hylekit 1.0.0

package/dist/index.cjs

@@ -0,0 +1,705 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DEFAULT_CONFIG: () => DEFAULT_CONFIG,
+  account: () => account,
+  accountRelations: () => accountRelations,
+  createAuth: () => createAuth,
+  createNextClient: () => createNextClient,
+  createSvelteKitClient: () => createSvelteKitClient,
+  nextClient: () => nextClient,
+  oauthAccessToken: () => oauthAccessToken,
+  oauthAccessTokenRelations: () => oauthAccessTokenRelations,
+  oauthApplication: () => oauthApplication,
+  oauthApplicationRelations: () => oauthApplicationRelations,
+  oauthConsent: () => oauthConsent,
+  oauthConsentRelations: () => oauthConsentRelations,
+  session: () => session,
+  sessionRelations: () => sessionRelations,
+  svelteClient: () => svelteClient,
+  user: () => user,
+  userRelations: () => userRelations,
+  verification: () => verification
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/auth.ts
+var import_better_auth = require("better-auth");
+var import_drizzle = require("better-auth/adapters/drizzle");
+
+// src/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  account: () => account,
+  accountRelations: () => accountRelations,
+  oauthAccessToken: () => oauthAccessToken,
+  oauthAccessTokenRelations: () => oauthAccessTokenRelations,
+  oauthApplication: () => oauthApplication,
+  oauthApplicationRelations: () => oauthApplicationRelations,
+  oauthConsent: () => oauthConsent,
+  oauthConsentRelations: () => oauthConsentRelations,
+  session: () => session,
+  sessionRelations: () => sessionRelations,
+  user: () => user,
+  userRelations: () => userRelations,
+  verification: () => verification
+});
+var import_drizzle_orm = require("drizzle-orm");
+var import_sqlite_core = require("drizzle-orm/sqlite-core");
+var user = (0, import_sqlite_core.sqliteTable)("user", {
+  id: (0, import_sqlite_core.text)("id").primaryKey(),
+  name: (0, import_sqlite_core.text)("name").notNull(),
+  email: (0, import_sqlite_core.text)("email").notNull().unique(),
+  emailVerified: (0, import_sqlite_core.integer)("email_verified", { mode: "boolean" }).default(false).notNull(),
+  image: (0, import_sqlite_core.text)("image"),
+  createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+  updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+});
+var session = (0, import_sqlite_core.sqliteTable)(
+  "session",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    expiresAt: (0, import_sqlite_core.integer)("expires_at", { mode: "timestamp_ms" }).notNull(),
+    token: (0, import_sqlite_core.text)("token").notNull().unique(),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" }).$onUpdate(() => /* @__PURE__ */ new Date()).notNull(),
+    ipAddress: (0, import_sqlite_core.text)("ip_address"),
+    userAgent: (0, import_sqlite_core.text)("user_agent"),
+    userId: (0, import_sqlite_core.text)("user_id").notNull().references(() => user.id, { onDelete: "cascade" })
+  },
+  (table) => [(0, import_sqlite_core.index)("session_userId_idx").on(table.userId)]
+);
+var account = (0, import_sqlite_core.sqliteTable)(
+  "account",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    accountId: (0, import_sqlite_core.text)("account_id").notNull(),
+    providerId: (0, import_sqlite_core.text)("provider_id").notNull(),
+    userId: (0, import_sqlite_core.text)("user_id").notNull().references(() => user.id, { onDelete: "cascade" }),
+    accessToken: (0, import_sqlite_core.text)("access_token"),
+    refreshToken: (0, import_sqlite_core.text)("refresh_token"),
+    idToken: (0, import_sqlite_core.text)("id_token"),
+    accessTokenExpiresAt: (0, import_sqlite_core.integer)("access_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    refreshTokenExpiresAt: (0, import_sqlite_core.integer)("refresh_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    scope: (0, import_sqlite_core.text)("scope"),
