@vaultix.ai/nextjs 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/index.js +109 -28
  2. package/dist/index.js.map +1 -1
  3. package/dist/index.mjs +110 -29
  4. package/dist/index.mjs.map +1 -1
  5. package/dist/server.d.mts +35 -22
  6. package/dist/server.d.ts +35 -22
  7. package/dist/server.js +109 -28
  8. package/dist/server.js.map +1 -1
  9. package/dist/server.mjs +110 -29
  10. package/dist/server.mjs.map +1 -1
  11. package/package.json +1 -1
package/dist/server.d.mts CHANGED
@@ -7,45 +7,58 @@ interface AuthObject {
7
7
  sessionId: string | null;
8
8
  riskLevel: "low" | "medium" | "high" | "critical" | null;
9
9
  isSignedIn: boolean;
10
+ /**
11
+ * Throws a redirect if the user is not authenticated.
12
+ * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())
13
+ */
14
+ protect: (redirectTo?: string) => void;
10
15
  }
11
16
  /**
12
- * Returns the current auth state by reading the headers injected by
13
- * `authMiddleware`. Call this in Server Components, Route Handlers, and
14
- * Server Actions never in Client Components.
17
+ * Returns the current auth state. Works in Server Components, Route Handlers,
18
+ * and Server Actions. Falls back to verifying the session cookie directly
19
+ * if middleware headers are not present.
15
20
  *
16
21
  * @example
17
- * import { auth } from "@smritix.ai/nextjs/server";
22
+ * import { auth } from "@vaultix.ai/nextjs/server";
23
+ *
18
24
  * export default async function Page() {
19
- * const { userId, orgId } = await auth();
20
- *
25
+ * const { userId, protect } = await auth();
26
+ * protect(); // redirects to sign-in if not authenticated
27
+ * return <div>Hello {userId}</div>;
21
28
  * }
22
29
  */
23
30
  declare function auth(): Promise<AuthObject>;
24
31
  /**
25
- * Asserts that the current user is authenticated. Redirects to `/sign-in`
26
- * if not. Returns the auth object for convenience.
32
+ * Returns the full user record for the currently signed-in user.
33
+ * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.
34
+ * No extra env vars required.
27
35
  *
28
36
  * @example
29
- * export default async function ProtectedPage() {
30
- * const { userId } = await protect();
31
- *
37
+ * import { currentUser } from "@vaultix.ai/nextjs/server";
38
+ *
39
+ * export default async function Page() {
40
+ * const user = await currentUser();
41
+ * if (!user) redirect("/sign-in");
42
+ * return <div>Hello {user.email}</div>;
32
43
  * }
33
44
  */
34
- declare function protect(redirectTo?: string): Promise<AuthObject>;
45
+ declare function currentUser(): Promise<VaultixUser | null>;
35
46
  /**
36
- * Fetches the full `VaultixUser` record from the auth engine using server-to-server
37
- * credentials (`VAULTIX_API_URL` + `VAULTIX_SECRET_KEY` env vars).
38
- * Returns null when unauthenticated or when env vars are missing.
39
- *
40
- * Responses are never cached (`cache: "no-store"`) — user data must be fresh.
47
+ * Returns the active organization for the current user.
48
+ * Requires VAULTIX_SECRET_KEY env var.
41
49
  */
42
- declare function currentUser(): Promise<VaultixUser | null>;
50
+ declare function currentOrg(): Promise<VaultixOrganization | null>;
43
51
  /**
44
- * Fetches the active `VaultixOrganization` from the auth engine.
45
- * Returns null when the user has no active org or env vars are missing.
52
+ * Asserts the current user is authenticated. Redirects to sign-in if not.
53
+ * Prefer calling `protect()` from the auth object returned by `auth()`.
46
54
  *
47
- * Responses are cached for 30 seconds — org data changes infrequently.
