next-token-auth 1.0.13 → 1.0.15

package/dist/react/index.mjs

@@ -1,512 +1,9 @@
-import { createContext, useRef, useState, useEffect, useCallback, useContext } from 'react';
+import { createContext, useState, useEffect, useCallback, useContext } from 'react';
 import { jsx } from 'react/jsx-runtime';
 
 // src/react/AuthProvider.tsx
-
-// src/utils/expiry.ts
-var UNIT_MAP = {
-  s: 1,
-  m: 60,
-  h: 3600,
-  d: 86400,
-  w: 604800
-};
-function parseExpiry(input) {
-  if (input === void 0 || input === null) {
-    throw new Error("parseExpiry: no expiry value provided");
-  }
-  if (typeof input === "number") {
-    if (input <= 0) throw new Error("parseExpiry: value must be positive");
-    return input;
-  }
-  const trimmed = input.trim();
-  if (/^\d+$/.test(trimmed)) {
-    return parseInt(trimmed, 10);
-  }
-  const match = trimmed.match(/^(\d+(?:\.\d+)?)\s*([smhdw])$/i);
-  if (!match) {
-    throw new Error(
-      `parseExpiry: unrecognised format "${input}". Expected a number or a string like "15m", "2h", "2d", "7d", "1w".`
-    );
-  }
-  const value = parseFloat(match[1]);
-  const unit = match[2].toLowerCase();
-  return Math.floor(value * UNIT_MAP[unit]);
-}
-function safeParseExpiry(input, fallbackSeconds = 900) {
-  try {
-    return parseExpiry(input);
-  } catch {
-    return fallbackSeconds;
-  }
-}
-function resolveAccessTokenExpiry(response, configExpiry, strategy = "hybrid") {
-  const now = Date.now();
-  const fromBackend = response.accessTokenExpiresIn ?? response.expiresIn ?? void 0;
-  if (strategy === "backend") {
-    if (fromBackend === void 0) {
-      throw new Error(
-        'resolveAccessTokenExpiry: strategy is "backend" but API returned no expiry'
-      );
-    }
-    return now + parseExpiry(fromBackend) * 1e3;
-  }
-  if (strategy === "config") {
-    if (configExpiry === void 0) {
-      throw new Error(
-        'resolveAccessTokenExpiry: strategy is "config" but no expiry configured'
-      );
-    }
-    return now + parseExpiry(configExpiry) * 1e3;
-  }
-  if (fromBackend !== void 0) {
-    return now + safeParseExpiry(fromBackend) * 1e3;
-  }
-  if (configExpiry !== void 0) {
-    return now + safeParseExpiry(configExpiry) * 1e3;
-  }
-  return now + 900 * 1e3;
-}
-function resolveRefreshTokenExpiry(response, configExpiry, strategy = "hybrid") {
-  const now = Date.now();
-  const fromBackend = response.refreshTokenExpiresIn;
-  if (strategy === "backend") {
-    return fromBackend !== void 0 ? now + parseExpiry(fromBackend) * 1e3 : void 0;
-  }
-  if (strategy === "config") {
-    return configExpiry !== void 0 ? now + parseExpiry(configExpiry) * 1e3 : void 0;
-  }
-  if (fromBackend !== void 0) {
-    return now + safeParseExpiry(fromBackend) * 1e3;
-  }
-  if (configExpiry !== void 0) {
-    return now + safeParseExpiry(configExpiry) * 1e3;
-  }
-  return void 0;
-}
-
-// src/core/HttpClient.ts
-var HttpClient = class {
-  constructor(config, tokenManager) {
-    this.refreshFn = null;
-    this.refreshPromise = null;
-    this.config = config;
-    this.tokenManager = tokenManager;
-  }
-  /** Register the refresh callback (set by AuthClient to avoid circular deps) */
-  setRefreshFn(fn) {
-    this.refreshFn = fn;
-  }
-  /**
-   * Authenticated fetch wrapper.
-   * Automatically injects the Bearer token and handles 401 → refresh → retry.
