najm-auth 1.1.29 → 1.1.31

package/dist/client/react/index.d.ts

@@ -12,8 +12,22 @@ interface AuthProviderProps {
      * Pass `null` to assert "no session" (also skips the boot fetch).
      */
     initialSession?: HydrateSession | null;
+    /**
+     * Auto-refresh the access token in the background when the hydrated
+     * session has a user but no access token. Default: true.
+     * Children always render; the refresh does not gate the tree.
+     */
+    autoRefresh?: boolean;
+}
+declare function AuthProvider({ client, children, initialSession, autoRefresh, }: AuthProviderProps): react_jsx_runtime.JSX.Element;
+
+interface AuthBoundaryProps {
+    children: ReactNode;
+    fallback?: ReactNode;
+    /** Only gate while we truly have no identity; default false. */
+    requireToken?: boolean;
 }
-declare function AuthProvider({ client, children, initialSession }: AuthProviderProps): react_jsx_runtime.JSX.Element;
+declare function AuthBoundary({ children, fallback, requireToken, }: AuthBoundaryProps): react_jsx_runtime.JSX.Element;
 
 declare function useAuthClient(): NajmAuthClient;
 
@@ -523,4 +537,4 @@ interface RedirectToLoginProps {
  */
 declare function RedirectToLogin({ to, preserveFrom }: RedirectToLoginProps): any;
 
-export { type AuthEventEntry, AuthGate, AuthLoading, AuthProvider, Can, IfAuth, LoginButton, PermissionList, Protected, RedirectToLogin, Role, type SessionStatus, SignOutButton, SignedIn, SignedOut, UserAvatar, UserEmail, UserName, UserRole, useAuth, useAuthClient, useAuthEvent, useAuthEvents, useChangePassword, useForgotPassword, useLogin, useLogout, usePermissions, useRegister, useResetPassword, useSession, useUser };
+export { AuthBoundary, type AuthEventEntry, AuthGate, AuthLoading, AuthProvider, Can, IfAuth, LoginButton, PermissionList, Protected, RedirectToLogin, Role, type SessionStatus, SignOutButton, SignedIn, SignedOut, UserAvatar, UserEmail, UserName, UserRole, useAuth, useAuthClient, useAuthEvent, useAuthEvents, useChangePassword, useForgotPassword, useLogin, useLogout, usePermissions, useRegister, useResetPassword, useSession, useUser };

package/dist/client/react/index.js

@@ -3,7 +3,7 @@ var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 
 // src/client/react/AuthProvider.tsx
-import { useRef } from "react";
+import { useEffect, useRef } from "react";
 
 // src/client/react/context.ts
 import { createContext, useContext } from "react";
@@ -17,18 +17,6 @@ function useAuthClient() {
 }
 __name(useAuthClient, "useAuthClient");
 
-// src/client/react/AuthProvider.tsx
-import { jsx } from "react/jsx-runtime";
-function AuthProvider({ client, children, initialSession }) {
-  const hydrated = useRef(false);
-  if (!hydrated.current && initialSession !== void 0) {
-    client.hydrate(initialSession);
-    hydrated.current = true;
-  }
-  return /* @__PURE__ */ jsx(AuthClientContext.Provider, { value: client, children });
-}
-__name(AuthProvider, "AuthProvider");
-
 // src/client/react/useAuth.ts
 import { useSyncExternalStore } from "react";
 function useAuth() {
@@ -41,6 +29,55 @@ function useAuth() {
 }
 __name(useAuth, "useAuth");
 
+// src/client/react/AuthProvider.tsx
+import { jsx, jsxs } from "react/jsx-runtime";
+function AuthProvider({
+  client,
+  children,
+  initialSession,
+  autoRefresh = true
+}) {
+  const hydrated = useRef(false);
+  if (!hydrated.current && initialSession !== void 0) {
+    client.hydrate(initialSession);
+    hydrated.current = true;
+  }
+  return /* @__PURE__ */ jsxs(AuthClientContext.Provider, { value: client, children: [
+    autoRefresh ? /* @__PURE__ */ jsx(AutoRefresh, {}) : null,
+    children
+  ] });
+}
+__name(AuthProvider, "AuthProvider");
+function AutoRefresh() {
+  const { isAuthenticated, accessToken } = useAuth();
+  const client = useAuthClient();
+  const triggered = useRef(false);
+  useEffect(() => {
+    if (triggered.current) return;
+    if (isAuthenticated && !accessToken) {
+      triggered.current = true;
+      client.refresh().catch(() => {
+      });
+    }
+  }, [isAuthenticated, accessToken, client]);
+  return null;
+}
+__name(AutoRefresh, "AutoRefresh");
+
+// src/client/react/AuthBoundary.tsx
+import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
+function AuthBoundary({
+  children,
+  fallback = null,
+  requireToken = false
+}) {
+  const { isAuthenticated, isLoading, accessToken } = useAuth();
+  if (isLoading) return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
+  if (requireToken && isAuthenticated && !accessToken) return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
+  return /* @__PURE__ */ jsx2(Fragment, { children });
+}
+__name(AuthBoundary, "AuthBoundary");
+
 // src/client/react/useUser.ts
 function useUser() {
   const { user } = useAuth();
@@ -49,13 +86,13 @@ function useUser() {
 __name(useUser, "useUser");
 
 // src/client/react/useSession.ts
-import { useEffect, useRef as useRef2, useState } from "react";
+import { useEffect as useEffect2, useRef as useRef2, useState } from "react";
 function useSession(opts) {
   const client = useAuthClient();
   const state = useAuth();
   const [isLoading, setIsLoading] = useState(() => !client.isHydrated());
   const didInit = useRef2(false);
-  useEffect(() => {
+  useEffect2(() => {
     if (didInit.current) return;
     didInit.current = true;
     if (client.isHydrated()) {
@@ -66,7 +103,7 @@ function useSession(opts) {
     }
     client.refresh().then(() => client.fetchUser()).catch((err) => opts?.onError?.(err)).finally(() => setIsLoading(false));
   }, [client]);
-  useEffect(() => {
+  useEffect2(() => {
     if (isLoading) return;
     if (!opts?.required) return;
     if (state.isAuthenticated) return;
@@ -262,12 +299,12 @@ function useChangePassword(opts) {
 __name(useChangePassword, "useChangePassword");
 
 // src/client/react/useAuthEvent.ts
-import { useEffect as useEffect2, useRef as useRef3 } from "react";
+import { useEffect as useEffect3, useRef as useRef3 } from "react";
 function useAuthEvent(event, handler) {
   const client = useAuthClient();
   const handlerRef = useRef3(handler);
   handlerRef.current = handler;
-  useEffect2(() => {
+  useEffect3(() => {
     const listener = /* @__PURE__ */ __name((data) => handlerRef.current(data), "listener");
     client.on(event, listener);
     return () => client.off(event, listener);
@@ -276,7 +313,7 @@ function useAuthEvent(event, handler) {
 __name(useAuthEvent, "useAuthEvent");
 
 // src/client/react/useAuthEvents.ts
-import { useEffect as useEffect3, useRef as useRef4, useState as useState8 } from "react";
+import { useEffect as useEffect4, useRef as useRef4, useState as useState8 } from "react";
 var ALL_EVENTS = [
   "login",
   "logout",
@@ -292,7 +329,7 @@ function useAuthEvents(opts) {
   const [entries, setEntries] = useState8([]);
   const maxRef = useRef4(max);
   maxRef.current = max;
-  useEffect3(() => {
+  useEffect4(() => {
     const cleanups = [];
     for (const event of ALL_EVENTS) {
       const handler = /* @__PURE__ */ __name(((data) => {
@@ -313,64 +350,64 @@ function useAuthEvents(opts) {
 __name(useAuthEvents, "useAuthEvents");
 
