(request, subEndpointConfig.security);
|
|
139
|
-
if (securityResult) return securityResult;
|
|
140
|
-
}
|
|
141
|
-
switch (method) {
|
|
142
|
-
case "GET":
|
|
143
|
-
return SessionGetHandler.handle(subEndpoint, config);
|
|
144
|
-
case "POST":
|
|
145
|
-
return SessionPostHandler.handle(request, subEndpoint, config);
|
|
146
|
-
default:
|
|
147
|
-
return import_responses.HttpResponseHelper.createMethodNotAllowedResponse();
|
|
148
|
-
}
|
|
149
|
-
}
|
|
150
|
-
static validateSubEndpoint(subEndpoint, subEndpointConfig, method) {
|
|
151
|
-
if (!subEndpoint) {
|
|
152
|
-
return (0, import_responses.createApiErrorResponse)("SUB_ENDPOINT_REQUIRED", "Session sub-endpoint required", 400);
|
|
153
|
-
}
|
|
154
|
-
if (!subEndpointConfig || !subEndpointConfig.enabled) {
|
|
155
|
-
return (0, import_responses.createApiErrorResponse)("ENDPOINT_NOT_FOUND", "Endpoint not found", 404);
|
|
156
|
-
}
|
|
157
|
-
if (!subEndpointConfig.methods?.includes(method)) {
|
|
158
|
-
return (0, import_responses.createApiErrorResponse)("METHOD_NOT_ALLOWED", "Method not allowed", 405);
|
|
159
|
-
}
|
|
160
|
-
return null;
|
|
116
|
+
};
|
|
117
|
+
switch (method) {
|
|
118
|
+
case "GET":
|
|
119
|
+
return SessionGetHandler(subEndpoint);
|
|
120
|
+
case "POST":
|
|
121
|
+
return SessionPostHandler(subEndpoint);
|
|
122
|
+
default:
|
|
123
|
+
return import_responses.HttpResponseHelper.createMethodNotAllowedResponse();
|
|
161
124
|
}
|
|
162
125
|
}
|
|
163
126
|
// Annotate the CommonJS export names for ESM import in node:
|
|
164
127
|
0 && (module.exports = {
|
|
165
|
-
|
|
166
|
-
SessionGetHandler,
|
|
167
|
-
SessionPostHandler
|
|
128
|
+
sessionEndpointHandler
|
|
168
129
|
});
|
|
169
130
|
//# sourceMappingURL=sessionHandlers.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import { clearSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport { cookies } from 'next/headers';\n\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { type RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { createValidators } from './fnValidators';\nimport { refreshCookieWithIdToken } from './request';\nimport { createApiErrorResponse, HttpResponseHelper, SessionResponseHelper } from './responses';\nimport type { SessionSubEndpoint, TernSecureHandlerOptions } from './types';\n\nexport async function sessionEndpointHandler(\n context: RequestProcessorContext,\n options: TernSecureHandlerOptions,\n): Promise<Response> {\n const { subEndpoint, method } = context;\n \n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n validateSessionRequest,\n validateCsrfToken,\n validateIdToken,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n const sessionsConfig = options.endpoints?.sessions;\n const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const SessionGetHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const handleSessionVerify = async (): Promise<Response> => {\n try {\n const cookieStore = await cookies();\n const sessionCookie = cookieStore.get('_session_cookie')?.value;\n if (!sessionCookie) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n const { data: decodedSession, errors } = ternDecodeJwtUnguarded(sessionCookie);\n if (errors) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n return SessionResponseHelper.createVerificationResponse(decodedSession);\n } catch (error) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n };\n\n switch (subEndpoint) {\n case 'verify':\n return