mailsentry-auth 0.1.4 → 0.1.6

package/dist/index.mjs

@@ -83,34 +83,33 @@ var AuthEventType = /* @__PURE__ */ ((AuthEventType3) => {
   return AuthEventType3;
 })(AuthEventType || {});
 var PageType = /* @__PURE__ */ ((PageType3) => {
-  PageType3["LOGIN"] = "login";
+  PageType3["LOGIN"] = "/login";
   PageType3["DASHBOARD"] = "dashboard";
   PageType3["HOME"] = "/";
   return PageType3;
 })(PageType || {});
 var NavigationAction = /* @__PURE__ */ ((NavigationAction2) => {
   NavigationAction2["NONE"] = "none";
-  NavigationAction2["REDIRECT"] = "redirect";
-  NavigationAction2["MODAL"] = "modal";
-  NavigationAction2["CURRENT"] = "current";
+  NavigationAction2["RELOAD"] = "reload";
   return NavigationAction2;
 })(NavigationAction || {});
 var PageTypePatterns = {
-  ["login" /* LOGIN */]: "login" /* LOGIN */,
-  ["dashboard" /* DASHBOARD */]: "dashboard" /* DASHBOARD */
+  ["/login" /* LOGIN */]: "/login" /* LOGIN */,
+  ["dashboard" /* DASHBOARD */]: "dashboard" /* DASHBOARD */,
+  ["/" /* HOME */]: "/" /* HOME */
 };
 var CrossTabBehaviorConfig = {
-  ["login" /* LOGIN */]: {
-    ["auth.logged_in" /* LoggedIn */]: { action: "redirect" /* REDIRECT */, target: "dashboard" /* DASHBOARD */ },
-    ["auth.logged_out" /* LoggedOut */]: { action: "none" /* NONE */ },
+  ["/login" /* LOGIN */]: {
+    ["auth.logged_in" /* LoggedIn */]: { action: "reload" /* RELOAD */ },
+    ["auth.logged_out" /* LoggedOut */]: { action: "reload" /* RELOAD */ },
     ["auth.email_verified" /* EmailVerified */]: { action: "none" /* NONE */ },
     ["auth.signin_required_modal" /* SignInRequiredModal */]: { action: "none" /* NONE */ }
   },
   ["dashboard" /* DASHBOARD */]: {
-    ["auth.logged_in" /* LoggedIn */]: { action: "current" /* CURRENT */ },
-    ["auth.logged_out" /* LoggedOut */]: { action: "current" /* CURRENT */ },
-    ["auth.email_verified" /* EmailVerified */]: { action: "current" /* CURRENT */ },
-    ["auth.signin_required_modal" /* SignInRequiredModal */]: { action: "current" /* CURRENT */ }
+    ["auth.logged_in" /* LoggedIn */]: { action: "reload" /* RELOAD */ },
+    ["auth.logged_out" /* LoggedOut */]: { action: "reload" /* RELOAD */ },
+    ["auth.email_verified" /* EmailVerified */]: { action: "reload" /* RELOAD */ },
+    ["auth.signin_required_modal" /* SignInRequiredModal */]: { action: "none" /* NONE */ }
   },
   ["/" /* HOME */]: {
     ["auth.logged_in" /* LoggedIn */]: { action: "none" /* NONE */ },
@@ -253,12 +252,12 @@ var getVerificationField = (codeLength = 5, options = {}) => ({
 });
 