+    password: (0, import_sqlite_core.text)("password"),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" }).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [(0, import_sqlite_core.index)("account_userId_idx").on(table.userId)]
+);
+var verification = (0, import_sqlite_core.sqliteTable)(
+  "verification",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    identifier: (0, import_sqlite_core.text)("identifier").notNull(),
+    value: (0, import_sqlite_core.text)("value").notNull(),
+    expiresAt: (0, import_sqlite_core.integer)("expires_at", { mode: "timestamp_ms" }).notNull(),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).notNull(),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" }).default(import_drizzle_orm.sql`(cast(unixepoch('subsecond') * 1000 as integer))`).$onUpdate(() => /* @__PURE__ */ new Date()).notNull()
+  },
+  (table) => [(0, import_sqlite_core.index)("verification_identifier_idx").on(table.identifier)]
+);
+var oauthApplication = (0, import_sqlite_core.sqliteTable)(
+  "oauth_application",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    name: (0, import_sqlite_core.text)("name"),
+    icon: (0, import_sqlite_core.text)("icon"),
+    metadata: (0, import_sqlite_core.text)("metadata"),
+    clientId: (0, import_sqlite_core.text)("client_id").unique(),
+    clientSecret: (0, import_sqlite_core.text)("client_secret"),
+    redirectUrls: (0, import_sqlite_core.text)("redirect_urls"),
+    type: (0, import_sqlite_core.text)("type"),
+    disabled: (0, import_sqlite_core.integer)("disabled", { mode: "boolean" }).default(false),
+    userId: (0, import_sqlite_core.text)("user_id").references(() => user.id, { onDelete: "cascade" }),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" })
+  },
+  (table) => [(0, import_sqlite_core.index)("oauthApplication_userId_idx").on(table.userId)]
+);
+var oauthAccessToken = (0, import_sqlite_core.sqliteTable)(
+  "oauth_access_token",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    accessToken: (0, import_sqlite_core.text)("access_token").unique(),
+    refreshToken: (0, import_sqlite_core.text)("refresh_token").unique(),
+    accessTokenExpiresAt: (0, import_sqlite_core.integer)("access_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    refreshTokenExpiresAt: (0, import_sqlite_core.integer)("refresh_token_expires_at", {
+      mode: "timestamp_ms"
+    }),
+    clientId: (0, import_sqlite_core.text)("client_id").references(() => oauthApplication.clientId, {
+      onDelete: "cascade"
+    }),
+    userId: (0, import_sqlite_core.text)("user_id").references(() => user.id, { onDelete: "cascade" }),
+    scopes: (0, import_sqlite_core.text)("scopes"),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" })
+  },
+  (table) => [
+    (0, import_sqlite_core.index)("oauthAccessToken_clientId_idx").on(table.clientId),
+    (0, import_sqlite_core.index)("oauthAccessToken_userId_idx").on(table.userId)
+  ]
+);
+var oauthConsent = (0, import_sqlite_core.sqliteTable)(
+  "oauth_consent",
+  {
+    id: (0, import_sqlite_core.text)("id").primaryKey(),
+    clientId: (0, import_sqlite_core.text)("client_id").references(() => oauthApplication.clientId, {
+      onDelete: "cascade"
+    }),
+    userId: (0, import_sqlite_core.text)("user_id").references(() => user.id, { onDelete: "cascade" }),
+    scopes: (0, import_sqlite_core.text)("scopes"),
+    createdAt: (0, import_sqlite_core.integer)("created_at", { mode: "timestamp_ms" }),
+    updatedAt: (0, import_sqlite_core.integer)("updated_at", { mode: "timestamp_ms" }),
+    consentGiven: (0, import_sqlite_core.integer)("consent_given", { mode: "boolean" })
+  },
+  (table) => [
+    (0, import_sqlite_core.index)("oauthConsent_clientId_idx").on(table.clientId),
+    (0, import_sqlite_core.index)("oauthConsent_userId_idx").on(table.userId)
+  ]
+);
+var userRelations = (0, import_drizzle_orm.relations)(user, ({ many }) => ({
+  sessions: many(session),
+  accounts: many(account),
+  oauthApplications: many(oauthApplication),
