nextjs-cms 0.5.55 → 0.5.58

package/dist/auth/hooks/useRefreshToken.js

@@ -1,13 +1,15 @@
+import * as React from 'react';
 import { logout, refreshSession } from '../react.js';
 /**
  * This hook is used to refresh the access token when it expires.
  * It is used in the useAxiosPrivate hook to refresh the access token when a request returns a 401 error.
  */
 const useRefreshToken = () => {
-    let isRefreshing = false; // Is a refresh request being sent?
-    let failedQueue = []; // An array of requests that failed because of 401
+    const isRefreshingRef = React.useRef(false); // Is a refresh request being sent?
+    // An array of requests that failed because of 401
+    const failedQueueRef = React.useRef([]);
     const processQueue = (error, token = null) => {
-        failedQueue.forEach((prom) => {
+        failedQueueRef.current.forEach((prom) => {
             if (error) {
                 prom.reject(error);
             }
@@ -15,7 +17,7 @@ const useRefreshToken = () => {
                 prom.resolve(token);
             }
         });
-        failedQueue = [];
+        failedQueueRef.current = [];
     };
     const refresh = async () => {
         try {
@@ -24,7 +26,7 @@ const useRefreshToken = () => {
             /**
              * The refresh request is done
              */
-            isRefreshing = false;
+            isRefreshingRef.current = false;
             if (response.status !== 200) {
                 /**
                  * If the refresh token is invalid, we log out the user
@@ -41,7 +43,7 @@ const useRefreshToken = () => {
                 /**
                  * update the session
                  */
-                await refreshSession();
+                await refreshSession(data.session);
             }
             /**
              * Process the failed requests
@@ -65,14 +67,14 @@ const useRefreshToken = () => {
     // TODO: Apply this inside useAxiosPrivate.tsx to prevent even the 401 errors from happening
     // Let's use semaphores to prevent multiple refreshes at the same time
     return async () => {
-        if (isRefreshing) {
+        if (isRefreshingRef.current) {
             // If a refresh request is being sent, we return a promise
             // that will be resolved when the refresh request is done
             return new Promise((resolve, reject) => {
-                failedQueue.push({ resolve, reject });
+                failedQueueRef.current.push({ resolve, reject });
             });
         }
-        isRefreshing = true; // A refresh request is being sent
+        isRefreshingRef.current = true; // A refresh request is being sent
         return await refresh(); // Send the refresh request and return the new access token
     };
 };

package/dist/auth/lib/actions.d.ts

@@ -5,10 +5,12 @@ export declare const authRefresh: (refreshToken?: {
     status: number;
     code: string;
     state: string;
+    session?: undefined;
     user?: undefined;
 } | {
     status: number;
     state: string;
+    session: Session;
     user: {
         id: string;
         username: string;
@@ -21,6 +23,14 @@ export declare const login: ({ username, password }: {
     username: string;
     password: string;
 }) => Promise<{
+    status: number;
+    session: {
+        user: {
+            id: string;
+            name: string;
+            locale: string | null;
+        };
+    };
     user: {
         id: string;
         username: string;

package/dist/auth/lib/actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../../src/auth/lib/actions.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAE1C,eAAO,MAAM,WAAW,GAAU,eAAe;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE;;;;;;;;;;;;;;;EA4GjE,CAAA;AAED,eAAO,MAAM,KAAK,GAAU,wBAAwB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE;;;;;;;;EA+FzF,CAAA;AAED,eAAO,MAAM,aAAa,GAAU,UAAU,OAAO,GAAG,IAAI,qBA0B3D,CAAA"}
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../../src/auth/lib/actions.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAE1C,eAAO,MAAM,WAAW,GAAU,eAAe;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE;;;;;;;;;;;;;;;;;EA4HjE,CAAA;AAED,eAAO,MAAM,KAAK,GAAU,wBAAwB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE;;;;;;;;;;;;;;;;EA+GzF,CAAA;AAED,eAAO,MAAM,aAAa,GAAU,UAAU,OAAO,GAAG,IAAI,qBA0B3D,CAAA"}