55
+ * @example
56
+ * import { protect } from "@vaultix.ai/nextjs/server";
57
+ * export default async function Page() {
58
+ * const { userId } = await protect();
59
+ * return <div>{userId}</div>;
60
+ * }
48
61
  */
49
- declare function currentOrg(): Promise<VaultixOrganization | null>;
62
+ declare function protect(redirectTo?: string): Promise<AuthObject>;
50
63
 
51
64
  export { type AuthObject, auth, currentOrg, currentUser, protect };
package/dist/server.d.ts CHANGED
@@ -7,45 +7,58 @@ interface AuthObject {
7
7
  sessionId: string | null;
8
8
  riskLevel: "low" | "medium" | "high" | "critical" | null;
9
9
  isSignedIn: boolean;
10
+ /**
11
+ * Throws a redirect if the user is not authenticated.
12
+ * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())
13
+ */
14
+ protect: (redirectTo?: string) => void;
10
15
  }
11
16
  /**
12
- * Returns the current auth state by reading the headers injected by
13
- * `authMiddleware`. Call this in Server Components, Route Handlers, and
14
- * Server Actions never in Client Components.
17
+ * Returns the current auth state. Works in Server Components, Route Handlers,
18
+ * and Server Actions. Falls back to verifying the session cookie directly
19
+ * if middleware headers are not present.
15
20
  *
16
21
  * @example
17
- * import { auth } from "@smritix.ai/nextjs/server";
22
+ * import { auth } from "@vaultix.ai/nextjs/server";
23
+ *
18
24
  * export default async function Page() {
19
- * const { userId, orgId } = await auth();
20
- *
25
+ * const { userId, protect } = await auth();
26
+ * protect(); // redirects to sign-in if not authenticated
27
+ * return <div>Hello {userId}</div>;
21
28
  * }
22
29
  */
23
30
  declare function auth(): Promise<AuthObject>;
24
31
  /**
25
- * Asserts that the current user is authenticated. Redirects to `/sign-in`
26
- * if not. Returns the auth object for convenience.
32
+ * Returns the full user record for the currently signed-in user.
33
+ * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.
34
+ * No extra env vars required.
27
35
  *
28
36
  * @example
29
- * export default async function ProtectedPage() {
30
- * const { userId } = await protect();
31
- *
37
+ * import { currentUser } from "@vaultix.ai/nextjs/server";
38
+ *
39
+ * export default async function Page() {
40
+ * const user = await currentUser();
41
+ * if (!user) redirect("/sign-in");
42
+ * return <div>Hello {user.email}</div>;
32
43
  * }
33
44
  */
34
- declare function protect(redirectTo?: string): Promise<AuthObject>;
45
+ declare function currentUser(): Promise<VaultixUser | null>;
35
46
  /**
36
- * Fetches the full `VaultixUser` record from the auth engine using server-to-server
37
- * credentials (`VAULTIX_API_URL` + `VAULTIX_SECRET_KEY` env vars).
38
- * Returns null when unauthenticated or when env vars are missing.
39
- *
40
- * Responses are never cached (`cache: "no-store"`) — user data must be fresh.
47
+ * Returns the active organization for the current user.
48
+ * Requires VAULTIX_SECRET_KEY env var.
41
49
  */
42
- declare function currentUser(): Promise<VaultixUser | null>;
50
+ declare function currentOrg(): Promise<VaultixOrganization | null>;
43
51
  /**
44
- * Fetches the active `VaultixOrganization` from the auth engine.
45
- * Returns null when the user has no active org or env vars are missing.
52
+ * Asserts the current user is authenticated. Redirects to sign-in if not.
53
+ * Prefer calling `protect()` from the auth object returned by `auth()`.
46
54
  *
47
- * Responses are cached for 30 seconds — org data changes infrequently.