+  oauthAccessTokens: many(oauthAccessToken),
+  oauthConsents: many(oauthConsent)
+}));
+var sessionRelations = (0, import_drizzle_orm.relations)(session, ({ one }) => ({
+  user: one(user, {
+    fields: [session.userId],
+    references: [user.id]
+  })
+}));
+var accountRelations = (0, import_drizzle_orm.relations)(account, ({ one }) => ({
+  user: one(user, {
+    fields: [account.userId],
+    references: [user.id]
+  })
+}));
+var oauthApplicationRelations = (0, import_drizzle_orm.relations)(
+  oauthApplication,
+  ({ one, many }) => ({
+    user: one(user, {
+      fields: [oauthApplication.userId],
+      references: [user.id]
+    }),
+    oauthAccessTokens: many(oauthAccessToken),
+    oauthConsents: many(oauthConsent)
+  })
+);
+var oauthAccessTokenRelations = (0, import_drizzle_orm.relations)(
+  oauthAccessToken,
+  ({ one }) => ({
+    oauthApplication: one(oauthApplication, {
+      fields: [oauthAccessToken.clientId],
+      references: [oauthApplication.clientId]
+    }),
+    user: one(user, {
+      fields: [oauthAccessToken.userId],
+      references: [user.id]
+    })
+  })
+);
+var oauthConsentRelations = (0, import_drizzle_orm.relations)(oauthConsent, ({ one }) => ({
+  oauthApplication: one(oauthApplication, {
+    fields: [oauthConsent.clientId],
+    references: [oauthApplication.clientId]
+  }),
+  user: one(user, {
+    fields: [oauthConsent.userId],
+    references: [user.id]
+  })
+}));
+
+// src/auth.ts
+var createAuth = (db, config) => {
+  return (0, import_better_auth.betterAuth)({
+    database: (0, import_drizzle.drizzleAdapter)(db, {
+      provider: "sqlite",
+      schema: {
+        ...schema_exports
+      }
+    }),
+    socialProviders: {
+      google: {
+        enabled: true,
+        clientId: process.env.GOOGLE_CLIENT_ID ?? "",
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET ?? ""
+      }
+    },
+    ...config
+  });
+};
+
+// src/client/types.ts
+var DEFAULT_CONFIG = {
+  authorizeEndpoint: "/api/auth/oauth2/authorize",
+  tokenEndpoint: "/api/auth/oauth2/token",
+  userEndpoint: "/api/auth/oauth2/userinfo",
+  cookieName: "access_token",
+  cookieMaxAge: 60 * 60 * 24 * 7
+  // 7 Days
+};
+function resolveConfig(config) {
+  return {
+    ...DEFAULT_CONFIG,
+    ...config
+  };
+}
+function buildAuthorizationUrl(config, clientConfig, options) {
+  const targetUrl = new URL(config.url + config.authorizeEndpoint);
+  const scopes = ["openid", "profile", "email"];
+  if (options?.additionalScopes) {
+    scopes.push(...options.additionalScopes);
+  }
+  targetUrl.searchParams.set("response_type", "code");
+  targetUrl.searchParams.set("client_id", clientConfig.clientId);
+  targetUrl.searchParams.set("redirect_uri", clientConfig.redirectUri);
+  targetUrl.searchParams.set("scope", scopes.join(" "));
+  if (options?.state) {
+    targetUrl.searchParams.set("state", options.state);
+  }
+  return targetUrl.toString();
+}
+async function exchangeCodeForTokens(config, clientConfig, code) {
+  const response = await fetch(config.url + config.tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: clientConfig.clientId,
+      client_secret: clientConfig.clientSecret,
+      redirect_uri: clientConfig.redirectUri,
+      code
+    })
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Token exchange failed (${response.status}): ${errorText}`);
+  }
+  const tokens = await response.json();
+  if (!tokens.access_token) {
+    throw new Error("No access token in response");
+  }
+  return tokens;
+}
+async function fetchUserInfo(config, accessToken) {
+  try {
+    const response = await fetch(config.url + config.userEndpoint, {
+      headers: {
+        "Authorization": `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+
+// src/client/sveltekit.ts
+var import_kit = require("@sveltejs/kit");
+function createSvelteKitClient(centralAuthConfig) {
+  const config = resolveConfig(centralAuthConfig);
+  return {
+    /**
+     * Get the current Central Auth configuration.
