mulguard 1.0.1

package/dist/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * mulguard
+ * Modern authentication library for Next.js
+ *
+ * This is the **server-safe** entrypoint. It must NOT import React
+ * or any client-only hooks/components, otherwise Next.js will treat
+ * anything that imports `mulguard` as a Client Component.
+ *
+ * - Server / shared functionality is exported from here.
+ * - React hooks & components are exposed via subpath exports:
+ *   - `mulguard/client` for hooks & provider
+ *   - (future) `mulguard/components/*` for UI components
+ */
+export * from './core';
+export * from './mulguard';
+export * from './server';
+export * from './handlers/route';
+export * from './handlers/api';
+export * from './middleware';
+export { createProxyMiddleware, checkRole as checkRoleProxy, } from './middleware/proxy';
+export * from './middleware/security';

package/dist/middleware/index.d.ts

@@ -0,0 +1,28 @@
+import { NextResponse, NextRequest } from 'next/server';
+import { MulguardInstance } from '../mulguard';
+export interface AuthMiddlewareConfig {
+    /**
+     * Protected routes - require authentication
+     */
+    protectedRoutes?: string[];
+    /**
+     * Public routes - accessible without authentication
+     */
+    publicRoutes?: string[];
+    /**
+     * Redirect to login if not authenticated
+     */
+    redirectTo?: string;
+    /**
+     * Redirect to home if authenticated (for login/register pages)
+     */
+    redirectIfAuthenticated?: string;
+}
+/**
+ * Create authentication middleware
+ */
+export declare function createAuthMiddleware(auth: MulguardInstance, config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Helper to check if user has required role
+ */
+export declare function checkRole(auth: MulguardInstance, requiredRole: string): Promise<boolean>;

package/dist/middleware/proxy.d.ts

@@ -0,0 +1,53 @@
+import { NextResponse, NextRequest } from 'next/server';
+import { MulguardInstance } from '../mulguard';
+export interface ProxyMiddlewareConfig {
+    /**
+     * Auth instance
+     */
+    auth: MulguardInstance;
+    /**
+     * Protected routes - require authentication
+     */
+    protectedRoutes?: string[];
+    /**
+     * Public routes - accessible without authentication
+     */
+    publicRoutes?: string[];
+    /**
+     * Redirect to login if not authenticated
+     */
+    redirectTo?: string;
+    /**
+     * Redirect to home if authenticated (for login/register pages)
+     */
+    redirectIfAuthenticated?: string;
+    /**
+     * API routes prefix (default: '/api/auth')
+     */
+    apiPrefix?: string;
+}
+/**
+ * Create proxy middleware for authentication
+ *
+ * @example
+ * ```typescript
+ * // middleware.ts
+ * import { auth } from '@/auth'
+ * import { createProxyMiddleware } from 'mulguard/middleware/proxy'
+ *
+ * export default createProxyMiddleware({
+ *   auth,
+ *   protectedRoutes: ['/dashboard', '/profile'],
+ *   redirectTo: '/login',
+ * })
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * }
+ * ```
+ */
+export declare function createProxyMiddleware(config: ProxyMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Helper to check if user has required role
+ */
+export declare function checkRole(auth: MulguardInstance, requiredRole: string): Promise<boolean>;

package/dist/middleware/security.d.ts

@@ -0,0 +1,9 @@
+import { NextResponse, NextRequest } from 'next/server';
+/**
+ * Apply security headers to response
+ */
+export declare function withSecurityHeaders(_request: NextRequest, response: NextResponse): NextResponse;
+/**
+ * Security middleware wrapper
+ */
+export declare function createSecurityMiddleware(): (request: NextRequest) => Promise<NextResponse>;

