mailsentry-auth 0.2.6 → 0.2.7

package/dist/index.d.mts

@@ -1405,22 +1405,38 @@ declare const getForgotPasswordField: (options?: ButtonProps) => BaseFormField;
 /**
  * Middleware configuration constants for routing and protection
  */
+interface ProtectionRule {
+    hostPattern: string | null;
+    pathPattern: string;
+}
 declare class MiddlewareConfig {
     static readonly CONSTANTS: {
         readonly LOGIN_PATH: "/login";
         readonly DASHBOARD_SUBDOMAIN: "dashboard";
-        readonly PUBLIC_PATH: "/public";
-        readonly PUBLIC_API_PATH: "/api/public";
     };
     /**
-     * Get public routes whitelist from environment variable
-     * Expected format: comma-separated paths like "/public,/links/new,/about"
+     * Get dynamic protection rules from environment variable
+     * Format: "host:path" or "path"
      */
-    static getPublicRoutesWhitelist(): string[];
-    static readonly PROTECTED_ROUTES: {
-        INCLUDE: string[];
-        EXCLUDE: string[];
-    };
+    static getProtectedRules(): ProtectionRule[];
+    /**
+     * Get public routes whitelist (Exclusions)
+     * Format: "host:path" or "path"
+     */
+    static getWhitelistRules(): ProtectionRule[];
+    /**
+     * Get guest-only routes (redirects authenticated users away)
+     * Format: "host:path" or "path"
+     */
+    static getGuestOnlyRules(): ProtectionRule[];
+    /**
+     * Generic parser for environment variables containing rule lists
+     */
+    private static parseRules;
+    /**
+     * Parse a single rule string into a ProtectionRule object
+     */
+    private static parseSingleRule;
     static readonly ALLOWED_METHODS: readonly ["GET", "HEAD"];
     static readonly QUERY_PARAMS: {
         readonly LOGIN_REQUIRED: "sign_in_required";
@@ -1442,12 +1458,9 @@ declare class MiddlewareConfig {
 }
 /**
  * Middleware matcher patterns
- * Matches all routes except API routes, Next.js internals, and static assets
+ * Already excludes /api routes and static files automatically
  */
 declare const middlewareMatcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
-/**
- * Middleware configuration
- */
 declare const config: {
     matcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
 };
@@ -1768,4 +1781,4 @@ declare const useAuthFlowModal: () => {
     openModal: () => void;
 };
 