+     */
+    getConfig: () => ({ ...config }),
+    /**
+     * Initiates the OAuth2 sign-in flow by redirecting to the Central Auth Server.
+     * Uses SvelteKit's redirect() which throws a redirect response.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @throws Redirect to the Central Auth authorization endpoint
+     */
+    signIn: (clientConfig, options) => {
+      const authUrl = buildAuthorizationUrl(config, clientConfig, options);
+      (0, import_kit.redirect)(302, authUrl);
+    },
+    /**
+     * Builds the authorization URL without redirecting.
+     * Useful when you need to return the URL for client-side navigation.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns The authorization URL string
+     */
+    getSignInUrl: (clientConfig, options) => {
+      return buildAuthorizationUrl(config, clientConfig, options);
+    },
+    /**
+     * Handles the OAuth2 callback, exchanges the code for tokens, and sets the session cookie.
+     * Uses SvelteKit's cookies API for cookie management.
+     * 
+     * @param event - SvelteKit RequestEvent
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional callback options
+     * @throws Redirect on success, throws error on failure
+     */
+    handleSignInCallback: async (event, clientConfig, options) => {
+      const { url, cookies: cookies2 } = event;
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        throw new Error(`Authentication failed: ${errorDescription || error}`);
+      }
+      if (!code) {
+        throw new Error("Missing authorization code");
+      }
+      try {
+        const tokens = await exchangeCodeForTokens(config, clientConfig, code);
+        cookies2.set(config.cookieName, tokens.access_token, {
+          httpOnly: true,
+          secure: event.url.protocol === "https:",
+          sameSite: "lax",
+          path: "/",
+          maxAge: config.cookieMaxAge
+        });
+        const successPath = options?.successRedirectPath || "/";
+        (0, import_kit.redirect)(302, successPath);
+      } catch (err) {
+        if (err && typeof err === "object" && "status" in err) {
+          throw err;
+        }
+        console.error("Auth callback error:", err);
+        throw new Error("Authentication failed");
+      }
+    },
+    /**
+     * Signs out the user by clearing the session cookie.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @param redirectPath - Path to redirect to after sign out (default: "/")
+     * @throws Redirect to the specified path
+     */
+    signOut: (cookies2, redirectPath = "/") => {
+      cookies2.delete(config.cookieName, { path: "/" });
+      (0, import_kit.redirect)(302, redirectPath);
+    },
+    /**
+     * Clears the session cookie without redirecting.
+     * Useful when you need more control over the response.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     */
+    clearSession: (cookies2) => {
+      cookies2.delete(config.cookieName, { path: "/" });
+    },
+    /**
+     * Retrieves the access token from cookies.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns The access token or null if not found
+     */
+    getAccessToken: (cookies2) => {
+      return cookies2.get(config.cookieName) ?? null;
+    },
+    /**
+     * Fetches user information from the Central Auth Server.
+     * 
+     * @param accessToken - The access token to use for authentication
+     * @returns The user information or null if the request fails
+     */
+    getUser: async (accessToken) => {
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session from cookies.
+     * Combines getAccessToken and getUser for convenience.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns The user information or null if not authenticated
+     */
+    getSession: async (cookies2) => {
+      const accessToken = cookies2.get(config.cookieName);
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Checks if the user is authenticated (has access token in cookies).
