@thunderid/nextjs 0.2.0 → 0.2.2

package/dist/server/actions/refreshToken.js

@@ -0,0 +1,58 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import getClient_default from "../getClient.js";
+import handleRefreshToken_default from "../../utils/handleRefreshToken.js";
+import { ThunderIDAPIError, logger } from "@thunderid/node";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/refreshToken.ts
+/**
+* Server action to refresh the access token using the stored refresh token.
+* Exchanges the refresh token for a new token set and updates the session cookie.
+*
+* Delegates the HTTP exchange to handleRefreshToken so the same logic is shared
+* with the middleware token refresh path.
+*
+* Called from the client side (e.g. ThunderIDClientProvider refreshOnMount) where
+* Next.js allows cookie mutation. When invoked during SSR rendering the cookie
+* write is silently skipped and a warning is logged.
+*/
+const refreshToken = async () => {
+	try {
+		const cookieStore = await cookies();
+		const sessionToken = cookieStore.get(SessionManager_default.getSessionCookieName())?.value;
+		if (!sessionToken) throw new ThunderIDAPIError("No active session found. User must be signed in to refresh the token.", "refreshToken-ServerActionError-002", "nextjs", 401);
+		const sessionPayload = await SessionManager_default.verifySessionTokenForRefresh(sessionToken);
+		const config = await getClient_default().getConfiguration();
+		const result = await handleRefreshToken_default(sessionPayload, {
+			baseUrl: config.baseUrl ?? "",
+			clientId: config.clientId ?? "",
+			clientSecret: config.clientSecret ?? "",
+			sessionCookie: config.sessionCookie
+		});
+		try {
+			cookieStore.set(SessionManager_default.getSessionCookieName(), result.newSessionToken, SessionManager_default.getSessionCookieOptions(result.sessionCookieExpiryTime));
+		} catch {
+			logger.warn("[refreshToken] Could not write session cookie — called from SSR rendering context.");
+		}
+		const rawExpiresIn = result.tokenResponse.expiresIn;
+		const expiresInSeconds = parseInt(rawExpiresIn ?? "", 10);
+		if (Number.isNaN(expiresInSeconds)) throw new Error(`[refreshToken] Invalid expiresIn value received: ${rawExpiresIn}`);
+		const expiresAt = Math.floor(Date.now() / 1e3) + expiresInSeconds;
+		logger.debug("[refreshToken] Token refresh succeeded.");
+		return { expiresAt };
+	} catch (error) {
+		try {
+			(await cookies()).delete(SessionManager_default.getSessionCookieName());
+			logger.debug("[refreshToken] Cleared session cookie after refresh failure.");
+		} catch {}
+		throw new ThunderIDAPIError(`Failed to refresh the session: ${error instanceof Error ? error.message : JSON.stringify(error)}`, "refreshToken-ServerActionError-001", "nextjs", error instanceof ThunderIDAPIError ? error.statusCode : void 0);
+	}
+};
+var refreshToken_default = refreshToken;
+
+//#endregion
+export { refreshToken_default as default };
+//# sourceMappingURL=refreshToken.js.map

