mulguard 1.1.4 → 1.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/auth/oauth-state-store-cookie.d.ts +83 -0
- package/dist/core/auth/oauth-state-store.d.ts +1 -0
- package/dist/index/index.js +1 -1
- package/dist/index/index.mjs +617 -510
- package/dist/mulguard.d.ts +8 -0
- package/dist/{oauth-state-LE-qeq-K.mjs → oauth-state-DKle8eCr.mjs} +111 -104
- package/dist/oauth-state-DlvrCV11.js +1 -0
- package/dist/server/index.js +1 -1
- package/dist/server/index.mjs +1 -1
- package/dist/server/oauth-state.d.ts +6 -0
- package/package.json +1 -1
- package/dist/oauth-state-CzIWQq3s.js +0 -1
package/dist/mulguard.d.ts
CHANGED
|
@@ -208,6 +208,14 @@ export interface MulguardInstance {
|
|
|
208
208
|
* Executes custom oauthCallback action from config
|
|
209
209
|
*/
|
|
210
210
|
oauthCallback?(provider: string, code: string, state: string): Promise<AuthResult>;
|
|
211
|
+
/**
|
|
212
|
+
* Store OAuth state for validation (useful when using external backend API)
|
|
213
|
+
* This allows storing state generated by backend APIs in mulguard's state store
|
|
214
|
+
*
|
|
215
|
+
* @param state - OAuth state token
|
|
216
|
+
* @param provider - OAuth provider name
|
|
217
|
+
*/
|
|
218
|
+
storeOAuthState?(state: string, provider: string): Promise<void>;
|
|
211
219
|
/**
|
|
212
220
|
* PassKey methods
|
|
213
221
|
*/
|
|
@@ -1,47 +1,47 @@
|
|
|
1
|
-
import { d as f, g as R, c as
|
|
1
|
+
import { d as f, g as R, c as v } from "./actions-DeCfLtHA.mjs";
|
|
2
2
|
import { redirect as T } from "next/navigation";
|
|
3
|
-
import { NextResponse as
|
|
4
|
-
function
|
|
3
|
+
import { NextResponse as w } from "next/server";
|
|
4
|
+
function p(e) {
|
|
5
5
|
return !e || !e.expiresAt ? !1 : new Date(e.expiresAt) < /* @__PURE__ */ new Date();
|
|
6
6
|
}
|
|
7
|
-
function
|
|
7
|
+
function U(e, t = 5) {
|
|
8
8
|
if (!e || !e.expiresAt)
|
|
9
9
|
return !1;
|
|
10
|
-
const
|
|
11
|
-
return i > 0 && i <
|
|
10
|
+
const r = new Date(e.expiresAt), s = /* @__PURE__ */ new Date(), i = (r.getTime() - s.getTime()) / (1e3 * 60);
|
|
11
|
+
return i > 0 && i < t;
|
|
12
12
|
}
|
|
13
|
-
function
|
|
13
|
+
function q(e) {
|
|
14
14
|
if (!e || !e.expiresAt)
|
|
15
15
|
return null;
|
|
16
|
-
const
|
|
16
|
+
const t = new Date(e.expiresAt), r = /* @__PURE__ */ new Date(), s = (t.getTime() - r.getTime()) / (1e3 * 60);
|
|
17
17
|
return s > 0 ? Math.floor(s) : 0;
|
|
18
18
|
}
|
|
19
|
-
function
|
|
20
|
-
return !(!e || !e.user || !e.user.id || !e.user.email || !e.user.name ||
|
|
19
|
+
function M(e) {
|
|
20
|
+
return !(!e || !e.user || !e.user.id || !e.user.email || !e.user.name || p(e));
|
|
21
21
|
}
|
|
22
22
|
function m(e) {
|
|
23
23
|
if (!e || typeof e != "object")
|
|
24
24
|
return !1;
|
|
25
|
-
const
|
|
26
|
-
if (!
