@vaultix.ai/nextjs 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/index.js +41 -11
  2. package/dist/index.js.map +1 -1
  3. package/dist/index.mjs +41 -11
  4. package/dist/index.mjs.map +1 -1
  5. package/dist/middleware.js +41 -11
  6. package/dist/middleware.js.map +1 -1
  7. package/dist/middleware.mjs +41 -11
  8. package/dist/middleware.mjs.map +1 -1
  9. package/dist/server.js.map +1 -1
  10. package/dist/server.mjs.map +1 -1
  11. package/package.json +2 -2
package/dist/index.js CHANGED
@@ -87,6 +87,11 @@ function isPublic(pathname, rules) {
87
87
  (rule) => typeof rule === "string" ? pathname === rule || pathname.startsWith(rule) : rule.test(pathname)
88
88
  );
89
89
  }
90
+ function isSecureRequest(req) {
91
+ const forwarded = req.headers.get("x-forwarded-proto");
92
+ if (forwarded) return forwarded.split(",")[0]?.trim() === "https";
93
+ return req.nextUrl.protocol === "https:";
94
+ }
90
95
  async function handleHandshake(req, handshakeToken, apiUrl) {
91
96
  try {
92
97
  const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {
@@ -100,7 +105,7 @@ async function handleHandshake(req, handshakeToken, apiUrl) {
100
105
  cleanUrl.searchParams.delete("__vaultix_handshake");
101
106
  const response = import_server.NextResponse.redirect(cleanUrl);
102
107
  const cookieBase = {
103
- secure: true,
108
+ secure: isSecureRequest(req),
104
109
  sameSite: "lax",
105
110
  path: "/",
106
111
  maxAge: 30 * 24 * 60 * 60
@@ -121,8 +126,8 @@ function authMiddleware(options = {}) {
121
126
  const signInUrl = options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
122
127
  const handshakeToken = req.nextUrl.searchParams.get("__vaultix_handshake");
123
128
  if (handshakeToken && apiUrl) {
124
- const response = await handleHandshake(req, handshakeToken, apiUrl);
125
- if (response) return response;
129
+ const response2 = await handleHandshake(req, handshakeToken, apiUrl);
130
+ if (response2) return response2;
126
131
  }
127
132
  let result = {
128
133
  userId: null,
@@ -134,6 +139,7 @@ function authMiddleware(options = {}) {
134
139
  isPublicRoute: publicRoute
135
140
  };
136
141
  const token = req.cookies.get("vaultix-session")?.value ?? req.cookies.get("vaultix-token")?.value ?? extractBearer(req.headers.get("authorization") ?? "");
142
+ let jwtExp;
137
143
  if (token) {
138
144
  const verifyKey = await getVerifyKey(apiUrl);
139
145
  if (verifyKey) {
@@ -141,6 +147,7 @@ function authMiddleware(options = {}) {
141
147
  const { payload } = await (0, import_jose.jwtVerify)(token, verifyKey.key, {
142
148
  algorithms: ["RS256"]
143
149
  });
150
+ jwtExp = payload.exp;
144
151
  result = {
145
152
  userId: payload["uid"] ?? null,
146
153
  orgId: payload["org"] ?? null,
@@ -154,6 +161,23 @@ function authMiddleware(options = {}) {
154
161
  }
155
162
  }
156
163
  }
164
+ let refreshedJwt = null;
165
+ if (result.isSignedIn && apiUrl && jwtExp !== void 0) {
166
+ const secondsLeft = jwtExp - Math.floor(Date.now() / 1e3);
167
+ if (secondsLeft < 120) {
168
+ try {
169
+ const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {
170
+ method: "POST",
171
+ headers: { Cookie: `vaultix-session=${token}` }
172
+ });
173
+ if (refreshRes.ok) {
174
+ const data = await refreshRes.json();
175
+ refreshedJwt = data.session_jwt ?? null;
176
+ }
177
+ } catch {
178
+ }
179
+ }
180
+ }
157
181
  if (afterAuth) {
158
182
  const override = afterAuth(result, req);
159
183
  if (override) return override;
@@ -163,17 +187,23 @@ function authMiddleware(options = {}) {
163
187
  dest.searchParams.set("redirect_url", req.url);
164
188
  return import_server.NextResponse.redirect(dest);
165
189
  }
166
- const next = new Headers(req.headers);
190
+ const nextHeaders = new Headers(req.headers);
167
191
  if (result.userId) {
168
- next.set(HEADER_USER_ID, result.userId);
169
- next.set(HEADER_ORG_ID, result.orgId ?? "");
170
- next.set(HEADER_ORG_ROLE, result.orgRole ?? "");
171
- next.set(HEADER_SESSION_ID, result.sessionId ?? "");
172
- next.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
192
+ nextHeaders.set(HEADER_USER_ID, result.userId);
193
+ nextHeaders.set(HEADER_ORG_ID, result.orgId ?? "");
194
+ nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? "");
195
+ nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? "");
196
+ nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
173
197
  } else {
174
- [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => next.delete(h));
198
+ [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => nextHeaders.delete(h));
175
199
  }
176
- return import_server.NextResponse.next({ request: { headers: next } });
200
+ const response = import_server.NextResponse.next({ request: { headers: nextHeaders } });
201
+ if (refreshedJwt) {
202
+ const cookieBase = { secure: isSecureRequest(req), sameSite: "lax", path: "/", maxAge: 30 * 24 * 60 * 60 };
203
+ response.cookies.set("vaultix-session", refreshedJwt, { ...cookieBase, httpOnly: true });
204
+ response.cookies.set("vaultix-token", refreshedJwt, { ...cookieBase, httpOnly: false });
205
+ }
206
+ return response;
177
207
  };
178
208
  }
179
209
  function extractBearer(header) {
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/middleware.ts","../src/server.ts"],"sourcesContent":["// @smritix.ai/nextjs — barrel export\n// Safe to import in all contexts (client, server, middleware).\n// For server-only utilities: import from \"@smritix.ai/nextjs/server\"\n// For the middleware factory: import from \"@smritix.ai/nextjs/middleware\"\n\n// ── Middleware ────────────────────────────────────────────────────────────────\nexport { authMiddleware } from \"./middleware\";\nexport type { AuthMiddlewareOptions, AuthResult } from \"./middleware\";\n\n// ── Server helpers ────────────────────────────────────────────────────────────\n// Re-exported for convenience; callers on client must use the explicit subpath.\nexport { auth, currentOrg, currentUser, protect } from \"./server\";\nexport type { AuthObject } from \"./server\";\n\n// ── Client SDK re-exports ─────────────────────────────────────────────────────\n// VaultixProvider, hooks, and UI components — safe for Client Components.\nexport {\n OrganizationSwitcher,\n SignIn,\n SignUp,\n VaultixProvider,\n UserButton,\n useOrganization,\n useSession,\n useVaultix,\n useUser,\n} from \"@vaultix.ai/react\";\n\nexport type {\n ChallengeType,\n RiskLevel,\n SessionClaims,\n VaultixContextValue,\n VaultixOrganization,\n VaultixProviderProps,\n VaultixSession,\n VaultixUser,\n} from \"@vaultix.ai/react\";\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n","// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,UAAM,wBAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,qBAAa,gCAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,2BAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAM,WAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,2BAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,OAAO,IAAI,QAAQ,IAAI,OAAO;AACpC,QAAI,OAAO,QAAQ;AACjB,WAAK,IAAI,gBAAmB,OAAO,MAAM;AACzC,WAAK,IAAI,eAAmB,OAAO,SAAS,EAAE;AAC9C,WAAK,IAAI,iBAAmB,OAAO,WAAW,EAAE;AAChD,WAAK,IAAI,mBAAmB,OAAO,aAAa,EAAE;AAClD,WAAK,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IACvD,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;AAAA,IAClC;AAEA,WAAO,2BAAa,KAAK,EAAE,SAAS,EAAE,SAAS,KAAK,EAAE,CAAC;AAAA,EACzD;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;;;ACpPA,qBAAiC;AACjC,wBAAyB;AACzB,IAAAA,eAA0D;AA4B1D,SAASC,iBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,UAAM,yBAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,sBAAc,iCAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAASA,eAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,wCAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;;;AF3NA,mBAUO;","names":["import_jose","resolveApiUrl"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/middleware.ts","../src/server.ts"],"sourcesContent":["// @smritix.ai/nextjs — barrel export\n// Safe to import in all contexts (client, server, middleware).