55
+ * @example
56
+ * import { protect } from "@vaultix.ai/nextjs/server";
57
+ * export default async function Page() {
58
+ * const { userId } = await protect();
59
+ * return <div>{userId}</div>;
60
+ * }
48
61
  */
49
- declare function currentOrg(): Promise<VaultixOrganization | null>;
62
+ declare function protect(redirectTo?: string): Promise<AuthObject>;
50
63
 
51
64
  export { type AuthObject, auth, currentOrg, currentUser, protect };
package/dist/server.js CHANGED
@@ -28,6 +28,7 @@ __export(server_exports, {
28
28
  module.exports = __toCommonJS(server_exports);
29
29
  var import_headers = require("next/headers");
30
30
  var import_navigation = require("next/navigation");
31
+ var import_jose2 = require("jose");
31
32
 
32
33
  // src/middleware.ts
33
34
  var import_jose = require("jose");
@@ -39,48 +40,124 @@ var HEADER_SESSION_ID = "x-vaultix-session-id";
39
40
  var HEADER_RISK_LEVEL = "x-vaultix-risk-level";
40
41
 
41
42
  // src/server.ts
43
+ function resolveApiUrl() {
44
+ if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\/$/, "");
45
+ const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? "";
46
+ if (!pk) return "";
47
+ try {
48
+ const parts = pk.split("_");
49
+ if (parts.length >= 4 && parts[0] === "vaultix" && parts[1] === "pk") {
50
+ return atob(parts.slice(3).join("_")).replace(/\/$/, "");
51
+ }
52
+ } catch {
53
+ }
54
+ return "";
55
+ }
56
+ var _remoteJwks = null;
57
+ var _remoteJwksUrl = null;
58
+ var _staticKey = null;
59
+ var _staticPem = null;
60
+ async function verifyJwt(token) {
61
+ const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;
62
+ if (pem) {
63
+ const normalized = pem.replace(/\\n/g, "\n");
64
+ if (!_staticKey || _staticPem !== normalized) {
65
+ _staticKey = await (0, import_jose2.importSPKI)(normalized, "RS256");
66
+ _staticPem = normalized;
67
+ }
68
+ try {
69
+ const { payload } = await (0, import_jose2.jwtVerify)(token, _staticKey, { algorithms: ["RS256"] });
70
+ return payload;
71
+ } catch {
72
+ return null;
73
+ }
74
+ }
75
+ const apiUrl = resolveApiUrl();
76
+ if (!apiUrl) return null;
77
+ const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;
78
+ if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {
79
+ _remoteJwks = (0, import_jose2.createRemoteJWKSet)(new URL(jwksUrl));
80
+ _remoteJwksUrl = jwksUrl;
81
+ }
82
+ try {
83
+ const { payload } = await (0, import_jose2.jwtVerify)(token, _remoteJwks, { algorithms: ["RS256"] });
84
+ return payload;
85
+ } catch {
86
+ return null;
87
+ }
88
+ }
42
89
  async function auth() {
90
+ function makeProtect(isSignedIn) {
91
+ return (redirectTo) => {
92
+ if (!isSignedIn) {
93
+ const apiUrl = resolveApiUrl();
94
+ const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
95
+ (0, import_navigation.redirect)(dest);
96
+ }
97
+ };
98
+ }
43
99
  const h = await (0, import_headers.headers)();
44
100
  const userId = h.get(HEADER_USER_ID);
45
- if (!userId) {
101
+ if (userId) {
102
+ return {
103
+ userId,
104
+ orgId: h.get(HEADER_ORG_ID) || null,
105
+ orgRole: h.get(HEADER_ORG_ROLE) || null,
106
+ sessionId: h.get(HEADER_SESSION_ID) || null,
107
+ riskLevel: h.get(HEADER_RISK_LEVEL) ?? "low",
108
+ isSignedIn: true,
109
+ protect: makeProtect(true)
110
+ };
111
+ }
112
+ const jar = await (0, import_headers.cookies)();
113
+ const token = jar.get("vaultix-session")?.value;
114
+ if (!token) {
115
+ return {
116
+ userId: null,
117
+ orgId: null,
118
+ orgRole: null,
119
+ sessionId: null,
120
+ riskLevel: null,
121
+ isSignedIn: false,
122
+ protect: makeProtect(false)
123
+ };
124
+ }
125
+ const payload = await verifyJwt(token);
126
+ if (!payload) {
46
127
  return {
47
128