+     * Note: This only checks for token presence, not validity.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @returns true if an access token is present
+     */
+    isAuthenticated: (cookies2) => {
+      return !!cookies2.get(config.cookieName);
+    },
+    /**
+     * Protects a route by checking authentication and redirecting if needed.
+     * Use in +page.server.ts or +layout.server.ts load functions.
+     * 
+     * @param cookies - SvelteKit Cookies object
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @throws Redirect to login path if not authenticated
+     */
+    requireAuth: (cookies2, loginPath = "/login") => {
+      if (!cookies2.get(config.cookieName)) {
+        (0, import_kit.redirect)(302, loginPath);
+      }
+    }
+  };
+}
+var svelteClient = createSvelteKitClient;
+
+// src/client/nextjs.ts
+var import_headers = require("next/headers");
+var import_navigation = require("next/navigation");
+var import_server = require("next/server");
+function createNextClient(centralAuthConfig) {
+  const config = resolveConfig(centralAuthConfig);
+  return {
+    /**
+     * Get the current Central Auth configuration.
+     */
+    getConfig: () => ({ ...config }),
+    /**
+     * Initiates the OAuth2 sign-in flow by returning a redirect Response.
+     * Use in Route Handlers (App Router).
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns NextResponse redirect to the Central Auth authorization endpoint
+     */
+    signIn: (clientConfig, options) => {
+      const authUrl = buildAuthorizationUrl(config, clientConfig, options);
+      return import_server.NextResponse.redirect(authUrl);
+    },
+    /**
+     * Builds the authorization URL without redirecting.
+     * Useful for client-side navigation or custom redirect logic.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional sign-in options
+     * @returns The authorization URL string
+     */
+    getSignInUrl: (clientConfig, options) => {
+      return buildAuthorizationUrl(config, clientConfig, options);
+    },
+    /**
+     * Handles the OAuth2 callback in Route Handlers.
+     * Exchanges the code for tokens and sets the session cookie.
+     * 
+     * @param request - NextRequest object
+     * @param clientConfig - OAuth2 client configuration
+     * @param options - Optional callback options
+     * @returns NextResponse with redirect and cookie set
+     */
+    handleSignInCallback: async (request, clientConfig, options) => {
+      const { searchParams } = new URL(request.url);
+      const code = searchParams.get("code");
+      const error = searchParams.get("error");
+      const errorDescription = searchParams.get("error_description");
+      if (error) {
+        return import_server.NextResponse.json(
+          { error: errorDescription || error },
+          { status: 400 }
+        );
+      }
+      if (!code) {
+        return import_server.NextResponse.json(
+          { error: "Missing authorization code" },
+          { status: 400 }
+        );
+      }
+      try {
+        const tokens = await exchangeCodeForTokens(config, clientConfig, code);
+        const successPath = options?.successRedirectPath || "/";
+        const successUrl = new URL(successPath, clientConfig.appUrl);
+        const response = import_server.NextResponse.redirect(successUrl);
+        response.cookies.set(config.cookieName, tokens.access_token, {
+          httpOnly: true,
+          secure: process.env.NODE_ENV === "production",
+          sameSite: "lax",
+          path: "/",
+          maxAge: config.cookieMaxAge
+        });
+        return response;
+      } catch (err) {
+        console.error("Auth callback error:", err);
+        return import_server.NextResponse.json(
+          { error: "Authentication failed" },
+          { status: 500 }
+        );
+      }
+    },
+    /**
+     * Signs out the user by clearing the session cookie.
+     * Use in Route Handlers.
+     * 
+     * @param clientConfig - OAuth2 client configuration
+     * @param redirectPath - Path to redirect to after sign out (default: "/")
+     * @returns NextResponse with redirect and cookie cleared
+     */
+    signOut: (clientConfig, redirectPath = "/") => {
+      const redirectUrl = new URL(redirectPath, clientConfig.appUrl);
+      const response = import_server.NextResponse.redirect(redirectUrl);
+      response.cookies.set(config.cookieName, "", {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax",
+        path: "/",
+        maxAge: 0
+      });
+      return response;
+    },
+    /**
+     * Retrieves the access token from cookies.
