actor-gate 0.1.0

package/src/next/pages/mcp-oauth-handlers.js

@@ -0,0 +1,341 @@
+import { randomUUID } from 'crypto';
+import { AuthServiceError } from '../../core/services/auth-error';
+import { sendPagesRedirect } from './response';
+import { withPagesAuthRoute } from './wrapper';
+import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, toSingleString, } from '../shared/oauth-utils';
+import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils';
+function sendMethodNotAllowed(res, allowedMethods) {
+    res.setHeader('Allow', allowedMethods.join(', '));
+    res.status(405).json({
+        error: 'method_not_allowed',
+        error_description: 'HTTP method not allowed for auth route.',
+    });
+}
+function getPagesOrigin(req, fallbackOrigin) {
+    const hostHeader = toSingleString(req.headers.host);
+    const forwardedHostHeader = toSingleString(req.headers['x-forwarded-host']);
+    const forwardedProtoHeader = toSingleString(req.headers['x-forwarded-proto']);
+    return resolveRequestOrigin({
+        ...(req.url === undefined ? {} : { requestUrl: req.url }),
+        ...(hostHeader === undefined ? {} : { hostHeader }),
+        ...(forwardedHostHeader === undefined ? {} : { forwardedHostHeader }),
+        ...(forwardedProtoHeader === undefined ? {} : { forwardedProtoHeader }),
+        ...(fallbackOrigin === undefined ? {} : { fallbackOrigin }),
+    });
+}
+function resolveMetadata(req, options) {
+    const issuerValue = typeof options.issuer === 'function' ? options.issuer(req) : options.issuer;
+    const issuer = issuerValue ?? getPagesOrigin(req, options.fallbackOrigin);
+    const protectedResourceValue = typeof options.protectedResource === 'function'
+        ? options.protectedResource(req)
+        : options.protectedResource;
+    const authorizationServersValue = typeof options.authorizationServers === 'function'
+        ? options.authorizationServers(req)
+        : options.authorizationServers;
+    return buildWellKnownMetadata({
+        issuer,
+        ...(options.authorizationEndpoint === undefined
+            ? {}
+            : { authorizationEndpoint: options.authorizationEndpoint }),
+        ...(options.tokenEndpoint === undefined
+            ? {}
+            : { tokenEndpoint: options.tokenEndpoint }),
+        ...(protectedResourceValue === undefined
+            ? {}
+            : { protectedResource: protectedResourceValue }),
+        ...(authorizationServersValue === undefined
+            ? {}
+            : { authorizationServers: authorizationServersValue }),
+        ...(options.responseTypesSupported === undefined
+            ? {}
+            : { responseTypesSupported: options.responseTypesSupported }),
+        ...(options.grantTypesSupported === undefined
+            ? {}
+            : { grantTypesSupported: options.grantTypesSupported }),
+        ...(options.codeChallengeMethodsSupported === undefined
+            ? {}
+            : {
+                codeChallengeMethodsSupported: options.codeChallengeMethodsSupported,
+            }),
+        ...(options.tokenEndpointAuthMethodsSupported === undefined
+            ? {}
+            : {
+                tokenEndpointAuthMethodsSupported: options.tokenEndpointAuthMethodsSupported,
+            }),
+        ...(options.scopesSupported === undefined
+            ? {}
+            : { scopesSupported: options.scopesSupported }),
+    });
+}
+function buildTokenOutput(input) {
+    const expiresIn = Math.max(0, input.accessClaims.exp - input.accessClaims.iat);
+    return {
+        access_token: input.accessToken,
+        token_type: 'Bearer',
+        expires_in: expiresIn,
+        ...(input.refreshToken === undefined
+            ? {}
+            : { refresh_token: input.refreshToken }),
+    };
+}
+export function createPagesMcpHandler(options) {
+    return withPagesAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        challenge: {
+            ...(options.challengeScope === undefined
+                ? {}
+                : { scope: options.challengeScope }),
+            ...(options.resourceMetadataUrl === undefined
+                ? {}
+                : { resourceMetadataUrl: options.resourceMetadataUrl }),
+        },
+        handler: async ({ req, res, requestId, transport }) => {
+            const body = options.parseBody ? options.parseBody(req) : req.body;
+            const authentication = await options.mcpAuthService.authenticateRequest({
+                body,
+                transport,
+                ...(requestId === undefined ? {} : { requestId }),
+                ...(options.expectedAudience === undefined
+                    ? {}
+                    : { expectedAudience: options.expectedAudience }),
+                ...(options.allowedActors === undefined
+                    ? {}