package/dist/server/actions/refreshToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshToken.js","names":["cookieStore: RequestCookies","sessionToken: string | undefined","SessionManager","sessionPayload: SessionTokenPayload","config: ThunderIDNextConfig","getClient","result: HandleRefreshTokenResult","handleRefreshToken","rawExpiresIn: string | undefined","expiresInSeconds: number","expiresAt: number"],"sources":["../../../src/server/actions/refreshToken.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {ThunderIDAPIError, logger} from '@thunderid/node';\nimport {cookies} from 'next/headers';\nimport {ThunderIDNextConfig} from '../../models/config';\nimport handleRefreshToken, {HandleRefreshTokenResult} from '../../utils/handleRefreshToken';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\nimport getClient from '../getClient';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Client-safe result of a token refresh.\n *\n * Intentionally omits accessToken, refreshToken, idToken, and scopes — those stay\n * server-side in the HttpOnly session cookie. Returning tokens from a Server Action\n * serializes them into browser memory, defeating the HttpOnly boundary and exposing\n * them to XSS, browser extensions, and error-tracking SDKs.\n *\n * `expiresAt` is epoch seconds for the new access token; the client uses it to\n * schedule the next refresh.\n */\nexport interface RefreshResult {\n  expiresAt: number;\n}\n\n/**\n * Server action to refresh the access token using the stored refresh token.\n * Exchanges the refresh token for a new token set and updates the session cookie.\n *\n * Delegates the HTTP exchange to handleRefreshToken so the same logic is shared\n * with the middleware token refresh path.\n *\n * Called from the client side (e.g. ThunderIDClientProvider refreshOnMount) where\n * Next.js allows cookie mutation. When invoked during SSR rendering the cookie\n * write is silently skipped and a warning is logged.\n */\nconst refreshToken = async (): Promise<RefreshResult> => {\n  try {\n    const cookieStore: RequestCookies = await cookies();\n    const sessionToken: string | undefined = cookieStore.get(SessionManager.getSessionCookieName())?.value;\n\n    if (!sessionToken) {\n      throw new ThunderIDAPIError(\n        'No active session found. User must be signed in to refresh the token.',\n        'refreshToken-ServerActionError-002',\n        'nextjs',\n        401,\n      );\n    }\n\n    const sessionPayload: SessionTokenPayload = await SessionManager.verifySessionTokenForRefresh(sessionToken);\n    const client = getClient();\n    const config: ThunderIDNextConfig = await client.getConfiguration();\n\n    const result: HandleRefreshTokenResult = await handleRefreshToken(sessionPayload, {\n      baseUrl: config.baseUrl ?? '',\n      clientId: config.clientId ?? '',\n      clientSecret: config.clientSecret ?? '',\n      sessionCookie: config.sessionCookie,\n    });\n\n    try {\n      cookieStore.set(\n        SessionManager.getSessionCookieName(),\n        result.newSessionToken,\n        SessionManager.getSessionCookieOptions(result.sessionCookieExpiryTime),\n      );\n    } catch {\n      // cookies().set() is only permitted inside a Server Action invoked from the client\n      // or a Route Handler. When this action is called during SSR rendering the write\n      // is blocked by Next.js. The middleware refresh path handles that case instead.\n      logger.warn('[refreshToken] Could not write session cookie — called from SSR rendering context.');\n    }\n\n    const rawExpiresIn: string | undefined = result.tokenResponse.expiresIn;\n    const expiresInSeconds: number = parseInt(rawExpiresIn ?? '', 10);\n    if (Number.isNaN(expiresInSeconds)) {\n      throw new Error(`[refreshToken] Invalid expiresIn value received: ${rawExpiresIn}`);\n    }\n    const expiresAt: number = Math.floor(Date.now() / 1000) + expiresInSeconds;\n\n    logger.debug('[refreshToken] Token refresh succeeded.');\n    return {expiresAt};\n  } catch (error) {\n    // Clear the dead session cookie before throwing so the browser is not left\n    // holding a stale credential. This is best-effort — if called from an SSR\n    // rendering context Next.js blocks cookie mutation; the middleware cleanup\n    // path covers that case on the next request.\n    try {\n      const cookieStore: RequestCookies = await cookies();\n      cookieStore.delete(SessionManager.getSessionCookieName());\n      logger.debug('[refreshToken] Cleared session cookie after refresh failure.');\n    } catch {\n      // Intentionally swallowed — middleware handles cleanup when mutation is blocked.\n    }\n\n    throw new ThunderIDAPIError(\n      `Failed to refresh the session: ${error instanceof Error ? error.message : JSON.stringify(error)}`,\n      'refreshToken-ServerActionError-001',\n      'nextjs',\n      error instanceof ThunderIDAPIError ? error.statusCode : undefined,\n    );\n  }\n};\n\nexport default refreshToken;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAuDA,MAAM,eAAe,YAAoC;AACvD,KAAI;EACF,MAAMA,cAA8B,MAAM,SAAS;EACnD,MAAMC,eAAmC,YAAY,IAAIC,uBAAe,sBAAsB,CAAC,EAAE;AAEjG,MAAI,CAAC,aACH,OAAM,IAAI,kBACR,yEACA,sCACA,UACA,IACD;EAGH,MAAMC,iBAAsC,MAAMD,uBAAe,6BAA6B,aAAa;EAE3G,MAAME,SAA8B,MADrBC,mBAAW,CACuB,kBAAkB;EAEnE,MAAMC,SAAmC,MAAMC,2BAAmB,gBAAgB;GAChF,SAAS,OAAO,WAAW;GAC3B,UAAU,OAAO,YAAY;GAC7B,cAAc,OAAO,gBAAgB;GACrC,eAAe,OAAO;GACvB,CAAC;AAEF,MAAI;AACF,eAAY,IACVL,uBAAe,sBAAsB,EACrC,OAAO,iBACPA,uBAAe,wBAAwB,OAAO,wBAAwB,CACvE;UACK;AAIN,UAAO,KAAK,qFAAqF;;EAGnG,MAAMM,eAAmC,OAAO,cAAc;EAC9D,MAAMC,mBAA2B,SAAS,gBAAgB,IAAI,GAAG;AACjE,MAAI,OAAO,MAAM,iBAAiB,CAChC,OAAM,IAAI,MAAM,oDAAoD,eAAe;EAErF,MAAMC,YAAoB,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,GAAG;AAE1D,SAAO,MAAM,0CAA0C;AACvD,SAAO,EAAC,WAAU;UACX,OAAO;AAKd,MAAI;AAEF,IADoC,MAAM,SAAS,EACvC,OAAOR,uBAAe,sBAAsB,CAAC;AACzD,UAAO,MAAM,+DAA+D;UACtE;AAIR,QAAM,IAAI,kBACR,kCAAkC,iBAAiB,QAAQ,MAAM,UAAU,KAAK,UAAU,MAAM,IAChG,sCACA,UACA,iBAAiB,oBAAoB,MAAM,aAAa,OACzD;;;AAIL,2BAAe"}

package/dist/{types/server → server}/actions/signInAction.d.ts

@@ -15,7 +15,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import { EmbeddedSignInFlowHandleRequestPayload, EmbeddedFlowExecuteRequestConfig, EmbeddedSignInFlowInitiateResponse } from '@thunderid/node';
+import { EmbeddedFlowExecuteRequestConfig } from '@thunderid/node';
 /**
  * Server action for signing in a user.
  * Handles the embedded sign-in flow and manages session cookies.
@@ -24,11 +24,11 @@ import { EmbeddedSignInFlowHandleRequestPayload, EmbeddedFlowExecuteRequestConfi
  * @param request - The embedded flow execute request config
  * @returns Promise that resolves when sign-in is complete
  */
-declare const signInAction: (payload?: EmbeddedSignInFlowHandleRequestPayload, request?: EmbeddedFlowExecuteRequestConfig) => Promise<{
+declare const signInAction: (payload?: any, request?: EmbeddedFlowExecuteRequestConfig) => Promise<{
     data?: {
         afterSignInUrl?: string;
         signInUrl?: string;
-    } | EmbeddedSignInFlowInitiateResponse;
+    } | Record<string, unknown>;
     error?: string;
     success: boolean;
 }>;

package/dist/server/actions/signInAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signInAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/signInAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAGL,gCAAgC,EAGjC,MAAM,iBAAiB,CAAC;AASzB;;;;;;;GAOG;AACH,QAAA,MAAM,YAAY,GAChB,UAAU,GAAG,EACb,UAAU,gCAAgC,KACzC,OAAO,CAAC;IACT,IAAI,CAAC,EACD;QACE,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GACD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB,CAuHA,CAAC;AAEF,eAAe,YAAY,CAAC"}