package/dist/mulguard.d.ts

@@ -0,0 +1,263 @@
+import { MulguardConfig, Session, AuthResult, EmailCredentials, RegisterData, Verify2FAData, User, SessionConfig } from './core/types';
+/**
+ * Main Mulguard authentication instance interface
+ *
+ * Provides all authentication methods using Server Actions
+ * User implements custom logic in the config
+ *
+ * @example
+ * ```typescript
+ * const auth = mulguard({
+ *   actions: {
+ *     signIn: {
+ *       email: async (credentials) => {
+ *         // Your custom sign in logic
+ *         const user = await db.user.findUnique({ where: { email: credentials.email } })
+ *         if (!user || !await bcrypt.compare(credentials.password, user.password)) {
+ *           return { success: false, error: 'Invalid credentials' }
+ *         }
+ *         return { success: true, user, session: { user, expiresAt: new Date() } }
+ *       }
+ *     }
+ *   }
+ * })
+ * ```
+ */
+export interface MulguardInstance {
+    /**
+     * Get current session
+     * Uses custom getSession action if provided, otherwise falls back to reading from cookie
+     */
+    getSession(): Promise<Session | null>;
+    /**
+     * Get access token from current session
+     */
+    getAccessToken(): Promise<string | null>;
+    /**
+     * Get refresh token from current session
+     */
+    getRefreshToken(): Promise<string | null>;
+    /**
+     * Check if session has valid tokens
+     */
+    hasValidTokens(): Promise<boolean>;
+    /**
+     * Set session directly (useful for Server Actions)
+     * Saves session to cookie automatically
+     *
+     * @param session - Session object to save
+     * @returns Result indicating success or failure
+     *
+     * @example
+     * ```typescript
+     * const result = await auth.setSession(newSession)
+     * if (!result.success) {
+     *   console.warn('Failed to save session:', result.error)
+     * }
+     * ```
+     */
+    setSession(session: Session): Promise<{
+        success: boolean;
+        error?: string;
+        warning?: string;
+    }>;
+    /**
+     * Internal method to get session config for Server Actions
+     * Used by verify2FAAction to save session cookie directly
+     * @internal
+     */
+    _getSessionConfig(): {
+        cookieName: string;
+        config: SessionConfig;
+    };
+    /**
+     * Internal method to get callbacks for Server Actions
+     * Used by Server Actions to execute callbacks
+     * @internal
+     */
+    _getCallbacks?(): import('./core/types').CallbacksConfig;
+    /**
+     * Internal method to get token refresh manager
+     * Used by HttpClient for automatic token refresh
+     * @internal
+     */
+    _getTokenRefreshManager?(): import('./core/client/token-refresh-manager').TokenRefreshManager | undefined;
+    /**
+     * Sign in methods - uses custom actions from config
+     */
+    signIn: {
+        /**
+         * Sign in with email and password
+         * Executes custom email action from config
+         */
+        email(credentials: EmailCredentials): Promise<AuthResult>;
+        /**
+         * Initiate OAuth sign in flow
+         * Executes custom oauth action from config
+         */
+        oauth?(provider: string): Promise<{
+            url: string;
+            state: string;
+        }>;
+        /**
+         * Sign in with PassKey/WebAuthn
+         * Executes custom passkey action from config
+         */
+        passkey?(options?: {
+            userId?: string;
+        }): Promise<AuthResult>;
+        /**
+         * Sign in with OTP
+         * Executes custom otp action from config
+         */
+        otp?(email: string, code?: string): Promise<AuthResult>;
+    };
+    /**
+     * Sign in methods - uses custom actions from config (legacy interface)
+     */
+    signInMethods: {
+        /**
+         * Sign in with email and password
+         * Executes custom email action from config
+         */
+        email(credentials: EmailCredentials): Promise<AuthResult>;
+        /**
+         * Initiate OAuth sign in flow
+         * Executes custom oauth action from config