-export { AUTH_ENDPOINTS, AlertDisplay, type AlertDisplayProps, type AnyStepProps, type ApiErrorResponse, type ApiKeyConfig, type AuthActionCallbacks, type AuthActionOptions, type AuthActionResult, type AuthActionResultFailure, type AuthActionResultSuccess, type AuthActionState, type AuthEvent, AuthEventType, AuthFlowContainer, type AuthFlowContainerProps, AuthFlowModal, type AuthFlowModalProps, type AuthFlowProps, AuthFlowStep, AuthFlowVariant, AuthInitializer, AuthOrchestrator, AuthOrchestratorFactory, AuthResultFactory, AuthService, type AuthState, AuthenticatedState, type AuthenticatedStateProps, AuthenticationStatusContext, type BaseComponentProps, BaseErrorHandler, BaseEventBus, BaseForm, type BaseFormField, type BaseFormProps, type BaseResponse, BaseService, type BaseStepProps, BroadcastChannelEventBus, Channel, CookieUtils, CrossTabBehaviorConfig, CrossTabBehaviorHandler, CrossTabDemo, DevelopmentLogger, EMAIL_SUBMISSION_NAVIGATION, type EmailCheckResult, type EmailExistResponse, type EmailProviderConfig, EmailProviderUtils, EmailStep, type EmailStepProps, EndpointBuilder, type EventBus, ExistingUserLoginStrategy, type ForgotPasswordStepProps, FormFields, type FormFieldsProps, FormHeader, type FormHeaderProps, GenericErrorHandler, HttpClient, type HttpClientConfig, type HttpError, HttpMethod, type HttpRequestOptions, type HttpResponse, type IAuthOrchestrator, type IAuthService, type IAuthStatusState, type ICleanupStrategy, type IErrorHandler, type ILogger, type ILoginFlowStrategy, type ITokenManager, LocalStorageUtils, LoggerFactory, type LoginData, LoginFlowStrategyFactory, type LoginRequest, type LoginResponse, LoginStrategyResolver, LoginVerificationStrategy, MiddlewareConfig, type MiddlewareContext, type MiddlewareHandler, NavigationAction, NetworkErrorHandler, NextAction, PASSWORD_SUBMISSION_NAVIGATION, PageType, PageTypePatterns, PasswordInputWithStrength, type PasswordInputWithStrengthProps, PasswordStep, type PasswordStepProps, type PasswordStrengthRule, ProductionLogger, ProfileStateRenderer, ProfileUIState, type PropsFactory, type PublicUserProfile, type PublicUserProfileResponse, RoleType, SignupFlowStrategy, type Step, type StepComponent, type StepComponentRetriever, type StepConfig, type StepPropsFactoryRegistry, type StepRegistry, type StepRegistryBaseProps, type StepRegistryConfigs, type StepRegistryHandlers, type StepRegistryParams, type StepRegistryState, type StepperActions, type StepperState$1 as StepperState, StrategyResolutionMode, type StrengthResult, type Subscription, TokenManager, UnauthenticatedState, UrlCleanupHandler, UrlUtils, type UseAuthActionHandler, type UseAuthEventBusProps, type UseFormSubmissionProps, type UseStepRegistryParams, type UseStepperReturn, type UserProfile, type UserProfileResponse, type UserSession, type UserState, UserStorageManager, type UserStoreState, VERIFICATION_SUBMISSION_NAVIGATION, ValidationErrorHandler, VerificationStep, type VerificationStepProps, type VerifyEmailRequest, type VerifyEmailResponse, config, createAuthSteps, createPropsFactoryRegistry, createStepRegistry, getAuthPageStepMessage, getEmailField, getForgotPasswordField, getPasswordField, getStepForEmailSubmission, getStepForPasswordSubmission, getStepForVerificationSubmission, getStepProgressMessage, getTermsCheckboxField, getVerificationField, isPublicUser, isPublicUserEmail, middlewareMatcher, useAuth, useAuthActionHandler, useAuthEventBus, useAuthFlowModal, useAuthInitializer, useIsAuthenticated, useLogout, usePublicUserSession, useRefreshUser, useSharedEventBus, useSignInRequiredParams, useStepRegistry, useStepRenderer, useStepper, useUser, useUserActions, useUserData, useUserError, useUserLoading, useUserProfile, useUserSelectors, useUserStore, userSelectors };
+export { AUTH_ENDPOINTS, AlertDisplay, type AlertDisplayProps, type AnyStepProps, type ApiErrorResponse, type ApiKeyConfig, type AuthActionCallbacks, type AuthActionOptions, type AuthActionResult, type AuthActionResultFailure, type AuthActionResultSuccess, type AuthActionState, type AuthEvent, AuthEventType, AuthFlowContainer, type AuthFlowContainerProps, AuthFlowModal, type AuthFlowModalProps, type AuthFlowProps, AuthFlowStep, AuthFlowVariant, AuthInitializer, AuthOrchestrator, AuthOrchestratorFactory, AuthResultFactory, AuthService, type AuthState, AuthenticatedState, type AuthenticatedStateProps, AuthenticationStatusContext, type BaseComponentProps, BaseErrorHandler, BaseEventBus, BaseForm, type BaseFormField, type BaseFormProps, type BaseResponse, BaseService, type BaseStepProps, BroadcastChannelEventBus, Channel, CookieUtils, CrossTabBehaviorConfig, CrossTabBehaviorHandler, CrossTabDemo, DevelopmentLogger, EMAIL_SUBMISSION_NAVIGATION, type EmailCheckResult, type EmailExistResponse, type EmailProviderConfig, EmailProviderUtils, EmailStep, type EmailStepProps, EndpointBuilder, type EventBus, ExistingUserLoginStrategy, type ForgotPasswordStepProps, FormFields, type FormFieldsProps, FormHeader, type FormHeaderProps, GenericErrorHandler, HttpClient, type HttpClientConfig, type HttpError, HttpMethod, type HttpRequestOptions, type HttpResponse, type IAuthOrchestrator, type IAuthService, type IAuthStatusState, type ICleanupStrategy, type IErrorHandler, type ILogger, type ILoginFlowStrategy, type ITokenManager, LocalStorageUtils, LoggerFactory, type LoginData, LoginFlowStrategyFactory, type LoginRequest, type LoginResponse, LoginStrategyResolver, LoginVerificationStrategy, MiddlewareConfig, type MiddlewareContext, type MiddlewareHandler, NavigationAction, NetworkErrorHandler, NextAction, PASSWORD_SUBMISSION_NAVIGATION, PageType, PageTypePatterns, PasswordInputWithStrength, type PasswordInputWithStrengthProps, PasswordStep, type PasswordStepProps, type PasswordStrengthRule, ProductionLogger, ProfileStateRenderer, ProfileUIState, type PropsFactory, type ProtectionRule, type PublicUserProfile, type PublicUserProfileResponse, RoleType, SignupFlowStrategy, type Step, type StepComponent, type StepComponentRetriever, type StepConfig, type StepPropsFactoryRegistry, type StepRegistry, type StepRegistryBaseProps, type StepRegistryConfigs, type StepRegistryHandlers, type StepRegistryParams, type StepRegistryState, type StepperActions, type StepperState$1 as StepperState, StrategyResolutionMode, type StrengthResult, type Subscription, TokenManager, UnauthenticatedState, UrlCleanupHandler, UrlUtils, type UseAuthActionHandler, type UseAuthEventBusProps, type UseFormSubmissionProps, type UseStepRegistryParams, type UseStepperReturn, type UserProfile, type UserProfileResponse, type UserSession, type UserState, UserStorageManager, type UserStoreState, VERIFICATION_SUBMISSION_NAVIGATION, ValidationErrorHandler, VerificationStep, type VerificationStepProps, type VerifyEmailRequest, type VerifyEmailResponse, config, createAuthSteps, createPropsFactoryRegistry, createStepRegistry, getAuthPageStepMessage, getEmailField, getForgotPasswordField, getPasswordField, getStepForEmailSubmission, getStepForPasswordSubmission, getStepForVerificationSubmission, getStepProgressMessage, getTermsCheckboxField, getVerificationField, isPublicUser, isPublicUserEmail, middlewareMatcher, useAuth, useAuthActionHandler, useAuthEventBus, useAuthFlowModal, useAuthInitializer, useIsAuthenticated, useLogout, usePublicUserSession, useRefreshUser, useSharedEventBus, useSignInRequiredParams, useStepRegistry, useStepRenderer, useStepper, useUser, useUserActions, useUserData, useUserError, useUserLoading, useUserProfile, useUserSelectors, useUserStore, userSelectors };

