actor-gate 0.1.0

package/src/next/app/mcp-oauth-handlers.d.ts

@@ -0,0 +1,74 @@
+import type { OAuthGrantType } from '../../core/adapters/oauth-grant-type';
+import type { McpAuthService, McpAuthenticationResult, OAuthService } from '../../core/services/index';
+import type { AuthActor } from '../../core/types/auth-contract';
+export type CreateAppMcpHandlerOptions<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    mcpAuthService: McpAuthService<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+    handleRequest: (input: {
+        req: Request;
+        body: unknown;
+        authentication: McpAuthenticationResult<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+        requestId?: string;
+    }) => Promise<unknown | Response | void> | unknown | Response | void;
+    parseBody?: (req: Request) => Promise<unknown> | unknown;
+    expectedAudience?: string;
+    allowedActors?: readonly TActor[] | ReadonlySet<TActor>;
+    challengeScope?: string;
+    resourceMetadataUrl?: string;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+};
+export declare function createAppMcpHandler<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>>(options: CreateAppMcpHandlerOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>): (req: Request) => Promise<Response>;
+export type CreateAppOAuthHandlersOptions<TUserId, TActor extends AuthActor = AuthActor, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    oauthService: OAuthService<TUserId, TActor, TExtClaims>;
+    resolveUserId: (input: {
+        req: Request;
+        requestId: string;
+        approved: boolean;
+    }) => Promise<TUserId | null> | TUserId | null;
+    requiredScope?: string;
+    requireState?: boolean;
+    defaultCodeMethod?: 'S256' | 'plain';
+    generateRequestId?: () => string;
+    getAuthorizeLoginLocation?: (input: {
+        req: Request;
+        requestId: string;
+        expiresAtUnix: number;
+    }) => string;
+    token?: {
+        authorizationCodeSessionTtlSeconds?: number;
+        issueRefreshToken?: boolean;
+        allowGrantTypeInference?: boolean;
+        clientCredentials?: {
+            enabled?: boolean;
+            sessionTtlSeconds?: number;
+        };
+    };
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+};
+export type AppOAuthHandlers = {
+    authorize: (req: Request) => Promise<Response>;
+    authorizeConfirm: (req: Request) => Promise<Response>;
+    token: (req: Request) => Promise<Response>;
+};
+export declare function createAppOAuthHandlers<TUserId, TActor extends AuthActor = AuthActor, TExtClaims extends Record<string, unknown> = Record<string, never>>(options: CreateAppOAuthHandlersOptions<TUserId, TActor, TExtClaims>): AppOAuthHandlers;
+export type CreateAppWellKnownHandlersOptions = {
+    issuer?: string | ((req: Request) => string);
+    authorizationEndpoint?: string;
+    tokenEndpoint?: string;
+    protectedResource?: string | ((req: Request) => string);
+    authorizationServers?: ReadonlyArray<string> | ((req: Request) => ReadonlyArray<string>);
+    responseTypesSupported?: readonly string[];
+    grantTypesSupported?: readonly OAuthGrantType[];
+    codeChallengeMethodsSupported?: ReadonlyArray<'S256' | 'plain'>;
+    tokenEndpointAuthMethodsSupported?: readonly string[];
+    scopesSupported?: readonly string[];
+    cacheControlHeader?: string;
+    fallbackOrigin?: string;
+};
+export type AppWellKnownHandlers = {
+    oauthProtectedResource: (req: Request) => Promise<Response> | Response;
+    oauthAuthorizationServer: (req: Request) => Promise<Response> | Response;
+    openidConfiguration: (req: Request) => Promise<Response> | Response;
+};
+export declare function createAppWellKnownHandlers(options?: CreateAppWellKnownHandlersOptions): AppWellKnownHandlers;