\n// For server-only utilities: import from \"@smritix.ai/nextjs/server\"\n// For the middleware factory: import from \"@smritix.ai/nextjs/middleware\"\n\n// ── Middleware ────────────────────────────────────────────────────────────────\nexport { authMiddleware } from \"./middleware\";\nexport type { AuthMiddlewareOptions, AuthResult } from \"./middleware\";\n\n// ── Server helpers ────────────────────────────────────────────────────────────\n// Re-exported for convenience; callers on client must use the explicit subpath.\nexport { auth, currentOrg, currentUser, protect } from \"./server\";\nexport type { AuthObject } from \"./server\";\n\n// ── Client SDK re-exports ─────────────────────────────────────────────────────\n// VaultixProvider, hooks, and UI components — safe for Client Components.\nexport {\n OrganizationSwitcher,\n SignIn,\n SignUp,\n VaultixProvider,\n UserButton,\n useOrganization,\n useSession,\n useVaultix,\n useUser,\n} from \"@vaultix.ai/react\";\n\nexport type {\n ChallengeType,\n RiskLevel,\n SessionClaims,\n VaultixContextValue,\n VaultixOrganization,\n VaultixProviderProps,\n VaultixSession,\n VaultixUser,\n} from \"@vaultix.ai/react\";\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n","// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,UAAM,wBAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,qBAAa,gCAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAQA,SAAS,gBAAgB,KAA2B;AAClD,QAAM,YAAY,IAAI,QAAQ,IAAI,mBAAmB;AACrD,MAAI,UAAW,QAAO,UAAU,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,MAAM;AAC1D,SAAO,IAAI,QAAQ,aAAa;AAClC;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,2BAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ,gBAAgB,GAAG;AAAA,MAC3B,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAMA,YAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAIA,UAAU,QAAOA;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI;AAEJ,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS,QAAQ;AACjB,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAMA,QAAI,eAA8B;AAClC,QAAI,OAAO,cAAc,UAAU,WAAW,QAAW;AACvD,YAAM,cAAc,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACzD,UAAI,cAAc,KAAK;AACrB,YAAI;AACF,gBAAM,aAAa,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,YACjE,QAAQ;AAAA,YACR,SAAS,EAAE,QAAQ,mBAAmB,KAAK,GAAG;AAAA,UAChD,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAM,OAAO,MAAM,WAAW,KAAK;AACnC,2BAAe,KAAK,eAAe;AAAA,UACrC;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,2BAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,cAAc,IAAI,QAAQ,IAAI,OAAO;AAC3C,QAAI,OAAO,QAAQ;AACjB,kBAAY,IAAI,gBAAmB,OAAO,MAAM;AAChD,kBAAY,IAAI,eAAmB,OAAO,SAAS,EAAE;AACrD,kBAAY,IAAI,iBAAmB,OAAO,WAAW,EAAE;AACvD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,EAAE;AACzD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IAC9D,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,YAAY,OAAO,CAAC,CAAC;AAAA,IACzC;AAEA,UAAM,WAAW,2BAAa,KAAK,EAAE,SAAS,EAAE,SAAS,YAAY,EAAE,CAAC;AAGxE,QAAI,cAAc;AAChB,YAAM,aAAa,EAAE,QAAQ,gBAAgB,GAAG,GAAG,UAAU,OAAgB,MAAM,KAAK,QAAQ,KAAK,KAAK,KAAK,GAAG;AAClH,eAAS,QAAQ,IAAI,mBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AACvF,eAAS,QAAQ,IAAI,iBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AAAA,IAC1F;AAEA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;;;ACnSA,qBAAiC;AACjC,wBAAyB;AACzB,IAAAC,eAA0D;AA4B1D,SAASC,iBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,UAAM,yBAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,sBAAc,iCAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAASA,eAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,wCAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;;;AF3NA,mBAUO;","names":["response","import_jose","resolveApiUrl"]}
package/dist/index.mjs CHANGED
@@ -48,6 +48,11 @@ function isPublic(pathname, rules) {
48
48
  (rule) => typeof rule === "string" ? pathname === rule || pathname.startsWith(rule) : rule.test(pathname)
49
49
  );
50
50
  }
51
+ function isSecureRequest(req) {
52
+ const forwarded = req.headers.get("x-forwarded-proto");
53
+ if (forwarded) return forwarded.split(",")[0]?.trim() === "https";
54
+ return req.nextUrl.protocol === "https:";
55
+ }
51
56
  async function handleHandshake(req, handshakeToken, apiUrl) {
52
57
  try {
53
58
  const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {
@@ -61,7 +66,7 @@ async function handleHandshake(req, handshakeToken, apiUrl) {
61
66
  cleanUrl.searchParams.delete("__vaultix_handshake");
62
67
  const response = NextResponse.redirect(cleanUrl);
63
68
  const cookieBase = {
64
- secure: true,
69
+ secure: isSecureRequest(req),
65
70
  sameSite: "lax",
66
71
  path: "/",
67
72
  maxAge: 30 * 24 * 60 * 60
@@ -82,8 +87,8 @@ function authMiddleware(options = {}) {
82
87
  const signInUrl = options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
83
88
  const handshakeToken = req.nextUrl.searchParams.get("__vaultix_handshake");
84
89
  if (handshakeToken && apiUrl) {
85
- const response = await handleHandshake(req, handshakeToken, apiUrl);
86
- if (response) return response;
90
+ const response2 = await handleHandshake(req, handshakeToken, apiUrl);
91
+ if (response2) return response2;
87
92
  }
88
93
  let result = {
89
94
  userId: null,
@@ -95,6 +100,7 @@ function authMiddleware(options = {}) {
95
100
  isPublicRoute: publicRoute
96
101
  };
97
102
  const token = req.cookies.get("vaultix-session")?.value ?? req.cookies.get("vaultix-token")?.value ?? extractBearer(req.headers.get("authorization") ?? "");
103
+ let jwtExp;
98
104
  if (token) {
99
105
  const verifyKey = await getVerifyKey(apiUrl);
100
106
  if (verifyKey) {
@@ -102,6 +108,7 @@ function authMiddleware(options = {}) {
102
108
  const { payload } = await jwtVerify(token, verifyKey.key, {
103
109
  algorithms: ["RS256"]
104
110
  });
111
+ jwtExp = payload.exp;
105
112
  result = {
106
113
  userId: payload["uid"] ?? null,
107
114
  orgId: payload["org"] ?? null,
@@ -115,6 +122,23 @@ function authMiddleware(options = {}) {
115
122
  }
116
123
  }
117
124
  }
125
+ let refreshedJwt = null;
126
+ if (result.isSignedIn && apiUrl && jwtExp !== void 0) {
127
+ const secondsLeft = jwtExp - Math.floor(Date.now() / 1e3);
128
+ if (secondsLeft < 120) {
129
+ try {
130
+ const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {
131
+ method: "POST",
132
+ headers: { Cookie: `vaultix-session=${token}` }
133
+ });
134
+ if (refreshRes.ok) {
135
+ const data = await refreshRes.json();
136
+ refreshedJwt = data.session_jwt ?? null;
137
+ }
138
+ } catch {
139
+ }
140
+ }
141
+ }
118
142
  if (afterAuth) {
119
143
  const override = afterAuth(result, req);
120
144
  if (override) return override;
@@ -124,17 +148,23 @@ function authMiddleware(options = {}) {
124
148
  dest.searchParams.set("redirect_url", req.url);
125
149
  return NextResponse.redirect(dest);
126
150
  }
127
- const next = new Headers(req.headers);
151
+ const nextHeaders = new Headers(req.headers);
128
152
  if (result.userId) {
129
- next.set(HEADER_USER_ID, result.userId);
130
- next.set(HEADER_ORG_ID, result.orgId ?? "");
131
- next.set(HEADER_ORG_ROLE, result.orgRole ?? "");
132
- next.set(HEADER_SESSION_ID, result.sessionId ?? "");
133
- next.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
153
+ nextHeaders.set(HEADER_USER_ID, result.userId);
154
+ nextHeaders.set(HEADER_ORG_ID, result.orgId ?? "");
155
+ nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? "");
156
+ nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? "");
157
+ nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
134
158
  } else {
135
- [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => next.delete(h));
159
+ [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => nextHeaders.delete(h));
136
160
  }
137
- return NextResponse.next({ request: { headers: next } });
161
+ const response = NextResponse.next({ request: { headers: nextHeaders } });
162
+ if (refreshedJwt) {
163
+ const cookieBase = { secure: isSecureRequest(req), sameSite: "lax", path: "/", maxAge: 30 * 24 * 60 * 60 };
164
+ response.cookies.set("vaultix-session", refreshedJwt, { ...cookieBase, httpOnly: true });
165
+ response.cookies.set("vaultix-token", refreshedJwt, { ...cookieBase, httpOnly: false });
166