  userId: null,
48
129
  orgId: null,
49
130
  orgRole: null,
50
131
  sessionId: null,
51
132
  riskLevel: null,
52
- isSignedIn: false
133
+ isSignedIn: false,
134
+ protect: makeProtect(false)
53
135
  };
54
136
  }
55
137
  return {
56
- userId,
57
- orgId: h.get(HEADER_ORG_ID) || null,
58
- orgRole: h.get(HEADER_ORG_ROLE) || null,
59
- sessionId: h.get(HEADER_SESSION_ID) || null,
60
- riskLevel: h.get(HEADER_RISK_LEVEL) ?? "low",
61
- isSignedIn: true
138
+ userId: payload["uid"] ?? null,
139
+ orgId: payload["org"] ?? null,
140
+ orgRole: payload["rol"] ?? null,
141
+ sessionId: payload["sid"] ?? null,
142
+ riskLevel: payload["risk"] ?? "low",
143
+ isSignedIn: true,
144
+ protect: makeProtect(true)
62
145
  };
63
146
  }
64
- async function protect(redirectTo = "/sign-in") {
65
- const authObj = await auth();
66
- if (!authObj.isSignedIn) {
67
- (0, import_navigation.redirect)(redirectTo);
68
- }
69
- return authObj;
70
- }
71
147
  async function currentUser() {
72
- const { userId } = await auth();
73
- if (!userId) return null;
74
- const apiUrl = process.env["VAULTIX_API_URL"];
75
- const secret = process.env["VAULTIX_SECRET_KEY"];
76
- if (!apiUrl || !secret) return null;
148
+ const jar = await (0, import_headers.cookies)();
149
+ const token = jar.get("vaultix-session")?.value;
150
+ if (!token) return null;
151
+ const apiUrl = resolveApiUrl();
152
+ if (!apiUrl) return null;
77
153
  try {
78
- const res = await fetch(`${apiUrl}/v1/users/${userId}`, {
79
- headers: { Authorization: `Bearer ${secret}` },
154
+ const res = await fetch(`${apiUrl}/api/v1/me`, {
155
+ headers: { Authorization: `Bearer ${token}` },
80
156
  cache: "no-store"
81
157
  });
82
158
  if (!res.ok) return null;
83
- return await res.json();
159
+ const data = await res.json();
160
+ return data.user ?? null;
84
161
  } catch {
85
162
  return null;
86
163
  }
@@ -88,21 +165,25 @@ async function currentUser() {
88
165
  async function currentOrg() {
89
166
  const { orgId } = await auth();
90
167
  if (!orgId) return null;
91
- const apiUrl = process.env["VAULTIX_API_URL"];
92
- const secret = process.env["VAULTIX_SECRET_KEY"];
168
+ const apiUrl = resolveApiUrl();
169
+ const secret = process.env.VAULTIX_SECRET_KEY;
93
170
  if (!apiUrl || !secret) return null;
94
171
  try {
95
- const orgFetchInit = {
172
+ const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {
96
173
  headers: { Authorization: `Bearer ${secret}` },
97
174
  next: { revalidate: 30 }
98
- };
99
- const res = await fetch(`${apiUrl}/v1/orgs/${orgId}`, orgFetchInit);
175
+ });
100
176
  if (!res.ok) return null;
101
177
  return await res.json();
102
178
  } catch {
103
179
  return null;
104
180
  }
105
181
  }
182
+ async function protect(redirectTo) {
183
+ const authObj = await auth();
184
+ authObj.protect(redirectTo);
185
+ return authObj;
186
+ }
106
187
  // Annotate the CommonJS export names for ESM import in node:
107
188
  0 && (module.exports = {
108
189
  auth,
package/dist/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// This file is server-only. Import from \"@smritix.ai/nextjs/server\".\n// Do NOT import in Client Components — it will throw at runtime.\nimport { headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_RISK_LEVEL,\n HEADER_SESSION_ID,\n HEADER_USER_ID,\n} from \"./middleware\";\n\n// Next.js extends RequestInit with cache and next options for its data cache.\ntype NextRequestInit = RequestInit & {\n cache?: RequestCache;\n next?: { revalidate?: number | false; tags?: string[] };\n};\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state by reading the headers injected by\n * `authMiddleware`. Call this in Server Components, Route Handlers, and\n * Server Actions — never in Client Components.