 // src/client/react/SignedIn.tsx
-import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
+import { Fragment as Fragment2, jsx as jsx3 } from "react/jsx-runtime";
 function SignedIn({ children }) {
   const { status } = useSession();
   if (status !== "authenticated") return null;
-  return /* @__PURE__ */ jsx2(Fragment, { children });
+  return /* @__PURE__ */ jsx3(Fragment2, { children });
 }
 __name(SignedIn, "SignedIn");
 
 // src/client/react/SignedOut.tsx
-import { Fragment as Fragment2, jsx as jsx3 } from "react/jsx-runtime";
+import { Fragment as Fragment3, jsx as jsx4 } from "react/jsx-runtime";
 function SignedOut({ children }) {
   const { status } = useSession();
   if (status !== "unauthenticated") return null;
-  return /* @__PURE__ */ jsx3(Fragment2, { children });
+  return /* @__PURE__ */ jsx4(Fragment3, { children });
 }
 __name(SignedOut, "SignedOut");
 
 // src/client/react/AuthLoading.tsx
-import { Fragment as Fragment3, jsx as jsx4 } from "react/jsx-runtime";
+import { Fragment as Fragment4, jsx as jsx5 } from "react/jsx-runtime";
 function AuthLoading({ children }) {
   const { status } = useSession();
   if (status !== "loading") return null;
-  return /* @__PURE__ */ jsx4(Fragment3, { children });
+  return /* @__PURE__ */ jsx5(Fragment4, { children });
 }
 __name(AuthLoading, "AuthLoading");
 
 // src/client/react/Can.tsx
-import { Fragment as Fragment4, jsx as jsx5 } from "react/jsx-runtime";
+import { Fragment as Fragment5, jsx as jsx6 } from "react/jsx-runtime";
 function Can({ permission, role, children, fallback = null }) {
   const { can, hasRole } = usePermissions();
   const allowed = permission ? can(permission) : role ? hasRole(role) : false;
-  return /* @__PURE__ */ jsx5(Fragment4, { children: allowed ? children : fallback });
+  return /* @__PURE__ */ jsx6(Fragment5, { children: allowed ? children : fallback });
 }
 __name(Can, "Can");
 
 // src/client/react/Role.tsx
-import { Fragment as Fragment5, jsx as jsx6 } from "react/jsx-runtime";
+import { Fragment as Fragment6, jsx as jsx7 } from "react/jsx-runtime";
 function Role(props) {
   const { is, any: anyRole, children, fallback = null } = props;
   const { hasRole, hasAnyRole } = usePermissions();
   const allowed = is ? hasRole(is) : anyRole ? hasAnyRole(anyRole) : false;
-  return /* @__PURE__ */ jsx6(Fragment5, { children: allowed ? children : fallback });
+  return /* @__PURE__ */ jsx7(Fragment6, { children: allowed ? children : fallback });
 }
 __name(Role, "Role");
 
 // src/client/react/IfAuth.tsx
-import { Fragment as Fragment6, jsx as jsx7 } from "react/jsx-runtime";
+import { Fragment as Fragment7, jsx as jsx8 } from "react/jsx-runtime";
 function IfAuth({ authenticated, unauthenticated, loading }) {
   const { status } = useSession();
   const user = useUser();
-  if (status === "loading") return /* @__PURE__ */ jsx7(Fragment6, { children: loading?.() ?? null });
-  if (status === "authenticated" && user) return /* @__PURE__ */ jsx7(Fragment6, { children: authenticated(user) });
-  return /* @__PURE__ */ jsx7(Fragment6, { children: unauthenticated?.() ?? null });
+  if (status === "loading") return /* @__PURE__ */ jsx8(Fragment7, { children: loading?.() ?? null });
+  if (status === "authenticated" && user) return /* @__PURE__ */ jsx8(Fragment7, { children: authenticated(user) });
+  return /* @__PURE__ */ jsx8(Fragment7, { children: unauthenticated?.() ?? null });
 }
 __name(IfAuth, "IfAuth");
 