package/dist/auth/lib/actions.js

@@ -29,7 +29,7 @@ export const authRefresh = async (refreshToken) => {
             .where(and(eq(AccessTokensTable.adminId, decoded.id), eq(AccessTokensTable.refreshToken, refreshToken.value)))
             .limit(1);
         const adminTokenResult = result[0];
-        if (!adminTokenResult) {
+        if (!adminTokenResult || !adminTokenResult.adminId || !adminTokenResult.username) {
             return {
                 status: 401,
                 code: 'invalid_refresh_token',
@@ -39,17 +39,24 @@ export const authRefresh = async (refreshToken) => {
         // Let's create a JWT access token and refresh token
         const accessToken = encodeJWT({
             id: decoded.id,
-            iss: 'Lazemni CMS',
+            iss: 'nextjs-cms',
             aud: 'admin',
             sub: adminTokenResult.username,
             locale: adminTokenResult.locale || 'en',
         });
         const newRefreshToken = encodeRefreshToken({
             id: adminTokenResult.adminId,
-            iss: 'Lazemni CMS',
+            iss: 'nextjs-cms',
             aud: 'admin',
             sub: adminTokenResult.username,
         });
+        if (!accessToken || !newRefreshToken) {
+            return {
+                status: 401,
+                code: 'failed_to_create_tokens',
+                state: 'logged_out',
+            };
+        }
         // Let's update the refresh token in the database
         await db
             .update(AccessTokensTable)
@@ -78,10 +85,17 @@ export const authRefresh = async (refreshToken) => {
             sameSite: true,
             maxAge: 60 * 60 * 2, // 2 hours
         });
+        const session = {
+            user: {
+                id: adminTokenResult.adminId,
+                name: adminTokenResult.username,
+                locale: adminTokenResult.locale ?? null,
+            },
+        };
         return {
             status: 200,
-            // accessToken: accessToken,
             state: 'logged_in',
+            session,
             user: {
                 id: adminTokenResult.adminId,
                 username: adminTokenResult.username,
@@ -114,7 +128,7 @@ export const login = async ({ username, password }) => {
         .where(eq(AdminsTable.user, username))
         .limit(1);
     const admin = result[0];
-    if (!admin) {
+    if (!admin || !admin.password || !admin.id || !admin.username) {
         throw new Error('Invalid credentials');
     }
     // Verify password with bcrypt
@@ -125,33 +139,41 @@ export const login = async ({ username, password }) => {
     // Let's create a JWT access token and refresh token
     const accessToken = encodeJWT({
         id: admin.id,
-        iss: 'Lazemni CMS',
+        iss: 'nextjs-cms',
         aud: 'admin',
         sub: admin.username,
         locale: admin.locale || 'en',
     });
     const refreshToken = encodeRefreshToken({
         id: admin.id,
-        iss: 'Lazemni CMS',
+        iss: 'nextjs-cms',
         aud: 'admin',
         sub: admin.username,
     });
-    // Let's save the refresh token in the database
-    await db
-        .insert(AccessTokensTable)
-        .values({
-        accessToken,
-        refreshToken,
-        adminId: admin.id,
-        expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
-    })
-        .onDuplicateKeyUpdate({
-        set: {
+    if (!accessToken || !refreshToken) {
+        throw new Error('Failed to create access and refresh tokens');
+    }
+    try {
+        // Let's save the refresh token in the database
+        await db
+            .insert(AccessTokensTable)
+            .values({
             accessToken,
             refreshToken,
+            adminId: admin.id,
             expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
-        },
-    });
+        })
+            .onDuplicateKeyUpdate({
+            set: {
+                accessToken,
+                refreshToken,
+                expiration: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
+            },
+        });
+    }
+    catch (error) {
+        throw new Error('Failed to save access and refresh tokens to database');
+    }
     const cookieStore = await cookies();
     // Let's send the refresh token as a cookie
     cookieStore.set({
@@ -173,6 +195,14 @@ export const login = async ({ username, password }) => {
     });
     // Now, return the access token in body
     return {
+        status: 200,
+        session: {
+            user: {
+                id: admin.id,
+                name: admin.username,
+                locale: admin.locale,
+            },
+        },
         user: {
             id: admin.id,
             username: admin.username,

package/dist/auth/react.d.ts

@@ -45,6 +45,12 @@ export interface AuthClientConfig {
      * trigger session updates from places like `signIn` or `signOut`
      */
     _getSession: (...args: any[]) => any;
+    /**
+     * Directly set the session in the current tab/window,
+     * after being fetched from the server during a refresh request.
+     * This is to avoid the need to fetch the session from the server again.
+     */
+    _setSession: (session: Session | null) => void;
 }
 export declare const __AUTH: AuthClientConfig;
 export declare function logout(options?: {
@@ -54,7 +60,7 @@ export declare function login({ username, password }: {
     username: string;
     password: string;
 }): Promise<void>;
-export declare function refreshSession(): Promise<void>;
+export declare function refreshSession(session: Session): Promise<void>;
 /**
  * Returns the current CSRF token.
  * required to make requests that changes state.