|
|
25
|
+
const t = e;
|
|
26
|
+
if (!t.user || typeof t.user != "object")
|
|
27
27
|
return !1;
|
|
28
|
-
const
|
|
29
|
-
if (typeof
|
|
28
|
+
const r = t.user;
|
|
29
|
+
if (typeof r.id != "string" || r.id.length === 0 || typeof r.email != "string" || r.email.length === 0 || typeof r.name != "string" || r.name.length === 0 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r.email))
|
|
30
30
|
return !1;
|
|
31
|
-
if (
|
|
32
|
-
if (
|
|
33
|
-
if (isNaN(
|
|
31
|
+
if (t.expiresAt)
|
|
32
|
+
if (t.expiresAt instanceof Date) {
|
|
33
|
+
if (isNaN(t.expiresAt.getTime()))
|
|
34
34
|
return !1;
|
|
35
|
-
} else if (typeof
|
|
36
|
-
const i = new Date(
|
|
35
|
+
} else if (typeof t.expiresAt == "string") {
|
|
36
|
+
const i = new Date(t.expiresAt);
|
|
37
37
|
if (isNaN(i.getTime()))
|
|
38
38
|
return !1;
|
|
39
39
|
} else
|
|
40
40
|
return !1;
|
|
41
41
|
return !0;
|
|
42
42
|
}
|
|
43
|
-
function
|
|
44
|
-
const
|
|
43
|
+
function j(e, t) {
|
|
44
|
+
const r = t.cookieName || "__mulguard_session";
|
|
45
45
|
let s = null, i = 0;
|
|
46
46
|
const h = 6e4;
|
|
47
47
|
return {
|
|
@@ -50,11 +50,11 @@ function q(e, r) {
|
|
|
50
50
|
*/
|
|
51
51
|
async getSession(n) {
|
|
52
52
|
try {
|
|
53
|
-
if (!await R(
|
|
53
|
+
if (!await R(r))
|
|
54
54
|
return s = null, null;
|
|
55
55
|
const o = Date.now();
|
|
56
56
|
if (s && o - i < h) {
|
|
57
|
-
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(s,
|
|
57
|
+
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(s, t)) {
|
|
58
58
|
const u = await this.refreshSession();
|
|
59
59
|
if (u)
|
|
60
60
|
return s = u, i = o, u;
|
|
@@ -66,23 +66,23 @@ function q(e, r) {
|
|
|
66
66
|
return s = null, null;
|
|
67
67
|
const l = c.data.session;
|
|
68
68
|
if (!m(l))
|
|
69
|
-
return await f(
|
|
70
|
-
if (
|
|
71
|
-
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l,
|
|
69
|
+
return await f(r), s = null, null;
|
|
70
|
+
if (p(l)) {
|
|
71
|
+
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l, t)) {
|
|
72
72
|
const u = await this.refreshSession();
|
|
73
73
|
if (u)
|
|
74
74
|
return s = u, i = o, u;
|
|
75
75
|
}
|
|
76
|
-
return await f(
|
|
76
|
+
return await f(r), s = null, null;
|
|
77
77
|
}
|
|
78
|
-
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l,
|
|
78
|
+
if (!(n != null && n.skipRefresh) && this.shouldRefreshSession(l, t)) {
|
|
79
79
|
const u = await this.refreshSession();
|
|
80
80
|
if (u)
|
|
81
81
|
return s = u, i = o, u;
|
|
82
82
|
}
|
|
83
83
|
return s = l, i = o, l;
|
|
84
84
|
} catch {
|
|
85
|
-
return await f(
|
|
85
|
+
return await f(r), s = null, null;
|
|
86
86
|
}
|
|
87
87
|
},
|
|
88
88
|
/**
|
|
@@ -94,7 +94,7 @@ function q(e, r) {
|
|
|
94
94
|
* Clear session
|
|
95
95
|
*/
|
|
96
96
|
async clearSession(n) {
|
|
97
|
-
await f(
|
|
97
|
+
await f(r, {
|
|
98
98
|
path: n.path
|
|
99
99
|
}), s = null, i = 0;
|
|
100
100
|
},
|
|
@@ -116,7 +116,7 @@ function q(e, r) {
|
|
|
116
116
|
* Check if session is expired
|
|
117
117
|
*/
|
|
118
118
|
isSessionExpired(n) {
|
|
119
|
-
return
|
|
119
|
+
return p(n);
|
|
120
120
|
},
|
|
121
121
|
/**
|
|
122
122
|
* Check if session should be refreshed (within 5 minutes of expiration)
|
|
@@ -129,65 +129,65 @@ function q(e, r) {
|
|
|
129
129
|
}
|
|
130
130
|
};
|
|
131
131
|
}
|
|
132
|
-
async function
|
|
132
|
+
async function P(e, t) {
|
|
133
133
|
try {
|
|
134
|
-
const
|
|
135
|
-
return
|
|
134
|
+
const r = await e.post("/api/auth/refresh");
|
|
135
|
+
return r.data.session ? r.data.session : null;
|
|
136
136
|
} catch {
|
|
137
137
|
return null;
|
|
138
138
|
}
|
|
139
139
|
}
|
|
140
|
-
async function
|
|
140
|
+
async function g(e) {
|
|
141
141
|
try {
|
|
142
|
-
const
|
|
143
|
-
return !