 // src/client/react/Protected.tsx
-import { Fragment as Fragment7, jsx as jsx8 } from "react/jsx-runtime";
+import { Fragment as Fragment8, jsx as jsx9 } from "react/jsx-runtime";
 function Protected({
   children,
   redirectTo,
@@ -388,17 +425,17 @@ function Protected({
     onUnauthenticated
   });
   const { can, hasRole } = usePermissions();
-  if (isLoading) return /* @__PURE__ */ jsx8(Fragment7, { children: resolvedLoading });
-  if (!isAuthenticated) return /* @__PURE__ */ jsx8(Fragment7, { children: resolvedFallback });
-  if (role && !hasRole(role)) return /* @__PURE__ */ jsx8(Fragment7, { children: resolvedFallback });
-  if (permission && !can(permission)) return /* @__PURE__ */ jsx8(Fragment7, { children: resolvedFallback });
-  return /* @__PURE__ */ jsx8(Fragment7, { children });
+  if (isLoading) return /* @__PURE__ */ jsx9(Fragment8, { children: resolvedLoading });
+  if (!isAuthenticated) return /* @__PURE__ */ jsx9(Fragment8, { children: resolvedFallback });
+  if (role && !hasRole(role)) return /* @__PURE__ */ jsx9(Fragment8, { children: resolvedFallback });
+  if (permission && !can(permission)) return /* @__PURE__ */ jsx9(Fragment8, { children: resolvedFallback });
+  return /* @__PURE__ */ jsx9(Fragment8, { children });
 }
 __name(Protected, "Protected");
 
 // src/client/react/AuthGate.tsx
-import { useEffect as useEffect4, useSyncExternalStore as useSyncExternalStore2 } from "react";
-import { Fragment as Fragment8, jsx as jsx9 } from "react/jsx-runtime";
+import { useEffect as useEffect5, useSyncExternalStore as useSyncExternalStore2 } from "react";
+import { Fragment as Fragment9, jsx as jsx10 } from "react/jsx-runtime";
 function AuthGate({
   children,
   loader = null,
@@ -415,13 +452,13 @@ function AuthGate({
     () => client.getState()
   );
   const hydrated = client.isHydrated();
-  useEffect4(() => {
+  useEffect5(() => {
     if (hydrated) return;
     client.refresh().then(() => client.fetchUser()).catch(() => {
     });
   }, [client, hydrated]);
   if (!hydrated && !state.isAuthenticated) {
-    return /* @__PURE__ */ jsx9(Fragment8, { children: loader });
+    return /* @__PURE__ */ jsx10(Fragment9, { children: loader });
   }
   if (!state.isAuthenticated) {
     if (onUnauthenticated) {
@@ -429,46 +466,46 @@ function AuthGate({
     } else if (redirectTo && typeof window !== "undefined") {
       window.location.href = redirectTo;
     }
-    return /* @__PURE__ */ jsx9(Fragment8, { children: loader });
+    return /* @__PURE__ */ jsx10(Fragment9, { children: loader });
   }
   if (role && !client.hasRole(role)) {
-    return /* @__PURE__ */ jsx9(Fragment8, { children: denied });
+    return /* @__PURE__ */ jsx10(Fragment9, { children: denied });
   }
   if (permission && !client.can(permission)) {
-    return /* @__PURE__ */ jsx9(Fragment8, { children: denied });
+    return /* @__PURE__ */ jsx10(Fragment9, { children: denied });
   }
-  return /* @__PURE__ */ jsx9(Fragment8, { children });
+  return /* @__PURE__ */ jsx10(Fragment9, { children });
 }
 __name(AuthGate, "AuthGate");
 
 // src/client/react/UserName.tsx
-import { Fragment as Fragment9, jsx as jsx10 } from "react/jsx-runtime";
+import { Fragment as Fragment10, jsx as jsx11 } from "react/jsx-runtime";
 function UserName({ fallback = "" }) {
   const user = useUser();
-  if (!user) return /* @__PURE__ */ jsx10(Fragment9, { children: fallback });
+  if (!user) return /* @__PURE__ */ jsx11(Fragment10, { children: fallback });
   const name = user.name ?? user.email ?? fallback;
-  return /* @__PURE__ */ jsx10(Fragment9, { children: name });
+  return /* @__PURE__ */ jsx11(Fragment10, { children: name });
 }
 __name(UserName, "UserName");
 