+ }
167
+ return response;
138
168
  };
139
169
  }
140
170
  function extractBearer(header) {
package/dist/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/middleware.ts","../src/server.ts","../src/index.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n","// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// @smritix.ai/nextjs — barrel export\n// Safe to import in all contexts (client, server, middleware).\n// For server-only utilities: import from \"@smritix.ai/nextjs/server\"\n// For the middleware factory: import from \"@smritix.ai/nextjs/middleware\"\n\n// ── Middleware ────────────────────────────────────────────────────────────────\nexport { authMiddleware } from \"./middleware\";\nexport type { AuthMiddlewareOptions, AuthResult } from \"./middleware\";\n\n// ── Server helpers ────────────────────────────────────────────────────────────\n// Re-exported for convenience; callers on client must use the explicit subpath.\nexport { auth, currentOrg, currentUser, protect } from \"./server\";\nexport type { AuthObject } from \"./server\";\n\n// ── Client SDK re-exports ─────────────────────────────────────────────────────\n// VaultixProvider, hooks, and UI components — safe for Client Components.\nexport {\n OrganizationSwitcher,\n SignIn,\n SignUp,\n VaultixProvider,\n UserButton,\n useOrganization,\n useSession,\n useVaultix,\n useUser,\n} from \"@vaultix.ai/react\";\n\nexport type {\n ChallengeType,\n RiskLevel,\n SessionClaims,\n VaultixContextValue,\n VaultixOrganization,\n VaultixProviderProps,\n VaultixSession,\n VaultixUser,\n} from \"@vaultix.ai/react\";\n"],"mappings":";AACA,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,MAAM,WAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,iBAAa,mBAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,aAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAM,WAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,aAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,OAAO,IAAI,QAAQ,IAAI,OAAO;AACpC,QAAI,OAAO,QAAQ;AACjB,WAAK,IAAI,gBAAmB,OAAO,MAAM;AACzC,WAAK,IAAI,eAAmB,OAAO,SAAS,EAAE;AAC9C,WAAK,IAAI,iBAAmB,OAAO,WAAW,EAAE;AAChD,WAAK,IAAI,mBAAmB,OAAO,aAAa,EAAE;AAClD,WAAK,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IACvD,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;AAAA,IAClC;AAEA,WAAO,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,KAAK,EAAE,CAAC;AAAA,EACzD;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;;;ACpPA,SAAS,SAAS,eAAe;AACjC,SAAS,gBAAgB;AACzB,SAAS,sBAAAA,qBAAoB,cAAAC,aAAY,aAAAC,kBAAiB;AA4B1D,SAASC,iBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,MAAMC,YAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAASF,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,kBAAcG,oBAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,MAAMD,WAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAASF,eAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,iBAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,QAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;;;AC3NA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":["createRemoteJWKSet","importSPKI","jwtVerify","resolveApiUrl","importSPKI","jwtVerify","createRemoteJWKSet"]}
1
+ {"version":3,"sources":["../src/middleware.ts","../src/server.ts","../src/index.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n","// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// @smritix.ai/nextjs — barrel export\n// Safe to import in all contexts (client, server, middleware).\n// For server-only utilities: import from \"@smritix.ai/nextjs/server\"\n// For the middleware factory: import from \"@smritix.ai/nextjs/middleware\"\n\n// ── Middleware ────────────────────────────────────────────────────────────────\nexport { authMiddleware } from \"./middleware\";\nexport type { AuthMiddlewareOptions, AuthResult } from \"./middleware\";\n\n// ── Server helpers ────────────────────────────────────────────────────────────\n// Re-exported for convenience; callers on client must use the explicit subpath.\nexport { auth, currentOrg, currentUser, protect } from \"./server\";\nexport type { AuthObject } from \"./server\";\n\n// ── Client SDK re-exports ─────────────────────────────────────────────────────\n// VaultixProvider, hooks, and UI components — safe for Client Components.\nexport {\n OrganizationSwitcher,\n SignIn,\n SignUp,\n VaultixProvider,\n UserButton,\n useOrganization,\n useSession,\n useVaultix,\n useUser,\n} from \"@vaultix.ai/react\";\n\nexport type {\n ChallengeType,\n RiskLevel,\n SessionClaims,\n VaultixContextValue,\n VaultixOrganization,\n VaultixProviderProps,\n VaultixSession,\n VaultixUser,\n} from \"@vaultix.ai/react\";\n"],"mappings":";AACA,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,MAAM,WAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,iBAAa,mBAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAQA,SAAS,gBAAgB,KAA2B;AAClD,QAAM,YAAY,IAAI,QAAQ,IAAI,mBAAmB;AACrD,MAAI,UAAW,QAAO,UAAU,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,MAAM;AAC1D,SAAO,IAAI,QAAQ,aAAa;AAClC;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,aAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ,gBAAgB,GAAG;AAAA,MAC3B,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAMA,YAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAIA,UAAU,QAAOA;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI;AAEJ,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS,QAAQ;AACjB,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAMA,QAAI,eAA8B;AAClC,QAAI,OAAO,cAAc,UAAU,WAAW,QAAW;AACvD,YAAM,cAAc,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACzD,UAAI,cAAc,KAAK;AACrB,YAAI;AACF,gBAAM,aAAa,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,YACjE,QAAQ;AAAA,YACR,SAAS,EAAE,QAAQ,mBAAmB,KAAK,GAAG;AAAA,UAChD,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAM,OAAO,MAAM,WAAW,KAAK;AACnC,2BAAe,KAAK,eAAe;AAAA,UACrC;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,aAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,cAAc,IAAI,QAAQ,IAAI,OAAO;AAC3C,QAAI,OAAO,QAAQ;AACjB,kBAAY,IAAI,gBAAmB,OAAO,MAAM;AAChD,kBAAY,IAAI,eAAmB,OAAO,SAAS,EAAE;AACrD,kBAAY,IAAI,iBAAmB,OAAO,WAAW,EAAE;AACvD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,EAAE;AACzD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IAC9D,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,YAAY,OAAO,CAAC,CAAC;AAAA,IACzC;AAEA,UAAM,WAAW,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,YAAY,EAAE,CAAC;AAGxE,QAAI,cAAc;AAChB,YAAM,aAAa,EAAE,QAAQ,gBAAgB,GAAG,GAAG,UAAU,OAAgB,MAAM,KAAK,QAAQ,KAAK,KAAK,KAAK,GAAG;AAClH,eAAS,QAAQ,IAAI,mBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AACvF,eAAS,QAAQ,IAAI,iBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AAAA,IAC1F;AAEA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;;;ACnSA,SAAS,SAAS,eAAe;AACjC,SAAS,gBAAgB;AACzB,SAAS,sBAAAC,qBAAoB,cAAAC,aAAY,aAAAC,kBAAiB;AA4B1D,SAASC,iBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,MAAMC,YAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAASF,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,kBAAcG,oBAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,MAAMD,WAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAASF,eAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,iBAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,QAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAASA,eAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;;;AC3NA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":["response","createRemoteJWKSet","importSPKI","jwtVerify","resolveApiUrl","importSPKI","jwtVerify","createRemoteJWKSet"]}
package/dist/middleware.js CHANGED
@@ -77,6 +77,11 @@ function isPublic(pathname, rules) {
77
77
  (rule) => typeof rule === "string" ? pathname === rule || pathname.startsWith(rule) : rule.test(pathname)
78
78
  );
79
79
  }
80
+ function isSecureRequest(req) {
81
+ const forwarded = req.headers.get("x-forwarded-proto");
82
+ if (forwarded) return forwarded.split(",")[0]?.trim() === "https";
83
+ return req.nextUrl.protocol === "https:";
84
+ }
80
85
  async function handleHandshake(req, handshakeToken, apiUrl) {
81
86
  try {
82
87