package/dist/server/actions/signInAction.js

@@ -0,0 +1,92 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import getClient_default from "../getClient.js";
+import logger_default from "../../utils/logger.js";
+import { EmbeddedSignInFlowStatus, generateSessionId, isEmpty } from "@thunderid/node";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/signInAction.ts
+/**
+* Server action for signing in a user.
+* Handles the embedded sign-in flow and manages session cookies.
+*
+* @param payload - The embedded sign-in flow payload
+* @param request - The embedded flow execute request config
+* @returns Promise that resolves when sign-in is complete
+*/
+const signInAction = async (payload, request) => {
+	try {
+		const client = getClient_default();
+		const cookieStore = await cookies();
+		let sessionId;
+		const existingSessionToken = cookieStore.get(SessionManager_default.getSessionCookieName())?.value;
+		if (existingSessionToken) try {
+			sessionId = (await SessionManager_default.verifySessionToken(existingSessionToken)).sessionId;
+		} catch {}
+		if (!sessionId) {
+			const tempSessionToken = cookieStore.get(SessionManager_default.getTempSessionCookieName())?.value;
+			if (tempSessionToken) try {
+				sessionId = (await SessionManager_default.verifyTempSession(tempSessionToken)).sessionId;
+			} catch {}
+		}
+		if (!sessionId) {
+			sessionId = generateSessionId();
+			const tempSessionToken = await SessionManager_default.createTempSession(sessionId);
+			cookieStore.set(SessionManager_default.getTempSessionCookieName(), tempSessionToken, SessionManager_default.getTempSessionCookieOptions());
+		}
+		if (!payload || isEmpty(payload)) {
+			const defaultSignInUrl = await client.getAuthorizeRequestUrl({}, sessionId);
+			return {
+				data: { signInUrl: String(defaultSignInUrl) },
+				success: true
+			};
+		}
+		const response = await client.signIn(payload, request, sessionId);
+		if (response.flowStatus === EmbeddedSignInFlowStatus.Complete) {
+			const signInResult = await client.signIn({
+				code: response?.authData?.code,
+				session_state: response?.authData?.session_state,
+				state: response?.authData?.state
+			}, {}, sessionId);
+			if (signInResult) {
+				const idToken = await client.getDecodedIdToken(sessionId, signInResult["idToken"] || signInResult["id_token"]);
+				const userIdFromToken = idToken.sub || signInResult["sub"] || sessionId;
+				const { accessToken } = signInResult;
+				const refreshToken = signInResult["refreshToken"] ?? "";
+				const scopes = signInResult["scope"];
+				const organizationId = idToken["user_org"] || idToken["organization_id"];
+				const rawExpiresIn = signInResult["expiresIn"] ?? signInResult["expires_in"];
+				const expiresIn = Number(rawExpiresIn);
+				if (Number.isNaN(expiresIn)) throw new Error(`[signInAction] Invalid expiresIn value received: ${rawExpiresIn}`);
+				const config = await client.getConfiguration();
+				const sessionCookieExpiryTime = SessionManager_default.resolveSessionCookieExpiry(config.sessionCookie?.expiryTime);
+				const sessionToken = await SessionManager_default.createSessionToken(accessToken, userIdFromToken, sessionId, scopes, expiresIn, refreshToken, organizationId);
+				cookieStore.set(SessionManager_default.getSessionCookieName(), sessionToken, SessionManager_default.getSessionCookieOptions(sessionCookieExpiryTime));
+				cookieStore.delete(SessionManager_default.getTempSessionCookieName());
+			}
+			const afterSignInUrl = await (await client.getStorageManager()).getConfigDataParameter("afterSignInUrl");
+			return {
+				data: { afterSignInUrl: String(afterSignInUrl) },
+				success: true
+			};
+		}
+		return {
+			data: response,
+			success: true
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : typeof error?.message === "string" ? error.message : String(error);
+		logger_default.error(`[signInAction] Error during sign-in: ${message}`);
+		return {
+			error: message,
+			success: false
+		};
+	}
+};
+var signInAction_default = signInAction;
+
+//#endregion
+export { signInAction_default as default };
+//# sourceMappingURL=signInAction.js.map

