@tern-secure/nextjs 5.2.0-canary.v20251029025859 → 5.2.0-canary.v20251108045933
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/app-router/admin/cookieOptionsHelper.js +28 -16
- package/dist/cjs/app-router/admin/cookieOptionsHelper.js.map +1 -1
- package/dist/cjs/app-router/admin/request.js +6 -1
- package/dist/cjs/app-router/admin/request.js.map +1 -1
- package/dist/cjs/app-router/admin/sessionHandlers.js +2 -1
- package/dist/cjs/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/cjs/app-router/admin/types.js +19 -10
- package/dist/cjs/app-router/admin/types.js.map +1 -1
- package/dist/cjs/app-router/server/TernSecureProvider.js.map +1 -1
- package/dist/cjs/app-router/server/auth.js.map +1 -1
- package/dist/cjs/boundary/PromiseAuthProvider.js.map +1 -1
- package/dist/cjs/boundary/PromiseAuthProviderNode.js +68 -0
- package/dist/cjs/boundary/PromiseAuthProviderNode.js.map +1 -0
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/server/constant.js +21 -0
- package/dist/cjs/server/constant.js.map +1 -1
- package/dist/cjs/server/data/getAuthDataFromRequest.js +109 -6
- package/dist/cjs/server/data/getAuthDataFromRequest.js.map +1 -1
- package/dist/cjs/server/index.js +6 -3
- package/dist/cjs/server/index.js.map +1 -1
- package/dist/cjs/server/instrumentation.js +52 -0
- package/dist/cjs/server/instrumentation.js.map +1 -0
- package/dist/cjs/server/{ternSecureEdgeMiddleware.js → ternSecureProxy.js} +18 -7
- package/dist/cjs/server/ternSecureProxy.js.map +1 -0
- package/dist/cjs/utils/allNextProviderProps.js +1 -0
- package/dist/cjs/utils/allNextProviderProps.js.map +1 -1
- package/dist/cjs/utils/config.js +1 -0
- package/dist/cjs/utils/config.js.map +1 -1
- package/dist/esm/app-router/admin/cookieOptionsHelper.js +26 -15
- package/dist/esm/app-router/admin/cookieOptionsHelper.js.map +1 -1
- package/dist/esm/app-router/admin/request.js +7 -2
- package/dist/esm/app-router/admin/request.js.map +1 -1
- package/dist/esm/app-router/admin/sessionHandlers.js +2 -1
- package/dist/esm/app-router/admin/sessionHandlers.js.map +1 -1
- package/dist/esm/app-router/admin/types.js +17 -9
- package/dist/esm/app-router/admin/types.js.map +1 -1
- package/dist/esm/app-router/server/TernSecureProvider.js.map +1 -1
- package/dist/esm/app-router/server/auth.js.map +1 -1
- package/dist/esm/boundary/PromiseAuthProvider.js.map +1 -1
- package/dist/esm/boundary/PromiseAuthProviderNode.js +33 -0
- package/dist/esm/boundary/PromiseAuthProviderNode.js.map +1 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/server/constant.js +14 -0
- package/dist/esm/server/constant.js.map +1 -1
- package/dist/esm/server/data/getAuthDataFromRequest.js +113 -5
- package/dist/esm/server/data/getAuthDataFromRequest.js.map +1 -1
- package/dist/esm/server/index.js +5 -3
- package/dist/esm/server/index.js.map +1 -1
- package/dist/esm/server/instrumentation.js +28 -0
- package/dist/esm/server/instrumentation.js.map +1 -0
- package/dist/esm/server/{ternSecureEdgeMiddleware.js → ternSecureProxy.js} +16 -5
- package/dist/esm/server/ternSecureProxy.js.map +1 -0
- package/dist/esm/utils/allNextProviderProps.js +1 -0
- package/dist/esm/utils/allNextProviderProps.js.map +1 -1
- package/dist/esm/utils/config.js +1 -0
- package/dist/esm/utils/config.js.map +1 -1
- package/dist/types/app-router/admin/cookieOptionsHelper.d.ts +2 -10
- package/dist/types/app-router/admin/cookieOptionsHelper.d.ts.map +1 -1
- package/dist/types/app-router/admin/request.d.ts.map +1 -1
- package/dist/types/app-router/admin/sessionHandlers.d.ts.map +1 -1
- package/dist/types/app-router/admin/types.d.ts +2 -1
- package/dist/types/app-router/admin/types.d.ts.map +1 -1
- package/dist/types/app-router/server/auth.d.ts +5 -1
- package/dist/types/app-router/server/auth.d.ts.map +1 -1
- package/dist/types/boundary/PromiseAuthProvider.d.ts +2 -2
- package/dist/types/boundary/PromiseAuthProvider.d.ts.map +1 -1
- package/dist/types/boundary/PromiseAuthProviderNode.d.ts +14 -0
- package/dist/types/boundary/PromiseAuthProviderNode.d.ts.map +1 -0
- package/dist/types/index.d.ts +1 -1
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/server/constant.d.ts +7 -0
- package/dist/types/server/constant.d.ts.map +1 -1
- package/dist/types/server/data/getAuthDataFromRequest.d.ts +35 -3
- package/dist/types/server/data/getAuthDataFromRequest.d.ts.map +1 -1
- package/dist/types/server/index.d.ts +2 -1
- package/dist/types/server/index.d.ts.map +1 -1
- package/dist/types/server/instrumentation.d.ts +27 -0
- package/dist/types/server/instrumentation.d.ts.map +1 -0
- package/dist/types/server/{ternSecureEdgeMiddleware.d.ts → ternSecureProxy.d.ts} +2 -2
- package/dist/types/server/ternSecureProxy.d.ts.map +1 -0
- package/dist/types/utils/allNextProviderProps.d.ts.map +1 -1
- package/dist/types/utils/config.d.ts.map +1 -1
- package/package.json +8 -9
- package/dist/cjs/server/ternSecureEdgeMiddleware.js.map +0 -1
- package/dist/cjs/utils/admin-init.js +0 -4
- package/dist/cjs/utils/admin-init.js.map +0 -1
- package/dist/cjs/utils/client-init.js +0 -4
- package/dist/cjs/utils/client-init.js.map +0 -1
- package/dist/esm/server/ternSecureEdgeMiddleware.js.map +0 -1
- package/dist/esm/utils/admin-init.js +0 -3
- package/dist/esm/utils/admin-init.js.map +0 -1
- package/dist/esm/utils/client-init.js +0 -3
- package/dist/esm/utils/client-init.js.map +0 -1
- package/dist/types/server/ternSecureEdgeMiddleware.d.ts.map +0 -1
- package/dist/types/utils/admin-init.d.ts +0 -2
- package/dist/types/utils/admin-init.d.ts.map +0 -1
- package/dist/types/utils/client-init.d.ts +0 -2
- package/dist/types/utils/client-init.d.ts.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import { clearSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport type { CookieSubEndpoint } from '@tern-secure/types';\n\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { type RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { createValidators } from './fnValidators';\nimport { refreshCookieWithIdToken } from './request';\nimport { createApiErrorResponse, createApiSuccessResponse, HttpResponseHelper, SessionResponseHelper } from './responses';\nimport type { SessionSubEndpoint, TernSecureHandlerOptions } from './types';\n\nasync function sessionEndpointHandler(\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> {\n const { subEndpoint, method, referrer } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n validateSessionRequest,\n validateCsrfToken,\n validateIdToken,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n const sessionsConfig = config.endpoints?.sessions;\n const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const SessionGetHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const handleSessionVerify = async (): Promise<Response> => {\n try {\n const sessionCookie = context.sessionTokenInCookie;\n if (!sessionCookie) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n const { data: decodedSession, errors } = ternDecodeJwtUnguarded(sessionCookie);\n if (errors) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n return SessionResponseHelper.createVerificationResponse(decodedSession);\n } catch (error) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n };\n\n switch (subEndpoint) {\n case 'verify':\n return handleSessionVerify();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n const SessionPostHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const cookieStore = new NextCookieStore();\n\n const { idToken, csrfToken, error } = await validateSessionRequest();\n if (error) return error;\n\n const csrfCookieValue = await cookieStore.get('_session_terncf');\n validateCsrfToken(csrfToken || '', csrfCookieValue.value);\n\n const handleCreateSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n await refreshCookieWithIdToken(idToken, cookieStore, config, referrer);\n return SessionResponseHelper.createSessionCreationResponse({\n success: true,\n message: 'Session created successfully',\n });\n } catch (error) {\n return createApiErrorResponse('SESSION_CREATION_FAILED', 'Session creation failed', 500);\n }\n };\n\n const handleRefreshSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const decodedSession = ternDecodeJwtUnguarded(idToken);\n if (decodedSession.errors) {\n return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n }\n\n const refreshRes = await refreshCookieWithIdToken(idToken, cookieStore, config);\n return SessionResponseHelper.createRefreshResponse(refreshRes);\n } catch (error) {\n return createApiErrorResponse('REFRESH_FAILED', 'Session refresh failed', 500);\n }\n };\n\n const handleRevokeSession = async (cookieStore: NextCookieStore): Promise<Response> => {\n const res = await clearSessionCookie(cookieStore);\n return SessionResponseHelper.createRevokeResponse(res);\n };\n\n switch (subEndpoint) {\n case 'createsession': {\n validateIdToken(idToken);\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleCreateSession(cookieStore, idToken!);\n }\n\n case 'refresh':\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleRefreshSession(cookieStore, idToken!);\n\n case 'revoke':\n return handleRevokeSession(cookieStore);\n\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return SessionGetHandler(subEndpoint);\n\n case 'POST':\n return SessionPostHandler(subEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nasync function cookieEndpointHandler(\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n const { validateSecurity } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Cookie sub-endpoint required', 400);\n }\n\n const cookiesConfig = config.endpoints?.cookies;\n const subEndpointConfig = cookiesConfig?.subEndpoints?.