  const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {
@@ -90,7 +95,7 @@ async function handleHandshake(req, handshakeToken, apiUrl) {
90
95
  cleanUrl.searchParams.delete("__vaultix_handshake");
91
96
  const response = import_server.NextResponse.redirect(cleanUrl);
92
97
  const cookieBase = {
93
- secure: true,
98
+ secure: isSecureRequest(req),
94
99
  sameSite: "lax",
95
100
  path: "/",
96
101
  maxAge: 30 * 24 * 60 * 60
@@ -111,8 +116,8 @@ function authMiddleware(options = {}) {
111
116
  const signInUrl = options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
112
117
  const handshakeToken = req.nextUrl.searchParams.get("__vaultix_handshake");
113
118
  if (handshakeToken && apiUrl) {
114
- const response = await handleHandshake(req, handshakeToken, apiUrl);
115
- if (response) return response;
119
+ const response2 = await handleHandshake(req, handshakeToken, apiUrl);
120
+ if (response2) return response2;
116
121
  }
117
122
  let result = {
118
123
  userId: null,
@@ -124,6 +129,7 @@ function authMiddleware(options = {}) {
124
129
  isPublicRoute: publicRoute
125
130
  };
126
131
  const token = req.cookies.get("vaultix-session")?.value ?? req.cookies.get("vaultix-token")?.value ?? extractBearer(req.headers.get("authorization") ?? "");
132
+ let jwtExp;
127
133
  if (token) {
128
134
  const verifyKey = await getVerifyKey(apiUrl);
129
135
  if (verifyKey) {
@@ -131,6 +137,7 @@ function authMiddleware(options = {}) {
131
137
  const { payload } = await (0, import_jose.jwtVerify)(token, verifyKey.key, {
132
138
  algorithms: ["RS256"]
133
139
  });
140
+ jwtExp = payload.exp;
134
141
  result = {
135
142
  userId: payload["uid"] ?? null,
136
143
  orgId: payload["org"] ?? null,
@@ -144,6 +151,23 @@ function authMiddleware(options = {}) {
144
151
  }
145
152
  }
146
153
  }
154
+ let refreshedJwt = null;
155
+ if (result.isSignedIn && apiUrl && jwtExp !== void 0) {
156
+ const secondsLeft = jwtExp - Math.floor(Date.now() / 1e3);
157
+ if (secondsLeft < 120) {
158
+ try {
159
+ const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {
160
+ method: "POST",
161
+ headers: { Cookie: `vaultix-session=${token}` }
162
+ });
163
+ if (refreshRes.ok) {
164
+ const data = await refreshRes.json();
165
+ refreshedJwt = data.session_jwt ?? null;
166
+ }
167
+ } catch {
168
+ }
169
+ }
170
+ }
147
171
  if (afterAuth) {
148
172
  const override = afterAuth(result, req);
149
173
  if (override) return override;
@@ -153,17 +177,23 @@ function authMiddleware(options = {}) {
153
177
  dest.searchParams.set("redirect_url", req.url);
154
178
  return import_server.NextResponse.redirect(dest);
155
179
  }
156
- const next = new Headers(req.headers);
180
+ const nextHeaders = new Headers(req.headers);
157
181
  if (result.userId) {
158
- next.set(HEADER_USER_ID, result.userId);
159
- next.set(HEADER_ORG_ID, result.orgId ?? "");
160
- next.set(HEADER_ORG_ROLE, result.orgRole ?? "");
161
- next.set(HEADER_SESSION_ID, result.sessionId ?? "");
162
- next.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
182
+ nextHeaders.set(HEADER_USER_ID, result.userId);
183
+ nextHeaders.set(HEADER_ORG_ID, result.orgId ?? "");
184
+ nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? "");
185
+ nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? "");
186
+ nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
163
187
  } else {
164
- [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => next.delete(h));
188
+ [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => nextHeaders.delete(h));
165
189
  }
166
- return import_server.NextResponse.next({ request: { headers: next } });
190
+ const response = import_server.NextResponse.next({ request: { headers: nextHeaders } });
191
+ if (refreshedJwt) {
192
+ const cookieBase = { secure: isSecureRequest(req), sameSite: "lax", path: "/", maxAge: 30 * 24 * 60 * 60 };
193
+ response.cookies.set("vaultix-session", refreshedJwt, { ...cookieBase, httpOnly: true });
194
+ response.cookies.set("vaultix-token", refreshedJwt, { ...cookieBase, httpOnly: false });
195
+ }
196
+ return response;
167
197
  };
168
198
  }
169
199
  function extractBearer(header) {
package/dist/middleware.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,UAAM,wBAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,qBAAa,gCAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,2BAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAM,WAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,2BAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,OAAO,IAAI,QAAQ,IAAI,OAAO;AACpC,QAAI,OAAO,QAAQ;AACjB,WAAK,IAAI,gBAAmB,OAAO,MAAM;AACzC,WAAK,IAAI,eAAmB,OAAO,SAAS,EAAE;AAC9C,WAAK,IAAI,iBAAmB,OAAO,WAAW,EAAE;AAChD,WAAK,IAAI,mBAAmB,OAAO,aAAa,EAAE;AAClD,WAAK,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IACvD,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;AAAA,IAClC;AAEA,WAAO,2BAAa,KAAK,EAAE,SAAS,EAAE,SAAS,KAAK,EAAE,CAAC;AAAA,EACzD;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;","names":[]}
1
+ {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,UAAM,wBAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,qBAAa,gCAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAQA,SAAS,gBAAgB,KAA2B;AAClD,QAAM,YAAY,IAAI,QAAQ,IAAI,mBAAmB;AACrD,MAAI,UAAW,QAAO,UAAU,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,MAAM;AAC1D,SAAO,IAAI,QAAQ,aAAa;AAClC;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,2BAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ,gBAAgB,GAAG;AAAA,MAC3B,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAMA,YAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAIA,UAAU,QAAOA;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI;AAEJ,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,UAAM,uBAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS,QAAQ;AACjB,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAMA,QAAI,eAA8B;AAClC,QAAI,OAAO,cAAc,UAAU,WAAW,QAAW;AACvD,YAAM,cAAc,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACzD,UAAI,cAAc,KAAK;AACrB,YAAI;AACF,gBAAM,aAAa,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,YACjE,QAAQ;AAAA,YACR,SAAS,EAAE,QAAQ,mBAAmB,KAAK,GAAG;AAAA,UAChD,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAM,OAAO,MAAM,WAAW,KAAK;AACnC,2BAAe,KAAK,eAAe;AAAA,UACrC;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,2BAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,cAAc,IAAI,QAAQ,IAAI,OAAO;AAC3C,QAAI,OAAO,QAAQ;AACjB,kBAAY,IAAI,gBAAmB,OAAO,MAAM;AAChD,kBAAY,IAAI,eAAmB,OAAO,SAAS,EAAE;AACrD,kBAAY,IAAI,iBAAmB,OAAO,WAAW,EAAE;AACvD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,EAAE;AACzD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IAC9D,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,YAAY,OAAO,CAAC,CAAC;AAAA,IACzC;AAEA,UAAM,WAAW,2BAAa,KAAK,EAAE,SAAS,EAAE,SAAS,YAAY,EAAE,CAAC;AAGxE,QAAI,cAAc;AAChB,YAAM,aAAa,EAAE,QAAQ,gBAAgB,GAAG,GAAG,UAAU,OAAgB,MAAM,KAAK,QAAQ,KAAK,KAAK,KAAK,GAAG;AAClH,eAAS,QAAQ,IAAI,mBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AACvF,eAAS,QAAQ,IAAI,iBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AAAA,IAC1F;AAEA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;","names":["response"]}
package/dist/middleware.mjs CHANGED
@@ -48,6 +48,11 @@ function isPublic(pathname, rules) {
48
48
  (rule) => typeof rule === "string" ? pathname === rule || pathname.startsWith(rule) : rule.test(pathname)
49
49
  );
50
50
  }
51
+ function isSecureRequest(req) {
52
+ const forwarded = req.headers.get("x-forwarded-proto");
53
+ if (forwarded) return forwarded.split(",")[0]?.trim() === "https";
54
+ return req.nextUrl.protocol === "https:";
55
+ }
51
56
  async function handleHandshake(req, handshakeToken, apiUrl) {
52
57
  try {
53
58
  const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {
@@ -61,7 +66,7 @@ async function handleHandshake(req, handshakeToken, apiUrl) {
61
66
  cleanUrl.searchParams.delete("__vaultix_handshake");
62
67
  const response = NextResponse.redirect(cleanUrl);
63
68
  const cookieBase = {
64
- secure: true,
69
+ secure: isSecureRequest(req),
65
70
  sameSite: "lax",
66
71
  path: "/",
67
72
  maxAge: 30 * 24 * 60 * 60
@@ -82,8 +87,8 @@ function authMiddleware(options = {}) {