package/dist/server/actions/signInAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signInAction.js","names":["getClient","cookieStore: RequestCookies","sessionId: string | undefined","existingSessionToken: string | undefined","SessionManager","tempSessionToken: string | undefined","tempSessionToken: string","defaultSignInUrl: string","response: any","signInResult: Record<string, unknown>","idToken: IdToken","userIdFromToken: string","refreshToken: string","scopes: string","organizationId: string | undefined","rawExpiresIn: unknown","config: ThunderIDNextConfig","sessionCookieExpiryTime: number","sessionToken: string","afterSignInUrl: string"],"sources":["../../../src/server/actions/signInAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {\n  generateSessionId,\n  EmbeddedSignInFlowStatus,\n  EmbeddedFlowExecuteRequestConfig,\n  IdToken,\n  isEmpty,\n} from '@thunderid/node';\nimport {cookies} from 'next/headers';\nimport {ThunderIDNextConfig} from '../../models/config';\nimport logger from '../../utils/logger';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\nimport getClient from '../getClient';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Server action for signing in a user.\n * Handles the embedded sign-in flow and manages session cookies.\n *\n * @param payload - The embedded sign-in flow payload\n * @param request - The embedded flow execute request config\n * @returns Promise that resolves when sign-in is complete\n */\nconst signInAction = async (\n  payload?: any,\n  request?: EmbeddedFlowExecuteRequestConfig,\n): Promise<{\n  data?:\n    | {\n        afterSignInUrl?: string;\n        signInUrl?: string;\n      }\n    | Record<string, unknown>;\n  error?: string;\n  success: boolean;\n}> => {\n  try {\n    const client = getClient();\n    const cookieStore: RequestCookies = await cookies();\n\n    let sessionId: string | undefined;\n\n    const existingSessionToken: string | undefined = cookieStore.get(SessionManager.getSessionCookieName())?.value;\n\n    if (existingSessionToken) {\n      try {\n        const sessionPayload: SessionTokenPayload = await SessionManager.verifySessionToken(existingSessionToken);\n        sessionId = sessionPayload.sessionId;\n      } catch {\n        // Invalid session token, will create new temp session\n      }\n    }\n\n    if (!sessionId) {\n      const tempSessionToken: string | undefined = cookieStore.get(SessionManager.getTempSessionCookieName())?.value;\n\n      if (tempSessionToken) {\n        try {\n          const tempSession: {sessionId: string} = await SessionManager.verifyTempSession(tempSessionToken);\n          sessionId = tempSession.sessionId;\n        } catch {\n          // Invalid temp session, will create new one\n        }\n      }\n    }\n\n    if (!sessionId) {\n      sessionId = generateSessionId();\n\n      const tempSessionToken: string = await SessionManager.createTempSession(sessionId);\n\n      cookieStore.set(\n        SessionManager.getTempSessionCookieName(),\n        tempSessionToken,\n        SessionManager.getTempSessionCookieOptions(),\n      );\n    }\n\n    // If no payload provided, redirect to sign-in URL for redirect-based sign-in.\n    if (!payload || isEmpty(payload)) {\n      const defaultSignInUrl: string = await client.getAuthorizeRequestUrl({}, sessionId);\n      return {data: {signInUrl: String(defaultSignInUrl)}, success: true};\n    }\n\n    // Handle embedded sign-in flow\n    const response: any = await client.signIn(payload, request!, sessionId);\n\n    if (response.flowStatus === EmbeddedSignInFlowStatus.Complete) {\n      const signInResult: Record<string, unknown> = await client.signIn(\n        {\n          code: response?.authData?.code,\n          session_state: response?.authData?.session_state,\n          state: response?.authData?.state,\n        } as any,\n        {},\n        sessionId,\n      );\n\n      if (signInResult) {\n        const idToken: IdToken = await client.getDecodedIdToken(\n          sessionId,\n          (signInResult['idToken'] || signInResult['id_token']) as string,\n        );\n        const userIdFromToken: string = (idToken.sub || signInResult['sub'] || sessionId) as string;\n        const {accessToken}: {accessToken: string} = signInResult as {accessToken: string};\n        const refreshToken: string = (signInResult['refreshToken'] as string | undefined) ?? '';\n        const scopes: string = signInResult['scope'] as string;\n        const organizationId: string | undefined = (idToken['user_org'] || idToken['organization_id']) as\n          | string\n          | undefined;\n        const rawExpiresIn: unknown = signInResult['expiresIn'] ?? signInResult['expires_in'];\n        const expiresIn = Number(rawExpiresIn);\n        if (Number.isNaN(expiresIn)) {\n          throw new Error(`[signInAction] Invalid expiresIn value received: ${rawExpiresIn}`);\n        }\n        const config: ThunderIDNextConfig = await client.getConfiguration();\n        const sessionCookieExpiryTime: number = SessionManager.resolveSessionCookieExpiry(\n          config.sessionCookie?.expiryTime,\n        );\n\n        const sessionToken: string = await SessionManager.createSessionToken(\n          accessToken,\n          userIdFromToken,\n          sessionId,\n          scopes,\n          expiresIn,\n          refreshToken,\n          organizationId,\n        );\n\n        cookieStore.set(\n          SessionManager.getSessionCookieName(),\n          sessionToken,\n          SessionManager.getSessionCookieOptions(sessionCookieExpiryTime),\n        );\n\n        cookieStore.delete(SessionManager.getTempSessionCookieName());\n      }\n\n      const afterSignInUrl: string = await (await client.getStorageManager()).getConfigDataParameter('afterSignInUrl');\n      return {data: {afterSignInUrl: String(afterSignInUrl)}, success: true};\n    }\n\n    return {data: response as Record<string, unknown>, success: true};\n  } catch (error) {\n    const message =\n      error instanceof Error\n        ? error.message\n        : typeof (error as any)?.message === 'string'\n          ? (error as any).message\n          : String(error);\n    logger.error(`[signInAction] Error during sign-in: ${message}`);\n    return {error: message, success: false};\n  }\n};\n\nexport default signInAction;\n"],"mappings":";;;;;;;;;;;;;;;;;;AA2CA,MAAM,eAAe,OACnB,SACA,YAUI;AACJ,KAAI;EACF,MAAM,SAASA,mBAAW;EAC1B,MAAMC,cAA8B,MAAM,SAAS;EAEnD,IAAIC;EAEJ,MAAMC,uBAA2C,YAAY,IAAIC,uBAAe,sBAAsB,CAAC,EAAE;AAEzG,MAAI,qBACF,KAAI;AAEF,gBAD4C,MAAMA,uBAAe,mBAAmB,qBAAqB,EAC9E;UACrB;AAKV,MAAI,CAAC,WAAW;GACd,MAAMC,mBAAuC,YAAY,IAAID,uBAAe,0BAA0B,CAAC,EAAE;AAEzG,OAAI,iBACF,KAAI;AAEF,iBADyC,MAAMA,uBAAe,kBAAkB,iBAAiB,EACzE;WAClB;;AAMZ,MAAI,CAAC,WAAW;AACd,eAAY,mBAAmB;GAE/B,MAAME,mBAA2B,MAAMF,uBAAe,kBAAkB,UAAU;AAElF,eAAY,IACVA,uBAAe,0BAA0B,EACzC,kBACAA,uBAAe,6BAA6B,CAC7C;;AAIH,MAAI,CAAC,WAAW,QAAQ,QAAQ,EAAE;GAChC,MAAMG,mBAA2B,MAAM,OAAO,uBAAuB,EAAE,EAAE,UAAU;AACnF,UAAO;IAAC,MAAM,EAAC,WAAW,OAAO,iBAAiB,EAAC;IAAE,SAAS;IAAK;;EAIrE,MAAMC,WAAgB,MAAM,OAAO,OAAO,SAAS,SAAU,UAAU;AAEvE,MAAI,SAAS,eAAe,yBAAyB,UAAU;GAC7D,MAAMC,eAAwC,MAAM,OAAO,OACzD;IACE,MAAM,UAAU,UAAU;IAC1B,eAAe,UAAU,UAAU;IACnC,OAAO,UAAU,UAAU;IAC5B,EACD,EAAE,EACF,UACD;AAED,OAAI,cAAc;IAChB,MAAMC,UAAmB,MAAM,OAAO,kBACpC,WACC,aAAa,cAAc,aAAa,YAC1C;IACD,MAAMC,kBAA2B,QAAQ,OAAO,aAAa,UAAU;IACvE,MAAM,EAAC,gBAAsC;IAC7C,MAAMC,eAAwB,aAAa,mBAA0C;IACrF,MAAMC,SAAiB,aAAa;IACpC,MAAMC,iBAAsC,QAAQ,eAAe,QAAQ;IAG3E,MAAMC,eAAwB,aAAa,gBAAgB,aAAa;IACxE,MAAM,YAAY,OAAO,aAAa;AACtC,QAAI,OAAO,MAAM,UAAU,CACzB,OAAM,IAAI,MAAM,oDAAoD,eAAe;IAErF,MAAMC,SAA8B,MAAM,OAAO,kBAAkB;IACnE,MAAMC,0BAAkCb,uBAAe,2BACrD,OAAO,eAAe,WACvB;IAED,MAAMc,eAAuB,MAAMd,uBAAe,mBAChD,aACA,iBACA,WACA,QACA,WACA,cACA,eACD;AAED,gBAAY,IACVA,uBAAe,sBAAsB,EACrC,cACAA,uBAAe,wBAAwB,wBAAwB,CAChE;AAED,gBAAY,OAAOA,uBAAe,0BAA0B,CAAC;;GAG/D,MAAMe,iBAAyB,OAAO,MAAM,OAAO,mBAAmB,EAAE,uBAAuB,iBAAiB;AAChH,UAAO;IAAC,MAAM,EAAC,gBAAgB,OAAO,eAAe,EAAC;IAAE,SAAS;IAAK;;AAGxE,SAAO;GAAC,MAAM;GAAqC,SAAS;GAAK;UAC1D,OAAO;EACd,MAAM,UACJ,iBAAiB,QACb,MAAM,UACN,OAAQ,OAAe,YAAY,WAChC,MAAc,UACf,OAAO,MAAM;AACrB,iBAAO,MAAM,wCAAwC,UAAU;AAC/D,SAAO;GAAC,OAAO;GAAS,SAAS;GAAM;;;AAI3C,2BAAe"}

