next-sanctum 0.1.0

package/dist/actions.cjs

@@ -0,0 +1,236 @@
+Object.defineProperty(exports, '__esModule', { value: true });
+
+require('server-only');
+var headers = require('next/headers');
+
+/**
+ * Error types for next-sanctum. All failures are normalized to `SanctumError`
+ * so consumers can handle them consistently (see plan §10: errors must not leak).
+ */ /** Base error for all module failures. */ class SanctumError extends Error {
+    constructor(message, options){
+        super(message, {
+            cause: options.cause
+        });
+        this.name = "SanctumError";
+        this.kind = options.kind;
+        this.status = options.status;
+        this.data = options.data;
+    }
+}
+/** Invalid configuration — fail-fast on init (see resolveConfig). */ class ConfigError extends SanctumError {
+    constructor(message, cause){
+        super(message, {
+            kind: "config",
+            cause
+        });
+        this.name = "ConfigError";
+    }
+}
+
+/**
+ * Resolve the server-side base URL (`SANCTUM_BASE_URL`, falling back to the public var
+ * for dev). Shared by `server.ts`/`actions.ts`. Fails fast with a clear ConfigError.
+ */ function resolveServerBaseUrl(explicit, label = "server helpers") {
+    const baseUrl = explicit ?? process.env.SANCTUM_BASE_URL ?? process.env.NEXT_PUBLIC_SANCTUM_BASE_URL;
+    if (!baseUrl) {
+        throw new ConfigError(`SANCTUM_BASE_URL (server) is not set for next-sanctum ${label}.`);
+    }
+    return baseUrl.replace(/\/+$/, "");
+}
+
+/**
+ * Shared Set-Cookie parsing helpers (pure — no `next`/`server-only` imports, so this
+ * stays isomorphic and tree-shakes out of the client graph). Used by `server.ts` and
+ * `actions.ts` to mirror Laravel's Set-Cookie into Next's writable cookie store.
+ */ /**
+ * Read all Set-Cookie headers as an array. Prefers `Headers.getSetCookie()` (Node ≥18.14,
+ * all supported Next runtimes). The single-header fallback only handles one cookie — we do
+ * NOT attempt to comma-split, which is unreliable (Expires dates contain commas).
+ */ function getSetCookies(headers) {
+    const anyHeaders = headers;
+    if (typeof anyHeaders.getSetCookie === "function") return anyHeaders.getSetCookie();
+    const value = headers.get("set-cookie");
+    return value ? [
+        value
+    ] : [];
+}
+/** Parse a single Set-Cookie header. Validates attributes; returns null when unusable. */ function parseSetCookie(header) {
+    const segments = header.split(";");
+    const first = segments.shift();
+    if (!first) return null;
+    const eq = first.indexOf("=");
+    if (eq === -1) return null;
+    const name = first.slice(0, eq).trim();
+    if (name === "") return null;
+    let value = first.slice(eq + 1).trim();
+    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
+        value = value.slice(1, -1);
+    }
+    const options = {};
+    for (const segment of segments){
+        const idx = segment.indexOf("=");
+        const key = (idx === -1 ? segment : segment.slice(0, idx)).trim().toLowerCase();
+        const val = idx === -1 ? "" : segment.slice(idx + 1).trim();
+        switch(key){
+            case "path":
+                options.path = val;
+                break;
+            case "domain":
+                options.domain = val;
+                break;
+            case "max-age":
+                {
+                    const n = Number(val);
+                    if (val !== "" && Number.isFinite(n)) options.maxAge = n;
+                    break;
+                }
+            case "expires":
+                {
+                    const d = new Date(val);
+                    if (!Number.isNaN(d.getTime())) options.expires = d;
+                    break;
+                }
+            case "samesite":
+                {
+                    const lower = val.toLowerCase();
+                    if (lower === "lax" || lower === "strict" || lower === "none") {
+                        options.sameSite = lower;
+                    }
+                    break;
+                }
+            case "secure":
+                options.secure = true;
+                break;
+            case "httponly":
+                options.httpOnly = true;
+                break;
+        }
+    }
+    return {
+        name,
+        value,
+        options
+    };
+}
+/** Mirror a response's Set-Cookie headers into a writable cookie store. */ function applySetCookies(store, response) {
+    for (const raw of getSetCookies(response.headers)){
+        const parsed = parseSetCookie(raw);
+        if (!parsed) continue;
+        try {
+            store.set(parsed.name, parsed.value, parsed.options);
+        } catch  {
+        // store is read-only (e.g. called from a Server Component) — ignore.
