@thunderid/nextjs 0.2.1 → 0.2.2

package/dist/models/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/models/api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;CACd"}

package/dist/models/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/models/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,mBAAmB,EAAC,MAAM,iBAAiB,CAAC;AAEpD;;;;;;;;;;GAUG;AACH,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,CAAC"}

package/dist/server/ThunderIDProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ThunderIDProvider.d.ts","sourceRoot":"","sources":["../../src/server/ThunderIDProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,OAAO,EAAC,sBAAsB,EAAC,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAC,EAAE,EAAE,iBAAiB,EAAe,MAAM,OAAO,CAAC;AAmB1D;;GAEG;AACH,MAAM,MAAM,4BAA4B,GAAG,OAAO,CAAC,sBAAsB,CAAC,GAAG;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;;;;;;;;OAYG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,QAAA,MAAM,uBAAuB,EAAE,EAAE,CAAC,iBAAiB,CAAC,4BAA4B,CAAC,CA0GhF,CAAC;AAEF,eAAe,uBAAuB,CAAC"}

package/dist/server/ThunderIDProvider.js

@@ -0,0 +1,111 @@
+'use server';
+
+
+import getSessionId_default from "./actions/getSessionId.js";
+import getClient_default from "./getClient.js";
+import logger_default from "../utils/logger.js";
+import clearSession_default from "./actions/clearSession.js";
+import getSessionPayload_default from "./actions/getSessionPayload.js";
+import getUserAction_default from "./actions/getUserAction.js";
+import getUserProfileAction_default from "./actions/getUserProfileAction.js";
+import handleOAuthCallbackAction_default from "./actions/handleOAuthCallbackAction.js";
+import isSignedIn_default from "./actions/isSignedIn.js";
+import refreshToken_default from "./actions/refreshToken.js";
+import signInAction_default from "./actions/signInAction.js";
+import signOutAction_default from "./actions/signOutAction.js";
+import signUpAction_default from "./actions/signUpAction.js";
+import updateUserProfileAction_default from "./actions/updateUserProfileAction.js";
+import ThunderIDProvider_default from "../client/contexts/ThunderID/ThunderIDProvider.js";
+import { ThunderIDRuntimeError } from "@thunderid/node";
+import { Fragment, jsx } from "react/jsx-runtime";
+
+//#region src/server/ThunderIDProvider.tsx
+/**
+* Server-side provider component for ThunderID authentication.
+* Wraps the client-side provider and handles server-side authentication logic.
+* Uses the singleton ThunderIDNextClient instance for consistent authentication state.
+*
+* @param props - Props injected into the component.
+*
+* @example
+* ```tsx
+* <ThunderIDServerProvider config={thunderidConfig}>
+*   <YourApp />
+* </ThunderIDServerProvider>
+* ```
+*
+* @returns ThunderIDServerProvider component.
+*/
+const ThunderIDServerProvider = async ({ children, afterSignInUrl, afterSignOutUrl,..._config }) => {
+	const thunderIDClient = getClient_default();
+	let config = {};
+	try {
+		await thunderIDClient.initialize(_config);
+		logger_default.debug("[ThunderIDServerProvider] ThunderID client initialized successfully.");
+		config = await thunderIDClient.getConfiguration();
+	} catch (error) {
+		logger_default.error("[ThunderIDServerProvider] Failed to initialize ThunderID client:", error?.toString());
+		throw new ThunderIDRuntimeError(`Failed to initialize ThunderID client: ${error?.toString()}`, "next-ConfigurationError-001", "next", "An error occurred while initializing the ThunderID client. Please check your configuration.");
+	}
+	if (!thunderIDClient.isInitialized) return /* @__PURE__ */ jsx(Fragment, {});
+	const sessionPayload = await getSessionPayload_default();
+	const sessionId = sessionPayload?.sessionId || await getSessionId_default() || "";
+	const signedIn = await isSignedIn_default(sessionId);
+	let user = {};
+	let userProfile = {
+		flattenedProfile: {},
+		profile: {},
+		schemas: []
+	};
+	if (signedIn) {
+		let updatedBaseUrl = config?.baseUrl;
+		if (sessionPayload?.organizationId) {
+			updatedBaseUrl = `${config?.baseUrl}/o`;
+			config = {
+				...config,
+				baseUrl: updatedBaseUrl
+			};
+		} else if (sessionId) try {
+			if ((await thunderIDClient.getDecodedIdToken(sessionId))?.["user_org"]) {
+				updatedBaseUrl = `${config?.baseUrl}/o`;
+				config = {
+					...config,
+					baseUrl: updatedBaseUrl
+				};
+			}
+		} catch {}
+		if (config?.preferences?.user?.fetchUserProfile !== false) try {
+			const userResponse = await getUserAction_default(sessionId);
+			const userProfileResponse = await getUserProfileAction_default(sessionId);
+			user = userResponse.data?.user || {};
+			userProfile = userProfileResponse.data?.userProfile ?? userProfile;
+		} catch (error) {
+			logger_default.warn("[ThunderIDServerProvider] Failed to fetch user profile from SCIM2:", error?.toString());
+		}
+	}
+	return /* @__PURE__ */ jsx(ThunderIDProvider_default, {
+		organizationHandle: config?.organizationHandle,
+		applicationId: config?.applicationId,
+		baseUrl: config?.baseUrl,
+		signIn: signInAction_default,
+		clearSession: clearSession_default,
+		refreshToken: refreshToken_default,
+		signOut: signOutAction_default,
+		signUp: signUpAction_default,
+		handleOAuthCallback: handleOAuthCallbackAction_default,
+		signInUrl: config?.signInUrl,
+		signUpUrl: config?.signUpUrl,
+		preferences: config?.preferences,
+		clientId: config?.clientId,
+		user,
+		userProfile,
+		updateProfile: updateUserProfileAction_default,
+		isSignedIn: signedIn,
+		children
+	});
+};
+var ThunderIDProvider_default$1 = ThunderIDServerProvider;
+
+//#endregion
+export { ThunderIDProvider_default$1 as default };
+//# sourceMappingURL=ThunderIDProvider.js.map