package/dist/auth/react.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"react.d.ts","sourceRoot":"","sources":["../../src/auth/react.tsx"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAE9B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEzC,OAAO,eAAe,MAAM,4BAA4B,CAAA;AACxD,OAAO,eAAe,MAAM,4BAA4B,CAAA;AAGxD,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;AACnE,MAAM,WAAW,oBAAoB;IACjC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAA;IACzB,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAAA;IACxB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAA;CAC7B;AAED,MAAM,WAAW,iBAAiB,CAAC,CAAC,SAAS,OAAO;IAChD,QAAQ,EAAE,CAAC,CAAA;IACX,2BAA2B;IAC3B,iBAAiB,CAAC,EAAE,MAAM,IAAI,CAAA;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC7B,KAAK,CAAC,EAAE,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA;IAC/C,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,SAAS,CAAC,EAAE,OAAO,CAAA;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC7B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACrC,wDAAwD;IACxD,SAAS,EAAE,MAAM,CAAA;IACjB;;;OAGG;IACH,WAAW,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAA;CACvC;AAED,eAAO,MAAM,MAAM,EAAE,gBAIpB,CAAA;AAED,wBAAsB,MAAM,CAAC,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAE,iBA2BjE;AAED,wBAAsB,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,iBAyBzF;AAED,wBAAsB,cAAc,kBAWnC;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,oBAGjC;AAwBD,wBAAsB,UAAU,CAAC,MAAM,CAAC,EAAE,gBAAgB,2BAWzD;AAED,MAAM,MAAM,mBAAmB,CAAC,CAAC,SAAS,OAAO,GAAG,KAAK,IAAI,CAAC,SAAS,IAAI,GAE/D;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,GACjE;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,SAAS,CAAA;CAAE,GAExD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,GACjE;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,IAAI,EAAE,IAAI,CAAA;IACV,MAAM,EAAE,iBAAiB,GAAG,SAAS,CAAA;CACxC,CAAA;AAEb,eAAO,MAAM,cAAc;YAPL,aAAa;UAAQ,OAAO;YAAU,eAAe;;YAEnD,aAAa;UACf,IAAI;YACF,iBAAiB,GAAG,SAAS;cAG0C,CAAA;AAE/F,wBAAgB,UAAU,CAAC,CAAC,SAAS,OAAO,EAAE,OAAO,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAAG,mBAAmB,CAAC,CAAC,CAAC,CA6BpG;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,oBAAoB,qBAiN1D;AAED,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAA;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAA"}
+{"version":3,"file":"react.d.ts","sourceRoot":"","sources":["../../src/auth/react.tsx"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAE9B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEzC,OAAO,eAAe,MAAM,4BAA4B,CAAA;AACxD,OAAO,eAAe,MAAM,4BAA4B,CAAA;AAExD,MAAM,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;AACnE,MAAM,WAAW,oBAAoB;IACjC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAA;IACzB,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAAA;IACxB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,KAAK,CAAA;CAC7B;AAED,MAAM,WAAW,iBAAiB,CAAC,CAAC,SAAS,OAAO;IAChD,QAAQ,EAAE,CAAC,CAAA;IACX,2BAA2B;IAC3B,iBAAiB,CAAC,EAAE,MAAM,IAAI,CAAA;CACjC;AAED,MAAM,WAAW,gBAAgB;IAC7B,KAAK,CAAC,EAAE,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA;IAC/C,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,SAAS,CAAC,EAAE,OAAO,CAAA;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC7B,QAAQ,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,CAAA;IACrC,wDAAwD;IACxD,SAAS,EAAE,MAAM,CAAA;IACjB;;;OAGG;IACH,WAAW,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAA;IAEpC;;;;OAIG;IACH,WAAW,EAAE,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,KAAK,IAAI,CAAA;CACjD;AAED,eAAO,MAAM,MAAM,EAAE,gBAKpB,CAAA;AAED,wBAAsB,MAAM,CAAC,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAE,iBA2BjE;AAED,wBAAsB,KAAK,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,iBA0BzF;AAED,wBAAsB,cAAc,CAAC,OAAO,EAAE,OAAO,iBAWpD;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,oBAGjC;AAwBD,wBAAsB,UAAU,CAAC,MAAM,CAAC,EAAE,gBAAgB,2BAWzD;AAED,MAAM,MAAM,mBAAmB,CAAC,CAAC,SAAS,OAAO,GAAG,KAAK,IAAI,CAAC,SAAS,IAAI,GAE/D;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,GACjE;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,SAAS,CAAA;CAAE,GAExD;IAAE,MAAM,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,GACjE;IACI,MAAM,EAAE,aAAa,CAAA;IACrB,IAAI,EAAE,IAAI,CAAA;IACV,MAAM,EAAE,iBAAiB,GAAG,SAAS,CAAA;CACxC,CAAA;AAEb,eAAO,MAAM,cAAc;YAPL,aAAa;UAAQ,OAAO;YAAU,eAAe;;YAEnD,aAAa;UACf,IAAI;YACF,iBAAiB,GAAG,SAAS;cAG0C,CAAA;AAE/F,wBAAgB,UAAU,CAAC,CAAC,SAAS,OAAO,EAAE,OAAO,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAAG,mBAAmB,CAAC,CAAC,CAAC,CA6BpG;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,oBAAoB,qBAuO1D;AAED,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,CAAA;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAA"}