handleSessionVerify();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n const SessionPostHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const cookieStore = new NextCookieStore();\n\n const { idToken, csrfToken, error } = await validateSessionRequest();\n if (error) return error;\n\n const csrfCookieValue = await cookieStore.get('_session_terncf');\n validateCsrfToken(csrfToken || '', csrfCookieValue.value);\n\n const handleCreateSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const res = await refreshCookieWithIdToken(idToken, cookieStore, options);\n return SessionResponseHelper.createSessionCreationResponse(res);\n } catch (error) {\n return createApiErrorResponse('SESSION_CREATION_FAILED', 'Session creation failed', 500);\n }\n };\n\n const handleRefreshSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const decodedSession = ternDecodeJwtUnguarded(idToken);\n if (decodedSession.errors) {\n return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n }\n\n const refreshRes = await refreshCookieWithIdToken(idToken, cookieStore, options);\n return SessionResponseHelper.createRefreshResponse(refreshRes);\n } catch (error) {\n return createApiErrorResponse('REFRESH_FAILED', 'Session refresh failed', 500);\n }\n };\n\n const handleRevokeSession = async (cookieStore: NextCookieStore): Promise<Response> => {\n const res = await clearSessionCookie(cookieStore);\n return SessionResponseHelper.createRevokeResponse(res);\n };\n\n switch (subEndpoint) {\n case 'createsession': {\n validateIdToken(idToken);\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleCreateSession(cookieStore, idToken!);\n }\n\n case 'refresh':\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleRefreshSession(cookieStore, idToken!);\n\n case 'revoke':\n return handleRevokeSession(cookieStore);\n\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return SessionGetHandler(subEndpoint);\n\n case 'POST':\n return SessionPostHandler(subEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAmC;AACnC,iBAAuC;AACvC,qBAAwB;AAExB,+BAAgC;AAEhC,0BAAiC;AACjC,qBAAyC;AACzC,uBAAkF;AAGlF,eAAsB,uBACpB,SACA,SACmB;AACnB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,iBAAa,sCAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,eAAO,yCAAuB,yBAAyB,iCAAiC,GAAG;AAAA,EAC7F;AAEA,QAAM,iBAAiB,QAAQ,WAAW;AAC1C,QAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,oBAAoB,OAAOA,iBAAuD;AACtF,UAAM,sBAAsB,YAA+B;AACzD,UAAI;AACF,cAAM,cAAc,UAAM,wBAAQ;AAClC,cAAM,gBAAgB,YAAY,IAAI,iBAAiB,GAAG;AAC1D,YAAI,CAAC,eAAe;AAClB,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,cAAM,EAAE,MAAM,gBAAgB,OAAO,QAAI,mCAAuB,aAAa;AAC7E,YAAI,QAAQ;AACV,iBAAO,uCAAsB,2BAA2B;AAAA,QAC1D;AAEA,eAAO,uCAAsB,2BAA2B,cAAc;AAAA,MACxE,SAAS,OAAO;AACd,eAAO,uCAAsB,2BAA2B;AAAA,MAC1D;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,oBAAoB;AAAA,MAC7B;AACE,eAAO,oCAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,qBAAqB,OAAOA,iBAAuD;AACvF,UAAM,cAAc,IAAI,yCAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,uBAAuB;AACnE,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,MAAM,YAAY,IAAI,iBAAiB;AAC/D,sBAAkB,aAAa,IAAI,gBAAgB,KAAK;AAExD,UAAM,sBAAsB,OAC1BC,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,MAAM,UAAM,yCAAyBA,UAASD,cAAa,OAAO;AACxE,eAAO,uCAAsB,8BAA8B,GAAG;AAAA,MAChE,SAASE,QAAO;AACd,mBAAO,yCAAuB,2BAA2B,2BAA2B,GAAG;AAAA,MACzF;AAAA,IACF;AAEA,UAAM,uBAAuB,OAC3BF,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,qBAAiB,mCAAuBA,QAAO;AACrD,YAAI,eAAe,QAAQ;AACzB,qBAAO,yCAAuB,mBAAmB,+BAA+B,GAAG;AAAA,QACrF;AAEA,cAAM,aAAa,UAAM,yCAAyBA,UAASD,cAAa,OAAO;AAC/E,eAAO,uCAAsB,sBAAsB,UAAU;AAAA,MAC/D,SAASE,QAAO;AACd,mBAAO,yCAAuB,kBAAkB,0BAA0B,GAAG;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,sBAAsB,OAAOF,iBAAoD;AACrF,YAAM,MAAM,UAAM,iCAAmBA,YAAW;AAChD,aAAO,uCAAsB,qBAAqB,GAAG;AAAA,IACvD;AAEA,YAAQD,cAAa;AAAA,MACnB,KAAK,iBAAiB;AACpB,wBAAgB,OAAO;AAEvB,eAAO,oBAAoB,aAAa,OAAQ;AAAA,MAClD;AAAA,MAEA,KAAK;AAEH,eAAO,qBAAqB,aAAa,OAAQ;AAAA,MAEnD,KAAK;AACH,eAAO,oBAAoB,WAAW;AAAA,MAExC;AACE,eAAO,oCAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,kBAAkB,WAAW;AAAA,IAEtC,KAAK;AACH,aAAO,mBAAmB,WAAW;AAAA,IAEvC;AACE,aAAO,oCAAmB,+BAA+B;AAAA,EAC7D;AACF;","names":["subEndpoint","cookieStore","idToken","error"]}
|
|
@@ -21,52 +21,39 @@ __export(ternsecureNextjsHandler_exports, {
|
|
|
21
21
|
createTernSecureNextJsHandler: () => createTernSecureNextJsHandler
|
|
22
22
|
});
|
|
23
23
|
module.exports = __toCommonJS(ternsecureNextjsHandler_exports);
|
|
24
|
+
var import_backend = require("@tern-secure/backend");
|
|
25
|
+
var import_c_authenticateRequestProcessor = require("./c-authenticateRequestProcessor");
|
|
24
26
|
var import_constants = require("./constants");
|
|
25
27
|
var import_endpointRouter = require("./endpointRouter");
|
|
26
28
|
var import_fnValidators = require("./fnValidators");
|
|
27
|
-
var import_handlerUtils = require("./handlerUtils");
|
|
28
29
|
var import_responses = require("./responses");
|
|
29
30
|
var import_types = require("./types");
|
|
30
31
|
var import_utils = require("./utils");
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
};
|
|
41
|
-
}
|
|
32
|
+
function createHandlerConfig(options) {
|
|
33
|
+
const baseConfig = import_utils.ConfigUtils.mergeWithDefaults(
|
|
34
|
+
import_types.DEFAULT_HANDLER_OPTIONS,
|
|
35
|
+
options
|
|
36
|
+
);
|
|
37
|
+
return {
|
|
38
|
+
...baseConfig,
|
|
39
|
+
tenantId: import_constants.TENANT_ID
|
|
40
|
+
};
|
|
42
41
|
}
|
|
43
|
-
|
|
44
|
-
config;
|
|
45
|
-
|
|
46
|
-
this.config = config;
|
|
47
|
-
}
|
|
48
|
-
async handle(request) {
|
|
49
|
-
const handlerContext = import_handlerUtils.RequestContextBuilder.create(request);
|
|
50
|
-
const validationContext = (0, import_fnValidators.createRequestContext)(request);
|
|
42
|
+
function createTernSecureNextJsHandler(options) {
|
|
43
|
+
const config = createHandlerConfig(options);
|
|
44
|
+
const handler = async (request) => {
|
|
51
45
|
try {
|
|
52
|
-
const
|
|
53
|
-
|
|
54
|
-
|
|
46
|
+
const context = (0, import_c_authenticateRequestProcessor.createRequestProcessor)((0, import_backend.createTernSecureRequest)(request), options);
|
|
47
|
+
const { validateSecurity } = (0, import_fnValidators.createValidators)(context);
|
|
48
|
+
await validateSecurity(options.security || {});
|
|
49
|
+
if (!context.endpoint) {
|
|
50
|
+
return (0, import_responses.createApiErrorResponse)("ENDPOINT_REQUIRED", "Endpoint is required", 400);
|
|
55
51
|
}
|
|
56
|
-
return await import_endpointRouter.EndpointRouter.route(
|
|
52
|
+
return await import_endpointRouter.EndpointRouter.route(context, config);
|
|
57
53
|
} catch (error) {
|
|
58
54
|
return (0, import_responses.createApiErrorResponse)("INTERNAL_SERVER_ERROR", "Internal server error", 500);
|
|
59
55
|
}
|
|
60
|
-
}
|
|
61
|
-
async executeValidation(validationContext) {
|
|
62
|
-
const validationPipeline = new import_handlerUtils.ValidationPipeline(this.config, validationContext);
|
|
63
|
-
return validationPipeline.execute();
|
|
64
|
-
}
|
|
65
|
-