|
|
144
|
-
} catch (
|
|
145
|
-
return console.error("Failed to get server session:",
|
|
142
|
+
const t = await e.getSession();
|
|
143
|
+
return !t || !m(t) || p(t) ? null : t;
|
|
144
|
+
} catch (t) {
|
|
145
|
+
return console.error("Failed to get server session:", t), null;
|
|
146
146
|
}
|
|
147
147
|
}
|
|
148
|
-
async function
|
|
149
|
-
const
|
|
150
|
-
return
|
|
148
|
+
async function S(e, t = "/login") {
|
|
149
|
+
const r = await g(e);
|
|
150
|
+
return r || T(t), r;
|
|
151
151
|
}
|
|
152
|
-
async function _(e,
|
|
153
|
-
const s = await
|
|
154
|
-
return (!s.user.roles || !s.user.roles.includes(
|
|
152
|
+
async function _(e, t, r = "/unauthorized") {
|
|
153
|
+
const s = await S(e);
|
|
154
|
+
return (!s.user.roles || !s.user.roles.includes(t)) && T(r), s;
|
|
155
155
|
}
|
|
156
|
-
async function
|
|
157
|
-
const
|
|
158
|
-
return (
|
|
156
|
+
async function E(e) {
|
|
157
|
+
const t = await g(e);
|
|
158
|
+
return (t == null ? void 0 : t.user) ?? null;
|
|
159
159
|
}
|
|
160
|
-
function
|
|
160
|
+
function L(e, t) {
|
|
161
161
|
return {
|
|
162
|
-
getSession: () =>
|
|
163
|
-
requireAuth: (
|
|
164
|
-
requireRole: (
|
|
162
|
+
getSession: () => g(e),
|
|
163
|
+
requireAuth: (r) => S(e, r),
|
|
164
|
+
requireRole: (r, s) => _(e, r, s)
|
|
165
165
|
};
|
|
166
166
|
}
|
|
167
|
-
function
|
|
167
|
+
function z(e) {
|
|
168
168
|
return {
|
|
169
|
-
getSession: () =>
|
|
170
|
-
requireAuth: (
|
|
171
|
-
requireRole: (
|
|
172
|
-
getCurrentUser: () =>
|
|
169
|
+
getSession: () => g(e),
|
|
170
|
+
requireAuth: (t) => S(e, t),
|
|
171
|
+
requireRole: (t, r) => _(e, t, r),
|
|
172
|
+
getCurrentUser: () => E(e)
|
|
173
173
|
};
|
|
174
174
|
}
|
|
175
|
-
function x(e,
|
|
175
|
+
function x(e, t = []) {
|
|
176
176
|
return [...[
|
|
177
177
|
"/auth/login",
|
|
178
178
|
"/auth/register",
|
|
179
179
|
"/auth/forgot-password",
|
|
180
180
|
"/auth/reset-password",
|
|
181
181
|
"/auth/verify-email"
|
|
182
|
-
], ...