package/dist/auth/react.js

@@ -11,6 +11,7 @@ export const __AUTH = {
     _lastSync: 0,
     _session: undefined,
     _getSession: () => { },
+    _setSession: () => { },
 };
 export async function logout(options) {
     const { deleteCookies = true } = options ?? {};
@@ -51,26 +52,27 @@ export async function login({ username, password }) {
         const error = await response.json();
         throw new Error(error.error);
     }
+    const data = await response.json();
     /**
      * Broadcast a message to all other tabs/windows to tell them the user has logged in.
      * This is to ensure all tabs/windows trigger a session update.
      */
-    broadcast().postMessage({ event: 'session', data: { trigger: 'login' } });
+    broadcast().postMessage({ event: 'session', data: { trigger: 'refetch' } });
     /**
      * Update the session in the current tab/window.
      */
-    await __AUTH._getSession({ event: 'storage' });
+    __AUTH._setSession(data.session);
 }
-export async function refreshSession() {
+export async function refreshSession(session) {
     /**
      * Broadcast a message to all other tabs/windows to tell them the session has been updated.
      * This is to ensure all tabs/windows trigger a session update.
      */
-    broadcast().postMessage({ event: 'session', data: { trigger: 'refresh' } });
+    broadcast().postMessage({ event: 'session', data: { trigger: 'refetch' } });
     /**
      * Update the session in the current tab/window.
      */
-    await __AUTH._getSession({ event: 'storage' });
+    __AUTH._setSession(session);
 }
 /**
  * Returns the current CSRF token.
@@ -90,8 +92,8 @@ function broadcast() {
     if (typeof BroadcastChannel === 'undefined') {
         return {
             postMessage: () => { },
-            addEventListener: () => { },
-            removeEventListener: () => { },
+            addEventListener: (_type, _listener) => { },
+            removeEventListener: (_type, _listener) => { },
         };
     }
     if (broadcastChannel === null) {
@@ -176,6 +178,11 @@ export function SessionProvider(props) {
     /** If session was passed, initialize as not loading */
     const [loading, setLoading] = React.useState(!hasInitialSession);
     React.useEffect(() => {
+        __AUTH._setSession = (session) => {
+            __AUTH._lastSync = now();
+            __AUTH._session = session;
+            setSession(session);
+        };
         async function generateInitialSession() {
             /**
              * Use the `axiosPrivate` instance to make a request to `/api/auth/session` to get the
@@ -194,7 +201,7 @@ export function SessionProvider(props) {
         async function init() {
             /**
              * Make sure the session is created at the start of the app.
-             * Is session is not set, this means this is the first time
+             * If session is not set, this means this is the first time
              * the app is being loaded.
              */
             if (__AUTH._session === undefined) {
@@ -209,18 +216,15 @@ export function SessionProvider(props) {
          */
         init()
             .then(async (session) => {
-            if (session) {
+            /**
+             * Only update if we fetched a new session (i.e., no initial session was provided).
+             * When hasInitialSession is true, __AUTH._session and state are already set,
+             * so we skip the redundant update.
+             */
+            if (!hasInitialSession && session) {
                 __AUTH._session = session;
                 setSession(session);
             }
-            else {
-                /**
-                 * It's not necessary to log out the user and broadcast the logout event,
-                 * because there are no cookies set to delete.
-                 * But it's a good practice to do so.
-                 */
-                // await logout()
-            }
         })
             .then(() => {
             __AUTH._getSession = async ({ event } = {}) => {
@@ -235,11 +239,11 @@ export function SessionProvider(props) {
                         return;
                     }
                     /**