-   */
-  async fetch(input, init = {}) {
-    const tokens = this.tokenManager.getTokens();
-    const headers = new Headers(init.headers);
-    if (tokens?.accessToken) {
-      headers.set("Authorization", `Bearer ${tokens.accessToken}`);
-    }
-    const response = await this.doFetch(input, { ...init, headers });
-    if (response.status === 401 && this.refreshFn) {
-      const refreshed = await this.deduplicatedRefresh();
-      if (refreshed) {
-        const newTokens = this.tokenManager.getTokens();
-        if (newTokens?.accessToken) {
-          headers.set("Authorization", `Bearer ${newTokens.accessToken}`);
-        }
-        return this.doFetch(input, { ...init, headers });
-      }
-    }
-    return response;
-  }
-  /**
-   * Raw fetch using the configured fetchFn or global fetch.
-   */
-  async doFetch(input, init) {
-    const fetchFn = this.config.fetchFn ?? fetch;
-    return fetchFn(input, init);
-  }
-  /**
-   * Builds a full URL from a path relative to baseUrl.
-   */
-  url(path) {
-    return `${this.config.baseUrl.replace(/\/$/, "")}/${path.replace(/^\//, "")}`;
-  }
-  // ─── Private ────────────────────────────────────────────────────────────────
-  /**
-   * Ensures only one refresh request is in-flight at a time.
-   */
-  async deduplicatedRefresh() {
-    if (this.refreshPromise) return this.refreshPromise;
-    this.refreshPromise = this.refreshFn().finally(() => {
-      this.refreshPromise = null;
-    });
-    return this.refreshPromise;
-  }
-};
-
-// src/core/SessionManager.ts
-var SessionManager = class {
-  constructor(config, tokenManager, httpClient) {
-    this.session = {
-      user: null,
-      tokens: null,
-      isAuthenticated: false
-    };
-    this.config = config;
-    this.tokenManager = tokenManager;
-    this.httpClient = httpClient;
-  }
-  getSession() {
-    return this.session;
-  }
-  setSession(session) {
-    this.session = session;
-  }
-  /**
-   * Builds a session from stored tokens, optionally fetching the user profile.
-   */
-  async loadSession() {
-    const tokens = this.tokenManager.getTokens();
-    if (!tokens) {
-      this.session = { user: null, tokens: null, isAuthenticated: false };
-      return this.session;
-    }
-    if (this.tokenManager.isAccessExpired(tokens) && this.tokenManager.isRefreshExpired(tokens)) {
-      this.tokenManager.clearTokens();
-      this.session = { user: null, tokens: null, isAuthenticated: false };
-      return this.session;
-    }
-    const user = await this.fetchUser(tokens);
-    this.session = {
-      user,
-      tokens,
-      isAuthenticated: true
-    };
-    return this.session;
-  }
-  /**
-   * Updates the session after a successful token refresh.
-   */
-  async refreshSession(tokens) {
-    const user = this.session.user ?? await this.fetchUser(tokens);
-    this.session = { user, tokens, isAuthenticated: true };
-  }
-  clearSession() {
-    this.session = { user: null, tokens: null, isAuthenticated: false };
-  }
-  // ─── Private ────────────────────────────────────────────────────────────────
-  async fetchUser(tokens) {
-    const meEndpoint = this.config.endpoints.me;
-    if (!meEndpoint) return null;
-    try {
-      const res = await this.httpClient.fetch(this.httpClient.url(meEndpoint));
-      if (!res.ok) return null;
-      return await res.json();
-    } catch {
-      return null;
-    }
-  }
-};
-
-// src/utils/crypto.ts
-var ALGO = "AES-GCM";
-var IV_LENGTH = 12;
-function getTextEncoder() {
-  return new TextEncoder();
-}
-function getTextDecoder() {
-  return new TextDecoder();
-}
-async function deriveKey(secret) {
-  const raw = getTextEncoder().encode(secret.padEnd(32, "0").slice(0, 32));
-  return crypto.subtle.importKey("raw", raw, { name: ALGO }, false, [
-    "encrypt",
-    "decrypt"
-  ]);
-}
-async function encrypt(data, secret) {
-  const key = await deriveKey(secret);