+        }
+    }
+}
+
+const DEFAULTS = {
+    csrf: "/sanctum/csrf-cookie",
+    login: "/login",
+    logout: "/logout",
+    register: "/register",
+    forgotPassword: "/forgot-password",
+    resetPassword: "/reset-password",
+    confirmPassword: "/user/confirm-password",
+    twoFactorChallenge: "/two-factor-challenge"
+};
+async function readErrors(response) {
+    try {
+        const data = await response.json();
+        return data?.errors;
+    } catch  {
+        return undefined;
+    }
+}
+async function statefulPost(path, json, config) {
+    const store = await headers.cookies();
+    const base = resolveServerBaseUrl(config?.baseUrl, "actions");
+    const csrfCookie = config?.csrf?.cookie ?? "XSRF-TOKEN";
+    const csrfHeader = config?.csrf?.header ?? "X-XSRF-TOKEN";
+    const csrfPath = config?.endpoints?.csrf ?? DEFAULTS.csrf;
+    let token = store.get(csrfCookie)?.value;
+    if (!token) {
+        const csrfResponse = await fetch(`${base}${csrfPath}`, {
+            headers: {
+                cookie: store.toString(),
+                accept: "application/json"
+            },
+            cache: "no-store"
+        });
+        applySetCookies(store, csrfResponse);
+        token = store.get(csrfCookie)?.value;
+    }
+    const headers$1 = {
+        accept: "application/json",
+        "content-type": "application/json",
+        cookie: store.toString()
+    };
+    if (token) headers$1[csrfHeader] = decodeURIComponent(token);
+    const response = await fetch(`${base}${path}`, {
+        method: "POST",
+        headers: headers$1,
+        body: JSON.stringify(json ?? {}),
+        cache: "no-store"
+    });
+    applySetCookies(store, response);
+    return {
+        ok: response.ok,
+        status: response.status,
+        raw: response
+    };
+}
+async function toResult(result) {
+    if (!result.ok) {
+        return {
+            ok: false,
+            status: result.status,
+            errors: result.status === 422 ? await readErrors(result.raw) : undefined
+        };
+    }
+    return {
+        ok: true,
+        status: result.status
+    };
+}
+/** Login (CSRF → POST /login). Check `twoFactor` on the result before assuming success. */ async function login(credentials, config) {
+    const result = await statefulPost(config?.endpoints?.login ?? DEFAULTS.login, credentials, config);
+    if (!result.ok) return toResult(result);
+    let twoFactor = false;
+    try {
+        const data = await result.raw.json();
+        twoFactor = Boolean(data?.two_factor);
+    } catch  {
+    // empty body → not 2FA
+    }
+    return {
+        ok: true,
+        status: result.status,
+        twoFactor
+    };
+}
+async function logout(config) {
+    return toResult(await statefulPost(config?.endpoints?.logout ?? DEFAULTS.logout, {}, config));
+}
+async function register(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.register ?? DEFAULTS.register, payload, config));
+}
+async function twoFactorChallenge(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.twoFactorChallenge ?? DEFAULTS.twoFactorChallenge, payload, config));
+}
+async function forgotPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.forgotPassword ?? DEFAULTS.forgotPassword, payload, config));
+}
+async function resetPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.resetPassword ?? DEFAULTS.resetPassword, payload, config));
+}
+async function confirmPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.confirmPassword ?? DEFAULTS.confirmPassword, payload, config));
+}
+
+exports.confirmPassword = confirmPassword;
+exports.forgotPassword = forgotPassword;
+exports.login = login;
+exports.logout = logout;
+exports.register = register;
+exports.resetPassword = resetPassword;
+exports.twoFactorChallenge = twoFactorChallenge;

package/dist/actions.d.cts

@@ -0,0 +1,81 @@
+/**
+ * Public & internal type surface of next-sanctum.
+ * TypeScript-first, generic User model, no public `any`.