-                     * If the event is a storage event, we should update the session and not broadcast the event.
-                     * Storage events can also be triggered when a broadcast message is sent from another
+                     * If the event is a refetch event, we should update the session and not broadcast the event.
+                     * Refetch events can be triggered when a broadcast message is sent from another
                      * tab/window. (see below)
                      */
-                    if (event === 'storage') {
+                    if (event === 'refetch') {
                         __AUTH._lastSync = now();
                         __AUTH._session = await getSession({
                             broadcast: false,
@@ -254,7 +258,7 @@ export function SessionProvider(props) {
                     !event ||
                         // If the client doesn't have a session then we don't need to call
                         // the server to check if it does (if they have signed in via another
-                        // tab or window that will come through as a "storage" event anyway)
+                        // tab or window that will come through as a "refetch" event anyway)
                         __AUTH._session === null ||
                         // Bail out early if the client session is not stale yet
                         now() < __AUTH._lastSync) {
@@ -281,21 +285,39 @@ export function SessionProvider(props) {
             __AUTH._lastSync = 0;
             __AUTH._session = undefined;
             __AUTH._getSession = () => { };
+            __AUTH._setSession = () => { };
         };
     }, []);
     React.useEffect(() => {
-        const handle = () => __AUTH._getSession({ event: 'storage' });
-        // Listen for storage events and update session if event fired from
-        // another window (but suppress firing another event to avoid a loop)
-        // Fetch new session data but tell it not to fire another event to
-        // avoid an infinite loop.
+        const handleBroadcastMessage = (event) => {
+            try {
+                const message = event.data;
+                // Only handle session-related broadcast messages
+                if (message.event !== 'session')
+                    return;
+                // Handle logout events by updating the session directly
+                if (message.data?.trigger === 'logout') {
+                    __AUTH._getSession({ event: 'logout' });
+                }
+                // Handle refetch events by updating the session directly
+                if (message.data?.trigger === 'refetch') {
+                    __AUTH._getSession({ event: 'refetch' });
+                }
+            }
+            catch (error) {
+                // Ignore invalid JSON or malformed messages
+                console.warn('Failed to parse broadcast message:', error);
+            }
+        };
+        // Listen for broadcast events fired from another tab/window
+        // refetch/logout the current session data depending on the event
         // Note: We could pass session data through and do something like
         // `setData(message.data)` but that can cause problems depending
         // on how the session object is being used in the client; it is
         // more robust to have each window/tab fetch it's own copy of the
         // session object rather than share it across instances.
-        broadcast().addEventListener('message', handle);
-        return () => broadcast().removeEventListener('message', handle);
+        broadcast().addEventListener('message', handleBroadcastMessage);
+        return () => broadcast().removeEventListener('message', handleBroadcastMessage);
     }, []);
     React.useEffect(() => {
         const { refetchOnWindowFocus = true } = props;
@@ -335,7 +357,7 @@ export function SessionProvider(props) {
                 setSession(newSession);
                 broadcast().postMessage({
                     event: 'session',
-                    data: { trigger: 'getSession' },
+                    data: { trigger: 'refetch' },
                 });
             }
             return newSession;