 // src/config/middleware.ts
-var MiddlewareConfig = class {
+var _MiddlewareConfig = class _MiddlewareConfig {
   /**
    * Get the base domain from environment or use default
    */
   static getBaseDomain() {
-    return process.env.NEXT_PUBLIC_BASE_DOMAIN || "cutly.io";
+    return process.env.NEXT_PUBLIC_BASE_DOMAIN;
   }
   /**
    * Get the protocol based on environment
@@ -266,35 +265,44 @@ var MiddlewareConfig = class {
   static getProtocol() {
     return process.env.NODE_ENV === "production" ? "https" : "http";
   }
-  /**
-   * Get the dashboard subdomain URL
-   */
-  static getDashboardUrl(path = "") {
-    return `${this.getProtocol()}://${this.SUBDOMAINS.DASHBOARD}.${this.getBaseDomain()}${path}`;
-  }
 };
-// Subdomain configuration
-MiddlewareConfig.SUBDOMAINS = {
-  DASHBOARD: "dashboard"
-};
-// Routes
-MiddlewareConfig.ROUTES = {
-  ROOT: "/",
-  LOGIN: "/login"
+// Common constants
+_MiddlewareConfig.CONSTANTS = {
+  LOGIN_PATH: "/login",
+  DASHBOARD_SUBDOMAIN: "dashboard",
+  PUBLIC_PATH: "/public",
+  PUBLIC_API_PATH: "/api/public"
+};
+// Route Protection Configuration
+// PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
+// PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+_MiddlewareConfig.PROTECTED_ROUTES = {
+  // Routes that MUST be protected
+  INCLUDE: [
+    "/"
+    // Protect everything by default (since dashboard.cutly.io/ is the root)
+  ],
+  // Routes that should NEVER be protected (public)
+  EXCLUDE: [
+    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
+    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
+    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH
+  ]
 };
 // HTTP methods to process
-MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-MiddlewareConfig.QUERY_PARAMS = {
+_MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-MiddlewareConfig.QUERY_VALUES = {
+_MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
+var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -406,19 +414,55 @@ function init(converter, defaultAttributes) {
 }
 var api = init(defaultConverter, { path: "/" });
 
+// src/services/utils/url-utils.ts
+var UrlUtils = class {
+  /**
+   * Extract subdomain from hostname
+   * Example: "dashboard.cutly.io" -> "dashboard"
+   */
+  static getSubdomain(hostname) {
+    if (!hostname || /^\d{1,3}(\.\d{1,3}){3}/.test(hostname) || hostname.startsWith(MiddlewareConfig.getBaseDomain())) {
+      return null;
+    }
+    const parts = hostname.split(".");
+    return parts.length >= 2 ? parts[0] : null;
+  }
+  /**
+   * Get root domain for cookie scope
+   * Example: "dashboard.cutly.io" -> ".cutly.io"
+   * Example: "cutly.io" -> ".cutly.io"
+   */
+  static getRootDomain(hostname) {
+    if (!hostname || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+      return null;
+    }
+    const parts = hostname.split(".");
+    if (parts.length >= 2) {
+      return `.${parts.slice(-2).join(".")}`;
+    }
+    return null;
+  }
+  /**
+   * Check if URL has auth-related query parameters
+   */
+  static hasAuthParams(url) {
+    return url.includes(MiddlewareConfig.QUERY_PARAMS.AUTH_CHECKED);
+  }
+};
+
 // src/services/utils/cookie-utils.ts
 var _CookieUtils = class _CookieUtils {
   /**
-   * Get the access token cookie key from environment variables
+   * Get the access token cookie key
    */
   static getAccessTokenKey() {
-    return process.env.AUTH_ACCESS_TOKEN_KEY || "auth_access_token";
+    return "auth_access_token";
   }
   /**
-   * Get the refresh token cookie key from environment variables
+   * Get the refresh token cookie key
    */
   static getRefreshTokenKey() {
-    return process.env.AUTH_REFRESH_TOKEN_KEY || "auth_refresh_token";
+    return "auth_refresh_token";
   }
   /**
    * Get root domain for subdomain support
@@ -426,26 +470,10 @@ var _CookieUtils = class _CookieUtils {
    */
   static getRootDomain() {
     if (typeof window === "undefined") {
-      const baseDomain = process.env.NEXT_PUBLIC_BASE_DOMAIN;
-      if (baseDomain && process.env.NODE_ENV === "production") {
-        return `.${baseDomain}`;
-      }
-      return void 0;
-    }
-    const hostname = window.location.hostname;
-    if (hostname === "localhost" || hostname === "127.0.0.1") {
-      return void 0;
-    }
-    if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
       return void 0;
     }
-    const parts = hostname.split(".");
-    if (parts.length >= 2) {
-      return `.${parts.slice(-2).join(".")}`;
-    }
-    return void 0;
+    return UrlUtils.getRootDomain(window.location.hostname) || void 0;
   }
-  // Use current domain in development
   /**
    * Get common cookie options
    */
@@ -644,7 +672,7 @@ var _CookieUtils = class _CookieUtils {
   }
 };
 // Domain configuration - computed once
-_CookieUtils.COOKIE_DOMAIN = process.env.NODE_ENV === "production" ? _CookieUtils.getRootDomain() : void 0;
+_CookieUtils.COOKIE_DOMAIN = _CookieUtils.getRootDomain();
 var CookieUtils = _CookieUtils;
 
