next-api-layer 0.1.5

package/dist/index.d.cts

@@ -0,0 +1,300 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { R as ResolvedRateLimitConfig, a as ResolvedCsrfConfig, A as AuthProxyConfig, I as InternalProxyConfig, b as AuditEventType, c as ResolvedAuditConfig, T as TokenInfo, d as RefreshResult, C as CookieOptions, E as EndpointConfig } from './createApiClient-CIDYcpNI.cjs';
+export { e as AccessConfig, f as ApiClient, g as ApiClientConfig, h as ApiResponse, i as AuditConfig, j as AuditEvent, k as AuthData, l as AuthResult, m as CookieConfig, n as CsrfConfig, G as GuestTokenConfig, o as I18nConfig, p as RateLimitConfig, q as ResponseMappers, S as SanitizationConfig, U as UserData, r as createApiClient } from './createApiClient-CIDYcpNI.cjs';
+
+/**
+ * Rate Limiting
+ *
+ * Implements token bucket algorithm for rate limiting.
+ * In-memory store by default, designed for single-instance deployments.
+ *
+ * For horizontal scaling (multiple instances), use a custom store
+ * with Redis or similar distributed cache.
+ */
+
+interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+    limit: number;
+}
+/**
+ * Creates a rate limiter with in-memory store
+ */
+declare function createRateLimiter(config: ResolvedRateLimitConfig): {
+    check: (req: NextRequest) => RateLimitResult;
+    applyHeaders: (response: NextResponse, result: RateLimitResult) => NextResponse;
+    createLimitedResponse: (req: NextRequest, result: RateLimitResult) => NextResponse;
+    shouldSkip: (pathname: string) => boolean;
+    reset: (key: string) => void;
+    clear: () => void;
+    size: () => number;
+};
+type RateLimiter = ReturnType<typeof createRateLimiter>;
+
+/**
+ * CSRF Protection
+ *
+ * Implements OWASP recommended CSRF protection:
+ * - Fetch Metadata (Sec-Fetch-Site header) for modern browsers (98%+ coverage)
+ * - Signed HMAC Double-Submit Cookie as fallback
+ *
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ */
+
+interface CsrfValidationResult {
+    valid: boolean;
+    reason?: string;
+}
+/**
+ * Creates CSRF validator functions
+ */
+declare function createCsrfValidator(config: ResolvedCsrfConfig): {
+    validateRequest: (req: NextRequest) => CsrfValidationResult;
+    generateToken: (sessionId: string) => Promise<string>;
+    attachCsrfCookie: (response: NextResponse, sessionId: string) => Promise<NextResponse>;
+};
+type CsrfValidator = ReturnType<typeof createCsrfValidator>;
+
+/**
+ * Creates an authentication proxy middleware for Next.js
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * import { createAuthProxy } from 'next-api-layer';
+ *
+ * const authProxy = createAuthProxy({
+ *   apiBaseUrl: process.env.API_BASE_URL!,
+ *   cookies: {
+ *     user: 'userAuthToken',
+ *     guest: 'guestAuthToken',
+ *   },
+ *   guestToken: {
+ *     enabled: true,
+ *     credentials: {
+ *       username: process.env.GUEST_USERNAME!,
+ *       password: process.env.GUEST_PASSWORD!,
+ *     },
+ *   },
+ *   access: {
+ *     protectedRoutes: ['/dashboard', '/profile'],
+ *     authRoutes: ['/login', '/register'],
+ *   },
+ *   // Security features
+ *   csrf: { enabled: true },
+ *   rateLimit: { enabled: true, maxRequests: 100 },
+ *   audit: {
+ *     enabled: true,
+ *     logger: (event) => console.log('[AUDIT]', event)
+ *   },
+ * });
+ *
+ * export default authProxy;
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(userConfig: AuthProxyConfig): {
+    (req: NextRequest): Promise<NextResponse>;
+    config: InternalProxyConfig;
+    csrf: {
+        validateRequest: (req: NextRequest) => CsrfValidationResult;
+        generateToken: (sessionId: string) => Promise<string>;
+        attachCsrfCookie: (response: NextResponse, sessionId: string) => Promise<NextResponse>;
+    };
+    rateLimiter: {
+        check: (req: NextRequest) => RateLimitResult;
+        applyHeaders: (response: NextResponse, result: RateLimitResult) => NextResponse;
+        createLimitedResponse: (req: NextRequest, result: RateLimitResult) => NextResponse;
+        shouldSkip: (pathname: string) => boolean;
+        reset: (key: string) => void;
+        clear: () => void;
+        size: () => number;
+    };
+    audit: {
+        emit: (type: AuditEventType, req: NextRequest, options: {
+            success: boolean;
+            userId?: string;
+            metadata?: Record<string, unknown>;
+        }) => Promise<void>;
+        isEnabled: (type: AuditEventType) => boolean;
+        authSuccess: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        authFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        authRefresh: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        authGuest: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        accessDenied: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        csrfFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        rateLimitExceeded: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        error: (req: NextRequest, err: Error, metadata?: Record<string, unknown>) => Promise<void>;