package/dist/server/ThunderIDProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ThunderIDProvider.js","names":["ThunderIDServerProvider: FC<PropsWithChildren<ThunderIDServerProviderProps>>","getClient","config: Partial<ThunderIDNextConfig>","sessionPayload: SessionTokenPayload | undefined","getSessionPayload","sessionId: string","getSessionId","signedIn: boolean","isSignedIn","user: User","userProfile: UserProfile","updatedBaseUrl: string | undefined","userResponse: {\n          data: {user: User | null};\n          error: string | null;\n          success: boolean;\n        }","getUserAction","userProfileResponse: {\n          data: {userProfile: UserProfile};\n          error: string | null;\n          success: boolean;\n        }","getUserProfileAction","ThunderIDClientProvider","signInAction","clearSession","refreshToken","signOutAction","signUpAction","handleOAuthCallbackAction","updateUserProfileAction"],"sources":["../../src/server/ThunderIDProvider.tsx"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {ThunderIDRuntimeError, IdToken, User, UserProfile} from '@thunderid/node';\nimport {ThunderIDProviderProps} from '@thunderid/react';\nimport {FC, PropsWithChildren, ReactElement} from 'react';\nimport clearSession from './actions/clearSession';\nimport getSessionId from './actions/getSessionId';\nimport getSessionPayload from './actions/getSessionPayload';\nimport getUserAction from './actions/getUserAction';\nimport getUserProfileAction from './actions/getUserProfileAction';\nimport handleOAuthCallbackAction from './actions/handleOAuthCallbackAction';\nimport isSignedIn from './actions/isSignedIn';\nimport refreshToken from './actions/refreshToken';\nimport signInAction from './actions/signInAction';\nimport signOutAction from './actions/signOutAction';\nimport signUpAction from './actions/signUpAction';\nimport updateUserProfileAction from './actions/updateUserProfileAction';\nimport getClient from './getClient';\nimport ThunderIDClientProvider from '../client/contexts/ThunderID/ThunderIDProvider.js';\nimport {ThunderIDNextConfig} from '../models/config';\nimport logger from '../utils/logger';\nimport {SessionTokenPayload} from '../utils/SessionManager';\n\n/**\n * Props interface of {@link ThunderIDServerProvider}\n */\nexport type ThunderIDServerProviderProps = Partial<ThunderIDProviderProps> & {\n  clientSecret?: string;\n  /**\n   * Session cookie lifetime in seconds. Determines how long the session cookie\n   * remains valid in the browser after sign-in.\n   *\n   * Resolution order (first defined value wins):\n   *   1. This prop — set here when mounting the provider.\n   *   2. `THUNDERID_SESSION_COOKIE_EXPIRY_TIME` environment variable.\n   *   3. Built-in default of 86400 seconds (24 hours).\n   *\n   * @example\n   * // 8-hour session cookie\n   * <ThunderIDServerProvider sessionCookieExpiryTime={28800} ... />\n   */\n  sessionCookieExpiryTime?: number;\n};\n\n/**\n * Server-side provider component for ThunderID authentication.\n * Wraps the client-side provider and handles server-side authentication logic.\n * Uses the singleton ThunderIDNextClient instance for consistent authentication state.\n *\n * @param props - Props injected into the component.\n *\n * @example\n * ```tsx\n * <ThunderIDServerProvider config={thunderidConfig}>\n *   <YourApp />\n * </ThunderIDServerProvider>\n * ```\n *\n * @returns ThunderIDServerProvider component.\n */\nconst ThunderIDServerProvider: FC<PropsWithChildren<ThunderIDServerProviderProps>> = async ({\n  children,\n  afterSignInUrl,\n  afterSignOutUrl,\n  ..._config\n}: PropsWithChildren<ThunderIDServerProviderProps>): Promise<ReactElement> => {\n  const thunderIDClient = getClient();\n  let config: Partial<ThunderIDNextConfig> = {};\n\n  try {\n    await thunderIDClient.initialize(_config as ThunderIDNextConfig);\n\n    logger.debug('[ThunderIDServerProvider] ThunderID client initialized successfully.');\n\n    config = await thunderIDClient.getConfiguration();\n  } catch (error) {\n    logger.error('[ThunderIDServerProvider] Failed to initialize ThunderID client:', error?.toString());\n\n    throw new ThunderIDRuntimeError(\n      `Failed to initialize ThunderID client: ${error?.toString()}`,\n      'next-ConfigurationError-001',\n      'next',\n      'An error occurred while initializing the ThunderID client. Please check your configuration.',\n    );\n  }\n\n  if (!thunderIDClient.isInitialized) {\n    return <></>;\n  }\n\n  // Try to get session information from JWT first, then fall back to legacy\n  const sessionPayload: SessionTokenPayload | undefined = await getSessionPayload();\n  const sessionId: string = sessionPayload?.sessionId || (await getSessionId()) || '';\n  const signedIn: boolean = await isSignedIn(sessionId);\n\n  let user: User = {};\n  let userProfile: UserProfile = {\n    flattenedProfile: {},\n    profile: {},\n    schemas: [],\n  };\n  if (signedIn) {\n    let updatedBaseUrl: string | undefined = config?.baseUrl;\n\n    if (sessionPayload?.organizationId) {\n      updatedBaseUrl = `${config?.baseUrl}/o`;\n      config = {...config, baseUrl: updatedBaseUrl};\n    } else if (sessionId) {\n      try {\n        const idToken: IdToken = await thunderIDClient.getDecodedIdToken(sessionId);\n        if (idToken?.['user_org']) {\n          updatedBaseUrl = `${config?.baseUrl}/o`;\n          config = {...config, baseUrl: updatedBaseUrl};\n        }\n      } catch {\n        // Continue without organization info\n      }\n    }\n\n    // Check if user profile fetching is enabled (default: true)\n    const shouldFetchUserProfile: boolean = config?.preferences?.user?.fetchUserProfile !== false;\n\n    if (shouldFetchUserProfile) {\n      try {\n        const userResponse: {\n          data: {user: User | null};\n          error: string | null;\n          success: boolean;\n        } = await getUserAction(sessionId);\n        const userProfileResponse: {\n          data: {userProfile: UserProfile};\n          error: string | null;\n          success: boolean;\n        } = await getUserProfileAction(sessionId);\n\n        user = userResponse.data?.user || {};\n        userProfile = userProfileResponse.data?.userProfile ?? userProfile;\n      } catch (error) {\n        logger.warn('[ThunderIDServerProvider] Failed to fetch user profile from SCIM2:', error?.toString());\n      }\n    }\n  }\n\n  return (\n    <ThunderIDClientProvider\n      organizationHandle={config?.organizationHandle}\n      applicationId={config?.applicationId}\n      baseUrl={config?.baseUrl}\n      signIn={signInAction}\n      clearSession={clearSession}\n      refreshToken={refreshToken}\n      signOut={signOutAction}\n      signUp={signUpAction}\n      handleOAuthCallback={handleOAuthCallbackAction}\n      signInUrl={config?.signInUrl}\n      signUpUrl={config?.signUpUrl}\n      preferences={config?.preferences}\n      clientId={config?.clientId}\n      user={user}\n      userProfile={userProfile}\n      updateProfile={updateUserProfileAction}\n      isSignedIn={signedIn}\n    >\n      {children}\n    </ThunderIDClientProvider>\n  );\n};\n\nexport default ThunderIDServerProvider;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8EA,MAAMA,0BAA+E,OAAO,EAC1F,UACA,gBACA,gBACA,GAAG,cACyE;CAC5E,MAAM,kBAAkBC,mBAAW;CACnC,IAAIC,SAAuC,EAAE;AAE7C,KAAI;AACF,QAAM,gBAAgB,WAAW,QAA+B;AAEhE,iBAAO,MAAM,uEAAuE;AAEpF,WAAS,MAAM,gBAAgB,kBAAkB;UAC1C,OAAO;AACd,iBAAO,MAAM,oEAAoE,OAAO,UAAU,CAAC;AAEnG,QAAM,IAAI,sBACR,0CAA0C,OAAO,UAAU,IAC3D,+BACA,QACA,8FACD;;AAGH,KAAI,CAAC,gBAAgB,cACnB,QAAO,iCAAK;CAId,MAAMC,iBAAkD,MAAMC,2BAAmB;CACjF,MAAMC,YAAoB,gBAAgB,aAAc,MAAMC,sBAAc,IAAK;CACjF,MAAMC,WAAoB,MAAMC,mBAAW,UAAU;CAErD,IAAIC,OAAa,EAAE;CACnB,IAAIC,cAA2B;EAC7B,kBAAkB,EAAE;EACpB,SAAS,EAAE;EACX,SAAS,EAAE;EACZ;AACD,KAAI,UAAU;EACZ,IAAIC,iBAAqC,QAAQ;AAEjD,MAAI,gBAAgB,gBAAgB;AAClC,oBAAiB,GAAG,QAAQ,QAAQ;AACpC,YAAS;IAAC,GAAG;IAAQ,SAAS;IAAe;aACpC,UACT,KAAI;AAEF,QADyB,MAAM,gBAAgB,kBAAkB,UAAU,IAC7D,aAAa;AACzB,qBAAiB,GAAG,QAAQ,QAAQ;AACpC,aAAS;KAAC,GAAG;KAAQ,SAAS;KAAe;;UAEzC;AAQV,MAFwC,QAAQ,aAAa,MAAM,qBAAqB,MAGtF,KAAI;GACF,MAAMC,eAIF,MAAMC,sBAAc,UAAU;GAClC,MAAMC,sBAIF,MAAMC,6BAAqB,UAAU;AAEzC,UAAO,aAAa,MAAM,QAAQ,EAAE;AACpC,iBAAc,oBAAoB,MAAM,eAAe;WAChD,OAAO;AACd,kBAAO,KAAK,sEAAsE,OAAO,UAAU,CAAC;;;AAK1G,QACE,oBAACC;EACC,oBAAoB,QAAQ;EAC5B,eAAe,QAAQ;EACvB,SAAS,QAAQ;EACjB,QAAQC;EACR,cAAcC;EACd,cAAcC;EACd,SAASC;EACT,QAAQC;EACR,qBAAqBC;EACrB,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,aAAa,QAAQ;EACrB,UAAU,QAAQ;EACZ;EACO;EACb,eAAeC;EACf,YAAY;EAEX;GACuB;;AAI9B,kCAAe"}