package/src/next/app/mcp-oauth-handlers.js

@@ -0,0 +1,365 @@
+import { randomUUID } from 'crypto';
+import { AuthServiceError } from '../../core/services/auth-error';
+import { sendAppRedirect } from './response';
+import { withAppAuthRoute } from './wrapper';
+import { appendUrlParams, parseAuthorizeRequest, parseBodyToRecord, parseBoolean, parseOAuthTokenRequest, parsePositiveSafeInteger, } from '../shared/oauth-utils';
+import { buildWellKnownMetadata, resolveRequestOrigin, } from '../shared/well-known-utils';
+function jsonResponse(statusCode, body, headers) {
+    const responseHeaders = new Headers(headers);
+    responseHeaders.set('Content-Type', 'application/json');
+    return new Response(JSON.stringify(body), {
+        status: statusCode,
+        headers: responseHeaders,
+    });
+}
+function methodNotAllowedResponse(allowedMethods) {
+    return jsonResponse(405, {
+        error: 'method_not_allowed',
+        error_description: 'HTTP method not allowed for auth route.',
+    }, { Allow: allowedMethods.join(', ') });
+}
+async function readBodyAsRecord(req) {
+    return parseBodyToRecord(await req.text());
+}
+async function defaultReadMcpBody(req) {
+    if (req.method !== 'POST') {
+        return undefined;
+    }
+    const raw = await req.text();
+    const trimmed = raw.trim();
+    if (trimmed.length === 0) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch (error) {
+        throw new AuthServiceError({
+            code: 'invalid_request',
+            message: 'MCP request body must be valid JSON.',
+            cause: error,
+        });
+    }
+}
+function getAppOrigin(req, fallbackOrigin) {
+    const hostHeader = req.headers.get('host');
+    const forwardedHostHeader = req.headers.get('x-forwarded-host');
+    const forwardedProtoHeader = req.headers.get('x-forwarded-proto');
+    return resolveRequestOrigin({
+        requestUrl: req.url,
+        ...(hostHeader === null ? {} : { hostHeader }),
+        ...(forwardedHostHeader === null ? {} : { forwardedHostHeader }),
+        ...(forwardedProtoHeader === null ? {} : { forwardedProtoHeader }),
+        ...(fallbackOrigin === undefined ? {} : { fallbackOrigin }),
+    });
+}
+function resolveMetadata(req, options) {
+    const issuerValue = typeof options.issuer === 'function' ? options.issuer(req) : options.issuer;
+    const issuer = issuerValue ?? getAppOrigin(req, options.fallbackOrigin);
+    const protectedResourceValue = typeof options.protectedResource === 'function'
+        ? options.protectedResource(req)
+        : options.protectedResource;
+    const authorizationServersValue = typeof options.authorizationServers === 'function'
+        ? options.authorizationServers(req)
+        : options.authorizationServers;
+    return buildWellKnownMetadata({
+        issuer,
+        ...(options.authorizationEndpoint === undefined
+            ? {}
+            : { authorizationEndpoint: options.authorizationEndpoint }),
+        ...(options.tokenEndpoint === undefined
+            ? {}
+            : { tokenEndpoint: options.tokenEndpoint }),
+        ...(protectedResourceValue === undefined
+            ? {}
+            : { protectedResource: protectedResourceValue }),
+        ...(authorizationServersValue === undefined
+            ? {}
+            : { authorizationServers: authorizationServersValue }),
+        ...(options.responseTypesSupported === undefined
+            ? {}
+            : { responseTypesSupported: options.responseTypesSupported }),
+        ...(options.grantTypesSupported === undefined
+            ? {}
+            : { grantTypesSupported: options.grantTypesSupported }),
+        ...(options.codeChallengeMethodsSupported === undefined
+            ? {}
+            : {
+                codeChallengeMethodsSupported: options.codeChallengeMethodsSupported,
+            }),
+        ...(options.tokenEndpointAuthMethodsSupported === undefined
+            ? {}
+            : {
+                tokenEndpointAuthMethodsSupported: options.tokenEndpointAuthMethodsSupported,
+            }),
+        ...(options.scopesSupported === undefined
+            ? {}
+            : { scopesSupported: options.scopesSupported }),
+    });
+}
+function buildTokenOutput(input) {
+    const expiresIn = Math.max(0, input.accessClaims.exp - input.accessClaims.iat);
+    return {
+        access_token: input.accessToken,
+        token_type: 'Bearer',
+        expires_in: expiresIn,
+        ...(input.refreshToken === undefined
+            ? {}
+            : { refresh_token: input.refreshToken }),
+    };
+}
+export function createAppMcpHandler(options) {
+    return withAppAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        challenge: {
+            ...(options.challengeScope === undefined
+                ? {}
+                : { scope: options.challengeScope }),
+            ...(options.resourceMetadataUrl === undefined
+                ? {}
+                : { resourceMetadataUrl: options.resourceMetadataUrl }),
+        },
+        handler: async ({ req, requestId, transport }) => {
