next-token-auth 1.0.0

package/dist/index.js

@@ -0,0 +1,619 @@
+'use strict';
+
+var react = require('react');
+var jsxRuntime = require('react/jsx-runtime');
+
+// src/utils/expiry.ts
+var UNIT_MAP = {
+  s: 1,
+  m: 60,
+  h: 3600,
+  d: 86400,
+  w: 604800
+};
+function parseExpiry(input) {
+  if (input === void 0 || input === null) {
+    throw new Error("parseExpiry: no expiry value provided");
+  }
+  if (typeof input === "number") {
+    if (input <= 0) throw new Error("parseExpiry: value must be positive");
+    return input;
+  }
+  const trimmed = input.trim();
+  if (/^\d+$/.test(trimmed)) {
+    return parseInt(trimmed, 10);
+  }
+  const match = trimmed.match(/^(\d+(?:\.\d+)?)\s*([smhdw])$/i);
+  if (!match) {
+    throw new Error(
+      `parseExpiry: unrecognised format "${input}". Expected a number or a string like "15m", "2h", "2d", "7d", "1w".`
+    );
+  }
+  const value = parseFloat(match[1]);
+  const unit = match[2].toLowerCase();
+  return Math.floor(value * UNIT_MAP[unit]);
+}
+function safeParseExpiry(input, fallbackSeconds = 900) {
+  try {
+    return parseExpiry(input);
+  } catch {
+    return fallbackSeconds;
+  }
+}
+function resolveAccessTokenExpiry(response, configExpiry, strategy = "hybrid") {
+  const now = Date.now();
+  const fromBackend = response.accessTokenExpiresIn ?? response.expiresIn ?? void 0;
+  if (strategy === "backend") {
+    if (fromBackend === void 0) {
+      throw new Error(
+        'resolveAccessTokenExpiry: strategy is "backend" but API returned no expiry'
+      );
+    }
+    return now + parseExpiry(fromBackend) * 1e3;
+  }
+  if (strategy === "config") {
+    if (configExpiry === void 0) {
+      throw new Error(
+        'resolveAccessTokenExpiry: strategy is "config" but no expiry configured'
+      );
+    }
+    return now + parseExpiry(configExpiry) * 1e3;
+  }
+  if (fromBackend !== void 0) {
+    return now + safeParseExpiry(fromBackend) * 1e3;
+  }
+  if (configExpiry !== void 0) {
+    return now + safeParseExpiry(configExpiry) * 1e3;
+  }
+  return now + 900 * 1e3;
+}
+function resolveRefreshTokenExpiry(response, configExpiry, strategy = "hybrid") {
+  const now = Date.now();
+  const fromBackend = response.refreshTokenExpiresIn;
+  if (strategy === "backend") {
+    return fromBackend !== void 0 ? now + parseExpiry(fromBackend) * 1e3 : void 0;
+  }
+  if (strategy === "config") {
+    return configExpiry !== void 0 ? now + parseExpiry(configExpiry) * 1e3 : void 0;
+  }
+  if (fromBackend !== void 0) {
+    return now + safeParseExpiry(fromBackend) * 1e3;
+  }
+  if (configExpiry !== void 0) {
+    return now + safeParseExpiry(configExpiry) * 1e3;
+  }
+  return void 0;
+}
+
+// src/core/HttpClient.ts
+var HttpClient = class {
+  constructor(config, tokenManager) {
+    this.refreshFn = null;
+    this.refreshPromise = null;
+    this.config = config;
+    this.tokenManager = tokenManager;
+  }
+  /** Register the refresh callback (set by AuthClient to avoid circular deps) */
+  setRefreshFn(fn) {
+    this.refreshFn = fn;
+  }
+  /**
+   * Authenticated fetch wrapper.
+   * Automatically injects the Bearer token and handles 401 → refresh → retry.