82
87
  const signInUrl = options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : "/sign-in");
83
88
  const handshakeToken = req.nextUrl.searchParams.get("__vaultix_handshake");
84
89
  if (handshakeToken && apiUrl) {
85
- const response = await handleHandshake(req, handshakeToken, apiUrl);
86
- if (response) return response;
90
+ const response2 = await handleHandshake(req, handshakeToken, apiUrl);
91
+ if (response2) return response2;
87
92
  }
88
93
  let result = {
89
94
  userId: null,
@@ -95,6 +100,7 @@ function authMiddleware(options = {}) {
95
100
  isPublicRoute: publicRoute
96
101
  };
97
102
  const token = req.cookies.get("vaultix-session")?.value ?? req.cookies.get("vaultix-token")?.value ?? extractBearer(req.headers.get("authorization") ?? "");
103
+ let jwtExp;
98
104
  if (token) {
99
105
  const verifyKey = await getVerifyKey(apiUrl);
100
106
  if (verifyKey) {
@@ -102,6 +108,7 @@ function authMiddleware(options = {}) {
102
108
  const { payload } = await jwtVerify(token, verifyKey.key, {
103
109
  algorithms: ["RS256"]
104
110
  });
111
+ jwtExp = payload.exp;
105
112
  result = {
106
113
  userId: payload["uid"] ?? null,
107
114
  orgId: payload["org"] ?? null,
@@ -115,6 +122,23 @@ function authMiddleware(options = {}) {
115
122
  }
116
123
  }
117
124
  }
125
+ let refreshedJwt = null;
126
+ if (result.isSignedIn && apiUrl && jwtExp !== void 0) {
127
+ const secondsLeft = jwtExp - Math.floor(Date.now() / 1e3);
128
+ if (secondsLeft < 120) {
129
+ try {
130
+ const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {
131
+ method: "POST",
132
+ headers: { Cookie: `vaultix-session=${token}` }
133
+ });
134
+ if (refreshRes.ok) {
135
+ const data = await refreshRes.json();
136
+ refreshedJwt = data.session_jwt ?? null;
137
+ }
138
+ } catch {
139
+ }
140
+ }
141
+ }
118
142
  if (afterAuth) {
119
143
  const override = afterAuth(result, req);
120
144
  if (override) return override;
@@ -124,17 +148,23 @@ function authMiddleware(options = {}) {
124
148
  dest.searchParams.set("redirect_url", req.url);
125
149
  return NextResponse.redirect(dest);
126
150
  }
127
- const next = new Headers(req.headers);
151
+ const nextHeaders = new Headers(req.headers);
128
152
  if (result.userId) {
129
- next.set(HEADER_USER_ID, result.userId);
130
- next.set(HEADER_ORG_ID, result.orgId ?? "");
131
- next.set(HEADER_ORG_ROLE, result.orgRole ?? "");
132
- next.set(HEADER_SESSION_ID, result.sessionId ?? "");
133
- next.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
153
+ nextHeaders.set(HEADER_USER_ID, result.userId);
154
+ nextHeaders.set(HEADER_ORG_ID, result.orgId ?? "");
155
+ nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? "");
156
+ nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? "");
157
+ nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? "low");
134
158
  } else {
135
- [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => next.delete(h));
159
+ [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL].forEach((h) => nextHeaders.delete(h));
136
160
  }
137
- return NextResponse.next({ request: { headers: next } });
161
+ const response = NextResponse.next({ request: { headers: nextHeaders } });
162
+ if (refreshedJwt) {
163
+ const cookieBase = { secure: isSecureRequest(req), sameSite: "lax", path: "/", maxAge: 30 * 24 * 60 * 60 };
164
+ response.cookies.set("vaultix-session", refreshedJwt, { ...cookieBase, httpOnly: true });
165
+ response.cookies.set("vaultix-token", refreshedJwt, { ...cookieBase, httpOnly: false });
166
+ }
167
+ return response;
138
168
  };
139
169
  }
140
170
  function extractBearer(header) {
package/dist/middleware.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";AACA,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,MAAM,WAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,iBAAa,mBAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,aAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAM,WAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,aAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,OAAO,IAAI,QAAQ,IAAI,OAAO;AACpC,QAAI,OAAO,QAAQ;AACjB,WAAK,IAAI,gBAAmB,OAAO,MAAM;AACzC,WAAK,IAAI,eAAmB,OAAO,SAAS,EAAE;AAC9C,WAAK,IAAI,iBAAmB,OAAO,WAAW,EAAE;AAChD,WAAK,IAAI,mBAAmB,OAAO,aAAa,EAAE;AAClD,WAAK,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IACvD,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;AAAA,IAClC;AAEA,WAAO,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,KAAK,EAAE,CAAC;AAAA,EACzD;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;","names":[]}
1
+ {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";AACA,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAIjC,SAAS,oBAAoB,IAAoB;AAC/C,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAEA,SAAS,cAAc,SAAwC;AAC7D,MAAI,QAAQ,OAAQ,QAAO,QAAQ,OAAO,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,SAAO,oBAAoB,EAAE;AAC/B;AAMA,IAAI,aAA2D;AAC/D,IAAI,gBAA+B;AAEnC,IAAI,YAA4B;AAChC,IAAI,YAA2B;AAE/B,eAAe,aAAa,QAAgB;AAE1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,aAAa,cAAc,WAAY,QAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAC5F,gBAAY,MAAM,WAAW,YAAY,OAAO;AAChD,gBAAY;AACZ,WAAO,EAAE,KAAK,WAAW,MAAM,SAAkB;AAAA,EACnD;AAGA,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,cAAc,kBAAkB,SAAS;AAC5C,iBAAa,mBAAmB,IAAI,IAAI,OAAO,CAAC;AAChD,oBAAgB;AAAA,EAClB;AACA,SAAO,EAAE,KAAK,YAAY,MAAM,SAAkB;AACpD;AAIA,SAAS,SAAS,UAAkB,OAAwC;AAC1E,SAAO,MAAM;AAAA,IAAK,CAAC,SACjB,OAAO,SAAS,WACZ,aAAa,QAAQ,SAAS,WAAW,IAAI,IAC7C,KAAK,KAAK,QAAQ;AAAA,EACxB;AACF;AAQA,SAAS,gBAAgB,KAA2B;AAClD,QAAM,YAAY,IAAI,QAAQ,IAAI,mBAAmB;AACrD,MAAI,UAAW,QAAO,UAAU,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,MAAM;AAC1D,SAAO,IAAI,QAAQ,aAAa;AAClC;AAIA,eAAe,gBACb,KACA,gBACA,QAC8B;AAC9B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,iBAAiB,eAAe,CAAC;AAAA,IAC1D,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,EAAE,YAAY,IAAK,MAAM,IAAI,KAAK;AACxC,UAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,aAAS,aAAa,OAAO,qBAAqB;AAElD,UAAM,WAAW,aAAa,SAAS,QAAQ;AAC/C,UAAM,aAAa;AAAA,MACjB,QAAQ,gBAAgB,GAAG;AAAA,MAC3B,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK,KAAK,KAAK;AAAA,IACzB;AAEA,aAAS,QAAQ,IAAI,mBAAmB,aAAa,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AAEtF,aAAS,QAAQ,IAAI,iBAAiB,aAAa,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AACrF,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,eAAe,UAAiC,CAAC,GAAG;AAClE,QAAM,EAAE,eAAe,CAAC,GAAG,UAAU,IAAI;AAEzC,SAAO,eAAe,WAAW,KAAyC;AACxE,UAAM,EAAE,SAAS,IAAI,IAAI;AACzB,UAAM,cAAc,SAAS,UAAU,YAAY;AAEnD,UAAM,SAAS,cAAc,OAAO;AAGpC,UAAM,YACJ,QAAQ,cAAc,SAAS,GAAG,MAAM,kBAAkB;AAG5D,UAAM,iBAAiB,IAAI,QAAQ,aAAa,IAAI,qBAAqB;AACzE,QAAI,kBAAkB,QAAQ;AAC5B,YAAMA,YAAW,MAAM,gBAAgB,KAAK,gBAAgB,MAAM;AAClE,UAAIA,UAAU,QAAOA;AAAA,IACvB;AAGA,QAAI,SAAqB;AAAA,MACvB,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAC5B,YAAY;AAAA,MAAO,eAAe;AAAA,IACpC;AAEA,UAAM,QACJ,IAAI,QAAQ,IAAI,iBAAiB,GAAG,SACpC,IAAI,QAAQ,IAAI,eAAe,GAAG,SAClC,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,EAAE;AAEtD,QAAI;AAEJ,QAAI,OAAO;AACT,YAAM,YAAY,MAAM,aAAa,MAAM;AAC3C,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,UAAU,KAAwC;AAAA,YAC3F,YAAY,CAAC,OAAO;AAAA,UACtB,CAAC;AACD,mBAAS,QAAQ;AACjB,mBAAS;AAAA,YACP,QAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,YAC1C,WAAY,QAAQ,MAAM,KAAgB;AAAA,YAC1C,YAAY;AAAA,YACZ,eAAe;AAAA,UACjB;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAMA,QAAI,eAA8B;AAClC,QAAI,OAAO,cAAc,UAAU,WAAW,QAAW;AACvD,YAAM,cAAc,SAAS,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACzD,UAAI,cAAc,KAAK;AACrB,YAAI;AACF,gBAAM,aAAa,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,YACjE,QAAQ;AAAA,YACR,SAAS,EAAE,QAAQ,mBAAmB,KAAK,GAAG;AAAA,UAChD,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAM,OAAO,MAAM,WAAW,KAAK;AACnC,2BAAe,KAAK,eAAe;AAAA,UACrC;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,WAAW,UAAU,QAAQ,GAAG;AACtC,UAAI,SAAU,QAAO;AAAA,IACvB;AAGA,QAAI,CAAC,OAAO,cAAc,CAAC,aAAa;AACtC,YAAM,OAAO,IAAI,IAAI,WAAW,IAAI,GAAG;AACvC,WAAK,aAAa,IAAI,gBAAgB,IAAI,GAAG;AAC7C,aAAO,aAAa,SAAS,IAAI;AAAA,IACnC;AAGA,UAAM,cAAc,IAAI,QAAQ,IAAI,OAAO;AAC3C,QAAI,OAAO,QAAQ;AACjB,kBAAY,IAAI,gBAAmB,OAAO,MAAM;AAChD,kBAAY,IAAI,eAAmB,OAAO,SAAS,EAAE;AACrD,kBAAY,IAAI,iBAAmB,OAAO,WAAW,EAAE;AACvD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,EAAE;AACzD,kBAAY,IAAI,mBAAmB,OAAO,aAAa,KAAK;AAAA,IAC9D,OAAO;AACL,OAAC,gBAAgB,eAAe,iBAAiB,mBAAmB,iBAAiB,EAClF,QAAQ,CAAC,MAAM,YAAY,OAAO,CAAC,CAAC;AAAA,IACzC;AAEA,UAAM,WAAW,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,YAAY,EAAE,CAAC;AAGxE,QAAI,cAAc;AAChB,YAAM,aAAa,EAAE,QAAQ,gBAAgB,GAAG,GAAG,UAAU,OAAgB,MAAM,KAAK,QAAQ,KAAK,KAAK,KAAK,GAAG;AAClH,eAAS,QAAQ,IAAI,mBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,KAAK,CAAC;AACvF,eAAS,QAAQ,IAAI,iBAAmB,cAAc,EAAE,GAAG,YAAY,UAAU,MAAM,CAAC;AAAA,IAC1F;AAEA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,QAAwB;AAC7C,SAAO,OAAO,WAAW,SAAS,IAAI,OAAO,MAAM,CAAC,IAAI;AAC1D;","names":["response"]}