+                    : { allowedActors: options.allowedActors }),
+            });
+            return options.handleRequest({
+                req,
+                res,
+                body,
+                authentication,
+                ...(requestId === undefined ? {} : { requestId }),
+            });
+        },
+    });
+}
+export function createPagesOAuthHandlers(options) {
+    const requiredScope = options.requiredScope ?? 'mcp:access';
+    const generateRequestId = options.generateRequestId ?? (() => randomUUID());
+    const authorizationCodeSessionTtlSeconds = parsePositiveSafeInteger(options.token?.authorizationCodeSessionTtlSeconds ?? 3600, 'authorizationCodeSessionTtlSeconds');
+    const clientCredentialsSessionTtlSeconds = parsePositiveSafeInteger(options.token?.clientCredentials?.sessionTtlSeconds ?? 3600, 'clientCredentials.sessionTtlSeconds');
+    const getAuthorizeLoginLocation = options.getAuthorizeLoginLocation ??
+        (({ requestId }) => `/login?request_id=${requestId}`);
+    const authorize = withPagesAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        handler: async ({ req, res, requestId }) => {
+            if (req.method !== 'GET') {
+                sendMethodNotAllowed(res, ['GET']);
+                return;
+            }
+            const parsed = parseAuthorizeRequest({
+                query: req.query,
+                requiredScope,
+                ...(options.defaultCodeMethod === undefined
+                    ? {}
+                    : { defaultCodeMethod: options.defaultCodeMethod }),
+                ...(options.requireState === undefined
+                    ? {}
+                    : { requireState: options.requireState }),
+            });
+            const oauthRequestId = generateRequestId();
+            const started = await options.oauthService.startAuthorization({
+                requestId: oauthRequestId,
+                clientId: parsed.clientId,
+                redirectUri: parsed.redirectUri,
+                codeChallenge: parsed.codeChallenge,
+                codeMethod: parsed.codeMethod,
+                scopes: parsed.scopes,
+                ...(parsed.state === undefined ? {} : { state: parsed.state }),
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            return {
+                location: getAuthorizeLoginLocation({
+                    req,
+                    requestId: oauthRequestId,
+                    expiresAtUnix: started.expiresAtUnix,
+                }),
+                statusCode: 302,
+            };
+        },
+        send: ({ res, output }) => {
+            sendPagesRedirect(res, output);
+        },
+    });
+    const authorizeConfirm = withPagesAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        handler: async ({ req, res, requestId }) => {
+            if (req.method !== 'POST') {
+                sendMethodNotAllowed(res, ['POST']);
+                return;
+            }
+            const body = parseBodyToRecord(req.body);
+            const pendingRequestId = toSingleString(body?.request_id) ??
+                toSingleString(req.query.request_id);
+            if (pendingRequestId === undefined) {
+                throw new AuthServiceError({
+                    code: 'invalid_request',
+                    message: 'Missing required field "request_id".',
+                });
+            }
+            const approved = parseBoolean(body?.approved, true);
+            const userId = await options.resolveUserId({
+                req,
+                res,
+                requestId: pendingRequestId,
+                approved,
+            });
+            if (userId === null) {
+                throw new AuthServiceError({
+                    code: 'unauthorized',
+                    message: 'Authenticated user is required to confirm authorization.',
+                });
+            }
+            const confirmed = await options.oauthService.confirmAuthorization({
+                requestId: pendingRequestId,
+                userId,
+                approved,
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            const location = confirmed.approved
+                ? appendUrlParams(confirmed.redirectUri, {
+                    code: confirmed.authorizationCode,
+                    state: confirmed.state,
+                })
+                : appendUrlParams(confirmed.redirectUri, {
+                    error: 'access_denied',
+                    state: confirmed.state,
+                });
+            return {
+                location,
+                statusCode: 302,
+            };
+        },
+        send: ({ res, output }) => {
+            sendPagesRedirect(res, output);
+        },
+    });
+    const token = withPagesAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        handler: async ({ req, res, requestId }) => {
