npm - @thunderid/nextjs - Versions diffs - 0.2.0 → 0.2.2 - Mend

@thunderid/nextjs 0.2.0 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (349) hide show

package/dist/server/proxy/thunderIDProxy.js ADDED Viewed

@@ -0,0 +1,180 @@
+import { REFRESH_BUFFER_SECONDS } from "../../constants/sessionConstants.js";
+import SessionManager_default from "../../utils/SessionManager.js";
+import decorateConfigWithNextEnv_default from "../../utils/decorateConfigWithNextEnv.js";
+import handleRefreshToken_default from "../../utils/handleRefreshToken.js";
+import { getSessionFromRequest, getSessionIdFromRequest } from "../../utils/sessionUtils.js";
+import { NextResponse } from "next/server";
+//#region src/server/proxy/thunderIDProxy.ts
+/**
+* Removes a named cookie from a raw Cookie header string.
+*/
+const removeCookieFromHeader = (cookieHeader, name) => cookieHeader.split(";").map((p) => p.trim()).filter((p) => {
+	const eqIdx = p.indexOf("=");
+	return (eqIdx === -1 ? p : p.slice(0, eqIdx).trim()) !== name;
+}).join("; ");
+/**
+* Replaces the value of a named cookie inside a raw Cookie header string.
+* If the cookie does not already appear in the header it is appended.
+*/
+const replaceCookieInHeader = (cookieHeader, name, value) => {
+	const parts = cookieHeader.split(";").map((p) => p.trim()).filter(Boolean);
+	let found = false;
+	const updated = parts.map((part) => {
+		const eqIdx = part.indexOf("=");
+		if ((eqIdx === -1 ? part : part.slice(0, eqIdx).trim()) === name) {
+			found = true;
+			return `${name}=${value}`;
+		}
+		return part;
+	});
+	if (!found) updated.push(`${name}=${value}`);
+	return updated.join("; ");
+};
+/**
+* ThunderID proxy that integrates authentication into your Next.js application.
+* Similar to Clerk's clerkMiddleware pattern.
+*
+* Proactively refreshes the access token when it is within REFRESH_BUFFER_SECONDS of
+* expiry so that Server Components always receive a fresh session. The refresh also
+* recovers expired tokens as long as a refresh token is present.
+*
+* The updated session cookie is written to:
+*   - The response  → browser stores the new cookie for subsequent requests.
+*   - The forwarded request headers → the same-request Server Component render sees
+*     the fresh token immediately without waiting for the next navigation.
+*
+* Token refresh requires baseUrl, clientId, and clientSecret. These are resolved from
+* the options argument first, then from the standard ThunderID environment variables
+* (NEXT_PUBLIC_THUNDERID_BASE_URL, NEXT_PUBLIC_THUNDERID_CLIENT_ID,
+* THUNDERID_CLIENT_SECRET). If none are available the refresh step is skipped silently.
+*
+* @param handler - Optional handler function to customize proxy behavior
+* @param options - Configuration options for the proxy
+* @returns Next.js middleware function
+*
+* @example
+* ```typescript
+* // middleware.ts - Basic usage (config read from env vars automatically)
+* import { thunderIDProxy } from '@thunderid/nextjs/server';
+*
+* export default thunderIDProxy();
+*
+* export const config = {
+*   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+* };
+* ```
+*
+* @example
+* ```typescript
+* // With route protection
+* import { thunderIDProxy, createRouteMatcher } from '@thunderid/nextjs/server';
+*
+* const isProtectedRoute = createRouteMatcher(['/dashboard(.*)']);
+*
+* export default thunderIDProxy(async (thunderid, req) => {
+*   if (isProtectedRoute(req)) {
+*     await thunderid.protectRoute();
+*   }
+* });
+* ```
+*/
+const thunderIDProxy = (handler, options) => async (request) => {
+	const resolvedConfig = decorateConfigWithNextEnv_default(typeof options === "function" ? options(request) : options || {});
+	const url = new URL(request.url);
+	const hasCallbackParams = url.searchParams.has("code") && url.searchParams.has("state");
+	let isValidOAuthCallback = false;
+	if (hasCallbackParams && !url.searchParams.has("error")) {
+		const tempSessionToken = request.cookies.get(SessionManager_default.getTempSessionCookieName())?.value;
+		if (tempSessionToken) try {
+			await SessionManager_default.verifyTempSession(tempSessionToken);
+			isValidOAuthCallback = true;
+		} catch {
+			isValidOAuthCallback = false;
+		}
+	}
+	const verifiedSession = await getSessionFromRequest(request);
+	let expiredSession;
+	if (!verifiedSession) {
+		const rawToken = request.cookies.get(SessionManager_default.getSessionCookieName())?.value;
+		if (rawToken) try {
+			const decoded = await SessionManager_default.verifySessionTokenForRefresh(rawToken);
+			if (decoded.refreshToken) expiredSession = decoded;
+		} catch {}
+	}
+	const now = Math.floor(Date.now() / 1e3);
+	const candidateSession = verifiedSession ?? expiredSession;
+	const hasRefreshConfig = !!(resolvedConfig.baseUrl && resolvedConfig.clientId && resolvedConfig.clientSecret);
+	const needsRefresh = !isValidOAuthCallback && hasRefreshConfig && !!candidateSession?.refreshToken && (!!verifiedSession && verifiedSession.exp <= now + REFRESH_BUFFER_SECONDS || !!expiredSession);
+	let activeSession = verifiedSession;
+	let refreshCookieUpdate;
+	if (needsRefresh && candidateSession) try {
+		const { newSessionToken, sessionCookieExpiryTime } = await handleRefreshToken_default(candidateSession, {
+			baseUrl: resolvedConfig.baseUrl,
+			clientId: resolvedConfig.clientId,
+			clientSecret: resolvedConfig.clientSecret,
+			sessionCookie: resolvedConfig.sessionCookie
+		});
+		activeSession = await SessionManager_default.verifySessionToken(newSessionToken);
+		refreshCookieUpdate = {
+			expiry: sessionCookieExpiryTime,
+			token: newSessionToken
+		};
+	} catch {
+		activeSession = void 0;
+	}
+	const rawSessionCookie = request.cookies.get(SessionManager_default.getSessionCookieName())?.value;
+	let shouldClearCookie = false;
+	if (!isValidOAuthCallback && rawSessionCookie && !activeSession && !refreshCookieUpdate) shouldClearCookie = true;
+	const sessionId = activeSession?.sessionId ?? await getSessionIdFromRequest(request);
+	const isAuthenticated = !!activeSession;
+	const handlerResponse = handler ? await handler({
+		getSession: async () => activeSession,
+		getSessionId: () => sessionId,
+		isSignedIn: () => isAuthenticated,
+		protectRoute: async (routeOptions) => {
+			if (isValidOAuthCallback) return;
+			if (!isAuthenticated) {
+				const referer = request.headers.get("referer");
+				let fallbackRedirect = "/";
+				if (referer) try {
+					const refererUrl = new URL(referer);
+					const requestUrl = new URL(request.url);
+					if (refererUrl.origin === requestUrl.origin) fallbackRedirect = refererUrl.pathname + refererUrl.search;
+				} catch {}
+				const redirectUrl = routeOptions?.redirect ?? resolvedConfig.signInUrl ?? fallbackRedirect;
+				return NextResponse.redirect(new URL(redirectUrl, request.url));
+			}
+		}
+	}, request) : void 0;
+	if (shouldClearCookie) {
+		const cookieName$1 = SessionManager_default.getSessionCookieName();
+		if (handlerResponse) {
+			handlerResponse.cookies.delete(cookieName$1);
+			return handlerResponse;
+		}
+		const requestHeaders$1 = new Headers(request.headers);
+		requestHeaders$1.set("cookie", removeCookieFromHeader(request.headers.get("cookie") ?? "", cookieName$1));
+		const cleanResponse = NextResponse.next({ request: { headers: requestHeaders$1 } });
+		cleanResponse.cookies.delete(cookieName$1);
+		return cleanResponse;
+	}
+	if (!refreshCookieUpdate) return handlerResponse ?? NextResponse.next();
+	const cookieName = SessionManager_default.getSessionCookieName();
+	const cookieOptions = SessionManager_default.getSessionCookieOptions(refreshCookieUpdate.expiry);
+	if (handlerResponse) {
+		handlerResponse.cookies.set(cookieName, refreshCookieUpdate.token, cookieOptions);
+		return handlerResponse;
+	}
+	const requestHeaders = new Headers(request.headers);
+	const updatedCookieHeader = replaceCookieInHeader(request.headers.get("cookie") ?? "", cookieName, refreshCookieUpdate.token);
+	requestHeaders.set("cookie", updatedCookieHeader);
+	const response = NextResponse.next({ request: { headers: requestHeaders } });
+	response.cookies.set(cookieName, refreshCookieUpdate.token, cookieOptions);
+	return response;
+};
+var thunderIDProxy_default = thunderIDProxy;
+//#endregion
+export { thunderIDProxy_default as default };
+//# sourceMappingURL=thunderIDProxy.js.map