+   */
+  async fetch(input, init = {}) {
+    const tokens = this.tokenManager.getTokens();
+    const headers = new Headers(init.headers);
+    if (tokens?.accessToken) {
+      headers.set("Authorization", `Bearer ${tokens.accessToken}`);
+    }
+    const response = await this.doFetch(input, { ...init, headers });
+    if (response.status === 401 && this.refreshFn) {
+      const refreshed = await this.deduplicatedRefresh();
+      if (refreshed) {
+        const newTokens = this.tokenManager.getTokens();
+        if (newTokens?.accessToken) {
+          headers.set("Authorization", `Bearer ${newTokens.accessToken}`);
+        }
+        return this.doFetch(input, { ...init, headers });
+      }
+    }
+    return response;
+  }
+  /**
+   * Raw fetch using the configured fetchFn or global fetch.
+   */
+  async doFetch(input, init) {
+    const fetchFn = this.config.fetchFn ?? fetch;
+    return fetchFn(input, init);
+  }
+  /**
+   * Builds a full URL from a path relative to baseUrl.
+   */
+  url(path) {
+    return `${this.config.baseUrl.replace(/\/$/, "")}/${path.replace(/^\//, "")}`;
+  }
+  // ─── Private ────────────────────────────────────────────────────────────────
+  /**
+   * Ensures only one refresh request is in-flight at a time.
+   */
+  async deduplicatedRefresh() {
+    if (this.refreshPromise) return this.refreshPromise;
+    this.refreshPromise = this.refreshFn().finally(() => {
+      this.refreshPromise = null;
+    });
+    return this.refreshPromise;
+  }
+};
+
+// src/core/SessionManager.ts
+var SessionManager = class {
+  constructor(config, tokenManager, httpClient) {
+    this.session = {
+      user: null,
+      tokens: null,
+      isAuthenticated: false
+    };
+    this.config = config;
+    this.tokenManager = tokenManager;
+    this.httpClient = httpClient;
+  }
+  getSession() {
+    return this.session;
+  }
+  setSession(session) {
+    this.session = session;
+  }
+  /**
+   * Builds a session from stored tokens, optionally fetching the user profile.
+   */
+  async loadSession() {
+    const tokens = this.tokenManager.getTokens();
+    if (!tokens) {
+      this.session = { user: null, tokens: null, isAuthenticated: false };
+      return this.session;
+    }
+    if (this.tokenManager.isAccessExpired(tokens) && this.tokenManager.isRefreshExpired(tokens)) {
+      this.tokenManager.clearTokens();
+      this.session = { user: null, tokens: null, isAuthenticated: false };
+      return this.session;
+    }
+    const user = await this.fetchUser(tokens);
+    this.session = {
+      user,
+      tokens,
+      isAuthenticated: true
+    };
+    return this.session;
+  }
+  /**
+   * Updates the session after a successful token refresh.
+   */
+  async refreshSession(tokens) {
+    const user = this.session.user ?? await this.fetchUser(tokens);
+    this.session = { user, tokens, isAuthenticated: true };
+  }
+  clearSession() {
+    this.session = { user: null, tokens: null, isAuthenticated: false };
+  }
+  // ─── Private ────────────────────────────────────────────────────────────────
+  async fetchUser(tokens) {
+    const meEndpoint = this.config.endpoints.me;
+    if (!meEndpoint) return null;
+    try {
+      const res = await this.httpClient.fetch(this.httpClient.url(meEndpoint));
+      if (!res.ok) return null;
+      return await res.json();
+    } catch {
+      return null;
+    }
+  }
+};
+
+// src/utils/crypto.ts
+var ALGO = "AES-GCM";
+var IV_LENGTH = 12;
+function getTextEncoder() {
+  return new TextEncoder();
+}
+function getTextDecoder() {
+  return new TextDecoder();
+}
+async function deriveKey(secret) {
+  const raw = getTextEncoder().encode(secret.padEnd(32, "0").slice(0, 32));
+  return crypto.subtle.importKey("raw", raw, { name: ALGO }, false, [
+    "encrypt",
+    "decrypt"
+  ]);
+}
+async function encrypt(data, secret) {