+            if (req.method !== 'POST') {
+                sendMethodNotAllowed(res, ['POST']);
+                return;
+            }
+            const authorizationHeader = toSingleString(req.headers[options.authorizationHeaderName ?? 'authorization']);
+            const parsed = parseOAuthTokenRequest({
+                body: req.body,
+                ...(authorizationHeader === undefined ? {} : { authorizationHeader }),
+                ...(options.token?.clientCredentials?.enabled === undefined
+                    ? {}
+                    : {
+                        allowClientCredentials: options.token.clientCredentials.enabled,
+                    }),
+                ...(options.token?.allowGrantTypeInference === undefined
+                    ? {}
+                    : {
+                        allowGrantTypeInference: options.token.allowGrantTypeInference,
+                    }),
+            });
+            if (parsed.grantType === 'authorization_code') {
+                const exchanged = await options.oauthService.exchangeAuthorizationCode({
+                    clientId: parsed.clientId,
+                    clientSecret: parsed.clientSecret,
+                    authorizationCode: parsed.authorizationCode,
+                    redirectUri: parsed.redirectUri,
+                    codeVerifier: parsed.codeVerifier,
+                    sessionTtlSeconds: authorizationCodeSessionTtlSeconds,
+                    ...(options.token?.issueRefreshToken === undefined
+                        ? {}
+                        : { issueRefreshToken: options.token.issueRefreshToken }),
+                    ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+                });
+                return buildTokenOutput({
+                    accessToken: exchanged.accessToken,
+                    accessClaims: exchanged.accessClaims,
+                    ...(exchanged.refreshToken === undefined
+                        ? {}
+                        : { refreshToken: exchanged.refreshToken }),
+                });
+            }
+            if (parsed.grantType === 'refresh_token') {
+                const exchanged = await options.oauthService.exchangeRefreshToken({
+                    clientId: parsed.clientId,
+                    clientSecret: parsed.clientSecret,
+                    refreshToken: parsed.refreshToken,
+                    ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+                });
+                return buildTokenOutput({
+                    accessToken: exchanged.accessToken,
+                    accessClaims: exchanged.accessClaims,
+                    refreshToken: exchanged.refreshToken,
+                });
+            }
+            const exchanged = await options.oauthService.exchangeClientCredentials({
+                clientId: parsed.clientId,
+                clientSecret: parsed.clientSecret,
+                sessionTtlSeconds: clientCredentialsSessionTtlSeconds,
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            return buildTokenOutput({
+                accessToken: exchanged.accessToken,
+                accessClaims: exchanged.accessClaims,
+            });
+        },
+    });
+    return {
+        authorize,
+        authorizeConfirm,
+        token,
+    };
+}
+export function createPagesWellKnownHandlers(options = {}) {
+    const cacheControlHeader = options.cacheControlHeader ?? 'no-store';
+    const oauthProtectedResource = (req, res) => {
+        if (req.method !== 'GET') {
+            sendMethodNotAllowed(res, ['GET']);
+            return;
+        }
+        const metadata = resolveMetadata(req, options);
+        res.setHeader('content-type', 'application/json');
+        res.setHeader('cache-control', cacheControlHeader);
+        res.status(200).json(metadata.oauthProtectedResource);
+    };
+    const oauthAuthorizationServer = (req, res) => {
+        if (req.method !== 'GET') {
+            sendMethodNotAllowed(res, ['GET']);
+            return;
+        }
+        const metadata = resolveMetadata(req, options);
+        res.setHeader('content-type', 'application/json');
+        res.setHeader('cache-control', cacheControlHeader);
+        res.status(200).json(metadata.oauthAuthorizationServer);
+    };
+    const openidConfiguration = (req, res) => {
+        if (req.method !== 'GET') {
+            sendMethodNotAllowed(res, ['GET']);
+            return;
+        }
+        const metadata = resolveMetadata(req, options);
+        res.setHeader('content-type', 'application/json');
+        res.setHeader('cache-control', cacheControlHeader);
+        res.status(200).json(metadata.openidConfiguration);
+    };
+    return {
+        oauthProtectedResource,
+        oauthAuthorizationServer,
+        openidConfiguration,
+    };
+}