package/dist/index.d.ts

@@ -1405,22 +1405,38 @@ declare const getForgotPasswordField: (options?: ButtonProps) => BaseFormField;
 /**
  * Middleware configuration constants for routing and protection
  */
+interface ProtectionRule {
+    hostPattern: string | null;
+    pathPattern: string;
+}
 declare class MiddlewareConfig {
     static readonly CONSTANTS: {
         readonly LOGIN_PATH: "/login";
         readonly DASHBOARD_SUBDOMAIN: "dashboard";
-        readonly PUBLIC_PATH: "/public";
-        readonly PUBLIC_API_PATH: "/api/public";
     };
     /**
-     * Get public routes whitelist from environment variable
-     * Expected format: comma-separated paths like "/public,/links/new,/about"
+     * Get dynamic protection rules from environment variable
+     * Format: "host:path" or "path"
      */
-    static getPublicRoutesWhitelist(): string[];
-    static readonly PROTECTED_ROUTES: {
-        INCLUDE: string[];
-        EXCLUDE: string[];
-    };
+    static getProtectedRules(): ProtectionRule[];
+    /**
+     * Get public routes whitelist (Exclusions)
+     * Format: "host:path" or "path"
+     */
+    static getWhitelistRules(): ProtectionRule[];
+    /**
+     * Get guest-only routes (redirects authenticated users away)
+     * Format: "host:path" or "path"
+     */
+    static getGuestOnlyRules(): ProtectionRule[];
+    /**
+     * Generic parser for environment variables containing rule lists
+     */
+    private static parseRules;
+    /**
+     * Parse a single rule string into a ProtectionRule object
+     */
+    private static parseSingleRule;
     static readonly ALLOWED_METHODS: readonly ["GET", "HEAD"];
     static readonly QUERY_PARAMS: {
         readonly LOGIN_REQUIRED: "sign_in_required";
@@ -1442,12 +1458,9 @@ declare class MiddlewareConfig {
 }
 /**
  * Middleware matcher patterns
- * Matches all routes except API routes, Next.js internals, and static assets
+ * Already excludes /api routes and static files automatically
  */
 declare const middlewareMatcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
-/**
- * Middleware configuration
- */
 declare const config: {
     matcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
 };
@@ -1768,4 +1781,4 @@ declare const useAuthFlowModal: () => {
     openModal: () => void;
 };
 