package/dist/server/proxy/thunderIDProxy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"thunderIDProxy.js","names":["eqIdx: number","parts: string[]","updated: string[]","resolvedConfig: ThunderIDNextConfig","decorateConfigWithNextEnv","url: URL","hasCallbackParams: boolean","tempSessionToken: string | undefined","SessionManager","verifiedSession: SessionTokenPayload | undefined","expiredSession: SessionTokenPayload | undefined","rawToken: string | undefined","decoded: SessionTokenPayload","now: number","candidateSession: SessionTokenPayload | undefined","needsRefresh: boolean","activeSession: SessionTokenPayload | undefined","refreshCookieUpdate: {expiry: number; token: string} | undefined","handleRefreshToken","rawSessionCookie: string | undefined","sessionId: string | undefined","handlerResponse: NextResponse | void","referer: string | null","refererUrl: URL","requestUrl: URL","redirectUrl: string","cookieName: string","cookieName","requestHeaders: Headers","cleanResponse: NextResponse","requestHeaders","cookieOptions: ReturnType<typeof SessionManager.getSessionCookieOptions>","updatedCookieHeader: string","response: NextResponse"],"sources":["../../../src/server/proxy/thunderIDProxy.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {NextRequest, NextResponse} from 'next/server';\nimport {REFRESH_BUFFER_SECONDS} from '../../constants/sessionConstants';\nimport {ThunderIDNextConfig} from '../../models/config';\nimport decorateConfigWithNextEnv from '../../utils/decorateConfigWithNextEnv';\nimport handleRefreshToken from '../../utils/handleRefreshToken';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\nimport {getSessionFromRequest, getSessionIdFromRequest} from '../../utils/sessionUtils';\n\nexport type ThunderIDProxyOptions = Partial<ThunderIDNextConfig>;\n\nexport interface ThunderIDProxyContext {\n /** Get the session payload from JWT session if available */\n getSession: () => Promise<SessionTokenPayload | undefined>;\n /** Get the session ID from the current request */\n getSessionId: () => string | undefined;\n /** Check if the current request has a valid ThunderID session */\n isSignedIn: () => boolean;\n /**\n * Protect a route by redirecting unauthenticated users.\n * Redirect URL fallback order:\n * 1. options.redirect\n * 2. resolvedOptions.signInUrl\n * 3. resolvedOptions.defaultRedirect\n * 4. referer (if from same origin)\n * If none are available, falls back to '/'.\n */\n protectRoute: (routeOptions?: {redirect?: string}) => Promise<NextResponse | void>;\n}\n\ntype ThunderIDProxyHandler = (\n thunderid: ThunderIDProxyContext,\n req: NextRequest,\n) => Promise<NextResponse | void> | NextResponse | void;\n\n/**\n * Removes a named cookie from a raw Cookie header string.\n */\nconst removeCookieFromHeader = (cookieHeader: string, name: string): string =>\n cookieHeader\n .split(';')\n .map((p: string) => p.trim())\n .filter((p: string) => {\n const eqIdx: number = p.indexOf('=');\n const partName: string = eqIdx === -1 ? p : p.slice(0, eqIdx).trim();\n return partName !== name;\n })\n .join('; ');\n\n/**\n * Replaces the value of a named cookie inside a raw Cookie header string.\n * If the cookie does not already appear in the header it is appended.\n */\nconst replaceCookieInHeader = (cookieHeader: string, name: string, value: string): string => {\n const parts: string[] = cookieHeader\n .split(';')\n .map((p: string) => p.trim())\n .filter(Boolean);\n\n let found = false;\n const updated: string[] = parts.map((part: string) => {\n const eqIdx: number = part.indexOf('=');\n const partName: string = eqIdx === -1 ? part : part.slice(0, eqIdx).trim();\n if (partName === name) {\n found = true;\n return `${name}=${value}`;\n }\n return part;\n });\n\n if (!found) {\n updated.push(`${name}=${value}`);\n }\n\n return updated.join('; ');\n};\n\n/**\n * ThunderID proxy that integrates authentication into your Next.js application.\n * Similar to Clerk's clerkMiddleware pattern.\n *\n * Proactively refreshes the access token when it is within REFRESH_BUFFER_SECONDS of\n * expiry so that Server Components always receive a fresh session. The refresh also\n * recovers expired tokens as long as a refresh token is present.\n *\n * The updated session cookie is written to:\n * - The response → browser stores the new cookie for subsequent requests.\n * - The forwarded request headers → the same-request Server Component render sees\n * the fresh token immediately without waiting for the next navigation.\n *\n * Token refresh requires baseUrl, clientId, and clientSecret. These are resolved from\n * the options argument first, then from the standard ThunderID environment variables\n * (NEXT_PUBLIC_THUNDERID_BASE_URL, NEXT_PUBLIC_THUNDERID_CLIENT_ID,\n * THUNDERID_CLIENT_SECRET). If none are available the refresh step is skipped silently.\n *\n * @param handler - Optional handler function to customize proxy behavior\n * @param options - Configuration options for the proxy\n * @returns Next.js middleware function\n *\n * @example\n * ```typescript\n * // middleware.ts - Basic usage (config read from env vars automatically)\n * import { thunderIDProxy } from '@thunderid/nextjs/server';\n *\n * export default thunderIDProxy();\n *\n * export const config = {\n * matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],\n * };\n * ```\n *\n * @example\n * ```typescript\n * // With route protection\n * import { thunderIDProxy, createRouteMatcher } from '@thunderid/nextjs/server';\n *\n * const isProtectedRoute = createRouteMatcher(['/dashboard(.*)']);\n *\n * export default thunderIDProxy(async (thunderid, req) => {\n * if (isProtectedRoute(req)) {\n * await thunderid.protectRoute();\n * }\n * });\n * ```\n */\nconst thunderIDProxy =\n (\n handler?: ThunderIDProxyHandler,\n options?: ThunderIDProxyOptions | ((req: NextRequest) => ThunderIDProxyOptions),\n ): ((request: NextRequest) => Promise<NextResponse>) =>\n async (request: NextRequest): Promise<NextResponse> => {\n const resolvedOptions: ThunderIDProxyOptions = typeof options === 'function' ? options(request) : options || {};\n\n // Resolve full config from passed options + environment variable fallbacks.\n const resolvedConfig: ThunderIDNextConfig = decorateConfigWithNextEnv(resolvedOptions as ThunderIDNextConfig);\n\n // ── OAuth callback detection ──────────────────────────────────────────────\n const url: URL = new URL(request.url);\n const hasCallbackParams: boolean = url.searchParams.has('code') && url.searchParams.has('state');\n\n let isValidOAuthCallback = false;\n if (hasCallbackParams && !url.searchParams.has('error')) {\n const tempSessionToken: string | undefined = request.cookies.get(\n SessionManager.getTempSessionCookieName(),\n )?.value;\n if (tempSessionToken) {\n try {\n await SessionManager.verifyTempSession(tempSessionToken);\n isValidOAuthCallback = true;\n } catch {\n isValidOAuthCallback = false;\n }\n }\n }\n\n // ── Session resolution ────────────────────────────────────────────────────\n // Step 1: Attempt to get a fully verified (signature + expiry) session.\n const verifiedSession: SessionTokenPayload | undefined = await getSessionFromRequest(request);\n\n // Step 2: If no verified session exists, verify the raw cookie's signature\n // without enforcing expiry. This allows the proxy to recover from an\n // expired access token as long as the JWT is authentic and a refresh token\n // is present. Skipping the signature check here would let a tampered cookie\n // drive identity-confusion attacks since handleRefreshToken reuses `sub`,\n // `sessionId`, and `organizationId` from the input payload when minting the\n // new session JWT.\n let expiredSession: SessionTokenPayload | undefined;\n if (!verifiedSession) {\n const rawToken: string | undefined = request.cookies.get(SessionManager.getSessionCookieName())?.value;\n if (rawToken) {\n try {\n const decoded: SessionTokenPayload = await SessionManager.verifySessionTokenForRefresh(rawToken);\n if (decoded.refreshToken) {\n expiredSession = decoded;\n }\n } catch {\n // Forged, tampered, wrong type, or malformed — ignore.\n }\n }\n }\n\n // ── Token refresh ─────────────────────────────────────────────────────────\n const now: number = Math.floor(Date.now() / 1000);\n const candidateSession: SessionTokenPayload | undefined = verifiedSession ?? expiredSession;\n\n // Config is required to call the token endpoint.\n const hasRefreshConfig = !!(resolvedConfig.baseUrl && resolvedConfig.clientId && resolvedConfig.clientSecret);\n\n // Refresh when:\n // a) Token is verified but within the proactive buffer window, OR\n // b) Token has already expired but a refresh token is available.