-  const ivArray = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
-  const iv = ivArray.buffer.slice(0, IV_LENGTH);
-  const encoded = getTextEncoder().encode(data);
-  const cipherBuffer = await crypto.subtle.encrypt({ name: ALGO, iv }, key, encoded);
-  const ivB64 = bufferToBase64(new Uint8Array(iv));
-  const cipherB64 = bufferToBase64(new Uint8Array(cipherBuffer));
-  return `${ivB64}.${cipherB64}`;
-}
-async function decrypt(data, secret) {
-  const [ivB64, cipherB64] = data.split(".");
-  if (!ivB64 || !cipherB64) {
-    throw new Error("decrypt: invalid ciphertext format");
-  }
-  const key = await deriveKey(secret);
-  const ivBytes = base64ToBuffer(ivB64);
-  const iv = ivBytes.buffer.slice(
-    ivBytes.byteOffset,
-    ivBytes.byteOffset + ivBytes.byteLength
-  );
-  const cipherBytes = base64ToBuffer(cipherB64);
-  const cipherBuffer = cipherBytes.buffer.slice(
-    cipherBytes.byteOffset,
-    cipherBytes.byteOffset + cipherBytes.byteLength
-  );
-  const plainBuffer = await crypto.subtle.decrypt({ name: ALGO, iv }, key, cipherBuffer);
-  return getTextDecoder().decode(plainBuffer);
-}
-function bufferToBase64(buffer) {
-  return btoa(String.fromCharCode(...buffer)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64ToBuffer(b64) {
-  const padded = b64.replace(/-/g, "+").replace(/_/g, "/");
-  const binary = atob(padded);
-  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
-}
-
-// src/core/TokenManager.ts
-var TokenManager = class {
-  constructor(config) {
-    this.memoryStore = null;
-    this.config = config;
-  }
-  // ─── Public API ─────────────────────────────────────────────────────────────
-  getTokens() {
-    if (this.config.token.storage === "memory") {
-      return this.memoryStore;
-    }
-    return this.readFromCookie();
-  }
-  async setTokens(tokens) {
-    if (this.config.token.storage === "memory") {
-      this.memoryStore = tokens;
-      return;
-    }
-    await this.writeToCookie(tokens);
-  }
-  clearTokens() {
-    this.memoryStore = null;
-    if (this.config.token.storage === "cookie") {
-      this.deleteCookie();
-    }
-  }
-  isAccessExpired(tokens) {
-    const threshold = (this.config.refreshThreshold ?? 60) * 1e3;
-    return Date.now() >= tokens.accessTokenExpiresAt - threshold;
-  }
-  isRefreshExpired(tokens) {
-    if (!tokens.refreshTokenExpiresAt) return false;
-    return Date.now() >= tokens.refreshTokenExpiresAt;
-  }
-  // ─── Cookie helpers (client-side only) ──────────────────────────────────────
-  cookieName() {
-    return this.config.token.cookieName ?? "next-token-auth.session";
-  }
-  readFromCookie() {
-    if (typeof document === "undefined") return null;
-    const raw = getCookieValue(this.cookieName());
-    if (!raw) return null;
-    try {
-      return JSON.parse(decodeURIComponent(raw));
-    } catch {
-      return null;
-    }
-  }
-  async writeToCookie(tokens) {
-    if (typeof document === "undefined") return;
-    const value = encodeURIComponent(JSON.stringify(tokens));
-    const secure = this.config.token.secure !== false ? "; Secure" : "";
-    const sameSite = this.config.token.sameSite ?? "lax";
-    const maxAge = tokens.refreshTokenExpiresAt ? Math.floor((tokens.refreshTokenExpiresAt - Date.now()) / 1e3) : 604800;
-    document.cookie = [
-      `${this.cookieName()}=${value}`,
-      `Max-Age=${maxAge}`,
-      `Path=/`,
-      `SameSite=${sameSite}`,
-      secure
-    ].filter(Boolean).join("; ");
-  }
-  deleteCookie() {
-    if (typeof document === "undefined") return;
-    document.cookie = `${this.cookieName()}=; Max-Age=0; Path=/`;
-  }
-  // ─── Server-side helpers ─────────────────────────────────────────────────────
-  /**
-   * Encrypts tokens for secure server-side cookie storage.
-   */
-  async encryptTokens(tokens) {
-    return encrypt(JSON.stringify(tokens), this.config.secret);
-  }
-  /**
-   * Decrypts tokens from a server-side cookie value.