+            const body = options.parseBody
+                ? await options.parseBody(req)
+                : await defaultReadMcpBody(req);
+            const authentication = await options.mcpAuthService.authenticateRequest({
+                body,
+                transport,
+                ...(requestId === undefined ? {} : { requestId }),
+                ...(options.expectedAudience === undefined
+                    ? {}
+                    : { expectedAudience: options.expectedAudience }),
+                ...(options.allowedActors === undefined
+                    ? {}
+                    : { allowedActors: options.allowedActors }),
+            });
+            return options.handleRequest({
+                req,
+                body,
+                authentication,
+                ...(requestId === undefined ? {} : { requestId }),
+            });
+        },
+    });
+}
+export function createAppOAuthHandlers(options) {
+    const requiredScope = options.requiredScope ?? 'mcp:access';
+    const generateRequestId = options.generateRequestId ?? (() => randomUUID());
+    const authorizationCodeSessionTtlSeconds = parsePositiveSafeInteger(options.token?.authorizationCodeSessionTtlSeconds ?? 3600, 'authorizationCodeSessionTtlSeconds');
+    const clientCredentialsSessionTtlSeconds = parsePositiveSafeInteger(options.token?.clientCredentials?.sessionTtlSeconds ?? 3600, 'clientCredentials.sessionTtlSeconds');
+    const getAuthorizeLoginLocation = options.getAuthorizeLoginLocation ??
+        (({ requestId }) => `/login?request_id=${requestId}`);
+    const authorize = withAppAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        handler: async ({ req, requestId }) => {
+            if (req.method !== 'GET') {
+                return methodNotAllowedResponse(['GET']);
+            }
+            const query = Object.fromEntries(new URL(req.url).searchParams.entries());
+            const parsed = parseAuthorizeRequest({
+                query,
+                requiredScope,
+                ...(options.defaultCodeMethod === undefined
+                    ? {}
+                    : { defaultCodeMethod: options.defaultCodeMethod }),
+                ...(options.requireState === undefined
+                    ? {}
+                    : { requireState: options.requireState }),
+            });
+            const oauthRequestId = generateRequestId();
+            const started = await options.oauthService.startAuthorization({
+                requestId: oauthRequestId,
+                clientId: parsed.clientId,
+                redirectUri: parsed.redirectUri,
+                codeChallenge: parsed.codeChallenge,
+                codeMethod: parsed.codeMethod,
+                scopes: parsed.scopes,
+                ...(parsed.state === undefined ? {} : { state: parsed.state }),
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            return {
+                location: getAuthorizeLoginLocation({
+                    req,
+                    requestId: oauthRequestId,
+                    expiresAtUnix: started.expiresAtUnix,
+                }),
+                statusCode: 302,
+            };
+        },
+        send: ({ output }) => sendAppRedirect(output),
+    });
+    const authorizeConfirm = withAppAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        handler: async ({ req, requestId }) => {
+            if (req.method !== 'POST') {
+                return methodNotAllowedResponse(['POST']);
+            }
+            const body = await readBodyAsRecord(req);
+            const query = new URL(req.url).searchParams;
+            const pendingRequestId = (typeof body.request_id === 'string' ? body.request_id : undefined) ??
+                query.get('request_id') ??
+                undefined;
+            if (!pendingRequestId) {
+                throw new AuthServiceError({
+                    code: 'invalid_request',
+                    message: 'Missing required field "request_id".',
+                });
+            }
+            const approved = parseBoolean(body.approved, true);
+            const userId = await options.resolveUserId({
+                req,
+                requestId: pendingRequestId,
+                approved,
+            });
+            if (userId === null) {
+                throw new AuthServiceError({
+                    code: 'unauthorized',
+                    message: 'Authenticated user is required to confirm authorization.',
+                });
+            }
+            const confirmed = await options.oauthService.confirmAuthorization({
+                requestId: pendingRequestId,
+                userId,
+                approved,
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            const location = confirmed.approved
+                ? appendUrlParams(confirmed.redirectUri, {
+                    code: confirmed.authorizationCode,
+                    state: confirmed.state,
+                })
+                : appendUrlParams(confirmed.redirectUri, {