+    };
+};
+type AuthProxy = ReturnType<typeof createAuthProxy>;
+
+/**
+ * createProxyHandler
+ * Factory function to create Next.js API route handlers that proxy requests to backend
+ */
+
+interface ProxyHandlerConfig {
+    /** Base URL of the backend API */
+    apiBaseUrl: string;
+    /** Cookie name for user auth token */
+    userCookieName?: string;
+    /** Cookie name for guest auth token */
+    guestCookieName?: string;
+    /**
+     * Default behavior for auth - if true, all requests skip auth by default
+     * Individual requests can override with X-Skip-Auth header
+     */
+    skipAuthByDefault?: boolean;
+    /**
+     * Public endpoints that should never include auth token (glob patterns)
+     * e.g., ['news/*', 'public/**', 'categories']
+     */
+    publicEndpoints?: string[];
+    /** Headers to forward from client request */
+    forwardHeaders?: string[];
+    /** Headers to exclude from forwarding */
+    excludeHeaders?: string[];
+    /** Custom request transformer */
+    transformRequest?: (req: NextRequest, headers: Headers) => Headers | Promise<Headers>;
+    /** Custom response transformer */
+    transformResponse?: (response: Response) => Response | Promise<Response>;
+}
+/**
+ * Creates a proxy handler for Next.js API routes
+ *
+ * @example
+ * ```ts
+ * // app/api/[...path]/route.ts
+ * import { createProxyHandler } from 'next-api-layer';
+ *
+ * const handler = createProxyHandler({
+ *   apiBaseUrl: process.env.API_BASE_URL!,
+ *   userCookieName: 'auth_token',
+ *   guestCookieName: 'guest_token',
+ *   publicEndpoints: ['news/*', 'categories', 'public/**'],
+ * });
+ *
+ * export const GET = handler;
+ * export const POST = handler;
+ * export const PUT = handler;
+ * export const PATCH = handler;
+ * export const DELETE = handler;
+ * ```
+ */
+declare function createProxyHandler(config: ProxyHandlerConfig): {
+    (req: NextRequest): Promise<NextResponse>;
+    config: ProxyHandlerConfig;
+};
+type ProxyHandler = ReturnType<typeof createProxyHandler>;
+
+/**
+ * Audit Logging
+ *
+ * Event-based security audit logging system.
+ * Emits events for authentication, access control, and security violations.
+ */
+
+/**
+ * Creates an audit logger instance
+ */
+declare function createAuditLogger(config: ResolvedAuditConfig): {
+    emit: (type: AuditEventType, req: NextRequest, options: {
+        success: boolean;
+        userId?: string;
+        metadata?: Record<string, unknown>;
+    }) => Promise<void>;
+    isEnabled: (type: AuditEventType) => boolean;
+    authSuccess: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    authFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    authRefresh: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    authGuest: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    accessDenied: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    csrfFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    rateLimitExceeded: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    error: (req: NextRequest, err: Error, metadata?: Record<string, unknown>) => Promise<void>;
+};
+type AuditLogger = ReturnType<typeof createAuditLogger>;
+
+/**
+ * Token Validation
+ * Handles token validation and refresh with backend API
+ */
+
+/**
+ * Creates token validation functions
+ */
+declare function createTokenValidation(config: InternalProxyConfig): {
+    validateToken: (token: string) => Promise<TokenInfo>;
+    getTokenInfo: (token: string) => Promise<TokenInfo>;
+    refreshToken: (oldToken: string) => Promise<RefreshResult>;
+    createGuestToken: () => Promise<string | null>;
+};
+type TokenValidation = ReturnType<typeof createTokenValidation>;
+
+/**
+ * Proxy Handlers
+ * Request handling logic for different scenarios
+ */
+
+/**
+ * Creates proxy handlers
+ */
+declare function createHandlers(config: InternalProxyConfig, validation: TokenValidation): {
+    deleteAllAuthCookies: (req: NextRequest, response: NextResponse) => NextResponse;
+    jsonError: (message: string, status?: number) => NextResponse;
+    isAuthPage: (pathname: string) => boolean;
+    isProtectedRoute: (pathname: string) => boolean;
+    isPublicRoute: (pathname: string) => boolean;
+    isTokenTypeAllowed: (tokenType: string | null) => boolean;
+    handleNoToken: (req: NextRequest, isApiRoute: boolean) => Promise<NextResponse>;
+    handleValidationResult: (req: NextRequest, tokenInfo: TokenInfo, isUserToken: boolean, currentToken: string, isApiRoute: boolean) => Promise<NextResponse>;
+};
+
+/**
+ * Shared Constants
+ * Default values and constant configurations
+ */
+