\n *\n * @example\n * import { auth } from \"@smritix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId, orgId } = await auth();\n * …\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n\n if (!userId) {\n return {\n userId: null,\n orgId: null,\n orgRole: null,\n sessionId: null,\n riskLevel: null,\n isSignedIn: false,\n };\n }\n\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n };\n}\n\n// ─── protect() ────────────────────────────────────────────────────────────────\n\n/**\n * Asserts that the current user is authenticated. Redirects to `/sign-in`\n * if not. Returns the auth object for convenience.\n *\n * @example\n * export default async function ProtectedPage() {\n * const { userId } = await protect();\n * …\n * }\n */\nexport async function protect(redirectTo = \"/sign-in\"): Promise<AuthObject> {\n const authObj = await auth();\n if (!authObj.isSignedIn) {\n redirect(redirectTo);\n }\n return authObj;\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Fetches the full `VaultixUser` record from the auth engine using server-to-server\n * credentials (`VAULTIX_API_URL` + `VAULTIX_SECRET_KEY` env vars).\n * Returns null when unauthenticated or when env vars are missing.\n *\n * Responses are never cached (`cache: \"no-store\"`) — user data must be fresh.\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const { userId } = await auth();\n if (!userId) return null;\n\n const apiUrl = process.env[\"VAULTIX_API_URL\"];\n const secret = process.env[\"VAULTIX_SECRET_KEY\"];\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/v1/users/${userId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n return (await res.json()) as VaultixUser;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Fetches the active `VaultixOrganization` from the auth engine.\n * Returns null when the user has no active org or env vars are missing.\n *\n * Responses are cached for 30 seconds — org data changes infrequently.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = process.env[\"VAULTIX_API_URL\"];\n const secret = process.env[\"VAULTIX_SECRET_KEY\"];\n if (!apiUrl || !secret) return null;\n\n try {\n const orgFetchInit: NextRequestInit = {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n };\n const res = await fetch(`${apiUrl}/v1/orgs/${orgId}`, orgFetchInit as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n return atob(parts.slice(3).join(\"_\")).replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n response.cookies.set(\"vaultix-session\", session_jwt, {\n httpOnly: true,\n secure: true,\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAwB;AACxB,wBAAyB;;;ACFzB,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADLjC,eAAsB,OAA4B;AAChD,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AAEnC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,SAAS;AAAA,MACT,WAAW;AAAA,MACX,WAAW;AAAA,MACX,YAAY;AAAA,IACd;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,IACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,IACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,IACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,IACxC,YAAY;AAAA,EACd;AACF;AAcA,eAAsB,QAAQ,aAAa,YAAiC;AAC1E,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAQ,YAAY;AACvB,oCAAS,UAAU;AAAA,EACrB;AACA,SAAO;AACT;AAWA,eAAsB,cAA2C;AAC/D,QAAM,EAAE,OAAO,IAAI,MAAM,KAAK;AAC9B,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,SAAS,QAAQ,IAAI,iBAAiB;AAC5C,QAAM,SAAS,QAAQ,IAAI,oBAAoB;AAC/C,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,aAAa,MAAM,IAAI;AAAA,MACtD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,QAAQ,IAAI,iBAAiB;AAC5C,QAAM,SAAS,QAAQ,IAAI,oBAAoB;AAC/C,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,eAAgC;AAAA,MACpC,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB;AACA,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,YAAY,KAAK,IAAI,YAA2B;AACjF,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}