package/src/next/pages/protected-route.d.ts

@@ -0,0 +1,28 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';
+import type { AccessTokenSource } from '../../core/adapters/access-token-transport-adapter';
+import type { ValidatedAccessTokenResult } from '../../core/services/contracts';
+import type { DirectAuthService } from '../../core/services/direct-auth-service';
+import type { AuthActor } from '../../core/types/auth-contract';
+import { type DirectAccessTokenTransportConfig } from '../shared/direct-auth-utils';
+import { type WithPagesAuthRouteOptions } from './wrapper';
+export type PagesProtectedAuth<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = ValidatedAccessTokenResult<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims> & {
+    accessToken: string;
+    accessTokenSource: AccessTokenSource | undefined;
+};
+export type PagesProtectedRouteContext<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    req: NextApiRequest;
+    res: NextApiResponse;
+    requestId: string | undefined;
+    auth: PagesProtectedAuth<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+};
+export type WithPagesProtectedRouteOptions<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown> = {
+    directAuthService: DirectAuthService<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+    handler: (input: PagesProtectedRouteContext<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>) => Promise<TOutput | void> | TOutput | void;
+    expectedAudience?: string;
+    allowedActors?: readonly TActor[] | ReadonlySet<TActor>;
+    accessTokenTransport?: DirectAccessTokenTransportConfig<TActor>;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+    challenge?: WithPagesAuthRouteOptions<TOutput>['challenge'];
+};
+export declare function withPagesProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown>(options: WithPagesProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TOutput>): NextApiHandler;

package/src/next/pages/protected-route.js

@@ -0,0 +1,59 @@
+import { AuthServiceError } from '../../core/services/auth-error';
+import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils';
+import { withPagesAuthRoute } from './wrapper';
+export function withPagesProtectedRoute(options) {
+    const accessTokenTransportAdapter = resolveAccessTokenTransportAdapter(options.accessTokenTransport);
+    return withPagesAuthRoute({
+        ...(options.challenge === undefined
+            ? {}
+            : { challenge: options.challenge }),
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        handler: async ({ req, res, requestId, transport }) => {
+            const extractedAccessToken = accessTokenTransportAdapter.extractAccessToken({
+                transport,
+            });
+            if (!extractedAccessToken.token) {
+                throw new AuthServiceError({
+                    code: 'invalid_token',
+                    message: 'Access token is required.',
+                });
+            }
+            const validatedAccessToken = await options.directAuthService.validateAccessToken({
+                accessToken: extractedAccessToken.token,
+                ...(requestId === undefined ? {} : { requestId }),
+                ...(options.expectedAudience === undefined
+                    ? {}
+                    : { expectedAudience: options.expectedAudience }),
+                ...(options.allowedActors === undefined
+                    ? {}
+                    : { allowedActors: options.allowedActors }),
+            });
+            assertBearerOnlyActorPolicy({
+                actor: validatedAccessToken.claims.actor,
+                ...(extractedAccessToken.source === undefined
+                    ? {}
+                    : { source: extractedAccessToken.source }),
+                ...(options.accessTokenTransport?.requireBearerForActors === undefined
+                    ? {}
+                    : {
+                        requireBearerForActors: options.accessTokenTransport.requireBearerForActors,
+                    }),
+            });
+            return options.handler({
+                req,
+                res,
+                requestId,
+                auth: {
+                    ...validatedAccessToken,
+                    accessToken: extractedAccessToken.token,
+                    accessTokenSource: extractedAccessToken.source,
+                },
+            });
+        },
+    });
+}

package/src/next/pages/request.d.ts

@@ -0,0 +1,14 @@
+import type { AccessTokenTransportInput } from '../../core/adapters/access-token-transport-adapter';
+type RequestLike = {
+    headers: Record<string, string | string[] | undefined>;
+    cookies?: Record<string, string | undefined>;
+};
+export declare function parseCookieHeader(rawCookieHeader: string | undefined): Record<string, string | undefined>;
+export declare function getPagesAuthorizationHeader(req: RequestLike, headerName?: string): string | undefined;
+export declare function getPagesRequestId(req: RequestLike, headerName?: string): string | undefined;
+export declare function getPagesCookies(req: RequestLike): Record<string, string | undefined>;
+export declare function buildPagesAccessTokenTransportInput(input: {
+    req: RequestLike;
+    authorizationHeaderName?: string;
+}): AccessTokenTransportInput;
+export {};