package/dist/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAiC;AACjC,wBAAyB;AACzB,IAAAA,eAA0D;;;ACH1D,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADjBjC,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,UAAM,yBAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,sBAAc,iCAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAAS,cAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,wCAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;","names":["import_jose"]}
1
+ {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,qBAAiC;AACjC,wBAAyB;AACzB,IAAAA,eAA0D;;;ACH1D,kBAAwE;AACxE,oBAA0C;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADjBjC,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,UAAM,yBAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,sBAAc,iCAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,UAAM,wBAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAAS,cAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,wCAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,UAAM,wBAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,UAAM,wBAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;","names":["import_jose"]}
package/dist/server.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: true,\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const next = new Headers(req.headers);\n if (result.userId) {\n next.set(HEADER_USER_ID, result.userId);\n next.set(HEADER_ORG_ID, result.orgId ?? \"\");\n next.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n next.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n next.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => next.delete(h));\n }\n\n return NextResponse.next({ request: { headers: next } });\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";AAEA,SAAS,SAAS,eAAe;AACjC,SAAS,gBAAgB;AACzB,SAAS,sBAAAA,qBAAoB,cAAAC,aAAY,aAAAC,kBAAiB;;;ACH1D,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADjBjC,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,MAAMC,YAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,kBAAcC,oBAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,MAAMD,WAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAAS,cAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,iBAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,QAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;","names":["createRemoteJWKSet","importSPKI","jwtVerify","importSPKI","jwtVerify","createRemoteJWKSet"]}
1
+ {"version":3,"sources":["../src/server.ts","../src/middleware.ts"],"sourcesContent":["// Server-only. Import from \"@vaultix.ai/nextjs/server\".\n// Never import this in Client Components.\nimport { cookies, headers } from \"next/headers\";\nimport { redirect } from \"next/navigation\";\nimport { createRemoteJWKSet, importSPKI, jwtVerify } from \"jose\";\nimport type { VaultixOrganization, VaultixUser } from \"@vaultix.ai/react\";\nimport {\n HEADER_USER_ID,\n HEADER_ORG_ID,\n HEADER_ORG_ROLE,\n HEADER_SESSION_ID,\n HEADER_RISK_LEVEL,\n} from \"./middleware\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthObject {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: \"low\" | \"medium\" | \"high\" | \"critical\" | null;\n isSignedIn: boolean;\n /**\n * Throws a redirect if the user is not authenticated.\n * Usage: const { userId } = await auth(); — or call auth().then(a => a.protect())\n */\n protect: (redirectTo?: string) => void;\n}\n\n// ─── API URL resolution (mirrors middleware logic) ────────────────────────────\n\nfunction resolveApiUrl(): string {\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n if (!pk) return \"\";\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\n// ─── JWT verification (server-side, no edge constraints) ─────────────────────\n\nlet _remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet _remoteJwksUrl: string | null = null;\nlet _staticKey: Awaited<ReturnType<typeof importSPKI>> | null = null;\nlet _staticPem: string | null = null;\n\nasync function verifyJwt(token: string) {\n // 1. Static PEM key (fastest, no network call)\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (!_staticKey || _staticPem !== normalized) {\n _staticKey = await importSPKI(normalized, \"RS256\");\n _staticPem = normalized;\n }\n try {\n const { payload } = await jwtVerify(token, _staticKey, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n }\n\n // 2. Remote JWKS (auto-fetched, cached)\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!_remoteJwks || _remoteJwksUrl !== jwksUrl) {\n _remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n _remoteJwksUrl = jwksUrl;\n }\n try {\n const { payload } = await jwtVerify(token, _remoteJwks, { algorithms: [\"RS256\"] });\n return payload;\n } catch { return null; }\n}\n\n// ─── auth() ───────────────────────────────────────────────────────────────────\n\n/**\n * Returns the current auth state. Works in Server Components, Route Handlers,\n * and Server Actions. Falls back to verifying the session cookie directly\n * if middleware headers are not present.\n *\n * @example\n * import { auth } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const { userId, protect } = await auth();\n * protect(); // redirects to sign-in if not authenticated\n * return <div>Hello {userId}</div>;\n * }\n */\nexport async function auth(): Promise<AuthObject> {\n function makeProtect(isSignedIn: boolean) {\n return (redirectTo?: string) => {\n if (!isSignedIn) {\n const apiUrl = resolveApiUrl();\n const dest = redirectTo ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n redirect(dest);\n }\n };\n }\n\n // ── Fast path: headers injected by authMiddleware ──────────────────────\n const h = await headers();\n const userId = h.get(HEADER_USER_ID);\n if (userId) {\n return {\n userId,\n orgId: h.get(HEADER_ORG_ID) || null,\n orgRole: h.get(HEADER_ORG_ROLE) || null,\n sessionId: h.get(HEADER_SESSION_ID) || null,\n riskLevel: (h.get(HEADER_RISK_LEVEL) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n }\n\n // ── Fallback: verify session cookie directly (no middleware needed) ────\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n const payload = await verifyJwt(token);\n if (!payload) {\n return {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null, isSignedIn: false,\n protect: makeProtect(false),\n };\n }\n\n return {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: ((payload[\"risk\"] as string) ?? \"low\") as AuthObject[\"riskLevel\"],\n isSignedIn: true,\n protect: makeProtect(true),\n };\n}\n\n// ─── currentUser() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the full user record for the currently signed-in user.\n * Calls GET /api/v1/me using the session JWT from the cookie as a Bearer token.\n * No extra env vars required.\n *\n * @example\n * import { currentUser } from \"@vaultix.ai/nextjs/server\";\n *\n * export default async function Page() {\n * const user = await currentUser();\n * if (!user) redirect(\"/sign-in\");\n * return <div>Hello {user.email}</div>;\n * }\n */\nexport async function currentUser(): Promise<VaultixUser | null> {\n const jar = await cookies();\n const token = jar.get(\"vaultix-session\")?.value ?? jar.get(\"vaultix-token\")?.value;\n if (!token) return null;\n\n const apiUrl = resolveApiUrl();\n if (!apiUrl) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/me`, {\n headers: { Authorization: `Bearer ${token}` },\n cache: \"no-store\",\n });\n if (!res.ok) return null;\n const data = await res.json() as { user: VaultixUser };\n return data.user ?? null;\n } catch {\n return null;\n }\n}\n\n// ─── currentOrg() ────────────────────────────────────────────────────────────\n\n/**\n * Returns the active organization for the current user.