|
|
182
|
+
], ...t].some((i) => e.startsWith(i));
|
|
183
183
|
}
|
|
184
|
-
function D(e,
|
|
184
|
+
function D(e, t = {}) {
|
|
185
185
|
const {
|
|
186
|
-
redirectTo:
|
|
186
|
+
redirectTo: r = "/auth/login",
|
|
187
187
|
requireAuth: s = !1,
|
|
188
188
|
allowedRoles: i = [],
|
|
189
189
|
publicRoutes: h = []
|
|
190
|
-
} =
|
|
190
|
+
} = t;
|
|
191
191
|
return async (n) => {
|
|
192
192
|
const { pathname: a } = n.nextUrl;
|
|
193
193
|
if (x(a, h) || a.startsWith("/api/") || a.startsWith("/_next/") || a.startsWith("/favicon.ico") || a.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))
|
|
@@ -195,88 +195,95 @@ function D(e, r = {}) {
|
|
|
195
195
|
try {
|
|
196
196
|
const o = await e.getSession();
|
|
197
197
|
if (s && !o) {
|
|
198
|
-
const c = new URL(
|
|
199
|
-
return c.searchParams.set("redirect", a),
|
|
198
|
+
const c = new URL(r, n.url);
|
|
199
|
+
return c.searchParams.set("redirect", a), w.redirect(c);
|
|
200
200
|
}
|
|
201
201
|
if (o && i.length > 0) {
|
|
202
202
|
const c = o.user.roles || [];
|
|
203
203
|
if (!i.some((u) => c.includes(u)))
|
|
204
|
-
return
|
|
204
|
+
return w.redirect(new URL("/unauthorized", n.url));
|
|
205
205
|
}
|
|
206
|
-
return o && x(a, h) ?
|
|
206
|
+
return o && x(a, h) ? w.redirect(new URL("/", n.url)) : null;
|
|
207
207
|
} catch (o) {
|
|
208
208
|
return process.env.NODE_ENV === "development" && console.error("[Mulguard Middleware] Error:", o), null;
|
|
209
209
|
}
|
|
210
210
|
};
|
|
211
211
|
}
|
|
212
|
-
function
|
|
212
|
+
function H(e, t = "/auth/login") {
|
|
213
213
|
return D(e, {
|
|
214
214
|
requireAuth: !0,
|
|
215
|
-
redirectTo:
|
|
215
|
+
redirectTo: t
|
|
216
216
|
});
|
|
217
217
|
}
|
|
218
|
-
function
|
|
218
|
+
function V(e, t, r = "/unauthorized") {
|
|
219
219
|
return D(e, {
|
|
220
220
|
requireAuth: !0,
|
|
221
|
-
allowedRoles:
|
|
222
|
-
redirectTo:
|
|
221
|
+
allowedRoles: t,
|
|
222
|
+
redirectTo: r
|
|
223
223
|
});
|
|
224
224
|
}
|
|
225
|
-
const
|
|
226
|
-
async function
|
|
225
|
+
const A = "__mulguard_oauth_state", y = 10 * 60;
|
|
226
|
+
async function k(e, t) {
|
|
227
227
|
try {
|
|
228
|
-
const
|
|
229
|
-
return await
|
|
230
|
-
name:
|
|
231
|
-
value:
|
|
228
|
+
const r = JSON.stringify({ state: e, provider: t, expiresAt: Date.now() + y * 1e3 }), s = process.env.NODE_ENV === "production";
|
|
229
|
+
return await v({
|
|
230
|
+
name: A,
|
|
231
|
+
value: r,
|
|
232
232
|
httpOnly: !0,
|
|
233
233
|
secure: s,
|
|
234
234
|
sameSite: "strict",
|
|
235
235
|
maxAge: y,
|
|
236
236
|
path: "/"
|
|
237
237
|
});
|
|
238
|
-
} catch (
|
|
238
|
+
} catch (r) {
|
|
239
239
|
return {
|
|
240
240
|
success: !1,
|
|
241
|
-
error:
|
|
241
|
+
error: r instanceof Error ? r.message : "Failed to store OAuth state"
|
|
242
242
|
};
|
|
243
243
|
}
|
|
244
244
|
}
|
|
245
|
-
async function
|
|
245
|
+
async function N() {
|
|
246
246
|
try {
|
|
247
|
-
const e = await R(
|
|
247
|
+
const e = await R(A);
|
|
248
248
|
if (!e)
|
|
249
249
|
return null;
|
|
250
|
-
const
|
|
251
|
-
return
|
|
252
|
-
state:
|
|
253
|
-
provider:
|
|
250
|
+
const t = JSON.parse(e);
|
|
251
|
+
return t.expiresAt < Date.now() ? (await d(), null) : (await d(), {
|
|
252
|
+
state: t.state,
|
|
253
|
+
provider: t.provider
|
|
254
254
|
});
|
|
255
255
|
} catch {
|
|
256
|
-
return await
|
|
256
|
+
return await d(), null;
|
|
257
257
|
}
|
|
258
258
|
}
|
|
259
|
-
async function
|
|
260
|
-
await f(
|
|
259
|
+
async function d() {
|
|
260
|
+
await f(A, { path: "/" });
|
|
261
261
|
}
|
|
262
|
+
const W = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