+declare const DEFAULT_COOKIE_OPTIONS: Required<CookieOptions>;
+declare const DEFAULT_ENDPOINTS: Required<EndpointConfig>;
+declare const TOKEN_TYPES: {
+    readonly GUEST: "guest";
+};
+declare const ERROR_MESSAGES: {
+    readonly NO_TOKEN: "Token bulunamadı.";
+    readonly INVALID_TOKEN: "Token geçersiz veya süresi dolmuş.";
+    readonly CONNECTION_ERROR: "Bağlantı hatası oluştu.";
+    readonly UNAUTHORIZED: "Bu işlem için yetkiniz yok.";
+};
+declare const HEADERS: {
+    readonly AUTH_USER: "x-auth-user";
+    readonly REFRESHED_TOKEN: "x-refreshed-token";
+    readonly AUTHORIZATION: "Authorization";
+    readonly CONTENT_TYPE: "Content-Type";
+    readonly SKIP_AUTH: "x-skip-auth";
+    readonly LOCALE: "x-locale";
+};
+/** CSRF safe methods that don't need validation */
+declare const CSRF_SAFE_METHODS: readonly ["GET", "HEAD", "OPTIONS"];
+declare const DEFAULT_CSRF_CONFIG: {
+    readonly strategy: "both";
+    readonly cookieName: "__csrf";
+    readonly headerName: "x-csrf-token";
+    readonly ignoreMethods: readonly ["GET", "HEAD", "OPTIONS"];
+    readonly trustSameSite: false;
+};
+declare const DEFAULT_RATE_LIMIT_CONFIG: {
+    readonly windowMs: number;
+    readonly maxRequests: 100;
+    readonly skipRoutes: string[];
+};
+declare const DEFAULT_AUDIT_CONFIG: {
+    readonly events: readonly ["auth:success", "auth:fail", "auth:refresh", "access:denied", "csrf:fail", "rateLimit:exceeded", "error"];
+};
+
+export { AuditEventType, type AuditLogger, type AuthProxy, AuthProxyConfig, CSRF_SAFE_METHODS, CookieOptions, type CsrfValidator, DEFAULT_AUDIT_CONFIG, DEFAULT_COOKIE_OPTIONS, DEFAULT_CSRF_CONFIG, DEFAULT_ENDPOINTS, DEFAULT_RATE_LIMIT_CONFIG, ERROR_MESSAGES, EndpointConfig, HEADERS, type ProxyHandler, type ProxyHandlerConfig, type RateLimiter, TOKEN_TYPES, TokenInfo, createAuditLogger, createAuthProxy, createCsrfValidator, createHandlers, createProxyHandler, createRateLimiter, createTokenValidation };

package/dist/index.d.ts

@@ -0,0 +1,300 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { R as ResolvedRateLimitConfig, a as ResolvedCsrfConfig, A as AuthProxyConfig, I as InternalProxyConfig, b as AuditEventType, c as ResolvedAuditConfig, T as TokenInfo, d as RefreshResult, C as CookieOptions, E as EndpointConfig } from './createApiClient-CIDYcpNI.js';
+export { e as AccessConfig, f as ApiClient, g as ApiClientConfig, h as ApiResponse, i as AuditConfig, j as AuditEvent, k as AuthData, l as AuthResult, m as CookieConfig, n as CsrfConfig, G as GuestTokenConfig, o as I18nConfig, p as RateLimitConfig, q as ResponseMappers, S as SanitizationConfig, U as UserData, r as createApiClient } from './createApiClient-CIDYcpNI.js';
+
+/**
+ * Rate Limiting
+ *
+ * Implements token bucket algorithm for rate limiting.
+ * In-memory store by default, designed for single-instance deployments.
+ *
+ * For horizontal scaling (multiple instances), use a custom store
+ * with Redis or similar distributed cache.
+ */
+
+interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+    limit: number;
+}
+/**
+ * Creates a rate limiter with in-memory store
+ */
+declare function createRateLimiter(config: ResolvedRateLimitConfig): {
+    check: (req: NextRequest) => RateLimitResult;
+    applyHeaders: (response: NextResponse, result: RateLimitResult) => NextResponse;
+    createLimitedResponse: (req: NextRequest, result: RateLimitResult) => NextResponse;
+    shouldSkip: (pathname: string) => boolean;
+    reset: (key: string) => void;
+    clear: () => void;
+    size: () => number;
+};
+type RateLimiter = ReturnType<typeof createRateLimiter>;
+
+/**
+ * CSRF Protection
+ *
+ * Implements OWASP recommended CSRF protection:
+ * - Fetch Metadata (Sec-Fetch-Site header) for modern browsers (98%+ coverage)
+ * - Signed HMAC Double-Submit Cookie as fallback
+ *
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+ */
+
+interface CsrfValidationResult {
+    valid: boolean;
+    reason?: string;
+}
+/**
+ * Creates CSRF validator functions
+ */
+declare function createCsrfValidator(config: ResolvedCsrfConfig): {
+    validateRequest: (req: NextRequest) => CsrfValidationResult;
+    generateToken: (sessionId: string) => Promise<string>;
+    attachCsrfCookie: (response: NextResponse, sessionId: string) => Promise<NextResponse>;
+};
+type CsrfValidator = ReturnType<typeof createCsrfValidator>;
+
+/**
+ * Creates an authentication proxy middleware for Next.js
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * import { createAuthProxy } from 'next-api-layer';
+ *
+ * const authProxy = createAuthProxy({
+ *   apiBaseUrl: process.env.API_BASE_URL!,
+ *   cookies: {
+ *     user: 'userAuthToken',
+ *     guest: 'guestAuthToken',
+ *   },
+ *   guestToken: {
+ *     enabled: true,
+ *     credentials: {
+ *       username: process.env.GUEST_USERNAME!,