\n const needsRefresh: boolean =\n !isValidOAuthCallback &&\n hasRefreshConfig &&\n !!candidateSession?.refreshToken &&\n ((!!verifiedSession && verifiedSession.exp <= now + REFRESH_BUFFER_SECONDS) || !!expiredSession);\n\n let activeSession: SessionTokenPayload | undefined = verifiedSession;\n let refreshCookieUpdate: {expiry: number; token: string} | undefined;\n\n if (needsRefresh && candidateSession) {\n try {\n const {newSessionToken, sessionCookieExpiryTime} = await handleRefreshToken(candidateSession, {\n baseUrl: resolvedConfig.baseUrl!,\n clientId: resolvedConfig.clientId!,\n clientSecret: resolvedConfig.clientSecret!,\n sessionCookie: resolvedConfig.sessionCookie,\n });\n // Verify the newly minted token so activeSession reflects fresh claims.\n activeSession = await SessionManager.verifySessionToken(newSessionToken);\n refreshCookieUpdate = {expiry: sessionCookieExpiryTime, token: newSessionToken};\n } catch {\n // Refresh failed — clear the irrecoverable session.\n activeSession = undefined;\n }\n }\n\n // ── Session cleanup detection ─────────────────────────────────────────────\n // Mark stale cookies for deletion when the session is irrecoverable. Skipped\n // during OAuth callbacks where a session cookie may not exist yet.\n const rawSessionCookie: string | undefined = request.cookies.get(SessionManager.getSessionCookieName())?.value;\n\n let shouldClearCookie = false;\n\n if (!isValidOAuthCallback && rawSessionCookie && !activeSession && !refreshCookieUpdate) {\n // A cookie was present but all resolution paths (verify, decode, refresh)\n // failed — the session is dead and cannot be recovered.\n shouldClearCookie = true;\n }\n\n const sessionId: string | undefined = activeSession?.sessionId ?? (await getSessionIdFromRequest(request));\n const isAuthenticated = !!activeSession;\n\n // ── Proxy context ─────────────────────────────────────────────────────────\n const thunderid: ThunderIDProxyContext = {\n getSession: async (): Promise<SessionTokenPayload | undefined> => activeSession,\n getSessionId: (): string | undefined => sessionId,\n isSignedIn: (): boolean => isAuthenticated,\n protectRoute: async (routeOptions?: {redirect?: string}): Promise<NextResponse | void> => {\n // Skip during a valid OAuth callback to avoid redirecting before the\n // callback action has had a chance to complete.\n if (isValidOAuthCallback) {\n return undefined;\n }\n\n if (!isAuthenticated) {\n const referer: string | null = request.headers.get('referer');\n let fallbackRedirect = '/';\n\n if (referer) {\n try {\n const refererUrl: URL = new URL(referer);\n const requestUrl: URL = new URL(request.url);\n if (refererUrl.origin === requestUrl.origin) {\n fallbackRedirect = refererUrl.pathname + refererUrl.search;\n }\n } catch {\n // Invalid referer — ignore.\n }\n }\n\n const redirectUrl: string = routeOptions?.redirect ?? resolvedConfig.signInUrl! ?? fallbackRedirect;\n\n return NextResponse.redirect(new URL(redirectUrl, request.url));\n }\n\n return undefined;\n },\n };\n\n // ── Handler ───────────────────────────────────────────────────────────────\n const handlerResponse: NextResponse | void = handler ? await handler(thunderid, request) : undefined;\n\n // ── Build final response ──────────────────────────────────────────────────\n if (shouldClearCookie) {\n const cookieName: string = SessionManager.getSessionCookieName();\n\n if (handlerResponse) {\n // Handler returned a response (e.g. a redirect from protectRoute).\n // Attach the deletion so the browser discards the stale cookie.\n handlerResponse.cookies.delete(cookieName);\n return handlerResponse;\n }\n\n // Pass-through: strip the dead cookie from the forwarded request headers\n // so the same-request Server Component render sees no session at all.\n const requestHeaders: Headers = new Headers(request.headers);\n requestHeaders.set('cookie', removeCookieFromHeader(request.headers.get('cookie') ?? '', cookieName));\n const cleanResponse: NextResponse = NextResponse.next({request: {headers: requestHeaders}});\n cleanResponse.cookies.delete(cookieName);\n return cleanResponse;\n }\n\n if (!refreshCookieUpdate) {\n return handlerResponse ?? NextResponse.next();\n }\n\n // A token refresh occurred — the new session cookie must be applied to:\n // 1. The HTTP response so the browser stores the updated cookie.\n // 2. The forwarded request headers so the same-request Server Component\n // render reads the fresh session token instead of the expired one.\n const cookieName: string = SessionManager.getSessionCookieName();\n const cookieOptions: ReturnType<typeof SessionManager.getSessionCookieOptions> =\n SessionManager.getSessionCookieOptions(refreshCookieUpdate.expiry);\n\n if (handlerResponse) {\n // Handler returned a response (e.g. a redirect from protectRoute).\n // Attach the refresh cookie so the browser receives it even on redirects.\n handlerResponse.cookies.set(cookieName, refreshCookieUpdate.token, cookieOptions);\n return handlerResponse;\n }\n\n // Default pass-through: update both the response cookie and the request\n // Cookie header so the downstream Server Component render is not stale.\n const requestHeaders: Headers = new Headers(request.headers);\n const updatedCookieHeader: string = replaceCookieInHeader(\n request.headers.get('cookie') ?? '',\n cookieName,\n refreshCookieUpdate.token,\n );\n requestHeaders.set('cookie', updatedCookieHeader);\n\n const response: NextResponse = NextResponse.next({request: {headers: requestHeaders}});\n response.cookies.set(cookieName, refreshCookieUpdate.token, cookieOptions);\n return response;\n };\n\nexport default thunderIDProxy;\n"],"mappings":";;;;;;;;;;;AAuDA,MAAM,0BAA0B,cAAsB,SACpD,aACG,MAAM,IAAI,CACV,KAAK,MAAc,EAAE,MAAM,CAAC,CAC5B,QAAQ,MAAc;CACrB,MAAMA,QAAgB,EAAE,QAAQ,IAAI;AAEpC,SADyB,UAAU,KAAK,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,MAChD;EACpB,CACD,KAAK,KAAK;;;;;AAMf,MAAM,yBAAyB,cAAsB,MAAc,UAA0B;CAC3F,MAAMC,QAAkB,aACrB,MAAM,IAAI,CACV,KAAK,MAAc,EAAE,MAAM,CAAC,CAC5B,OAAO,QAAQ;CAElB,IAAI,QAAQ;CACZ,MAAMC,UAAoB,MAAM,KAAK,SAAiB;EACpD,MAAMF,QAAgB,KAAK,QAAQ,IAAI;AAEvC,OADyB,UAAU,KAAK,OAAO,KAAK,MAAM,GAAG,MAAM,CAAC,MAAM,MACzD,MAAM;AACrB,WAAQ;AACR,UAAO,GAAG,KAAK,GAAG;;AAEpB,SAAO;GACP;AAEF,KAAI,CAAC,MACH,SAAQ,KAAK,GAAG,KAAK,GAAG,QAAQ;AAGlC,QAAO,QAAQ,KAAK,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmD3B,MAAM,kBAEF,SACA,YAEF,OAAO,YAAgD;CAIrD,MAAMG,iBAAsCC,kCAHG,OAAO,YAAY,aAAa,QAAQ,QAAQ,GAAG,WAAW,EAAE,CAGF;CAG7G,MAAMC,MAAW,IAAI,IAAI,QAAQ,IAAI;CACrC,MAAMC,oBAA6B,IAAI,aAAa,IAAI,OAAO,IAAI,IAAI,aAAa,IAAI,QAAQ;CAEhG,IAAI,uBAAuB;AAC3B,KAAI,qBAAqB,CAAC,IAAI,aAAa,IAAI,QAAQ,EAAE;EACvD,MAAMC,mBAAuC,QAAQ,QAAQ,IAC3DC,uBAAe,0BAA0B,CAC1C,EAAE;AACH,MAAI,iBACF,KAAI;AACF,SAAMA,uBAAe,kBAAkB,iBAAiB;AACxD,0BAAuB;UACjB;AACN,0BAAuB;;;CAO7B,MAAMC,kBAAmD,MAAM,sBAAsB,QAAQ;CAS7F,IAAIC;AACJ,KAAI,CAAC,iBAAiB;EACpB,MAAMC,WAA+B,QAAQ,QAAQ,IAAIH,uBAAe,sBAAsB,CAAC,EAAE;AACjG,MAAI,SACF,KAAI;GACF,MAAMI,UAA+B,MAAMJ,uBAAe,6BAA6B,SAAS;AAChG,OAAI,QAAQ,aACV,kBAAiB;UAEb;;CAOZ,MAAMK,MAAc,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACjD,MAAMC,mBAAoD,mBAAmB;CAG7E,MAAM,mBAAmB,CAAC,EAAE,eAAe,WAAW,eAAe,YAAY,eAAe;CAKhG,MAAMC,eACJ,CAAC,wBACD,oBACA,CAAC,CAAC,kBAAkB,iBAClB,CAAC,CAAC,mBAAmB,gBAAgB,OAAO,MAAM,0BAA2B,CAAC,CAAC;CAEnF,IAAIC,gBAAiD;CACrD,IAAIC;AAEJ,KAAI,gBAAgB,iBAClB,KAAI;EACF,MAAM,EAAC,iBAAiB,4BAA2B,MAAMC,2BAAmB,kBAAkB;GAC5F,SAAS,eAAe;GACxB,UAAU,eAAe;GACzB,cAAc,eAAe;GAC7B,eAAe,eAAe;GAC/B,CAAC;AAEF,kBAAgB,MAAMV,uBAAe,mBAAmB,gBAAgB;AACxE,wBAAsB;GAAC,QAAQ;GAAyB,OAAO;GAAgB;SACzE;AAEN,kBAAgB;;CAOpB,MAAMW,mBAAuC,QAAQ,QAAQ,IAAIX,uBAAe,sBAAsB,CAAC,EAAE;CAEzG,IAAI,oBAAoB;AAExB,KAAI,CAAC,wBAAwB,oBAAoB,CAAC,iBAAiB,CAAC,oBAGlE,qBAAoB;CAGtB,MAAMY,YAAgC,eAAe,aAAc,MAAM,wBAAwB,QAAQ;CACzG,MAAM,kBAAkB,CAAC,CAAC;CAwC1B,MAAMC,kBAAuC,UAAU,MAAM,QArCpB;EACvC,YAAY,YAAsD;EAClE,oBAAwC;EACxC,kBAA2B;EAC3B,cAAc,OAAO,iBAAqE;AAGxF,OAAI,qBACF;AAGF,OAAI,CAAC,iBAAiB;IACpB,MAAMC,UAAyB,QAAQ,QAAQ,IAAI,UAAU;IAC7D,IAAI,mBAAmB;AAEvB,QAAI,QACF,KAAI;KACF,MAAMC,aAAkB,IAAI,IAAI,QAAQ;KACxC,MAAMC,aAAkB,IAAI,IAAI,QAAQ,IAAI;AAC5C,SAAI,WAAW,WAAW,WAAW,OACnC,oBAAmB,WAAW,WAAW,WAAW;YAEhD;IAKV,MAAMC,cAAsB,cAAc,YAAY,eAAe,aAAc;AAEnF,WAAO,aAAa,SAAS,IAAI,IAAI,aAAa,QAAQ,IAAI,CAAC;;;EAKpE,EAG+E,QAAQ,GAAG;AAG3F,KAAI,mBAAmB;EACrB,MAAMC,eAAqBlB,uBAAe,sBAAsB;AAEhE,MAAI,iBAAiB;AAGnB,mBAAgB,QAAQ,OAAOmB,aAAW;AAC1C,UAAO;;EAKT,MAAMC,mBAA0B,IAAI,QAAQ,QAAQ,QAAQ;AAC5D,mBAAe,IAAI,UAAU,uBAAuB,QAAQ,QAAQ,IAAI,SAAS,IAAI,IAAID,aAAW,CAAC;EACrG,MAAME,gBAA8B,aAAa,KAAK,EAAC,SAAS,EAAC,SAASC,kBAAe,EAAC,CAAC;AAC3F,gBAAc,QAAQ,OAAOH,aAAW;AACxC,SAAO;;AAGT,KAAI,CAAC,oBACH,QAAO,mBAAmB,aAAa,MAAM;CAO/C,MAAMD,aAAqBlB,uBAAe,sBAAsB;CAChE,MAAMuB,gBACJvB,uBAAe,wBAAwB,oBAAoB,OAAO;AAEpE,KAAI,iBAAiB;AAGnB,kBAAgB,QAAQ,IAAI,YAAY,oBAAoB,OAAO,cAAc;AACjF,SAAO;;CAKT,MAAMoB,iBAA0B,IAAI,QAAQ,QAAQ,QAAQ;CAC5D,MAAMI,sBAA8B,sBAClC,QAAQ,QAAQ,IAAI,SAAS,IAAI,IACjC,YACA,oBAAoB,MACrB;AACD,gBAAe,IAAI,UAAU,oBAAoB;CAEjD,MAAMC,WAAyB,aAAa,KAAK,EAAC,SAAS,EAAC,SAAS,gBAAe,EAAC,CAAC;AACtF,UAAS,QAAQ,IAAI,YAAY,oBAAoB,OAAO,cAAc;AAC1E,QAAO;;AAGX,6BAAe"}

