mailsentry-auth 0.2.6 → 0.2.8

package/dist/middleware.mjs

@@ -4,18 +4,54 @@ import Cookies from 'js-cookie';
 // src/middlewares/handlers/base-middleware-handler.ts
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -31,41 +67,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 var middlewareMatcher = [
   "/((?!api|_next/static|_next/image|_next/webpack-hmr|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js)$).*)"
 ];
@@ -350,23 +368,83 @@ var _CookieUtils = class _CookieUtils {
 _CookieUtils.COOKIE_DOMAIN = _CookieUtils.getRootDomain();
 var CookieUtils = _CookieUtils;
 
+// src/middlewares/utils/email-validator.ts
+var isPublicUserEmail = (email) => {
+  if (!email || typeof email !== "string") return false;
+  const parts = email.split("@");
+  if (parts.length !== 2) return false;
+  const localPart = parts[0];
+  const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+  const match = localPart.match(ipv4Pattern);
+  if (!match) return false;
+  for (let i = 1; i <= 4; i++) {
+    const octet = parseInt(match[i], 10);
+    if (octet < 0 || octet > 255) return false;
+  }
+  return true;
+};
+
 // src/middlewares/handlers/base-middleware-handler.ts
 var BaseMiddlewareHandler = class {
   /**
    * Check if current route requires authentication
-   * Uses inclusive (PROTECTED_ROUTES.INCLUDE) and exclusive (PROTECTED_ROUTES.EXCLUDE) lists
    */
-  requiresAuthentication(pathname) {
-    const isExcluded = MiddlewareConfig.PROTECTED_ROUTES.EXCLUDE.some(
-      (route) => pathname.startsWith(route) || pathname === route
-    );
-    if (isExcluded) {
+  requiresAuthentication(pathname, hostname) {
+    if (this.isExcludedRoute(pathname, hostname)) {
       return false;
     }
-    return MiddlewareConfig.PROTECTED_ROUTES.INCLUDE.some(
-      (route) => pathname.startsWith(route) || pathname === route
+    return MiddlewareConfig.getProtectedRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
     );
   }
+  /**
+   * Check if current route is guest-only (authenticated users should be redirected away)
+   */
+  isGuestOnlyRoute(pathname, hostname) {
+    return MiddlewareConfig.getGuestOnlyRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
+    );
+  }
+  /**
+   * Check if the route is explicitly excluded from authentication
+   */
+  isExcludedRoute(pathname, hostname) {
+    return MiddlewareConfig.getWhitelistRules().some(
+      (rule) => this.isRuleMatch(rule, pathname, hostname)
+    );
+  }
+  /**
+   * Check if a single protection rule matches the current request
+   */
+  isRuleMatch(rule, pathname, hostname) {
+    if (rule.hostPattern && (!hostname || !hostname.startsWith(`${rule.hostPattern}.`) && hostname !== rule.hostPattern)) {
+      return false;
+    }
+    return rule.pathPattern === "*" || pathname === rule.pathPattern || pathname.startsWith(rule.pathPattern);
+  }
+  /**
+   * Validates authentication and returns user info if valid
+   * Used by both AuthenticationHandler and GuestOnlyHandler to avoid duplication
+   */
+  async getAuthenticatedUser(cookies) {
+    var _a, _b;
+    if (!this.hasAuthenticationCookies(cookies)) {
+      return null;