\n * Requires VAULTIX_SECRET_KEY env var.\n */\nexport async function currentOrg(): Promise<VaultixOrganization | null> {\n const { orgId } = await auth();\n if (!orgId) return null;\n\n const apiUrl = resolveApiUrl();\n const secret = process.env.VAULTIX_SECRET_KEY;\n if (!apiUrl || !secret) return null;\n\n try {\n const res = await fetch(`${apiUrl}/api/v1/orgs/${orgId}`, {\n headers: { Authorization: `Bearer ${secret}` },\n next: { revalidate: 30 },\n } as RequestInit);\n if (!res.ok) return null;\n return (await res.json()) as VaultixOrganization;\n } catch {\n return null;\n }\n}\n\n// ─── protect() — standalone helper ───────────────────────────────────────────\n\n/**\n * Asserts the current user is authenticated. Redirects to sign-in if not.\n * Prefer calling `protect()` from the auth object returned by `auth()`.\n *\n * @example\n * import { protect } from \"@vaultix.ai/nextjs/server\";\n * export default async function Page() {\n * const { userId } = await protect();\n * return <div>{userId}</div>;\n * }\n */\nexport async function protect(redirectTo?: string): Promise<AuthObject> {\n const authObj = await auth();\n authObj.protect(redirectTo);\n return authObj;\n}\n","// Edge-runtime compatible. Uses jose for JWT verification.\nimport { createRemoteJWKSet, importSPKI, jwtVerify, type KeyLike } from \"jose\";\nimport { NextRequest, NextResponse } from \"next/server\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\nexport interface AuthResult {\n userId: string | null;\n orgId: string | null;\n orgRole: string | null;\n sessionId: string | null;\n riskLevel: string | null;\n isSignedIn: boolean;\n isPublicRoute: boolean;\n}\n\nexport interface AuthMiddlewareOptions {\n /**\n * Routes that do not require authentication.\n * Strings: exact match or prefix. RegExps: tested against pathname.\n */\n publicRoutes?: Array<string | RegExp>;\n\n /**\n * Where to redirect unauthenticated users.\n * Defaults to the Vaultix hosted sign-in page (decoded from publishable key).\n * Override with \"/sign-in\" to use your own page.\n */\n signInUrl?: string;\n\n /**\n * Vaultix API origin. Auto-decoded from NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY.\n * Only needed if you're not using the standard publishable key format.\n */\n apiUrl?: string;\n\n /**\n * Custom logic after auth state is resolved.\n * Return a NextResponse to override default behaviour.\n */\n afterAuth?: (auth: AuthResult, req: NextRequest) => NextResponse | Response | undefined | void;\n}\n\n// ─── Header names ─────────────────────────────────────────────────────────────\n\nexport const HEADER_USER_ID = \"x-vaultix-user-id\";\nexport const HEADER_ORG_ID = \"x-vaultix-org-id\";\nexport const HEADER_ORG_ROLE = \"x-vaultix-org-role\";\nexport const HEADER_SESSION_ID = \"x-vaultix-session-id\";\nexport const HEADER_RISK_LEVEL = \"x-vaultix-risk-level\";\n\n// ─── Publishable key → API URL ────────────────────────────────────────────────\n\nfunction decodeApiUrlFromKey(pk: string): string {\n try {\n const parts = pk.split(\"_\");\n if (parts.length >= 4 && parts[0] === \"vaultix\" && parts[1] === \"pk\") {\n // Strip optional \"|uniqueId\" suffix (new key format) then trailing slash\n return atob(parts.slice(3).join(\"_\")).replace(/\\|.+$/, \"\").replace(/\\/$/, \"\");\n }\n } catch {}\n return \"\";\n}\n\nfunction resolveApiUrl(options: AuthMiddlewareOptions): string {\n if (options.apiUrl) return options.apiUrl.replace(/\\/$/, \"\");\n if (process.env.VAULTIX_API_URL) return process.env.VAULTIX_API_URL.replace(/\\/$/, \"\");\n const pk = process.env.NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY ?? \"\";\n return decodeApiUrlFromKey(pk);\n}\n\n// ─── JWKS cache ───────────────────────────────────────────────────────────────\n// createRemoteJWKSet fetches and caches the key set, re-fetches on rotation.\n// Falls back to a static PEM key if VAULTIX_JWT_PUBLIC_KEY is set (backward compat).\n\nlet remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null;\nlet remoteJwksUrl: string | null = null;\n\nlet staticKey: KeyLike | null = null;\nlet staticPem: string | null = null;\n\nasync function getVerifyKey(apiUrl: string) {\n // Prefer static PEM (set by env var) for zero-network-call verification\n const pem = process.env.VAULTIX_JWT_PUBLIC_KEY;\n if (pem) {\n const normalized = pem.replace(/\\\\n/g, \"\\n\");\n if (staticKey && staticPem === normalized) return { key: staticKey, mode: \"static\" as const };\n staticKey = await importSPKI(normalized, \"RS256\");\n staticPem = normalized;\n return { key: staticKey, mode: \"static\" as const };\n }\n\n // Auto-fetch JWKS from the API — no env var needed\n if (!apiUrl) return null;\n const jwksUrl = `${apiUrl}/api/v1/.well-known/jwks.json`;\n if (!remoteJwks || remoteJwksUrl !== jwksUrl) {\n remoteJwks = createRemoteJWKSet(new URL(jwksUrl));\n remoteJwksUrl = jwksUrl;\n }\n return { key: remoteJwks, mode: \"remote\" as const };\n}\n\n// ─── Route matching ───────────────────────────────────────────────────────────\n\nfunction isPublic(pathname: string, rules: Array<string | RegExp>): boolean {\n return rules.some((rule) =>\n typeof rule === \"string\"\n ? pathname === rule || pathname.startsWith(rule)\n : rule.test(pathname),\n );\n}\n\n// ─── Secure-cookie detection ──────────────────────────────────────────────────\n// `Secure` cookies are dropped by browsers (notably Safari) over plain http://,\n// which breaks local development on http://localhost. Mark cookies Secure only\n// when the request is actually HTTPS. Prefer x-forwarded-proto because TLS is\n// typically terminated at a proxy (e.g. Vercel) before reaching the function.\n\nfunction isSecureRequest(req: NextRequest): boolean {\n const forwarded = req.headers.get(\"x-forwarded-proto\");\n if (forwarded) return forwarded.split(\",\")[0]?.trim() === \"https\";\n return req.nextUrl.protocol === \"https:\";\n}\n\n// ─── Handshake exchange ───────────────────────────────────────────────────────\n\nasync function handleHandshake(\n req: NextRequest,\n handshakeToken: string,\n apiUrl: string,\n): Promise<NextResponse | null> {\n try {\n const res = await fetch(`${apiUrl}/api/v1/tokens/exchange`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ handshake_token: handshakeToken }),\n });\n if (!res.ok) return null;\n\n const { session_jwt } = (await res.json()) as { session_jwt: string };\n const cleanUrl = req.nextUrl.clone();\n cleanUrl.searchParams.delete(\"__vaultix_handshake\");\n\n const response = NextResponse.redirect(cleanUrl);\n const cookieBase = {\n secure: isSecureRequest(req),\n sameSite: \"lax\" as const,\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60,\n };\n // httpOnly — for middleware and server-side JWT verification\n response.cookies.set(\"vaultix-session\", session_jwt, { ...cookieBase, httpOnly: true });\n // non-httpOnly — for VaultixProvider (React SDK) to read client-side\n response.cookies.set(\"vaultix-token\", session_jwt, { ...cookieBase, httpOnly: false });\n return response;\n } catch {\n return null;\n }\n}\n\n// ─── authMiddleware ───────────────────────────────────────────────────────────\n\n/**\n * Drop-in auth middleware — works with zero config when\n * NEXT_PUBLIC_VAULTIX_PUBLISHABLE_KEY is set.\n *\n * @example\n * // middleware.ts\n * import { authMiddleware } from \"@vaultix.ai/nextjs/middleware\";\n * export default authMiddleware({ publicRoutes: [\"/\", \"/about\"] });\n * export const config = { matcher: [\"/((?!_next|.*\\\\..*).