actor-gate 0.1.0

package/src/next/app/wrapper.js

@@ -0,0 +1,78 @@
+import { isAuthServiceError } from '../../core/services/auth-error';
+import { buildAppAccessTokenTransportInput, getAppCookies, getAppRequestId, } from './request';
+import { sendAppAuthError, sendAppSystemError } from './response';
+export function withAppAuthRoute(options) {
+    return async function appAuthRoute(req) {
+        const requestId = getAppRequestId(req, options.requestIdHeaderName);
+        const transport = buildAppAccessTokenTransportInput({
+            req,
+            ...(options.authorizationHeaderName === undefined
+                ? {}
+                : { authorizationHeaderName: options.authorizationHeaderName }),
+        });
+        const cookies = getAppCookies(req);
+        try {
+            const output = await options.handler({
+                req,
+                ...(requestId === undefined ? {} : { requestId }),
+                transport,
+                cookies,
+            });
+            if (output instanceof Response) {
+                return output;
+            }
+            if (output === undefined) {
+                return new Response(null, { status: 204 });
+            }
+            if (options.send) {
+                return options.send({
+                    req,
+                    output,
+                    ...(requestId === undefined ? {} : { requestId }),
+                });
+            }
+            return new Response(JSON.stringify(output), {
+                status: 200,
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+            });
+        }
+        catch (error) {
+            if (isAuthServiceError(error)) {
+                return sendAppAuthError(error, {
+                    ...(requestId === undefined ? {} : { requestId }),
+                    ...(options.challenge?.scope === undefined
+                        ? {}
+                        : { challengeScope: options.challenge.scope }),
+                    ...(options.challenge?.resourceMetadataUrl === undefined
+                        ? {}
+                        : { resourceMetadataUrl: options.challenge.resourceMetadataUrl }),
+                    ...(options.challenge?.includeErrorInWwwAuthenticate === undefined
+                        ? {}
+                        : {
+                            includeChallengeError: options.challenge.includeErrorInWwwAuthenticate,
+                        }),
+                });
+            }
+            if (options.onSystemError) {
+                try {
+                    const hooked = await options.onSystemError({
+                        req,
+                        error,
+                        ...(requestId === undefined ? {} : { requestId }),
+                    });
+                    if (hooked instanceof Response) {
+                        return hooked;
+                    }
+                }
+                catch {
+                    // Wrapper never throws from system-error hooks.
+                }
+            }
+            return sendAppSystemError({
+                ...(requestId === undefined ? {} : { requestId }),
+            });
+        }
+    };
+}

package/src/next/index.d.ts

@@ -0,0 +1,6 @@
+export declare const SUPPORTED_NEXT_ROUTERS: readonly ["pages", "app"];
+export type SupportedNextRouter = (typeof SUPPORTED_NEXT_ROUTERS)[number];
+export * from './pages/index';
+export * from './app/index';
+export * from './shared/auth-routes';
+export * from './rewrites';

package/src/next/index.js

@@ -0,0 +1,5 @@
+export const SUPPORTED_NEXT_ROUTERS = ['pages', 'app'];
+export * from './pages/index';
+export * from './app/index';
+export * from './shared/auth-routes';
+export * from './rewrites';

package/src/next/pages/catch-all.d.ts

@@ -0,0 +1,19 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';
+import { type AuthRouteAction, type AuthRouteHttpMethod } from '../shared/auth-routes';
+export type PagesAuthCatchAllHandler = (req: NextApiRequest, res: NextApiResponse) => Promise<void> | void;
+export type CreatePagesAuthCatchAllHandlerOptions = {
+    handlers: Partial<Record<AuthRouteAction, PagesAuthCatchAllHandler>>;
+    onUnsupportedRoute?: (input: {
+        req: NextApiRequest;
+        res: NextApiResponse;
+        segments: readonly string[];
+        action?: AuthRouteAction;
+    }) => Promise<void> | void;
+    onMethodNotAllowed?: (input: {
+        req: NextApiRequest;
+        res: NextApiResponse;
+        action: AuthRouteAction;
+        allowedMethods: readonly AuthRouteHttpMethod[];
+    }) => Promise<void> | void;
+};
+export declare function createPagesAuthCatchAllHandler(options: CreatePagesAuthCatchAllHandlerOptions): NextApiHandler;