 // src/services/utils/localstorage-utils.ts
@@ -782,33 +810,6 @@ var BroadcastChannelEventBus = class _BroadcastChannelEventBus {
   }
 };
 
-// src/services/utils/url-utils.ts
-var UrlUtils = class {
-  /**
-   * Extract subdomain from hostname or URL
-   * Example: "dashboard.cutly.io" -> "dashboard"
-   * Example: "dashboard.localhost" -> "dashboard"
-   */
-  static getSubdomain(url) {
-    try {
-      const domain = new URL(`http://${url}`).hostname;
-      const parts = domain.split(".");
-      if (parts.length < 2 || domain === "localhost" || /^\d{1,3}(\.\d{1,3}){3}/.test(domain) || domain.startsWith(MiddlewareConfig.getBaseDomain())) {
-        return null;
-      }
-      return parts[0] || null;
-    } catch (e) {
-      return null;
-    }
-  }
-  /**
-   * Check if URL has auth-related query parameters
-   */
-  static hasAuthParams(url) {
-    return url.includes(MiddlewareConfig.QUERY_PARAMS.AUTH_CHECKED);
-  }
-};
-
 // src/services/utils/cross-tab-behavior-handler.ts
 var CrossTabBehaviorHandler = class {
   /**
@@ -821,8 +822,8 @@ var CrossTabBehaviorHandler = class {
       const pathname = window.location.pathname;
       const subdomain = UrlUtils.getSubdomain(window.location.hostname);
       const pageTypeMatchers = {
-        ["login" /* LOGIN */]: pathname === MiddlewareConfig.ROUTES.LOGIN,
-        ["dashboard" /* DASHBOARD */]: subdomain === MiddlewareConfig.SUBDOMAINS.DASHBOARD
+        ["/login" /* LOGIN */]: pathname === MiddlewareConfig.CONSTANTS.LOGIN_PATH,
+        ["dashboard" /* DASHBOARD */]: subdomain === MiddlewareConfig.CONSTANTS.DASHBOARD_SUBDOMAIN
       };
       const matchedPageType = (_a = Object.entries(pageTypeMatchers).find(([, matches]) => matches)) == null ? void 0 : _a[0];
       return matchedPageType != null ? matchedPageType : "dashboard" /* DASHBOARD */;
@@ -837,14 +838,6 @@ var CrossTabBehaviorHandler = class {
     var _a, _b;
     return (_b = (_a = CrossTabBehaviorConfig[currentPageType]) == null ? void 0 : _a[eventType]) != null ? _b : { action: "none" /* NONE */ };
   }
-  /**
-   * Check if current route requires redirect for given event
-   * Returns PageType to redirect to, or null if no redirect needed
-   */
-  static shouldRedirect(currentPageType, eventType) {
-    const action = this.getAction(currentPageType, eventType);
-    return action.action === "redirect" /* REDIRECT */ ? action.target : null;
-  }
 };
 
 // src/services/auth/manager/token-manager.ts
@@ -2376,23 +2369,8 @@ var useAuthEventBus = ({ onLoggedOut, onLoggedIn } = {}) => {
       const handler = eventHandlers[e.type];
       const action = CrossTabBehaviorHandler.getAction(currentPageType, e.type);
       const actionHandlers = {
-        ["redirect" /* REDIRECT */]: () => {
-          const target = CrossTabBehaviorHandler.shouldRedirect(currentPageType, e.type);
-          if (target) {
-            window.location.replace(target);
-          }
-        },
-        ["current" /* CURRENT */]: () => {
-          const isAuthAction = e.type === "auth.logged_in" /* LoggedIn */ || e.type === "auth.logged_out" /* LoggedOut */;
-          const hasParams = UrlUtils.hasAuthParams(window.location.href);
-          if (isAuthAction || !hasParams) {
-            window.location.reload();
-          }
-        },
-        ["modal" /* MODAL */]: () => {
-          if (e.type === "auth.logged_in" /* LoggedIn */) {
-            window.location.replace(window.location.href);
-          }
+        ["reload" /* RELOAD */]: () => {
+          window.location.replace(window.location.href);
         },
         ["none" /* NONE */]: () => {
         }

package/dist/middleware.mjs

@@ -22,12 +22,12 @@ var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
 import { NextResponse } from "next/server";
 
