nextjs-hasura-auth 0.1.1 → 0.1.3

package/dist/lib/apollo.js

@@ -12,52 +12,41 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getJwtSecret = void 0;
-exports.createClient = createClient;
+exports.CHECK_CONNECTION_QUERY = exports.CHECK_CONNECTION_SUBSCRIPTION = void 0;
+exports.createApolloClient = createApolloClient;
 exports.getClient = getClient;
-exports.useClient = useClient;
+exports.useCreateApolloClient = useCreateApolloClient;
 exports.checkConnection = checkConnection;
+const jsx_runtime_1 = require("react/jsx-runtime");
 const client_1 = require("@apollo/client");
 const context_1 = require("@apollo/client/link/context");
 const utilities_1 = require("@apollo/client/utilities");
+// Restore GraphQLWsLink imports
 const subscriptions_1 = require("@apollo/client/link/subscriptions");
 const graphql_ws_1 = require("graphql-ws");
 const cross_fetch_1 = __importDefault(require("cross-fetch"));
 const debug_1 = __importDefault(require("./debug"));
 const react_1 = require("react");
+const jwt_1 = require("./jwt");
+// Remove deprecated WebSocketLink import
+// import { WebSocketLink } from '@apollo/client/link/ws'; 
+const error_1 = require("@apollo/client/link/error");
 // Create a debug logger for this module
 const debug = (0, debug_1.default)('apollo');
 // Determine if running on client
 const isClient = typeof window !== 'undefined';
-/**
- * Get JWT secret from environment variables
- * @returns {Uint8Array} Secret key for JWT signing
- */
-const getJwtSecret = () => {
-    try {
-        const jwtSecret = process.env.HASURA_JWT_SECRET || '{"type":"HS256","key":"your-secret-key"}';
-        // Parse JWT configuration (may be in JSON format)
-        let secretKey;
-        try {
-            const jwtConfig = typeof jwtSecret === 'string' ? JSON.parse(jwtSecret) : jwtSecret;
-            secretKey = jwtConfig.key;
-            if (!secretKey) {
-                throw new Error('JWT key not found in configuration');
-            }
-        }
-        catch (e) {
-            // If failed to parse as JSON, use as string
-            secretKey = jwtSecret;
-        }
-        // Convert key to Uint8Array (required for jose)
-        return new TextEncoder().encode(secretKey);
-    }
-    catch (error) {
-        debug('apollo', '❌ Error getting JWT secret:', error);
-        throw error;
+const createRoleLink = () => (0, context_1.setContext)((request, previousContext) => {
+    // Get the role from the operation's context passed in the hook options
+    const role = previousContext === null || previousContext === void 0 ? void 0 : previousContext.role; // Correctly access context via the second argument
+    debug(`roleLink: Role from context: ${role}`);
+    if (role) {
+        return {
+            headers: Object.assign(Object.assign({}, previousContext.headers), { 'X-Hasura-Role': role }),
+        };
     }
-};
-exports.getJwtSecret = getJwtSecret;
+    // If no role is provided in the context, don't add the header
+    return {};
+});
 /**
  * Create Apollo Client
  *
@@ -67,81 +56,113 @@ exports.getJwtSecret = getJwtSecret;
  * @param {string} options.secret - Admin secret for Hasura
  * @returns {ApolloClient} Apollo Client
  */
-function createClient(options = {}) {
+function createApolloClient(options = {}) {
     // Default values
     const { url = process.env.NEXT_PUBLIC_HASURA_GRAPHQL_URL, ws = false, token = undefined, secret = process.env.HASURA_ADMIN_SECRET } = options;
     if (!url) {
         throw new Error('❌ options.url or NEXT_PUBLIC_HASURA_GRAPHQL_URL not defined');
     }
     debug('apollo', '🔌 Creating Apollo client with endpoint:', url);
-    // HTTP connection without authorization
-    const publicHttpLink = new client_1.HttpLink({
+    // --- NEW: Link to set Hasura Role Header ---
+    const roleLink = createRoleLink();
+    // --- END NEW ---
+    // --- Existing Links ---
+    // Create base HttpLink (no auth here initially)
+    const baseHttpLink = new client_1.HttpLink({
         uri: url,
         fetch: cross_fetch_1.default,
     });
-    // Create auth link with JWT token
-    const authLink = token
-        ? (0, context_1.setContext)((_, { headers }) => {
+    // Create link for adding auth (JWT or Admin Secret)
+    const authHeaderLink = (0, context_1.setContext)((_, { headers }) => {
+        // Return the headers to the context so httpLink can read them
+        if (token) {
+            debug('apollo', '🔒 Using JWT token for Authorization header');
             return {
                 headers: Object.assign(Object.assign({}, headers), { Authorization: `Bearer ${token}` })
             };
-        })
-        : client_1.ApolloLink.from([]);
-    // Choose link based on token or secret availability
-    let httpLink;
-    if (token) {
-        // If token provided, use it for authorization
-        httpLink = client_1.ApolloLink.from([authLink, publicHttpLink]);
-    }
-    else if (secret) {
-        // If no token but admin secret exists, use it
-        httpLink = new client_1.HttpLink({
-            uri: url,
-            fetch: cross_fetch_1.default,
-            headers: {
-                'x-hasura-admin-secret': secret || ''
-            }
-        });
-        ;
-    }
-    else {
-        // If neither token nor secret, use public access
-        httpLink = publicHttpLink;
-    }
-    // Create link splitter for queries
-    let splitLink = httpLink;
-    // If WebSocket connection needed and we're in browser
-    if (ws && isClient) {