[subEndpoint as CookieSubEndpoint];\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Cookie endpoint not found or disabled', 404);\n }\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const CookieGetHandler = async (subEndpoint: CookieSubEndpoint): Promise<Response> => {\n const handleGetCookie = async (): Promise<Response> => {\n try {\n const url = new URL(context.ternUrl);\n const tokenName = url.searchParams.get('tokenName');\n\n if (!tokenName) {\n return createApiErrorResponse('TOKEN_NAME_REQUIRED', 'tokenName query parameter is required', 400);\n }\n\n let cookieValue: string | undefined;\n\n switch (tokenName) {\n case 'idToken':\n cookieValue = context.idTokenInCookie;\n break;\n case 'sessionToken':\n cookieValue = context.sessionTokenInCookie;\n break;\n case 'refreshToken':\n cookieValue = context.refreshTokenInCookie;\n break;\n case 'customToken':\n cookieValue = context.customTokenInCookie;\n break;\n default:\n return createApiErrorResponse('INVALID_TOKEN_NAME', 'Invalid token name. Must be one of: idToken, sessionToken, refreshToken, customToken', 400);\n }\n\n if (!cookieValue) {\n return createApiErrorResponse(\n 'TOKEN_NOT_FOUND',\n `${tokenName} not found in httpOnly cookies`,\n 404\n );\n }\n\n return createApiSuccessResponse({\n token: cookieValue,\n });\n } catch (error) {\n return createApiErrorResponse('COOKIE_RETRIEVAL_FAILED', 'Failed to retrieve cookie', 500);\n }\n };\n\n switch (subEndpoint) {\n case 'get':\n return handleGetCookie();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return CookieGetHandler(subEndpoint as CookieSubEndpoint);\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nexport { sessionEndpointHandler, cookieEndpointHandler };\n"],"mappings":"AAAA,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,uBAAuB;AAEhC,SAAS,wBAAwB;AACjC,SAAS,gCAAgC;AACzC,SAAS,wBAAwB,0BAA0B,oBAAoB,6BAA6B;AAG5G,eAAe,uBACb,SACA,QACmB;AACnB,QAAM,EAAE,aAAa,QAAQ,SAAS,IAAI;AAE1C,QAAM,aAAa,iBAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,WAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,EAC7F;AAEA,QAAM,iBAAiB,OAAO,WAAW;AACzC,QAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,oBAAoB,OAAOA,iBAAuD;AACtF,UAAM,sBAAsB,YAA+B;AACzD,UAAI;AACF,cAAM,gBAAgB,QAAQ;AAC9B,YAAI,CAAC,eAAe;AAClB,iBAAO,sBAAsB,2BAA2B;AAAA,QAC1D;AAEA,cAAM,EAAE,MAAM,gBAAgB,OAAO,IAAI,uBAAuB,aAAa;AAC7E,YAAI,QAAQ;AACV,iBAAO,sBAAsB,2BAA2B;AAAA,QAC1D;AAEA,eAAO,sBAAsB,2BAA2B,cAAc;AAAA,MACxE,SAAS,OAAO;AACd,eAAO,sBAAsB,2BAA2B;AAAA,MAC1D;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,oBAAoB;AAAA,MAC7B;AACE,eAAO,mBAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,qBAAqB,OAAOA,iBAAuD;AACvF,UAAM,cAAc,IAAI,gBAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,uBAAuB;AACnE,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,MAAM,YAAY,IAAI,iBAAiB;AAC/D,sBAAkB,aAAa,IAAI,gBAAgB,KAAK;AAExD,UAAM,sBAAsB,OAC1BC,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,yBAAyBA,UAASD,cAAa,QAAQ,QAAQ;AACrE,eAAO,sBAAsB,8BAA8B;AAAA,UACzD,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAAA,MACH,SAASE,QAAO;AACd,eAAO,uBAAuB,2BAA2B,2BAA2B,GAAG;AAAA,MACzF;AAAA,IACF;AAEA,UAAM,uBAAuB,OAC3BF,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,iBAAiB,uBAAuBA,QAAO;AACrD,YAAI,eAAe,QAAQ;AACzB,iBAAO,uBAAuB,mBAAmB,+BAA+B,GAAG;AAAA,QACrF;AAEA,cAAM,aAAa,MAAM,yBAAyBA,UAASD,cAAa,MAAM;AAC9E,eAAO,sBAAsB,sBAAsB,UAAU;AAAA,MAC/D,SAASE,QAAO;AACd,eAAO,uBAAuB,kBAAkB,0BAA0B,GAAG;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,sBAAsB,OAAOF,iBAAoD;AACrF,YAAM,MAAM,MAAM,mBAAmBA,YAAW;AAChD,aAAO,sBAAsB,qBAAqB,GAAG;AAAA,IACvD;AAEA,YAAQD,cAAa;AAAA,MACnB,KAAK,iBAAiB;AACpB,wBAAgB,OAAO;AAEvB,eAAO,oBAAoB,aAAa,OAAQ;AAAA,MAClD;AAAA,MAEA,KAAK;AAEH,eAAO,qBAAqB,aAAa,OAAQ;AAAA,MAEnD,KAAK;AACH,eAAO,oBAAoB,WAAW;AAAA,MAExC;AACE,eAAO,mBAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,kBAAkB,WAAW;AAAA,IAEtC,KAAK;AACH,aAAO,mBAAmB,WAAW;AAAA,IAEvC;AACE,aAAO,mBAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,eAAe,sBACb,SACA,QACmB;AACnB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,aAAa,iBAAiB,OAAO;AAC3C,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,CAAC,aAAa;AAChB,WAAO,uBAAuB,yBAAyB,gCAAgC,GAAG;AAAA,EAC5F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,MAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,WAAO,uBAAuB,sBAAsB,yCAAyC,GAAG;AAAA,EAClG;AAEA,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,mBAAmB,OAAOA,iBAAsD;AACpF,UAAM,kBAAkB,YAA+B;AACrD,UAAI;AACF,cAAM,MAAM,IAAI,IAAI,QAAQ,OAAO;AACnC,cAAM,YAAY,IAAI,aAAa,IAAI,WAAW;AAElD,YAAI,CAAC,WAAW;AACd,iBAAO,uBAAuB,uBAAuB,yCAAyC,GAAG;AAAA,QACnG;AAEA,YAAI;AAEJ,gBAAQ,WAAW;AAAA,UACjB,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF;AACE,mBAAO,uBAAuB,sBAAsB,wFAAwF,GAAG;AAAA,QACnJ;AAEA,YAAI,CAAC,aAAa;AAChB,iBAAO;AAAA,YACL;AAAA,YACA,GAAG,SAAS;AAAA,YACZ;AAAA,UACF;AAAA,QACF;AAEA,eAAO,yBAAyB;AAAA,UAC9B,OAAO;AAAA,QACT,CAAC;AAAA,MACH,SAAS,OAAO;AACd,eAAO,uBAAuB,2BAA2B,6BAA6B,GAAG;AAAA,MAC3F;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,gBAAgB;AAAA,MACzB;AACE,eAAO,mBAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,iBAAiB,WAAgC;AAAA,IAC1D;AACE,aAAO,mBAAmB,+BAA+B;AAAA,EAC7D;AACF;","names":["subEndpoint","cookieStore","idToken","error"]}
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/sessionHandlers.ts"],"sourcesContent":["import { constants } from '@tern-secure/backend';\nimport { clearSessionCookie } from '@tern-secure/backend/admin';\nimport { ternDecodeJwtUnguarded } from '@tern-secure/backend/jwt';\nimport type { CookieSubEndpoint } from '@tern-secure/types';\n\nimport { NextCookieStore } from '../../utils/NextCookieAdapter';\nimport { type RequestProcessorContext } from './c-authenticateRequestProcessor';\nimport { createValidators } from './fnValidators';\nimport { refreshCookieWithIdToken } from './request';\nimport { createApiErrorResponse, createApiSuccessResponse, HttpResponseHelper, SessionResponseHelper } from './responses';\nimport type { SessionSubEndpoint, TernSecureHandlerOptions } from './types';\n\nasync function sessionEndpointHandler(\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> {\n const { subEndpoint, method, referrer } = context;\n\n const validators = createValidators(context);\n\n const {\n validateSubEndpoint,\n validateSecurity,\n validateSessionRequest,\n validateCsrfToken,\n validateIdToken,\n } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Session sub-endpoint required', 400);\n }\n\n const sessionsConfig = config.endpoints?.sessions;\n const subEndpointConfig = sessionsConfig?.subEndpoints?.[subEndpoint];\n\n validateSubEndpoint(subEndpoint, subEndpointConfig);\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const SessionGetHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const handleSessionVerify = async (): Promise<Response> => {\n try {\n const sessionCookie = context.sessionTokenInCookie;\n if (!sessionCookie) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n const { data: decodedSession, errors } = ternDecodeJwtUnguarded(sessionCookie);\n if (errors) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n\n return SessionResponseHelper.createVerificationResponse(decodedSession);\n } catch (error) {\n return SessionResponseHelper.createUnauthorizedResponse();\n }\n };\n\n switch (subEndpoint) {\n case 'verify':\n return handleSessionVerify();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n const SessionPostHandler = async (subEndpoint: SessionSubEndpoint): Promise<Response> => {\n const cookieStore = new NextCookieStore();\n\n const { idToken, csrfToken, error } = await validateSessionRequest();\n if (error) return error;\n\n const csrfCookieValue = await cookieStore.get(constants.Cookies.CsrfToken);\n validateCsrfToken(csrfToken || '', csrfCookieValue.value);\n\n const handleCreateSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n await refreshCookieWithIdToken(idToken, cookieStore, config, referrer);\n return SessionResponseHelper.createSessionCreationResponse({\n success: true,\n message: 'Session created successfully',\n });\n } catch (error) {\n return createApiErrorResponse('SESSION_CREATION_FAILED', 'Session creation failed', 500);\n }\n };\n\n const handleRefreshSession = async (\n cookieStore: NextCookieStore,\n idToken: string,\n ): Promise<Response> => {\n try {\n const decodedSession = ternDecodeJwtUnguarded(idToken);\n if (decodedSession.errors) {\n return createApiErrorResponse('INVALID_SESSION', 'Invalid session for refresh', 401);\n }\n\n const refreshRes = await refreshCookieWithIdToken(idToken, cookieStore, config);\n return SessionResponseHelper.createRefreshResponse(refreshRes);\n } catch (error) {\n return createApiErrorResponse('REFRESH_FAILED', 'Session refresh failed', 500);\n }\n };\n\n const handleRevokeSession = async (cookieStore: NextCookieStore): Promise<Response> => {\n const res = await clearSessionCookie(cookieStore);\n return SessionResponseHelper.createRevokeResponse(res);\n };\n\n switch (subEndpoint) {\n case 'createsession': {\n validateIdToken(idToken);\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleCreateSession(cookieStore, idToken!);\n }\n\n case 'refresh':\n //eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return handleRefreshSession(cookieStore, idToken!);\n\n case 'revoke':\n return handleRevokeSession(cookieStore);\n\n default:\n return HttpResponseHelper.createSubEndpointNotSupportedResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return SessionGetHandler(subEndpoint);\n\n case 'POST':\n return SessionPostHandler(subEndpoint);\n\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nasync function cookieEndpointHandler(\n context: RequestProcessorContext,\n config: TernSecureHandlerOptions,\n): Promise<Response> {\n const { subEndpoint, method } = context;\n\n const validators = createValidators(context);\n const { validateSecurity } = validators;\n\n if (!subEndpoint) {\n return createApiErrorResponse('SUB_ENDPOINT_REQUIRED', 'Cookie sub-endpoint required', 400);\n }\n\n const cookiesConfig = config.endpoints?.cookies;\n const subEndpointConfig = cookiesConfig?.subEndpoints?.