package/dist/server/actions/clearSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clearSession.d.ts","sourceRoot":"","sources":["../../../src/server/actions/clearSession.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAUH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,QAAA,MAAM,YAAY,QAAa,OAAO,CAAC,IAAI,CAK1C,CAAC;AAEF,eAAe,YAAY,CAAC"}

package/dist/server/actions/clearSession.js

@@ -0,0 +1,39 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import logger_default from "../../utils/logger.js";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/clearSession.ts
+/**
+* Deletes all ThunderID session cookies from the browser without contacting the
+* identity server.
+*
+* Use this for error-recovery scenarios where the local session must be wiped
+* immediately: refresh token failures, corrupt sessions, or forced local sign-out
+* when the identity server is unreachable.
+*
+* For a complete sign-out that also revokes the server-side session and obtains the
+* after-sign-out redirect URL, use `signOutAction` instead.
+*
+* @example
+* ```typescript
+* import { clearSession } from '@thunderid/nextjs/server';
+*
+* // Inside a Server Action or Route Handler:
+* await clearSession();
+* redirect('/sign-in');
+* ```
+*/
+const clearSession = async () => {
+	const cookieStore = await cookies();
+	cookieStore.delete(SessionManager_default.getSessionCookieName());
+	cookieStore.delete(SessionManager_default.getTempSessionCookieName());
+	logger_default.debug("[clearSession] Session cookies cleared.");
+};
+var clearSession_default = clearSession;
+
+//#endregion
+export { clearSession_default as default };
+//# sourceMappingURL=clearSession.js.map

package/dist/server/actions/clearSession.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clearSession.js","names":["cookieStore: RequestCookies","SessionManager"],"sources":["../../../src/server/actions/clearSession.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {cookies} from 'next/headers';\nimport logger from '../../utils/logger';\nimport SessionManager from '../../utils/SessionManager';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Deletes all ThunderID session cookies from the browser without contacting the\n * identity server.\n *\n * Use this for error-recovery scenarios where the local session must be wiped\n * immediately: refresh token failures, corrupt sessions, or forced local sign-out\n * when the identity server is unreachable.\n *\n * For a complete sign-out that also revokes the server-side session and obtains the\n * after-sign-out redirect URL, use `signOutAction` instead.\n *\n * @example\n * ```typescript\n * import { clearSession } from '@thunderid/nextjs/server';\n *\n * // Inside a Server Action or Route Handler:\n * await clearSession();\n * redirect('/sign-in');\n * ```\n */\nconst clearSession = async (): Promise<void> => {\n  const cookieStore: RequestCookies = await cookies();\n  cookieStore.delete(SessionManager.getSessionCookieName());\n  cookieStore.delete(SessionManager.getTempSessionCookieName());\n  logger.debug('[clearSession] Session cookies cleared.');\n};\n\nexport default clearSession;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8CA,MAAM,eAAe,YAA2B;CAC9C,MAAMA,cAA8B,MAAM,SAAS;AACnD,aAAY,OAAOC,uBAAe,sBAAsB,CAAC;AACzD,aAAY,OAAOA,uBAAe,0BAA0B,CAAC;AAC7D,gBAAO,MAAM,0CAA0C;;AAGzD,2BAAe"}

package/dist/server/actions/getAccessToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAccessToken.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getAccessToken.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH;;;;GAIG;AACH,QAAA,MAAM,cAAc,QAAa,OAAO,CAAC,MAAM,GAAG,SAAS,CAgB1D,CAAC;AAEF,eAAe,cAAc,CAAC"}

package/dist/{getAccessToken-oRxArjVC.js → server/actions/getAccessToken.js}

@@ -1,15 +1,17 @@
-import { h as __toESM } from "./dynamic-rendering-CXn-s32e.js";
-import { n as require_headers, t as SessionManager_default } from "./SessionManager-BvmZ19QF.js";
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import { cookies } from "next/headers";
 