+                    error: 'access_denied',
+                    state: confirmed.state,
+                });
+            return {
+                location,
+                statusCode: 302,
+            };
+        },
+        send: ({ output }) => sendAppRedirect(output),
+    });
+    const token = withAppAuthRoute({
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        handler: async ({ req, requestId }) => {
+            if (req.method !== 'POST') {
+                return methodNotAllowedResponse(['POST']);
+            }
+            const body = await readBodyAsRecord(req);
+            const authorizationHeader = req.headers.get(options.authorizationHeaderName ?? 'authorization');
+            const parsed = parseOAuthTokenRequest({
+                body,
+                ...(authorizationHeader === null ? {} : { authorizationHeader }),
+                ...(options.token?.clientCredentials?.enabled === undefined
+                    ? {}
+                    : {
+                        allowClientCredentials: options.token.clientCredentials.enabled,
+                    }),
+                ...(options.token?.allowGrantTypeInference === undefined
+                    ? {}
+                    : {
+                        allowGrantTypeInference: options.token.allowGrantTypeInference,
+                    }),
+            });
+            if (parsed.grantType === 'authorization_code') {
+                const exchanged = await options.oauthService.exchangeAuthorizationCode({
+                    clientId: parsed.clientId,
+                    clientSecret: parsed.clientSecret,
+                    authorizationCode: parsed.authorizationCode,
+                    redirectUri: parsed.redirectUri,
+                    codeVerifier: parsed.codeVerifier,
+                    sessionTtlSeconds: authorizationCodeSessionTtlSeconds,
+                    ...(options.token?.issueRefreshToken === undefined
+                        ? {}
+                        : { issueRefreshToken: options.token.issueRefreshToken }),
+                    ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+                });
+                return buildTokenOutput({
+                    accessToken: exchanged.accessToken,
+                    accessClaims: exchanged.accessClaims,
+                    ...(exchanged.refreshToken === undefined
+                        ? {}
+                        : { refreshToken: exchanged.refreshToken }),
+                });
+            }
+            if (parsed.grantType === 'refresh_token') {
+                const exchanged = await options.oauthService.exchangeRefreshToken({
+                    clientId: parsed.clientId,
+                    clientSecret: parsed.clientSecret,
+                    refreshToken: parsed.refreshToken,
+                    ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+                });
+                return buildTokenOutput({
+                    accessToken: exchanged.accessToken,
+                    accessClaims: exchanged.accessClaims,
+                    refreshToken: exchanged.refreshToken,
+                });
+            }
+            const exchanged = await options.oauthService.exchangeClientCredentials({
+                clientId: parsed.clientId,
+                clientSecret: parsed.clientSecret,
+                sessionTtlSeconds: clientCredentialsSessionTtlSeconds,
+                ...(requestId === undefined ? {} : { auditRequestId: requestId }),
+            });
+            return buildTokenOutput({
+                accessToken: exchanged.accessToken,
+                accessClaims: exchanged.accessClaims,
+            });
+        },
+    });
+    return {
+        authorize,
+        authorizeConfirm,
+        token,
+    };
+}
+export function createAppWellKnownHandlers(options = {}) {
+    const cacheControlHeader = options.cacheControlHeader ?? 'no-store';
+    const oauthProtectedResource = (req) => {
+        if (req.method !== 'GET') {
+            return methodNotAllowedResponse(['GET']);
+        }
+        const metadata = resolveMetadata(req, options);
+        return jsonResponse(200, metadata.oauthProtectedResource, {
+            'Cache-Control': cacheControlHeader,
+        });
+    };
+    const oauthAuthorizationServer = (req) => {
+        if (req.method !== 'GET') {
+            return methodNotAllowedResponse(['GET']);
+        }
+        const metadata = resolveMetadata(req, options);
+        return jsonResponse(200, metadata.oauthAuthorizationServer, {
+            'Cache-Control': cacheControlHeader,
+        });
+    };
+    const openidConfiguration = (req) => {
+        if (req.method !== 'GET') {
+            return methodNotAllowedResponse(['GET']);
+        }
+        const metadata = resolveMetadata(req, options);
+        return jsonResponse(200, metadata.openidConfiguration, {
+            'Cache-Control': cacheControlHeader,
+        });
+    };
+    return {
+        oauthProtectedResource,
+        oauthAuthorizationServer,
+        openidConfiguration,
+    };
+}