1
+ {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n return atob(parts.slice(3).join(\"_\")).replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n return atob(parts.slice(3).join(\"_\")).replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n response.cookies.set(\"vaultix-session\", session_jwt, {\n httpOnly: true,\n secure: true,\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAiC;AACjC,wBAAyB;AACzB,IAAAA,eAA0D;;;ACH1D,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADjBjC,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AACpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,OAAO,EAAE;AAAA,IACzD;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,UAAM,yBAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,sBAAc,iCAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAAS,cAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,wCAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG;AAC1C,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG;AAC1C,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;","names":["import_jose"]}
package/dist/server.mjs CHANGED
@@ -1,6 +1,7 @@
1
1
  // src/server.ts
2
- import { headers } from "next/headers";
2
+ import { cookies, headers } from "next/headers";
3
3
  import { redirect } from "next/navigation";
4
+ import { createRemoteJWKSet as createRemoteJWKSet2, importSPKI as importSPKI2, jwtVerify as jwtVerify2 } from "jose";
4
5
 
5
6
  // src/middleware.ts
6
7
  import { createRemoteJWKSet, importSPKI, jwtVerify } from "jose";
@@ -12,48 +13,124 @@ var HEADER_SESSION_ID = "x-vaultix-session-id";
12
13
  var HEADER_RISK_LEVEL = "x-vaultix-risk-level";
13
14
 
14
15
  // src/server.ts
16
+ function resolveApiUrl() {
17
+ if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\/$/, "");
18
+ const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? "";
19
+ if (!pk) return "";
20
+ try {
21
+ const parts = pk.split("_");
22
+ if (parts.length >= 4 && parts[0] === "vaultix" && parts[1] === "pk") {
23
+ return atob(parts.slice(3).join("_")).replace(/\/$/, "");
24
+ }
25
+ } catch {
26
+ }
27
+ return "";
28
+ }
29
+ var _remoteJwks = null;
30
+ var _remoteJwksUrl = null;
31
+ var _staticKey = null;
32
+ var _staticPem = null;
33
+ async function verifyJwt(token) {
34
+ const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;
35
+ if (pem) {
36
+ const normalized = pem.replace(/\\n/g, "\n");
37
+ if (!_staticKey || _staticPem !== normalized) {
38
+ _staticKey = await importSPKI2(normalized, "RS256");
39
+ _staticPem = normalized;
40
+ }
41
+ try {
42
+ const { payload } = await jwtVerify2(token, _staticKey, { algorithms: ["RS256"] });
43
+ return payload;
44
+ } catch {
45
+ return null;
46
+ }
47
+ }
48
+ const apiUrl = resolveApiUrl();
49
+ if (!apiUrl) return null;
50
+ const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;
51
+ if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {
52
+ _remoteJwks = createRemoteJWKSet2(new URL(jwksUrl));
53
+ _remoteJwksUrl = jwksUrl;
54
+ }
55
+ try {
56
+ const { payload } = await jwtVerify2(token, _remoteJwks, { algorithms: ["RS256"] });
57
+ return payload;
58
+ } catch {
59
+ return null;
60
+ }
61
+ }
15
62
  async function auth() {
63
+ function makeProtect(isSignedIn) {
64
+ return (redirectTo) => {
65
+ if (!isSignedIn) {
66
+ const apiUrl = resolveApiUrl();
67
+ const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
68