package/src/next/pages/catch-all.js

@@ -0,0 +1,60 @@
+import { isAuthRouteMethodAllowed, normalizeAuthRouteSegments, resolveAuthRoute, } from '../shared/auth-routes';
+function sendUnsupportedRoute(res) {
+    res.status(404).json({
+        error: 'not_found',
+        error_description: 'Unsupported auth route.',
+    });
+}
+function sendMethodNotAllowed(res, allowedMethods) {
+    res.setHeader('Allow', allowedMethods.join(', '));
+    res.status(405).json({
+        error: 'method_not_allowed',
+        error_description: 'HTTP method not allowed for auth route.',
+    });
+}
+export function createPagesAuthCatchAllHandler(options) {
+    return async function pagesAuthCatchAll(req, res) {
+        const segments = normalizeAuthRouteSegments(req.query.auth);
+        const route = resolveAuthRoute(segments);
+        if (!route) {
+            if (options.onUnsupportedRoute) {
+                await options.onUnsupportedRoute({
+                    req,
+                    res,
+                    segments,
+                });
+                return;
+            }
+            sendUnsupportedRoute(res);
+            return;
+        }
+        if (!isAuthRouteMethodAllowed(route, req.method)) {
+            if (options.onMethodNotAllowed) {
+                await options.onMethodNotAllowed({
+                    req,
+                    res,
+                    action: route.action,
+                    allowedMethods: route.methods,
+                });
+                return;
+            }
+            sendMethodNotAllowed(res, route.methods);
+            return;
+        }
+        const handler = options.handlers[route.action];
+        if (!handler) {
+            if (options.onUnsupportedRoute) {
+                await options.onUnsupportedRoute({
+                    req,
+                    res,
+                    segments,
+                    action: route.action,
+                });
+                return;
+            }
+            sendUnsupportedRoute(res);
+            return;
+        }
+        await handler(req, res);
+    };
+}

package/src/next/pages/cookies.d.ts

@@ -0,0 +1,41 @@
+export type CookieSameSite = 'lax' | 'strict' | 'none';
+type SetCookieHeaderValue = string | number | readonly string[] | undefined;
+type SetCookieHeaderResponse = {
+    getHeader(name: 'Set-Cookie'): SetCookieHeaderValue;
+    setHeader(name: 'Set-Cookie', value: string | string[]): void;
+};
+export type PagesCookieOptions = {
+    path?: string;
+    domain?: string;
+    maxAgeSeconds?: number;
+    expires?: Date;
+    secure?: boolean;
+    httpOnly?: boolean;
+    sameSite?: CookieSameSite;
+};
+export declare function serializeSetCookie(input: {
+    name: string;
+    value: string;
+    options?: PagesCookieOptions;
+}): string;
+export declare function appendSetCookieHeader(res: SetCookieHeaderResponse, serializedCookie: string): void;
+export declare function setPagesCookie(res: SetCookieHeaderResponse, input: {
+    name: string;
+    value: string;
+    options?: PagesCookieOptions;
+}): string;
+export declare function setPagesAuthCookie(res: SetCookieHeaderResponse, input: {
+    name: string;
+    value: string;
+    maxAgeSeconds: number;
+    secure?: boolean;
+    sameSite?: CookieSameSite;
+    path?: string;
+}): string;
+export declare function clearPagesAuthCookie(res: SetCookieHeaderResponse, input: {
+    name: string;
+    secure?: boolean;
+    sameSite?: CookieSameSite;
+    path?: string;
+}): string;
+export {};