-   */
-  async decryptTokens(ciphertext) {
-    try {
-      const json = await decrypt(ciphertext, this.config.secret);
-      return JSON.parse(json);
-    } catch {
-      return null;
-    }
-  }
-};
-function getCookieValue(name) {
-  if (typeof document === "undefined") return null;
-  const match = document.cookie.match(
-    new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`)
-  );
-  return match ? match[1] : null;
-}
-function escapeRegex(str) {
-  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-// src/core/AuthClient.ts
-var AuthClient = class {
-  constructor(config) {
-    this.sessionListeners = [];
-    this.config = config;
-    this.tokenManager = new TokenManager(config);
-    this.httpClient = new HttpClient(config, this.tokenManager);
-    this.sessionManager = new SessionManager(
-      config,
-      this.tokenManager,
-      this.httpClient
-    );
-    this.httpClient.setRefreshFn(() => this.refresh());
-  }
-  // ─── Auth Operations ────────────────────────────────────────────────────────
-  /**
-   * Authenticates the user and stores tokens.
-   */
-  async login(input) {
-    const res = await this.httpClient.doFetch(
-      this.httpClient.url(this.config.endpoints.login),
-      {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(input)
-      }
-    );
-    if (!res.ok) {
-      const error = await res.text();
-      throw new Error(`Login failed (${res.status}): ${error}`);
-    }
-    const data = await res.json();
-    const tokens = this.buildTokens(data);
-    await this.tokenManager.setTokens(tokens);
-    await this.sessionManager.loadSession();
-    const session = this.sessionManager.getSession();
-    this.config.onLogin?.(session);
-    this.notifyListeners(session);
-    return session;
-  }
-  /**
-   * Logs out the user, clears tokens, and optionally calls the backend.
-   */
-  async logout() {
-    const logoutEndpoint = this.config.endpoints.logout;
-    if (logoutEndpoint) {
-      try {
-        await this.httpClient.fetch(this.httpClient.url(logoutEndpoint), {
-          method: "POST"
-        });
-      } catch {
-      }
-    }
-    this.tokenManager.clearTokens();
-    this.sessionManager.clearSession();
-    this.config.onLogout?.();
-    this.notifyListeners(this.sessionManager.getSession());
-  }
-  /**
-   * Refreshes the access token using the stored refresh token.
-   * Returns true on success, false on failure.
-   */
-  async refresh() {
-    const tokens = this.tokenManager.getTokens();
-    if (!tokens) return false;
-    if (this.tokenManager.isRefreshExpired(tokens)) {
-      await this.logout();
-      return false;
-    }
-    try {
-      const res = await this.httpClient.doFetch(
-        this.httpClient.url(this.config.endpoints.refresh),
-        {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ refreshToken: tokens.refreshToken })
-        }
-      );
-      if (!res.ok) {
-        await this.logout();
-        return false;
-      }
-      const data = await res.json();
-      const newTokens = this.buildTokens(data);
-      await this.tokenManager.setTokens(newTokens);
-      await this.sessionManager.refreshSession(newTokens);
-      this.notifyListeners(this.sessionManager.getSession());
-      return true;
-    } catch (err) {
-      this.config.onRefreshError?.(err);
-      return false;
-    }
-  }
-  /**
-   * Loads the session from stored tokens (call on app mount).
-   */
-  async initialize() {
-    const session = await this.sessionManager.loadSession();
-    if (session.isAuthenticated && session.tokens && this.tokenManager.isAccessExpired(session.tokens) && !this.tokenManager.isRefreshExpired(session.tokens)) {
-      await this.refresh();
-    }
-    return this.sessionManager.getSession();
-  }
-  getSession() {
-    return this.sessionManager.getSession();
-  }
-  /**
-   * Returns the authenticated fetch wrapper.