package/dist/auth/trpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trpc.d.ts","sourceRoot":"","sources":["../../src/auth/trpc.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAA;AAM5C;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAAO,QAAQ,CAAC,aAAa,CAAC,GAAG,CA4E7D,CAAA"}
+{"version":3,"file":"trpc.d.ts","sourceRoot":"","sources":["../../src/auth/trpc.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAA;AAM5C;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAAO,QAAQ,CAAC,aAAa,CAAC,GAAG,CA6E7D,CAAA"}

package/dist/auth/trpc.js

@@ -25,6 +25,7 @@ export const refreshTokenLink = () => {
                                     refreshPromise = (async () => {
                                         try {
                                             const response = await fetch('/api/auth/refresh');
+                                            const data = await response.json();
                                             if (response.status !== 200) {
                                                 await logout({
                                                     /**
@@ -34,7 +35,7 @@ export const refreshTokenLink = () => {
                                                 });
                                                 return;
                                             }
-                                            await refreshSession();
+                                            await refreshSession(data.session);
                                         }
                                         catch (e) {
                                             await logout({

package/dist/core/config/config-loader.d.ts

@@ -97,6 +97,6 @@ export interface ComputedCMSConfig {
  * @returns A readonly computed CMS configuration with all required fields
  * @throws Error if the config file exists but is invalid
  */
-export declare function getCMSConfig(): Readonly<ComputedCMSConfig>;
+export declare function getCMSConfig(): Promise<Readonly<ComputedCMSConfig>>;
 export {};
 //# sourceMappingURL=config-loader.d.ts.map

package/dist/core/config/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../../src/core/config/config-loader.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAA;AAIxB,QAAA,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA+InB,CAAA;AAGF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AAGvD,MAAM,WAAW,iBAAiB;IAC9B,EAAE,EAAE;QACA,KAAK,EAAE,MAAM,CAAA;QACb,YAAY,EAAE,MAAM,CAAA;QACpB,IAAI,EAAE,MAAM,CAAA;KACf,CAAA;IACD,KAAK,EAAE,OAAO,CAAA;IACd,QAAQ,EAAE;QACN,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,OAAO,CAAA;QACf,QAAQ,EAAE;YACN,oBAAoB,EAAE,OAAO,CAAA;SAChC,CAAA;KACJ,CAAA;IACD,KAAK,EAAE;QACH,MAAM,EAAE;YACJ,IAAI,EAAE,MAAM,CAAA;YACZ,iBAAiB,EAAE,OAAO,CAAA;SAC7B,CAAA;QACD,MAAM,EAAE;YACJ,SAAS,EAAE;gBACP,KAAK,EAAE,MAAM,CAAA;gBACb,MAAM,EAAE,MAAM,CAAA;gBACd,IAAI,EAAE,OAAO,CAAA;gBACb,OAAO,EAAE,MAAM,CAAA;aAClB,CAAA;YACD,SAAS,EAAE,OAAO,CAAA;SACrB,CAAA;KACJ,CAAA;IACD,gBAAgB,EAAE;QACd,OAAO,EAAE;YACL,OAAO,EAAE,OAAO,CAAA;YAChB,MAAM,EAAE,MAAM,CAAA;YACd,QAAQ,EAAE,MAAM,CAAA;YAChB,MAAM,EAAE;gBACJ,MAAM,EAAE,WAAW,GAAG,WAAW,GAAG,YAAY,CAAA;gBAChD,OAAO,EAAE,WAAW,GAAG,WAAW,GAAG,YAAY,CAAA;aACpD,CAAA;SACJ,CAAA;KACJ,CAAA;CACJ;AAmID;;;;;;GAMG;AACH,wBAAgB,YAAY,IAAI,QAAQ,CAAC,iBAAiB,CAAC,CAW1D"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../../src/core/config/config-loader.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAA;AAIxB,QAAA,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA+InB,CAAA;AAGF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AAGvD,MAAM,WAAW,iBAAiB;IAC9B,EAAE,EAAE;QACA,KAAK,EAAE,MAAM,CAAA;QACb,YAAY,EAAE,MAAM,CAAA;QACpB,IAAI,EAAE,MAAM,CAAA;KACf,CAAA;IACD,KAAK,EAAE,OAAO,CAAA;IACd,QAAQ,EAAE;QACN,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,OAAO,CAAA;QACf,QAAQ,EAAE;YACN,oBAAoB,EAAE,OAAO,CAAA;SAChC,CAAA;KACJ,CAAA;IACD,KAAK,EAAE;QACH,MAAM,EAAE;YACJ,IAAI,EAAE,MAAM,CAAA;YACZ,iBAAiB,EAAE,OAAO,CAAA;SAC7B,CAAA;QACD,MAAM,EAAE;YACJ,SAAS,EAAE;gBACP,KAAK,EAAE,MAAM,CAAA;gBACb,MAAM,EAAE,MAAM,CAAA;gBACd,IAAI,EAAE,OAAO,CAAA;gBACb,OAAO,EAAE,MAAM,CAAA;aAClB,CAAA;YACD,SAAS,EAAE,OAAO,CAAA;SACrB,CAAA;KACJ,CAAA;IACD,gBAAgB,EAAE;QACd,OAAO,EAAE;YACL,OAAO,EAAE,OAAO,CAAA;YAChB,MAAM,EAAE,MAAM,CAAA;YACd,QAAQ,EAAE,MAAM,CAAA;YAChB,MAAM,EAAE;gBACJ,MAAM,EAAE,WAAW,GAAG,WAAW,GAAG,YAAY,CAAA;gBAChD,OAAO,EAAE,WAAW,GAAG,WAAW,GAAG,YAAY,CAAA;aACpD,CAAA;SACJ,CAAA;KACJ,CAAA;CACJ;AAoID;;;;;;GAMG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAazE"}