+  const key = await deriveKey(secret);
+  const ivArray = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const iv = ivArray.buffer.slice(0, IV_LENGTH);
+  const encoded = getTextEncoder().encode(data);
+  const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
+  const ivB64 = bufferToBase64(new Uint8Array(iv));
+  const cipherB64 = bufferToBase64(new Uint8Array(cipherBuffer));
+  return `${ivB64}.${cipherB64}`;
+}
+async function decrypt(data, secret) {
+  const [ivB64, cipherB64] = data.split(".");
+  if (!ivB64 || !cipherB64) {
+    throw new Error("decrypt: invalid ciphertext format");
+  }
+  const key = await deriveKey(secret);
+  const ivBytes = base64ToBuffer(ivB64);
+  const iv = ivBytes.buffer.slice(
+    ivBytes.byteOffset,
+    ivBytes.byteOffset + ivBytes.byteLength
+  );
+  const cipherBytes = base64ToBuffer(cipherB64);
+  const cipherBuffer = cipherBytes.buffer.slice(
+    cipherBytes.byteOffset,
+    cipherBytes.byteOffset + cipherBytes.byteLength
+  );
+  const plainBuffer = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBuffer);
+  return getTextDecoder().decode(plainBuffer);
+}
+function bufferToBase64(buffer) {
+  return btoa(String.fromCharCode(...buffer)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64ToBuffer(b64) {
+  const padded = b64.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+
+// src/core/TokenManager.ts
+var TokenManager = class {
+  constructor(config) {
+    this.memoryStore = null;
+    this.config = config;
+  }
+  // ─── Public API ─────────────────────────────────────────────────────────────
+  getTokens() {
+    if (this.config.token.storage === "memory") {
+      return this.memoryStore;
+    }
+    return this.readFromCookie();
+  }
+  async setTokens(tokens) {
+    if (this.config.token.storage === "memory") {
+      this.memoryStore = tokens;
+      return;
+    }
+    await this.writeToCookie(tokens);
+  }
+  clearTokens() {
+    this.memoryStore = null;
+    if (this.config.token.storage === "cookie") {
+      this.deleteCookie();
+    }
+  }
+  isAccessExpired(tokens) {
+    const threshold = (this.config.refreshThreshold ?? 60) * 1e3;
+    return Date.now() >= tokens.accessTokenExpiresAt - threshold;
+  }
+  isRefreshExpired(tokens) {
+    if (!tokens.refreshTokenExpiresAt) return false;
+    return Date.now() >= tokens.refreshTokenExpiresAt;
+  }
+  // ─── Cookie helpers (client-side only) ──────────────────────────────────────
+  cookieName() {
+    return this.config.token.cookieName ?? "next-auth-kit.session";
+  }
+  readFromCookie() {
+    if (typeof document === "undefined") return null;
+    const raw = getCookieValue(this.cookieName());
+    if (!raw) return null;
+    try {
+      return JSON.parse(decodeURIComponent(raw));
+    } catch {
+      return null;
+    }
+  }
+  async writeToCookie(tokens) {
+    if (typeof document === "undefined") return;
+    const value = encodeURIComponent(JSON.stringify(tokens));
+    const secure = this.config.token.secure !== false ? "; Secure" : "";
+    const sameSite = this.config.token.sameSite ?? "lax";
+    const maxAge = tokens.refreshTokenExpiresAt ? Math.floor((tokens.refreshTokenExpiresAt - Date.now()) / 1e3) : 604800;
+    document.cookie = [
+      `${this.cookieName()}=${value}`,
+      `Max-Age=${maxAge}`,
+      `Path=/`,
+      `SameSite=${sameSite}`,
+      secure
+    ].filter(Boolean).join("; ");
+  }
+  deleteCookie() {
+    if (typeof document === "undefined") return;
+    document.cookie = `${this.cookieName()}=; Max-Age=0; Path=/`;
+  }
+  // ─── Server-side helpers ─────────────────────────────────────────────────────
+  /**
+   * Encrypts tokens for secure server-side cookie storage.
+   */
+  async encryptTokens(tokens) {
+    return encrypt(JSON.stringify(tokens), this.config.secret);
+  }
+  /**
+   * Decrypts tokens from a server-side cookie value.