 // src/client/react/UserEmail.tsx
-import { Fragment as Fragment10, jsx as jsx11 } from "react/jsx-runtime";
+import { Fragment as Fragment11, jsx as jsx12 } from "react/jsx-runtime";
 function UserEmail({ fallback = "" }) {
   const user = useUser();
-  return /* @__PURE__ */ jsx11(Fragment10, { children: user?.email ?? fallback });
+  return /* @__PURE__ */ jsx12(Fragment11, { children: user?.email ?? fallback });
 }
 __name(UserEmail, "UserEmail");
 
 // src/client/react/UserRole.tsx
-import { Fragment as Fragment11, jsx as jsx12 } from "react/jsx-runtime";
+import { Fragment as Fragment12, jsx as jsx13 } from "react/jsx-runtime";
 function UserRole({ fallback = "" }) {
   const { roles } = usePermissions();
-  return /* @__PURE__ */ jsx12(Fragment11, { children: roles[0] ?? fallback });
+  return /* @__PURE__ */ jsx13(Fragment12, { children: roles[0] ?? fallback });
 }
 __name(UserRole, "UserRole");
 
 // src/client/react/UserAvatar.tsx
-import { jsx as jsx13 } from "react/jsx-runtime";
+import { jsx as jsx14 } from "react/jsx-runtime";
 function UserAvatar({ size = 32, className, style, alt }) {
   const user = useUser();
   const baseStyle = {
@@ -491,7 +528,7 @@ function UserAvatar({ size = 32, className, style, alt }) {
   const initial = label ? label[0].toUpperCase() : "?";
   const altText = alt ?? label ?? "User avatar";
   if (src) {
-    return /* @__PURE__ */ jsx13(
+    return /* @__PURE__ */ jsx14(
       "img",
       {
         src,
@@ -503,7 +540,7 @@ function UserAvatar({ size = 32, className, style, alt }) {
       }
     );
   }
-  return /* @__PURE__ */ jsx13(
+  return /* @__PURE__ */ jsx14(
     "span",
     {
       role: "img",
@@ -517,11 +554,11 @@ function UserAvatar({ size = 32, className, style, alt }) {
 __name(UserAvatar, "UserAvatar");
 
 // src/client/react/PermissionList.tsx
-import { Fragment as Fragment12, jsx as jsx14 } from "react/jsx-runtime";
+import { Fragment as Fragment13, jsx as jsx15 } from "react/jsx-runtime";
 function PermissionList({ children, fallback = null }) {
   const { permissions } = usePermissions();
-  if (permissions.length === 0) return /* @__PURE__ */ jsx14(Fragment12, { children: fallback });
-  return /* @__PURE__ */ jsx14(Fragment12, { children: permissions.map((perm, i) => children(perm, i)) });
+  if (permissions.length === 0) return /* @__PURE__ */ jsx15(Fragment13, { children: fallback });
+  return /* @__PURE__ */ jsx15(Fragment13, { children: permissions.map((perm, i) => children(perm, i)) });
 }
 __name(PermissionList, "PermissionList");
 
@@ -560,9 +597,9 @@ function LoginButton({ href = "/login", children }) {
 __name(LoginButton, "LoginButton");
 