-export { AUTH_ENDPOINTS, AlertDisplay, type AlertDisplayProps, type AnyStepProps, type ApiErrorResponse, type ApiKeyConfig, type AuthActionCallbacks, type AuthActionOptions, type AuthActionResult, type AuthActionResultFailure, type AuthActionResultSuccess, type AuthActionState, type AuthEvent, AuthEventType, AuthFlowContainer, type AuthFlowContainerProps, AuthFlowModal, type AuthFlowModalProps, type AuthFlowProps, AuthFlowStep, AuthFlowVariant, AuthInitializer, AuthOrchestrator, AuthOrchestratorFactory, AuthResultFactory, AuthService, type AuthState, AuthenticatedState, type AuthenticatedStateProps, AuthenticationStatusContext, type BaseComponentProps, BaseErrorHandler, BaseEventBus, BaseForm, type BaseFormField, type BaseFormProps, type BaseResponse, BaseService, type BaseStepProps, BroadcastChannelEventBus, Channel, CookieUtils, CrossTabBehaviorConfig, CrossTabBehaviorHandler, CrossTabDemo, DevelopmentLogger, EMAIL_SUBMISSION_NAVIGATION, type EmailCheckResult, type EmailExistResponse, type EmailProviderConfig, EmailProviderUtils, EmailStep, type EmailStepProps, EndpointBuilder, type EventBus, ExistingUserLoginStrategy, type ForgotPasswordStepProps, FormFields, type FormFieldsProps, FormHeader, type FormHeaderProps, GenericErrorHandler, HttpClient, type HttpClientConfig, type HttpError, HttpMethod, type HttpRequestOptions, type HttpResponse, type IAuthOrchestrator, type IAuthService, type IAuthStatusState, type ICleanupStrategy, type IErrorHandler, type ILogger, type ILoginFlowStrategy, type ITokenManager, LocalStorageUtils, LoggerFactory, type LoginData, LoginFlowStrategyFactory, type LoginRequest, type LoginResponse, LoginStrategyResolver, LoginVerificationStrategy, MiddlewareConfig, type MiddlewareContext, type MiddlewareHandler, NavigationAction, NetworkErrorHandler, NextAction, PASSWORD_SUBMISSION_NAVIGATION, PageType, PageTypePatterns, PasswordInputWithStrength, type PasswordInputWithStrengthProps, PasswordStep, type PasswordStepProps, type PasswordStrengthRule, ProductionLogger, ProfileStateRenderer, ProfileUIState, type PropsFactory, type PublicUserProfile, type PublicUserProfileResponse, RoleType, SignupFlowStrategy, type Step, type StepComponent, type StepComponentRetriever, type StepConfig, type StepPropsFactoryRegistry, type StepRegistry, type StepRegistryBaseProps, type StepRegistryConfigs, type StepRegistryHandlers, type StepRegistryParams, type StepRegistryState, type StepperActions, type StepperState$1 as StepperState, StrategyResolutionMode, type StrengthResult, type Subscription, TokenManager, UnauthenticatedState, UrlCleanupHandler, UrlUtils, type UseAuthActionHandler, type UseAuthEventBusProps, type UseFormSubmissionProps, type UseStepRegistryParams, type UseStepperReturn, type UserProfile, type UserProfileResponse, type UserSession, type UserState, UserStorageManager, type UserStoreState, VERIFICATION_SUBMISSION_NAVIGATION, ValidationErrorHandler, VerificationStep, type VerificationStepProps, type VerifyEmailRequest, type VerifyEmailResponse, config, createAuthSteps, createPropsFactoryRegistry, createStepRegistry, getAuthPageStepMessage, getEmailField, getForgotPasswordField, getPasswordField, getStepForEmailSubmission, getStepForPasswordSubmission, getStepForVerificationSubmission, getStepProgressMessage, getTermsCheckboxField, getVerificationField, isPublicUser, isPublicUserEmail, middlewareMatcher, useAuth, useAuthActionHandler, useAuthEventBus, useAuthFlowModal, useAuthInitializer, useIsAuthenticated, useLogout, usePublicUserSession, useRefreshUser, useSharedEventBus, useSignInRequiredParams, useStepRegistry, useStepRenderer, useStepper, useUser, useUserActions, useUserData, useUserError, useUserLoading, useUserProfile, useUserSelectors, useUserStore, userSelectors };