 //#region src/server/actions/getAccessToken.ts
-var import_headers = /* @__PURE__ */ __toESM(require_headers(), 1);
 /**
 * Get the access token from the session cookie.
 *
 * @returns The access token if it exists, undefined otherwise
 */
 const getAccessToken = async () => {
-	const sessionToken = (await (0, import_headers.cookies)()).get(SessionManager_default.getSessionCookieName())?.value;
+	const sessionToken = (await cookies()).get(SessionManager_default.getSessionCookieName())?.value;
 	if (sessionToken) try {
 		return (await SessionManager_default.verifySessionToken(sessionToken))["accessToken"];
 	} catch (error) {
@@ -19,4 +21,5 @@ const getAccessToken = async () => {
 var getAccessToken_default = getAccessToken;
 
 //#endregion
-export { getAccessToken_default as default };
+export { getAccessToken_default as default };
+//# sourceMappingURL=getAccessToken.js.map

package/dist/server/actions/getAccessToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAccessToken.js","names":["sessionToken: string | undefined","SessionManager"],"sources":["../../../src/server/actions/getAccessToken.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {cookies} from 'next/headers';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Get the access token from the session cookie.\n *\n * @returns The access token if it exists, undefined otherwise\n */\nconst getAccessToken = async (): Promise<string | undefined> => {\n  const cookieStore: RequestCookies = await cookies();\n\n  const sessionToken: string | undefined = cookieStore.get(SessionManager.getSessionCookieName())?.value;\n\n  if (sessionToken) {\n    try {\n      const sessionPayload: SessionTokenPayload = await SessionManager.verifySessionToken(sessionToken);\n\n      return sessionPayload['accessToken'] as string;\n    } catch (error) {\n      return undefined;\n    }\n  }\n\n  return undefined;\n};\n\nexport default getAccessToken;\n"],"mappings":";;;;;;;;;;;;AA8BA,MAAM,iBAAiB,YAAyC;CAG9D,MAAMA,gBAF8B,MAAM,SAAS,EAEE,IAAIC,uBAAe,sBAAsB,CAAC,EAAE;AAEjG,KAAI,aACF,KAAI;AAGF,UAF4C,MAAMA,uBAAe,mBAAmB,aAAa,EAE3E;UACf,OAAO;AACd;;;AAON,6BAAe"}

package/dist/server/actions/getClientOrigin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getClientOrigin.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getClientOrigin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAOH,QAAA,MAAM,eAAe,QAAa,OAAO,CAAC,MAAM,CAK/C,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/server/actions/getClientOrigin.js

@@ -0,0 +1,16 @@
+'use server';
+
+
+import { headers } from "next/headers";
+
+//#region src/server/actions/getClientOrigin.ts
+const getClientOrigin = async () => {
+	const headersList = await headers();
+	const host = headersList.get("host");
+	return `${headersList.get("x-forwarded-proto") ?? "http"}://${host}`;
+};
+var getClientOrigin_default = getClientOrigin;
+
+//#endregion
+export { getClientOrigin_default as default };
+//# sourceMappingURL=getClientOrigin.js.map

package/dist/server/actions/getClientOrigin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getClientOrigin.js","names":["headersList: ReadonlyHeaders","host: string | null"],"sources":["../../../src/server/actions/getClientOrigin.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {ReadonlyHeaders} from 'next/dist/server/web/spec-extension/adapters/headers';\nimport {headers} from 'next/headers';\n\nconst getClientOrigin = async (): Promise<string> => {\n  const headersList: ReadonlyHeaders = await headers();\n  const host: string | null = headersList.get('host');\n  const protocol: string = headersList.get('x-forwarded-proto') ?? 'http';\n  return `${protocol}://${host}`;\n};\n\nexport default getClientOrigin;\n"],"mappings":";;;;;;AAuBA,MAAM,kBAAkB,YAA6B;CACnD,MAAMA,cAA+B,MAAM,SAAS;CACpD,MAAMC,OAAsB,YAAY,IAAI,OAAO;AAEnD,QAAO,GADkB,YAAY,IAAI,oBAAoB,IAAI,OAC9C,KAAK;;AAG1B,8BAAe"}

package/dist/server/actions/getSessionId.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSessionId.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getSessionId.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH;;;;;GAKG;AACH,QAAA,MAAM,YAAY,QAAa,OAAO,CAAC,MAAM,GAAG,SAAS,CAgBxD,CAAC;AAEF,eAAe,YAAY,CAAC"}

package/dist/{getSessionId-_7hj8QSX.js → server/actions/getSessionId.js}

@@ -1,8 +1,10 @@
-import { h as __toESM } from "./dynamic-rendering-CXn-s32e.js";
-import { n as require_headers, t as SessionManager_default } from "./SessionManager-BvmZ19QF.js";
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import { cookies } from "next/headers";
 
 //#region src/server/actions/getSessionId.ts
-var import_headers = /* @__PURE__ */ __toESM(require_headers(), 1);
 /**
 * Get the session ID from cookies.
 * Tries JWT session first, then falls back to legacy session ID.
@@ -10,7 +12,7 @@ var import_headers = /* @__PURE__ */ __toESM(require_headers(), 1);
 * @returns The session ID if it exists, undefined otherwise
 */
 const getSessionId = async () => {
-	const sessionToken = (await (0, import_headers.cookies)()).get(SessionManager_default.getSessionCookieName())?.value;
+	const sessionToken = (await cookies()).get(SessionManager_default.getSessionCookieName())?.value;
 	if (sessionToken) try {
 		return (await SessionManager_default.verifySessionToken(sessionToken)).sessionId;
 	} catch (error) {
@@ -20,4 +22,5 @@ const getSessionId = async () => {
 var getSessionId_default = getSessionId;
 