 // src/config/middleware.ts
-var MiddlewareConfig = class {
+var _MiddlewareConfig = class _MiddlewareConfig {
   /**
    * Get the base domain from environment or use default
    */
   static getBaseDomain() {
-    return process.env.NEXT_PUBLIC_BASE_DOMAIN || "cutly.io";
+    return process.env.NEXT_PUBLIC_BASE_DOMAIN;
   }
   /**
    * Get the protocol based on environment
@@ -35,35 +35,44 @@ var MiddlewareConfig = class {
   static getProtocol() {
     return process.env.NODE_ENV === "production" ? "https" : "http";
   }
-  /**
-   * Get the dashboard subdomain URL
-   */
-  static getDashboardUrl(path = "") {
-    return `${this.getProtocol()}://${this.SUBDOMAINS.DASHBOARD}.${this.getBaseDomain()}${path}`;
-  }
 };
-// Subdomain configuration
-MiddlewareConfig.SUBDOMAINS = {
-  DASHBOARD: "dashboard"
+// Common constants
+_MiddlewareConfig.CONSTANTS = {
+  LOGIN_PATH: "/login",
+  DASHBOARD_SUBDOMAIN: "dashboard",
+  PUBLIC_PATH: "/public",
+  PUBLIC_API_PATH: "/api/public"
 };
-// Routes
-MiddlewareConfig.ROUTES = {
-  ROOT: "/",
-  LOGIN: "/login"
+// Route Protection Configuration
+// PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
+// PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+_MiddlewareConfig.PROTECTED_ROUTES = {
+  // Routes that MUST be protected
+  INCLUDE: [
+    "/"
+    // Protect everything by default (since dashboard.cutly.io/ is the root)
+  ],
+  // Routes that should NEVER be protected (public)
+  EXCLUDE: [
+    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
+    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
+    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH
+  ]
 };
 // HTTP methods to process
-MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-MiddlewareConfig.QUERY_PARAMS = {
+_MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-MiddlewareConfig.QUERY_VALUES = {
+_MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
+var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -73,18 +82,56 @@ var config = {
 
 // src/services/utils/cookie-utils.ts
 import Cookies from "js-cookie";
+
+// src/services/utils/url-utils.ts
+var UrlUtils = class {
+  /**
+   * Extract subdomain from hostname
+   * Example: "dashboard.cutly.io" -> "dashboard"
+   */
+  static getSubdomain(hostname) {
+    if (!hostname || /^\d{1,3}(\.\d{1,3}){3}/.test(hostname) || hostname.startsWith(MiddlewareConfig.getBaseDomain())) {
+      return null;
+    }
+    const parts = hostname.split(".");
+    return parts.length >= 2 ? parts[0] : null;
+  }
+  /**
+   * Get root domain for cookie scope
+   * Example: "dashboard.cutly.io" -> ".cutly.io"
+   * Example: "cutly.io" -> ".cutly.io"
+   */
+  static getRootDomain(hostname) {
+    if (!hostname || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+      return null;
+    }
+    const parts = hostname.split(".");
+    if (parts.length >= 2) {
+      return `.${parts.slice(-2).join(".")}`;
+    }
+    return null;
+  }
+  /**
+   * Check if URL has auth-related query parameters
+   */
+  static hasAuthParams(url) {
+    return url.includes(MiddlewareConfig.QUERY_PARAMS.AUTH_CHECKED);
+  }
+};
+
+// src/services/utils/cookie-utils.ts
 var _CookieUtils = class _CookieUtils {
   /**
-   * Get the access token cookie key from environment variables
+   * Get the access token cookie key
    */
   static getAccessTokenKey() {
-    return process.env.AUTH_ACCESS_TOKEN_KEY || "auth_access_token";
+    return "auth_access_token";
   }
   /**
-   * Get the refresh token cookie key from environment variables
+   * Get the refresh token cookie key
    */
   static getRefreshTokenKey() {
-    return process.env.AUTH_REFRESH_TOKEN_KEY || "auth_refresh_token";
+    return "auth_refresh_token";
   }
   /**
    * Get root domain for subdomain support
@@ -92,26 +139,10 @@ var _CookieUtils = class _CookieUtils {
    */
   static getRootDomain() {
     if (typeof window === "undefined") {
-      const baseDomain = process.env.NEXT_PUBLIC_BASE_DOMAIN;
-      if (baseDomain && process.env.NODE_ENV === "production") {
-        return `.${baseDomain}`;
-      }
       return void 0;
     }
-    const hostname = window.location.hostname;
-    if (hostname === "localhost" || hostname === "127.0.0.1") {
-      return void 0;
-    }
-    if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
-      return void 0;
-    }
-    const parts = hostname.split(".");
-    if (parts.length >= 2) {
-      return `.${parts.slice(-2).join(".")}`;
-    }
-    return void 0;
+    return UrlUtils.getRootDomain(window.location.hostname) || void 0;
   }
-  // Use current domain in development
   /**
    * Get common cookie options
    */
@@ -310,7 +341,7 @@ var _CookieUtils = class _CookieUtils {
   }
 };
 // Domain configuration - computed once
-_CookieUtils.COOKIE_DOMAIN = process.env.NODE_ENV === "production" ? _CookieUtils.getRootDomain() : void 0;
+_CookieUtils.COOKIE_DOMAIN = _CookieUtils.getRootDomain();
 var CookieUtils = _CookieUtils;
 