+export { AUTH_ENDPOINTS, AlertDisplay, type AlertDisplayProps, type AnyStepProps, type ApiErrorResponse, type ApiKeyConfig, type AuthActionCallbacks, type AuthActionOptions, type AuthActionResult, type AuthActionResultFailure, type AuthActionResultSuccess, type AuthActionState, type AuthEvent, AuthEventType, AuthFlowContainer, type AuthFlowContainerProps, AuthFlowModal, type AuthFlowModalProps, type AuthFlowProps, AuthFlowStep, AuthFlowVariant, AuthInitializer, AuthOrchestrator, AuthOrchestratorFactory, AuthResultFactory, AuthService, type AuthState, AuthenticatedState, type AuthenticatedStateProps, AuthenticationStatusContext, type BaseComponentProps, BaseErrorHandler, BaseEventBus, BaseForm, type BaseFormField, type BaseFormProps, type BaseResponse, BaseService, type BaseStepProps, BroadcastChannelEventBus, Channel, CookieUtils, CrossTabBehaviorConfig, CrossTabBehaviorHandler, CrossTabDemo, DevelopmentLogger, EMAIL_SUBMISSION_NAVIGATION, type EmailCheckResult, type EmailExistResponse, type EmailProviderConfig, EmailProviderUtils, EmailStep, type EmailStepProps, EndpointBuilder, type EventBus, ExistingUserLoginStrategy, type ForgotPasswordStepProps, FormFields, type FormFieldsProps, FormHeader, type FormHeaderProps, GenericErrorHandler, HttpClient, type HttpClientConfig, type HttpError, HttpMethod, type HttpRequestOptions, type HttpResponse, type IAuthOrchestrator, type IAuthService, type IAuthStatusState, type ICleanupStrategy, type IErrorHandler, type ILogger, type ILoginFlowStrategy, type ITokenManager, LocalStorageUtils, LoggerFactory, type LoginData, LoginFlowStrategyFactory, type LoginRequest, type LoginResponse, LoginStrategyResolver, LoginVerificationStrategy, MiddlewareConfig, type MiddlewareContext, type MiddlewareHandler, NavigationAction, NetworkErrorHandler, NextAction, PASSWORD_SUBMISSION_NAVIGATION, PageType, PageTypePatterns, PasswordInputWithStrength, type PasswordInputWithStrengthProps, PasswordStep, type PasswordStepProps, type PasswordStrengthRule, ProductionLogger, ProfileStateRenderer, ProfileUIState, type PropsFactory, type ProtectionRule, type PublicUserProfile, type PublicUserProfileResponse, RoleType, SignupFlowStrategy, type Step, type StepComponent, type StepComponentRetriever, type StepConfig, type StepPropsFactoryRegistry, type StepRegistry, type StepRegistryBaseProps, type StepRegistryConfigs, type StepRegistryHandlers, type StepRegistryParams, type StepRegistryState, type StepperActions, type StepperState$1 as StepperState, StrategyResolutionMode, type StrengthResult, type Subscription, TokenManager, UnauthenticatedState, UrlCleanupHandler, UrlUtils, type UseAuthActionHandler, type UseAuthEventBusProps, type UseFormSubmissionProps, type UseStepRegistryParams, type UseStepperReturn, type UserProfile, type UserProfileResponse, type UserSession, type UserState, UserStorageManager, type UserStoreState, VERIFICATION_SUBMISSION_NAVIGATION, ValidationErrorHandler, VerificationStep, type VerificationStepProps, type VerifyEmailRequest, type VerifyEmailResponse, config, createAuthSteps, createPropsFactoryRegistry, createStepRegistry, getAuthPageStepMessage, getEmailField, getForgotPasswordField, getPasswordField, getStepForEmailSubmission, getStepForPasswordSubmission, getStepForVerificationSubmission, getStepProgressMessage, getTermsCheckboxField, getVerificationField, isPublicUser, isPublicUserEmail, middlewareMatcher, useAuth, useAuthActionHandler, useAuthEventBus, useAuthFlowModal, useAuthInitializer, useIsAuthenticated, useLogout, usePublicUserSession, useRefreshUser, useSharedEventBus, useSignInRequiredParams, useStepRegistry, useStepRenderer, useStepper, useUser, useUserActions, useUserData, useUserError, useUserLoading, useUserProfile, useUserSelectors, useUserStore, userSelectors };