+ */
+
+interface LoginCredentials {
+    email?: string;
+    /** Supports backends that use `username` (config/fortify.php). */
+    username?: string;
+    password: string;
+    remember?: boolean;
+    [key: string]: unknown;
+}
+interface TwoFactorChallengePayload {
+    code?: string;
+    recovery_code?: string;
+}
+interface RegisterPayload {
+    name?: string;
+    email?: string;
+    username?: string;
+    password?: string;
+    password_confirmation?: string;
+    [key: string]: unknown;
+}
+interface ForgotPasswordPayload {
+    email: string;
+    [key: string]: unknown;
+}
+interface ResetPasswordPayload {
+    token: string;
+    email: string;
+    password: string;
+    password_confirmation: string;
+    [key: string]: unknown;
+}
+interface ConfirmPasswordPayload {
+    password: string;
+}
+
+/**
+ * Server-action helpers. WRAPPED by the consumer's own Server Action (`'use server'`)
+ * — not literally `'use server'` (see §6 of the plan). Runs the CSRF→POST flow and
+ * writes Laravel's Set-Cookie into `cookies()` so the session is persisted.
+ */
+interface ActionConfig {
+    baseUrl?: string;
+    endpoints?: {
+        csrf?: string;
+        login?: string;
+        logout?: string;
+        register?: string;
+        forgotPassword?: string;
+        resetPassword?: string;
+        confirmPassword?: string;
+        twoFactorChallenge?: string;
+    };
+    csrf?: {
+        cookie?: string;
+        header?: string;
+    };
+}
+interface ActionResult {
+    ok: boolean;
+    status: number;
+    /** True when login requires a 2FA challenge (Fortify `two_factor`). */
+    twoFactor?: boolean;
+    /** Laravel validation errors (422). */
+    errors?: Record<string, string[]>;
+}
+/** Login (CSRF → POST /login). Check `twoFactor` on the result before assuming success. */
+declare function login(credentials: LoginCredentials, config?: ActionConfig): Promise<ActionResult>;
+declare function logout(config?: ActionConfig): Promise<ActionResult>;
+declare function register(payload: RegisterPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function twoFactorChallenge(payload: TwoFactorChallengePayload, config?: ActionConfig): Promise<ActionResult>;
+declare function forgotPassword(payload: ForgotPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function resetPassword(payload: ResetPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function confirmPassword(payload: ConfirmPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+
+export { confirmPassword, forgotPassword, login, logout, register, resetPassword, twoFactorChallenge };
+export type { ActionConfig, ActionResult };

package/dist/actions.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Public & internal type surface of next-sanctum.
+ * TypeScript-first, generic User model, no public `any`.
+ */
+
+interface LoginCredentials {
+    email?: string;
+    /** Supports backends that use `username` (config/fortify.php). */
+    username?: string;
+    password: string;
+    remember?: boolean;
+    [key: string]: unknown;
+}
+interface TwoFactorChallengePayload {
+    code?: string;
+    recovery_code?: string;
+}
+interface RegisterPayload {
+    name?: string;
+    email?: string;
+    username?: string;
+    password?: string;
+    password_confirmation?: string;
+    [key: string]: unknown;
+}
+interface ForgotPasswordPayload {
+    email: string;
+    [key: string]: unknown;
+}
+interface ResetPasswordPayload {
+    token: string;
+    email: string;
+    password: string;
+    password_confirmation: string;
+    [key: string]: unknown;
+}
+interface ConfirmPasswordPayload {
+    password: string;
+}
+
+/**
+ * Server-action helpers. WRAPPED by the consumer's own Server Action (`'use server'`)
+ * — not literally `'use server'` (see §6 of the plan). Runs the CSRF→POST flow and
+ * writes Laravel's Set-Cookie into `cookies()` so the session is persisted.