+ redirect(dest);
69
+ }
70
+ };
71
+ }
16
72
  const h = await headers();
17
73
  const userId = h.get(HEADER_USER_ID);
18
- if (!userId) {
74
+ if (userId) {
75
+ return {
76
+ userId,
77
+ orgId: h.get(HEADER_ORG_ID) || null,
78
+ orgRole: h.get(HEADER_ORG_ROLE) || null,
79
+ sessionId: h.get(HEADER_SESSION_ID) || null,
80
+ riskLevel: h.get(HEADER_RISK_LEVEL) ?? "low",
81
+ isSignedIn: true,
82
+ protect: makeProtect(true)
83
+ };
84
+ }
85
+ const jar = await cookies();
86
+ const token = jar.get("vaultix-session")?.value;
87
+ if (!token) {
88
+ return {
89
+ userId: null,
90
+ orgId: null,
91
+ orgRole: null,
92
+ sessionId: null,
93
+ riskLevel: null,
94
+ isSignedIn: false,
95
+ protect: makeProtect(false)
96
+ };
97
+ }
98
+ const payload = await verifyJwt(token);
99
+ if (!payload) {
19
100
  return {
20
101
  userId: null,
21
102
  orgId: null,
22
103
  orgRole: null,
23
104
  sessionId: null,
24
105
  riskLevel: null,
25
- isSignedIn: false
106
+ isSignedIn: false,
107
+ protect: makeProtect(false)
26
108
  };
27
109
  }
28
110
  return {
29
- userId,
30
- orgId: h.get(HEADER_ORG_ID) || null,
31
- orgRole: h.get(HEADER_ORG_ROLE) || null,
32
- sessionId: h.get(HEADER_SESSION_ID) || null,
33
- riskLevel: h.get(HEADER_RISK_LEVEL) ?? "low",
34
- isSignedIn: true
111
+ userId: payload["uid"] ?? null,
112
+ orgId: payload["org"] ?? null,
113
+ orgRole: payload["rol"] ?? null,
114
+ sessionId: payload["sid"] ?? null,
115
+ riskLevel: payload["risk"] ?? "low",
116
+ isSignedIn: true,
117
+ protect: makeProtect(true)
35
118
  };
36
119
  }
37
- async function protect(redirectTo = "/sign-in") {
38
- const authObj = await auth();
39
- if (!authObj.isSignedIn) {
40
- redirect(redirectTo);
41
- }
42
- return authObj;
43
- }
44
120
  async function currentUser() {
45
- const { userId } = await auth();
46
- if (!userId) return null;
47
- const apiUrl = process.env["VAULTIX_API_URL"];
48
- const secret = process.env["VAULTIX_SECRET_KEY"];
49
- if (!apiUrl || !secret) return null;
121
+ const jar = await cookies();
122
+ const token = jar.get("vaultix-session")?.value;
123
+ if (!token) return null;
124
+ const apiUrl = resolveApiUrl();
125
+ if (!apiUrl) return null;
50
126
  try {
51
- const res = await fetch(`${apiUrl}/v1/users/${userId}`, {
52
- headers: { Authorization: `Bearer ${secret}` },
127
+ const res = await fetch(`${apiUrl}/api/v1/me`, {
128
+ headers: { Authorization: `Bearer ${token}` },
53
129
  cache: "no-store"
54
130
  });
55
131
  if (!res.ok) return null;
56
- return await res.json();
132
+ const data = await res.json();
133
+ return data.user ?? null;
57
134
  } catch {
58
135
  return null;
59
136
  }
@@ -61,21 +138,25 @@ async function currentUser() {
61
138
  async function currentOrg() {
62
139
  const { orgId } = await auth();
63
140
  if (!orgId) return null;
64
- const apiUrl = process.env["VAULTIX_API_URL"];
65
- const secret = process.env["VAULTIX_SECRET_KEY"];
141
+ const apiUrl = resolveApiUrl();
142
+ const secret = process.env.VAULTIX_SECRET_KEY;
66
143
  if (!apiUrl || !secret) return null;
67
144
  try {
68
- const orgFetchInit = {
145
+ const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {
69
146
  headers: { Authorization: `Bearer ${secret}` },
70
147
  next: { revalidate: 30 }
71
- };
72
- const res = await fetch(`${apiUrl}/v1/orgs/${orgId}`, orgFetchInit);
148
+ });
73
149
  if (!res.ok) return null;
74
150
  return await res.json();
75
151
  } catch {
76
152
  return null;
77
153
  }
78
154
  }
155
+ async function protect(redirectTo) {
156
+ const authObj = await auth();
157
+ authObj.protect(redirectTo);
158
+ return authObj;
159
+ }
79
160
  export {
80
161
  auth,
81
162
  currentOrg,