package/src/next/app/protected-route.d.ts

@@ -0,0 +1,27 @@
+import type { AccessTokenSource } from '../../core/adapters/access-token-transport-adapter';
+import type { ValidatedAccessTokenResult } from '../../core/services/contracts';
+import type { DirectAuthService } from '../../core/services/direct-auth-service';
+import type { AuthActor } from '../../core/types/auth-contract';
+import { type DirectAccessTokenTransportConfig } from '../shared/direct-auth-utils';
+import { type WithAppAuthRouteOptions } from './wrapper';
+export type AppProtectedAuth<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = ValidatedAccessTokenResult<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims> & {
+    accessToken: string;
+    accessTokenSource: AccessTokenSource | undefined;
+};
+export type AppProtectedRouteContext<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>> = {
+    req: Request;
+    requestId: string | undefined;
+    cookies: Record<string, string | undefined>;
+    auth: AppProtectedAuth<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+};
+export type WithAppProtectedRouteOptions<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown> = {
+    directAuthService: DirectAuthService<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>;
+    handler: (input: AppProtectedRouteContext<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims>) => Promise<TOutput | Response | void> | TOutput | Response | void;
+    expectedAudience?: string;
+    allowedActors?: readonly TActor[] | ReadonlySet<TActor>;
+    accessTokenTransport?: DirectAccessTokenTransportConfig<TActor>;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+    challenge?: WithAppAuthRouteOptions<TOutput>['challenge'];
+};
+export declare function withAppProtectedRoute<TSessionId, TUserId, TActor extends AuthActor = AuthActor, TServerSessionData extends Record<string, unknown> = Record<string, never>, TClientSessionData extends Record<string, unknown> = Record<string, never>, TExtClaims extends Record<string, unknown> = Record<string, never>, TOutput = unknown>(options: WithAppProtectedRouteOptions<TSessionId, TUserId, TActor, TServerSessionData, TClientSessionData, TExtClaims, TOutput>): (req: Request) => Promise<Response>;