 // src/client/react/RedirectToLogin.tsx
-import { useEffect as useEffect5 } from "react";
+import { useEffect as useEffect6 } from "react";
 function RedirectToLogin({ to = "/login", preserveFrom = true }) {
-  useEffect5(() => {
+  useEffect6(() => {
     if (typeof window === "undefined") return;
     const target = preserveFrom ? `${to}?from=${encodeURIComponent(window.location.pathname + window.location.search)}` : to;
     window.location.href = target;
@@ -571,6 +608,7 @@ function RedirectToLogin({ to = "/login", preserveFrom = true }) {
 }
 __name(RedirectToLogin, "RedirectToLogin");
 export {
+  AuthBoundary,
   AuthGate,
   AuthLoading,
   AuthProvider,

package/dist/client/server/index.d.ts

@@ -74,8 +74,16 @@ interface AuthMiddlewareConfig {
     roleRoutes?: Record<string, string[]>;
     /** Refresh token cookie name (default: 'refreshToken') */
     cookieName?: string;
+    /** Session cookie name to clear on redirect (default: 'najm.session') */
+    sessionCookieName?: string;
     /** URL of the verify endpoint (default: derived from request) */
     verifyURL?: string;
+    /**
+     * When true, call the verify endpoint on EVERY protected route (not just
+     * roleRoutes). Redirects to loginRoute if the session is invalid. Adds one
+     * fetch per navigation — trade latency for stronger guarantees.
+     */
+    verifyAlways?: boolean;
 }
 /**
  * Create a Next.js middleware function that protects routes based on auth state.
@@ -230,6 +238,12 @@ interface DefineAuthConfig {
     sessionSecret?: string;
     /** Next.js middleware matcher (default: exclude _next, favicon, api) */
     matcher?: string[];
+    /**
+     * When true, call the verify endpoint on every protected route (not just
+     * roleRoutes). Redirects to loginRoute if the session is invalid. One extra
+     * fetch per navigation in exchange for guaranteed fresh auth state.
+     */
+    verifyAlways?: boolean;
 }
 interface AuthKit {
     /**