}
|
|
66
|
-
function createTernSecureNextJsHandler(options) {
|
|
67
|
-
const config = HandlerConfigFactory.create(options);
|
|
68
|
-
const requestHandler = new TernSecureRequestHandler(config);
|
|
69
|
-
const handler = async (request) => await requestHandler.handle(request);
|
|
56
|
+
};
|
|
70
57
|
return {
|
|
71
58
|
GET: handler,
|
|
72
59
|
POST: handler
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/ternsecureNextjsHandler.ts"],"sourcesContent":["\nimport {
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/ternsecureNextjsHandler.ts"],"sourcesContent":["import { createTernSecureRequest } from '@tern-secure/backend';\n\nimport { createRequestProcessor } from './c-authenticateRequestProcessor';\nimport { TENANT_ID } from './constants';\nimport { EndpointRouter } from './endpointRouter';\nimport { createValidators } from './fnValidators';\nimport { createApiErrorResponse } from './responses';\nimport type { TernSecureHandlerOptions } from './types';\nimport { DEFAULT_HANDLER_OPTIONS } from './types';\nimport { ConfigUtils } from './utils';\n\nfunction createHandlerConfig(options?: TernSecureHandlerOptions): TernSecureHandlerOptions {\n const baseConfig: Required<TernSecureHandlerOptions> = ConfigUtils.mergeWithDefaults(\n DEFAULT_HANDLER_OPTIONS,\n options,\n );\n\n return {\n ...baseConfig,\n tenantId: TENANT_ID,\n };\n}\n\nexport function createTernSecureNextJsHandler(options: TernSecureHandlerOptions) {\n const config = createHandlerConfig(options);\n\n const handler = async (request: Request): Promise<Response> => {\n try {\n const context = createRequestProcessor(createTernSecureRequest(request), options);\n\n const { validateSecurity } = createValidators(context);\n await validateSecurity(options.security || {});\n\n if (!context.endpoint) {\n return createApiErrorResponse('ENDPOINT_REQUIRED', 'Endpoint is required', 400);\n }\n\n return await EndpointRouter.route(context, config);\n } catch (error) {\n return createApiErrorResponse('INTERNAL_SERVER_ERROR', 'Internal server error', 500);\n }\n };\n\n return {\n GET: handler,\n POST: handler,\n } as const;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAwC;AAExC,4CAAuC;AACvC,uBAA0B;AAC1B,4BAA+B;AAC/B,0BAAiC;AACjC,uBAAuC;AAEvC,mBAAwC;AACxC,mBAA4B;AAE5B,SAAS,oBAAoB,SAA8D;AACzF,QAAM,aAAiD,yBAAY;AAAA,IACjE;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,EACZ;AACF;AAEO,SAAS,8BAA8B,SAAmC;AAC/E,QAAM,SAAS,oBAAoB,OAAO;AAE1C,QAAM,UAAU,OAAO,YAAwC;AAC7D,QAAI;AACF,YAAM,cAAU,kEAAuB,wCAAwB,OAAO,GAAG,OAAO;AAEhF,YAAM,EAAE,iBAAiB,QAAI,sCAAiB,OAAO;AACrD,YAAM,iBAAiB,QAAQ,YAAY,CAAC,CAAC;AAE7C,UAAI,CAAC,QAAQ,UAAU;AACrB,mBAAO,yCAAuB,qBAAqB,wBAAwB,GAAG;AAAA,MAChF;AAEA,aAAO,MAAM,qCAAe,MAAM,SAAS,MAAM;AAAA,IACnD,SAAS,OAAO;AACd,iBAAO,yCAAuB,yBAAyB,yBAAyB,GAAG;AAAA,IACrF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;","names":[]}
|
|
@@ -18,12 +18,14 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
18
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
19
|
var types_exports = {};
|
|
20
20
|
__export(types_exports, {
|
|
21
|
+
CookieUtils: () => CookieUtils,
|
|
21
22
|
DEFAULT_COOKIE_OPTIONS: () => DEFAULT_COOKIE_OPTIONS,
|
|
22
23
|
DEFAULT_CORS_OPTIONS: () => DEFAULT_CORS_OPTIONS,
|
|
23
24
|
DEFAULT_ENDPOINT_CONFIG: () => DEFAULT_ENDPOINT_CONFIG,
|
|
24
25
|
DEFAULT_HANDLER_OPTIONS: () => DEFAULT_HANDLER_OPTIONS,
|
|
25
26
|
DEFAULT_SECURITY_OPTIONS: () => DEFAULT_SECURITY_OPTIONS,
|
|
26
|
-
DEFAULT_SESSIONS_CONFIG: () => DEFAULT_SESSIONS_CONFIG
|