[subEndpoint as CookieSubEndpoint];\n\n if (!subEndpointConfig || !subEndpointConfig.enabled) {\n return createApiErrorResponse('ENDPOINT_NOT_FOUND', 'Cookie endpoint not found or disabled', 404);\n }\n\n if (subEndpointConfig?.security) {\n await validateSecurity(subEndpointConfig.security);\n }\n\n const CookieGetHandler = async (subEndpoint: CookieSubEndpoint): Promise<Response> => {\n const handleGetCookie = async (): Promise<Response> => {\n try {\n const url = new URL(context.ternUrl);\n const tokenName = url.searchParams.get('tokenName');\n\n if (!tokenName) {\n return createApiErrorResponse('TOKEN_NAME_REQUIRED', 'tokenName query parameter is required', 400);\n }\n\n let cookieValue: string | undefined;\n\n switch (tokenName) {\n case 'idToken':\n cookieValue = context.idTokenInCookie;\n break;\n case 'sessionToken':\n cookieValue = context.sessionTokenInCookie;\n break;\n case 'refreshToken':\n cookieValue = context.refreshTokenInCookie;\n break;\n case 'customToken':\n cookieValue = context.customTokenInCookie;\n break;\n default:\n return createApiErrorResponse('INVALID_TOKEN_NAME', 'Invalid token name. Must be one of: idToken, sessionToken, refreshToken, customToken', 400);\n }\n\n if (!cookieValue) {\n return createApiErrorResponse(\n 'TOKEN_NOT_FOUND',\n `${tokenName} not found in httpOnly cookies`,\n 404\n );\n }\n\n return createApiSuccessResponse({\n token: cookieValue,\n });\n } catch (error) {\n return createApiErrorResponse('COOKIE_RETRIEVAL_FAILED', 'Failed to retrieve cookie', 500);\n }\n };\n\n switch (subEndpoint) {\n case 'get':\n return handleGetCookie();\n default:\n return HttpResponseHelper.createNotFoundResponse();\n }\n };\n\n switch (method) {\n case 'GET':\n return CookieGetHandler(subEndpoint as CookieSubEndpoint);\n default:\n return HttpResponseHelper.createMethodNotAllowedResponse();\n }\n}\n\nexport { sessionEndpointHandler, cookieEndpointHandler };\n"],"mappings":"AAAA,SAAS,iBAAiB;AAC1B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,uBAAuB;AAEhC,SAAS,wBAAwB;AACjC,SAAS,gCAAgC;AACzC,SAAS,wBAAwB,0BAA0B,oBAAoB,6BAA6B;AAG5G,eAAe,uBACb,SACA,QACmB;AACnB,QAAM,EAAE,aAAa,QAAQ,SAAS,IAAI;AAE1C,QAAM,aAAa,iBAAiB,OAAO;AAE3C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,CAAC,aAAa;AAChB,WAAO,uBAAuB,yBAAyB,iCAAiC,GAAG;AAAA,EAC7F;AAEA,QAAM,iBAAiB,OAAO,WAAW;AACzC,QAAM,oBAAoB,gBAAgB,eAAe,WAAW;AAEpE,sBAAoB,aAAa,iBAAiB;AAElD,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,oBAAoB,OAAOA,iBAAuD;AACtF,UAAM,sBAAsB,YAA+B;AACzD,UAAI;AACF,cAAM,gBAAgB,QAAQ;AAC9B,YAAI,CAAC,eAAe;AAClB,iBAAO,sBAAsB,2BAA2B;AAAA,QAC1D;AAEA,cAAM,EAAE,MAAM,gBAAgB,OAAO,IAAI,uBAAuB,aAAa;AAC7E,YAAI,QAAQ;AACV,iBAAO,sBAAsB,2BAA2B;AAAA,QAC1D;AAEA,eAAO,sBAAsB,2BAA2B,cAAc;AAAA,MACxE,SAAS,OAAO;AACd,eAAO,sBAAsB,2BAA2B;AAAA,MAC1D;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,oBAAoB;AAAA,MAC7B;AACE,eAAO,mBAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,QAAM,qBAAqB,OAAOA,iBAAuD;AACvF,UAAM,cAAc,IAAI,gBAAgB;AAExC,UAAM,EAAE,SAAS,WAAW,MAAM,IAAI,MAAM,uBAAuB;AACnE,QAAI,MAAO,QAAO;AAElB,UAAM,kBAAkB,MAAM,YAAY,IAAI,UAAU,QAAQ,SAAS;AACzE,sBAAkB,aAAa,IAAI,gBAAgB,KAAK;AAExD,UAAM,sBAAsB,OAC1BC,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,yBAAyBA,UAASD,cAAa,QAAQ,QAAQ;AACrE,eAAO,sBAAsB,8BAA8B;AAAA,UACzD,SAAS;AAAA,UACT,SAAS;AAAA,QACX,CAAC;AAAA,MACH,SAASE,QAAO;AACd,eAAO,uBAAuB,2BAA2B,2BAA2B,GAAG;AAAA,MACzF;AAAA,IACF;AAEA,UAAM,uBAAuB,OAC3BF,cACAC,aACsB;AACtB,UAAI;AACF,cAAM,iBAAiB,uBAAuBA,QAAO;AACrD,YAAI,eAAe,QAAQ;AACzB,iBAAO,uBAAuB,mBAAmB,+BAA+B,GAAG;AAAA,QACrF;AAEA,cAAM,aAAa,MAAM,yBAAyBA,UAASD,cAAa,MAAM;AAC9E,eAAO,sBAAsB,sBAAsB,UAAU;AAAA,MAC/D,SAASE,QAAO;AACd,eAAO,uBAAuB,kBAAkB,0BAA0B,GAAG;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,sBAAsB,OAAOF,iBAAoD;AACrF,YAAM,MAAM,MAAM,mBAAmBA,YAAW;AAChD,aAAO,sBAAsB,qBAAqB,GAAG;AAAA,IACvD;AAEA,YAAQD,cAAa;AAAA,MACnB,KAAK,iBAAiB;AACpB,wBAAgB,OAAO;AAEvB,eAAO,oBAAoB,aAAa,OAAQ;AAAA,MAClD;AAAA,MAEA,KAAK;AAEH,eAAO,qBAAqB,aAAa,OAAQ;AAAA,MAEnD,KAAK;AACH,eAAO,oBAAoB,WAAW;AAAA,MAExC;AACE,eAAO,mBAAmB,sCAAsC;AAAA,IACpE;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,kBAAkB,WAAW;AAAA,IAEtC,KAAK;AACH,aAAO,mBAAmB,WAAW;AAAA,IAEvC;AACE,aAAO,mBAAmB,+BAA+B;AAAA,EAC7D;AACF;AAEA,eAAe,sBACb,SACA,QACmB;AACnB,QAAM,EAAE,aAAa,OAAO,IAAI;AAEhC,QAAM,aAAa,iBAAiB,OAAO;AAC3C,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,CAAC,aAAa;AAChB,WAAO,uBAAuB,yBAAyB,gCAAgC,GAAG;AAAA,EAC5F;AAEA,QAAM,gBAAgB,OAAO,WAAW;AACxC,QAAM,oBAAoB,eAAe,eAAe,WAAgC;AAExF,MAAI,CAAC,qBAAqB,CAAC,kBAAkB,SAAS;AACpD,WAAO,uBAAuB,sBAAsB,yCAAyC,GAAG;AAAA,EAClG;AAEA,MAAI,mBAAmB,UAAU;AAC/B,UAAM,iBAAiB,kBAAkB,QAAQ;AAAA,EACnD;AAEA,QAAM,mBAAmB,OAAOA,iBAAsD;AACpF,UAAM,kBAAkB,YAA+B;AACrD,UAAI;AACF,cAAM,MAAM,IAAI,IAAI,QAAQ,OAAO;AACnC,cAAM,YAAY,IAAI,aAAa,IAAI,WAAW;AAElD,YAAI,CAAC,WAAW;AACd,iBAAO,uBAAuB,uBAAuB,yCAAyC,GAAG;AAAA,QACnG;AAEA,YAAI;AAEJ,gBAAQ,WAAW;AAAA,UACjB,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF,KAAK;AACH,0BAAc,QAAQ;AACtB;AAAA,UACF;AACE,mBAAO,uBAAuB,sBAAsB,wFAAwF,GAAG;AAAA,QACnJ;AAEA,YAAI,CAAC,aAAa;AAChB,iBAAO;AAAA,YACL;AAAA,YACA,GAAG,SAAS;AAAA,YACZ;AAAA,UACF;AAAA,QACF;AAEA,eAAO,yBAAyB;AAAA,UAC9B,OAAO;AAAA,QACT,CAAC;AAAA,MACH,SAAS,OAAO;AACd,eAAO,uBAAuB,2BAA2B,6BAA6B,GAAG;AAAA,MAC3F;AAAA,IACF;AAEA,YAAQA,cAAa;AAAA,MACnB,KAAK;AACH,eAAO,gBAAgB;AAAA,MACzB;AACE,eAAO,mBAAmB,uBAAuB;AAAA,IACrD;AAAA,EACF;AAEA,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,iBAAiB,WAAgC;AAAA,IAC1D;AACE,aAAO,mBAAmB,+BAA+B;AAAA,EAC7D;AACF;","names":["subEndpoint","cookieStore","idToken","error"]}
|
|
@@ -6,7 +6,16 @@ const DEFAULT_CORS_OPTIONS = {
|
|
|
6
6
|
maxAge: 86400
|
|
7
7
|
// 24 hours
|
|
8
8
|
};
|
|
9
|
-
const
|
|
9
|
+
const DEFAULT_SESSION_COOKIE_OPTIONS = {
|
|
10
|
+
httpOnly: true,
|
|
11
|
+
path: "/",
|
|
12
|
+
secure: process.env.NODE_ENV === "production",
|
|
13
|
+
sameSite: "strict",
|
|
14
|
+
maxAge: 12 * 60 * 60 * 24,
|
|
15
|
+
// twelve days
|
|
16
|
+
priority: "high"
|
|
17
|
+
};
|
|
18
|
+
const DEFAULT_ID_REFRESH_TOKEN_COOKIE_OPTIONS = {
|
|
10
19
|
httpOnly: true,
|
|
11
20
|
path: "/",
|
|
12
21
|
secure: process.env.NODE_ENV === "production",
|
|
@@ -115,7 +124,7 @@ const DEFAULT_SESSIONS_CONFIG = {
|
|
|
115
124
|
};
|
|
116
125
|
const DEFAULT_HANDLER_OPTIONS = {
|
|
117
126
|
cors: DEFAULT_CORS_OPTIONS,
|
|
118
|
-
cookies:
|
|
127
|
+
cookies: DEFAULT_SESSION_COOKIE_OPTIONS,
|
|
119
128
|
rateLimit: {
|
|
120
129
|
windowMs: 15 * 60 * 1e3,
|
|
121
130
|
// 15 minutes
|
|
@@ -149,13 +158,11 @@ class CookieUtils {
|
|
|
149
158
|
};
|
|
150
159
|
}
|
|
151
160
|
static getSessionConfig(cookieOptions) {
|
|
152
|
-
const sessionConfig = cookieOptions.session || {};
|
|
153
|
-
const defaultSession = DEFAULT_COOKIE_OPTIONS.session || {};
|
|
154
161
|
return {
|
|
155
|
-
path:
|
|
156
|
-
httpOnly:
|
|
157
|
-
sameSite:
|
|
158
|
-
maxAge:
|
|
162
|
+
path: cookieOptions.path ?? "/",
|
|
163
|
+
httpOnly: cookieOptions.httpOnly ?? true,
|
|
164
|
+
sameSite: cookieOptions.sameSite ?? "lax",
|
|
165
|
+
maxAge: cookieOptions.maxAge ?? 3600 * 24 * 7
|
|
159
166
|
};
|
|
160
167
|
}
|
|
161
168
|
static getFixedTokenConfig(tokenType) {
|
|
@@ -175,13 +182,14 @@ class CookieUtils {
|
|
|
175
182
|
}
|
|
176
183
|
export {
|
|
177
184
|
CookieUtils,
|
|
178
|
-
DEFAULT_COOKIE_OPTIONS,
|
|
179
185
|
DEFAULT_COOKIE_REQUEST_CONFIG,
|
|
180
186
|
DEFAULT_CORS_OPTIONS,
|
|
181
187
|
DEFAULT_ENDPOINT_CONFIG,
|
|
182
188
|
DEFAULT_HANDLER_OPTIONS,
|
|
189
|
+
DEFAULT_ID_REFRESH_TOKEN_COOKIE_OPTIONS,
|
|
183
190
|
DEFAULT_SECURITY_OPTIONS,
|
|
184
191
|
DEFAULT_SESSIONS_CONFIG,
|
|
192
|
+
DEFAULT_SESSION_COOKIE_OPTIONS,
|
|
185
193
|
FIXED_TOKEN_CONFIGS
|
|
186
194
|
};
|
|
187
195
|
//# sourceMappingURL=types.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/admin/types.ts"],"sourcesContent":["import type {\n AuthEndpoint,\n CookieEndpointConfig,\n CookieOpts as CookieOptions,\n CorsOptions,\n EndpointConfig,\n SecurityOptions,\n SessionEndpointConfig,\n SessionSubEndpoint,\n TernSecureHandlerOptions,\n TokenCookieConfig,\n} from '@tern-secure/types';\nimport { type NextResponse } from 'next/server';\n\nexport const DEFAULT_CORS_OPTIONS: CorsOptions = {\n allowedOrigins: [],\n allowedMethods: ['GET', 'POST'],\n allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],\n allowCredentials: true,\n maxAge: 86400, // 24 hours\n};\n\nexport const
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/admin/types.ts"],"sourcesContent":["import type {\n AuthEndpoint,\n CookieEndpointConfig,\n CookieOpts as CookieOptions,\n CorsOptions,\n EndpointConfig,\n SecurityOptions,\n SessionEndpointConfig,\n SessionSubEndpoint,\n TernSecureHandlerOptions,\n TokenCookieConfig,\n} from '@tern-secure/types';\nimport { type NextResponse } from 'next/server';\n\nexport const DEFAULT_CORS_OPTIONS: CorsOptions = {\n allowedOrigins: [],\n allowedMethods: ['GET', 'POST'],\n allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],\n allowCredentials: true,\n maxAge: 86400, // 24 hours\n};\n\nexport const DEFAULT_SESSION_COOKIE_OPTIONS: CookieOptions = {\n httpOnly: true,\n path: '/',\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 12 * 60 * 60 * 24, // twelve days\n priority: 'high',\n};\n\nexport const DEFAULT_ID_REFRESH_TOKEN_COOKIE_OPTIONS: CookieOptions = {\n httpOnly: true,\n path: '/',\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'strict',\n maxAge: 12 * 60 * 60 * 24, // twelve days\n priority: 'high',\n};\n\n\nexport const FIXED_TOKEN_CONFIGS = {\n id: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600, // 1 hour\n },\n refresh: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 30, // 30 days (changes when user events occur)\n },\n signature: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 7, // 1 week (as needed)\n },\n custom: {\n path: '/',\n httpOnly: true,\n sameSite: 'lax' as const,\n maxAge: 3600 * 24 * 7, // 1 week (as needed)\n },\n} as const;\n\nexport const DEFAULT_SECURITY_OPTIONS: SecurityOptions = {\n requireCSRF: true,\n allowedReferers: [],\n requiredHeaders: {},\n ipWhitelist: [],\n userAgent: {\n block: [],\n allow: [],\n },\n};\n\nexport const DEFAULT_ENDPOINT_CONFIG: EndpointConfig = {\n enabled: true,\n methods: ['GET', 'POST'],\n requireAuth: false,\n security: DEFAULT_SECURITY_OPTIONS,\n};\n\nexport const DEFAULT_COOKIE_REQUEST_CONFIG: CookieEndpointConfig = {\n ...DEFAULT_ENDPOINT_CONFIG,\n subEndpoints: {\n get: {\n enabled: true,\n methods: ['GET'],\n requireAuth: false,\n security: {\n requireCSRF: true,\n allowedReferers: [],\n },\n },\n },\n};\n\nexport const DEFAULT_SESSIONS_CONFIG: SessionEndpointConfig = {\n ...DEFAULT_ENDPOINT_CONFIG,\n subEndpoints: {\n verify: {\n enabled: true,\n methods: ['GET'],\n requireAuth: false,\n security: {\n requireCSRF: true,\n allowedReferers: [],\n },\n },\n createsession: {\n enabled: true,\n methods: ['POST'],\n requireAuth: false,\n security: {\n requireCSRF: true,\n },\n },\n refresh: {\n enabled: true,\n methods: ['POST'],\n requireAuth: true,\n security: {\n requireCSRF: true,\n },\n },\n revoke: {\n enabled: true,\n methods: ['POST'],\n requireAuth: true,\n security: {\n requireCSRF: true,\n },\n },\n },\n};\n\nexport const DEFAULT_HANDLER_OPTIONS: Required<TernSecureHandlerOptions> & {\n endpoints: Required<NonNullable<TernSecureHandlerOptions['endpoints']>>;\n} = {\n cors: DEFAULT_CORS_OPTIONS,\n cookies: DEFAULT_SESSION_COOKIE_OPTIONS,\n rateLimit: {\n windowMs: 15 * 60 * 1000, // 15 minutes\n maxRequests: 100,\n skipSuccessful: false,\n skipFailedRequests: false,\n },\n security: DEFAULT_SECURITY_OPTIONS,\n endpoints: {\n cookies: DEFAULT_COOKIE_REQUEST_CONFIG,\n sessions: DEFAULT_SESSIONS_CONFIG,\n },\n tenantId: '',\n revokeRefreshTokensOnSignOut: true,\n enableCustomToken: false,\n debug: false,\n environment: 'production',\n basePath: '/api/auth',\n};\n\nexport interface ValidationResult {\n error?: NextResponse;\n data?: any;\n}\n\nexport interface ValidationConfig {\n cors?: CorsOptions;\n security?: SecurityOptions;\n endpoint?: {\n name: AuthEndpoint;\n config: EndpointConfig;\n };\n subEndpoint?: {\n name: SessionSubEndpoint;\n config: EndpointConfig;\n };\n requireIdToken?: boolean;\n requireCsrfToken?: boolean;\n}\n\nexport interface ComprehensiveValidationResult {\n isValid: boolean;\n error?: Response;\n corsResponse?: Response;\n sessionData?: {\n body: any;\n idToken?: string;\n csrfToken?: string;\n };\n}\n\nexport type suffix = 'session' | 'id' | 'refresh' | 'signature' | 'custom';\n\nexport class CookieUtils {\n static getCookieName(namePrefix: string, tokenType: suffix): string {\n return `${namePrefix}.${tokenType}`;\n }\n\n static getCookieNames(namePrefix: string) {\n return {\n session: this.getCookieName(namePrefix, 'session'),\n id: this.getCookieName(namePrefix, 'id'),\n refresh: this.getCookieName(namePrefix, 'refresh'),\n signature: this.getCookieName(namePrefix, 'signature'),\n custom: this.getCookieName(namePrefix, 'custom'),\n };\n }\n\n static getSessionConfig(cookieOptions: CookieOptions): TokenCookieConfig {\n return {\n path: cookieOptions.path ?? '/',\n httpOnly: cookieOptions.httpOnly ?? true,\n sameSite: cookieOptions.sameSite ?? 'lax',\n maxAge: cookieOptions.maxAge ?? 3600 * 24 * 7,\n };\n }\n\n static getFixedTokenConfig(\n tokenType: Exclude<suffix, 'session'>,\n ): TokenCookieConfig {\n const fixedConfig = FIXED_TOKEN_CONFIGS[tokenType];\n\n return {\n path: fixedConfig.path,\n httpOnly: fixedConfig.httpOnly,\n sameSite: fixedConfig.sameSite,\n maxAge: fixedConfig.maxAge,\n };\n }\n\n static validateSessionMaxAge(maxAge: number): boolean {\n const minAge = 300; // 5 minutes\n const maxAgeLimit = 3600 * 24 * 14; // 2 weeks\n return maxAge >= minAge && maxAge <= maxAgeLimit;\n }\n}\n\nexport {\n AuthEndpoint,\n CookieOptions,\n CorsOptions,\n SecurityOptions,\n SessionSubEndpoint,\n EndpointConfig,\n SessionEndpointConfig,\n TernSecureHandlerOptions,\n};\n"],"mappings":"AAcO,MAAM,uBAAoC;AAAA,EAC/C,gBAAgB,CAAC;AAAA,EACjB,gBAAgB,CAAC,OAAO,MAAM;AAAA,EAC9B,gBAAgB,CAAC,gBAAgB,iBAAiB,kBAAkB;AAAA,EACpE,kBAAkB;AAAA,EAClB,QAAQ;AAAA;AACV;AAEO,MAAM,iCAAgD;AAAA,EAC3D,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AAAA,EACV,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACvB,UAAU;AACZ;AAEO,MAAM,0CAAyD;AAAA,EACpE,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ,QAAQ,IAAI,aAAa;AAAA,EACjC,UAAU;AAAA,EACV,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACvB,UAAU;AACZ;AAGO,MAAM,sBAAsB;AAAA,EACjC,IAAI;AAAA,IACF,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ;AAAA;AAAA,EACV;AAAA,EACA,SAAS;AAAA,IACP,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AAAA,EACA,WAAW;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AAAA,EACA,QAAQ;AAAA,IACN,MAAM;AAAA,IACN,UAAU;AAAA,IACV,UAAU;AAAA,IACV,QAAQ,OAAO,KAAK;AAAA;AAAA,EACtB;AACF;AAEO,MAAM,2BAA4C;AAAA,EACvD,aAAa;AAAA,EACb,iBAAiB,CAAC;AAAA,EAClB,iBAAiB,CAAC;AAAA,EAClB,aAAa,CAAC;AAAA,EACd,WAAW;AAAA,IACT,OAAO,CAAC;AAAA,IACR,OAAO,CAAC;AAAA,EACV;AACF;AAEO,MAAM,0BAA0C;AAAA,EACrD,SAAS;AAAA,EACT,SAAS,CAAC,OAAO,MAAM;AAAA,EACvB,aAAa;AAAA,EACb,UAAU;AACZ;AAEO,MAAM,gCAAsD;AAAA,EACjE,GAAG;AAAA,EACH,cAAc;AAAA,IACZ,KAAK;AAAA,MACH,SAAS;AAAA,MACT,SAAS,CAAC,KAAK;AAAA,MACf,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,QACb,iBAAiB,CAAC;AAAA,MACpB;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,0BAAiD;AAAA,EAC5D,GAAG;AAAA,EACH,cAAc;AAAA,IACZ,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,KAAK;AAAA,MACf,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,QACb,iBAAiB,CAAC;AAAA,MACpB;AAAA,IACF;AAAA,IACA,eAAe;AAAA,MACb,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,SAAS;AAAA,MACP,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,SAAS,CAAC,MAAM;AAAA,MAChB,aAAa;AAAA,MACb,UAAU;AAAA,QACR,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,0BAET;AAAA,EACF,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,IACT,UAAU,KAAK,KAAK;AAAA;AAAA,IACpB,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB;AAAA,EACA,UAAU;AAAA,EACV,WAAW;AAAA,IACT,SAAS;AAAA,IACT,UAAU;AAAA,EACZ;AAAA,EACA,UAAU;AAAA,EACV,8BAA8B;AAAA,EAC9B,mBAAmB;AAAA,EACnB,OAAO;AAAA,EACP,aAAa;AAAA,EACb,UAAU;AACZ;AAmCO,MAAM,YAAY;AAAA,EACvB,OAAO,cAAc,YAAoB,WAA2B;AAClE,WAAO,GAAG,UAAU,IAAI,SAAS;AAAA,EACnC;AAAA,EAEA,OAAO,eAAe,YAAoB;AACxC,WAAO;AAAA,MACL,SAAS,KAAK,cAAc,YAAY,SAAS;AAAA,MACjD,IAAI,KAAK,cAAc,YAAY,IAAI;AAAA,MACvC,SAAS,KAAK,cAAc,YAAY,SAAS;AAAA,MACjD,WAAW,KAAK,cAAc,YAAY,WAAW;AAAA,MACrD,QAAQ,KAAK,cAAc,YAAY,QAAQ;AAAA,IACjD;AAAA,EACF;AAAA,EAEA,OAAO,iBAAiB,eAAiD;AACvE,WAAO;AAAA,MACL,MAAM,cAAc,QAAQ;AAAA,MAC5B,UAAU,cAAc,YAAY;AAAA,MACpC,UAAU,cAAc,YAAY;AAAA,MACpC,QAAQ,cAAc,UAAU,OAAO,KAAK;AAAA,IAC9C;AAAA,EACF;AAAA,EAEA,OAAO,oBACL,WACmB;AACnB,UAAM,cAAc,oBAAoB,SAAS;AAEjD,WAAO;AAAA,MACL,MAAM,YAAY;AAAA,MAClB,UAAU,YAAY;AAAA,MACtB,UAAU,YAAY;AAAA,MACtB,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF;AAAA,EAEA,OAAO,sBAAsB,QAAyB;AACpD,UAAM,SAAS;AACf,UAAM,cAAc,OAAO,KAAK;AAChC,WAAO,UAAU,UAAU,UAAU;AAAA,EACvC;AACF;","names":[]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/server/TernSecureProvider.tsx"],"sourcesContent":["import type {
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/server/TernSecureProvider.tsx"],"sourcesContent":["import type { TernSecureInitialState } from '@tern-secure/types';\nimport type { ReactNode } from 'react';\nimport React from 'react';\n\nimport { PromiseAuthProvider } from '../../boundary/PromiseAuthProvider';\nimport { getTernSecureAuthData } from '../../server/data/getAuthDataFromRequest';\nimport { isNext13 } from '../../server/sdk-versions';\nimport type { TernSecureNextProps } from '../../types';\nimport { allNextProviderPropsWithEnv } from '../../utils/allNextProviderProps';\nimport { ClientTernSecureProvider } from '../client/TernSecureProvider';\nimport { buildRequestLike } from './utils';\n\nconst getTernSecureState = React.cache(async function getTernSecureState() {\n const request = await buildRequestLike();\n const data = getTernSecureAuthData(request);\n return data;\n});\n\nexport async function TernSecureProvider(props: TernSecureNextProps) {\n const { children, ...rest } = props;\n const { persistence } = rest;\n\n const browserCookiePersistence = persistence === 'browserCookie';\n\n async function generateStatePromise() {\n if (!browserCookiePersistence) {\n return Promise.resolve(undefined);\n }\n if (isNext13) {\n return Promise.resolve(await getTernSecureState());\n }\n return getTernSecureState();\n }\n\n const providerProps = allNextProviderPropsWithEnv({ ...rest });\n\n let output: ReactNode;\n\n if (browserCookiePersistence) {\n output = (\n <PromiseAuthProvider\n authPromise={generateStatePromise() as unknown as Promise<TernSecureInitialState>}\n >\n <ClientTernSecureProvider\n {...providerProps}\n initialState={await generateStatePromise()}\n >\n {children}\n </ClientTernSecureProvider>\n </PromiseAuthProvider>\n );\n } else {\n output = (\n <ClientTernSecureProvider\n {...providerProps}\n >\n {children}\n </ClientTernSecureProvider>\n );\n }\n\n return output;\n}\n"],"mappings":"AA2CQ;AAzCR,OAAO,WAAW;AAElB,SAAS,2BAA2B;AACpC,SAAS,6BAA6B;AACtC,SAAS,gBAAgB;AAEzB,SAAS,mCAAmC;AAC5C,SAAS,gCAAgC;AACzC,SAAS,wBAAwB;AAEjC,MAAM,qBAAqB,MAAM,MAAM,eAAeA,sBAAqB;AACzE,QAAM,UAAU,MAAM,iBAAiB;AACvC,QAAM,OAAO,sBAAsB,OAAO;AAC1C,SAAO;AACT,CAAC;AAED,eAAsB,mBAAmB,OAA4B;AACnE,QAAM,EAAE,UAAU,GAAG,KAAK,IAAI;AAC9B,QAAM,EAAE,YAAY,IAAI;AAExB,QAAM,2BAA2B,gBAAgB;AAEjD,iBAAe,uBAAuB;AACpC,QAAI,CAAC,0BAA0B;AAC7B,aAAO,QAAQ,QAAQ,MAAS;AAAA,IAClC;AACA,QAAI,UAAU;AACZ,aAAO,QAAQ,QAAQ,MAAM,mBAAmB,CAAC;AAAA,IACnD;AACA,WAAO,mBAAmB;AAAA,EAC5B;AAEA,QAAM,gBAAgB,4BAA4B,EAAE,GAAG,KAAK,CAAC;AAE7D,MAAI;AAEJ,MAAI,0BAA0B;AAC5B,aACE;AAAA,MAAC;AAAA;AAAA,QACC,aAAa,qBAAqB;AAAA,QAElC;AAAA,UAAC;AAAA;AAAA,YACE,GAAG;AAAA,YACJ,cAAc,MAAM,qBAAqB;AAAA,YAExC;AAAA;AAAA,QACH;AAAA;AAAA,IACF;AAAA,EAEJ,OAAO;AACL,aACE;AAAA,MAAC;AAAA;AAAA,QACE,GAAG;AAAA,QAEH;AAAA;AAAA,IACH;AAAA,EAEJ;AAEA,SAAO;AACT;","names":["getTernSecureState"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/app-router/server/auth.ts"],"sourcesContent":["import type { AuthObject, RedirectFun } from '@tern-secure/backend';\r\nimport { createRedirect, createTernSecureRequest } from '@tern-secure/backend';\r\nimport { notFound, redirect } from 'next/navigation';\r\n\r\nimport { SIGN_IN_URL, SIGN_UP_URL } from '../../server/constant';\r\nimport { getAuthDataFromRequest } from '../../server/data/getAuthDataFromRequest';\r\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\r\nimport { type AuthProtect, createProtect } from '../../server/protect';\r\nimport type { BaseUser, RequestLike } from '../../server/types';\r\nimport { buildRequestLike } from './utils';\r\n\r\nexport interface AuthResult {\r\n user: BaseUser | null;\r\n error: Error | null;\r\n}\r\n\r\n/**\r\n * `Auth` object of the currently active user and the `redirectToSignIn()` method.