 //#endregion
-export { getSessionId_default as t };
+export { getSessionId_default as default };
+//# sourceMappingURL=getSessionId.js.map

package/dist/server/actions/getSessionId.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSessionId.js","names":["sessionToken: string | undefined","SessionManager"],"sources":["../../../src/server/actions/getSessionId.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {cookies} from 'next/headers';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Get the session ID from cookies.\n * Tries JWT session first, then falls back to legacy session ID.\n *\n * @returns The session ID if it exists, undefined otherwise\n */\nconst getSessionId = async (): Promise<string | undefined> => {\n  const cookieStore: RequestCookies = await cookies();\n\n  const sessionToken: string | undefined = cookieStore.get(SessionManager.getSessionCookieName())?.value;\n\n  if (sessionToken) {\n    try {\n      const sessionPayload: SessionTokenPayload = await SessionManager.verifySessionToken(sessionToken);\n\n      return sessionPayload.sessionId;\n    } catch (error) {\n      return undefined;\n    }\n  }\n\n  return undefined;\n};\n\nexport default getSessionId;\n"],"mappings":";;;;;;;;;;;;;AA+BA,MAAM,eAAe,YAAyC;CAG5D,MAAMA,gBAF8B,MAAM,SAAS,EAEE,IAAIC,uBAAe,sBAAsB,CAAC,EAAE;AAEjG,KAAI,aACF,KAAI;AAGF,UAF4C,MAAMA,uBAAe,mBAAmB,aAAa,EAE3E;UACf,OAAO;AACd;;;AAON,2BAAe"}

package/dist/server/actions/getSessionPayload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSessionPayload.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getSessionPayload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,OAAuB,EAAC,mBAAmB,EAAC,MAAM,4BAA4B,CAAC;AAI/E;;;;;GAKG;AACH,QAAA,MAAM,iBAAiB,QAAa,OAAO,CAAC,mBAAmB,GAAG,SAAS,CAa1E,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/server/actions/getSessionPayload.js

@@ -0,0 +1,27 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/getSessionPayload.ts
+/**
+* Get the session payload from JWT session cookie.
+* This includes user ID, session ID, scopes, and organization ID.
+*
+* @returns The session payload if valid JWT session exists, undefined otherwise
+*/
+const getSessionPayload = async () => {
+	const sessionToken = (await cookies()).get(SessionManager_default.getSessionCookieName())?.value;
+	if (!sessionToken) return;
+	try {
+		return await SessionManager_default.verifySessionToken(sessionToken);
+	} catch {
+		return;
+	}
+};
+var getSessionPayload_default = getSessionPayload;
+
+//#endregion
+export { getSessionPayload_default as default };
+//# sourceMappingURL=getSessionPayload.js.map

package/dist/server/actions/getSessionPayload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getSessionPayload.js","names":["sessionToken: string | undefined","SessionManager"],"sources":["../../../src/server/actions/getSessionPayload.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {cookies} from 'next/headers';\nimport SessionManager, {SessionTokenPayload} from '../../utils/SessionManager';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Get the session payload from JWT session cookie.\n * This includes user ID, session ID, scopes, and organization ID.\n *\n * @returns The session payload if valid JWT session exists, undefined otherwise\n */\nconst getSessionPayload = async (): Promise<SessionTokenPayload | undefined> => {\n  const cookieStore: RequestCookies = await cookies();\n\n  const sessionToken: string | undefined = cookieStore.get(SessionManager.getSessionCookieName())?.value;\n  if (!sessionToken) {\n    return undefined;\n  }\n\n  try {\n    return await SessionManager.verifySessionToken(sessionToken);\n  } catch {\n    return undefined;\n  }\n};\n\nexport default getSessionPayload;\n"],"mappings":";;;;;;;;;;;;;AA+BA,MAAM,oBAAoB,YAAsD;CAG9E,MAAMA,gBAF8B,MAAM,SAAS,EAEE,IAAIC,uBAAe,sBAAsB,CAAC,EAAE;AACjG,KAAI,CAAC,aACH;AAGF,KAAI;AACF,SAAO,MAAMA,uBAAe,mBAAmB,aAAa;SACtD;AACN;;;AAIJ,gCAAe"}

package/dist/server/actions/getUserAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getUserAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getUserAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAC,IAAI,EAAC,MAAM,iBAAiB,CAAC;AAGrC;;;GAGG;AACH,QAAA,MAAM,aAAa,GACjB,WAAW,MAAM,KAChB,OAAO,CAAC;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;KAAC,CAAC;IAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,CAQ7E,CAAC;AAEF,eAAe,aAAa,CAAC"}

package/dist/server/actions/getUserAction.js

@@ -0,0 +1,30 @@
+'use server';
+
+
+import getClient_default from "../getClient.js";
+
+//#region src/server/actions/getUserAction.ts
+/**
+* Server action to get the current user.
+* Returns the user profile if signed in.
+*/
+const getUserAction = async (sessionId) => {
+	try {
+		return {
+			data: { user: await getClient_default().getUser(sessionId) },
+			error: null,
+			success: true
+		};
+	} catch (error) {
+		return {
+			data: { user: null },
+			error: "Failed to get user",
+			success: false
+		};
+	}
+};
+var getUserAction_default = getUserAction;
+
+//#endregion
+export { getUserAction_default as default };
+//# sourceMappingURL=getUserAction.js.map

package/dist/server/actions/getUserAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getUserAction.js","names":["getClient"],"sources":["../../../src/server/actions/getUserAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {User} from '@thunderid/node';\nimport getClient from '../getClient';\n\n/**\n * Server action to get the current user.\n * Returns the user profile if signed in.\n */\nconst getUserAction = async (\n  sessionId: string,\n): Promise<{data: {user: User | null}; error: string | null; success: boolean}> => {\n  try {\n    const client = getClient();\n    const user: User = await client.getUser(sessionId);\n    return {data: {user}, error: null, success: true};\n  } catch (error) {\n    return {data: {user: null}, error: 'Failed to get user', success: false};\n  }\n};\n\nexport default getUserAction;\n"],"mappings":";;;;;;;;;;AA2BA,MAAM,gBAAgB,OACpB,cACiF;AACjF,KAAI;AAGF,SAAO;GAAC,MAAM,EAAC,MADI,MADJA,mBAAW,CACM,QAAQ,UAAU,EAC9B;GAAE,OAAO;GAAM,SAAS;GAAK;UAC1C,OAAO;AACd,SAAO;GAAC,MAAM,EAAC,MAAM,MAAK;GAAE,OAAO;GAAsB,SAAS;GAAM;;;AAI5E,4BAAe"}

package/dist/server/actions/getUserProfileAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getUserProfileAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/getUserProfileAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAC,WAAW,EAAC,MAAM,iBAAiB,CAAC;AAG5C;;;GAGG;AACH,QAAA,MAAM,oBAAoB,GACxB,WAAW,MAAM,KAChB,OAAO,CAAC;IAAC,IAAI,EAAE;QAAC,WAAW,EAAE,WAAW,CAAA;KAAC,CAAC;IAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,CAkBpF,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/dist/server/actions/getUserProfileAction.js