package/dist/index.js

@@ -1105,18 +1105,54 @@ function init(converter, defaultAttributes) {
 var api = init(defaultConverter, { path: "/" });
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -1132,41 +1168,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -3001,9 +3019,6 @@ var userSelectors = {
 // src/middlewares/handlers/base-middleware-handler.ts
 var _server = require('next/server');
 
-// src/middlewares/handlers/middleware-chain.ts
-
-
 // src/middlewares/utils/email-validator.ts
 var isPublicUserEmail = (email) => {
   if (!email || typeof email !== "string") return false;
@@ -3020,6 +3035,12 @@ var isPublicUserEmail = (email) => {
   return true;
 };
 
+// src/middlewares/handlers/authentication-handler.ts
+
+
+// src/middlewares/handlers/middleware-chain.ts
+
+
 // src/hooks/use-user.ts
 var useUser = () => {
   const userState = userSelectors.useUserState();

package/dist/index.mjs

@@ -1105,18 +1105,54 @@ function init(converter, defaultAttributes) {
 var api = init(defaultConverter, { path: "/" });
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -1132,41 +1168,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -3001,9 +3019,6 @@ var userSelectors = {
 // src/middlewares/handlers/base-middleware-handler.ts
 import { NextResponse } from "next/server";
 
-// src/middlewares/handlers/middleware-chain.ts
-import { NextResponse as NextResponse2 } from "next/server";
-
 // src/middlewares/utils/email-validator.ts
 var isPublicUserEmail = (email) => {
   if (!email || typeof email !== "string") return false;
@@ -3020,6 +3035,12 @@ var isPublicUserEmail = (email) => {
   return true;
 };
 
+// src/middlewares/handlers/authentication-handler.ts
+import { NextResponse as NextResponse2 } from "next/server";
+
+// src/middlewares/handlers/middleware-chain.ts
+import { NextResponse as NextResponse3 } from "next/server";
+
 // src/hooks/use-user.ts
 var useUser = () => {
   const userState = userSelectors.useUserState();

package/dist/middleware.d.mts

@@ -2,12 +2,9 @@ import { NextRequest, NextResponse } from 'next/server';
 