\r\n */\r\ntype Auth = AuthObject & {\r\n redirectToSignIn: RedirectFun<ReturnType<typeof redirect>>;\r\n redirectToSignUp: RedirectFun<ReturnType<typeof redirect>>;\r\n};\r\n\r\nexport interface AuthFn {\r\n (): Promise<Auth>;\r\n\r\n protect: AuthProtect;\r\n}\r\n\r\nconst createAuthObject = () => {\r\n return async (req: RequestLike) => {\r\n return getAuthDataFromRequest(req);\r\n };\r\n};\r\n\r\n/**\r\n * Get the current authenticated user from the session or token\r\n */\r\nexport const auth: AuthFn = async () => {\r\n // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n require('server-only');\r\n\r\n const request = await buildRequestLike();\r\n\r\n const authObject = await createAuthObject()(request);\r\n\r\n const ternUrl = getAuthKeyFromRequest(request, 'TernSecureUrl');\r\n\r\n const createRedirectForRequest = (...args: Parameters<RedirectFun<never>>) => {\r\n const { returnBackUrl } = args[0] || {};\r\n const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n return [\r\n createRedirect({\r\n redirectAdapter: redirect,\r\n baseUrl: ternSecureRequest.ternUrl.toString(),\r\n signInUrl: SIGN_IN_URL,\r\n signUpUrl: SIGN_UP_URL,\r\n }),\r\n returnBackUrl === null ? '' : returnBackUrl || ternUrl?.toString(),\r\n ] as const;\r\n };\r\n\r\n const redirectToSignIn: RedirectFun<never> = (opts = {}) => {\r\n const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n return r.redirectToSignIn({\r\n returnBackUrl,\r\n });\r\n };\r\n\r\n const redirectToSignUp: RedirectFun<never> = (opts = {}) => {\r\n const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n return r.redirectToSignUp({\r\n returnBackUrl,\r\n });\r\n };\r\n\r\n return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });\r\n};\r\n\r\nauth.protect = async (...args: any[]) => {\r\n // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n require('server-only');\r\n\r\n const request = await buildRequestLike();\r\n const authObject = await auth();\r\n\r\n const protect = createProtect({\r\n request,\r\n authObject,\r\n redirectToSignIn: authObject.redirectToSignIn,\r\n notFound,\r\n redirect,\r\n });\r\n\r\n return protect(...args);\r\n};\r\n"],"mappings":"AACA,SAAS,gBAAgB,+BAA+B;AACxD,SAAS,UAAU,gBAAgB;AAEnC,SAAS,aAAa,mBAAmB;AACzC,
|
|
1
|
+
{"version":3,"sources":["../../../../src/app-router/server/auth.ts"],"sourcesContent":["import type { AuthObject, RedirectFun } from '@tern-secure/backend';\r\nimport { createRedirect, createTernSecureRequest } from '@tern-secure/backend';\r\nimport { notFound, redirect } from 'next/navigation';\r\n\r\nimport { SIGN_IN_URL, SIGN_UP_URL } from '../../server/constant';\r\nimport { type Aobj, getAuthDataFromRequest } from '../../server/data/getAuthDataFromRequest';\r\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\r\nimport { type AuthProtect, createProtect } from '../../server/protect';\r\nimport type { BaseUser, RequestLike } from '../../server/types';\r\nimport { buildRequestLike } from './utils';\r\n\r\n/**\r\n * @deprecated will be removed in future versions.\r\n*/\r\nexport interface AuthResult {\r\n user: BaseUser | null;\r\n error: Error | null;\r\n}\r\n\r\n/**\r\n * `Auth` object of the currently active user and the `redirectToSignIn()` method.\r\n */\r\ntype Auth = AuthObject & Aobj & {\r\n redirectToSignIn: RedirectFun<ReturnType<typeof redirect>>;\r\n redirectToSignUp: RedirectFun<ReturnType<typeof redirect>>;\r\n};\r\n\r\nexport interface AuthFn {\r\n (): Promise<Auth>;\r\n\r\n protect: AuthProtect;\r\n}\r\n\r\nconst createAuthObject = () => {\r\n return async (req: RequestLike) => {\r\n return getAuthDataFromRequest(req);\r\n };\r\n};\r\n\r\n/**\r\n * Get the current authenticated user from the session or token\r\n */\r\nexport const auth: AuthFn = async () => {\r\n // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n require('server-only');\r\n\r\n const request = await buildRequestLike();\r\n\r\n const authObject = await createAuthObject()(request);\r\n\r\n const ternUrl = getAuthKeyFromRequest(request, 'TernSecureUrl');\r\n\r\n const createRedirectForRequest = (...args: Parameters<RedirectFun<never>>) => {\r\n const { returnBackUrl } = args[0] || {};\r\n const ternSecureRequest = createTernSecureRequest(request);\r\n\r\n return [\r\n createRedirect({\r\n redirectAdapter: redirect,\r\n baseUrl: ternSecureRequest.ternUrl.toString(),\r\n signInUrl: SIGN_IN_URL,\r\n signUpUrl: SIGN_UP_URL,\r\n }),\r\n returnBackUrl === null ? '' : returnBackUrl || ternUrl?.toString(),\r\n ] as const;\r\n };\r\n\r\n const redirectToSignIn: RedirectFun<never> = (opts = {}) => {\r\n const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n return r.redirectToSignIn({\r\n returnBackUrl,\r\n });\r\n };\r\n\r\n const redirectToSignUp: RedirectFun<never> = (opts = {}) => {\r\n const [r, returnBackUrl] = createRedirectForRequest(opts);\r\n return r.redirectToSignUp({\r\n returnBackUrl,\r\n });\r\n };\r\n\r\n return Object.assign(authObject, { redirectToSignIn, redirectToSignUp });\r\n};\r\n\r\nauth.protect = async (...args: any[]) => {\r\n // eslint-disable-next-line @typescript-eslint/no-require-imports\r\n require('server-only');\r\n\r\n const request = await buildRequestLike();\r\n const authObject = await auth();\r\n\r\n const protect = createProtect({\r\n request,\r\n authObject,\r\n redirectToSignIn: authObject.redirectToSignIn,\r\n notFound,\r\n redirect,\r\n });\r\n\r\n return protect(...args);\r\n};\r\n"],"mappings":"AACA,SAAS,gBAAgB,+BAA+B;AACxD,SAAS,UAAU,gBAAgB;AAEnC,SAAS,aAAa,mBAAmB;AACzC,SAAoB,8BAA8B;AAClD,SAAS,6BAA6B;AACtC,SAA2B,qBAAqB;AAEhD,SAAS,wBAAwB;AAwBjC,MAAM,mBAAmB,MAAM;AAC7B,SAAO,OAAO,QAAqB;AACjC,WAAO,uBAAuB,GAAG;AAAA,EACnC;AACF;AAKO,MAAM,OAAe,YAAY;AAEtC,UAAQ,aAAa;AAErB,QAAM,UAAU,MAAM,iBAAiB;AAEvC,QAAM,aAAa,MAAM,iBAAiB,EAAE,OAAO;AAEnD,QAAM,UAAU,sBAAsB,SAAS,eAAe;AAE9D,QAAM,2BAA2B,IAAI,SAAyC;AAC5E,UAAM,EAAE,cAAc,IAAI,KAAK,CAAC,KAAK,CAAC;AACtC,UAAM,oBAAoB,wBAAwB,OAAO;AAEzD,WAAO;AAAA,MACL,eAAe;AAAA,QACb,iBAAiB;AAAA,QACjB,SAAS,kBAAkB,QAAQ,SAAS;AAAA,QAC5C,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAC;AAAA,MACD,kBAAkB,OAAO,KAAK,iBAAiB,SAAS,SAAS;AAAA,IACnE;AAAA,EACF;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,mBAAuC,CAAC,OAAO,CAAC,MAAM;AAC1D,UAAM,CAAC,GAAG,aAAa,IAAI,yBAAyB,IAAI;AACxD,WAAO,EAAE,iBAAiB;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO,OAAO,OAAO,YAAY,EAAE,kBAAkB,iBAAiB,CAAC;AACzE;AAEA,KAAK,UAAU,UAAU,SAAgB;AAEvC,UAAQ,aAAa;AAErB,QAAM,UAAU,MAAM,iBAAiB;AACvC,QAAM,aAAa,MAAM,KAAK;AAE9B,QAAM,UAAU,cAAc;AAAA,IAC5B;AAAA,IACA;AAAA,IACA,kBAAkB,WAAW;AAAA,IAC7B;AAAA,IACA;AAAA,EACF,CAAC;AAED,SAAO,QAAQ,GAAG,IAAI;AACxB;","names":[]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/boundary/PromiseAuthProvider.tsx"],"sourcesContent":["'use client';\n\nimport { useAuth, useDeriveAuth } from '@tern-secure/react';\nimport type {
|
|
1
|
+
{"version":3,"sources":["../../../src/boundary/PromiseAuthProvider.tsx"],"sourcesContent":["'use client';\n\nimport { useAuth, useDeriveAuth } from '@tern-secure/react';\nimport type { TernSecureInitialState } from '@tern-secure/types';\nimport { useRouter } from 'next/compat/router';\nimport React from 'react';\n\nconst PromiseAuthContext = React.createContext<\n Promise<TernSecureInitialState> | TernSecureInitialState | null\n>(null);\n\nexport function PromiseAuthProvider({\n authPromise,\n children,\n}: {\n authPromise: Promise<TernSecureInitialState> | TernSecureInitialState;\n children: React.ReactNode;\n}) {\n return <PromiseAuthContext.Provider value={authPromise}>{children}</PromiseAuthContext.Provider>;\n}\n\nexport function usePromiseAuth() {\n const isPagesRouter = useRouter();\n const valueFromContext = React.useContext(PromiseAuthContext);\n\n let resolvedData = valueFromContext;\n if (valueFromContext && 'then' in valueFromContext) {\n resolvedData = React.use(valueFromContext);\n }\n\n if (typeof window === 'undefined') {\n // Pages router should always use useAuth as it is able to grab initial auth state from context during SSR.\n if (isPagesRouter) {\n return useAuth();\n }\n\n return useDeriveAuth({ ...resolvedData });\n } else {\n return useAuth();\n }\n}\n"],"mappings":";AAkBS;AAhBT,SAAS,SAAS,qBAAqB;AAEvC,SAAS,iBAAiB;AAC1B,OAAO,WAAW;AAElB,MAAM,qBAAqB,MAAM,cAE/B,IAAI;AAEC,SAAS,oBAAoB;AAAA,EAClC;AAAA,EACA;AACF,GAGG;AACD,SAAO,oBAAC,mBAAmB,UAAnB,EAA4B,OAAO,aAAc,UAAS;AACpE;AAEO,SAAS,iBAAiB;AAC/B,QAAM,gBAAgB,UAAU;AAChC,QAAM,mBAAmB,MAAM,WAAW,kBAAkB;AAE5D,MAAI,eAAe;AACnB,MAAI,oBAAoB,UAAU,kBAAkB;AAClD,mBAAe,MAAM,IAAI,gBAAgB;AAAA,EAC3C;AAEA,MAAI,OAAO,WAAW,aAAa;AAEjC,QAAI,eAAe;AACjB,aAAO,QAAQ;AAAA,IACjB;AAEA,WAAO,cAAc,EAAE,GAAG,aAAa,CAAC;AAAA,EAC1C,OAAO;AACL,WAAO,QAAQ;AAAA,EACjB;AACF;","names":[]}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
"use client";
|
|
2
|
+
import { jsx } from "react/jsx-runtime";
|
|
3
|
+
import { useAuth, useDeriveAuth } from "@tern-secure/react";
|
|
4
|
+
import { useRouter } from "next/compat/router";
|
|
5
|
+
import React from "react";
|
|
6
|
+
const PromiseAuthContext = React.createContext(null);
|
|
7
|
+
function PromiseAuthProviderNode({
|
|
8
|
+
authPromise,
|
|
9
|
+
children
|
|
10
|
+
}) {
|
|
11
|
+
return /* @__PURE__ */ jsx(PromiseAuthContext.Provider, { value: authPromise, children });
|
|
12
|
+
}
|
|
13
|
+
function usePromiseAuthNode() {
|
|
14
|
+
const isPagesRouter = useRouter();
|
|
15
|
+
const valueFromContext = React.useContext(PromiseAuthContext);
|
|
16
|
+
let resolvedData = valueFromContext;
|
|
17
|
+
if (valueFromContext && "then" in valueFromContext) {
|
|
18
|
+