package/src/next/pages/request.js

@@ -0,0 +1,66 @@
+function getFirstHeaderValue(value) {
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            if (item.length > 0) {
+                return item;
+            }
+        }
+        return undefined;
+    }
+    if (typeof value === 'string' && value.length > 0) {
+        return value;
+    }
+    return undefined;
+}
+function decodeCookieComponent(value) {
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+export function parseCookieHeader(rawCookieHeader) {
+    if (!rawCookieHeader) {
+        return {};
+    }
+    const cookies = {};
+    for (const segment of rawCookieHeader.split(';')) {
+        const separatorIndex = segment.indexOf('=');
+        if (separatorIndex < 0) {
+            continue;
+        }
+        const rawName = segment.slice(0, separatorIndex).trim();
+        if (rawName.length === 0) {
+            continue;
+        }
+        const rawValue = segment.slice(separatorIndex + 1).trim();
+        cookies[decodeCookieComponent(rawName)] = decodeCookieComponent(rawValue);
+    }
+    return cookies;
+}
+export function getPagesAuthorizationHeader(req, headerName = 'authorization') {
+    return getFirstHeaderValue(req.headers[headerName]);
+}
+export function getPagesRequestId(req, headerName = 'x-request-id') {
+    const requestId = getFirstHeaderValue(req.headers[headerName]);
+    if (!requestId) {
+        return undefined;
+    }
+    const trimmed = requestId.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+export function getPagesCookies(req) {
+    if (req.cookies && Object.keys(req.cookies).length > 0) {
+        return { ...req.cookies };
+    }
+    return parseCookieHeader(getFirstHeaderValue(req.headers.cookie));
+}
+export function buildPagesAccessTokenTransportInput(input) {
+    const authorizationHeader = getPagesAuthorizationHeader(input.req, input.authorizationHeaderName);
+    const cookies = getPagesCookies(input.req);
+    return {
+        ...(authorizationHeader === undefined ? {} : { authorizationHeader }),
+        ...(Object.keys(cookies).length === 0 ? {} : { cookies }),
+    };
+}

package/src/next/pages/response.d.ts

@@ -0,0 +1,28 @@
+import type { AuthServiceError } from '../../core/services/auth-error';
+import { type AuthErrorResponseBody } from '../shared/auth-http';
+export type PagesAuthErrorResponseBody = AuthErrorResponseBody;
+type StatusJsonResponse = {
+    status(code: number): {
+        json(body: PagesAuthErrorResponseBody): void;
+    };
+};
+type AuthErrorResponse = StatusJsonResponse & {
+    setHeader(name: 'WWW-Authenticate', value: string): void;
+};
+type RedirectResponse = {
+    redirect(statusCode: number, location: string): void;
+};
+export declare function sendPagesAuthError(res: AuthErrorResponse, error: AuthServiceError, options?: {
+    requestId?: string;
+    includeChallengeError?: boolean;
+    challengeScope?: string;
+    resourceMetadataUrl?: string;
+}): void;
+export declare function sendPagesSystemError(res: StatusJsonResponse, options?: {
+    requestId?: string;
+}): void;
+export declare function sendPagesRedirect(res: RedirectResponse, input: {
+    location: string;
+    statusCode?: number;
+}): void;
+export {};