|
|
263
|
+
__proto__: null,
|
|
264
|
+
deleteOAuthStateCookie: d,
|
|
265
|
+
getOAuthStateCookie: N,
|
|
266
|
+
storeOAuthStateCookie: k
|
|
267
|
+
}, Symbol.toStringTag, { value: "Module" }));
|
|
262
268
|
export {
|
|
263
|
-
|
|
264
|
-
|
|
269
|
+
M as a,
|
|
270
|
+
p as b,
|
|
265
271
|
D as c,
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
272
|
+
V as d,
|
|
273
|
+
g as e,
|
|
274
|
+
S as f,
|
|
275
|
+
q as g,
|
|
270
276
|
_ as h,
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
277
|
+
U as i,
|
|
278
|
+
E as j,
|
|
279
|
+
z as k,
|
|
280
|
+
N as l,
|
|
281
|
+
d as m,
|
|
282
|
+
j as n,
|
|
283
|
+
P as o,
|
|
284
|
+
L as p,
|
|
285
|
+
W as q,
|
|
286
|
+
H as r,
|
|
287
|
+
k as s,
|
|
281
288
|
m as v
|
|
282
289
|
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
"use strict";const f=require("./actions-CExpv_dD.js"),C=require("next/navigation"),A=require("next/server");function d(e){return!e||!e.expiresAt?!1:new Date(e.expiresAt)<new Date}function E(e,t=5){if(!e||!e.expiresAt)return!1;const r=new Date(e.expiresAt),s=new Date,i=(r.getTime()-s.getTime())/(1e3*60);return i>0&&i<t}function D(e){if(!e||!e.expiresAt)return null;const t=new Date(e.expiresAt),r=new Date,s=(t.getTime()-r.getTime())/(1e3*60);return s>0?Math.floor(s):0}function N(e){return!(!e||!e.user||!e.user.id||!e.user.email||!e.user.name||d(e))}function S(e){if(!e||typeof e!="object")return!1;const t=e;if(!t.user||typeof t.user!="object")return!1;const r=t.user;if(typeof r.id!="string"||r.id.length===0||typeof r.email!="string"||r.email.length===0||typeof r.name!="string"||r.name.length===0||!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r.email))return!1;if(t.expiresAt)if(t.expiresAt instanceof Date){if(isNaN(t.expiresAt.getTime()))return!1}else if(typeof t.expiresAt=="string"){const i=new Date(t.expiresAt);if(isNaN(i.getTime()))return!1}else return!1;return!0}function O(e,t){const r=t.cookieName||"__mulguard_session";let s=null,i=0;const p=6e4;return{async getSession(n){try{if(!await f.getCookie(r))return s=null,null;const a=Date.now();if(s&&a-i<p){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(s,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s}const c=await e.get("/api/auth/session");if(!c.data.session)return s=null,null;const l=c.data.session;if(!S(l))return await f.deleteCookie(r),s=null,null;if(d(l)){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return await f.deleteCookie(r),s=null,null}if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s=l,i=a,l}catch{return await f.deleteCookie(r),s=null,null}},setSession(n,u){},async clearSession(n){await f.deleteCookie(r,{path:n.path}),s=null,i=0},async refreshSession(){try{const n=await e.post("/api/auth/refresh");if(!n.data.session)return s=null,null;const u=n.data.session;return S(u)?(s=u,i=Date.now(),u):(s=null,null)}catch{return s=null,null}},isSessionExpired(n){return d(n)},shouldRefreshSession(n,u){if(!n.expiresAt)return!1;const a=new Date(n.expiresAt),c=new Date,l=a.getTime()-c.getTime(),o=5*60*1e3;return l>0&&l<o}}}async function q(e,t){try{const r=await e.post("/api/auth/refresh");return r.data.session?r.data.session:null}catch{return null}}async function g(e){try{const t=await e.getSession();return!t||!S(t)||d(t)?null:t}catch(t){return console.error("Failed to get server session:",t),null}}async function w(e,t="/login"){const r=await g(e);return r||C.redirect(t),r}async function m(e,t,r="/unauthorized"){const s=await w(e);return(!s.user.roles||!s.user.roles.includes(t))&&C.redirect(r),s}async function _(e){const t=await g(e);return(t==null?void 0:t.user)??null}function M(e,t){return{getSession:()=>g(e),requireAuth:r=>w(e,r),requireRole:(r,s)=>m(e,r,s)}}function U(e){return{getSession:()=>g(e),requireAuth:t=>w(e,t),requireRole:(t,r)=>m(e,t,r),getCurrentUser:()=>_(e)}}function y(e,t=[]){return[...