@@ -0,0 +1,34 @@
+'use server';
+
+
+import getClient_default from "../getClient.js";
+
+//#region src/server/actions/getUserProfileAction.ts
+/**
+* Server action to get the current user.
+* Returns the user profile if signed in.
+*/
+const getUserProfileAction = async (sessionId) => {
+	try {
+		return {
+			data: { userProfile: await getClient_default().getUserProfile(sessionId) },
+			error: null,
+			success: true
+		};
+	} catch (error) {
+		return {
+			data: { userProfile: {
+				flattenedProfile: {},
+				profile: {},
+				schemas: []
+			} },
+			error: "Failed to get user profile",
+			success: false
+		};
+	}
+};
+var getUserProfileAction_default = getUserProfileAction;
+
+//#endregion
+export { getUserProfileAction_default as default };
+//# sourceMappingURL=getUserProfileAction.js.map

package/dist/server/actions/getUserProfileAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getUserProfileAction.js","names":["getClient"],"sources":["../../../src/server/actions/getUserProfileAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {UserProfile} from '@thunderid/node';\nimport getClient from '../getClient';\n\n/**\n * Server action to get the current user.\n * Returns the user profile if signed in.\n */\nconst getUserProfileAction = async (\n  sessionId: string,\n): Promise<{data: {userProfile: UserProfile}; error: string | null; success: boolean}> => {\n  try {\n    const client = getClient();\n    const updatedProfile: UserProfile = await client.getUserProfile(sessionId);\n    return {data: {userProfile: updatedProfile}, error: null, success: true};\n  } catch (error) {\n    return {\n      data: {\n        userProfile: {\n          flattenedProfile: {},\n          profile: {},\n          schemas: [],\n        },\n      },\n      error: 'Failed to get user profile',\n      success: false,\n    };\n  }\n};\n\nexport default getUserProfileAction;\n"],"mappings":";;;;;;;;;;AA2BA,MAAM,uBAAuB,OAC3B,cACwF;AACxF,KAAI;AAGF,SAAO;GAAC,MAAM,EAAC,aADqB,MADrBA,mBAAW,CACuB,eAAe,UAAU,EAC/B;GAAE,OAAO;GAAM,SAAS;GAAK;UACjE,OAAO;AACd,SAAO;GACL,MAAM,EACJ,aAAa;IACX,kBAAkB,EAAE;IACpB,SAAS,EAAE;IACX,SAAS,EAAE;IACZ,EACF;GACD,OAAO;GACP,SAAS;GACV;;;AAIL,mCAAe"}

package/dist/server/actions/handleOAuthCallbackAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handleOAuthCallbackAction.d.ts","sourceRoot":"","sources":["../../../src/server/actions/handleOAuthCallbackAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAaH;;;;;;;;;GASG;AACH,QAAA,MAAM,yBAAyB,GAC7B,MAAM,MAAM,EACZ,OAAO,MAAM,EACb,eAAe,MAAM,KACpB,OAAO,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyHA,CAAC;AAEF,eAAe,yBAAyB,CAAC"}

package/dist/server/actions/handleOAuthCallbackAction.js

@@ -0,0 +1,87 @@
+'use server';
+
+
+import SessionManager_default from "../../utils/SessionManager.js";
+import getClient_default from "../getClient.js";
+import logger_default from "../../utils/logger.js";
+import { cookies } from "next/headers";
+
+//#region src/server/actions/handleOAuthCallbackAction.ts
+/**
+* Server action to handle OAuth callback with authorization code.
+* This action processes the authorization code received from the OAuth provider
+* and exchanges it for tokens to complete the authentication flow.
+*
+* @param code - Authorization code from OAuth provider
+* @param state - State parameter from OAuth provider for CSRF protection
+* @param sessionState - Session state parameter from OAuth provider
+* @returns Promise that resolves with success status and optional error message
+*/
+const handleOAuthCallbackAction = async (code, state, sessionState) => {
+	try {
+		if (!code || !state) return {
+			error: "Missing required OAuth parameters: code and state are required",
+			success: false
+		};
+		const thunderIDClient = getClient_default();
+		if (!thunderIDClient.isInitialized) return {
+			error: "ThunderID client is not initialized",
+			success: false
+		};
+		const cookieStore = await cookies();
+		let sessionId;
+		const tempSessionToken = cookieStore.get(SessionManager_default.getTempSessionCookieName())?.value;
+		if (tempSessionToken) try {
+			sessionId = (await SessionManager_default.verifyTempSession(tempSessionToken)).sessionId;
+		} catch {
+			logger_default.error("[handleOAuthCallbackAction] Invalid temporary session token, falling back to session ID from cookies.");
+		}
+		if (!sessionId) {
+			logger_default.error("[handleOAuthCallbackAction] No session ID found in cookies or temporary session token.");
+			return {
+				error: "No session found. Please start the authentication flow again.",
+				success: false
+			};
+		}
+		const signInResult = await thunderIDClient.signIn({
+			code,
+			session_state: sessionState,
+			state
+		}, {}, sessionId);
+		const config = await thunderIDClient.getConfiguration();
+		if (signInResult) try {
+			const idToken = await thunderIDClient.getDecodedIdToken(sessionId, signInResult["id_token"] || signInResult["idToken"]);
+			const accessToken = signInResult["accessToken"] || signInResult["access_token"];
+			const refreshToken = signInResult["refreshToken"] ?? "";
+			const userIdFromToken = idToken.sub || signInResult["sub"] || sessionId;
+			const scopes = signInResult["scope"];
+			const organizationId = idToken["user_org"] || idToken["organization_id"];
+			const expiresIn = signInResult["expiresIn"];
+			const sessionCookieExpiryTime = SessionManager_default.resolveSessionCookieExpiry(config.sessionCookie?.expiryTime);
+			const sessionToken = await SessionManager_default.createSessionToken(accessToken, userIdFromToken, sessionId, scopes, expiresIn, refreshToken, organizationId);
+			cookieStore.set(SessionManager_default.getSessionCookieName(), sessionToken, SessionManager_default.getSessionCookieOptions(sessionCookieExpiryTime));
+			cookieStore.delete(SessionManager_default.getTempSessionCookieName());
+		} catch (error) {
+			logger_default.error(`[handleOAuthCallbackAction] Failed to create JWT session, continuing with legacy session:
+          ${typeof error === "string" ? error : JSON.stringify(error)}`);
+		}
+		return {
+			redirectUrl: config.afterSignInUrl || "/",
+			success: true
+		};
+	} catch (error) {
+		let errorMessage = "Authentication failed";
+		if (error instanceof Error) errorMessage = error.message;
+		else if (error && typeof error === "object" && "message" in error) errorMessage = String(error.message);
+		else if (typeof error === "string") errorMessage = error;
+		return {
+			error: errorMessage,
+			success: false
+		};
+	}
+};
+var handleOAuthCallbackAction_default = handleOAuthCallbackAction;
+
+//#endregion
+export { handleOAuthCallbackAction_default as default };
+//# sourceMappingURL=handleOAuthCallbackAction.js.map