package/src/next/pages/response.js

@@ -0,0 +1,29 @@
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http';
+export function sendPagesAuthError(res, error, options) {
+    const mapped = buildAuthErrorHttpResponse({
+        error,
+        ...(options?.requestId === undefined
+            ? {}
+            : { requestId: options.requestId }),
+        ...(options?.includeChallengeError === undefined
+            ? {}
+            : { includeChallengeError: options.includeChallengeError }),
+        ...(options?.challengeScope === undefined
+            ? {}
+            : { challengeScope: options.challengeScope }),
+        ...(options?.resourceMetadataUrl === undefined
+            ? {}
+            : { resourceMetadataUrl: options.resourceMetadataUrl }),
+    });
+    if (mapped.challengeHeader !== undefined) {
+        res.setHeader('WWW-Authenticate', mapped.challengeHeader);
+    }
+    res.status(mapped.statusCode).json(mapped.body);
+}
+export function sendPagesSystemError(res, options) {
+    const mapped = buildSystemErrorHttpResponse(options);
+    res.status(mapped.statusCode).json(mapped.body);
+}
+export function sendPagesRedirect(res, input) {
+    res.redirect(input.statusCode ?? 302, input.location);
+}

package/src/next/pages/wrapper.d.ts

@@ -0,0 +1,29 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';
+import type { AccessTokenTransportInput } from '../../core/adapters/access-token-transport-adapter';
+export type PagesAuthRouteContext = {
+    req: NextApiRequest;
+    res: NextApiResponse;
+    requestId?: string;
+    transport: AccessTokenTransportInput;
+};
+export type WithPagesAuthRouteOptions<TOutput> = {
+    handler: (input: PagesAuthRouteContext) => Promise<TOutput | void> | TOutput | void;
+    send?: (input: {
+        res: NextApiResponse;
+        output: TOutput;
+    }) => void;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+    challenge?: {
+        includeErrorInWwwAuthenticate?: boolean;
+        scope?: string;
+        resourceMetadataUrl?: string;
+    };
+    onSystemError?: (input: {
+        req: NextApiRequest;
+        res: NextApiResponse;
+        error: unknown;
+        requestId?: string;
+    }) => Promise<void> | void;
+};
+export declare function withPagesAuthRoute<TOutput>(options: WithPagesAuthRouteOptions<TOutput>): NextApiHandler;

package/src/next/pages/wrapper.js

@@ -0,0 +1,74 @@
+import { isAuthServiceError } from '../../core/services/auth-error';
+import { buildPagesAccessTokenTransportInput, getPagesRequestId, } from './request';
+import { sendPagesAuthError, sendPagesSystemError } from './response';
+export function withPagesAuthRoute(options) {
+    return async function pagesAuthRoute(req, res) {
+        const requestId = getPagesRequestId(req, options.requestIdHeaderName);
+        const transport = buildPagesAccessTokenTransportInput({
+            req,
+            ...(options.authorizationHeaderName === undefined
+                ? {}
+                : { authorizationHeaderName: options.authorizationHeaderName }),
+        });
+        try {
+            const output = await options.handler({
+                req,
+                res,
+                ...(requestId === undefined ? {} : { requestId }),
+                transport,
+            });
+            if (res.writableEnded) {
+                return;
+            }
+            if (output === undefined) {
+                res.status(204).end();
+                return;
+            }
+            if (options.send) {
+                options.send({ res, output });
+                return;
+            }
+            res.status(200).json(output);
+        }
+        catch (error) {
+            if (res.writableEnded) {
+                return;
+            }
+            if (isAuthServiceError(error)) {
+                sendPagesAuthError(res, error, {
+                    ...(requestId === undefined ? {} : { requestId }),
+                    ...(options.challenge?.scope === undefined
+                        ? {}
+                        : { challengeScope: options.challenge.scope }),
+                    ...(options.challenge?.resourceMetadataUrl === undefined
+                        ? {}
+                        : { resourceMetadataUrl: options.challenge.resourceMetadataUrl }),
+                    ...(options.challenge?.includeErrorInWwwAuthenticate === undefined
+                        ? {}
+                        : {
+                            includeChallengeError: options.challenge.includeErrorInWwwAuthenticate,
+                        }),
+                });
+                return;
+            }
+            if (options.onSystemError) {
+                try {
+                    await options.onSystemError({
+                        req,
+                        res,
+                        error,
+                        ...(requestId === undefined ? {} : { requestId }),
+                    });
+                }
+                catch {
+                    // Wrapper never throws from system-error hooks.
+                }
+            }
+            if (!res.writableEnded) {
+                sendPagesSystemError(res, {
+                    ...(requestId === undefined ? {} : { requestId }),
+                });
+            }
+        }
+    };
+}