+ */
+interface ActionConfig {
+    baseUrl?: string;
+    endpoints?: {
+        csrf?: string;
+        login?: string;
+        logout?: string;
+        register?: string;
+        forgotPassword?: string;
+        resetPassword?: string;
+        confirmPassword?: string;
+        twoFactorChallenge?: string;
+    };
+    csrf?: {
+        cookie?: string;
+        header?: string;
+    };
+}
+interface ActionResult {
+    ok: boolean;
+    status: number;
+    /** True when login requires a 2FA challenge (Fortify `two_factor`). */
+    twoFactor?: boolean;
+    /** Laravel validation errors (422). */
+    errors?: Record<string, string[]>;
+}
+/** Login (CSRF → POST /login). Check `twoFactor` on the result before assuming success. */
+declare function login(credentials: LoginCredentials, config?: ActionConfig): Promise<ActionResult>;
+declare function logout(config?: ActionConfig): Promise<ActionResult>;
+declare function register(payload: RegisterPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function twoFactorChallenge(payload: TwoFactorChallengePayload, config?: ActionConfig): Promise<ActionResult>;
+declare function forgotPassword(payload: ForgotPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function resetPassword(payload: ResetPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+declare function confirmPassword(payload: ConfirmPasswordPayload, config?: ActionConfig): Promise<ActionResult>;
+
+export { confirmPassword, forgotPassword, login, logout, register, resetPassword, twoFactorChallenge };
+export type { ActionConfig, ActionResult };

package/dist/actions.js

@@ -0,0 +1,228 @@
+import 'server-only';
+import { cookies } from 'next/headers';
+
+/**
+ * Error types for next-sanctum. All failures are normalized to `SanctumError`
+ * so consumers can handle them consistently (see plan §10: errors must not leak).
+ */ /** Base error for all module failures. */ class SanctumError extends Error {
+    constructor(message, options){
+        super(message, {
+            cause: options.cause
+        });
+        this.name = "SanctumError";
+        this.kind = options.kind;
+        this.status = options.status;
+        this.data = options.data;
+    }
+}
+/** Invalid configuration — fail-fast on init (see resolveConfig). */ class ConfigError extends SanctumError {
+    constructor(message, cause){
+        super(message, {
+            kind: "config",
+            cause
+        });
+        this.name = "ConfigError";
+    }
+}
+
+/**
+ * Resolve the server-side base URL (`SANCTUM_BASE_URL`, falling back to the public var
+ * for dev). Shared by `server.ts`/`actions.ts`. Fails fast with a clear ConfigError.
+ */ function resolveServerBaseUrl(explicit, label = "server helpers") {
+    const baseUrl = explicit ?? process.env.SANCTUM_BASE_URL ?? process.env.NEXT_PUBLIC_SANCTUM_BASE_URL;
+    if (!baseUrl) {
+        throw new ConfigError(`SANCTUM_BASE_URL (server) is not set for next-sanctum ${label}.`);
+    }
+    return baseUrl.replace(/\/+$/, "");
+}
+
+/**
+ * Shared Set-Cookie parsing helpers (pure — no `next`/`server-only` imports, so this
+ * stays isomorphic and tree-shakes out of the client graph). Used by `server.ts` and
+ * `actions.ts` to mirror Laravel's Set-Cookie into Next's writable cookie store.
+ */ /**
+ * Read all Set-Cookie headers as an array. Prefers `Headers.getSetCookie()` (Node ≥18.14,
+ * all supported Next runtimes). The single-header fallback only handles one cookie — we do
+ * NOT attempt to comma-split, which is unreliable (Expires dates contain commas).
+ */ function getSetCookies(headers) {
+    const anyHeaders = headers;
+    if (typeof anyHeaders.getSetCookie === "function") return anyHeaders.getSetCookie();
+    const value = headers.get("set-cookie");
+    return value ? [
+        value
+    ] : [];
+}
+/** Parse a single Set-Cookie header. Validates attributes; returns null when unusable. */ function parseSetCookie(header) {
+    const segments = header.split(";");
+    const first = segments.shift();
+    if (!first) return null;
+    const eq = first.indexOf("=");
+    if (eq === -1) return null;
+    const name = first.slice(0, eq).trim();
+    if (name === "") return null;
+    let value = first.slice(eq + 1).trim();
+    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
+        value = value.slice(1, -1);
+    }
+    const options = {};
+    for (const segment of segments){
+        const idx = segment.indexOf("=");
+        const key = (idx === -1 ? segment : segment.slice(0, idx)).trim().toLowerCase();
+        const val = idx === -1 ? "" : segment.slice(idx + 1).trim();
+        switch(key){
+            case "path":
+                options.path = val;
+                break;
+            case "domain":
+                options.domain = val;
+                break;
+            case "max-age":
+                {
+                    const n = Number(val);
+                    if (val !== "" && Number.isFinite(n)) options.maxAge = n;
+                    break;
+                }
+            case "expires":
+                {
+                    const d = new Date(val);
+                    if (!Number.isNaN(d.getTime())) options.expires = d;
+                    break;
+                }
+            case "samesite":
+                {
+                    const lower = val.toLowerCase();
+                    if (lower === "lax" || lower === "strict" || lower === "none") {
+                        options.sameSite = lower;
+                    }
+                    break;
+                }
+            case "secure":
+                options.secure = true;
+                break;
+            case "httponly":
+                options.httpOnly = true;
+                break;
+        }
+    }
+    return {
+        name,
+        value,
+        options
+    };
+}
+/** Mirror a response's Set-Cookie headers into a writable cookie store. */ function applySetCookies(store, response) {
+    for (const raw of getSetCookies(response.headers)){
+        const parsed = parseSetCookie(raw);
+        if (!parsed) continue;
+        try {
+            store.set(parsed.name, parsed.value, parsed.options);
+        } catch  {
+        // store is read-only (e.g. called from a Server Component) — ignore.