 /**
  * Middleware matcher patterns
- * Matches all routes except API routes, Next.js internals, and static assets
+ * Already excludes /api routes and static files automatically
  */
 declare const middlewareMatcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
-/**
- * Middleware configuration
- */
 declare const config: {
     matcher: readonly ["/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"];
 };
@@ -16,7 +13,7 @@ declare const config: {
  * Authentication middleware for subdomain-based routing
  * Chain order:
  * 1. MethodFilterHandler - filters HTTP methods (GET/HEAD only)
- * 2. AuthenticationHandler - validates JWT and adds login params if needed
+ * 2. AuthenticationHandler - handles guest-only redirection and auth protection
  */
 declare function middleware(req: NextRequest): Promise<NextResponse>;
 

package/dist/middleware.mjs

@@ -4,18 +4,54 @@ import Cookies from 'js-cookie';
 // src/middlewares/handlers/base-middleware-handler.ts
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -31,41 +67,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -350,23 +368,83 @@ var _CookieUtils = class _CookieUtils {
 _CookieUtils.COOKIE_DOMAIN = _CookieUtils.getRootDomain();
 var CookieUtils = _CookieUtils;
 
+// src/middlewares/utils/email-validator.ts
+var isPublicUserEmail = (email) => {
+  if (!email || typeof email !== "string") return false;
+  const parts = email.split("@");
+  if (parts.length !== 2) return false;
+  const localPart = parts[0];
+  const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+  const match = localPart.match(ipv4Pattern);
+  if (!match) return false;
+  for (let i = 1; i <= 4; i++) {
+    const octet = parseInt(match[i], 10);
+    if (octet < 0 || octet > 255) return false;
+  }
+  return true;
+};
+
 // src/middlewares/handlers/base-middleware-handler.ts
 var BaseMiddlewareHandler = class {
   /**
    * Check if current route requires authentication
-   * Uses inclusive (PROTECTED_ROUTES.INCLUDE) and exclusive (PROTECTED_ROUTES.EXCLUDE) lists
    */
-  requiresAuthentication(pathname) {
-    const isExcluded = MiddlewareConfig.PROTECTED_ROUTES.EXCLUDE.some(
-      (route) => pathname.startsWith(route) || pathname === route
-    );
-    if (isExcluded) {
+  requiresAuthentication(pathname, hostname) {
+    if (this.isExcludedRoute(pathname, hostname)) {
       return false;
     }
-    return MiddlewareConfig.PROTECTED_ROUTES.INCLUDE.some(
-      (route) => pathname.startsWith(route) || pathname === route
+    return MiddlewareConfig.getProtectedRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
     );
   }
+  /**
+   * Check if current route is guest-only (authenticated users should be redirected away)
+   */
+  isGuestOnlyRoute(pathname, hostname) {
+    return MiddlewareConfig.getGuestOnlyRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
+    );
+  }
+  /**
+   * Check if the route is explicitly excluded from authentication
+   */
+  isExcludedRoute(pathname, hostname) {
+    return MiddlewareConfig.getWhitelistRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
+    );
+  }
+  /**
+   * Check if a single protection rule matches the current request
+   */
+  isRuleMatch(rule, pathname, hostname) {
+    if (rule.hostPattern && (!hostname || !hostname.startsWith(`${rule.hostPattern}.`) && hostname !== rule.hostPattern)) {
+      return false;
+    }
+    return rule.pathPattern === "*" || pathname === rule.pathPattern || pathname.startsWith(rule.pathPattern);
+  }
+  /**
+   * Validates authentication and returns user info if valid
+   * Used by both AuthenticationHandler and GuestOnlyHandler to avoid duplication
+   */
+  async getAuthenticatedUser(cookies) {
+    var _a, _b;
+    if (!this.hasAuthenticationCookies(cookies)) {
+      return null;
+    }
+    try {
+      const authResponse = await this.validateUserAuth(cookies);
+      if (!authResponse.ok) {
+        return null;
+      }
+      const data = await authResponse.json();
+      const userEmail = ((_b = (_a = data == null ? void 0 : data.data) == null ? void 0 : _a.user) == null ? void 0 : _b.email) || "";
+      const isPublic = isPublicUserEmail(userEmail);
+      return { email: userEmail, isPublic };
+    } catch (error) {
+      console.log("Auth validation error:", error instanceof Error ? error.message : "Unknown error");
+      return null;
+    }
+  }
   /**
    * Check if user has both access and refresh tokens
    */
@@ -478,26 +556,27 @@ var MethodFilterHandler = class extends BaseMiddlewareHandler {
     return this.continue();
   }
 };
-
-// src/middlewares/handlers/authentication-handler.ts
 var AuthenticationHandler = class extends BaseMiddlewareHandler {
   async handle(context) {
-    var _a, _b;
-    const { cookies, pathname } = context;
-    if (!this.requiresAuthentication(pathname)) {
-      return this.continue();
-    }
-    const hasAuthCookies = this.hasAuthenticationCookies(cookies);
-    if (!hasAuthCookies) {
-      return this.addLoginModalParams(context);
-    }
+    const { cookies, pathname, hostname } = context;
     try {
-      const authResponse = await this.validateUserAuth(cookies);
-      if (authResponse.ok) {
-        const data = await authResponse.json();
-        const userEmail = ((_b = (_a = data == null ? void 0 : data.data) == null ? void 0 : _a.user) == null ? void 0 : _b.email) || "";
-        const isPublicUserFlag = isPublicUserEmail(userEmail);
-        if (isPublicUserFlag) {
+      const isGuestOnly = this.isGuestOnlyRoute(pathname, hostname);
+      const isProtected = this.requiresAuthentication(pathname, hostname);
+      if (!isGuestOnly && !isProtected) {
+        return this.continue();
+      }
+      const user = this.hasAuthenticationCookies(cookies) ? await this.getAuthenticatedUser(cookies) : null;
+      if (isGuestOnly) {
+        if (user && !user.isPublic) {
+          return NextResponse.redirect(new URL("/", context.request.url));
+        }
+        return this.continue();
+      }
+      if (isProtected) {
+        if (!user) {
+          return this.addLoginModalParams(context);
+        }
+        if (user.isPublic) {
           console.log("Public session user detected (IP-based email) - requiring authentication");
           return this.addLoginModalParams(context);
         }
@@ -506,10 +585,9 @@ var AuthenticationHandler = class extends BaseMiddlewareHandler {
         }
         return this.allow();
       }
-      console.log("Authentication failed - requiring login for protected route");
-      return this.addLoginModalParams(context);
+      return this.continue();
     } catch (error) {
-      console.log("Authentication validation failed:", error instanceof Error ? error.message : "Unknown error");
+      console.error("AuthenticationHandler error:", error);
       return this.addLoginModalParams(context);
     }
   }
@@ -533,22 +611,6 @@ var MiddlewareChain = class {
   }
 };
 