 // src/services/utils/localstorage-utils.ts
@@ -394,32 +425,33 @@ LocalStorageUtils.USER_PROFILE_STORAGE_KEY = "user_profile_data";
 LocalStorageUtils.USER_PROFILE_TIMESTAMP_KEY = "user_profile_timestamp";
 LocalStorageUtils.DEFAULT_CACHE_DURATION = 5 * 60 * 1e3;
 
-// src/services/utils/url-utils.ts
-var UrlUtils = class {
-  /**
-   * Extract subdomain from hostname or URL
-   * Example: "dashboard.cutly.io" -> "dashboard"
-   * Example: "dashboard.localhost" -> "dashboard"
-   */
-  static getSubdomain(url) {
-    try {
-      const domain = new URL(`http://${url}`).hostname;
-      const parts = domain.split(".");
-      if (parts.length < 2 || domain === "localhost" || /^\d{1,3}(\.\d{1,3}){3}/.test(domain) || domain.startsWith(MiddlewareConfig.getBaseDomain())) {
-        return null;
-      }
-      return parts[0] || null;
-    } catch (e) {
-      return null;
-    }
-  }
-  /**
-   * Check if URL has auth-related query parameters
-   */
-  static hasAuthParams(url) {
-    return url.includes(MiddlewareConfig.QUERY_PARAMS.AUTH_CHECKED);
-  }
+// src/config/auth-steps.tsx
+import React2 from "react";
+import {
+  MailOutlined,
+  LockOutlined,
+  CheckCircleOutlined
+} from "@ant-design/icons";
+
+// src/config/step-navigation.ts
+var EMAIL_SUBMISSION_NAVIGATION = {
+  ["login-verification" /* LOGIN_VERIFICATION */]: "verification" /* VERIFICATION */,
+  ["login" /* LOGIN */]: "password" /* PASSWORD */,
+  ["signup" /* SIGNUP */]: "password" /* PASSWORD */
+};
+var PASSWORD_SUBMISSION_NAVIGATION = {
+  VERIFIED: "verification" /* VERIFICATION */,
+  UNVERIFIED: "verification" /* VERIFICATION */
 };
+var VERIFICATION_SUBMISSION_NAVIGATION = {
+  SUCCESS: "verification" /* VERIFICATION */,
+  ERROR: "verification" /* VERIFICATION */
+  // Stay on verification step on error
+};
+
+// src/config/form-fields.tsx
+import { Input } from "antd";
+import { MailOutlined as MailOutlined2, LockOutlined as LockOutlined2, CheckCircleOutlined as CheckCircleOutlined2 } from "@ant-design/icons";
 