package/src/next/pages/cookies.js

@@ -0,0 +1,87 @@
+export function serializeSetCookie(input) {
+    if (input.name.length === 0) {
+        throw new Error('Cookie name must be a non-empty string.');
+    }
+    const options = input.options ?? {};
+    if (options.maxAgeSeconds !== undefined &&
+        (!Number.isSafeInteger(options.maxAgeSeconds) || options.maxAgeSeconds < 0)) {
+        throw new Error('maxAgeSeconds must be a non-negative safe integer.');
+    }
+    const parts = [
+        `${encodeURIComponent(input.name)}=${encodeURIComponent(input.value)}`,
+    ];
+    if (options.path !== undefined) {
+        parts.push(`Path=${options.path}`);
+    }
+    if (options.domain !== undefined) {
+        parts.push(`Domain=${options.domain}`);
+    }
+    if (options.maxAgeSeconds !== undefined) {
+        parts.push(`Max-Age=${String(options.maxAgeSeconds)}`);
+    }
+    if (options.expires !== undefined) {
+        parts.push(`Expires=${options.expires.toUTCString()}`);
+    }
+    if (options.httpOnly) {
+        parts.push('HttpOnly');
+    }
+    if (options.secure) {
+        parts.push('Secure');
+    }
+    if (options.sameSite !== undefined) {
+        const formattedSameSite = options.sameSite.charAt(0).toUpperCase() + options.sameSite.slice(1);
+        parts.push(`SameSite=${formattedSameSite}`);
+    }
+    return parts.join('; ');
+}
+export function appendSetCookieHeader(res, serializedCookie) {
+    const existingValue = res.getHeader('Set-Cookie');
+    if (existingValue === undefined) {
+        res.setHeader('Set-Cookie', serializedCookie);
+        return;
+    }
+    if (Array.isArray(existingValue)) {
+        res.setHeader('Set-Cookie', [
+            ...existingValue.map(String),
+            serializedCookie,
+        ]);
+        return;
+    }
+    if (typeof existingValue === 'string') {
+        res.setHeader('Set-Cookie', [existingValue, serializedCookie]);
+        return;
+    }
+    res.setHeader('Set-Cookie', [String(existingValue), serializedCookie]);
+}
+export function setPagesCookie(res, input) {
+    const serializedCookie = serializeSetCookie(input);
+    appendSetCookieHeader(res, serializedCookie);
+    return serializedCookie;
+}
+export function setPagesAuthCookie(res, input) {
+    return setPagesCookie(res, {
+        name: input.name,
+        value: input.value,
+        options: {
+            path: input.path ?? '/',
+            maxAgeSeconds: input.maxAgeSeconds,
+            secure: input.secure ?? false,
+            httpOnly: true,
+            sameSite: input.sameSite ?? 'lax',
+        },
+    });
+}
+export function clearPagesAuthCookie(res, input) {
+    return setPagesCookie(res, {
+        name: input.name,
+        value: '',
+        options: {
+            path: input.path ?? '/',
+            maxAgeSeconds: 0,
+            expires: new Date(0),
+            secure: input.secure ?? false,
+            httpOnly: true,
+            sameSite: input.sameSite ?? 'lax',
+        },
+    });
+}

package/src/next/pages/direct-auth-handlers.d.ts

@@ -0,0 +1,58 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next';
+import type { LoginMethodAdapter } from '../../core/adapters/login-method-adapter';
+import type { DirectAuthService } from '../../core/services/direct-auth-service';
+import type { AuthActor } from '../../core/types/auth-contract';
+import { type CookieSameSite } from './cookies';
+import { type DirectAccessTokenTransportConfig, type DirectCsrfConfig, type RefreshTokenSource } from '../shared/direct-auth-utils';
+export type DirectCookieConfig = {
+    enabled?: boolean;
+    accessTokenCookieName?: string;
+    refreshTokenCookieName?: string;
+    path?: string;
+    sameSite?: CookieSameSite;
+    secure?: boolean;
+    secureInProduction?: boolean;
+    refreshTokenMaxAgeSeconds?: number;
+};
+export type PagesDirectLoginIssueResult = {
+    accessToken?: string;
+    accessClaims?: {
+        exp: number;
+        iat: number;
+    };
+    refreshToken?: string;
+    clientSession?: unknown;
+    body?: Record<string, unknown>;
+    redirectTo?: string;
+    statusCode?: number;
+};
+export type CreatePagesDirectAuthHandlersOptions<TSessionId, TUserId, TActor extends AuthActor = AuthActor> = {
+    directAuthService: DirectAuthService<TSessionId, TUserId, TActor>;
+    loginMethods?: Readonly<Record<string, LoginMethodAdapter<TUserId>>>;
+    issueLogin?: (input: {
+        req: NextApiRequest;
+        res: NextApiResponse;
+        requestId?: string;
+        method: string;
+        userId: TUserId;
+    }) => Promise<PagesDirectLoginIssueResult | void> | PagesDirectLoginIssueResult | void;
+    defaultLoginMethod?: string;
+    parseSessionId?: (value: unknown) => TSessionId | undefined;
+    accessTokenTransport?: DirectAccessTokenTransportConfig<TActor>;
+    refreshTokenFieldName?: string;
+    refreshTokenPriority?: readonly RefreshTokenSource[];
+    expectedAudience?: string;
+    allowedActors?: readonly TActor[] | ReadonlySet<TActor>;
+    csrf?: DirectCsrfConfig;
+    cookies?: DirectCookieConfig;
+    logoutAllowMissingCredentials?: boolean;
+    requestIdHeaderName?: string;
+    authorizationHeaderName?: string;
+};
+export type PagesDirectAuthHandlers = {
+    refresh: NextApiHandler;
+    logout: NextApiHandler;
+    loginStart: NextApiHandler;
+    loginFinish: NextApiHandler;
+};
+export declare function createPagesDirectAuthHandlers<TSessionId, TUserId, TActor extends AuthActor = AuthActor>(options: CreatePagesDirectAuthHandlersOptions<TSessionId, TUserId, TActor>): PagesDirectAuthHandlers;