-// src/middlewares/utils/email-validator.ts
-var isPublicUserEmail = (email) => {
-  if (!email || typeof email !== "string") return false;
-  const parts = email.split("@");
-  if (parts.length !== 2) return false;
-  const localPart = parts[0];
-  const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-  const match = localPart.match(ipv4Pattern);
-  if (!match) return false;
-  for (let i = 1; i <= 4; i++) {
-    const octet = parseInt(match[i], 10);
-    if (octet < 0 || octet > 255) return false;
-  }
-  return true;
-};
-
 // src/middleware.ts
 async function middleware(req) {
   const hostname = req.headers.get("host") || req.nextUrl.hostname;

package/dist/utils/cookie-utils.js

@@ -2,18 +2,54 @@
 var _jscookie = require('js-cookie'); var _jscookie2 = _interopRequireDefault(_jscookie);
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -29,41 +65,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 
 // src/services/utils/url-utils.ts
 var UrlUtils = class {

package/dist/utils/cookie-utils.mjs

@@ -2,18 +2,54 @@
 import Cookies from "js-cookie";
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -29,41 +65,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 
 // src/services/utils/url-utils.ts
 var UrlUtils = class {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mailsentry-auth",
-  "version": "0.2.6",
+  "version": "0.2.7",
   "description": "Next.js 15 authentication package with multi-step auth flow, cross-tab sync, and Zustand state management",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",