package/dist/server/thunderid.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"thunderid.d.ts","sourceRoot":"","sources":["../../src/server/thunderid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,0BAA0B,EAAE,aAAa,EAAC,MAAM,iBAAiB,CAAC;AAG1E,OAAO,EAAC,mBAAmB,EAAC,MAAM,kBAAkB,CAAC;AAErD,QAAA,MAAM,SAAS,QAAa,OAAO,CAAC;IAClC,aAAa,EAAE,CAAC,MAAM,EAAE,0BAA0B,EAAE,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,GAAG,QAAQ,CAAC,CAAC;IAC5G,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACvD,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAChD,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1E,CA2BA,CAAC;AAEF,eAAe,SAAS,CAAC"}

package/dist/server/thunderid.js ADDED Viewed

@@ -0,0 +1,27 @@
+import getSessionId_default from "./actions/getSessionId.js";
+import getClient_default from "./getClient.js";
+//#region src/server/thunderid.ts
+const thunderid = async () => {
+	const getAccessToken = async (sessionId) => {
+		return getClient_default().getAccessToken(sessionId);
+	};
+	const getSessionId = async () => getSessionId_default();
+	const exchangeToken = async (config, sessionId) => {
+		return getClient_default().exchangeToken(config, sessionId);
+	};
+	const reInitialize = async (config) => {
+		return getClient_default().reInitialize(config);
+	};
+	return {
+		exchangeToken,
+		getAccessToken,
+		getSessionId,
+		reInitialize
+	};
+};
+var thunderid_default = thunderid;
+//#endregion
+export { thunderid_default as default };
+//# sourceMappingURL=thunderid.js.map

package/dist/server/thunderid.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"thunderid.js","names":["getClient","getSessionIdAction"],"sources":["../../src/server/thunderid.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {TokenExchangeRequestConfig, TokenResponse} from '@thunderid/node';\nimport getSessionIdAction from './actions/getSessionId';\nimport getClient from './getClient';\nimport {ThunderIDNextConfig} from '../models/config';\n\nconst thunderid = async (): Promise<{\n exchangeToken: (config: TokenExchangeRequestConfig, sessionId: string) => Promise<TokenResponse | Response>;\n getAccessToken: (sessionId: string) => Promise<string>;\n getSessionId: () => Promise<string | undefined>;\n reInitialize: (config: Partial<ThunderIDNextConfig>) => Promise<boolean>;\n}> => {\n const getAccessToken = async (sessionId: string): Promise<string> => {\n const client = getClient();\n return client.getAccessToken(sessionId);\n };\n\n const getSessionId = async (): Promise<string | undefined> => getSessionIdAction();\n\n const exchangeToken = async (\n config: TokenExchangeRequestConfig,\n sessionId: string,\n ): Promise<TokenResponse | Response> => {\n const client = getClient();\n return client.exchangeToken(config, sessionId);\n };\n\n const reInitialize = async (config: Partial<ThunderIDNextConfig>): Promise<boolean> => {\n const client = getClient();\n return client.reInitialize(config);\n };\n\n return {\n exchangeToken,\n getAccessToken,\n getSessionId,\n reInitialize,\n };\n};\n\nexport default thunderid;\n"],"mappings":";;;;AAuBA,MAAM,YAAY,YAKZ;CACJ,MAAM,iBAAiB,OAAO,cAAuC;AAEnE,SADeA,mBAAW,CACZ,eAAe,UAAU;;CAGzC,MAAM,eAAe,YAAyCC,sBAAoB;CAElF,MAAM,gBAAgB,OACpB,QACA,cACsC;AAEtC,SADeD,mBAAW,CACZ,cAAc,QAAQ,UAAU;;CAGhD,MAAM,eAAe,OAAO,WAA2D;AAErF,SADeA,mBAAW,CACZ,aAAa,OAAO;;AAGpC,QAAO;EACL;EACA;EACA;EACA;EACD;;AAGH,wBAAe"}

package/dist/utils/SessionManager.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SessionManager.d.ts","sourceRoot":"","sources":["../../src/utils/SessionManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAoC,UAAU,EAAC,MAAM,MAAM,CAAC;AAGnE;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,UAAU;IACrD,8FAA8F;IAC9F,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,yEAAyE;IACzE,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB;IACnB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,0EAA0E;IAC1E,IAAI,EAAE,SAAS,CAAC;CACjB;AAED;;GAEG;AACH,cAAM,cAAc;IAClB;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,SAAS;IAqBxB;;OAEG;WACU,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAelE;;;;;;;OAOG;IACH,MAAM,CAAC,0BAA0B,CAAC,gBAAgB,CAAC,EAAE,MAAM,GAAG,MAAM;WAkBvD,kBAAkB,CAC7B,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,qBAAqB,EAAE,MAAM,EAC7B,YAAY,EAAE,MAAM,EACpB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,MAAM,CAAC;IAoBlB;;OAEG;WACU,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAoB5E;;;;;;;;;;OAUG;WACU,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAqBtF;;OAEG;WACU,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC,CAAC;IAoB3E;;OAEG;IACH,MAAM,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG;QAC9C,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,KAAK,CAAC;QAChB,MAAM,EAAE,OAAO,CAAC;KACjB;IAUD;;OAEG;IACH,MAAM,CAAC,2BAA2B,IAAI;QACpC,QAAQ,EAAE,OAAO,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,KAAK,CAAC;QAChB,MAAM,EAAE,OAAO,CAAC;KACjB;IAUD;;OAEG;IACH,MAAM,CAAC,oBAAoB,IAAI,MAAM;IAIrC;;OAEG;IACH,MAAM,CAAC,wBAAwB,IAAI,MAAM;CAG1C;AAED,eAAe,cAAc,CAAC"}