package/src/next/app/protected-route.js

@@ -0,0 +1,59 @@
+import { AuthServiceError } from '../../core/services/auth-error';
+import { assertBearerOnlyActorPolicy, resolveAccessTokenTransportAdapter, } from '../shared/direct-auth-utils';
+import { withAppAuthRoute } from './wrapper';
+export function withAppProtectedRoute(options) {
+    const accessTokenTransportAdapter = resolveAccessTokenTransportAdapter(options.accessTokenTransport);
+    return withAppAuthRoute({
+        ...(options.challenge === undefined
+            ? {}
+            : { challenge: options.challenge }),
+        ...(options.requestIdHeaderName === undefined
+            ? {}
+            : { requestIdHeaderName: options.requestIdHeaderName }),
+        ...(options.authorizationHeaderName === undefined
+            ? {}
+            : { authorizationHeaderName: options.authorizationHeaderName }),
+        handler: async ({ req, requestId, transport, cookies }) => {
+            const extractedAccessToken = accessTokenTransportAdapter.extractAccessToken({
+                transport,
+            });
+            if (!extractedAccessToken.token) {
+                throw new AuthServiceError({
+                    code: 'invalid_token',
+                    message: 'Access token is required.',
+                });
+            }
+            const validatedAccessToken = await options.directAuthService.validateAccessToken({
+                accessToken: extractedAccessToken.token,
+                ...(requestId === undefined ? {} : { requestId }),
+                ...(options.expectedAudience === undefined
+                    ? {}
+                    : { expectedAudience: options.expectedAudience }),
+                ...(options.allowedActors === undefined
+                    ? {}
+                    : { allowedActors: options.allowedActors }),
+            });
+            assertBearerOnlyActorPolicy({
+                actor: validatedAccessToken.claims.actor,
+                ...(extractedAccessToken.source === undefined
+                    ? {}
+                    : { source: extractedAccessToken.source }),
+                ...(options.accessTokenTransport?.requireBearerForActors === undefined
+                    ? {}
+                    : {
+                        requireBearerForActors: options.accessTokenTransport.requireBearerForActors,
+                    }),
+            });
+            return options.handler({
+                req,
+                requestId,
+                cookies,
+                auth: {
+                    ...validatedAccessToken,
+                    accessToken: extractedAccessToken.token,
+                    accessTokenSource: extractedAccessToken.source,
+                },
+            });
+        },
+    });
+}

package/src/next/app/request.d.ts

@@ -0,0 +1,12 @@
+import type { AccessTokenTransportInput } from '../../core/adapters/access-token-transport-adapter';
+type RequestLike = {
+    headers: Headers;
+};
+export declare function getAppAuthorizationHeader(req: RequestLike, headerName?: string): string | undefined;
+export declare function getAppRequestId(req: RequestLike, headerName?: string): string | undefined;
+export declare function getAppCookies(req: RequestLike): Record<string, string | undefined>;
+export declare function buildAppAccessTokenTransportInput(input: {
+    req: RequestLike;
+    authorizationHeaderName?: string;
+}): AccessTokenTransportInput;
+export {};

package/src/next/app/request.js

@@ -0,0 +1,30 @@
+import { parseCookieHeader } from '../pages/request';
+function getHeaderValue(headers, headerName) {
+    const value = headers.get(headerName);
+    if (value === null || value.length === 0) {
+        return undefined;
+    }
+    return value;
+}
+export function getAppAuthorizationHeader(req, headerName = 'authorization') {
+    return getHeaderValue(req.headers, headerName);
+}
+export function getAppRequestId(req, headerName = 'x-request-id') {
+    const requestId = getHeaderValue(req.headers, headerName);
+    if (!requestId) {
+        return undefined;
+    }
+    const trimmed = requestId.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+export function getAppCookies(req) {
+    return parseCookieHeader(getHeaderValue(req.headers, 'cookie'));
+}
+export function buildAppAccessTokenTransportInput(input) {
+    const authorizationHeader = getAppAuthorizationHeader(input.req, input.authorizationHeaderName);
+    const cookies = getAppCookies(input.req);
+    return {
+        ...(authorizationHeader === undefined ? {} : { authorizationHeader }),
+        ...(Object.keys(cookies).length === 0 ? {} : { cookies }),
+    };
+}