package/dist/server/actions/signOutAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signOutAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/signOutAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAYH;;;;;GAKG;AACH,QAAA,MAAM,aAAa,QAAa,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,CA8C7G,CAAC;AAEF,eAAe,aAAa,CAAC"}

package/dist/server/actions/signOutAction.js

@@ -0,0 +1,55 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import getSessionId_default from "./getSessionId.js";
+import getClient_default from "../getClient.js";
+import logger_default from "../../utils/logger.js";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/signOutAction.ts
+/**
+* Server action for signing out a user.
+* Clears both JWT and legacy session cookies.
+*
+* @returns Promise that resolves with success status and optional after sign-out URL
+*/
+const signOutAction = async () => {
+	logger_default.debug("[signOutAction] Initiating sign out process from the server action.");
+	const clearSessionCookies = async () => {
+		const cookieStore = await cookies();
+		cookieStore.delete(SessionManager_default.getSessionCookieName());
+		cookieStore.delete(SessionManager_default.getTempSessionCookieName());
+	};
+	try {
+		const client = getClient_default();
+		const sessionId = await getSessionId_default();
+		let afterSignOutUrl = "/";
+		if (sessionId) {
+			logger_default.debug("[signOutAction] Session ID found, invoking the `signOut` to obtain the `afterSignOutUrl`.");
+			afterSignOutUrl = await client.signOut({}, sessionId);
+		}
+		await clearSessionCookies();
+		return {
+			data: { afterSignOutUrl },
+			success: true
+		};
+	} catch (error) {
+		logger_default.error("[signOutAction] Error during sign out from the server action:", error);
+		logger_default.debug("[signOutAction] Clearing session cookies due to error as a fallback.");
+		await clearSessionCookies();
+		let errorMessage;
+		if (typeof error === "string") errorMessage = error;
+		else if (error instanceof Error) errorMessage = error.message;
+		else errorMessage = JSON.stringify(error);
+		return {
+			error: errorMessage,
+			success: false
+		};
+	}
+};
+var signOutAction_default = signOutAction;
+
+//#endregion
+export { signOutAction_default as default };
+//# sourceMappingURL=signOutAction.js.map

package/dist/server/actions/signOutAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signOutAction.js","names":["cookieStore: RequestCookies","SessionManager","getClient","sessionId: string | undefined","getSessionId","errorMessage: unknown"],"sources":["../../../src/server/actions/signOutAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {cookies} from 'next/headers';\nimport getSessionId from './getSessionId';\nimport logger from '../../utils/logger';\nimport SessionManager from '../../utils/SessionManager';\nimport getClient from '../getClient';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Server action for signing out a user.\n * Clears both JWT and legacy session cookies.\n *\n * @returns Promise that resolves with success status and optional after sign-out URL\n */\nconst signOutAction = async (): Promise<{data?: {afterSignOutUrl?: string}; error?: unknown; success: boolean}> => {\n  logger.debug('[signOutAction] Initiating sign out process from the server action.');\n\n  const clearSessionCookies = async (): Promise<void> => {\n    const cookieStore: RequestCookies = await cookies();\n\n    cookieStore.delete(SessionManager.getSessionCookieName());\n    cookieStore.delete(SessionManager.getTempSessionCookieName());\n  };\n\n  try {\n    const client = getClient();\n    const sessionId: string | undefined = await getSessionId();\n\n    let afterSignOutUrl = '/';\n\n    if (sessionId) {\n      logger.debug('[signOutAction] Session ID found, invoking the `signOut` to obtain the `afterSignOutUrl`.');\n\n      afterSignOutUrl = await client.signOut({}, sessionId);\n    }\n\n    await clearSessionCookies();\n\n    return {data: {afterSignOutUrl}, success: true};\n  } catch (error) {\n    logger.error('[signOutAction] Error during sign out from the server action:', error);\n\n    logger.debug('[signOutAction] Clearing session cookies due to error as a fallback.');\n\n    await clearSessionCookies();\n\n    let errorMessage: unknown;\n    if (typeof error === 'string') {\n      errorMessage = error;\n    } else if (error instanceof Error) {\n      errorMessage = error.message;\n    } else {\n      errorMessage = JSON.stringify(error);\n    }\n\n    return {\n      error: errorMessage,\n      success: false,\n    };\n  }\n};\n\nexport default signOutAction;\n"],"mappings":";;;;;;;;;;;;;;;;AAkCA,MAAM,gBAAgB,YAA6F;AACjH,gBAAO,MAAM,sEAAsE;CAEnF,MAAM,sBAAsB,YAA2B;EACrD,MAAMA,cAA8B,MAAM,SAAS;AAEnD,cAAY,OAAOC,uBAAe,sBAAsB,CAAC;AACzD,cAAY,OAAOA,uBAAe,0BAA0B,CAAC;;AAG/D,KAAI;EACF,MAAM,SAASC,mBAAW;EAC1B,MAAMC,YAAgC,MAAMC,sBAAc;EAE1D,IAAI,kBAAkB;AAEtB,MAAI,WAAW;AACb,kBAAO,MAAM,4FAA4F;AAEzG,qBAAkB,MAAM,OAAO,QAAQ,EAAE,EAAE,UAAU;;AAGvD,QAAM,qBAAqB;AAE3B,SAAO;GAAC,MAAM,EAAC,iBAAgB;GAAE,SAAS;GAAK;UACxC,OAAO;AACd,iBAAO,MAAM,iEAAiE,MAAM;AAEpF,iBAAO,MAAM,uEAAuE;AAEpF,QAAM,qBAAqB;EAE3B,IAAIC;AACJ,MAAI,OAAO,UAAU,SACnB,gBAAe;WACN,iBAAiB,MAC1B,gBAAe,MAAM;MAErB,gBAAe,KAAK,UAAU,MAAM;AAGtC,SAAO;GACL,OAAO;GACP,SAAS;GACV;;;AAIL,4BAAe"}

package/dist/{types/server/actions/getMyOrganizations.d.ts → server/actions/signUpAction.d.ts}