*)\"] };\n */\nexport function authMiddleware(options: AuthMiddlewareOptions = {}) {\n const { publicRoutes = [], afterAuth } = options;\n\n return async function middleware(req: NextRequest): Promise<NextResponse> {\n const { pathname } = req.nextUrl;\n const publicRoute = isPublic(pathname, publicRoutes);\n\n const apiUrl = resolveApiUrl(options);\n\n // Default sign-in URL: hosted Vaultix page decoded from publishable key\n const signInUrl =\n options.signInUrl ?? (apiUrl ? `${apiUrl}/auth/sign-in` : \"/sign-in\");\n\n // ── Handshake exchange ─────────────────────────────────────────────────\n const handshakeToken = req.nextUrl.searchParams.get(\"__vaultix_handshake\");\n if (handshakeToken && apiUrl) {\n const response = await handleHandshake(req, handshakeToken, apiUrl);\n if (response) return response;\n }\n\n // ── JWT verification ───────────────────────────────────────────────────\n let result: AuthResult = {\n userId: null, orgId: null, orgRole: null,\n sessionId: null, riskLevel: null,\n isSignedIn: false, isPublicRoute: publicRoute,\n };\n\n const token =\n req.cookies.get(\"vaultix-session\")?.value ??\n req.cookies.get(\"vaultix-token\")?.value ??\n extractBearer(req.headers.get(\"authorization\") ?? \"\");\n\n let jwtExp: number | undefined;\n\n if (token) {\n const verifyKey = await getVerifyKey(apiUrl);\n if (verifyKey) {\n try {\n const { payload } = await jwtVerify(token, verifyKey.key as Parameters<typeof jwtVerify>[1], {\n algorithms: [\"RS256\"],\n });\n jwtExp = payload.exp as number | undefined;\n result = {\n userId: (payload[\"uid\"] as string) ?? null,\n orgId: (payload[\"org\"] as string) ?? null,\n orgRole: (payload[\"rol\"] as string) ?? null,\n sessionId: (payload[\"sid\"] as string) ?? null,\n riskLevel: (payload[\"risk\"] as string) ?? \"low\",\n isSignedIn: true,\n isPublicRoute: publicRoute,\n };\n } catch {\n // expired / tampered\n }\n }\n }\n\n // ── Silent refresh — check DB session and renew JWT when near expiry ───\n // Reduces the window where a revoked-but-signed JWT can be replayed.\n // The refresh endpoint validates the DB session row, so a signed-out user\n // is rejected here even before their JWT's exp elapses.\n let refreshedJwt: string | null = null;\n if (result.isSignedIn && apiUrl && jwtExp !== undefined) {\n const secondsLeft = jwtExp - Math.floor(Date.now() / 1000);\n if (secondsLeft < 120) {\n try {\n const refreshRes = await fetch(`${apiUrl}/api/v1/session/refresh`, {\n method: \"POST\",\n headers: { Cookie: `vaultix-session=${token}` },\n });\n if (refreshRes.ok) {\n const data = await refreshRes.json() as { session_jwt?: string };\n refreshedJwt = data.session_jwt ?? null;\n }\n } catch {\n // Non-blocking — proceed with the existing token on refresh failure\n }\n }\n }\n\n // ── Custom afterAuth hook ──────────────────────────────────────────────\n if (afterAuth) {\n const override = afterAuth(result, req);\n if (override) return override as NextResponse;\n }\n\n // ── Default: redirect unauthenticated to sign-in ───────────────────────\n if (!result.isSignedIn && !publicRoute) {\n const dest = new URL(signInUrl, req.url);\n dest.searchParams.set(\"redirect_url\", req.url);\n return NextResponse.redirect(dest);\n }\n\n // ── Inject auth headers for Server Components ──────────────────────────\n const nextHeaders = new Headers(req.headers);\n if (result.userId) {\n nextHeaders.set(HEADER_USER_ID, result.userId);\n nextHeaders.set(HEADER_ORG_ID, result.orgId ?? \"\");\n nextHeaders.set(HEADER_ORG_ROLE, result.orgRole ?? \"\");\n nextHeaders.set(HEADER_SESSION_ID, result.sessionId ?? \"\");\n nextHeaders.set(HEADER_RISK_LEVEL, result.riskLevel ?? \"low\");\n } else {\n [HEADER_USER_ID, HEADER_ORG_ID, HEADER_ORG_ROLE, HEADER_SESSION_ID, HEADER_RISK_LEVEL]\n .forEach((h) => nextHeaders.delete(h));\n }\n\n const response = NextResponse.next({ request: { headers: nextHeaders } });\n\n // Propagate refreshed JWT as updated cookies\n if (refreshedJwt) {\n const cookieBase = { secure: isSecureRequest(req), sameSite: \"lax\" as const, path: \"/\", maxAge: 30 * 24 * 60 * 60 };\n response.cookies.set(\"vaultix-session\", refreshedJwt, { ...cookieBase, httpOnly: true });\n response.cookies.set(\"vaultix-token\", refreshedJwt, { ...cookieBase, httpOnly: false });\n }\n\n return response;\n };\n}\n\nfunction extractBearer(header: string): string {\n return header.startsWith(\"Bearer \") ? header.slice(7) : \"\";\n}\n"],"mappings":";AAEA,SAAS,SAAS,eAAe;AACjC,SAAS,gBAAgB;AACzB,SAAS,sBAAAA,qBAAoB,cAAAC,aAAY,aAAAC,kBAAiB;;;ACH1D,SAAS,oBAAoB,YAAY,iBAA+B;AACxE,SAAsB,oBAAoB;AA2CnC,IAAM,iBAAoB;AAC1B,IAAM,gBAAoB;AAC1B,IAAM,kBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;;;ADjBjC,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,gBAAiB,QAAO,QAAQ,IAAI,gBAAgB,QAAQ,OAAO,EAAE;AACrF,QAAM,KAAK,QAAQ,IAAI,uCAAuC;AAC9D,MAAI,CAAC,GAAI,QAAO;AAChB,MAAI;AACF,UAAM,QAAQ,GAAG,MAAM,GAAG;AAC1B,QAAI,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,MAAM,MAAM;AAEpE,aAAO,KAAK,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,OAAO,EAAE;AAAA,IAC9E;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO;AACT;AAIA,IAAI,cAA4D;AAChE,IAAI,iBAAgC;AACpC,IAAI,aAA4D;AAChE,IAAI,aAA4B;AAEhC,eAAe,UAAU,OAAe;AAEtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,KAAK;AACP,UAAM,aAAa,IAAI,QAAQ,QAAQ,IAAI;AAC3C,QAAI,CAAC,cAAc,eAAe,YAAY;AAC5C,mBAAa,MAAMC,YAAW,YAAY,OAAO;AACjD,mBAAa;AAAA,IACf;AACA,QAAI;AACF,YAAM,EAAE,QAAQ,IAAI,MAAMC,WAAU,OAAO,YAAY,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AAChF,aAAO;AAAA,IACT,QAAQ;AAAE,aAAO;AAAA,IAAM;AAAA,EACzB;AAGA,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,GAAG,MAAM;AACzB,MAAI,CAAC,eAAe,mBAAmB,SAAS;AAC9C,kBAAcC,oBAAmB,IAAI,IAAI,OAAO,CAAC;AACjD,qBAAiB;AAAA,EACnB;AACA,MAAI;AACF,UAAM,EAAE,QAAQ,IAAI,MAAMD,WAAU,OAAO,aAAa,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;AACjF,WAAO;AAAA,EACT,QAAQ;AAAE,WAAO;AAAA,EAAM;AACzB;AAkBA,eAAsB,OAA4B;AAChD,WAAS,YAAY,YAAqB;AACxC,WAAO,CAAC,eAAwB;AAC9B,UAAI,CAAC,YAAY;AACf,cAAM,SAAS,cAAc;AAC7B,cAAM,OAAO,eAAe,SAAS,GAAG,MAAM,kBAAkB;AAChE,iBAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,QAAQ;AACxB,QAAM,SAAS,EAAE,IAAI,cAAc;AACnC,MAAI,QAAQ;AACV,WAAO;AAAA,MACL;AAAA,MACA,OAAW,EAAE,IAAI,aAAa,KAAS;AAAA,MACvC,SAAW,EAAE,IAAI,eAAe,KAAO;AAAA,MACvC,WAAW,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACvC,WAAY,EAAE,IAAI,iBAAiB,KAAK;AAAA,MACxC,YAAY;AAAA,MACZ,SAAS,YAAY,IAAI;AAAA,IAC3B;AAAA,EACF;AAGA,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,UAAU,KAAK;AACrC,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,QAAQ;AAAA,MAAM,OAAO;AAAA,MAAM,SAAS;AAAA,MACpC,WAAW;AAAA,MAAM,WAAW;AAAA,MAAM,YAAY;AAAA,MAC9C,SAAS,YAAY,KAAK;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,OAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,SAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAY,QAAQ,KAAK,KAAiB;AAAA,IAC1C,WAAa,QAAQ,MAAM,KAAgB;AAAA,IAC3C,YAAY;AAAA,IACZ,SAAS,YAAY,IAAI;AAAA,EAC3B;AACF;AAkBA,eAAsB,cAA2C;AAC/D,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,iBAAiB,GAAG,SAAS,IAAI,IAAI,eAAe,GAAG;AAC7E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,MAAI,CAAC,OAAQ,QAAO;AAEpB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,cAAc;AAAA,MAC7C,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,OAAO;AAAA,IACT,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK,QAAQ;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,aAAkD;AACtE,QAAM,EAAE,MAAM,IAAI,MAAM,KAAK;AAC7B,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,SAAS,cAAc;AAC7B,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAQ,QAAO;AAE/B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,gBAAgB,KAAK,IAAI;AAAA,MACxD,SAAS,EAAE,eAAe,UAAU,MAAM,GAAG;AAAA,MAC7C,MAAM,EAAE,YAAY,GAAG;AAAA,IACzB,CAAgB;AAChB,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,QAAQ,YAA0C;AACtE,QAAM,UAAU,MAAM,KAAK;AAC3B,UAAQ,QAAQ,UAAU;AAC1B,SAAO;AACT;","names":["createRemoteJWKSet","importSPKI","jwtVerify","importSPKI","jwtVerify","createRemoteJWKSet"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vaultix.ai/nextjs",
3
- "version": "0.5.1",
3
+ "version": "0.5.3",
4
4
  "description": "Vaultix-ID Next.js SDK — edge middleware and server utilities",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.mjs",
@@ -36,7 +36,7 @@
36
36
  "next": ">=14.0.0"
37
37
  },
38
38
  "dependencies": {
39
- "@vaultix.ai/react": "^0.3.3",
39
+ "@vaultix.ai/react": "^0.3.7",
40
40
  "jose": "^5.6.0"
41
41
  },
42
42
  "devDependencies": {