+ *       password: process.env.GUEST_PASSWORD!,
+ *     },
+ *   },
+ *   access: {
+ *     protectedRoutes: ['/dashboard', '/profile'],
+ *     authRoutes: ['/login', '/register'],
+ *   },
+ *   // Security features
+ *   csrf: { enabled: true },
+ *   rateLimit: { enabled: true, maxRequests: 100 },
+ *   audit: {
+ *     enabled: true,
+ *     logger: (event) => console.log('[AUDIT]', event)
+ *   },
+ * });
+ *
+ * export default authProxy;
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthProxy(userConfig: AuthProxyConfig): {
+    (req: NextRequest): Promise<NextResponse>;
+    config: InternalProxyConfig;
+    csrf: {
+        validateRequest: (req: NextRequest) => CsrfValidationResult;
+        generateToken: (sessionId: string) => Promise<string>;
+        attachCsrfCookie: (response: NextResponse, sessionId: string) => Promise<NextResponse>;
+    };
+    rateLimiter: {
+        check: (req: NextRequest) => RateLimitResult;
+        applyHeaders: (response: NextResponse, result: RateLimitResult) => NextResponse;
+        createLimitedResponse: (req: NextRequest, result: RateLimitResult) => NextResponse;
+        shouldSkip: (pathname: string) => boolean;
+        reset: (key: string) => void;
+        clear: () => void;
+        size: () => number;
+    };
+    audit: {
+        emit: (type: AuditEventType, req: NextRequest, options: {
+            success: boolean;
+            userId?: string;
+            metadata?: Record<string, unknown>;
+        }) => Promise<void>;
+        isEnabled: (type: AuditEventType) => boolean;
+        authSuccess: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        authFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        authRefresh: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        authGuest: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        accessDenied: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+        csrfFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        rateLimitExceeded: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+        error: (req: NextRequest, err: Error, metadata?: Record<string, unknown>) => Promise<void>;
+    };
+};
+type AuthProxy = ReturnType<typeof createAuthProxy>;
+
+/**
+ * createProxyHandler
+ * Factory function to create Next.js API route handlers that proxy requests to backend
+ */
+
+interface ProxyHandlerConfig {
+    /** Base URL of the backend API */
+    apiBaseUrl: string;
+    /** Cookie name for user auth token */
+    userCookieName?: string;
+    /** Cookie name for guest auth token */
+    guestCookieName?: string;
+    /**
+     * Default behavior for auth - if true, all requests skip auth by default
+     * Individual requests can override with X-Skip-Auth header
+     */
+    skipAuthByDefault?: boolean;
+    /**
+     * Public endpoints that should never include auth token (glob patterns)
+     * e.g., ['news/*', 'public/**', 'categories']
+     */
+    publicEndpoints?: string[];
+    /** Headers to forward from client request */
+    forwardHeaders?: string[];
+    /** Headers to exclude from forwarding */
+    excludeHeaders?: string[];
+    /** Custom request transformer */
+    transformRequest?: (req: NextRequest, headers: Headers) => Headers | Promise<Headers>;
+    /** Custom response transformer */
+    transformResponse?: (response: Response) => Response | Promise<Response>;
+}
+/**
+ * Creates a proxy handler for Next.js API routes
+ *
+ * @example
+ * ```ts
+ * // app/api/[...path]/route.ts
+ * import { createProxyHandler } from 'next-api-layer';
+ *
+ * const handler = createProxyHandler({
+ *   apiBaseUrl: process.env.API_BASE_URL!,
+ *   userCookieName: 'auth_token',
+ *   guestCookieName: 'guest_token',
+ *   publicEndpoints: ['news/*', 'categories', 'public/**'],
+ * });
+ *
+ * export const GET = handler;
+ * export const POST = handler;
+ * export const PUT = handler;
+ * export const PATCH = handler;
+ * export const DELETE = handler;
+ * ```
+ */
+declare function createProxyHandler(config: ProxyHandlerConfig): {
+    (req: NextRequest): Promise<NextResponse>;
+    config: ProxyHandlerConfig;
+};
+type ProxyHandler = ReturnType<typeof createProxyHandler>;
+
+/**
+ * Audit Logging
+ *
+ * Event-based security audit logging system.
+ * Emits events for authentication, access control, and security violations.
+ */
+
+/**
+ * Creates an audit logger instance
+ */
+declare function createAuditLogger(config: ResolvedAuditConfig): {
+    emit: (type: AuditEventType, req: NextRequest, options: {
+        success: boolean;
+        userId?: string;
+        metadata?: Record<string, unknown>;
+    }) => Promise<void>;
+    isEnabled: (type: AuditEventType) => boolean;