@@ -15,10 +15,15 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import { Organization } from '@thunderid/node';
 /**
- * Server action to get organizations.
+ * Server action for initiating the sign-up redirect flow.
  */
-declare const getMyOrganizations: (options?: any, sessionId?: string) => Promise<Organization[]>;
-export default getMyOrganizations;
-//# sourceMappingURL=getMyOrganizations.d.ts.map
+declare const signUpAction: () => Promise<{
+    data?: {
+        signUpUrl?: string;
+    };
+    error?: string;
+    success: boolean;
+}>;
+export default signUpAction;
+//# sourceMappingURL=signUpAction.d.ts.map

package/dist/server/actions/signUpAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signUpAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/signUpAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAMH;;GAEG;AACH,QAAA,MAAM,YAAY,QAAa,OAAO,CAAC;IACrC,IAAI,CAAC,EAAE;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB,CAUA,CAAC;AAEF,eAAe,YAAY,CAAC"}

package/dist/server/actions/signUpAction.js

@@ -0,0 +1,27 @@
+'use server';
+
+
+import getClient_default from "../getClient.js";
+
+//#region src/server/actions/signUpAction.ts
+/**
+* Server action for initiating the sign-up redirect flow.
+*/
+const signUpAction = async () => {
+	try {
+		return {
+			data: { signUpUrl: getClient_default().getConfiguration()?.signUpUrl ?? "" },
+			success: true
+		};
+	} catch (error) {
+		return {
+			error: String(error),
+			success: false
+		};
+	}
+};
+var signUpAction_default = signUpAction;
+
+//#endregion
+export { signUpAction_default as default };
+//# sourceMappingURL=signUpAction.js.map

package/dist/server/actions/signUpAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signUpAction.js","names":["getClient"],"sources":["../../../src/server/actions/signUpAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport getClient from '../getClient';\n\n/**\n * Server action for initiating the sign-up redirect flow.\n */\nconst signUpAction = async (): Promise<{\n  data?: {signUpUrl?: string};\n  error?: string;\n  success: boolean;\n}> => {\n  try {\n    const client = getClient();\n    const config = client.getConfiguration() as any;\n    const signUpUrl: string = config?.signUpUrl ?? '';\n\n    return {data: {signUpUrl}, success: true};\n  } catch (error) {\n    return {error: String(error), success: false};\n  }\n};\n\nexport default signUpAction;\n"],"mappings":";;;;;;;;;AAyBA,MAAM,eAAe,YAIf;AACJ,KAAI;AAKF,SAAO;GAAC,MAAM,EAAC,WAJAA,mBAAW,CACJ,kBAAkB,EACN,aAAa,IAEtB;GAAE,SAAS;GAAK;UAClC,OAAO;AACd,SAAO;GAAC,OAAO,OAAO,MAAM;GAAE,SAAS;GAAM;;;AAIjD,2BAAe"}

package/dist/server/actions/updateUserProfileAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"updateUserProfileAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/updateUserProfileAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAC,qBAAqB,EAAE,IAAI,EAAC,MAAM,iBAAiB,CAAC;AAG5D;;;GAGG;AACH,QAAA,MAAM,uBAAuB,GAC3B,SAAS,qBAAqB,EAC9B,YAAY,MAAM,KACjB,OAAO,CAAC;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,IAAI,CAAA;KAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,CAc/D,CAAC;AAEF,eAAe,uBAAuB,CAAC"}

package/dist/server/actions/updateUserProfileAction.js

@@ -0,0 +1,30 @@
+'use server';
+
+
+import getClient_default from "../getClient.js";
+
+//#region src/server/actions/updateUserProfileAction.ts
+/**
+* Server action to get the current user.
+* Returns the user profile if signed in.
+*/
+const updateUserProfileAction = async (payload, sessionId) => {
+	try {
+		return {
+			data: { user: await getClient_default().updateUserProfile(payload, sessionId) },
+			error: "",
+			success: true
+		};
+	} catch (error) {
+		return {
+			data: { user: {} },
+			error: `Failed to get user profile: ${error instanceof Error ? error.message : String(error)}`,
+			success: false
+		};
+	}
+};
+var updateUserProfileAction_default = updateUserProfileAction;
+
+//#endregion
+export { updateUserProfileAction_default as default };
+//# sourceMappingURL=updateUserProfileAction.js.map

package/dist/server/actions/updateUserProfileAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"updateUserProfileAction.js","names":["getClient"],"sources":["../../../src/server/actions/updateUserProfileAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {UpdateMeProfileConfig, User} from '@thunderid/node';\nimport getClient from '../getClient';\n\n/**\n * Server action to get the current user.\n * Returns the user profile if signed in.\n */\nconst updateUserProfileAction = async (\n  payload: UpdateMeProfileConfig,\n  sessionId?: string,\n): Promise<{data: {user: User}; error: string; success: boolean}> => {\n  try {\n    const client = getClient();\n    const user: User = await client.updateUserProfile(payload, sessionId);\n    return {data: {user}, error: '', success: true};\n  } catch (error) {\n    return {\n      data: {\n        user: {},\n      },\n      error: `Failed to get user profile: ${error instanceof Error ? error.message : String(error)}`,\n      success: false,\n    };\n  }\n};\n\nexport default updateUserProfileAction;\n"],"mappings":";;;;;;;;;;AA2BA,MAAM,0BAA0B,OAC9B,SACA,cACmE;AACnE,KAAI;AAGF,SAAO;GAAC,MAAM,EAAC,MADI,MADJA,mBAAW,CACM,kBAAkB,SAAS,UAAU,EACjD;GAAE,OAAO;GAAI,SAAS;GAAK;UACxC,OAAO;AACd,SAAO;GACL,MAAM,EACJ,MAAM,EAAE,EACT;GACD,OAAO,+BAA+B,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;GAC5F,SAAS;GACV;;;AAIL,sCAAe"}

package/dist/server/getClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getClient.d.ts","sourceRoot":"","sources":["../../src/server/getClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,mBAAmB,MAAM,wBAAwB,CAAC;AAIzD;;;;;GAKG;AACH,QAAA,MAAM,SAAS,QAAO,mBAKrB,CAAC;AAEF,eAAe,SAAS,CAAC"}