package/src/next/app/response.d.ts

@@ -0,0 +1,16 @@
+import type { AuthServiceError } from '../../core/services/auth-error';
+import { type AuthErrorResponseBody } from '../shared/auth-http';
+export type AppAuthErrorResponseBody = AuthErrorResponseBody;
+export declare function sendAppAuthError(error: AuthServiceError, options?: {
+    requestId?: string;
+    includeChallengeError?: boolean;
+    challengeScope?: string;
+    resourceMetadataUrl?: string;
+}): Response;
+export declare function sendAppSystemError(options?: {
+    requestId?: string;
+}): Response;
+export declare function sendAppRedirect(input: {
+    location: string;
+    statusCode?: number;
+}): Response;

package/src/next/app/response.js

@@ -0,0 +1,48 @@
+import { buildAuthErrorHttpResponse, buildSystemErrorHttpResponse, } from '../shared/auth-http';
+function createJsonResponse(input) {
+    const headers = new Headers(input.headers);
+    headers.set('Content-Type', 'application/json');
+    return new Response(JSON.stringify(input.body), {
+        status: input.statusCode,
+        headers,
+    });
+}
+export function sendAppAuthError(error, options) {
+    const mapped = buildAuthErrorHttpResponse({
+        error,
+        ...(options?.requestId === undefined
+            ? {}
+            : { requestId: options.requestId }),
+        ...(options?.includeChallengeError === undefined
+            ? {}
+            : { includeChallengeError: options.includeChallengeError }),
+        ...(options?.challengeScope === undefined
+            ? {}
+            : { challengeScope: options.challengeScope }),
+        ...(options?.resourceMetadataUrl === undefined
+            ? {}
+            : { resourceMetadataUrl: options.resourceMetadataUrl }),
+    });
+    return createJsonResponse({
+        statusCode: mapped.statusCode,
+        body: mapped.body,
+        ...(mapped.challengeHeader === undefined
+            ? {}
+            : { headers: { 'WWW-Authenticate': mapped.challengeHeader } }),
+    });
+}
+export function sendAppSystemError(options) {
+    const mapped = buildSystemErrorHttpResponse(options);
+    return createJsonResponse({
+        statusCode: mapped.statusCode,
+        body: mapped.body,
+    });
+}
+export function sendAppRedirect(input) {
+    return new Response(null, {
+        status: input.statusCode ?? 302,
+        headers: {
+            Location: input.location,
+        },
+    });
+}

package/src/next/app/wrapper.d.ts

@@ -0,0 +1,28 @@
+import type { AccessTokenTransportInput } from '../../core/adapters/access-token-transport-adapter';
+export type AppAuthRouteContext = {
+    req: Request;
+    requestId?: string;
+    transport: AccessTokenTransportInput;
+    cookies: Record<string, string | undefined>;
+};
+export type WithAppAuthRouteOptions<TOutput> = {
+    handler: (input: AppAuthRouteContext) => Promise<TOutput | Response | void> | TOutput | Response | void;
+    send?: (input: {
+        req: Request;
+        output: TOutput;
+        requestId?: string;
+    }) => Promise<Response> | Response;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+    challenge?: {
+        includeErrorInWwwAuthenticate?: boolean;
+        scope?: string;
+        resourceMetadataUrl?: string;
+    };
+    onSystemError?: (input: {
+        req: Request;
+        error: unknown;
+        requestId?: string;
+    }) => Promise<Response | void> | Response | void;
+};
+export declare function withAppAuthRoute<TOutput>(options: WithAppAuthRouteOptions<TOutput>): (req: Request) => Promise<Response>;