+    authSuccess: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    authFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    authRefresh: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    authGuest: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    accessDenied: (req: NextRequest, userId?: string, metadata?: Record<string, unknown>) => Promise<void>;
+    csrfFail: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    rateLimitExceeded: (req: NextRequest, metadata?: Record<string, unknown>) => Promise<void>;
+    error: (req: NextRequest, err: Error, metadata?: Record<string, unknown>) => Promise<void>;
+};
+type AuditLogger = ReturnType<typeof createAuditLogger>;
+
+/**
+ * Token Validation
+ * Handles token validation and refresh with backend API
+ */
+
+/**
+ * Creates token validation functions
+ */
+declare function createTokenValidation(config: InternalProxyConfig): {
+    validateToken: (token: string) => Promise<TokenInfo>;
+    getTokenInfo: (token: string) => Promise<TokenInfo>;
+    refreshToken: (oldToken: string) => Promise<RefreshResult>;
+    createGuestToken: () => Promise<string | null>;
+};
+type TokenValidation = ReturnType<typeof createTokenValidation>;
+
+/**
+ * Proxy Handlers
+ * Request handling logic for different scenarios
+ */
+
+/**
+ * Creates proxy handlers
+ */
+declare function createHandlers(config: InternalProxyConfig, validation: TokenValidation): {
+    deleteAllAuthCookies: (req: NextRequest, response: NextResponse) => NextResponse;
+    jsonError: (message: string, status?: number) => NextResponse;
+    isAuthPage: (pathname: string) => boolean;
+    isProtectedRoute: (pathname: string) => boolean;
+    isPublicRoute: (pathname: string) => boolean;
+    isTokenTypeAllowed: (tokenType: string | null) => boolean;
+    handleNoToken: (req: NextRequest, isApiRoute: boolean) => Promise<NextResponse>;
+    handleValidationResult: (req: NextRequest, tokenInfo: TokenInfo, isUserToken: boolean, currentToken: string, isApiRoute: boolean) => Promise<NextResponse>;
+};
+
+/**
+ * Shared Constants
+ * Default values and constant configurations
+ */
+
+declare const DEFAULT_COOKIE_OPTIONS: Required<CookieOptions>;
+declare const DEFAULT_ENDPOINTS: Required<EndpointConfig>;
+declare const TOKEN_TYPES: {
+    readonly GUEST: "guest";
+};
+declare const ERROR_MESSAGES: {
+    readonly NO_TOKEN: "Token bulunamadı.";
+    readonly INVALID_TOKEN: "Token geçersiz veya süresi dolmuş.";
+    readonly CONNECTION_ERROR: "Bağlantı hatası oluştu.";
+    readonly UNAUTHORIZED: "Bu işlem için yetkiniz yok.";
+};
+declare const HEADERS: {
+    readonly AUTH_USER: "x-auth-user";
+    readonly REFRESHED_TOKEN: "x-refreshed-token";
+    readonly AUTHORIZATION: "Authorization";
+    readonly CONTENT_TYPE: "Content-Type";
+    readonly SKIP_AUTH: "x-skip-auth";
+    readonly LOCALE: "x-locale";
+};
+/** CSRF safe methods that don't need validation */
+declare const CSRF_SAFE_METHODS: readonly ["GET", "HEAD", "OPTIONS"];
+declare const DEFAULT_CSRF_CONFIG: {
+    readonly strategy: "both";
+    readonly cookieName: "__csrf";
+    readonly headerName: "x-csrf-token";
+    readonly ignoreMethods: readonly ["GET", "HEAD", "OPTIONS"];
+    readonly trustSameSite: false;
+};
+declare const DEFAULT_RATE_LIMIT_CONFIG: {
+    readonly windowMs: number;
+    readonly maxRequests: 100;
+    readonly skipRoutes: string[];
+};
+declare const DEFAULT_AUDIT_CONFIG: {
+    readonly events: readonly ["auth:success", "auth:fail", "auth:refresh", "access:denied", "csrf:fail", "rateLimit:exceeded", "error"];
+};
+
+export { AuditEventType, type AuditLogger, type AuthProxy, AuthProxyConfig, CSRF_SAFE_METHODS, CookieOptions, type CsrfValidator, DEFAULT_AUDIT_CONFIG, DEFAULT_COOKIE_OPTIONS, DEFAULT_CSRF_CONFIG, DEFAULT_ENDPOINTS, DEFAULT_RATE_LIMIT_CONFIG, ERROR_MESSAGES, EndpointConfig, HEADERS, type ProxyHandler, type ProxyHandlerConfig, type RateLimiter, TOKEN_TYPES, TokenInfo, createAuditLogger, createAuthProxy, createCsrfValidator, createHandlers, createProxyHandler, createRateLimiter, createTokenValidation };

package/dist/index.js

@@ -0,0 +1,3 @@
+export{d as createApiClient}from'./chunk-NBYI46RO.js';import {c,e,a,b,g,h,i}from'./chunk-XBAO7FJN.js';export{f as CSRF_SAFE_METHODS,i as DEFAULT_AUDIT_CONFIG,a as DEFAULT_COOKIE_OPTIONS,g as DEFAULT_CSRF_CONFIG,b as DEFAULT_ENDPOINTS,h as DEFAULT_RATE_LIMIT_CONFIG,d as ERROR_MESSAGES,e as HEADERS,c as TOKEN_TYPES}from'./chunk-XBAO7FJN.js';import {NextResponse}from'next/server';function ie(){return typeof crypto<"u"&&crypto.randomUUID?crypto.randomUUID()+crypto.randomUUID():`${Date.now()}-${Math.random().toString(36).substring(2)}`}function ue(e){return `rl:${e.headers.get("x-forwarded-for")?.split(",")[0]?.trim()||e.headers.get("x-real-ip")||"unknown"}`}function Q(e){if(!e.apiBaseUrl)throw new Error("next-api-layer: apiBaseUrl is required");if(!e.cookies?.user||!e.cookies?.guest)throw new Error("next-api-layer: cookies.user and