+   */
+  async decryptTokens(ciphertext) {
+    try {
+      const json = await decrypt(ciphertext, this.config.secret);
+      return JSON.parse(json);
+    } catch {
+      return null;
+    }
+  }
+};
+function getCookieValue(name) {
+  if (typeof document === "undefined") return null;
+  const match = document.cookie.match(
+    new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`)
+  );
+  return match ? match[1] : null;
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/core/AuthClient.ts
+var AuthClient = class {
+  constructor(config) {
+    this.sessionListeners = [];
+    this.config = config;
+    this.tokenManager = new TokenManager(config);
+    this.httpClient = new HttpClient(config, this.tokenManager);
+    this.sessionManager = new SessionManager(
+      config,
+      this.tokenManager,
+      this.httpClient
+    );
+    this.httpClient.setRefreshFn(() => this.refresh());
+  }
+  // ─── Auth Operations ────────────────────────────────────────────────────────
+  /**
+   * Authenticates the user and stores tokens.
+   */
+  async login(input) {
+    const res = await this.httpClient.doFetch(
+      this.httpClient.url(this.config.endpoints.login),
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(input)
+      }
+    );
+    if (!res.ok) {
+      const error = await res.text();
+      throw new Error(`Login failed (${res.status}): ${error}`);
+    }
+    const data = await res.json();
+    const tokens = this.buildTokens(data);
+    await this.tokenManager.setTokens(tokens);
+    await this.sessionManager.loadSession();
+    const session = this.sessionManager.getSession();
+    this.config.onLogin?.(session);
+    this.notifyListeners(session);
+    return session;
+  }
+  /**
+   * Logs out the user, clears tokens, and optionally calls the backend.
+   */
+  async logout() {
+    const logoutEndpoint = this.config.endpoints.logout;
+    if (logoutEndpoint) {
+      try {
+        await this.httpClient.fetch(this.httpClient.url(logoutEndpoint), {
+          method: "POST"
+        });
+      } catch {
+      }
+    }
+    this.tokenManager.clearTokens();
+    this.sessionManager.clearSession();
+    this.config.onLogout?.();
+    this.notifyListeners(this.sessionManager.getSession());
+  }
+  /**
+   * Refreshes the access token using the stored refresh token.
+   * Returns true on success, false on failure.
+   */
+  async refresh() {
+    const tokens = this.tokenManager.getTokens();
+    if (!tokens) return false;
+    if (this.tokenManager.isRefreshExpired(tokens)) {
+      await this.logout();
+      return false;
+    }
+    try {
+      const res = await this.httpClient.doFetch(
+        this.httpClient.url(this.config.endpoints.refresh),
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ refreshToken: tokens.refreshToken })
+        }
+      );
+      if (!res.ok) {
+        await this.logout();
+        return false;
+      }
+      const data = await res.json();
+      const newTokens = this.buildTokens(data);
+      await this.tokenManager.setTokens(newTokens);
+      await this.sessionManager.refreshSession(newTokens);
+      this.notifyListeners(this.sessionManager.getSession());
+      return true;
+    } catch (err) {
+      this.config.onRefreshError?.(err);
+      return false;
+    }
+  }
+  /**
+   * Loads the session from stored tokens (call on app mount).
+   */
+  async initialize() {
+    const session = await this.sessionManager.loadSession();
+    if (session.isAuthenticated && session.tokens && this.tokenManager.isAccessExpired(session.tokens) && !this.tokenManager.isRefreshExpired(session.tokens)) {
+      await this.refresh();
+    }
+    return this.sessionManager.getSession();
+  }
+  getSession() {
+    return this.sessionManager.getSession();
+  }
+  /**
+   * Returns the authenticated fetch wrapper.