package/dist/server/actions/handleOAuthCallbackAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handleOAuthCallbackAction.js","names":["getClient","cookieStore: RequestCookies","sessionId: string | undefined","tempSessionToken: string | undefined","SessionManager","signInResult: Record<string, unknown>","config: ThunderIDNextConfig","idToken: IdToken","accessToken: string","refreshToken: string","userIdFromToken: string","scopes: string","organizationId: string | undefined","expiresIn: number","sessionCookieExpiryTime: number","sessionToken: string"],"sources":["../../../src/server/actions/handleOAuthCallbackAction.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport {IdToken} from '@thunderid/node';\nimport {cookies} from 'next/headers';\nimport {ThunderIDNextConfig} from '../../models/config';\nimport logger from '../../utils/logger';\nimport SessionManager from '../../utils/SessionManager';\nimport getClient from '../getClient';\n\ntype RequestCookies = Awaited<ReturnType<typeof cookies>>;\n\n/**\n * Server action to handle OAuth callback with authorization code.\n * This action processes the authorization code received from the OAuth provider\n * and exchanges it for tokens to complete the authentication flow.\n *\n * @param code - Authorization code from OAuth provider\n * @param state - State parameter from OAuth provider for CSRF protection\n * @param sessionState - Session state parameter from OAuth provider\n * @returns Promise that resolves with success status and optional error message\n */\nconst handleOAuthCallbackAction = async (\n  code: string,\n  state: string,\n  sessionState?: string,\n): Promise<{\n  error?: string;\n  redirectUrl?: string;\n  success: boolean;\n}> => {\n  try {\n    if (!code || !state) {\n      return {\n        error: 'Missing required OAuth parameters: code and state are required',\n        success: false,\n      };\n    }\n\n    const thunderIDClient = getClient();\n\n    if (!thunderIDClient.isInitialized) {\n      return {\n        error: 'ThunderID client is not initialized',\n        success: false,\n      };\n    }\n\n    const cookieStore: RequestCookies = await cookies();\n    let sessionId: string | undefined;\n\n    const tempSessionToken: string | undefined = cookieStore.get(SessionManager.getTempSessionCookieName())?.value;\n\n    if (tempSessionToken) {\n      try {\n        const tempSession: {sessionId: string} = await SessionManager.verifyTempSession(tempSessionToken);\n        sessionId = tempSession.sessionId;\n      } catch {\n        logger.error(\n          '[handleOAuthCallbackAction] Invalid temporary session token, falling back to session ID from cookies.',\n        );\n      }\n    }\n\n    if (!sessionId) {\n      logger.error('[handleOAuthCallbackAction] No session ID found in cookies or temporary session token.');\n\n      return {\n        error: 'No session found. Please start the authentication flow again.',\n        success: false,\n      };\n    }\n\n    // Exchange the authorization code for tokens\n    const signInResult: Record<string, unknown> = await thunderIDClient.signIn(\n      {\n        code,\n        session_state: sessionState,\n        state,\n      } as any,\n      {},\n      sessionId,\n    );\n\n    const config: ThunderIDNextConfig = await thunderIDClient.getConfiguration();\n\n    if (signInResult) {\n      try {\n        const idToken: IdToken = await thunderIDClient.getDecodedIdToken(\n          sessionId,\n          (signInResult['id_token'] || signInResult['idToken']) as string,\n        );\n        const accessToken: string = (signInResult['accessToken'] || signInResult['access_token']) as string;\n        const refreshToken: string = (signInResult['refreshToken'] as string | undefined) ?? '';\n        const userIdFromToken: string = (idToken.sub || signInResult['sub'] || sessionId) as string;\n        const scopes: string = signInResult['scope'] as string;\n        const organizationId: string | undefined = (idToken['user_org'] || idToken['organization_id']) as\n          | string\n          | undefined;\n        const expiresIn: number = signInResult['expiresIn'] as number;\n        const sessionCookieExpiryTime: number = SessionManager.resolveSessionCookieExpiry(\n          config.sessionCookie?.expiryTime,\n        );\n\n        const sessionToken: string = await SessionManager.createSessionToken(\n          accessToken,\n          userIdFromToken,\n          sessionId,\n          scopes,\n          expiresIn,\n          refreshToken,\n          organizationId,\n        );\n\n        cookieStore.set(\n          SessionManager.getSessionCookieName(),\n          sessionToken,\n          SessionManager.getSessionCookieOptions(sessionCookieExpiryTime),\n        );\n\n        cookieStore.delete(SessionManager.getTempSessionCookieName());\n      } catch (error) {\n        logger.error(\n          `[handleOAuthCallbackAction] Failed to create JWT session, continuing with legacy session:\n          ${typeof error === 'string' ? error : JSON.stringify(error)}`,\n        );\n      }\n    }\n\n    const afterSignInUrl: string = config.afterSignInUrl || '/';\n\n    return {\n      redirectUrl: afterSignInUrl,\n      success: true,\n    };\n  } catch (error) {\n    let errorMessage = 'Authentication failed';\n\n    if (error instanceof Error) {\n      errorMessage = error.message;\n    } else if (error && typeof error === 'object' && 'message' in error) {\n      errorMessage = String((error as {message: unknown}).message);\n    } else if (typeof error === 'string') {\n      errorMessage = error;\n    }\n\n    return {\n      error: errorMessage,\n      success: false,\n    };\n  }\n};\n\nexport default handleOAuthCallbackAction;\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAuCA,MAAM,4BAA4B,OAChC,MACA,OACA,iBAKI;AACJ,KAAI;AACF,MAAI,CAAC,QAAQ,CAAC,MACZ,QAAO;GACL,OAAO;GACP,SAAS;GACV;EAGH,MAAM,kBAAkBA,mBAAW;AAEnC,MAAI,CAAC,gBAAgB,cACnB,QAAO;GACL,OAAO;GACP,SAAS;GACV;EAGH,MAAMC,cAA8B,MAAM,SAAS;EACnD,IAAIC;EAEJ,MAAMC,mBAAuC,YAAY,IAAIC,uBAAe,0BAA0B,CAAC,EAAE;AAEzG,MAAI,iBACF,KAAI;AAEF,gBADyC,MAAMA,uBAAe,kBAAkB,iBAAiB,EACzE;UAClB;AACN,kBAAO,MACL,wGACD;;AAIL,MAAI,CAAC,WAAW;AACd,kBAAO,MAAM,yFAAyF;AAEtG,UAAO;IACL,OAAO;IACP,SAAS;IACV;;EAIH,MAAMC,eAAwC,MAAM,gBAAgB,OAClE;GACE;GACA,eAAe;GACf;GACD,EACD,EAAE,EACF,UACD;EAED,MAAMC,SAA8B,MAAM,gBAAgB,kBAAkB;AAE5E,MAAI,aACF,KAAI;GACF,MAAMC,UAAmB,MAAM,gBAAgB,kBAC7C,WACC,aAAa,eAAe,aAAa,WAC3C;GACD,MAAMC,cAAuB,aAAa,kBAAkB,aAAa;GACzE,MAAMC,eAAwB,aAAa,mBAA0C;GACrF,MAAMC,kBAA2B,QAAQ,OAAO,aAAa,UAAU;GACvE,MAAMC,SAAiB,aAAa;GACpC,MAAMC,iBAAsC,QAAQ,eAAe,QAAQ;GAG3E,MAAMC,YAAoB,aAAa;GACvC,MAAMC,0BAAkCV,uBAAe,2BACrD,OAAO,eAAe,WACvB;GAED,MAAMW,eAAuB,MAAMX,uBAAe,mBAChD,aACA,iBACA,WACA,QACA,WACA,cACA,eACD;AAED,eAAY,IACVA,uBAAe,sBAAsB,EACrC,cACAA,uBAAe,wBAAwB,wBAAwB,CAChE;AAED,eAAY,OAAOA,uBAAe,0BAA0B,CAAC;WACtD,OAAO;AACd,kBAAO,MACL;YACE,OAAO,UAAU,WAAW,QAAQ,KAAK,UAAU,MAAM,GAC5D;;AAML,SAAO;GACL,aAH6B,OAAO,kBAAkB;GAItD,SAAS;GACV;UACM,OAAO;EACd,IAAI,eAAe;AAEnB,MAAI,iBAAiB,MACnB,gBAAe,MAAM;WACZ,SAAS,OAAO,UAAU,YAAY,aAAa,MAC5D,gBAAe,OAAQ,MAA6B,QAAQ;WACnD,OAAO,UAAU,SAC1B,gBAAe;AAGjB,SAAO;GACL,OAAO;GACP,SAAS;GACV;;;AAIL,wCAAe"}