+         */
+        oauth?(provider: string): Promise<{
+            url: string;
+            state: string;
+        }>;
+        /**
+         * Sign in with PassKey/WebAuthn
+         * Executes custom passkey action from config
+         */
+        passkey?(options?: {
+            userId?: string;
+        }): Promise<AuthResult>;
+        /**
+         * Sign in with OTP
+         * Executes custom otp action from config
+         */
+        otp?(email: string, code?: string): Promise<AuthResult>;
+    };
+    /**
+     * Register new user
+     * Executes custom signUp action from config
+     */
+    signUp?(data: RegisterData): Promise<AuthResult>;
+    /**
+     * Sign out current session
+     * Executes custom signOut action from config
+     */
+    signOut(): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    /**
+     * Request password reset
+     * Executes custom resetPassword action from config
+     */
+    resetPassword?(email: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    /**
+     * Verify email address with token
+     * Executes custom verifyEmail action from config
+     */
+    verifyEmail?(token: string): Promise<{
+        success: boolean;
+        error?: string;
+    }>;
+    /**
+     * Refresh session
+     * Executes custom refreshSession action from config with improved error handling
+     */
+    refreshSession?(): Promise<Session | null>;
+    /**
+     * OAuth callback handler
+     * Executes custom oauthCallback action from config
+     */
+    oauthCallback?(provider: string, code: string, state: string): Promise<AuthResult>;
+    /**
+     * PassKey methods
+     */
+    passkey?: {
+        register?(options?: {
+            name?: string;
+            userId?: string;
+        }): Promise<{
+            success: boolean;
+            passkeyId?: string;
+            error?: string;
+        }>;
+        authenticate?(options?: {
+            userId?: string;
+        }): Promise<AuthResult>;
+        list?(): Promise<Array<{
+            id: string;
+            name: string;
+            createdAt: Date;
+            lastUsedAt?: Date;
+        }>>;
+        remove?(passKeyId: string): Promise<{
+            success: boolean;
+            error?: string;
+        }>;
+    };
+    /**
+     * Two-Factor Authentication methods
+     */
+    twoFactor?: {
+        enable?(): Promise<{
+            success: boolean;
+            qrCode?: string;
+            secret?: string;
+            error?: string;
+        }>;
+        verify?(code: string): Promise<{
+            success: boolean;
+            backupCodes?: string[];
+            error?: string;
+        }>;
+        disable?(): Promise<{
+            success: boolean;
+            error?: string;
+        }>;
+        generateBackupCodes?(): Promise<{
+            success: boolean;
+            backupCodes?: string[];
+            error?: string;
+        }>;
+        isEnabled?(): Promise<boolean>;
+        /**
+         * Verify 2FA code after initial sign in
+         * Used when signIn returns requires2FA: true
+         */
+        verify2FA?(data: Verify2FAData): Promise<AuthResult>;
+    };
+    /**
+     * Verify 2FA code after initial sign in
+     * Used when signIn returns requires2FA: true
+     *
+     * @param data - 2FA verification data
+     * @param options - Optional configuration
+     * @param options.skipCookieSave - If true, skip automatic cookie saving (useful for Server Actions)
+     */
+    verify2FA?(data: Verify2FAData, options?: {
+        skipCookieSave?: boolean;
+    }): Promise<AuthResult>;
+    /**
+     * Account Picker methods (optional)
+     * For remembering last logged-in users
+     */
+    accountPicker?: {
+        getLastUsers(): Promise<import('./core/types').RememberedUser[]>;
+        rememberUser(user: User, provider?: 'email' | 'oauth' | 'passkey'): Promise<void>;
+        clearUser(userId: string): Promise<void>;
+        clearAll(): Promise<void>;
+    };
+}
+export declare function mulguard(config: MulguardConfig): MulguardInstance;