resolvedData = React.use(valueFromContext);
|
|
19
|
+
}
|
|
20
|
+
if (typeof window === "undefined") {
|
|
21
|
+
if (isPagesRouter) {
|
|
22
|
+
return useAuth();
|
|
23
|
+
}
|
|
24
|
+
return useDeriveAuth({ ...resolvedData });
|
|
25
|
+
} else {
|
|
26
|
+
return useAuth({ ...resolvedData });
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
export {
|
|
30
|
+
PromiseAuthProviderNode,
|
|
31
|
+
usePromiseAuthNode
|
|
32
|
+
};
|
|
33
|
+
//# sourceMappingURL=PromiseAuthProviderNode.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../../src/boundary/PromiseAuthProviderNode.tsx"],"sourcesContent":["'use client';\n\nimport { useAuth, useDeriveAuth } from '@tern-secure/react';\nimport type { DecodedIdToken, TernSecureUser } from '@tern-secure/types';\nimport { useRouter } from 'next/compat/router';\nimport React from 'react';\n\ntype TernSecureInitialState = {\n user?: TernSecureUser | null;\n token?: string | null;\n sessionClaims?: DecodedIdToken | null;\n};\n\nconst PromiseAuthContext = React.createContext<\n Promise<TernSecureInitialState> | TernSecureInitialState | null\n>(null);\n\nexport function PromiseAuthProviderNode({\n authPromise,\n children,\n}: {\n authPromise: Promise<TernSecureInitialState> | TernSecureInitialState;\n children: React.ReactNode;\n}) {\n return <PromiseAuthContext.Provider value={authPromise}>{children}</PromiseAuthContext.Provider>;\n}\n\nexport function usePromiseAuthNode() {\n const isPagesRouter = useRouter();\n const valueFromContext = React.useContext(PromiseAuthContext);\n\n let resolvedData = valueFromContext;\n if (valueFromContext && 'then' in valueFromContext) {\n resolvedData = React.use(valueFromContext);\n }\n\n if (typeof window === 'undefined') {\n // Pages router should always use useAuth as it is able to grab initial auth state from context during SSR.\n if (isPagesRouter) {\n return useAuth();\n }\n\n return useDeriveAuth({ ...resolvedData });\n } else {\n return useAuth({ ...resolvedData });\n }\n}"],"mappings":";AAwBS;AAtBT,SAAS,SAAS,qBAAqB;AAEvC,SAAS,iBAAiB;AAC1B,OAAO,WAAW;AAQlB,MAAM,qBAAqB,MAAM,cAE/B,IAAI;AAEC,SAAS,wBAAwB;AAAA,EACtC;AAAA,EACA;AACF,GAGG;AACD,SAAO,oBAAC,mBAAmB,UAAnB,EAA4B,OAAO,aAAc,UAAS;AACpE;AAEO,SAAS,qBAAqB;AACnC,QAAM,gBAAgB,UAAU;AAChC,QAAM,mBAAmB,MAAM,WAAW,kBAAkB;AAE5D,MAAI,eAAe;AACnB,MAAI,oBAAoB,UAAU,kBAAkB;AAClD,mBAAe,MAAM,IAAI,gBAAgB;AAAA,EAC3C;AAEA,MAAI,OAAO,WAAW,aAAa;AAEjC,QAAI,eAAe;AACjB,aAAO,QAAQ;AAAA,IACjB;AAEA,WAAO,cAAc,EAAE,GAAG,aAAa,CAAC;AAAA,EAC1C,OAAO;AACL,WAAO,QAAQ,EAAE,GAAG,aAAa,CAAC;AAAA,EACpC;AACF;","names":[]}
|
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/index.ts"],"sourcesContent":["export { TernSecureProvider } from './app-router/server/TernSecureProvider';\r\nexport {\r\n useAuth,\r\n useIdToken,\r\n useSession,\r\n useSignIn,\r\n useSignUp,\r\n signIn,\r\n useSignInContext,\r\n useSignUpContext,\r\n useTernSecure,\r\n SignInProvider,\r\n SignUpProvider,\r\n
|
|
1
|
+
{"version":3,"sources":["../../src/index.ts"],"sourcesContent":["export { TernSecureProvider } from './app-router/server/TernSecureProvider';\r\nexport {\r\n useAuth,\r\n useIdToken,\r\n useSession,\r\n useSignIn,\r\n useSignUp,\r\n signIn,\r\n useSignInContext,\r\n useSignUpContext,\r\n useTernSecure,\r\n SignInProvider,\r\n SignUpProvider,\r\n} from './boundary/components';\r\n\r\nexport type {\r\n TernSecureUser,\r\n SignInResponse,\r\n SignUpResponse,\r\n SocialProviderOptions,\r\n} from '@tern-secure/types';\r\n\r\nexport type { UserInfo, SessionResult } from './types';\r\n"],"mappings":"AAAA,SAAS,0BAA0B;AACnC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":[]}
|
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
const FIREBASE_API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || "";
|
|
2
|
+
const FIREBASE_AUTH_DOMAIN = process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || "";
|
|
3
|
+
const FIREBASE_PROJECT_ID = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || "";
|
|
4
|
+
const FIREBASE_STORAGE_BUCKET = process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || "";
|
|
5
|
+
const FIREBASE_MESSAGING_SENDER_ID = process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || "";
|
|
6
|
+
const FIREBASE_APP_ID = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || "";
|
|
7
|
+
const FIREBASE_MEASUREMENT_ID = process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || "";
|
|
1
8
|
const API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || "";
|
|
2
9
|
const API_URL = process.env.TERNSECURE_API_URL || "";
|
|
3
10
|
const API_VERSION = process.env.TERNSECURE_API_VERSION || "v1";
|
|
@@ -7,6 +14,13 @@ export {
|
|
|
7
14
|
API_KEY,
|
|
8
15
|
API_URL,
|
|
9
16
|
API_VERSION,
|
|
17
|
+
FIREBASE_API_KEY,
|
|
18
|
+
FIREBASE_APP_ID,
|
|
19
|
+
FIREBASE_AUTH_DOMAIN,
|
|
20
|
+
FIREBASE_MEASUREMENT_ID,
|
|
21
|
+
FIREBASE_MESSAGING_SENDER_ID,
|
|
22
|
+
FIREBASE_PROJECT_ID,
|
|
23
|
+
FIREBASE_STORAGE_BUCKET,
|
|
10
24
|
SIGN_IN_URL,
|
|
11
25
|
SIGN_UP_URL
|
|
12
26
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/server/constant.ts"],"sourcesContent":["export const API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '';\nexport const API_URL = process.env.TERNSECURE_API_URL || '';\nexport const API_VERSION = process.env.TERNSECURE_API_VERSION || 'v1';\nexport const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || '';\nexport const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || '';"],"mappings":"AAAO,MAAM,UAAU,QAAQ,IAAI,gCAAgC;AAC5D,MAAM,UAAU,QAAQ,IAAI,sBAAsB;AAClD,MAAM,cAAc,QAAQ,IAAI,0BAA0B;AAC1D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;AAC3D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../../../src/server/constant.ts"],"sourcesContent":["export const FIREBASE_API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '';\nexport const FIREBASE_AUTH_DOMAIN = process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN || '';\nexport const FIREBASE_PROJECT_ID = process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID || '';\nexport const FIREBASE_STORAGE_BUCKET = process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET || '';\nexport const FIREBASE_MESSAGING_SENDER_ID = process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID || '';\nexport const FIREBASE_APP_ID = process.env.NEXT_PUBLIC_FIREBASE_APP_ID || '';\nexport const FIREBASE_MEASUREMENT_ID = process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID || '';\n\nexport const API_KEY = process.env.NEXT_PUBLIC_FIREBASE_API_KEY || '';\nexport const API_URL = process.env.TERNSECURE_API_URL || '';\nexport const API_VERSION = process.env.TERNSECURE_API_VERSION || 'v1';\nexport const SIGN_IN_URL = process.env.NEXT_PUBLIC_SIGN_IN_URL || '';\nexport const SIGN_UP_URL = process.env.NEXT_PUBLIC_SIGN_UP_URL || '';"],"mappings":"AAAO,MAAM,mBAAmB,QAAQ,IAAI,gCAAgC;AACrE,MAAM,uBAAuB,QAAQ,IAAI,oCAAoC;AAC7E,MAAM,sBAAsB,QAAQ,IAAI,mCAAmC;AAC3E,MAAM,0BAA0B,QAAQ,IAAI,uCAAuC;AACnF,MAAM,+BAA+B,QAAQ,IAAI,4CAA4C;AAC7F,MAAM,kBAAkB,QAAQ,IAAI,+BAA+B;AACnE,MAAM,0BAA0B,QAAQ,IAAI,uCAAuC;AAEnF,MAAM,UAAU,QAAQ,IAAI,gCAAgC;AAC5D,MAAM,UAAU,QAAQ,IAAI,sBAAsB;AAClD,MAAM,cAAc,QAAQ,IAAI,0BAA0B;AAC1D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;AAC3D,MAAM,cAAc,QAAQ,IAAI,2BAA2B;","names":[]}
|
|
@@ -1,15 +1,26 @@
|
|
|
1
1
|
import { AuthStatus, signedInAuthObject, signedOutAuthObject } from "@tern-secure/backend";
|
|
2
2
|
import { ternDecodeJwt } from "@tern-secure/backend/jwt";
|
|
3
|
+
import { initializeServerApp } from "firebase/app";
|
|
4
|
+
import { getAuth } from "firebase/auth";
|
|
3
5
|
import { getAuthKeyFromRequest } from "../../server/headers-utils";
|
|
4
|
-
|
|
6
|
+
import {
|
|
7
|
+
FIREBASE_API_KEY,
|
|
8
|
+
FIREBASE_APP_ID,
|
|
9
|
+
FIREBASE_AUTH_DOMAIN,
|
|
10
|
+
FIREBASE_MEASUREMENT_ID,
|
|
11
|
+
FIREBASE_MESSAGING_SENDER_ID,
|
|
12
|
+
FIREBASE_PROJECT_ID,
|
|
13
|
+
FIREBASE_STORAGE_BUCKET
|
|
14
|
+
} from "../constant";
|
|
15
|
+
const authObjectToSerializableJwt = (obj) => {
|
|
5
16
|
const { require: require2, ...rest } = obj;
|
|
6
17
|
return rest;
|
|
7
18
|
};
|
|
8
|
-
function
|
|
9
|
-
const authObject =
|
|
19
|
+
function getTernSecureAuthDataJwt(req, initialState = {}) {
|
|
20
|
+
const authObject = getAuthDataFromRequestJwt(req);
|
|
10
21
|
return authObjectToSerializable({ ...initialState, ...authObject });
|
|
11
22
|
}
|
|
12
|
-
function
|
|
23
|
+
function getAuthDataFromRequestJwt(req) {
|
|
13
24
|
const authStatus = getAuthKeyFromRequest(req, "AuthStatus");
|
|
14
25
|
const authToken = getAuthKeyFromRequest(req, "AuthToken");
|
|
15
26
|
const authSignature = getAuthKeyFromRequest(req, "AuthSignature");
|
|
@@ -23,9 +34,106 @@ function getAuthDataFromRequest(req) {
|
|
|
23
34
|
}
|
|
24
35
|
return authObject;
|
|
25
36
|
}
|
|
37
|
+
const authObjectToSerializable = (obj) => {
|
|
38
|
+
const { require: require2, ...rest } = obj;
|
|
39
|
+
return rest;
|
|
40
|
+
};
|
|
41
|
+
async function getTernSecureAuthData(req, initialState = {}) {
|
|
42
|
+
const authObject = await getAuthDataFromRequest(req);
|
|
43
|
+
return authObjectToSerializable({ ...initialState, ...authObject });
|
|
44
|
+
}
|
|
45
|
+
async function getAuthDataFromRequest(req) {
|
|
46
|
+
const authStatus = getAuthKeyFromRequest(req, "AuthStatus");
|
|
47
|
+
const authToken = getAuthKeyFromRequest(req, "AuthToken");
|
|
48
|
+
if (!authStatus || authStatus !== AuthStatus.SignedIn) {
|
|
49
|
+
return {
|
|
50
|
+
...signedOutAuthObject(),
|
|
51
|
+
user: null,
|
|
52
|
+
userId: null
|
|
53
|
+
};
|
|
54
|
+
}
|
|
55
|
+
const firebaseUser = await authenticateRequest(authToken, req);
|
|
56
|
+
if (!firebaseUser || !firebaseUser.claims) {
|
|
57
|
+
return {
|
|
58
|
+
...signedOutAuthObject(),
|
|
59
|
+
user: null,
|
|
60
|
+
userId: null
|
|
61
|
+
};
|
|
62
|
+
}
|
|
63
|
+
const { user, claims } = firebaseUser;
|
|
64
|
+
const authObject = signedInAuthObject(authToken, claims);
|
|
65
|
+
return {
|
|
66
|
+
...authObject,
|
|
67
|
+
user: user || null
|
|
68
|
+
};
|