+    }
+    try {
+      const authResponse = await this.validateUserAuth(cookies);
+      if (!authResponse.ok) {
+        return null;
+      }
+      const data = await authResponse.json();
+      const userEmail = ((_b = (_a = data == null ? void 0 : data.data) == null ? void 0 : _a.user) == null ? void 0 : _b.email) || "";
+      const isPublic = isPublicUserEmail(userEmail);
+      return { email: userEmail, isPublic };
+    } catch (error) {
+      console.log("Auth validation error:", error instanceof Error ? error.message : "Unknown error");
+      return null;
+    }
+  }
   /**
    * Check if user has both access and refresh tokens
    */
@@ -478,26 +556,27 @@ var MethodFilterHandler = class extends BaseMiddlewareHandler {
     return this.continue();
   }
 };
-
-// src/middlewares/handlers/authentication-handler.ts
 var AuthenticationHandler = class extends BaseMiddlewareHandler {
   async handle(context) {
-    var _a, _b;
-    const { cookies, pathname } = context;
-    if (!this.requiresAuthentication(pathname)) {
-      return this.continue();
-    }
-    const hasAuthCookies = this.hasAuthenticationCookies(cookies);
-    if (!hasAuthCookies) {
-      return this.addLoginModalParams(context);
-    }
+    const { cookies, pathname, hostname } = context;
     try {
-      const authResponse = await this.validateUserAuth(cookies);
-      if (authResponse.ok) {
-        const data = await authResponse.json();
-        const userEmail = ((_b = (_a = data == null ? void 0 : data.data) == null ? void 0 : _a.user) == null ? void 0 : _b.email) || "";
-        const isPublicUserFlag = isPublicUserEmail(userEmail);
-        if (isPublicUserFlag) {
+      const isGuestOnly = this.isGuestOnlyRoute(pathname, hostname);
+      const isProtected = this.requiresAuthentication(pathname, hostname);
+      if (!isGuestOnly && !isProtected) {
+        return this.continue();
+      }
+      const user = this.hasAuthenticationCookies(cookies) ? await this.getAuthenticatedUser(cookies) : null;
+      if (isGuestOnly) {
+        if (user && !user.isPublic) {
+          return NextResponse.redirect(new URL("/", context.request.url));
+        }
+        return this.continue();
+      }
+      if (isProtected) {
+        if (!user) {
+          return this.addLoginModalParams(context);
+        }
+        if (user.isPublic) {
           console.log("Public session user detected (IP-based email) - requiring authentication");
           return this.addLoginModalParams(context);
         }
@@ -506,10 +585,9 @@ var AuthenticationHandler = class extends BaseMiddlewareHandler {
         }
         return this.allow();
       }
-      console.log("Authentication failed - requiring login for protected route");
-      return this.addLoginModalParams(context);
+      return this.continue();
     } catch (error) {
-      console.log("Authentication validation failed:", error instanceof Error ? error.message : "Unknown error");
+      console.error("AuthenticationHandler error:", error);
       return this.addLoginModalParams(context);
     }
   }
@@ -533,22 +611,6 @@ var MiddlewareChain = class {
   }
 };
 