["/auth/login","/auth/register","/auth/forgot-password","/auth/reset-password","/auth/verify-email"],...t].some(i=>e.startsWith(i))}function x(e,t={}){const{redirectTo:r="/auth/login",requireAuth:s=!1,allowedRoles:i=[],publicRoutes:p=[]}=t;return async n=>{const{pathname:u}=n.nextUrl;if(y(u,p)||u.startsWith("/api/")||u.startsWith("/_next/")||u.startsWith("/favicon.ico")||u.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))return null;try{const a=await e.getSession();if(s&&!a){const c=new URL(r,n.url);return c.searchParams.set("redirect",u),A.NextResponse.redirect(c)}if(a&&i.length>0){const c=a.user.roles||[];if(!i.some(o=>c.includes(o)))return A.NextResponse.redirect(new URL("/unauthorized",n.url))}return a&&y(u,p)?A.NextResponse.redirect(new URL("/",n.url)):null}catch(a){return process.env.NODE_ENV==="development"&&console.error("[Mulguard Middleware] Error:",a),null}}}function b(e,t="/auth/login"){return x(e,{requireAuth:!0,redirectTo:t})}function P(e,t,r="/unauthorized"){return x(e,{requireAuth:!0,allowedRoles:t,redirectTo:r})}const R="__mulguard_oauth_state",T=10*60;async function k(e,t){try{const r=JSON.stringify({state:e,provider:t,expiresAt:Date.now()+T*1e3}),s=process.env.NODE_ENV==="production";return await f.setCookie({name:R,value:r,httpOnly:!0,secure:s,sameSite:"strict",maxAge:T,path:"/"})}catch(r){return{success:!1,error:r instanceof Error?r.message:"Failed to store OAuth state"}}}async function v(){try{const e=await f.getCookie(R);if(!e)return null;const t=JSON.parse(e);return t.expiresAt<Date.now()?(await h(),null):(await h(),{state:t.state,provider:t.provider})}catch{return await h(),null}}async function h(){await f.deleteCookie(R,{path:"/"})}const j=Object.freeze(Object.defineProperty({__proto__:null,deleteOAuthStateCookie:h,getOAuthStateCookie:v,storeOAuthStateCookie:k},Symbol.toStringTag,{value:"Module"}));exports.createAuthMiddleware=x;exports.createServerHelpers=M;exports.createServerUtils=U;exports.createSessionManager=O;exports.deleteOAuthStateCookie=h;exports.getCurrentUser=_;exports.getOAuthStateCookie=v;exports.getServerSession=g;exports.getSessionTimeUntilExpiry=D;exports.isSessionExpiredNullable=d;exports.isSessionExpiringSoon=E;exports.isSessionValid=N;exports.oauthState=j;exports.refreshSession=q;exports.requireAuth=w;exports.requireAuthMiddleware=b;exports.requireRole=m;exports.requireRoleMiddleware=P;exports.storeOAuthStateCookie=k;exports.validateSessionStructure=S;
|
package/dist/server/index.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const i=require("../actions-CExpv_dD.js"),e=require("../oauth-state-
|
|
1
|
+
"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const i=require("../actions-CExpv_dD.js"),e=require("../oauth-state-DlvrCV11.js");exports.buildCookieOptions=i.buildCookieOptions;exports.deleteCookie=i.deleteCookie;exports.getCookie=i.getCookie;exports.setCookie=i.setCookie;exports.signInEmailAction=i.signInEmailAction;exports.signOutAction=i.signOutAction;exports.signUpAction=i.signUpAction;exports.verify2FAAction=i.verify2FAAction;exports.createServerAuthMiddleware=e.createAuthMiddleware;exports.createServerHelpers=e.createServerHelpers;exports.createServerUtils=e.createServerUtils;exports.createSessionManager=e.createSessionManager;exports.deleteOAuthStateCookie=e.deleteOAuthStateCookie;exports.getCurrentUser=e.getCurrentUser;exports.getOAuthStateCookie=e.getOAuthStateCookie;exports.getServerSession=e.getServerSession;exports.getSessionTimeUntilExpiry=e.getSessionTimeUntilExpiry;exports.isSessionExpiredNullable=e.isSessionExpiredNullable;exports.isSessionExpiringSoon=e.isSessionExpiringSoon;exports.isSessionValid=e.isSessionValid;exports.refreshSession=e.refreshSession;exports.requireAuth=e.requireAuth;exports.requireRole=e.requireRole;exports.requireServerAuthMiddleware=e.requireAuthMiddleware;exports.requireServerRoleMiddleware=e.requireRoleMiddleware;exports.storeOAuthStateCookie=e.storeOAuthStateCookie;exports.validateSessionStructure=e.validateSessionStructure;
|
package/dist/server/index.mjs
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { e as a, d as i, g as r, c as t, a as o, s as n, b as S, v as l } from "../actions-DeCfLtHA.mjs";
|
|
2
|
-
import { c as d, p as g, k as c, n as A, m as v, j as p, l as h, e as k, g as C, b as f, i as m, a as x, o as O, f as b, h as q, r as E, d as M, s as U, v as w } from "../oauth-state-
|
|
2
|
+
import { c as d, p as g, k as c, n as A, m as v, j as p, l as h, e as k, g as C, b as f, i as m, a as x, o as O, f as b, h as q, r as E, d as M, s as U, v as w } from "../oauth-state-DKle8eCr.mjs";
|
|
3
3
|
export {
|
|
4
4
|
a as buildCookieOptions,
|
|
5
5
|
d as createServerAuthMiddleware,
|
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Server-side OAuth state management
|
|
3
3
|
* Stores OAuth state in httpOnly cookies for security
|
|
4
|
+
*
|
|
5
|
+
* ✅ SECURE: Uses httpOnly cookies to prevent XSS attacks
|
|
6
|
+
* ✅ PRODUCTION-READY: Works with Next.js Server Actions
|
|
7
|
+
*
|
|
8
|
+
* ⚠️ NOTE: For production with multiple server instances, use Redis or Database store instead.
|
|
9
|
+
* See: mulguard/core/auth/oauth-state-store-redis
|
|
4
10
|
*/
|
|
5
11
|
/**
|
|
6
12
|
* Store OAuth state in httpOnly cookie
|
package/package.json
CHANGED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
"use strict";const f=require("./actions-CExpv_dD.js"),C=require("next/navigation"),A=require("next/server");function h(e){return!e||!e.expiresAt?!1:new Date(e.expiresAt)<new Date}function v(e,t=5){if(!e||!e.expiresAt)return!1;const r=new Date(e.expiresAt),s=new Date,i=(r.getTime()-s.getTime())/(1e3*60);return i>0&&i<t}function E(e){if(!e||!e.expiresAt)return null;const t=new Date(e.expiresAt),r=new Date,s=(t.getTime()-r.getTime())/(1e3*60);return s>0?Math.floor(s):0}function _(e){return!(!e||!e.user||!e.user.id||!e.user.email||!e.user.name||h(e))}function w(e){if(!e||typeof e!="object")return!1;const t=e;if(!t.user||typeof t.user!="object")return!1;const r=t.user;if(typeof r.id!="string"||r.id.length===0||typeof r.email!="string"||r.email.length===0||typeof r.name!="string"||r.name.length===0||!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r.email))return!1;if(t.expiresAt)if(t.expiresAt instanceof Date){if(isNaN(t.expiresAt.getTime()))return!1}else if(typeof t.expiresAt=="string"){const i=new Date(t.expiresAt);if(isNaN(i.getTime()))return!1}else return!1;return!0}function D(e,t){const r=t.cookieName||"__mulguard_session";let s=null,i=0;const g=6e4;return{async getSession(n){try{if(!await f.getCookie(r))return s=null,null;const a=Date.now();if(s&&a-i<g){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(s,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s}const c=await e.get("/api/auth/session");if(!c.data.session)return s=null,null;const l=c.data.session;if(!w(l))return await f.deleteCookie(r),s=null,null;if(h(l)){if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return await f.deleteCookie(r),s=null,null}if(!(n!