package/dist/server/actions/isSignedIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSignedIn.d.ts","sourceRoot":"","sources":["../../../src/server/actions/isSignedIn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH;;;;;;;;;;;GAWG;AACH,QAAA,MAAM,UAAU,GAAU,YAAY,MAAM,KAAG,OAAO,CAAC,OAAO,CA0B7D,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/server/actions/isSignedIn.js

@@ -0,0 +1,40 @@
+'use server';
+
+
+import getSessionId_default from "./getSessionId.js";
+import getClient_default from "../getClient.js";
+import getSessionPayload_default from "./getSessionPayload.js";
+
+//#region src/server/actions/isSignedIn.ts
+/**
+* Check if the user is currently signed in.
+*
+* For JWT-based sessions: the session JWT exp claim is now tied to the access
+* token expiry. A successful jwtVerify (inside getSessionPayload) already proves
+* exp > now, so no separate timestamp comparison is needed here.
+*
+* Falls back to the legacy SDK in-memory check when no JWT session cookie exists.
+*
+* @param sessionId - Optional session ID (used only for the legacy fallback path)
+* @returns True if the user is signed in with a valid, non-expired token
+*/
+const isSignedIn = async (sessionId) => {
+	try {
+		if (await getSessionPayload_default()) return true;
+		const resolvedSessionId = sessionId || await getSessionId_default();
+		if (!resolvedSessionId) return false;
+		const client = getClient_default();
+		try {
+			return !!await client.getAccessToken(resolvedSessionId);
+		} catch {
+			return false;
+		}
+	} catch {
+		return false;
+	}
+};
+var isSignedIn_default = isSignedIn;
+
+//#endregion
+export { isSignedIn_default as default };
+//# sourceMappingURL=isSignedIn.js.map

package/dist/server/actions/isSignedIn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isSignedIn.js","names":["getSessionPayload","resolvedSessionId: string | undefined","getSessionId","getClient"],"sources":["../../../src/server/actions/isSignedIn.ts"],"sourcesContent":["/**\n * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).\n *\n * WSO2 LLC. licenses this file to you under the Apache License,\n * Version 2.0 (the \"License\"); you may not use this file except\n * in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing,\n * software distributed under the License is distributed on an\n * \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n * KIND, either express or implied. See the License for the\n * specific language governing permissions and limitations\n * under the License.\n */\n\n'use server';\n\nimport getSessionId from './getSessionId';\nimport getSessionPayload from './getSessionPayload';\nimport {SessionTokenPayload} from '../../utils/SessionManager';\nimport getClient from '../getClient';\n\n/**\n * Check if the user is currently signed in.\n *\n * For JWT-based sessions: the session JWT exp claim is now tied to the access\n * token expiry. A successful jwtVerify (inside getSessionPayload) already proves\n * exp > now, so no separate timestamp comparison is needed here.\n *\n * Falls back to the legacy SDK in-memory check when no JWT session cookie exists.\n *\n * @param sessionId - Optional session ID (used only for the legacy fallback path)\n * @returns True if the user is signed in with a valid, non-expired token\n */\nconst isSignedIn = async (sessionId?: string): Promise<boolean> => {\n  try {\n    const sessionPayload: SessionTokenPayload | undefined = await getSessionPayload();\n\n    if (sessionPayload) {\n      return true;\n    }\n\n    // No JWT session — fall back to the legacy SDK in-memory store check.\n    const resolvedSessionId: string | undefined = sessionId || (await getSessionId());\n\n    if (!resolvedSessionId) {\n      return false;\n    }\n\n    const client = getClient();\n\n    try {\n      const accessToken: string = await client.getAccessToken(resolvedSessionId);\n      return !!accessToken;\n    } catch {\n      return false;\n    }\n  } catch {\n    return false;\n  }\n};\n\nexport default isSignedIn;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAqCA,MAAM,aAAa,OAAO,cAAyC;AACjE,KAAI;AAGF,MAFwD,MAAMA,2BAAmB,CAG/E,QAAO;EAIT,MAAMC,oBAAwC,aAAc,MAAMC,sBAAc;AAEhF,MAAI,CAAC,kBACH,QAAO;EAGT,MAAM,SAASC,mBAAW;AAE1B,MAAI;AAEF,UAAO,CAAC,CADoB,MAAM,OAAO,eAAe,kBAAkB;UAEpE;AACN,UAAO;;SAEH;AACN,SAAO;;;AAIX,yBAAe"}

package/dist/server/actions/refreshToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshToken.d.ts","sourceRoot":"","sources":["../../../src/server/actions/refreshToken.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAaH;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,QAAA,MAAM,YAAY,QAAa,OAAO,CAAC,aAAa,CAmEnD,CAAC;AAEF,eAAe,YAAY,CAAC"}