package/dist/utils/SessionManager.js ADDED Viewed

@@ -0,0 +1,147 @@
+import { DEFAULT_SESSION_COOKIE_EXPIRY_TIME } from "../constants/sessionConstants.js";
+import { CookieConfig, ThunderIDRuntimeError } from "@thunderid/node";
+import { SignJWT, compactVerify, jwtVerify } from "jose";
+//#region src/utils/SessionManager.ts
+/**
+* Session management utility class for JWT-based session cookies
+*/
+var SessionManager = class {
+	/**
+	* Get the signing secret from environment variable
+	* Throws error in production if not set
+	*/
+	static getSecret() {
+		const secret = process.env["THUNDERID_SECRET"];
+		if (!secret) {
+			if (process.env["NODE_ENV"] === "production") throw new ThunderIDRuntimeError("THUNDERID_SECRET environment variable is required in production", "session-secret-required", "nextjs", "Set the THUNDERID_SECRET environment variable with a secure random string");
+			console.warn("Using default secret for development. Set THUNDERID_SECRET for production!");
+			return new TextEncoder().encode("development-secret-not-for-production");
+		}
+		return new TextEncoder().encode(secret);
+	}
+	/**
+	* Create a temporary session cookie for login initiation
+	*/
+	static async createTempSession(sessionId) {
+		const secret = this.getSecret();
+		return await new SignJWT({
+			sessionId,
+			type: "temp"
+		}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(secret);
+	}
+	/**
+	* Resolve the session cookie expiry time in seconds.
+	*
+	* Resolution order (first defined value wins):
+	*   1. `configuredExpiry` — value from `ThunderIDNodeConfig.sessionCookie?.expiryTime`
+	*   2. `THUNDERID_SESSION_COOKIE_EXPIRY_TIME` environment variable
+	*   3. `DEFAULT_SESSION_COOKIE_EXPIRY_TIME` (24 hours)
+	*/
+	static resolveSessionCookieExpiry(configuredExpiry) {
+		if (configuredExpiry != null && configuredExpiry > 0) return configuredExpiry;
+		const envValue = process.env["THUNDERID_SESSION_COOKIE_EXPIRY_TIME"];
+		if (envValue) {
+			const parsed = parseInt(envValue, 10);
+			if (!Number.isNaN(parsed) && parsed > 0) return parsed;
+		}
+		return DEFAULT_SESSION_COOKIE_EXPIRY_TIME;
+	}
+	static async createSessionToken(accessToken, userId, sessionId, scopes, accessTokenTtlSeconds, refreshToken, organizationId) {
+		const secret = this.getSecret();
+		return await new SignJWT({
+			accessToken,
+			organizationId,
+			refreshToken,
+			scopes,
+			sessionId,
+			type: "session"
+		}).setProtectedHeader({ alg: "HS256" }).setSubject(userId).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + accessTokenTtlSeconds).sign(secret);
+	}
+	/**
+	* Verify and decode a session token
+	*/
+	static async verifySessionToken(token) {
+		try {
+			const { payload } = await jwtVerify(token, this.getSecret());
+			if (payload["type"] !== "session") throw new Error("Invalid token type");
+			return payload;
+		} catch (error) {
+			throw new ThunderIDRuntimeError(`Invalid session token: ${error instanceof Error ? error.message : "Unknown error"}`, "invalid-session-token", "nextjs", "Session token verification failed");
+		}
+	}
+	/**
+	* Verify a session token for refresh. Validates the HMAC signature and the
+	* `type === 'session'` discriminant but intentionally skips the `exp` check
+	* so an expired access token can still be exchanged for a new one.
+	*
+	* Session lifetime is still bounded — the cookie's `maxAge` is set from
+	* `sessionCookieExpiryTime`, so the browser drops an over-age session regardless
+	* of the access-token exp embedded in the JWT.
+	*
+	* Never use the returned payload for authorization.
+	*/
+	static async verifySessionTokenForRefresh(token) {
+		try {
+			const { payload: rawPayload } = await compactVerify(token, this.getSecret());
+			const payload = JSON.parse(new TextDecoder().decode(rawPayload));
+			if (payload.type !== "session") throw new Error("Invalid token type");
+			return payload;
+		} catch (error) {
+			throw new ThunderIDRuntimeError(`Invalid session token: ${error instanceof Error ? error.message : "Unknown error"}`, "invalid-session-token-for-refresh", "nextjs", "Session token signature or type check failed during refresh");
+		}
+	}
+	/**
+	* Verify and decode a temporary session token
+	*/
+	static async verifyTempSession(token) {
+		try {
+			const { payload } = await jwtVerify(token, this.getSecret());
+			if (payload["type"] !== "temp") throw new Error("Invalid token type");
+			return { sessionId: payload["sessionId"] };
+		} catch (error) {
+			throw new ThunderIDRuntimeError(`Invalid temporary session token: ${error instanceof Error ? error.message : "Unknown error"}`, "invalid-temp-session-token", "nextjs", "Temporary session token verification failed");
+		}
+	}
+	/**
+	* Get session cookie options
+	*/
+	static getSessionCookieOptions(maxAge) {
+		return {
+			httpOnly: true,
+			maxAge,
+			path: "/",
+			sameSite: "lax",
+			secure: process.env["NODE_ENV"] === "production"
+		};
+	}
+	/**
+	* Get temporary session cookie options
+	*/
+	static getTempSessionCookieOptions() {
+		return {
+			httpOnly: true,
+			maxAge: 900,
+			path: "/",
+			sameSite: "lax",
+			secure: process.env["NODE_ENV"] === "production"
+		};
+	}
+	/**
+	* Get session cookie name
+	*/
+	static getSessionCookieName() {
+		return CookieConfig.SESSION_COOKIE_NAME;
+	}
+	/**
+	* Get temporary session cookie name
+	*/
+	static getTempSessionCookieName() {
+		return CookieConfig.TEMP_SESSION_COOKIE_NAME;
+	}
+};
+var SessionManager_default = SessionManager;
+//#endregion
+export { SessionManager_default as default };
+//# sourceMappingURL=SessionManager.js.map