=null&&n.skipRefresh)&&this.shouldRefreshSession(l,t)){const o=await this.refreshSession();if(o)return s=o,i=a,o}return s=l,i=a,l}catch{return await f.deleteCookie(r),s=null,null}},setSession(n,u){},async clearSession(n){await f.deleteCookie(r,{path:n.path}),s=null,i=0},async refreshSession(){try{const n=await e.post("/api/auth/refresh");if(!n.data.session)return s=null,null;const u=n.data.session;return w(u)?(s=u,i=Date.now(),u):(s=null,null)}catch{return s=null,null}},isSessionExpired(n){return h(n)},shouldRefreshSession(n,u){if(!n.expiresAt)return!1;const a=new Date(n.expiresAt),c=new Date,l=a.getTime()-c.getTime(),o=5*60*1e3;return l>0&&l<o}}}async function N(e,t){try{const r=await e.post("/api/auth/refresh");return r.data.session?r.data.session:null}catch{return null}}async function d(e){try{const t=await e.getSession();return!t||!w(t)||h(t)?null:t}catch(t){return console.error("Failed to get server session:",t),null}}async function S(e,t="/login"){const r=await d(e);return r||C.redirect(t),r}async function m(e,t,r="/unauthorized"){const s=await S(e);return(!s.user.roles||!s.user.roles.includes(t))&&C.redirect(r),s}async function k(e){const t=await d(e);return(t==null?void 0:t.user)??null}function q(e,t){return{getSession:()=>d(e),requireAuth:r=>S(e,r),requireRole:(r,s)=>m(e,r,s)}}function O(e){return{getSession:()=>d(e),requireAuth:t=>S(e,t),requireRole:(t,r)=>m(e,t,r),getCurrentUser:()=>k(e)}}function y(e,t=[]){return[...["/auth/login","/auth/register","/auth/forgot-password","/auth/reset-password","/auth/verify-email"],...t].some(i=>e.startsWith(i))}function x(e,t={}){const{redirectTo:r="/auth/login",requireAuth:s=!1,allowedRoles:i=[],publicRoutes:g=[]}=t;return async n=>{const{pathname:u}=n.nextUrl;if(y(u,g)||u.startsWith("/api/")||u.startsWith("/_next/")||u.startsWith("/favicon.ico")||u.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))return null;try{const a=await e.getSession();if(s&&!a){const c=new URL(r,n.url);return c.searchParams.set("redirect",u),A.NextResponse.redirect(c)}if(a&&i.length>0){const c=a.user.roles||[];if(!i.some(o=>c.includes(o)))return A.NextResponse.redirect(new URL("/unauthorized",n.url))}return a&&y(u,g)?A.NextResponse.redirect(new URL("/",n.url)):null}catch(a){return process.env.NODE_ENV==="development"&&console.error("[Mulguard Middleware] Error:",a),null}}}function U(e,t="/auth/login"){return x(e,{requireAuth:!0,redirectTo:t})}function M(e,t,r="/unauthorized"){return x(e,{requireAuth:!0,allowedRoles:t,redirectTo:r})}const R="__mulguard_oauth_state",T=10*60;async function b(e,t){try{const r=JSON.stringify({state:e,provider:t,expiresAt:Date.now()+T*1e3}),s=process.env.NODE_ENV==="production";return await f.setCookie({name:R,value:r,httpOnly:!0,secure:s,sameSite:"strict",maxAge:T,path:"/"})}catch(r){return{success:!1,error:r instanceof Error?r.message:"Failed to store OAuth state"}}}async function P(){try{const e=await f.getCookie(R);if(!e)return null;const t=JSON.parse(e);return t.expiresAt<Date.now()?(await p(),null):(await p(),{state:t.state,provider:t.provider})}catch{return await p(),null}}async function p(){await f.deleteCookie(R,{path:"/"})}exports.createAuthMiddleware=x;exports.createServerHelpers=q;exports.createServerUtils=O;exports.createSessionManager=D;exports.deleteOAuthStateCookie=p;exports.getCurrentUser=k;exports.getOAuthStateCookie=P;exports.getServerSession=d;exports.getSessionTimeUntilExpiry=E;exports.isSessionExpiredNullable=h;exports.isSessionExpiringSoon=v;exports.isSessionValid=_;exports.refreshSession=N;exports.requireAuth=S;exports.requireAuthMiddleware=U;exports.requireRole=m;exports.requireRoleMiddleware=M;exports.storeOAuthStateCookie=b;exports.validateSessionStructure=w;
|