package/dist/server/getClient.js

@@ -0,0 +1,19 @@
+import ThunderIDNextClient_default from "../ThunderIDNextClient.js";
+
+//#region src/server/getClient.ts
+let _instance;
+/**
+* Returns the shared `ThunderIDNextClient` instance for this Node.js process.
+* Creates a new instance on first call; subsequent calls return the same instance.
+*
+* @returns The shared ThunderIDNextClient instance.
+*/
+const getClient = () => {
+	if (!_instance) _instance = new ThunderIDNextClient_default();
+	return _instance;
+};
+var getClient_default = getClient;
+
+//#endregion
+export { getClient_default as default };
+//# sourceMappingURL=getClient.js.map

package/dist/server/getClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getClient.js","names":["_instance: ThunderIDNextClient | undefined","ThunderIDNextClient"],"sources":["../../src/server/getClient.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport ThunderIDNextClient from '../ThunderIDNextClient';\n\nlet _instance: ThunderIDNextClient | undefined;\n\n/**\n * Returns the shared `ThunderIDNextClient` instance for this Node.js process.\n * Creates a new instance on first call; subsequent calls return the same instance.\n *\n * @returns The shared ThunderIDNextClient instance.\n */\nconst getClient = (): ThunderIDNextClient => {\n  if (!_instance) {\n    _instance = new ThunderIDNextClient();\n  }\n  return _instance;\n};\n\nexport default getClient;\n"],"mappings":";;;AAoBA,IAAIA;;;;;;;AAQJ,MAAM,kBAAuC;AAC3C,KAAI,CAAC,UACH,aAAY,IAAIC,6BAAqB;AAEvC,QAAO;;AAGT,wBAAe"}

package/dist/{types/server → server}/index.d.ts

@@ -18,4 +18,7 @@
 export { default as thunderid } from './thunderid';
 export { default as ThunderIDProvider } from './ThunderIDProvider.js';
 export * from './ThunderIDProvider.js';
+export { default as thunderIDProxy } from './proxy/thunderIDProxy';
+export * from './proxy/thunderIDProxy';
+export { default as createRouteMatcher } from './proxy/createRouteMatcher';
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAC,OAAO,IAAI,SAAS,EAAC,MAAM,aAAa,CAAC;AAEjD,OAAO,EAAC,OAAO,IAAI,iBAAiB,EAAC,MAAM,wBAAwB,CAAC;AACpE,cAAc,wBAAwB,CAAC;AAEvC,OAAO,EAAC,OAAO,IAAI,cAAc,EAAC,MAAM,wBAAwB,CAAC;AACjE,cAAc,wBAAwB,CAAC;AAEvC,OAAO,EAAC,OAAO,IAAI,kBAAkB,EAAC,MAAM,4BAA4B,CAAC"}

package/dist/server/index.js

@@ -0,0 +1,6 @@
+import thunderid_default from "./thunderid.js";
+import ThunderIDProvider_default from "./ThunderIDProvider.js";
+import thunderIDProxy_default from "./proxy/thunderIDProxy.js";
+import createRouteMatcher_default from "./proxy/createRouteMatcher.js";
+
+export { ThunderIDProvider_default as ThunderIDProvider, createRouteMatcher_default as createRouteMatcher, thunderIDProxy_default as thunderIDProxy, thunderid_default as thunderid };

package/dist/server/proxy/createRouteMatcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createRouteMatcher.d.ts","sourceRoot":"","sources":["../../../src/server/proxy/createRouteMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AAExC;;;;;;;;;;;;;;;;;;GAkBG;AACH,QAAA,MAAM,kBAAkB,GAAI,UAAU,MAAM,EAAE,KAAG,CAAC,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAe9E,CAAC;AAEF,eAAe,kBAAkB,CAAC"}

package/dist/server/proxy/createRouteMatcher.js

@@ -0,0 +1,35 @@
+//#region src/server/proxy/createRouteMatcher.ts
+/**
+* Creates a route matcher function that tests if a request matches any of the given patterns.
+*
+* @param patterns - Array of route patterns to match. Supports glob-like patterns.
+* @returns Function that tests if a request matches any of the patterns
+*
+* @example
+* ```typescript
+* const isProtectedRoute = createRouteMatcher([
+*   '/dashboard(.*)',
+*   '/admin(.*)',
+*   '/profile'
+* ]);
+*
+* if (isProtectedRoute(req)) {
+*   // Route is protected
+* }
+* ```
+*/
+const createRouteMatcher = (patterns) => {
+	const regexPatterns = patterns.map((pattern) => {
+		const regexPattern = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\(\.\*\)/g, "(.*)");
+		return /* @__PURE__ */ new RegExp(`^${regexPattern}$`);
+	});
+	return (req) => {
+		const { pathname } = req.nextUrl;
+		return regexPatterns.some((regex) => regex.test(pathname));
+	};
+};
+var createRouteMatcher_default = createRouteMatcher;
+
+//#endregion
+export { createRouteMatcher_default as default };
+//# sourceMappingURL=createRouteMatcher.js.map

package/dist/server/proxy/createRouteMatcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createRouteMatcher.js","names":["regexPatterns: RegExp[]","regexPattern: string"],"sources":["../../../src/server/proxy/createRouteMatcher.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {NextRequest} from 'next/server';\n\n/**\n * Creates a route matcher function that tests if a request matches any of the given patterns.\n *\n * @param patterns - Array of route patterns to match. Supports glob-like patterns.\n * @returns Function that tests if a request matches any of the patterns\n *\n * @example\n * ```typescript\n * const isProtectedRoute = createRouteMatcher([\n *   '/dashboard(.*)',\n *   '/admin(.*)',\n *   '/profile'\n * ]);\n *\n * if (isProtectedRoute(req)) {\n *   // Route is protected\n * }\n * ```\n */\nconst createRouteMatcher = (patterns: string[]): ((req: NextRequest) => boolean) => {\n  const regexPatterns: RegExp[] = patterns.map((pattern: string): RegExp => {\n    // Convert glob-like patterns to regex\n    const regexPattern: string = pattern\n      .replace(/\\./g, '\\\\.') // Escape dots\n      .replace(/\\*/g, '.*') // Convert * to .*\n      .replace(/\\(\\.\\*\\)/g, '(.*)'); // Handle explicit (.*) patterns\n\n    return new RegExp(`^${regexPattern}$`);\n  });\n\n  return (req: NextRequest): boolean => {\n    const {pathname} = req.nextUrl;\n    return regexPatterns.some((regex: RegExp): boolean => regex.test(pathname));\n  };\n};\n\nexport default createRouteMatcher;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAuCA,MAAM,sBAAsB,aAAwD;CAClF,MAAMA,gBAA0B,SAAS,KAAK,YAA4B;EAExE,MAAMC,eAAuB,QAC1B,QAAQ,OAAO,MAAM,CACrB,QAAQ,OAAO,KAAK,CACpB,QAAQ,aAAa,OAAO;AAE/B,yBAAO,IAAI,OAAO,IAAI,aAAa,GAAG;GACtC;AAEF,SAAQ,QAA8B;EACpC,MAAM,EAAC,aAAY,IAAI;AACvB,SAAO,cAAc,MAAM,UAA2B,MAAM,KAAK,SAAS,CAAC;;;AAI/E,iCAAe"}

package/dist/{types/server/middleware/thunderIDMiddleware.d.ts → server/proxy/thunderIDProxy.d.ts}