cookies.guest are required");let t=e.apiBaseUrl.endsWith("/")?e.apiBaseUrl:`${e.apiBaseUrl}/`,f={...a,...e.cookies.options},l={...b,...e.endpoints},m={enabled:e.csrf?.enabled??false,strategy:e.csrf?.strategy??g.strategy,secret:e.csrf?.secret??ie(),cookieName:e.csrf?.cookieName??g.cookieName,headerName:e.csrf?.headerName??g.headerName,ignoreMethods:e.csrf?.ignoreMethods??g.ignoreMethods,trustSameSite:e.csrf?.trustSameSite??g.trustSameSite},R={enabled:e.rateLimit?.enabled??false,windowMs:e.rateLimit?.windowMs??h.windowMs,maxRequests:e.rateLimit?.maxRequests??h.maxRequests,keyFn:e.rateLimit?.keyFn??ue,skipRoutes:e.rateLimit?.skipRoutes??h.skipRoutes,onRateLimited:e.rateLimit?.onRateLimited},u={enabled:e.audit?.enabled??false,events:e.audit?.events??[...i.events],logger:e.audit?.logger};return {...e,apiBaseUrl:t,_resolved:{cookieOptions:f,endpoints:l,csrf:m,rateLimit:R,audit:u}}}var $={parseAuthMe:e=>{let t=e;return !t?.success||!t?.data?null:{isValid:true,tokenType:t.data.type||"user",exp:t.data.exp||null,userData:t.data}},parseRefreshToken:e=>{let t=e;return t?.success&&t?.data?.accessToken?t.data.accessToken:null},parseGuestToken:e=>e?.data?.accessToken||null};function j(e){let{apiBaseUrl:t,_resolved:f,responseMappers:l}=e,{endpoints:m}=f,R={parseAuthMe:l?.parseAuthMe||$.parseAuthMe,parseRefreshToken:l?.parseRefreshToken||$.parseRefreshToken,parseGuestToken:l?.parseGuestToken||$.parseGuestToken};async function u(a){let i={isValid:false,tokenType:null,exp:null,userData:null};try{let n=await fetch(`${t}${m.validate}`,{headers:{Authorization:`Bearer ${a}`,"Content-Type":"application/json"},cache:"no-store"});if(!n.ok)return i;let s=await n.json().catch(()=>null),d=R.parseAuthMe(s);return !d||!d.isValid?i:d}catch{return i}}async function c(a){return u(a)}async function p(a){try{let i=await fetch(`${t}${m.refresh}`,{method:"POST",headers:{Authorization:`Bearer ${a}`,"Content-Type":"application/json"},cache:"no-store"});if(!i.ok)return {success:!1,newToken:null};let n=await i.json().catch(()=>null),s=R.parseRefreshToken(n);return s?{success:!0,newToken:s}:{success:!1,newToken:null}}catch{return {success:false,newToken:null}}}async function o(){let a=e.guestToken;if(!a?.enabled||!a.credentials)return null;try{let i=await fetch(`${t}${m.guest}`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({username:a.credentials.username,password:a.credentials.password}),cache:"no-store"});if(!i.ok)return null;let n=await i.json().catch(()=>null);return R.parseGuestToken(n)}catch{return null}}return {validateToken:u,getTokenInfo:c,refreshToken:p,createGuestToken:o}}function ee(e,t){if(!t?.enabled)return null;let f=t.locales??[],l=t.defaultLocale,R=e.split("/").filter(Boolean)[0];return R&&f.includes(R)?R:l??null}function z(e$1,t){let{cookies:f,guestToken:l,access:m,i18n:R,_resolved:u}=e$1,{cookieOptions:c$1}=u;function p(r,x,h){r.cookies.get(h)?.value&&x.cookies.delete(h);}function o(r,x){return p(r,x,f.guest),p(r,x,f.user),x}function a(r,x=500){return new NextResponse(JSON.stringify({success:false,message:r}),{status:x,headers:{"Content-Type":"application/json"}})}function i(r){return (m?.authRoutes??[]).some(h=>r===h||r.startsWith(`${h}/`))}function n(r){return m?.protectedByDefault?!s(r)&&!i(r):(m?.protectedRoutes??[]).some(h=>r===h||r.startsWith(`${h}/`))}function s(r){return (m?.publicRoutes??[]).some(h=>r===h||r.startsWith(`${h}/`))}function d(r){let x=m?.allowedTokenTypes;return !x||x.length===0?true:r?x.includes(r):false}async function C(r,x){let{origin:h}=r.nextUrl;if(l?.enabled){let y=await t.createGuestToken();if(y){let N;return x?N=NextResponse.next():n(r.nextUrl.pathname)?N=NextResponse.redirect(new URL("/login",h)):N=NextResponse.next(),N.cookies.set(f.guest,y,{...c$1,maxAge:3600}),N}}return x?a("Token bulunamad\u0131",401):n(r.nextUrl.pathname)?NextResponse.redirect(new URL("/login",h)):NextResponse.next()}async function v(r,x,h,y,N){let{pathname:k,origin:g}=r.nextUrl,{isValid:S,tokenType:T,userData:A}=x,E=T===c.GUEST;if(!S){if(h&&y){let D=await t.refreshToken(y);if(D.success&&D.newToken){let O=await t.getTokenInfo(D.newToken);if(O.isValid){let _=new Headers(r.headers);O.userData&&_.set(e.AUTH_USER,JSON.stringify(O.userData)),_.set(e.REFRESHED_TOKEN,D.newToken);let Z=ee(k,R);Z&&_.set(e.LOCALE,Z);let I;return i(k)?I=NextResponse.redirect(new URL("/",g)):I=NextResponse.next({request:{headers:_}}),I.cookies.set(f.user,D.newToken,{...c$1,maxAge:c$1.maxAge}),p(r,I,f.guest),I}}}let P=await C(r,N);return P.cookies.get(f.guest)?.value?p(r,P,f.user):o(r,P),P}let U=new Headers(r.headers);A&&U.set(e.AUTH_USER,JSON.stringify(A));let J=ee(k,R);if(J&&U.set(e.LOCALE,J),!E&&!d(T)){if(N){let Y=a("Bu i\u015Flem i\xE7in yetkiniz yok",403);return o(r,Y)}let P=NextResponse.redirect(new URL("/login",g));return o(r,P)}if(E)return N?NextResponse.next({request:{headers:U}}):n(k)?NextResponse.redirect(new URL("/login",g)):NextResponse.next({request:{headers:U}});if(i(k))return NextResponse.redirect(new URL("/",g));let X=NextResponse.next({request:{headers:U}});return p(r,X,f.guest),X}return {deleteAllAuthCookies:o,jsonError:a,isAuthPage:i,isProtectedRoute:n,isPublicRoute:s,isTokenTypeAllowed:d,handleNoToken:C,handleValidationResult:v}}function K(e){async function t(u){let c=le();return `${await ce(e.secret,u,c)}.