+     * Use in Server Components or Route Handlers.
+     * 
+     * @returns The access token or null if not found
+     */
+    getAccessToken: async () => {
+      const cookieStore = await (0, import_headers.cookies)();
+      return cookieStore.get(config.cookieName)?.value ?? null;
+    },
+    /**
+     * Retrieves the access token from a NextRequest.
+     * Use in middleware or Route Handlers when you have the request object.
+     * 
+     * @param request - NextRequest object
+     * @returns The access token or null if not found
+     */
+    getAccessTokenFromRequest: (request) => {
+      return request.cookies.get(config.cookieName)?.value ?? null;
+    },
+    /**
+     * Fetches user information from the Central Auth Server.
+     * 
+     * @param accessToken - The access token to use for authentication
+     * @returns The user information or null if the request fails
+     */
+    getUser: async (accessToken) => {
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session.
+     * Use in Server Components.
+     * 
+     * @returns The user information or null if not authenticated
+     */
+    getSession: async () => {
+      const cookieStore = await (0, import_headers.cookies)();
+      const accessToken = cookieStore.get(config.cookieName)?.value;
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Gets the current user session from a request.
+     * Use in middleware or Route Handlers.
+     * 
+     * @param request - NextRequest object
+     * @returns The user information or null if not authenticated
+     */
+    getSessionFromRequest: async (request) => {
+      const accessToken = request.cookies.get(config.cookieName)?.value;
+      if (!accessToken) return null;
+      return fetchUserInfo(config, accessToken);
+    },
+    /**
+     * Checks if the user is authenticated.
+     * Use in Server Components.
+     * 
+     * @returns true if an access token is present
+     */
+    isAuthenticated: async () => {
+      const cookieStore = await (0, import_headers.cookies)();
+      return !!cookieStore.get(config.cookieName)?.value;
+    },
+    /**
+     * Checks if the request is authenticated.
+     * Use in middleware.
+     * 
+     * @param request - NextRequest object
+     * @returns true if an access token is present
+     */
+    isAuthenticatedRequest: (request) => {
+      return !!request.cookies.get(config.cookieName)?.value;
+    },
+    /**
+     * Protects a route by checking authentication and redirecting if needed.
+     * Use in Server Components.
+     * 
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @throws Redirect to login path if not authenticated
+     */
+    requireAuth: async (loginPath = "/login") => {
+      const cookieStore = await (0, import_headers.cookies)();
+      if (!cookieStore.get(config.cookieName)?.value) {
+        (0, import_navigation.redirect)(loginPath);
+      }
+    },
+    /**
+     * Creates a middleware-compatible auth check.
+     * Returns a NextResponse redirect if not authenticated.
+     * 
+     * @param request - NextRequest object  
+     * @param loginPath - Path to redirect to for login (default: "/login")
+     * @returns NextResponse redirect if not authenticated, null otherwise
+     */
+    middlewareAuth: (request, loginPath = "/login") => {
+      if (!request.cookies.get(config.cookieName)?.value) {
+        const loginUrl = new URL(loginPath, request.url);
+        loginUrl.searchParams.set("from", request.nextUrl.pathname);
+        return import_server.NextResponse.redirect(loginUrl);
+      }
+      return null;
+    }
+  };
+}
+var nextClient = createNextClient;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_CONFIG,
+  account,
+  accountRelations,
+  createAuth,
+  createNextClient,
+  createSvelteKitClient,
+  nextClient,
+  oauthAccessToken,
+  oauthAccessTokenRelations,
+  oauthApplication,
+  oauthApplicationRelations,
+  oauthConsent,
+  oauthConsentRelations,
+  session,
+  sessionRelations,
+  svelteClient,
+  user,
+  userRelations,
+  verification
+});
+//# sourceMappingURL=index.cjs.map