-   */
-  get fetch() {
-    return this.httpClient.fetch.bind(this.httpClient);
-  }
-  // ─── Subscription ────────────────────────────────────────────────────────────
-  subscribe(listener) {
-    this.sessionListeners.push(listener);
-    return () => {
-      this.sessionListeners = this.sessionListeners.filter((l) => l !== listener);
-    };
-  }
-  // ─── Private ────────────────────────────────────────────────────────────────
-  buildTokens(data) {
-    const strategy = this.config.expiry?.strategy ?? "hybrid";
-    const configAccess = this.config.expiry?.accessTokenExpiresIn;
-    const configRefresh = this.config.expiry?.refreshTokenExpiresIn;
-    return {
-      accessToken: data.accessToken,
-      refreshToken: data.refreshToken,
-      accessTokenExpiresAt: resolveAccessTokenExpiry(data, configAccess, strategy),
-      refreshTokenExpiresAt: resolveRefreshTokenExpiry(data, configRefresh, strategy)
-    };
-  }
-  notifyListeners(session) {
-    for (const listener of this.sessionListeners) {
-      listener(session);
-    }
-  }
-};
 var AuthContext = createContext(null);
-function AuthProvider({
-  config,
-  children
-}) {
-  const clientRef = useRef(null);
-  if (!clientRef.current) {
-    clientRef.current = new AuthClient(config);
-  }
-  const client = clientRef.current;
+function AuthProvider({ config, children }) {
   const [session, setSession] = useState({
     user: null,
     tokens: null,
@@ -515,57 +12,87 @@ function AuthProvider({
   const [isLoading, setIsLoading] = useState(true);
   useEffect(() => {
     let cancelled = false;
-    client.initialize().then((s) => {
+    fetch("/api/auth/session").then((res) => res.json()).then((data) => {
+      if (!cancelled) {
+        setSession({
+          user: data.user ?? null,
+          tokens: null,
+          // tokens are HttpOnly, never exposed to client
+          isAuthenticated: data.isAuthenticated ?? false
+        });
+        setIsLoading(false);
+      }
+    }).catch(() => {
       if (!cancelled) {
-        setSession(s);
+        setSession({ user: null, tokens: null, isAuthenticated: false });
         setIsLoading(false);
       }
     });
-    const unsubscribe = client.subscribe((s) => {
-      if (!cancelled) setSession(s);
-    });
     return () => {
       cancelled = true;
-      unsubscribe();
     };
-  }, [client]);
+  }, []);
   useEffect(() => {
     if (!config.autoRefresh) return;
     const interval = setInterval(async () => {
-      const tokens = client.tokenManager.getTokens();
-      if (tokens && client.tokenManager.isAccessExpired(tokens) && !client.tokenManager.isRefreshExpired(tokens)) {
-        await client.refresh();
+      if (session.isAuthenticated) {
+        try {
+          await fetch("/api/auth/refresh", { method: "POST" });
+          const updated = await fetch("/api/auth/session").then((r) => r.json());
+          setSession({
+            user: updated.user ?? null,
+            tokens: null,
+            isAuthenticated: updated.isAuthenticated ?? false
+          });
+        } catch {
+        }
       }
-    }, 3e4);
+    }, (config.refreshThreshold ?? 60) * 1e3);
     return () => clearInterval(interval);
-  }, [client, config.autoRefresh]);
+  }, [config.autoRefresh, config.refreshThreshold, session.isAuthenticated]);
   const login = useCallback(
     async (input) => {
       setIsLoading(true);
       try {
-        const s = await client.login(input);
-        setSession(s);
+        const res = await fetch("/api/auth/login", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(input)
+        });
+        if (!res.ok) {
+          const { error } = await res.json();
+          throw new Error(error ?? "Login failed");
+        }
+        const { user } = await res.json();
+        const newSession = { user, tokens: null, isAuthenticated: true };
+        setSession(newSession);
+        config.onLogin?.(newSession);
       } finally {
         setIsLoading(false);
       }
     },
-    [client]
+    [config]
   );
   const logout = useCallback(async () => {
-    await client.logout();
+    await fetch("/api/auth/logout", { method: "POST" });
     setSession({ user: null, tokens: null, isAuthenticated: false });
-  }, [client]);
+    config.onLogout?.();
+  }, [config]);
   const refresh = useCallback(async () => {
-    await client.refresh();
-    setSession(client.getSession());
-  }, [client]);
+    await fetch("/api/auth/refresh", { method: "POST" });
+    const updated = await fetch("/api/auth/session").then((r) => r.json());
+    setSession({
+      user: updated.user ?? null,
+      tokens: null,
+      isAuthenticated: updated.isAuthenticated ?? false
+    });
+  }, []);
   const value = {
     session,
     isLoading,
     login,
     logout,
-    refresh,
-    client
+    refresh
   };
   return /* @__PURE__ */ jsx(AuthContext.Provider, { value, children });
 }