package/dist/oauth-state-CzIWQq3s.js

@@ -0,0 +1 @@
+"use strict";const f=require("./actions-CExpv_dD.js"),C=require("next/navigation"),A=require("next/server");function h(e){return!e||!e.expiresAt?!1:new Date(e.expiresAt)<new Date}function v(e,t=5){if(!e||!e.expiresAt)return!1;const r=new Date(e.expiresAt),s=new Date,i=(r.getTime()-s.getTime())/(1e3*60);return i>0&&i<t}function E(e){if(!e||!e.expiresAt)return null;const t=new Date(e.expiresAt),r=new Date,s=(t.getTime()-r.getTime())/(1e3*60);return s>0?Math.floor(s):0}function _(e){return!(!e||!e.user||!e.user.id||!e.user.email||!e.user.name||h(e))}function w(e){if(!e||typeof e!="object")return!1;const t=e;if(!t.user||typeof t.user!="object")return!1;const r=t.user;if(typeof r.id!="string"||r.id.length===0||typeof r.email!="string"||r.email.length===0||typeof r.name!="string"||r.name.length===0||!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r.email))return!1;if(t.expiresAt)if(t.expiresAt instanceof Date){if(isNaN(t.expiresAt.getTime()))return!1}else if(typeof t.expiresAt=="string"){const i=new Date(t.expiresAt);if(isNaN(i.getTime()))return!1}else return!1;return!0}function D(e,t){const r=t.cookieName||"__mulguard_session";let s=null,i=0;const g=6e4;return{async getSession(n){try{if(!await f.getCookie(r))return s=null,null;const a=Date.now();if(s&&a-i<g){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(s,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s}const c=await e.get("/api/auth/session");if(!c.data.session)return s=null,null;const l=c.data.session;if(!w(l))return await f.deleteCookie(r),s=null,null;if(h(l)){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return await f.deleteCookie(r),s=null,null}if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s=l,i=a,l}catch{return await f.deleteCookie(r),s=null,null}},setSession(n,u){},async clearSession(n){await f.deleteCookie(r,{path:n.path}),s=null,i=0},async refreshSession(){try{const n=await e.post("/api/auth/refresh");if(!n.data.session)return s=null,null;const u=n.data.session;return w(u)?(s=u,i=Date.now(),u):(s=null,null)}catch{return s=null,null}},isSessionExpired(n){return h(n)},shouldRefreshSession(n,u){if(!n.expiresAt)return!1;const a=new Date(n.expiresAt),c=new Date,l=a.getTime()-c.getTime(),o=5*60*1e3;return l>0&&l<o}}}async function N(e,t){try{const r=await e.post("/api/auth/refresh");return r.data.session?r.data.session:null}catch{return null}}async function d(e){try{const t=await e.getSession();return!t||!w(t)||h(t)?null:t}catch(t){return console.error("Failed to get server session:",t),null}}async function S(e,t="/login"){const r=await d(e);return r||C.redirect(t),r}async function m(e,t,r="/unauthorized"){const s=await S(e);return(!s.user.roles||!s.user.roles.includes(t))&&C.redirect(r),s}async function k(e){const t=await d(e);return(t==null?void 0:t.user)??null}function q(e,t){return{getSession:()=>d(e),requireAuth:r=>S(e,r),requireRole:(r,s)=>m(e,r,s)}}function O(e){return{getSession:()=>d(e),requireAuth:t=>S(e,t),requireRole:(t,r)=>m(e,t,r),getCurrentUser:()=>k(e)}}function y(e,t=[]){return[...["/auth/login","/auth/register","/auth/forgot-password","/auth/reset-password","/auth/verify-email"],...t].some(i=>e.startsWith(i))}function x(e,t={}){const{redirectTo:r="/auth/login",requireAuth:s=!1,allowedRoles:i=[],publicRoutes:g=[]}=t;return async n=>{const{pathname:u}=n.nextUrl;if(y(u,g)||u.startsWith("/api/")||u.startsWith("/_next/")||u.startsWith("/favicon.ico")||u.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))return null;try{const a=await e.getSession();if(s&&!a){const c=new URL(r,n.url);return c.searchParams.set("redirect",u),A.NextResponse.redirect(c)}if(a&&i.length>0){const c=a.user.roles||[];if(!i.some(o=>c.includes(o)))return A.NextResponse.redirect(new URL("/unauthorized",n.url))}return a&&y(u,g)?A.NextResponse.redirect(new URL("/",n.url)):null}catch(a){return process.env.NODE_ENV==="development"&&console.error("[Mulguard Middleware] Error:",a),null}}}function U(e,t="/auth/login"){return x(e,{requireAuth:!0,redirectTo:t})}function M(e,t,r="/unauthorized"){return x(e,{requireAuth:!0,allowedRoles:t,redirectTo:r})}const R="__mulguard_oauth_state",T=10*60;async function b(e,t){try{const r=JSON.stringify({state:e,provider:t,expiresAt:Date.now()+T*1e3}),s=process.env.NODE_ENV==="production";return await f.setCookie({name:R,value:r,httpOnly:!0,secure:s,sameSite:"strict",maxAge:T,path:"/"})}catch(r){return{success:!1,error:r instanceof Error?r.message:"Failed to store OAuth state"}}}async function P(){try{const e=await f.getCookie(R);if(!e)return null;const t=JSON.parse(e);return t.expiresAt<Date.now()?(await p(),null):(await p(),{state:t.state,provider:t.provider})}catch{return await p(),null}}async function p(){await f.deleteCookie(R,{path:"/"})}exports.createAuthMiddleware=x;exports.createServerHelpers=q;exports.createServerUtils=O;exports.createSessionManager=D;exports.deleteOAuthStateCookie=p;exports.getCurrentUser=k;exports.getOAuthStateCookie=P;exports.getServerSession=d;exports.getSessionTimeUntilExpiry=E;exports.isSessionExpiredNullable=h;exports.isSessionExpiringSoon=v;exports.isSessionValid=_;exports.refreshSession=N;exports.requireAuth=S;exports.requireAuthMiddleware=U;exports.requireRole=m;exports.requireRoleMiddleware=M;exports.storeOAuthStateCookie=b;exports.validateSessionStructure=w;