package/dist/client/server/index.js

@@ -361,10 +361,22 @@ function withAuthMiddleware(config) {
     publicRoutes = [],
     loginRoute = "/login",
     roleRoutes = {},
-    cookieName = "refreshToken"
+    cookieName = "refreshToken",
+    sessionCookieName = "najm.session",
+    verifyAlways = false
   } = config;
   return /* @__PURE__ */ __name(async function middleware(request) {
     const { NextResponse } = await import("next/server");
+    const redirectToLogin = /* @__PURE__ */ __name((pathname2, clearCookies) => {
+      const loginUrl = new URL(loginRoute, request.url);
+      loginUrl.searchParams.set("from", pathname2);
+      const res = NextResponse.redirect(loginUrl);
+      if (clearCookies) {
+        res.cookies.delete(cookieName);
+        res.cookies.delete(sessionCookieName);
+      }
+      return res;
+    }, "redirectToLogin");
     const url = new URL(request.url);
     const pathname = url.pathname;
     if (matchesAny(pathname, publicRoutes)) {
@@ -375,30 +387,28 @@ function withAuthMiddleware(config) {
     const cookie = request.headers.get("cookie") ?? "";
     const hasToken = cookieRegex(cookieName).test(cookie);
     if (!hasToken) {
-      const loginUrl = new URL(loginRoute, request.url);
-      loginUrl.searchParams.set("from", pathname);
-      return NextResponse.redirect(loginUrl);
+      return redirectToLogin(pathname, true);
     }
     const requiredRoles = findMatchingRoles(pathname, roleRoutes);
-    if (requiredRoles) {
+    const needsVerify = verifyAlways || !!requiredRoles;
+    if (needsVerify) {
       const verifyURL = config.verifyURL ?? `${url.origin}/api/auth/me`;
       try {
         const res = await fetch(verifyURL, {
           headers: { "Cookie": cookie, "Accept": "application/json" }
         });
         if (!res.ok) {
-          const loginUrl = new URL(loginRoute, request.url);
-          loginUrl.searchParams.set("from", pathname);
-          return NextResponse.redirect(loginUrl);
+          return redirectToLogin(pathname, true);
         }
-        const body = await res.json();
-        const userRole = body?.data?.role;
-        if (!userRole || !requiredRoles.includes(userRole)) {
-          return new NextResponse(null, { status: 403 });
+        if (requiredRoles) {
+          const body = await res.json();
+          const userRole = body?.data?.role;
+          if (!userRole || !requiredRoles.includes(userRole)) {
+            return new NextResponse(null, { status: 403 });
+          }
         }
       } catch {
-        const loginUrl = new URL(loginRoute, request.url);
-        return NextResponse.redirect(loginUrl);
+        return redirectToLogin(pathname, true);
       }
     }
     return NextResponse.next();
@@ -909,6 +919,7 @@ function defineAuth(authConfig = {}) {
     sessionCookieName = "najm.session",
     sessionSecret,
     matcher = ["/((?!_next/static|_next/image|favicon.ico|api).*)"],
+    verifyAlways = false,
     refreshThreshold,
     tabSync,
     channelName,
@@ -967,6 +978,16 @@ function defineAuth(authConfig = {}) {
     const { NextResponse } = await import("next/server");
     const url = new URL(request.url);
     const pathname = url.pathname;
+    const redirectToLogin = /* @__PURE__ */ __name((clearCookies) => {
+      const loginUrl = new URL(loginRoute, request.url);
+      loginUrl.searchParams.set("from", pathname);
+      const res = NextResponse.redirect(loginUrl);
+      if (clearCookies) {
+        res.cookies.delete(cookieName);
+        res.cookies.delete(sessionCookieName);
+      }
+      return res;
+    }, "redirectToLogin");
     if (matchesAny2(pathname, publicRoutes)) {
       return NextResponse.next();
     }
@@ -975,31 +996,28 @@ function defineAuth(authConfig = {}) {
     const cookie = request.headers.get("cookie") ?? "";
     const hasToken = cookieRegex2(cookieName).test(cookie);
     if (!hasToken) {
-      const loginUrl = new URL(loginRoute, request.url);
-      loginUrl.searchParams.set("from", pathname);
-      return NextResponse.redirect(loginUrl);
+      return redirectToLogin(true);
     }
     const requiredRoles = findMatchingRoles2(pathname, roleRoutes);
-    if (requiredRoles) {
+    const needsVerify = verifyAlways || !!requiredRoles;
+    if (needsVerify) {
       const verifyURL = `${url.origin}${apiBaseURL}${authPrefix}/me`;
       try {
         const res = await fetch(verifyURL, {
           headers: { Cookie: cookie, Accept: "application/json" }
         });
         if (!res.ok) {
-          const loginUrl = new URL(loginRoute, request.url);
-          loginUrl.searchParams.set("from", pathname);
-          return NextResponse.redirect(loginUrl);
+          return redirectToLogin(true);
         }
-        const body = await res.json();
-        const userRole = body?.data?.role;
-        if (!userRole || !requiredRoles.includes(userRole)) {
-          return new NextResponse(null, { status: 403 });
+        if (requiredRoles) {
+          const body = await res.json();
+          const userRole = body?.data?.role;
+          if (!userRole || !requiredRoles.includes(userRole)) {
+            return new NextResponse(null, { status: 403 });
+          }
         }
       } catch {
-        const loginUrl = new URL(loginRoute, request.url);
-        loginUrl.searchParams.set("from", pathname);
-        return NextResponse.redirect(loginUrl);
+        return redirectToLogin(true);
       }
     }
     return NextResponse.next();

package/dist/index.js

@@ -2314,7 +2314,7 @@ var AuthResolver = class AuthResolver2 {
     this.app.use("*", async (c, next) => {
       const raw = c.req.header("authorization") ?? "";
       const token = raw.replace(/^Bearer\s+/i, "").trim();
-      const result = token ? await this.resolve(token) : await this.resolveFromCookie();
+      const result = token ? await this.resolve(token) || await this.resolveFromCookie() : await this.resolveFromCookie();
       if (result) {
         if (this.container.isActive()) {
           this.container.set(USER, result.user);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "najm-auth",
-  "version": "1.1.29",
+  "version": "1.1.31",
   "description": "Authentication and authorization library for najm framework",
   "type": "module",
   "files": [