|
27
|
+
DEFAULT_SESSIONS_CONFIG: () => DEFAULT_SESSIONS_CONFIG,
|
|
28
|
+
FIXED_TOKEN_CONFIGS: () => FIXED_TOKEN_CONFIGS
|
|
27
29
|
});
|
|
28
30
|
module.exports = __toCommonJS(types_exports);
|
|
29
31
|
const DEFAULT_CORS_OPTIONS = {
|
|
@@ -35,12 +37,43 @@ const DEFAULT_CORS_OPTIONS = {
|
|
|
35
37
|
// 24 hours
|
|
36
38
|
};
|
|
37
39
|
const DEFAULT_COOKIE_OPTIONS = {
|
|
38
|
-
|
|
40
|
+
//namePrefix: '__session',
|
|
39
41
|
path: "/",
|
|
40
42
|
httpOnly: true,
|
|
41
|
-
sameSite: "lax"
|
|
42
|
-
|
|
43
|
-
// 7
|
|
43
|
+
sameSite: "lax"
|
|
44
|
+
//session: {
|
|
45
|
+
// maxAge: 3600 * 24 * 7, // Default: 1 week (consumer can set 5 mins to 2 weeks)
|
|
46
|
+
//},
|
|
47
|
+
};
|
|
48
|
+
const FIXED_TOKEN_CONFIGS = {
|
|
49
|
+
id: {
|
|
50
|
+
path: "/",
|
|
51
|
+
httpOnly: true,
|
|
52
|
+
sameSite: "lax",
|
|
53
|
+
maxAge: 3600
|
|
54
|
+
// 1 hour
|
|
55
|
+
},
|
|
56
|
+
refresh: {
|
|
57
|
+
path: "/",
|
|
58
|
+
httpOnly: true,
|
|
59
|
+
sameSite: "lax",
|
|
60
|
+
maxAge: 3600 * 24 * 30
|
|
61
|
+
// 30 days (changes when user events occur)
|
|
62
|
+
},
|
|
63
|
+
signature: {
|
|
64
|
+
path: "/",
|
|
65
|
+
httpOnly: true,
|
|
66
|
+
sameSite: "lax",
|
|
67
|
+
maxAge: 3600 * 24 * 7
|
|
68
|
+
// 1 week (as needed)
|
|
69
|
+
},
|
|
70
|
+
custom: {
|
|
71
|
+
path: "/",
|
|
72
|
+
httpOnly: true,
|
|
73
|
+
sameSite: "lax",
|
|
74
|
+
maxAge: 3600 * 24 * 7
|
|
75
|
+
// 1 week (as needed)
|
|
76
|
+
}
|
|
44
77
|
};
|
|
45
78
|
const DEFAULT_SECURITY_OPTIONS = {
|
|
46
79
|
requireCSRF: true,
|
|
@@ -110,17 +143,61 @@ const DEFAULT_HANDLER_OPTIONS = {
|
|
|
110
143
|
endpoints: {
|
|
111
144
|
sessions: DEFAULT_SESSIONS_CONFIG
|
|
112
145
|
},
|
|
146
|
+
tenantId: "",
|
|
147
|
+
enableCustomToken: false,
|
|
113
148
|
debug: false,
|
|
114
149
|
environment: "production",
|
|
115
150
|
basePath: "/api/auth"
|
|
116
151
|
};
|
|
152
|
+
class CookieUtils {
|
|
153
|
+
static getCookieName(namePrefix, tokenType) {
|
|
154
|
+
return `${namePrefix}.${tokenType}`;
|
|
155
|
+
}
|
|
156
|
+
static getCookieNames(namePrefix) {
|
|
157
|
+
return {
|
|
158
|
+
session: this.getCookieName(namePrefix, "session"),
|
|
159
|
+
id: this.getCookieName(namePrefix, "id"),
|
|
160
|
+
refresh: this.getCookieName(namePrefix, "refresh"),
|
|
161
|
+
signature: this.getCookieName(namePrefix, "signature"),
|
|
162
|
+
custom: this.getCookieName(namePrefix, "custom")
|
|
163
|
+
};
|
|
164
|
+
}
|
|
165
|
+
static getSessionConfig(cookieOptions) {
|
|
166
|
+
const sessionConfig = cookieOptions.session || {};
|
|
167
|
+
const defaultSession = DEFAULT_COOKIE_OPTIONS.session || {};
|
|
168
|
+
return {
|
|
169
|
+
domain: sessionConfig.domain ?? cookieOptions.domain,
|
|
170
|
+
path: sessionConfig.path ?? cookieOptions.path ?? "/",
|
|
171
|
+
httpOnly: sessionConfig.httpOnly ?? cookieOptions.httpOnly ?? true,
|
|
172
|
+
sameSite: sessionConfig.sameSite ?? cookieOptions.sameSite ?? "lax",
|
|
173
|
+
maxAge: sessionConfig.maxAge ?? defaultSession.maxAge ?? 3600 * 24 * 7
|
|
174
|
+
};
|
|
175
|
+
}
|
|
176
|
+
static getFixedTokenConfig(cookieOptions, tokenType) {
|
|
177
|
+
const fixedConfig = FIXED_TOKEN_CONFIGS[tokenType];
|
|
178
|
+
return {
|
|
179
|
+
domain: cookieOptions.domain,
|
|
180
|
+
path: fixedConfig.path,
|
|
181
|
+
httpOnly: fixedConfig.httpOnly,
|
|
182
|
+
sameSite: fixedConfig.sameSite,
|
|
183
|
+
maxAge: fixedConfig.maxAge
|
|
184
|
+
};
|
|
185
|
+
}
|
|
186
|
+