+   */
+  get fetch() {
+    return this.httpClient.fetch.bind(this.httpClient);
+  }
+  // ─── Subscription ────────────────────────────────────────────────────────────
+  subscribe(listener) {
+    this.sessionListeners.push(listener);
+    return () => {
+      this.sessionListeners = this.sessionListeners.filter((l) => l !== listener);
+    };
+  }
+  // ─── Private ────────────────────────────────────────────────────────────────
+  buildTokens(data) {
+    const strategy = this.config.expiry?.strategy ?? "hybrid";
+    const configAccess = this.config.expiry?.accessTokenExpiresIn;
+    const configRefresh = this.config.expiry?.refreshTokenExpiresIn;
+    return {
+      accessToken: data.accessToken,
+      refreshToken: data.refreshToken,
+      accessTokenExpiresAt: resolveAccessTokenExpiry(data, configAccess, strategy),
+      refreshTokenExpiresAt: resolveRefreshTokenExpiry(data, configRefresh, strategy)
+    };
+  }
+  notifyListeners(session) {
+    for (const listener of this.sessionListeners) {
+      listener(session);
+    }
+  }
+};
+var AuthContext = react.createContext(null);
+function AuthProvider({
+  config,
+  children
+}) {
+  const clientRef = react.useRef(null);
+  if (!clientRef.current) {
+    clientRef.current = new AuthClient(config);
+  }
+  const client = clientRef.current;
+  const [session, setSession] = react.useState({
+    user: null,
+    tokens: null,
+    isAuthenticated: false
+  });
+  const [isLoading, setIsLoading] = react.useState(true);
+  react.useEffect(() => {
+    let cancelled = false;
+    client.initialize().then((s) => {
+      if (!cancelled) {
+        setSession(s);
+        setIsLoading(false);
+      }
+    });
+    const unsubscribe = client.subscribe((s) => {
+      if (!cancelled) setSession(s);
+    });
+    return () => {
+      cancelled = true;
+      unsubscribe();
+    };
+  }, [client]);
+  react.useEffect(() => {
+    if (!config.autoRefresh) return;
+    const interval = setInterval(async () => {
+      const tokens = client.tokenManager.getTokens();
+      if (tokens && client.tokenManager.isAccessExpired(tokens) && !client.tokenManager.isRefreshExpired(tokens)) {
+        await client.refresh();
+      }
+    }, 3e4);
+    return () => clearInterval(interval);
+  }, [client, config.autoRefresh]);
+  const login = react.useCallback(
+    async (input) => {
+      setIsLoading(true);
+      try {
+        const s = await client.login(input);
+        setSession(s);
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    [client]
+  );
+  const logout = react.useCallback(async () => {
+    await client.logout();
+    setSession({ user: null, tokens: null, isAuthenticated: false });
+  }, [client]);
+  const refresh = react.useCallback(async () => {
+    await client.refresh();
+    setSession(client.getSession());
+  }, [client]);
+  const value = {
+    session,
+    isLoading,
+    login,
+    logout,
+    refresh,
+    client
+  };
+  return /* @__PURE__ */ jsxRuntime.jsx(AuthContext.Provider, { value, children });
+}
+function useAuthContext() {
+  const ctx = react.useContext(AuthContext);
+  if (!ctx) {
+    throw new Error("useAuthContext must be used within <AuthProvider>");
+  }
+  return ctx;
+}
+
+// src/react/hooks/useAuth.ts
+function useAuth() {
+  const { session, login, logout, refresh, isLoading } = useAuthContext();
+  return { session, login, logout, refresh, isLoading };
+}
+
+// src/react/hooks/useSession.ts
+function useSession() {
+  return useAuthContext().session;
+}
+function useRequireAuth(options = {}) {
+  const { redirectTo = "/login", onUnauthenticated } = options;
+  const { session, isLoading } = useAuthContext();
+  react.useEffect(() => {
+    if (isLoading) return;
+    if (session.isAuthenticated) return;
+    if (onUnauthenticated) {
+      onUnauthenticated();
+      return;
+    }
+    if (typeof window !== "undefined") {
+      window.location.href = redirectTo;
+    }
+  }, [session.isAuthenticated, isLoading, redirectTo, onUnauthenticated]);
+}
+
+exports.AuthClient = AuthClient;
+exports.AuthProvider = AuthProvider;
+exports.HttpClient = HttpClient;
+exports.SessionManager = SessionManager;
+exports.TokenManager = TokenManager;
+exports.decrypt = decrypt;
+exports.encrypt = encrypt;
+exports.parseExpiry = parseExpiry;
+exports.safeParseExpiry = safeParseExpiry;
+exports.useAuth = useAuth;
+exports.useRequireAuth = useRequireAuth;
+exports.useSession = useSession;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map