package/dist/core/config/config-loader.js

@@ -4,7 +4,7 @@ if (typeof window !== 'undefined') {
 // import 'server-only'
 // import chalk from 'chalk'
 import * as z from 'zod';
-import { loadConfigModule } from './loader.js';
+import { loadConfigModule, getConfigImportVersion } from './loader.js';
 // 1. Define config schema
 const cmsConfigSchema = z.object({
     /**
@@ -237,6 +237,7 @@ const defaultConfig = {
     return `${chalk.bgRed.bold(' Error ')} ${error} ${greyMsg ? chalk.grey(greyMsg) : ''}`.trim()
 }*/
 let cachedConfig;
+let cachedConfigVersion = -1;
 /**
  * Loads and parses the user configuration module.
  * This is called lazily when getCMSConfig() is first invoked.
@@ -244,9 +245,9 @@ let cachedConfig;
  * @returns The parsed user configuration object, or undefined if no config file exists
  * @throws Error if the config file exists but cannot be loaded or parsed
  */
-function loadUserConfig() {
+async function loadUserConfig() {
     try {
-        const mod = loadConfigModule();
+        const mod = (await loadConfigModule());
         const config = mod ? (mod.config ?? mod) : undefined;
         if (!config) {
             return undefined;
@@ -270,13 +271,15 @@ function loadUserConfig() {
  * @returns A readonly computed CMS configuration with all required fields
  * @throws Error if the config file exists but is invalid
  */
-export function getCMSConfig() {
-    if (cachedConfig === undefined) {
+export async function getCMSConfig() {
+    const currentVersion = getConfigImportVersion();
+    if (cachedConfig === undefined || cachedConfigVersion !== currentVersion) {
         // Load user config lazily (only when this function is first called)
-        const userConfig = loadUserConfig();
+        const userConfig = await loadUserConfig();
         // Merge user config with defaults
         const mergedConfig = mergeConfig(defaultConfig, userConfig ?? {});
         cachedConfig = mergedConfig;
+        cachedConfigVersion = currentVersion;
     }
     return cachedConfig;
 }

package/dist/core/config/index.d.ts

@@ -1,3 +1,4 @@
 export { getCMSConfig } from './config-loader.js';
+export { getConfigImportVersion } from './loader.js';
 export type { CMSConfig, ComputedCMSConfig } from './config-loader.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/core/config/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAA;AACpD,YAAY,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/core/config/index.js