+        }
+    }
+}
+
+const DEFAULTS = {
+    csrf: "/sanctum/csrf-cookie",
+    login: "/login",
+    logout: "/logout",
+    register: "/register",
+    forgotPassword: "/forgot-password",
+    resetPassword: "/reset-password",
+    confirmPassword: "/user/confirm-password",
+    twoFactorChallenge: "/two-factor-challenge"
+};
+async function readErrors(response) {
+    try {
+        const data = await response.json();
+        return data?.errors;
+    } catch  {
+        return undefined;
+    }
+}
+async function statefulPost(path, json, config) {
+    const store = await cookies();
+    const base = resolveServerBaseUrl(config?.baseUrl, "actions");
+    const csrfCookie = config?.csrf?.cookie ?? "XSRF-TOKEN";
+    const csrfHeader = config?.csrf?.header ?? "X-XSRF-TOKEN";
+    const csrfPath = config?.endpoints?.csrf ?? DEFAULTS.csrf;
+    let token = store.get(csrfCookie)?.value;
+    if (!token) {
+        const csrfResponse = await fetch(`${base}${csrfPath}`, {
+            headers: {
+                cookie: store.toString(),
+                accept: "application/json"
+            },
+            cache: "no-store"
+        });
+        applySetCookies(store, csrfResponse);
+        token = store.get(csrfCookie)?.value;
+    }
+    const headers = {
+        accept: "application/json",
+        "content-type": "application/json",
+        cookie: store.toString()
+    };
+    if (token) headers[csrfHeader] = decodeURIComponent(token);
+    const response = await fetch(`${base}${path}`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(json ?? {}),
+        cache: "no-store"
+    });
+    applySetCookies(store, response);
+    return {
+        ok: response.ok,
+        status: response.status,
+        raw: response
+    };
+}
+async function toResult(result) {
+    if (!result.ok) {
+        return {
+            ok: false,
+            status: result.status,
+            errors: result.status === 422 ? await readErrors(result.raw) : undefined
+        };
+    }
+    return {
+        ok: true,
+        status: result.status
+    };
+}
+/** Login (CSRF → POST /login). Check `twoFactor` on the result before assuming success. */ async function login(credentials, config) {
+    const result = await statefulPost(config?.endpoints?.login ?? DEFAULTS.login, credentials, config);
+    if (!result.ok) return toResult(result);
+    let twoFactor = false;
+    try {
+        const data = await result.raw.json();
+        twoFactor = Boolean(data?.two_factor);
+    } catch  {
+    // empty body → not 2FA
+    }
+    return {
+        ok: true,
+        status: result.status,
+        twoFactor
+    };
+}
+async function logout(config) {
+    return toResult(await statefulPost(config?.endpoints?.logout ?? DEFAULTS.logout, {}, config));
+}
+async function register(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.register ?? DEFAULTS.register, payload, config));
+}
+async function twoFactorChallenge(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.twoFactorChallenge ?? DEFAULTS.twoFactorChallenge, payload, config));
+}
+async function forgotPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.forgotPassword ?? DEFAULTS.forgotPassword, payload, config));
+}
+async function resetPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.resetPassword ?? DEFAULTS.resetPassword, payload, config));
+}
+async function confirmPassword(payload, config) {
+    return toResult(await statefulPost(config?.endpoints?.confirmPassword ?? DEFAULTS.confirmPassword, payload, config));
+}
+
+export { confirmPassword, forgotPassword, login, logout, register, resetPassword, twoFactorChallenge };