${c}`}function f(u){let c=u.method.toUpperCase();if(e.ignoreMethods.includes(c))return {valid:true};let p=e.strategy;if(p==="fetch-metadata"||p==="both"){let o=l(u);if(p==="fetch-metadata"||o.valid||o.reason!=="missing-headers")return o}return p==="double-submit"||p==="both"?m(u):{valid:true}}function l(u){let c=u.headers.get("sec-fetch-site");if(!c)return {valid:false,reason:"missing-headers"};if(c==="same-origin")return {valid:true};if(c==="none"){let p=u.method.toUpperCase();return e.ignoreMethods.includes(p)?{valid:true}:{valid:false,reason:"direct-navigation-unsafe-method"}}return c==="same-site"?e.trustSameSite?{valid:true}:{valid:false,reason:"same-site-not-trusted"}:c==="cross-site"?{valid:false,reason:"cross-site-request"}:{valid:false,reason:"unknown-sec-fetch-site"}}function m(u){let c=u.cookies.get(e.cookieName)?.value;if(!c)return {valid:false,reason:"missing-cookie-token"};let p=u.headers.get(e.headerName);return p?de(c,p)?c.split(".").length!==2?{valid:false,reason:"invalid-token-format"}:{valid:true}:{valid:false,reason:"token-mismatch"}:{valid:false,reason:"missing-header-token"}}async function R(u,c){let p=await t(c);return u.cookies.set(e.cookieName,p,{httpOnly:false,secure:process.env.NODE_ENV==="production",sameSite:"strict",path:"/"}),u}return {validateRequest:f,generateToken:t,attachCsrfCookie:R}}function le(){if(typeof crypto<"u"&&crypto.getRandomValues){let e=new Uint8Array(32);return crypto.getRandomValues(e),Array.from(e,t=>t.toString(16).padStart(2,"0")).join("")}return Math.random().toString(36).substring(2)+Date.now().toString(36)}async function ce(e,t,f){let l=`${t.length}!${t}!${f.length}!${f}`;if(typeof crypto<"u"&&crypto.subtle){let u=new TextEncoder,c=u.encode(e),p=u.encode(l),o=await crypto.subtle.importKey("raw",c,{name:"HMAC",hash:"SHA-256"},false,["sign"]),a=await crypto.subtle.sign("HMAC",o,p);return Array.from(new Uint8Array(a),i=>i.toString(16).padStart(2,"0")).join("")}let m=0,R=e+l;for(let u=0;u<R.length;u++){let c=R.charCodeAt(u);m=(m<<5)-m+c,m=m&m;}return Math.abs(m).toString(16)}function de(e,t){if(e.length!==t.length)return  false;let f=0;for(let l=0;l<e.length;l++)f|=e.charCodeAt(l)^t.charCodeAt(l);return f===0}function W(e){let t=new Map,f=setInterval(()=>{let a=Date.now();for(let[i,n]of t)n.resetAt<=a&&t.delete(i);},e.windowMs);typeof process<"u"&&process.on&&process.on("beforeExit",()=>clearInterval(f));function l(a){return e.skipRoutes.some(i=>i.endsWith("*")?a.startsWith(i.slice(0,-1)):i.endsWith("**")?a.startsWith(i.slice(0,-2)):a===i)}function m(a){let i=a.nextUrl.pathname;if(l(i))return {allowed:true,remaining:e.maxRequests,resetAt:0,limit:e.maxRequests};let n=e.keyFn(a),s=Date.now(),d=t.get(n);if(!d||d.resetAt<=s)return d={count:1,resetAt:s+e.windowMs},t.set(n,d),{allowed:true,remaining:e.maxRequests-1,resetAt:d.resetAt,limit:e.maxRequests};d.count++;let C=Math.max(0,e.maxRequests-d.count);return {allowed:d.count<=e.maxRequests,remaining:C,resetAt:d.resetAt,limit:e.maxRequests}}function R(a,i){return a.headers.set("X-RateLimit-Limit",i.limit.toString()),a.headers.set("X-RateLimit-Remaining",i.remaining.toString()),a.headers.set("X-RateLimit-Reset",Math.ceil(i.resetAt/1e3).toString()),a}function u(a,i){if(e.onRateLimited){let s=e.onRateLimited(a);return R(s,i)}let n=NextResponse.json({success:false,message:"Too many requests. Please try again later.",retryAfter:Math.ceil((i.resetAt-Date.now())/1e3)},{status:429});return n.headers.set("Retry-After",Math.ceil((i.resetAt-Date.now())/1e3).toString()),R(n,i)}function c(a){t.delete(a);}function p(){t.clear();}function o(){return t.size}return {check:m,applyHeaders:R,createLimitedResponse:u,shouldSkip:l,reset:c,clear:p,size:o}}function q(e){function t(n){return e.enabled&&e.events.includes(n)}function f(n){return n.headers.get("x-forwarded-for")?.split(",")[0]?.trim()||n.headers.get("x-real-ip")||null}async function l(n,s,d){if(!t(n))return;let C={type:n,timestamp:new Date,ip:f(s),userId:d.userId,path:s.nextUrl.pathname,method:s.method,success:d.success,metadata:d.metadata};if(e.logger)try{await e.logger(C);}catch(v){console.error("[next-api-layer] Audit logger error:",v);}}function m(n,s,d){return l("auth:success",n,{success:true,userId:s,metadata:d})}function R(n,s){return l("auth:fail",n,{success:false,metadata:s})}function u(n,s,d){return l("auth:refresh",n,{success:true,userId:s,metadata:d})}function c(n,s){return