@@ -1 +1,2 @@
 export { getCMSConfig } from './config-loader.js';
+export { getConfigImportVersion } from './loader.js';

package/dist/core/config/loader-with-esbuild.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Turbopack-safe loader:
+ * - In Next 16 Turbopack SSR, dynamic require(found) fails ("expression is too dynamic")
+ * - Use runtime import(file://...) and tell turbopack to ignore analyzing it.
+ */
+export declare const loadConfigModule: () => Promise<unknown>;
+//# sourceMappingURL=loader-with-esbuild.d.ts.map

package/dist/core/config/loader-with-esbuild.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader-with-esbuild.d.ts","sourceRoot":"","sources":["../../../src/core/config/loader-with-esbuild.ts"],"names":[],"mappings":"AAgFA;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,QAAa,OAAO,CAAC,OAAO,CA2BxD,CAAA"}

package/dist/core/config/loader-with-esbuild.js

@@ -0,0 +1,98 @@
+// loader.ts (or config-loader.ts)
+// Turbopack-safe config loader for Next.js 16+
+// - Avoids dynamic require(found) which Turbopack rejects ("expression is too dynamic")
+// - Uses runtime import(file://...) with `turbopackIgnore`
+// - Still supports TS configs via esbuild-register
+// - Keeps your Node CJS resolve patch for tests (js specifier -> ts fallback)
+import { existsSync } from 'fs';
+import { resolve, join } from 'path';
+import { createRequire } from 'module';
+import { pathToFileURL } from 'url';
+// Create a require function that works in ES modules
+const safeRequire = createRequire(import.meta.url);
+/**
+ * See SectionFactory.ts: during dev/tests we may runtime-load TS that contains NodeNext-style `./x.js` specifiers
+ * pointing at `./x.ts` in the source tree. Patch CJS resolution to fall back to `.ts` for relative imports.
+ */
+const withPatchedCjsResolveJsToTs = (fn) => {
+    const NodeModule = safeRequire('module');
+    const originalResolve = NodeModule._resolveFilename;
+    NodeModule._resolveFilename = function (request, parent, isMain, options) {
+        try {
+            return originalResolve.call(this, request, parent, isMain, options);
+        }
+        catch (err) {
+            if (typeof request === 'string' && /^(\.{1,2}\/.*)\.js$/.test(request)) {
+                const tsRequest = request.replace(/\.js$/, '.ts');
+                try {
+                    return originalResolve.call(this, tsRequest, parent, isMain, options);
+                }
+                catch {
+                    // fall through to rethrow original error
+                }
+            }
+            throw err;
+        }
+    };
+    try {
+        return fn();
+    }
+    finally {
+        NodeModule._resolveFilename = originalResolve;
+    }
+};
+const registerEsbuildForTs = () => {
+    try {
+        const { register } = safeRequire('esbuild-register/dist/node');
+        return register({ format: 'cjs', loader: 'ts' }).unregister;
+    }
+    catch {
+        throw new Error(`Unable to load TypeScript config. Install 'esbuild-register', or provide cms.config.js/json.`);
+    }
+};
+const findConfigFile = () => {
+    const cwd = process.cwd();
+    const candidates = [
+        'cms.config.js',
+        'cms.config.cjs',
+        'cms.config.mjs',
+        'cms.config.json',
+        'cms.config.ts',
+        'cms.config.cts',
+        'cms.config.mts',
+    ].map((f) => resolve(join(cwd, f)));
+    const found = candidates.find((p) => existsSync(p));
+    if (!found) {
+        throw new Error(`Config file not found. Searched: ${candidates.join(', ')}`);
+    }
+    const isTs = found.endsWith('.ts') || found.endsWith('.cts') || found.endsWith('.mts');
+    return { found, isTs };
+};
+/**
+ * Turbopack-safe loader:
+ * - In Next 16 Turbopack SSR, dynamic require(found) fails ("expression is too dynamic")
+ * - Use runtime import(file://...) and tell turbopack to ignore analyzing it.
+ */
+export const loadConfigModule = async () => {
+    const { found, isTs } = findConfigFile();
+    let unregister;
+    try {
+        if (isTs) {
+            unregister = registerEsbuildForTs();
+        }
+        // For tests (NODE_ENV=test), keep your CJS resolver patch behavior
+        const importConfig = async () => {
+            const url = pathToFileURL(found).href;
+            // IMPORTANT: prevent Turbopack from trying to statically analyze the specifier
+            const mod = await import(/* turbopackIgnore: true */ url);
+            return mod;
+        };
+        const mod = process.env.NODE_ENV === 'test' && isTs
+            ? await withPatchedCjsResolveJsToTs(() => importConfig())
+            : await importConfig();
+        return mod?.default ?? mod;
+    }
+    finally {
+        unregister?.();
+    }
+};