-// src/middlewares/utils/email-validator.ts
-var isPublicUserEmail = (email) => {
-  if (!email || typeof email !== "string") return false;
-  const parts = email.split("@");
-  if (parts.length !== 2) return false;
-  const localPart = parts[0];
-  const ipv4Pattern = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
-  const match = localPart.match(ipv4Pattern);
-  if (!match) return false;
-  for (let i = 1; i <= 4; i++) {
-    const octet = parseInt(match[i], 10);
-    if (octet < 0 || octet > 255) return false;
-  }
-  return true;
-};
-
 // src/middleware.ts
 async function middleware(req) {
   const hostname = req.headers.get("host") || req.nextUrl.hostname;

package/dist/utils/cookie-utils.js

@@ -2,18 +2,54 @@
 var _jscookie = require('js-cookie'); var _jscookie2 = _interopRequireDefault(_jscookie);
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -29,41 +65,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 
 // src/services/utils/url-utils.ts
 var UrlUtils = class {

package/dist/utils/cookie-utils.mjs

@@ -2,18 +2,54 @@
 import Cookies from "js-cookie";
 
 // src/config/middleware.ts
-var _MiddlewareConfig = class _MiddlewareConfig {
-  // Route Protection Configuration
-  // PATTERNS_TO_PROTECT: Routes that require authentication (whitelist approach recommended for security)
-  // PATTERNS_TO_EXCLUDE: Routes to explicitly exclude from protection (e.g., login page, public assets)
+var MiddlewareConfig = class {
   /**
-   * Get public routes whitelist from environment variable
-   * Expected format: comma-separated paths like "/public,/links/new,/about"
+   * Get dynamic protection rules from environment variable
+   * Format: "host:path" or "path"
    */
-  static getPublicRoutesWhitelist() {
-    const envWhitelist = process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES || "";
-    const customRoutes = envWhitelist.split(",").map((route) => route.trim()).filter((route) => route.length > 0);
-    return customRoutes;
+  static getProtectedRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_PROTECTED_ROUTES, [
+      { hostPattern: this.CONSTANTS.DASHBOARD_SUBDOMAIN, pathPattern: "*" }
+    ]);
+  }
+  /**
+   * Get public routes whitelist (Exclusions)
+   * Format: "host:path" or "path"
+   */
+  static getWhitelistRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_AUTH_WHITELIST_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Get guest-only routes (redirects authenticated users away)
+   * Format: "host:path" or "path"
+   */
+  static getGuestOnlyRules() {
+    return this.parseRules(process.env.NEXT_PUBLIC_GUEST_ONLY_ROUTES, [
+      { hostPattern: null, pathPattern: this.CONSTANTS.LOGIN_PATH }
+    ]);
+  }
+  /**
+   * Generic parser for environment variables containing rule lists
+   */
+  static parseRules(envVar, defaults) {
+    if (envVar === void 0) return defaults;
+    return envVar.split(",").map((rule) => this.parseSingleRule(rule)).filter((r) => r.pathPattern.length > 0);
+  }
+  /**
+   * Parse a single rule string into a ProtectionRule object
+   */
+  static parseSingleRule(ruleString) {
+    const trimmed = ruleString.trim();
+    const separatorIndex = trimmed.indexOf(":");
+    if (separatorIndex === -1) {
+      return { hostPattern: null, pathPattern: trimmed };
+    }
+    return {
+      hostPattern: trimmed.substring(0, separatorIndex).trim(),
+      pathPattern: trimmed.substring(separatorIndex + 1).trim()
+    };
   }
   /**
    * Get the base domain from environment or use default
@@ -29,41 +65,23 @@ var _MiddlewareConfig = class _MiddlewareConfig {
   }
 };
 // Common constants
-_MiddlewareConfig.CONSTANTS = {
+MiddlewareConfig.CONSTANTS = {
   LOGIN_PATH: "/login",
-  DASHBOARD_SUBDOMAIN: "dashboard",
-  PUBLIC_PATH: "/public",
-  PUBLIC_API_PATH: "/api/public"
-};
-_MiddlewareConfig.PROTECTED_ROUTES = {
-  // Routes that MUST be protected
-  INCLUDE: [
-    "/"
-    // Protect everything by default (since dashboard.cutly.io/ is the root)
-  ],
-  // Routes that should NEVER be protected (public)
-  EXCLUDE: [
-    _MiddlewareConfig.CONSTANTS.LOGIN_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_PATH,
-    _MiddlewareConfig.CONSTANTS.PUBLIC_API_PATH,
-    ..._MiddlewareConfig.getPublicRoutesWhitelist()
-    // Add custom whitelist from env
-  ]
+  DASHBOARD_SUBDOMAIN: "dashboard"
 };
 // HTTP methods to process
-_MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
+MiddlewareConfig.ALLOWED_METHODS = ["GET", "HEAD"];
 // Query parameters
-_MiddlewareConfig.QUERY_PARAMS = {
+MiddlewareConfig.QUERY_PARAMS = {
   LOGIN_REQUIRED: "sign_in_required",
   AUTH_CHECKED: "auth_checked",
   REDIRECT_URL: "redirect_url"
 };
 // Query parameter values
-_MiddlewareConfig.QUERY_VALUES = {
+MiddlewareConfig.QUERY_VALUES = {
   LOGIN_REQUIRED: "true",
   AUTH_CHECKED: "1"
 };
-var MiddlewareConfig = _MiddlewareConfig;
 
 // src/services/utils/url-utils.ts
 var UrlUtils = class {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mailsentry-auth",
-  "version": "0.2.6",
+  "version": "0.2.8",
   "description": "Next.js 15 authentication package with multi-step auth flow, cross-tab sync, and Zustand state management",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",