l("auth:guest",n,{success:true,metadata:s})}function p(n,s,d){return l("access:denied",n,{success:false,userId:s,metadata:d})}function o(n,s){return l("csrf:fail",n,{success:false,metadata:s})}function a(n,s){return l("rateLimit:exceeded",n,{success:false,metadata:s})}function i(n,s,d){return l("error",n,{success:false,metadata:{...d,error:s.message,stack:s.stack}})}return {emit:l,isEnabled:t,authSuccess:m,authFail:R,authRefresh:u,authGuest:c,accessDenied:p,csrfFail:o,rateLimitExceeded:a,error:i}}function te(e){let t=Q(e),f=j(t),l=z(t,f),m=K(t._resolved.csrf),R=W(t._resolved.rateLimit),u=q(t._resolved.audit);async function c(o){let{pathname:a,origin:i}=o.nextUrl,n=a.startsWith("/api");if(t._resolved.rateLimit.enabled){let g=R.check(o);if(!g.allowed)return await u.rateLimitExceeded(o,{limit:g.limit,resetAt:g.resetAt}),R.createLimitedResponse(o,g)}if(t._resolved.csrf.enabled){let g=m.validateRequest(o);if(!g.valid)return await u.csrfFail(o,{reason:g.reason}),NextResponse.json({success:false,message:"CSRF validation failed"},{status:403})}if(t.blockBrowserApiAccess&&n&&(o.headers.get("accept")||"").includes("text/html"))return NextResponse.redirect(new URL("/",i));if(t.beforeAuth){let g=await t.beforeAuth(o);if(g)return g}if((t.excludedPaths??[]).some(g=>a.startsWith(g)))return p(o,NextResponse.next(),{isAuthenticated:false,isGuest:false,tokenType:null,user:null});if(["/api/auth/login","/api/auth/logout","/api/auth/me","/api/auth/refresh","/api/auth/register"].includes(a))return p(o,NextResponse.next(),{isAuthenticated:false,isGuest:false,tokenType:null,user:null});let C=o.cookies?.get(t.cookies.user)?.value,v=o.cookies?.get(t.cookies.guest)?.value,r=C||v,x=!!C;if(!r){await u.authFail(o,{reason:"no-token"});let g=await l.handleNoToken(o,n);return p(o,g,{isAuthenticated:false,isGuest:false,tokenType:null,user:null})}let h=await f.getTokenInfo(r),y={isAuthenticated:h.isValid&&h.tokenType!=="guest",isGuest:h.isValid&&h.tokenType==="guest",tokenType:h.tokenType,user:h.userData};if(h.isValid)if(h.tokenType==="guest")await u.authGuest(o);else {let g=h.userData?.id?.toString();await u.authSuccess(o,g,{tokenType:h.tokenType});}else await u.authFail(o,{reason:"invalid-token"});let N=await l.handleValidationResult(o,h,x,r,n),k=await p(o,N,y);if(t._resolved.csrf.enabled&&y.isAuthenticated){let g=h.userData?.id?.toString()||r.slice(0,32);k=await m.attachCsrfCookie(k,g);}if(t._resolved.rateLimit.enabled){let g=R.check(o);k=R.applyHeaders(k,g);}return k}async function p(o,a,i){return t.afterAuth?t.afterAuth(o,a,i):a}return c.config=t,c.csrf=m,c.rateLimiter=R,c.audit=u,c}function pe(e,t){if(!t||t.length===0)return  false;let f=e.replace(/^\/api\//,"").replace(/^\//,"");return t.some(l=>{if(l===f)return  true;if(l.includes("*")){let m=l.replace(/\*\*/g,"<<<DOUBLE>>>").replace(/\*/g,"[^/]+").replace(/<<<DOUBLE>>>/g,".+");return new RegExp(`^${m}$`).test(f)}return  false})}function ne(e$1){let{apiBaseUrl:t,userCookieName:f="auth_token",guestCookieName:l="guest_token",skipAuthByDefault:m=false,publicEndpoints:R=[],forwardHeaders:u=["content-type","accept","accept-language","x-requested-with"],excludeHeaders:c=["host","connection","cookie"],transformRequest:p,transformResponse:o}=e$1,a=t.replace(/\/$/,"");function i(s,d){return s.headers.get(e.SKIP_AUTH)==="true"||pe(d,R)?true:m}async function n(s){try{let d=new URL(s.url),C=d.pathname.replace(/^\/api\/?/,""),v=new URL(`${a}/${C}`);v.search=d.search;let r=new Headers;if(u.forEach(T=>{let A=s.headers.get(T);A&&r.set(T,A);}),s.headers.forEach((T,A)=>{let E=A.toLowerCase();!c.includes(E)&&!r.has(A)&&r.set(A,T);}),!i(s,C)){let T=s.cookies.get(f)?.value,A=s.cookies.get(l)?.value,E=T||A;E&&r.set(e.AUTHORIZATION,`Bearer ${E}`);}r.delete(e.SKIP_AUTH);let x=p?await p(s,r):r,h=null;if(s.method!=="GET"&&s.method!=="HEAD"){let T=s.headers.get("content-type")||"";T.includes("application/json")?h=await s.text():T.includes("multipart/form-data")?h=await s.formData():h=await s.text();}let y=await fetch(v.toString(),{method:s.method,headers:x,body:h}),N=y.headers.get("content-type")||"",k;N.includes("application/json")?k=await y.text():k=await y.arrayBuffer();let g=new Headers;y.headers.forEach((T,A)=>{let E=A.toLowerCase();["transfer-encoding","connection","keep-alive"].includes(E)||g.set(A,T);});let S=new NextResponse(k,{status:y.status,statusText:y.statusText,headers:g});return o&&(S=await o(S)),S}catch(d){return console.error("[Proxy Error]",d),NextResponse.json({success:false,message:"Proxy error: Unable to connect to backend",error:d instanceof Error?d.message:"Unknown error"},{status:502})}}return n.config=e$1,n}
+export{q as createAuditLogger,te as createAuthProxy,K as createCsrfValidator,z as createHandlers,ne as createProxyHandler,W as createRateLimiter,j as createTokenValidation};//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map