package/dist/utils/SessionManager.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"SessionManager.js","names":["secret: string | undefined","secret: Uint8Array","envValue: string | undefined","parsed: number","payload: SessionTokenPayload"],"sources":["../../src/utils/SessionManager.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {ThunderIDRuntimeError, CookieConfig} from '@thunderid/node';\nimport {SignJWT, jwtVerify, compactVerify, JWTPayload} from 'jose';\nimport {DEFAULT_SESSION_COOKIE_EXPIRY_TIME} from '../constants/sessionConstants';\n\n/**\n * Session token payload interface\n */\nexport interface SessionTokenPayload extends JWTPayload {\n /** Expiration timestamp — doubles as the access token expiry (JWT exp == access token exp) */\n exp: number;\n /** Issued at timestamp */\n iat: number;\n /** Organization ID if applicable */\n organizationId?: string;\n /** The refresh token; empty string if not provided by the auth server */\n refreshToken: string;\n /** OAuth scopes */\n scopes: string[];\n /** Session ID */\n sessionId: string;\n /** User ID */\n sub: string;\n /** Token type discriminant — must be 'session' for access-session JWTs */\n type: 'session';\n}\n\n/**\n * Session management utility class for JWT-based session cookies\n */\nclass SessionManager {\n /**\n * Get the signing secret from environment variable\n * Throws error in production if not set\n */\n private static getSecret(): Uint8Array {\n const secret: string | undefined = process.env['THUNDERID_SECRET'];\n\n if (!secret) {\n if (process.env['NODE_ENV'] === 'production') {\n throw new ThunderIDRuntimeError(\n 'THUNDERID_SECRET environment variable is required in production',\n 'session-secret-required',\n 'nextjs',\n 'Set the THUNDERID_SECRET environment variable with a secure random string',\n );\n }\n // Use a default secret for development (not secure)\n // eslint-disable-next-line no-console\n console.warn('Using default secret for development. Set THUNDERID_SECRET for production!');\n return new TextEncoder().encode('development-secret-not-for-production');\n }\n\n return new TextEncoder().encode(secret);\n }\n\n /**\n * Create a temporary session cookie for login initiation\n */\n static async createTempSession(sessionId: string): Promise<string> {\n const secret: Uint8Array = this.getSecret();\n\n const jwt: string = await new SignJWT({\n sessionId,\n type: 'temp',\n })\n .setProtectedHeader({alg: 'HS256'})\n .setIssuedAt()\n .setExpirationTime('15m')\n .sign(secret);\n\n return jwt;\n }\n\n /**\n * Resolve the session cookie expiry time in seconds.\n *\n * Resolution order (first defined value wins):\n * 1. `configuredExpiry` — value from `ThunderIDNodeConfig.sessionCookie?.expiryTime`\n * 2. `THUNDERID_SESSION_COOKIE_EXPIRY_TIME` environment variable\n * 3. `DEFAULT_SESSION_COOKIE_EXPIRY_TIME` (24 hours)\n */\n static resolveSessionCookieExpiry(configuredExpiry?: number): number {\n if (configuredExpiry != null && configuredExpiry > 0) {\n return configuredExpiry;\n }\n\n const envValue: string | undefined = process.env['THUNDERID_SESSION_COOKIE_EXPIRY_TIME'];\n\n if (envValue) {\n const parsed: number = parseInt(envValue, 10);\n\n if (!Number.isNaN(parsed) && parsed > 0) {\n return parsed;\n }\n }\n\n return DEFAULT_SESSION_COOKIE_EXPIRY_TIME;\n }\n\n static async createSessionToken(\n accessToken: string,\n userId: string,\n sessionId: string,\n scopes: string,\n accessTokenTtlSeconds: number,\n refreshToken: string,\n organizationId?: string,\n ): Promise<string> {\n const secret: Uint8Array = this.getSecret();\n\n const jwt: string = await new SignJWT({\n accessToken,\n organizationId,\n refreshToken,\n scopes,\n sessionId,\n type: 'session',\n } as Omit<SessionTokenPayload, 'sub' | 'iat' | 'exp'>)\n .setProtectedHeader({alg: 'HS256'})\n .setSubject(userId)\n .setIssuedAt()\n .setExpirationTime(Math.floor(Date.now() / 1000) + accessTokenTtlSeconds)\n .sign(secret);\n\n return jwt;\n }\n\n /**\n * Verify and decode a session token\n */\n static async verifySessionToken(token: string): Promise<SessionTokenPayload> {\n try {\n const secret: Uint8Array = this.getSecret();\n const {payload} = await jwtVerify(token, secret);\n\n if (payload['type'] !== 'session') {\n throw new Error('Invalid token type');\n }\n\n return payload as SessionTokenPayload;\n } catch (error) {\n throw new ThunderIDRuntimeError(\n `Invalid session token: ${error instanceof Error ? error.message : 'Unknown error'}`,\n 'invalid-session-token',\n 'nextjs',\n 'Session token verification failed',\n );\n }\n }\n\n /**\n * Verify a session token for refresh. Validates the HMAC signature and the\n * `type === 'session'` discriminant but intentionally skips the `exp` check\n * so an expired access token can still be exchanged for a new one.\n *\n * Session lifetime is still bounded — the cookie's `maxAge` is set from\n * `sessionCookieExpiryTime`, so the browser drops an over-age session regardless\n * of the access-token exp embedded in the JWT.\n *\n * Never use the returned payload for authorization.\n */\n static async verifySessionTokenForRefresh(token: string): Promise<SessionTokenPayload> {\n try {\n const secret: Uint8Array = this.getSecret();\n const {payload: rawPayload} = await compactVerify(token, secret);\n const payload: SessionTokenPayload = JSON.parse(new TextDecoder().decode(rawPayload)) as SessionTokenPayload;\n\n if (payload.type !== 'session') {\n throw new Error('Invalid token type');\n }\n\n return payload;\n } catch (error) {\n throw new ThunderIDRuntimeError(\n `Invalid session token: ${error instanceof Error ? error.message : 'Unknown error'}`,\n 'invalid-session-token-for-refresh',\n 'nextjs',\n 'Session token signature or type check failed during refresh',\n );\n }\n }\n\n /**\n * Verify and decode a temporary session token\n */\n static async verifyTempSession(token: string): Promise<{sessionId: string}> {\n try {\n const secret: Uint8Array = this.getSecret();\n const {payload} = await jwtVerify(token, secret);\n\n if (payload['type'] !== 'temp') {\n throw new Error('Invalid token type');\n }\n\n return {sessionId: payload['sessionId'] as string};\n } catch (error) {\n throw new ThunderIDRuntimeError(\n `Invalid temporary session token: ${error instanceof Error ? error.message : 'Unknown error'}`,\n 'invalid-temp-session-token',\n 'nextjs',\n 'Temporary session token verification failed',\n );\n }\n }\n\n /**\n * Get session cookie options\n */\n static getSessionCookieOptions(maxAge: number): {\n httpOnly: boolean;\n maxAge: number;\n path: string;\n sameSite: 'lax';\n secure: boolean;\n } {\n return {\n httpOnly: true,\n maxAge,\n path: '/',\n sameSite: 'lax' as const,\n secure: process.env['NODE_ENV'] === 'production',\n };\n }\n\n /**\n * Get temporary session cookie options\n */\n static getTempSessionCookieOptions(): {\n httpOnly: boolean;\n maxAge: number;\n path: string;\n sameSite: 'lax';\n secure: boolean;\n } {\n return {\n httpOnly: true,\n maxAge: 15 * 60,\n path: '/',\n sameSite: 'lax' as const,\n secure: process.env['NODE_ENV'] === 'production',\n };\n }\n\n /**\n * Get session cookie name\n */\n static getSessionCookieName(): string {\n return CookieConfig.SESSION_COOKIE_NAME;\n }\n\n /**\n * Get temporary session cookie name\n */\n static getTempSessionCookieName(): string {\n return CookieConfig.TEMP_SESSION_COOKIE_NAME;\n }\n}\n\nexport default SessionManager;\n"],"mappings":";;;;;;;;AA+CA,IAAM,iBAAN,MAAqB;;;;;CAKnB,OAAe,YAAwB;EACrC,MAAMA,SAA6B,QAAQ,IAAI;AAE/C,MAAI,CAAC,QAAQ;AACX,OAAI,QAAQ,IAAI,gBAAgB,aAC9B,OAAM,IAAI,sBACR,mEACA,2BACA,UACA,4EACD;AAIH,WAAQ,KAAK,6EAA6E;AAC1F,UAAO,IAAI,aAAa,CAAC,OAAO,wCAAwC;;AAG1E,SAAO,IAAI,aAAa,CAAC,OAAO,OAAO;;;;;CAMzC,aAAa,kBAAkB,WAAoC;EACjE,MAAMC,SAAqB,KAAK,WAAW;AAW3C,SAToB,MAAM,IAAI,QAAQ;GACpC;GACA,MAAM;GACP,CAAC,CACC,mBAAmB,EAAC,KAAK,SAAQ,CAAC,CAClC,aAAa,CACb,kBAAkB,MAAM,CACxB,KAAK,OAAO;;;;;;;;;;CAajB,OAAO,2BAA2B,kBAAmC;AACnE,MAAI,oBAAoB,QAAQ,mBAAmB,EACjD,QAAO;EAGT,MAAMC,WAA+B,QAAQ,IAAI;AAEjD,MAAI,UAAU;GACZ,MAAMC,SAAiB,SAAS,UAAU,GAAG;AAE7C,OAAI,CAAC,OAAO,MAAM,OAAO,IAAI,SAAS,EACpC,QAAO;;AAIX,SAAO;;CAGT,aAAa,mBACX,aACA,QACA,WACA,QACA,uBACA,cACA,gBACiB;EACjB,MAAMF,SAAqB,KAAK,WAAW;AAgB3C,SAdoB,MAAM,IAAI,QAAQ;GACpC;GACA;GACA;GACA;GACA;GACA,MAAM;GACP,CAAqD,CACnD,mBAAmB,EAAC,KAAK,SAAQ,CAAC,CAClC,WAAW,OAAO,CAClB,aAAa,CACb,kBAAkB,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,GAAG,sBAAsB,CACxE,KAAK,OAAO;;;;;CAQjB,aAAa,mBAAmB,OAA6C;AAC3E,MAAI;GAEF,MAAM,EAAC,YAAW,MAAM,UAAU,OADP,KAAK,WAAW,CACK;AAEhD,OAAI,QAAQ,YAAY,UACtB,OAAM,IAAI,MAAM,qBAAqB;AAGvC,UAAO;WACA,OAAO;AACd,SAAM,IAAI,sBACR,0BAA0B,iBAAiB,QAAQ,MAAM,UAAU,mBACnE,yBACA,UACA,oCACD;;;;;;;;;;;;;;CAeL,aAAa,6BAA6B,OAA6C;AACrF,MAAI;GAEF,MAAM,EAAC,SAAS,eAAc,MAAM,cAAc,OADvB,KAAK,WAAW,CACqB;GAChE,MAAMG,UAA+B,KAAK,MAAM,IAAI,aAAa,CAAC,OAAO,WAAW,CAAC;AAErF,OAAI,QAAQ,SAAS,UACnB,OAAM,IAAI,MAAM,qBAAqB;AAGvC,UAAO;WACA,OAAO;AACd,SAAM,IAAI,sBACR,0BAA0B,iBAAiB,QAAQ,MAAM,UAAU,mBACnE,qCACA,UACA,8DACD;;;;;;CAOL,aAAa,kBAAkB,OAA6C;AAC1E,MAAI;GAEF,MAAM,EAAC,YAAW,MAAM,UAAU,OADP,KAAK,WAAW,CACK;AAEhD,OAAI,QAAQ,YAAY,OACtB,OAAM,IAAI,MAAM,qBAAqB;AAGvC,UAAO,EAAC,WAAW,QAAQ,cAAuB;WAC3C,OAAO;AACd,SAAM,IAAI,sBACR,oCAAoC,iBAAiB,QAAQ,MAAM,UAAU,mBAC7E,8BACA,UACA,8CACD;;;;;;CAOL,OAAO,wBAAwB,QAM7B;AACA,SAAO;GACL,UAAU;GACV;GACA,MAAM;GACN,UAAU;GACV,QAAQ,QAAQ,IAAI,gBAAgB;GACrC;;;;;CAMH,OAAO,8BAML;AACA,SAAO;GACL,UAAU;GACV,QAAQ;GACR,MAAM;GACN,UAAU;GACV,QAAQ,QAAQ,IAAI,gBAAgB;GACrC;;;;;CAMH,OAAO,uBAA+B;AACpC,SAAO,aAAa;;;;;CAMtB,OAAO,2BAAmC;AACxC,SAAO,aAAa;;;AAIxB,6BAAe"}

package/dist/utils/createRouteMatcher.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"createRouteMatcher.d.ts","sourceRoot":"","sources":["../../src/utils/createRouteMatcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AAExC;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,kBAAkB,GAAI,UAAU,MAAM,EAAE,KAAG,CAAC,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAerF,CAAC"}

package/dist/utils/decorateConfigWithNextEnv.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"decorateConfigWithNextEnv.d.ts","sourceRoot":"","sources":["../../src/utils/decorateConfigWithNextEnv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,mBAAmB,EAAC,MAAM,kBAAkB,CAAC;AAErD,QAAA,MAAM,yBAAyB,GAAI,QAAQ,mBAAmB,KAAG,mBAoChE,CAAC;AAEF,eAAe,yBAAyB,CAAC"}