static validateSessionMaxAge(maxAge) {
|
|
187
|
+
const minAge = 300;
|
|
188
|
+
const maxAgeLimit = 3600 * 24 * 14;
|
|
189
|
+
return maxAge >= minAge && maxAge <= maxAgeLimit;
|
|
190
|
+
}
|
|
191
|
+
}
|
|
117
192
|
// Annotate the CommonJS export names for ESM import in node:
|
|
118
193
|
0 && (module.exports = {
|
|
194
|
+
CookieUtils,
|
|
119
195
|
DEFAULT_COOKIE_OPTIONS,
|
|
120
196
|
DEFAULT_CORS_OPTIONS,
|
|
121
197
|
DEFAULT_ENDPOINT_CONFIG,
|
|
122
198
|
DEFAULT_HANDLER_OPTIONS,
|
|
123
199
|
DEFAULT_SECURITY_OPTIONS,
|
|
124
|
-
DEFAULT_SESSIONS_CONFIG
|
|
200
|
+
DEFAULT_SESSIONS_CONFIG,
|
|
201
|
+
FIXED_TOKEN_CONFIGS
|
|
125
202
|
});
|
|
126
203
|
//# sourceMappingURL=types.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/types.ts"],"sourcesContent":["import { type NextResponse } from 'next/server';\n\nexport
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/types.ts"],"sourcesContent":["import type {\n AuthEndpoint,\n CookieOpts as CookieOptions,\n CorsOptions,\n EndpointConfig,\n SecurityOptions,\n SessionEndpointConfig,\n SessionSubEndpoint,\n TernSecureHandlerOptions,\n TokenCookieConfig,\n} from '@tern-secure/types';\nimport { type NextResponse } from 'next/server';\n\nexport const DEFAULT_CORS_OPTIONS: CorsOptions = {\n allowedOrigins: [],\n allowedMethods: ['GET', 'POST'],\n allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],\n allowCredentials: true,\n maxAge: 86400, // 24 hours\n};\n\nexport const DEFAULT_COOKIE_OPTIONS: CookieOptions = {\n //namePrefix: '__session',\n path: '/',\n httpOnly: true,\n sameSite: 'lax',\n //session: {\n // maxAge: 3600 * 24 * 7, // Default: 1 week (consumer can set 5 mins to 2 weeks)\n //},\n};\n\nexport const FIXED_TOKEN_CONFIGS = {\n id: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600, // 1 hour\n },\n refresh: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 30, // 30 days (changes when user events occur)\n },\n signature: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 7, // 1 week (as needed)\n },\n custom: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 7, // 1 week (as needed)\n },\n} as const;\n\nexport const DEFAULT_SECURITY_OPTIONS: SecurityOptions = {\n requireCSRF: true,\n allowedReferers: [],\n requiredHeaders: {},\n ipWhitelist: [],\n userAgent: {\n block: [],\n allow: [],\n },\n};\n\nexport const DEFAULT_ENDPOINT_CONFIG: EndpointConfig = {\n enabled: true,\n methods: ['GET', 'POST'],\n requireAuth: false,\n security: DEFAULT_SECURITY_OPTIONS,\n};\n\nexport const DEFAULT_SESSIONS_CONFIG: SessionEndpointConfig = {\n ...DEFAULT_ENDPOINT_CONFIG,\n subEndpoints: {\n verify: {\n enabled: true,\n methods: ['GET'],\n requireAuth: false,\n security: {\n requireCSRF: true,\n allowedReferers: [],\n },\n },\n createsession: {\n enabled: true,\n methods: ['POST'],\n requireAuth: false,\n security: {\n requireCSRF: true,\n },\n },\n refresh: {\n enabled: true,\n methods: ['POST'],\n requireAuth: true,\n security: {\n requireCSRF: true,\n },\n },\n revoke: {\n enabled: true,\n methods: ['POST'],\n requireAuth: true,\n security: {\n requireCSRF: true,\n },\n },\n },\n};\n\nexport const DEFAULT_HANDLER_OPTIONS: Required<TernSecureHandlerOptions> & {\n endpoints: Required<NonNullable<TernSecureHandlerOptions['endpoints']>>;\n} = {\n cors: DEFAULT_CORS_OPTIONS,\n cookies: DEFAULT_COOKIE_OPTIONS,\n rateLimit: {\n windowMs: 15 * 60 * 1000, // 15 minutes\n maxRequests: 100,\n skipSuccessful: false,\n skipFailedRequests: false,\n },\n security: DEFAULT_SECURITY_OPTIONS,\n endpoints: {\n sessions: DEFAULT_SESSIONS_CONFIG,\n },\n tenantId: '',\n enableCustomToken: false,\n debug: false,\n environment: 'production',\n basePath: '/api/auth',\n};\n\nexport interface ValidationResult {\n error?: NextResponse;\n data?: any;\n}\n\nexport interface ValidationConfig {\n cors?: CorsOptions;\n security?: SecurityOptions;\n endpoint?: {\n name: AuthEndpoint;\n config: EndpointConfig;\n };\n subEndpoint?: {\n name: SessionSubEndpoint;\n config: EndpointConfig;\n };\n requireIdToken?: boolean;\n requireCsrfToken?: boolean;\n}\n\nexport interface ComprehensiveValidationResult {\n isValid: boolean;\n error?: Response;\n corsResponse?: Response;\n sessionData?: {\n body: any;\n idToken?: string;\n csrfToken?: string;\n };\n}\n\nexport type suffix = 'session' | 'id' | 'refresh' | 'signature' | 'custom';\n\nexport class CookieUtils {\n static getCookieName(namePrefix: string, tokenType: suffix): string {\n return `${namePrefix}.${tokenType}`;\n }\n\n static getCookieNames(namePrefix: string) {\n return {\n session: this.getCookieName(namePrefix, 'session'),\n id: this.getCookieName(namePrefix, 'id'),\n refresh: this.getCookieName(namePrefix, 'refresh'),\n signature: this.getCookieName(namePrefix, 'signature'),\n custom: this.getCookieName(namePrefix, 'custom'),\n };\n }\n\n static getSessionConfig(cookieOptions: CookieOptions): TokenCookieConfig {\n const sessionConfig = cookieOptions.session || {};\n const defaultSession = DEFAULT_COOKIE_OPTIONS.session || {};\n\n return {\n domain: sessionConfig.domain ?? cookieOptions.domain,\n path: sessionConfig.path ?? cookieOptions.path ?? '/',\n httpOnly: sessionConfig.httpOnly ?? cookieOptions.httpOnly ?? true,\n sameSite: sessionConfig.sameSite ?? cookieOptions.sameSite ?? 'lax',\n maxAge: sessionConfig.maxAge ?? defaultSession.maxAge ?? 3600 * 24 * 7,\n };\n }\n\n static getFixedTokenConfig(\n cookieOptions: CookieOptions,\n tokenType: Exclude<suffix, 'session'>,\n ): TokenCookieConfig {\n const fixedConfig = FIXED_TOKEN_CONFIGS[tokenType];\n\n return {\n domain: cookieOptions.domain,\n path: fixedConfig.path,\n httpOnly: fixedConfig.httpOnly,\n sameSite: fixedConfig.sameSite,\n maxAge: fixedConfig.maxAge,\n };\n }\n\n static validateSessionMaxAge(maxAge: number): boolean {\n const minAge = 300; // 5 minutes\n const maxAgeLimit = 3600 * 24 * 14; // 2 weeks\n return maxAge >= minAge && maxAge <= maxAgeLimit;\n }\n}\n\nexport {\n AuthEndpoint,\n CookieOptions,\n CorsOptions,\n SecurityOptions,\n SessionSubEndpoint,\n EndpointConfig,\n SessionEndpointConfig,\n TernSecureHandlerOptions,\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAaO,MAAM,uBAAoC;AAAA,EAC/C,gBAAgB,CAAC;AAAA,EACjB,gBAAgB,CAAC,OAAO,MAAM;AAAA,EAC9B,gBAAgB,CAAC,gBAAgB,iBAAiB,kBAAkB;AAAA,EACpE,kBAAkB;AAAA,EAClB,QAAQ;AAAA;AACV;AAEO,MAAM,yBAAwC;AAAA;AAAA,EAEnD,MAAM;AAAA,EACN,UAAU;AAAA,EACV,UAAU;AAAA;AAAA;AAAA;AAIZ;AAEO,MAAM,sBAAsB;AAAA,EACjC,IAAI;AAAA,IACF,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ;AAAA;AAAA,EACV;AAAA,EACA,SAAS;AAAA,IACP,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AAAA,EACA,WAAW;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AACF;AAEO,MAAM,2BAA4C;AAAA,EACvD,aAAa;AAAA,EACb,iBAAiB,CAAC;AAAA,EAClB,iBAAiB,CAAC;AAAA,EAClB,aAAa,CAAC;AAAA,EACd,WAAW;AAAA,IACT,OAAO,CAAC;AAAA,IACR,OAAO,CAAC;AAAA,EACV;AACF;AAEO,MAAM,0BAA0C;AAAA,EACrD,SAAS;AAAA,EACT,SAAS,CAAC,OAAO,MAAM;AAAA,EACvB,aAAa;AAAA,EACb,UAAU;AACZ;AAEO,MAAM,0BAAiD;AAAA,EAC5D,GAAG;AAAA,EACH,cAAc;AAAA,IACZ,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,KAAK;AAAA,MACf,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,QACb,iBAAiB,CAAC;AAAA,MACpB;AAAA,IACF;AAAA,IACA,eAAe;AAAA,MACb,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,SAAS;AAAA,MACP,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,0BAET;AAAA,EACF,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,IACT,UAAU,KAAK,KAAK;AAAA;AAAA,IACpB,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB;AAAA,EACA,UAAU;AAAA,EACV,WAAW;AAAA,IACT,UAAU;AAAA,EACZ;AAAA,EACA,UAAU;AAAA,EACV,mBAAmB;AAAA,EACnB,OAAO;AAAA,EACP,aAAa;AAAA,EACb,UAAU;AACZ;AAmCO,MAAM,YAAY;AAAA,EACvB,OAAO,cAAc,YAAoB,WAA2B;AAClE,WAAO,GAAG,UAAU,IAAI,SAAS;AAAA,EACnC;AAAA,EAEA,OAAO,eAAe,YAAoB;AACxC,WAAO;AAAA,MACL,SAAS,KAAK,cAAc,YAAY,SAAS;AAAA,MACjD,IAAI,KAAK,cAAc,YAAY,IAAI;AAAA,MACvC,SAAS,KAAK,cAAc,YAAY,SAAS;AAAA,MACjD,WAAW,KAAK,cAAc,YAAY,WAAW;AAAA,MACrD,QAAQ,KAAK,cAAc,YAAY,QAAQ;AAAA,IACjD;AAAA,EACF;AAAA,EAEA,OAAO,iBAAiB,eAAiD;AACvE,UAAM,gBAAgB,cAAc,WAAW,CAAC;AAChD,UAAM,iBAAiB,uBAAuB,WAAW,CAAC;AAE1D,WAAO;AAAA,MACL,QAAQ,cAAc,UAAU,cAAc;AAAA,MAC9C,MAAM,cAAc,QAAQ,cAAc,QAAQ;AAAA,MAClD,UAAU,cAAc,YAAY,cAAc,YAAY;AAAA,MAC9D,UAAU,cAAc,YAAY,cAAc,YAAY;AAAA,MAC9D,QAAQ,cAAc,UAAU,eAAe,UAAU,OAAO,KAAK;AAAA,IACvE;AAAA,EACF;AAAA,EAEA,OAAO,oBACL,eACA,WACmB;AACnB,UAAM,cAAc,oBAAoB,SAAS;AAEjD,WAAO;AAAA,MACL,QAAQ,cAAc;AAAA,MACtB,MAAM,YAAY;AAAA,MAClB,UAAU,YAAY;AAAA,MACtB,UAAU,YAAY;AAAA,MACtB,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF;AAAA,EAEA,OAAO,sBAAsB,QAAyB;AACpD,UAAM,SAAS;AACf,UAAM,cAAc,OAAO,KAAK;AAChC,WAAO,UAAU,UAAU,UAAU;AAAA,EACvC;AACF;","names":[]}
|
|
@@ -18,18 +18,21 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
18
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
19
|
var constant_exports = {};
|
|
20
20
|
__export(constant_exports, {
|
|
21
|
+
API_KEY: () => API_KEY,
|
|
21
22
|
API_URL: () => API_URL,
|
|
22
23
|
API_VERSION: () => API_VERSION,
|
|
23
24
|
SIGN_IN_URL: () => SIGN_IN_URL,
|
|
24
25
|
SIGN_UP_URL: () => SIGN_UP_URL
|
|
25
26
|
});
|
|
26
27
|
module.exports = __toCommonJS(constant_exports);
|
|
27
|
-
const
|
|
28
|
+
const API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || "";
|
|
29
|
+
const API_URL = process.env.TERNSECURE_API_URL || "";
|
|
28
30
|
const API_VERSION = process.env.TERNSECURE_API_VERSION || "v1";
|
|
29
31
|
const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || "";
|
|
30
32
|
const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || "";
|
|
31
33
|
// Annotate the CommonJS export names for ESM import in node:
|
|
32
34
|
0 && (module.exports = {
|
|
35
|
+
API_KEY,
|
|
33
36
|
API_URL,
|
|
34
37
|
API_VERSION,
|
|
35
38
|
SIGN_IN_URL,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/server/constant.ts"],"sourcesContent":["
|
|
1
|
+
{"version":3,"sources":["../../../src/server/constant.ts"],"sourcesContent":["export const API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '';\nexport const API_URL = process.env.TERNSECURE_API_URL || '';\nexport const API_VERSION = process.env.TERNSECURE_API_VERSION || 'v1';\nexport const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || '';\nexport const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || '';"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAO,MAAM,UAAU,QAAQ,IAAI,gCAAgC;AAC5D,MAAM,UAAU,QAAQ,IAAI,sBAAsB;AAClD,MAAM,cAAc,QAAQ,IAAI,0BAA0B;AAC1D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;AAC3D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;","names":[]}
|