package/dist/oauth-state-LE-qeq-K.mjs

@@ -0,0 +1,282 @@
+import { d as f, g as R, c as E } from "./actions-DeCfLtHA.mjs";
+import { redirect as T } from "next/navigation";
+import { NextResponse as g } from "next/server";
+function d(e) {
+  return !e || !e.expiresAt ? !1 : new Date(e.expiresAt) < /* @__PURE__ */ new Date();
+}
+function O(e, r = 5) {
+  if (!e || !e.expiresAt)
+    return !1;
+  const t = new Date(e.expiresAt), s = /* @__PURE__ */ new Date(), i = (t.getTime() - s.getTime()) / (1e3 * 60);
+  return i > 0 && i < r;
+}
+function U(e) {
+  if (!e || !e.expiresAt)
+    return null;
+  const r = new Date(e.expiresAt), t = /* @__PURE__ */ new Date(), s = (r.getTime() - t.getTime()) / (1e3 * 60);
+  return s > 0 ? Math.floor(s) : 0;
+}
+function b(e) {
+  return !(!e || !e.user || !e.user.id || !e.user.email || !e.user.name || d(e));
+}
+function m(e) {
+  if (!e || typeof e != "object")
+    return !1;
+  const r = e;
+  if (!r.user || typeof r.user != "object")
+    return !1;
+  const t = r.user;
+  if (typeof t.id != "string" || t.id.length === 0 || typeof t.email != "string" || t.email.length === 0 || typeof t.name != "string" || t.name.length === 0 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(t.email))
+    return !1;
+  if (r.expiresAt)
+    if (r.expiresAt instanceof Date) {
+      if (isNaN(r.expiresAt.getTime()))
+        return !1;
+    } else if (typeof r.expiresAt == "string") {
+      const i = new Date(r.expiresAt);
+      if (isNaN(i.getTime()))
+        return !1;
+    } else
+      return !1;
+  return !0;
+}
+function q(e, r) {
+  const t = r.cookieName || "__mulguard_session";
+  let s = null, i = 0;
+  const h = 6e4;
+  return {
+    /**
+     * Get current session from backend with automatic refresh
+     */
+    async getSession(n) {
+      try {
+        if (!await R(t))
+          return s = null, null;
+        const o = Date.now();
+        if (s && o - i < h) {
+          if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(s, r)) {
+            const u = await this.refreshSession();
+            if (u)
+              return s = u, i = o, u;
+          }
+          return s;
+        }
+        const c = await e.get("/api/auth/session");
+        if (!c.data.session)
+          return s = null, null;
+        const l = c.data.session;
+        if (!m(l))
+          return await f(t), s = null, null;
+        if (d(l)) {
+          if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l, r)) {
+            const u = await this.refreshSession();
+            if (u)
+              return s = u, i = o, u;
+          }
+          return await f(t), s = null, null;
+        }
+        if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l, r)) {
+          const u = await this.refreshSession();
+          if (u)
+            return s = u, i = o, u;
+        }
+        return s = l, i = o, l;
+      } catch {
+        return await f(t), s = null, null;
+      }
+    },
+    /**
+     * Set session cookie
+     */
+    setSession(n, a) {
+    },
+    /**
+     * Clear session
+     */
+    async clearSession(n) {
+      await f(t, {
+        path: n.path
+      }), s = null, i = 0;
+    },
+    /**
+     * Refresh session
+     */
+    async refreshSession() {
+      try {
+        const n = await e.post("/api/auth/refresh");
+        if (!n.data.session)
+          return s = null, null;
+        const a = n.data.session;
+        return m(a) ? (s = a, i = Date.now(), a) : (s = null, null);
+      } catch {
+        return s = null, null;
+      }
+    },
+    /**
+     * Check if session is expired
+     */
+    isSessionExpired(n) {
+      return d(n);
+    },
+    /**
+     * Check if session should be refreshed (within 5 minutes of expiration)
+     */
+    shouldRefreshSession(n, a) {