package/dist/utils/decorateConfigWithNextEnv.js ADDED Viewed

@@ -0,0 +1,27 @@
+//#region src/utils/decorateConfigWithNextEnv.ts
+const decorateConfigWithNextEnv = (config) => {
+	const { organizationHandle, scopes, applicationId, baseUrl, clientId, clientSecret, signInUrl, signUpUrl, afterSignInUrl, afterSignOutUrl,...rest } = config;
+	const envExpiryTime = process.env["THUNDERID_SESSION_COOKIE_EXPIRY_TIME"] ? parseInt(process.env["THUNDERID_SESSION_COOKIE_EXPIRY_TIME"], 10) : void 0;
+	return {
+		...rest,
+		afterSignInUrl: afterSignInUrl || process.env["NEXT_PUBLIC_THUNDERID_AFTER_SIGN_IN_URL"],
+		afterSignOutUrl: afterSignOutUrl || process.env["NEXT_PUBLIC_THUNDERID_AFTER_SIGN_OUT_URL"],
+		applicationId: applicationId || process.env["NEXT_PUBLIC_THUNDERID_APPLICATION_ID"],
+		baseUrl: baseUrl || process.env["NEXT_PUBLIC_THUNDERID_BASE_URL"],
+		clientId: clientId || process.env["NEXT_PUBLIC_THUNDERID_CLIENT_ID"],
+		clientSecret: clientSecret || process.env["THUNDERID_CLIENT_SECRET"],
+		organizationHandle: organizationHandle || process.env["NEXT_PUBLIC_THUNDERID_ORGANIZATION_HANDLE"],
+		scopes: scopes || process.env["NEXT_PUBLIC_THUNDERID_SCOPES"],
+		sessionCookie: {
+			...rest.sessionCookie,
+			expiryTime: rest.sessionCookie?.expiryTime || envExpiryTime
+		},
+		signInUrl: signInUrl || process.env["NEXT_PUBLIC_THUNDERID_SIGN_IN_URL"],
+		signUpUrl: signUpUrl || process.env["NEXT_PUBLIC_THUNDERID_SIGN_UP_URL"]
+	};
+};
+var decorateConfigWithNextEnv_default = decorateConfigWithNextEnv;
+//#endregion
+export { decorateConfigWithNextEnv_default as default };
+//# sourceMappingURL=decorateConfigWithNextEnv.js.map

package/dist/utils/decorateConfigWithNextEnv.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"decorateConfigWithNextEnv.js","names":[],"sources":["../../src/utils/decorateConfigWithNextEnv.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {ThunderIDNextConfig} from '../models/config';\n\nconst decorateConfigWithNextEnv = (config: ThunderIDNextConfig): ThunderIDNextConfig => {\n const {\n organizationHandle,\n scopes,\n applicationId,\n baseUrl,\n clientId,\n clientSecret,\n signInUrl,\n signUpUrl,\n afterSignInUrl,\n afterSignOutUrl,\n ...rest\n } = config;\n\n const envExpiryTime = process.env['THUNDERID_SESSION_COOKIE_EXPIRY_TIME']\n ? parseInt(process.env['THUNDERID_SESSION_COOKIE_EXPIRY_TIME'], 10)\n : undefined;\n\n return {\n ...rest,\n afterSignInUrl: afterSignInUrl || process.env['NEXT_PUBLIC_THUNDERID_AFTER_SIGN_IN_URL']!,\n afterSignOutUrl: afterSignOutUrl || process.env['NEXT_PUBLIC_THUNDERID_AFTER_SIGN_OUT_URL']!,\n applicationId: applicationId || process.env['NEXT_PUBLIC_THUNDERID_APPLICATION_ID']!,\n baseUrl: baseUrl || process.env['NEXT_PUBLIC_THUNDERID_BASE_URL']!,\n clientId: clientId || process.env['NEXT_PUBLIC_THUNDERID_CLIENT_ID']!,\n clientSecret: clientSecret || process.env['THUNDERID_CLIENT_SECRET']!,\n organizationHandle: organizationHandle || process.env['NEXT_PUBLIC_THUNDERID_ORGANIZATION_HANDLE']!,\n scopes: scopes || process.env['NEXT_PUBLIC_THUNDERID_SCOPES']!,\n sessionCookie: {\n ...rest.sessionCookie,\n expiryTime: rest.sessionCookie?.expiryTime || envExpiryTime,\n },\n signInUrl: signInUrl || process.env['NEXT_PUBLIC_THUNDERID_SIGN_IN_URL']!,\n signUpUrl: signUpUrl || process.env['NEXT_PUBLIC_THUNDERID_SIGN_UP_URL']!,\n };\n};\n\nexport default decorateConfigWithNextEnv;\n"],"mappings":";AAoBA,MAAM,6BAA6B,WAAqD;CACtF,MAAM,EACJ,oBACA,QACA,eACA,SACA,UACA,cACA,WACA,WACA,gBACA,gBACA,GAAG,SACD;CAEJ,MAAM,gBAAgB,QAAQ,IAAI,0CAC9B,SAAS,QAAQ,IAAI,yCAAyC,GAAG,GACjE;AAEJ,QAAO;EACL,GAAG;EACH,gBAAgB,kBAAkB,QAAQ,IAAI;EAC9C,iBAAiB,mBAAmB,QAAQ,IAAI;EAChD,eAAe,iBAAiB,QAAQ,IAAI;EAC5C,SAAS,WAAW,QAAQ,IAAI;EAChC,UAAU,YAAY,QAAQ,IAAI;EAClC,cAAc,gBAAgB,QAAQ,IAAI;EAC1C,oBAAoB,sBAAsB,QAAQ,IAAI;EACtD,QAAQ,UAAU,QAAQ,IAAI;EAC9B,eAAe;GACb,GAAG,KAAK;GACR,YAAY,KAAK,eAAe,cAAc;GAC/C;EACD,WAAW,aAAa,QAAQ,IAAI;EACpC,WAAW,aAAa,QAAQ,IAAI;EACrC;;AAGH,wCAAe"}

package/dist/utils/handleRefreshToken.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"handleRefreshToken.d.ts","sourceRoot":"","sources":["../../src/utils/handleRefreshToken.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAC,aAAa,EAAE,mBAAmB,EAAC,MAAM,iBAAiB,CAAC;AACxE,OAAuB,EAAC,mBAAmB,EAAC,MAAM,kBAAkB,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,mBAAmB,CAAC;CACrC;AAED;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,EAAE,MAAM,CAAC;IAChC,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED;;;;;;GAMG;AACH,QAAA,MAAM,kBAAkB,GACtB,gBAAgB,mBAAmB,EACnC,QAAQ,wBAAwB,KAC/B,OAAO,CAAC,wBAAwB,CA2ElC,CAAC;AAEF,eAAe,kBAAkB,CAAC"}

package/dist/utils/handleRefreshToken.js ADDED Viewed

@@ -0,0 +1,62 @@
+import SessionManager_default from "./SessionManager.js";
+//#region src/utils/handleRefreshToken.ts
+/**
+* Handles the OAuth refresh_token grant and builds a new session JWT string.
+*
+* Intentionally decoupled from cookie APIs so it can be called from both the Edge
+* Runtime (Next.js middleware) and the Node.js Runtime (server actions).
+* Cookie persistence is the caller's responsibility.
+*/
+const handleRefreshToken = async (sessionPayload, config) => {
+	const { baseUrl, clientId, clientSecret, sessionCookie } = config;
+	const { refreshToken: storedRefreshToken, sessionId, sub, scopes, organizationId } = sessionPayload;
+	if (!storedRefreshToken) throw new Error("No refresh token found in session payload.");
+	const tokenEndpoint = `${baseUrl}/oauth2/token`;
+	const body = new URLSearchParams({
+		client_id: clientId ?? "",
+		client_secret: clientSecret ?? "",
+		grant_type: "refresh_token",
+		refresh_token: storedRefreshToken
+	});
+	let response;
+	try {
+		response = await fetch(tokenEndpoint, {
+			body: body.toString(),
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			method: "POST"
+		});
+	} catch (fetchError) {
+		throw new Error(`Token refresh network error: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`);
+	}
+	if (!response.ok) throw new Error(`Token endpoint rejected refresh (HTTP ${response.status}).`);
+	let tokenData;
+	try {
+		tokenData = await response.json();
+	} catch {
+		throw new Error("Failed to parse token endpoint response as JSON.");
+	}
+	const newAccessToken = tokenData["access_token"];
+	const expiresIn = tokenData["expires_in"];
+	const newRefreshToken = tokenData["refresh_token"] ?? storedRefreshToken;
+	const newScopes = tokenData["scope"] ?? (Array.isArray(scopes) ? scopes.join(" ") : scopes ?? "");
+	const resolvedSessionCookieExpiry = SessionManager_default.resolveSessionCookieExpiry(sessionCookie?.expiryTime);
+	return {
+		newSessionToken: await SessionManager_default.createSessionToken(newAccessToken, sub, sessionId, newScopes, expiresIn, newRefreshToken, organizationId),
+		sessionCookieExpiryTime: resolvedSessionCookieExpiry,
+		tokenResponse: {
+			accessToken: newAccessToken,
+			createdAt: Math.floor(Date.now() / 1e3),
+			expiresIn: String(expiresIn),
+			idToken: tokenData["id_token"] ?? "",
+			refreshToken: newRefreshToken,
+			scope: newScopes,
+			tokenType: tokenData["token_type"] ?? "Bearer"
+		}
+	};
+};
+var handleRefreshToken_default = handleRefreshToken;
+//#endregion
+export { handleRefreshToken_default as default };
+//# sourceMappingURL=handleRefreshToken.js.map