|
69
|
+
}
|
|
70
|
+
const authenticateRequest = async (token, request) => {
|
|
71
|
+
try {
|
|
72
|
+
const origin = new URL(request.url).origin;
|
|
73
|
+
const requestHeaders = new Headers(request.headers);
|
|
74
|
+
requestHeaders.set("referer", origin);
|
|
75
|
+
requestHeaders.set("Referer", origin);
|
|
76
|
+
const mockRequest = {
|
|
77
|
+
headers: requestHeaders
|
|
78
|
+
};
|
|
79
|
+
const config = {
|
|
80
|
+
apiKey: FIREBASE_API_KEY,
|
|
81
|
+
authDomain: FIREBASE_AUTH_DOMAIN,
|
|
82
|
+
projectId: FIREBASE_PROJECT_ID,
|
|
83
|
+
storageBucket: FIREBASE_STORAGE_BUCKET,
|
|
84
|
+
messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,
|
|
85
|
+
appId: FIREBASE_APP_ID,
|
|
86
|
+
measurementId: FIREBASE_MEASUREMENT_ID
|
|
87
|
+
};
|
|
88
|
+
const firebaseServerApp = initializeServerApp(
|
|
89
|
+
config,
|
|
90
|
+
{
|
|
91
|
+
authIdToken: token,
|
|
92
|
+
releaseOnDeref: mockRequest
|
|
93
|
+
}
|
|
94
|
+
);
|
|
95
|
+
const auth = getAuth(firebaseServerApp);
|
|
96
|
+
await auth.authStateReady();
|
|
97
|
+
if (auth.currentUser) {
|
|
98
|
+
const idTokenResult = await auth.currentUser.getIdTokenResult();
|
|
99
|
+
const claims = idTokenResult.claims;
|
|
100
|
+
const userObj = {
|
|
101
|
+
uid: auth.currentUser.uid,
|
|
102
|
+
email: auth.currentUser.email,
|
|
103
|
+
emailVerified: auth.currentUser.emailVerified,
|
|
104
|
+
displayName: auth.currentUser.displayName,
|
|
105
|
+
isAnonymous: auth.currentUser.isAnonymous,
|
|
106
|
+
phoneNumber: auth.currentUser.phoneNumber,
|
|
107
|
+
photoURL: auth.currentUser.photoURL,
|
|
108
|
+
providerId: auth.currentUser.providerId,
|
|
109
|
+
tenantId: auth.currentUser.tenantId,
|
|
110
|
+
refreshToken: auth.currentUser.refreshToken,
|
|
111
|
+
metadata: {
|
|
112
|
+
creationTime: auth.currentUser.metadata.creationTime,
|
|
113
|
+
lastSignInTime: auth.currentUser.metadata.lastSignInTime
|
|
114
|
+
},
|
|
115
|
+
providerData: auth.currentUser.providerData.map((provider) => ({
|
|
116
|
+
uid: provider.uid,
|
|
117
|
+
displayName: provider.displayName,
|
|
118
|
+
email: provider.email,
|
|
119
|
+
phoneNumber: provider.phoneNumber,
|
|
120
|
+
photoURL: provider.photoURL,
|
|
121
|
+
providerId: provider.providerId
|
|
122
|
+
}))
|
|
123
|
+
};
|
|
124
|
+
return { user: userObj, claims };
|
|
125
|
+
}
|
|
126
|
+
return null;
|
|
127
|
+
} catch (error) {
|
|
128
|
+
return null;
|
|
129
|
+
}
|
|
130
|
+
};
|
|
26
131
|
export {
|
|
27
132
|
authObjectToSerializable,
|
|
133
|
+
authObjectToSerializableJwt,
|
|
28
134
|
getAuthDataFromRequest,
|
|
29
|
-
|
|
135
|
+
getAuthDataFromRequestJwt,
|
|
136
|
+
getTernSecureAuthData,
|
|
137
|
+
getTernSecureAuthDataJwt
|
|
30
138
|
};
|
|
31
139
|
//# sourceMappingURL=getAuthDataFromRequest.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../src/server/data/getAuthDataFromRequest.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\nimport { AuthStatus, signedInAuthObject, signedOutAuthObject } from '@tern-secure/backend';\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\n\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\nimport type { RequestLike } from '../../server/types';\n\n\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const
|
|
1
|
+
{"version":3,"sources":["../../../../src/server/data/getAuthDataFromRequest.ts"],"sourcesContent":["import type { AuthObject } from '@tern-secure/backend';\nimport { AuthStatus, signedInAuthObject, signedOutAuthObject } from '@tern-secure/backend';\nimport { ternDecodeJwt } from '@tern-secure/backend/jwt';\nimport type { ParsedToken, TernSecureConfig, TernSecureUser } from '@tern-secure/types';\nimport type { FirebaseServerApp } from \"firebase/app\";\nimport { initializeServerApp } from \"firebase/app\";\nimport type { Auth } from \"firebase/auth\";\nimport { getAuth } from \"firebase/auth\";\n\nimport { getAuthKeyFromRequest } from '../../server/headers-utils';\nimport type { RequestLike } from '../../server/types';\nimport {\n FIREBASE_API_KEY,\n FIREBASE_APP_ID,\n FIREBASE_AUTH_DOMAIN,\n FIREBASE_MEASUREMENT_ID,\n FIREBASE_MESSAGING_SENDER_ID,\n FIREBASE_PROJECT_ID,\n FIREBASE_STORAGE_BUCKET\n} from \"../constant\";\n\n\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializableJwt = <T extends Record<string, unknown>>(obj: T): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport function getTernSecureAuthDataJwt(req: RequestLike, initialState = {}) {\n const authObject = getAuthDataFromRequestJwt(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport function getAuthDataFromRequestJwt(req: RequestLike): AuthObject {\n const authStatus = getAuthKeyFromRequest(req, 'AuthStatus');\n const authToken = getAuthKeyFromRequest(req, 'AuthToken');\n const authSignature = getAuthKeyFromRequest(req, 'AuthSignature');\n const authReason = getAuthKeyFromRequest(req, 'AuthReason');\n\n let authObject;\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n authObject = signedOutAuthObject();\n } else {\n const jwt = ternDecodeJwt(authToken as string);\n\n authObject = signedInAuthObject(jwt.raw.text, jwt.payload);\n }\n return authObject;\n}\n\n\nexport type SerializableTernSecureUser = Omit<TernSecureUser, 'delete' | 'getIdToken' | 'getIdTokenResult' | 'reload' | 'toJSON'>;\n\nexport type Aobj = {\n user: SerializableTernSecureUser | null\n userId: string | null\n}\n\n\n// Serializable auth object type\n/**\n * Auth objects moving through the server -> client boundary need to be serializable\n * as we need to ensure that they can be transferred via the network as pure strings.\n * Some frameworks like Remix or Next (/pages dir only) handle this serialization by simply\n * ignoring any non-serializable keys, however Nextjs /app directory is stricter and\n * throws an error if a non-serializable value is found.\n * @internal\n */\nexport const authObjectToSerializable = <T extends Record<string, unknown>>(\n obj: T\n): T => {\n // remove any non-serializable props from the returned object\n\n const { require, ...rest } = obj as unknown as AuthObject;\n return rest as unknown as T;\n};\n\nexport async function getTernSecureAuthData(\n req: RequestLike,\n initialState = {}\n) {\n const authObject = await getAuthDataFromRequest(req);\n return authObjectToSerializable({ ...initialState, ...authObject });\n}\n\nexport async function getAuthDataFromRequest(req: RequestLike): Promise<AuthObject & Aobj> {\n const authStatus = getAuthKeyFromRequest(req, \"AuthStatus\");\n const authToken = getAuthKeyFromRequest(req, \"AuthToken\");\n\n if (!authStatus || authStatus !== AuthStatus.SignedIn) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n\n const firebaseUser = await authenticateRequest(authToken as string, req as any);\n if (!firebaseUser || !firebaseUser.claims) {\n return {\n ...signedOutAuthObject(),\n user: null,\n userId: null\n }\n }\n const { user, claims } = firebaseUser;\n const authObject = signedInAuthObject(authToken as string, claims as any);\n return {\n ...authObject,\n user: user || null,\n };\n}\n\nconst authenticateRequest = async (\n token: string,\n request: Request\n): Promise<{ user: SerializableTernSecureUser; claims: ParsedToken } | null> => {\n try {\n const origin = new URL(request.url).origin;\n\n const requestHeaders = new Headers(request.headers);\n requestHeaders.set(\"referer\", origin);\n requestHeaders.set(\"Referer\", origin);\n\n const mockRequest = {\n headers: requestHeaders,\n };\n\n const config: TernSecureConfig = {\n apiKey: FIREBASE_API_KEY,\n authDomain: FIREBASE_AUTH_DOMAIN,\n projectId: FIREBASE_PROJECT_ID,\n storageBucket: FIREBASE_STORAGE_BUCKET,\n messagingSenderId: FIREBASE_MESSAGING_SENDER_ID,\n appId: FIREBASE_APP_ID,\n measurementId: FIREBASE_MEASUREMENT_ID,\n };\n\n const firebaseServerApp: FirebaseServerApp = initializeServerApp(\n config,\n {\n authIdToken: token,\n releaseOnDeref: mockRequest,\n }\n );\n\n const auth: Auth = getAuth(firebaseServerApp);\n await auth.authStateReady();\n\n if (auth.currentUser) {\n const idTokenResult = await auth.currentUser.getIdTokenResult();\n const claims = idTokenResult.claims;\n\n const userObj: SerializableTernSecureUser = {\n uid: auth.currentUser.uid,\n email: auth.currentUser.email,\n emailVerified: auth.currentUser.emailVerified,\n displayName: auth.currentUser.displayName,\n isAnonymous: auth.currentUser.isAnonymous,\n phoneNumber: auth.currentUser.phoneNumber,\n photoURL: auth.currentUser.photoURL,\n providerId: auth.currentUser.providerId,\n tenantId: auth.currentUser.tenantId,\n refreshToken: auth.currentUser.refreshToken,\n metadata: {\n creationTime: auth.currentUser.metadata.creationTime,\n lastSignInTime: auth.currentUser.metadata.lastSignInTime,\n },\n providerData: auth.currentUser.providerData.map((provider) => ({\n uid: provider.uid,\n displayName: provider.displayName,\n email: provider.email,\n phoneNumber: provider.phoneNumber,\n photoURL: provider.photoURL,\n providerId: provider.providerId,\n })),\n };\n\n return { user: userObj, claims };\n }\n\n return null;\n } catch (error) {\n return null;\n }\n};\n\nexport { TernSecureUser }\n"],"mappings":"AACA,SAAS,YAAY,oBAAoB,2BAA2B;AACpE,SAAS,qBAAqB;AAG9B,SAAS,2BAA2B;AAEpC,SAAS,eAAe;AAExB,SAAS,6BAA6B;AAEtC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAWA,MAAM,8BAA8B,CAAoC,QAAc;AAG3F,QAAM,EAAE,SAAAA,UAAS,GAAG,KAAK,IAAI;AAC7B,SAAO;AACT;AAEO,SAAS,yBAAyB,KAAkB,eAAe,CAAC,GAAG;AAC5E,QAAM,aAAa,0BAA0B,GAAG;AAChD,SAAO,yBAAyB,EAAE,GAAG,cAAc,GAAG,WAAW,CAAC;AACpE;AAEO,SAAS,0BAA0B,KAA8B;AACtE,QAAM,aAAa,sBAAsB,KAAK,YAAY;AAC1D,QAAM,YAAY,sBAAsB,KAAK,WAAW;AACxD,QAAM,gBAAgB,sBAAsB,KAAK,eAAe;AAChE,QAAM,aAAa,sBAAsB,KAAK,YAAY;AAE1D,MAAI;AACJ,MAAI,CAAC,cAAc,eAAe,WAAW,UAAU;AACrD,iBAAa,oBAAoB;AAAA,EACnC,OAAO;AACL,UAAM,MAAM,cAAc,SAAmB;AAE7C,iBAAa,mBAAmB,IAAI,IAAI,MAAM,IAAI,OAAO;AAAA,EAC3D;AACA,SAAO;AACT;AAoBO,MAAM,2BAA2B,CACtC,QACM;AAGN,QAAM,EAAE,SAAAA,UAAS,GAAG,KAAK,IAAI;AAC7B,SAAO;AACT;AAEA,eAAsB,sBACpB,KACA,eAAe,CAAC,GAChB;AACA,QAAM,aAAa,MAAM,uBAAuB,GAAG;AACnD,SAAO,yBAAyB,EAAE,GAAG,cAAc,GAAG,WAAW,CAAC;AACpE;AAEA,eAAsB,uBAAuB,KAA8C;AACzF,QAAM,aAAa,sBAAsB,KAAK,YAAY;AAC1D,QAAM,YAAY,sBAAsB,KAAK,WAAW;AAExD,MAAI,CAAC,cAAc,eAAe,WAAW,UAAU;AACrD,WAAO;AAAA,MACL,GAAG,oBAAoB;AAAA,MACvB,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,QAAM,eAAe,MAAM,oBAAoB,WAAqB,GAAU;AAC9E,MAAI,CAAC,gBAAgB,CAAC,aAAa,QAAQ;AACzC,WAAO;AAAA,MACL,GAAG,oBAAoB;AAAA,MACvB,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,EAAE,MAAM,OAAO,IAAI;AACzB,QAAM,aAAa,mBAAmB,WAAqB,MAAa;AACxE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,QAAQ;AAAA,EAChB;AACF;AAEA,MAAM,sBAAsB,OAC1B,OACA,YAC8E;AAC9E,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,QAAQ,GAAG,EAAE;AAEpC,UAAM,iBAAiB,IAAI,QAAQ,QAAQ,OAAO;AAClD,mBAAe,IAAI,WAAW,MAAM;AACpC,mBAAe,IAAI,WAAW,MAAM;AAEpC,UAAM,cAAc;AAAA,MAClB,SAAS;AAAA,IACX;AAEA,UAAM,SAA2B;AAAA,MAC/B,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,eAAe;AAAA,MACf,mBAAmB;AAAA,MACnB,OAAO;AAAA,MACP,eAAe;AAAA,IACjB;AAEA,UAAM,oBAAuC;AAAA,MAC3C;AAAA,MACA;AAAA,QACE,aAAa;AAAA,QACb,gBAAgB;AAAA,MAClB;AAAA,IACF;AAEA,UAAM,OAAa,QAAQ,iBAAiB;AAC5C,UAAM,KAAK,eAAe;AAE1B,QAAI,KAAK,aAAa;AACpB,YAAM,gBAAgB,MAAM,KAAK,YAAY,iBAAiB;AAC9D,YAAM,SAAS,cAAc;AAE7B,YAAM,UAAsC;AAAA,QAC1C,KAAK,KAAK,YAAY;AAAA,QACtB,OAAO,KAAK,YAAY;AAAA,QACxB,eAAe,KAAK,YAAY;AAAA,QAChC,aAAa,KAAK,YAAY;AAAA,QAC9B,aAAa,KAAK,YAAY;AAAA,QAC9B,aAAa,KAAK,YAAY;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,QAC3B,YAAY,KAAK,YAAY;AAAA,QAC7B,UAAU,KAAK,YAAY;AAAA,QAC3B,cAAc,KAAK,YAAY;AAAA,QAC/B,UAAU;AAAA,UACR,cAAc,KAAK,YAAY,SAAS;AAAA,UACxC,gBAAgB,KAAK,YAAY,SAAS;AAAA,QAC5C;AAAA,QACA,cAAc,KAAK,YAAY,aAAa,IAAI,CAAC,cAAc;AAAA,UAC7D,KAAK,SAAS;AAAA,UACd,aAAa,SAAS;AAAA,UACtB,OAAO,SAAS;AAAA,UAChB,aAAa,SAAS;AAAA,UACtB,UAAU,SAAS;AAAA,UACnB,YAAY,SAAS;AAAA,QACvB,EAAE;AAAA,MACJ;AAEA,aAAO,EAAE,MAAM,SAAS,OAAO;AAAA,IACjC;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;","names":["require"]}
|
package/dist/esm/server/index.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
|
-
|
|
3
|
-
} from "./
|
|
2
|
+
ternSecureProxy
|
|
3
|
+
} from "./ternSecureProxy";
|
|
4
|
+
import { ternSecureInstrumentation } from "./instrumentation";
|
|
4
5
|
import { createRouteMatcher } from "./routeMatcher";
|
|
5
6
|
import { ternSecureBackendClient } from "./ternsecureClient";
|
|
6
7
|
import {
|
|
@@ -12,6 +13,7 @@ export {
|
|
|
12
13
|
auth,
|
|
13
14
|
createRouteMatcher,
|
|
14
15
|
ternSecureBackendClient,
|
|
15
|
-
|
|
16
|
+
ternSecureInstrumentation,
|
|
17
|
+
ternSecureProxy
|
|
16
18
|
};
|
|
17
19
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../src/server/index.ts"],"sourcesContent":["export {\r\n
|
|
1
|
+
{"version":3,"sources":["../../../src/server/index.ts"],"sourcesContent":["export {\r\n ternSecureProxy,\r\n} from \"./ternSecureProxy\";\r\nexport { ternSecureInstrumentation } from \"./instrumentation\";\r\nexport { createRouteMatcher } from \"./routeMatcher\";\r\nexport { ternSecureBackendClient } from \"./ternsecureClient\";\r\nexport {\r\n auth\r\n} from \"../app-router/server/auth\";\r\nexport type { AuthResult } from \"../app-router/server/auth\";\r\nexport type { BaseUser, SessionResult } from \"./types\";\r\nexport { NextCookieStore } from \"../utils/NextCookieAdapter\";\r\n"],"mappings":"AAAA;AAAA,EACE;AAAA,OACK;AACP,SAAS,iCAAiC;AAC1C,SAAS,0BAA0B;AACnC,SAAS,+BAA+B;AACxC;AAAA,EACE;AAAA,OACK;AAGP,SAAS,uBAAuB;","names":[]}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
function ternSecureInstrumentation(appUrl) {
|
|
2
|
+
const resolvedAppUrl = appUrl || process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN;
|
|
3
|
+
if (!resolvedAppUrl) {
|
|
4
|
+
throw new Error(
|
|
5
|
+
"ternSecureInstrumentation: appUrl must be provided either as a parameter or via NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN environment variable."
|
|
6
|
+
);
|
|
7
|
+
}
|
|
8
|
+
const originalFetch = global.fetch;
|
|
9
|
+
global.fetch = async (input, init) => {
|
|
10
|
+
const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
|
|
11
|
+
const urlObj = new URL(url);
|
|
12
|
+
if (urlObj.hostname === "identitytoolkit.googleapis.com") {
|
|
13
|
+
const modifiedInit = {
|
|
14
|
+
...init,
|
|
15
|
+
headers: {
|
|
16
|
+
...init?.headers || {},
|
|
17
|
+
Referer: resolvedAppUrl
|
|
18
|
+
}
|
|
19
|
+
};
|
|
20
|
+
return originalFetch(input, modifiedInit);
|
|
21
|
+
}
|
|
22
|
+
return originalFetch(input, init);
|
|
23
|
+
};
|
|
24
|
+
}
|
|
25
|
+
export {
|
|
26
|
+
ternSecureInstrumentation
|
|
27
|
+
};
|
|
28
|
+
//# sourceMappingURL=instrumentation.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../../src/server/instrumentation.ts"],"sourcesContent":["/**\n * Patches global.fetch to add Referer header for Firebase Identity Toolkit requests.\n * This is required for Firebase Auth to work properly on the server side.\n * \n * @param appUrl - Optional URL of your application. If not provided, uses NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN env variable.\n * You must provide either the parameter or set the environment variable.\n * \n * @throws {Error} If no appUrl is provided and NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN is not set.\n * \n * @example\n * ```typescript\n * // In your app's instrumentation.ts\n * import { ternSecureInstrumentation } from '@tern-secure/nextjs/server';\n * \n * export async function register() {\n * if (process.env.NEXT_RUNTIME === 'nodejs') {\n * // Option 1: Use environment variable\n * ternSecureInstrumentation();\n * \n * // Option 2: Provide URL explicitly\n * ternSecureInstrumentation('http://localhost:3000');\n * }\n * }\n * ```\n */\nexport function ternSecureInstrumentation(appUrl?: string): void {\n const resolvedAppUrl = appUrl || process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN;\n\n if (!resolvedAppUrl) {\n throw new Error(\n 'ternSecureInstrumentation: appUrl must be provided either as a parameter or via NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN environment variable.'\n );\n }\n\n const originalFetch = global.fetch;\n\n global.fetch = async (input: RequestInfo | URL, init?: RequestInit) => {\n const url =\n typeof input === \"string\"\n ? input\n : input instanceof URL\n ? input.href\n : input.url;\n const urlObj = new URL(url);\n\n if (urlObj.hostname === \"identitytoolkit.googleapis.com\") {\n const modifiedInit = {\n ...init,\n headers: {\n ...(init?.headers || {}),\n Referer: resolvedAppUrl,\n },\n };\n return originalFetch(input, modifiedInit);\n }\n return originalFetch(input, init);\n };\n}"],"mappings":"AAyBO,SAAS,0BAA0B,QAAuB;AAC7D,QAAM,iBAAiB,UAAU,QAAQ,IAAI;AAE7C,MAAI,CAAC,gBAAgB;AACjB,UAAM,IAAI;AAAA,MACN;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,gBAAgB,OAAO;AAE7B,SAAO,QAAQ,OAAO,OAA0B,SAAuB;AACnE,UAAM,MACF,OAAO,UAAU,WACX,QACA,iBAAiB,MACb,MAAM,OACN,MAAM;AACpB,UAAM,SAAS,IAAI,IAAI,GAAG;AAE1B,QAAI,OAAO,aAAa,kCAAkC;AACtD,YAAM,eAAe;AAAA,QACjB,GAAG;AAAA,QACH,SAAS;AAAA,UACL,GAAI,MAAM,WAAW,CAAC;AAAA,UACtB,SAAS;AAAA,QACb;AAAA,MACJ;AACA,aAAO,cAAc,OAAO,YAAY;AAAA,IAC5C;AACA,WAAO,cAAc,OAAO,IAAI;AAAA,EACpC;AACJ;","names":[]}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { constants, createRedirect, createTernSecureRequest } from "@tern-secure/backend";
|
|
1
|
+
import { AuthStatus, constants, createRedirect, createTernSecureRequest } from "@tern-secure/backend";
|
|
2
2
|
import { notFound as nextjsNotFound } from "next/navigation";
|
|
3
3
|
import { NextResponse } from "next/server";
|
|
4
4
|
import { isRedirect, setHeader } from "../utils/response";
|
|
5
5
|
import { serverRedirectWithAuth } from "../utils/serverRedirectAuth";
|
|
6
|
-
import { SIGN_IN_URL, SIGN_UP_URL } from "./constant";
|
|
6
|
+
import { FIREBASE_API_KEY, SIGN_IN_URL, SIGN_UP_URL } from "./constant";
|
|
7
7
|
import {
|
|
8
8
|
isNextjsNotFoundError,
|
|
9
9
|
isNextjsRedirectError,
|
|
@@ -16,7 +16,7 @@ import {
|
|
|
16
16
|
import { createProtect } from "./protect";
|
|
17
17
|
import { ternSecureBackendClient } from "./ternsecureClient";
|
|
18
18
|
import { decorateRequest } from "./utils";
|
|
19
|
-
const
|
|
19
|
+
const ternSecureProxy = (...args) => {
|
|
20
20
|
const [request, event] = parseRequestAndEvent(args);
|
|
21
21
|
const [handler, params] = parseHandlerAndOptions(args);
|
|
22
22
|
const middleware = () => {
|
|
@@ -24,9 +24,11 @@ const ternSecureMiddleware = (...args) => {
|
|
|
24
24
|
const resolvedParams = typeof params === "function" ? await params(request2) : params;
|
|
25
25
|
const signInUrl = resolvedParams.signInUrl || SIGN_IN_URL;
|
|
26
26
|
const signUpUrl = resolvedParams.signUpUrl || SIGN_UP_URL;
|
|
27
|
+
const apiKey = resolvedParams.apiKey || FIREBASE_API_KEY;
|
|
27
28
|
const options = {
|
|
28
29
|
signInUrl,
|
|
29
30
|
signUpUrl,
|
|
31
|
+
apiKey,
|
|
30
32
|
...resolvedParams
|
|
31
33
|
};
|
|
32
34
|
const reqBackendClient = await ternSecureBackendClient();
|
|
@@ -35,6 +37,15 @@ const ternSecureMiddleware = (...args) => {
|
|
|
35
37
|
ternSecureRequest,
|
|
36
38
|
options
|
|
37
39
|
);
|
|
40
|
+
const locationHeader = requestStateClient.headers.get(constants.Headers.Location);
|
|
41
|
+
if (locationHeader) {
|
|
42
|
+
return new Response(null, {
|
|
43
|
+
status: 307,
|
|
44
|
+
headers: requestStateClient.headers
|
|
45
|
+
});
|
|
46
|
+
} else if (requestStateClient.status === AuthStatus.Handshake) {
|
|
47
|
+
throw new Error("TernSecure: handshake status without redirect is not supported.");
|
|
48
|
+
}
|
|
38
49
|
const authObjectClient = requestStateClient.auth();
|
|
39
50
|
const { redirectToSignIn } = createMiddlewareRedirects(ternSecureRequest);
|
|
40
51
|
const { redirectToSignUp } = createMiddlewareRedirects(ternSecureRequest);
|
|
@@ -149,6 +160,6 @@ const handleControlError = (error, ternSecureRequest, nextrequest, requestState)
|
|
|
149
160
|
};
|
|
150
161
|
export {
|
|
151
162
|
redirectAdapter,
|
|
152
|
-
|
|
163
|
+
ternSecureProxy
|
|
153
164
|
};
|
|
154
|
-
//# sourceMappingURL=
|
|
165
|
+
//# sourceMappingURL=ternSecureProxy.js.map
|