@@ -18,8 +18,8 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { ThunderIDNextConfig } from '../../models/config';
 import { SessionTokenPayload } from '../../utils/SessionManager';
-export type ThunderIDMiddlewareOptions = Partial<ThunderIDNextConfig>;
-export interface ThunderIDMiddlewareContext {
+export type ThunderIDProxyOptions = Partial<ThunderIDNextConfig>;
+export interface ThunderIDProxyContext {
     /** Get the session payload from JWT session if available */
     getSession: () => Promise<SessionTokenPayload | undefined>;
     /** Get the session ID from the current request */
@@ -39,9 +39,9 @@ export interface ThunderIDMiddlewareContext {
         redirect?: string;
     }) => Promise<NextResponse | void>;
 }
-type ThunderIDMiddlewareHandler = (thunderid: ThunderIDMiddlewareContext, req: NextRequest) => Promise<NextResponse | void> | NextResponse | void;
+type ThunderIDProxyHandler = (thunderid: ThunderIDProxyContext, req: NextRequest) => Promise<NextResponse | void> | NextResponse | void;
 /**
- * ThunderID middleware that integrates authentication into your Next.js application.
+ * ThunderID proxy that integrates authentication into your Next.js application.
  * Similar to Clerk's clerkMiddleware pattern.
  *
  * Proactively refreshes the access token when it is within REFRESH_BUFFER_SECONDS of
@@ -58,16 +58,16 @@ type ThunderIDMiddlewareHandler = (thunderid: ThunderIDMiddlewareContext, req: N
  * (NEXT_PUBLIC_THUNDERID_BASE_URL, NEXT_PUBLIC_THUNDERID_CLIENT_ID,
  * THUNDERID_CLIENT_SECRET). If none are available the refresh step is skipped silently.
  *
- * @param handler - Optional handler function to customize middleware behavior
- * @param options - Configuration options for the middleware
+ * @param handler - Optional handler function to customize proxy behavior
+ * @param options - Configuration options for the proxy
  * @returns Next.js middleware function
  *
  * @example
  * ```typescript
  * // middleware.ts - Basic usage (config read from env vars automatically)
- * import { thunderIDMiddleware } from '@thunderid/nextjs';
+ * import { thunderIDProxy } from '@thunderid/nextjs/server';
  *
- * export default thunderIDMiddleware();
+ * export default thunderIDProxy();
  *
  * export const config = {
  *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
@@ -77,17 +77,17 @@ type ThunderIDMiddlewareHandler = (thunderid: ThunderIDMiddlewareContext, req: N
  * @example
  * ```typescript
  * // With route protection
- * import { thunderIDMiddleware, createRouteMatcher } from '@thunderid/nextjs';
+ * import { thunderIDProxy, createRouteMatcher } from '@thunderid/nextjs/server';
  *
  * const isProtectedRoute = createRouteMatcher(['/dashboard(.*)']);
  *
- * export default thunderIDMiddleware(async (thunderid, req) => {
+ * export default thunderIDProxy(async (thunderid, req) => {
  *   if (isProtectedRoute(req)) {
  *     await thunderid.protectRoute();
  *   }
  * });
  * ```
  */
-declare const thunderIDMiddleware: (handler?: ThunderIDMiddlewareHandler, options?: ThunderIDMiddlewareOptions | ((req: NextRequest) => ThunderIDMiddlewareOptions)) => ((request: NextRequest) => Promise<NextResponse>);
-export default thunderIDMiddleware;
-//# sourceMappingURL=thunderIDMiddleware.d.ts.map
+declare const thunderIDProxy: (handler?: ThunderIDProxyHandler, options?: ThunderIDProxyOptions | ((req: NextRequest) => ThunderIDProxyOptions)) => ((request: NextRequest) => Promise<NextResponse>);
+export default thunderIDProxy;
+//# sourceMappingURL=thunderIDProxy.d.ts.map

package/dist/server/proxy/thunderIDProxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"thunderIDProxy.d.ts","sourceRoot":"","sources":["../../../src/server/proxy/thunderIDProxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,WAAW,EAAE,YAAY,EAAC,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAC,mBAAmB,EAAC,MAAM,qBAAqB,CAAC;AAGxD,OAAuB,EAAC,mBAAmB,EAAC,MAAM,4BAA4B,CAAC;AAG/E,MAAM,MAAM,qBAAqB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAEjE,MAAM,WAAW,qBAAqB;IACpC,4DAA4D;IAC5D,UAAU,EAAE,MAAM,OAAO,CAAC,mBAAmB,GAAG,SAAS,CAAC,CAAC;IAC3D,kDAAkD;IAClD,YAAY,EAAE,MAAM,MAAM,GAAG,SAAS,CAAC;IACvC,iEAAiE;IACjE,UAAU,EAAE,MAAM,OAAO,CAAC;IAC1B;;;;;;;;OAQG;IACH,YAAY,EAAE,CAAC,YAAY,CAAC,EAAE;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAC,KAAK,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;CACpF;AAED,KAAK,qBAAqB,GAAG,CAC3B,SAAS,EAAE,qBAAqB,EAChC,GAAG,EAAE,WAAW,KACb,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,YAAY,GAAG,IAAI,CAAC;AA4CxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,QAAA,MAAM,cAAc,GAEhB,UAAU,qBAAqB,EAC/B,UAAU,qBAAqB,GAAG,CAAC,CAAC,GAAG,EAAE,WAAW,KAAK,qBAAqB,CAAC,KAC9E,CAAC,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAoMlD,CAAC;AAEJ,eAAe,cAAc,CAAC"}