+      if (!n.expiresAt)
+        return !1;
+      const o = new Date(n.expiresAt), c = /* @__PURE__ */ new Date(), l = o.getTime() - c.getTime(), u = 5 * 60 * 1e3;
+      return l > 0 && l < u;
+    }
+  };
+}
+async function M(e, r) {
+  try {
+    const t = await e.post("/api/auth/refresh");
+    return t.data.session ? t.data.session : null;
+  } catch {
+    return null;
+  }
+}
+async function p(e) {
+  try {
+    const r = await e.getSession();
+    return !r || !m(r) || d(r) ? null : r;
+  } catch (r) {
+    return console.error("Failed to get server session:", r), null;
+  }
+}
+async function A(e, r = "/login") {
+  const t = await p(e);
+  return t || T(r), t;
+}
+async function _(e, r, t = "/unauthorized") {
+  const s = await A(e);
+  return (!s.user.roles || !s.user.roles.includes(r)) && T(t), s;
+}
+async function k(e) {
+  const r = await p(e);
+  return (r == null ? void 0 : r.user) ?? null;
+}
+function P(e, r) {
+  return {
+    getSession: () => p(e),
+    requireAuth: (t) => A(e, t),
+    requireRole: (t, s) => _(e, t, s)
+  };
+}
+function j(e) {
+  return {
+    getSession: () => p(e),
+    requireAuth: (r) => A(e, r),
+    requireRole: (r, t) => _(e, r, t),
+    getCurrentUser: () => k(e)
+  };
+}
+function x(e, r = []) {
+  return [...[
+    "/auth/login",
+    "/auth/register",
+    "/auth/forgot-password",
+    "/auth/reset-password",
+    "/auth/verify-email"
+  ], ...r].some((i) => e.startsWith(i));
+}
+function D(e, r = {}) {
+  const {
+    redirectTo: t = "/auth/login",
+    requireAuth: s = !1,
+    allowedRoles: i = [],
+    publicRoutes: h = []
+  } = r;
+  return async (n) => {
+    const { pathname: a } = n.nextUrl;
+    if (x(a, h) || a.startsWith("/api/") || a.startsWith("/_next/") || a.startsWith("/favicon.ico") || a.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))
+      return null;
+    try {
+      const o = await e.getSession();
+      if (s && !o) {
+        const c = new URL(t, n.url);
+        return c.searchParams.set("redirect", a), g.redirect(c);
+      }
+      if (o && i.length > 0) {
+        const c = o.user.roles || [];
+        if (!i.some((u) => c.includes(u)))
+          return g.redirect(new URL("/unauthorized", n.url));
+      }
+      return o && x(a, h) ? g.redirect(new URL("/", n.url)) : null;
+    } catch (o) {
+      return process.env.NODE_ENV === "development" && console.error("[Mulguard Middleware] Error:", o), null;
+    }
+  };
+}
+function L(e, r = "/auth/login") {
+  return D(e, {
+    requireAuth: !0,
+    redirectTo: r
+  });
+}
+function H(e, r, t = "/unauthorized") {
+  return D(e, {
+    requireAuth: !0,
+    allowedRoles: r,
+    redirectTo: t
+  });
+}
+const S = "__mulguard_oauth_state", y = 10 * 60;
+async function V(e, r) {
+  try {
+    const t = JSON.stringify({ state: e, provider: r, expiresAt: Date.now() + y * 1e3 }), s = process.env.NODE_ENV === "production";
+    return await E({
+      name: S,
+      value: t,
+      httpOnly: !0,
+      secure: s,
+      sameSite: "strict",
+      maxAge: y,
+      path: "/"
+    });
+  } catch (t) {
+    return {
+      success: !1,
+      error: t instanceof Error ? t.message : "Failed to store OAuth state"
+    };
+  }
+}
+async function W() {
+  try {
+    const e = await R(S);
+    if (!e)
+      return null;
+    const r = JSON.parse(e);
+    return r.expiresAt < Date.now() ? (await w(), null) : (await w(), {
+      state: r.state,
+      provider: r.provider
+    });
+  } catch {
+    return await w(), null;
+  }
+}
+async function w() {
+  await f(S, { path: "/" });
+}
+export {
+  b as a,
+  d as b,
+  D as c,
+  H as d,
+  p as e,
+  A as f,
+  U as g,
+  _ as h,
+  O as i,
+  k as j,
+  j as k,
+  W as l,
+  w as m,
+  q as n,
+  M as o,
+  P as p,
+  L as r,
+  V as s,
+  m as v
+};