 // src/services/api/endpoints.ts
 var AUTH_ENDPOINTS = {
@@ -633,10 +665,19 @@ AuthenticationStatusContext.states = /* @__PURE__ */ new Map([
 // src/middlewares/handlers/base-middleware-handler.ts
 var BaseMiddlewareHandler = class {
   /**
-   * Check if current request is on dashboard subdomain
+   * Check if current route requires authentication
+   * Uses inclusive (PROTECTED_ROUTES.INCLUDE) and exclusive (PROTECTED_ROUTES.EXCLUDE) lists
    */
-  isDashboardSubdomain(hostname) {
-    return UrlUtils.getSubdomain(hostname) === MiddlewareConfig.SUBDOMAINS.DASHBOARD;
+  requiresAuthentication(pathname) {
+    const isExcluded = MiddlewareConfig.PROTECTED_ROUTES.EXCLUDE.some(
+      (route) => pathname.startsWith(route) || pathname === route
+    );
+    if (isExcluded) {
+      return false;
+    }
+    return MiddlewareConfig.PROTECTED_ROUTES.INCLUDE.some(
+      (route) => pathname.startsWith(route) || pathname === route
+    );
   }
   /**
    * Check if user has both access and refresh tokens
@@ -647,11 +688,12 @@ var BaseMiddlewareHandler = class {
   }
   /**
    * Get authentication cookie keys from environment variables
+   * Now uses CookieUtils for consistent retrieval
    */
   getAuthCookieKeys() {
     return {
-      accessTokenKey: process.env.AUTH_ACCESS_TOKEN_KEY || "",
-      refreshTokenKey: process.env.AUTH_REFRESH_TOKEN_KEY || ""
+      accessTokenKey: CookieUtils.getAccessTokenKey(),
+      refreshTokenKey: CookieUtils.getRefreshTokenKey()
     };
   }
   /**
@@ -752,8 +794,8 @@ var MethodFilterHandler = class extends BaseMiddlewareHandler {
 // src/middlewares/handlers/authentication-handler.ts
 var AuthenticationHandler = class extends BaseMiddlewareHandler {
   async handle(context) {
-    const { cookies, hostname } = context;
-    if (!this.isDashboardSubdomain(hostname)) {
+    const { cookies, pathname } = context;
+    if (!this.requiresAuthentication(pathname)) {
       return this.continue();
     }
     const hasAuthCookies = this.hasAuthenticationCookies(cookies);

package/dist/utils/cookie-utils.d.mts

@@ -0,0 +1,86 @@
+/**
+ * Cookie utility for managing authentication tokens with automatic SSR and client-side support
+ * Automatically chooses the right method based on environment
+ */
+declare class CookieUtils {
+    /**
+     * Get the access token cookie key
+     */
+    static getAccessTokenKey(): string;
+    /**
+     * Get the refresh token cookie key
+     */
+    static getRefreshTokenKey(): string;
+    /**
+     * Get root domain for subdomain support
+     * Must match the domain used by backend when setting cookies
+     */
+    private static getRootDomain;
+    private static readonly COOKIE_DOMAIN;
+    /**
+     * Get common cookie options
+     */
+    private static getCookieOptions;
+    /**
+     * Check if running on client side
+     */
+    private static isClientSide;
+    /**
+     * Check if running on server side
+     */
+    private static isServerSide;
+    /**
+     * Dynamically import server action for server-side operations
+     */
+    private static getServerTokens;
+    /**
+     * Set access token in cookie (client-side only)
+     */
+    static setAccessToken(token: string): void;
+    /**
+     * Set refresh token in cookie (client-side only)
+     */
+    static setRefreshToken(token: string): void;
+    /**
+     * Get access token - automatically handles client/server side
+     */
+    static getAccessToken(): Promise<string | null>;
+    /**
+     * Get refresh token - automatically handles client/server side
+     */
+    static getRefreshToken(): Promise<string | null>;
+    /**
+     * Get both tokens - automatically handles client/server side
+     */
+    static getTokens(): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
+    }>;
+    /**
+     * Clear all authentication cookies (client-side only)
+     * Clears cookies from both current domain and root domain
+     */
+    static clearAuthCookies(): void;
+    /**
+     * Check if cookies are supported/enabled (client-side only)
+     */
+    static areCookiesEnabled(): boolean;
+    /**
+     * Get all authentication cookies - automatically handles client/server side
+     */
+    static getAllAuthCookies(): Promise<Record<string, string>>;
+    /**
+     * Set multiple tokens at once (client-side only)
+     */
+    static setTokens(accessToken: string, refreshToken: string): void;
+    /**
+     * Check if user has valid tokens - automatically handles client/server side
+     */
+    static hasValidTokens(): Promise<boolean>;
+    /**
+     * Get current domain information for debugging
+     */
+    static getDomainInfo(): Record<string, string>;
+}
+
+export { CookieUtils };