package/dist/utils/handleRefreshToken.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"handleRefreshToken.js","names":["body: URLSearchParams","response: Response","tokenData: Record<string, unknown>","newAccessToken: string","expiresIn: number","newRefreshToken: string","newScopes: string","resolvedSessionCookieExpiry: number","SessionManager"],"sources":["../../src/utils/handleRefreshToken.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport type {TokenResponse, SessionCookieConfig} from '@thunderid/node';\nimport SessionManager, {SessionTokenPayload} from './SessionManager';\n\n/**\n * Config required to call the token endpoint.\n */\nexport interface HandleRefreshTokenConfig {\n baseUrl: string;\n clientId: string;\n clientSecret: string;\n sessionCookie?: SessionCookieConfig;\n}\n\n/**\n * Result returned by handleRefreshToken.\n * Callers are responsible for persisting newSessionToken in the appropriate cookie context.\n */\nexport interface HandleRefreshTokenResult {\n newSessionToken: string;\n sessionCookieExpiryTime: number;\n tokenResponse: TokenResponse;\n}\n\n/**\n * Handles the OAuth refresh_token grant and builds a new session JWT string.\n *\n * Intentionally decoupled from cookie APIs so it can be called from both the Edge\n * Runtime (Next.js middleware) and the Node.js Runtime (server actions).\n * Cookie persistence is the caller's responsibility.\n */\nconst handleRefreshToken = async (\n sessionPayload: SessionTokenPayload,\n config: HandleRefreshTokenConfig,\n): Promise<HandleRefreshTokenResult> => {\n const {baseUrl, clientId, clientSecret, sessionCookie} = config;\n const {refreshToken: storedRefreshToken, sessionId, sub, scopes, organizationId} = sessionPayload;\n\n if (!storedRefreshToken) {\n throw new Error('No refresh token found in session payload.');\n }\n\n const tokenEndpoint = `${baseUrl}/oauth2/token`;\n const body: URLSearchParams = new URLSearchParams({\n client_id: clientId ?? '',\n client_secret: clientSecret ?? '',\n grant_type: 'refresh_token',\n refresh_token: storedRefreshToken,\n });\n\n let response: Response;\n\n try {\n response = await fetch(tokenEndpoint, {\n body: body.toString(),\n headers: {'Content-Type': 'application/x-www-form-urlencoded'},\n method: 'POST',\n });\n } catch (fetchError) {\n throw new Error(\n `Token refresh network error: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`,\n );\n }\n\n if (!response.ok) {\n throw new Error(`Token endpoint rejected refresh (HTTP ${response.status}).`);\n }\n\n let tokenData: Record<string, unknown>;\n\n try {\n tokenData = (await response.json()) as Record<string, unknown>;\n } catch {\n throw new Error('Failed to parse token endpoint response as JSON.');\n }\n\n const newAccessToken: string = tokenData['access_token'] as string;\n const expiresIn: number = tokenData['expires_in'] as number;\n // Use the rotated refresh token if the server provided one; otherwise keep the existing one.\n const newRefreshToken: string = (tokenData['refresh_token'] as string | undefined) ?? storedRefreshToken;\n const newScopes: string =\n (tokenData['scope'] as string | undefined) ??\n (Array.isArray(scopes) ? scopes.join(' ') : ((scopes as string) ?? ''));\n\n const resolvedSessionCookieExpiry: number = SessionManager.resolveSessionCookieExpiry(sessionCookie?.expiryTime);\n\n const newSessionToken: string = await SessionManager.createSessionToken(\n newAccessToken,\n sub,\n sessionId,\n newScopes,\n expiresIn,\n newRefreshToken,\n organizationId,\n );\n\n return {\n newSessionToken,\n sessionCookieExpiryTime: resolvedSessionCookieExpiry,\n tokenResponse: {\n accessToken: newAccessToken,\n createdAt: Math.floor(Date.now() / 1000),\n expiresIn: String(expiresIn),\n idToken: (tokenData['id_token'] as string | undefined) ?? '',\n refreshToken: newRefreshToken,\n scope: newScopes,\n tokenType: (tokenData['token_type'] as string | undefined) ?? 'Bearer',\n },\n };\n};\n\nexport default handleRefreshToken;\n"],"mappings":";;;;;;;;;;AAgDA,MAAM,qBAAqB,OACzB,gBACA,WACsC;CACtC,MAAM,EAAC,SAAS,UAAU,cAAc,kBAAiB;CACzD,MAAM,EAAC,cAAc,oBAAoB,WAAW,KAAK,QAAQ,mBAAkB;AAEnF,KAAI,CAAC,mBACH,OAAM,IAAI,MAAM,6CAA6C;CAG/D,MAAM,gBAAgB,GAAG,QAAQ;CACjC,MAAMA,OAAwB,IAAI,gBAAgB;EAChD,WAAW,YAAY;EACvB,eAAe,gBAAgB;EAC/B,YAAY;EACZ,eAAe;EAChB,CAAC;CAEF,IAAIC;AAEJ,KAAI;AACF,aAAW,MAAM,MAAM,eAAe;GACpC,MAAM,KAAK,UAAU;GACrB,SAAS,EAAC,gBAAgB,qCAAoC;GAC9D,QAAQ;GACT,CAAC;UACK,YAAY;AACnB,QAAM,IAAI,MACR,gCAAgC,sBAAsB,QAAQ,WAAW,UAAU,OAAO,WAAW,GACtG;;AAGH,KAAI,CAAC,SAAS,GACZ,OAAM,IAAI,MAAM,yCAAyC,SAAS,OAAO,IAAI;CAG/E,IAAIC;AAEJ,KAAI;AACF,cAAa,MAAM,SAAS,MAAM;SAC5B;AACN,QAAM,IAAI,MAAM,mDAAmD;;CAGrE,MAAMC,iBAAyB,UAAU;CACzC,MAAMC,YAAoB,UAAU;CAEpC,MAAMC,kBAA2B,UAAU,oBAA2C;CACtF,MAAMC,YACH,UAAU,aACV,MAAM,QAAQ,OAAO,GAAG,OAAO,KAAK,IAAI,GAAK,UAAqB;CAErE,MAAMC,8BAAsCC,uBAAe,2BAA2B,eAAe,WAAW;AAYhH,QAAO;EACL,iBAX8B,MAAMA,uBAAe,mBACnD,gBACA,KACA,WACA,WACA,WACA,iBACA,eACD;EAIC,yBAAyB;EACzB,eAAe;GACb,aAAa;GACb,WAAW,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;GACxC,WAAW,OAAO,UAAU;GAC5B,SAAU,UAAU,eAAsC;GAC1D,cAAc;GACd,OAAO;GACP,WAAY,UAAU,iBAAwC;GAC/D;EACF;;AAGH,iCAAe"}

package/dist/utils/logger.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,QAAA,MAAM,MAAM,EAAE,GAEZ,CAAC;AAEH,eAAe,MAAM,CAAC"}

package/dist/utils/logger.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { createLogger } from "@thunderid/node";
+//#region src/utils/logger.ts
+const logger$1 = createLogger({ level: "error" });
+var logger_default = logger$1;
+//#endregion
+export { logger_default as default };
+//# sourceMappingURL=logger.js.map

package/dist/utils/logger.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"logger.js","names":["logger: any","logger"],"sources":["../../src/utils/logger.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\nimport {createLogger} from '@thunderid/node';\n\nconst logger: any = createLogger({\n level: 'error',\n});\n\nexport default logger;\n"],"mappings":";;;AAoBA,MAAMA,WAAc,aAAa,EAC/B,OAAO,SACR,CAAC;AAEF,qBAAeC"}

package/dist/utils/sessionUtils.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sessionUtils.d.ts","sourceRoot":"","sources":["../../src/utils/sessionUtils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AACxC,OAAuB,EAAC,mBAAmB,EAAC,MAAM,kBAAkB,CAAC;AAErE;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,WAAW,KAAG,OAAO,CAAC,OAAO,CAY3E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GAAU,SAAS,WAAW,KAAG,OAAO,CAAC,mBAAmB,GAAG,SAAS,CAWzG,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GAAU,SAAS,WAAW,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAY9F,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,GAAU,SAAS,WAAW,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAYhG,CAAC"}

package/dist/utils/sessionUtils.js ADDED Viewed

@@ -0,0 +1,39 @@
+import SessionManager_default from "./SessionManager.js";
+//#region src/utils/sessionUtils.ts
+/**
+* Gets the session payload from the request cookies.
+* This includes user ID, session ID, and scopes.
+*
+* @param request - The Next.js request object
+* @returns The session payload if valid, undefined otherwise
+*/
+const getSessionFromRequest = async (request) => {
+	try {
+		const sessionToken = request.cookies.get(SessionManager_default.getSessionCookieName())?.value;
+		if (!sessionToken) return;
+		return await SessionManager_default.verifySessionToken(sessionToken);
+	} catch {
+		return;
+	}
+};
+/**
+* Gets the session ID from the request cookies (legacy support).
+* First tries to get from JWT session, then falls back to legacy session ID cookie.
+*
+* @param request - The Next.js request object
+* @returns The session ID if it exists, undefined otherwise
+*/
+const getSessionIdFromRequest = async (request) => {
+	try {
+		const sessionPayload = await getSessionFromRequest(request);
+		if (sessionPayload) return sessionPayload.sessionId;
+		return await Promise.resolve(void 0);
+	} catch {
+		return Promise.resolve(void 0);
+	}
+};
+//#endregion
+export { getSessionFromRequest, getSessionIdFromRequest };
+//# sourceMappingURL=sessionUtils.js.map