-        const wsEndpoint = url.replace('http', 'ws').replace('https', 'wss');
-        // Configure connection parameters
-        const connectionParams = {};
-        if (token) {
-            // If token provided, use it for WebSocket authorization
-            connectionParams.headers = {
-                Authorization: `Bearer ${token}`,
-            };
         }
         else if (secret) {
-            // If no token but admin secret exists, use it
-            connectionParams.headers = {
-                'x-hasura-admin-secret': secret,
+            debug('apollo', '🔑 Using Admin Secret for x-hasura-admin-secret header');
+            return {
+                headers: Object.assign(Object.assign({}, headers), { 'x-hasura-admin-secret': secret })
             };
         }
-        // Create WebSocket client
+        debug('apollo', '🔓 Sending request without authentication headers');
+        return { headers };
+    });
+    // Chain the links: roleLink -> authHeaderLink -> baseHttpLink
+    const httpLink = client_1.ApolloLink.from([roleLink, authHeaderLink, baseHttpLink]);
+    // --- End Existing Links Modification ---
+    // --- WebSocket Link Setup (Remains largely the same) ---
+    let link = httpLink; // Start with the combined HTTP link
+    // --- Debugging WS Link Creation ---
+    debug('apollo', `🚀 Checking WS setup: ws=${ws}, isClient=${isClient}`);
+    if (ws && isClient) {
+        debug('apollo', '✅ Entering WS Link creation block.'); // Log entry
+        const wsEndpoint = url.replace('http', 'ws').replace('https://', 'wss');
+        debug('apollo', '🔌 Setting up GraphQLWsLink for:', wsEndpoint);
+        // --- Restore GraphQLWsLink --- 
         const wsLink = new subscriptions_1.GraphQLWsLink((0, graphql_ws_1.createClient)({
             url: wsEndpoint,
-            connectionParams: () => connectionParams
+            connectionParams: () => __awaiter(this, void 0, void 0, function* () {
+                debug('apollo', '⚙️ Evaluating connectionParams function...');
+                const params = {};
+                if (token) {
+                    debug('apollo', '🔒 Using JWT token for WS connectionParams (from function)');
+                    params.headers = { Authorization: `Bearer ${token}` };
+                }
+                else if (secret) {
+                    debug('apollo', '🔑 Using Admin Secret for WS connectionParams (from function)');
+                    params.headers = { 'x-hasura-admin-secret': secret };
+                }
+                else {
+                    debug('apollo', '🔓 WebSocket connection without specific auth params (from function)');
+                }
+                debug('apollo', '⚙️ connectionParams function returning:', params);
+                return params;
+            }),
+            // Note: Dynamically changing headers per subscription via context
+            // is not standard in GraphQLWsLink. The roleLink above won't affect this.
+            // --- Add event handlers for diagnostics ---
+            on: {
+                connected: (socket) => debug('apollo', '🔗 [graphql-ws] WebSocket connected:', socket),
+                ping: (received) => debug('apollo', `➡️ [graphql-ws] Ping ${received ? 'received' : 'sent'}`),
+                pong: (received) => debug('apollo', `⬅️ [graphql-ws] Pong ${received ? 'received' : 'sent'}`),
+                error: (err) => debug('apollo', '❌ [graphql-ws] WebSocket error:', err),
+                closed: (event) => debug('apollo', '🚪 [graphql-ws] WebSocket closed:', event),
+            }
+            // --- End event handlers ---
         }));
-        // Split requests: WebSocket for subscriptions, HTTP for others
-        splitLink = (0, client_1.split)(({ query }) => {
+        /* --- Remove Deprecated WebSocketLink ---
+        const wsLink = new WebSocketLink({
+          uri: wsEndpoint,
+          options: {
+            reconnect: true,
+            connectionParams: connectionParams, // Pass prepared headers here
+            // Note: Timeout options might be needed depending on env
+          }
+        });
+        debug('apollo', '🔗 DEPRECATED WebSocketLink created.');
+        */
+        // Split based on operation type
+        link = (0, client_1.split)(({ query }) => {
             const definition = (0, utilities_1.getMainDefinition)(query);
+            const isSubscription = definition.kind === 'OperationDefinition' &&
+                definition.operation === 'subscription';
+            debug('apollo', `🔗 Split link decision: isSubscription=${isSubscription}`);
             return (definition.kind === 'OperationDefinition' &&
                 definition.operation === 'subscription');
-        }, wsLink, httpLink);
+        }, wsLink, // Use wsLink for subscriptions
+        httpLink // Use httpLink (with roleLink and authHeaderLink) for query/mutation
+        );
+    }
+    else {
+        debug('apollo', '❌ Skipping WS Link creation.', { ws, isClient });
     }
-    // Create Apollo Client
-    return new client_1.ApolloClient({
-        link: splitLink,
+    // --- End WebSocket Setup ---
+    // Create Apollo Client with the final composed link
+    const apolloClient = new client_1.ApolloClient({
+        link: link, // Use the potentially split link
         cache: new client_1.InMemoryCache(),
         defaultOptions: {
             watchQuery: {
@@ -157,6 +178,10 @@ function createClient(options = {}) {
             },
         }
     });
+    apolloClient.Provider = function Provider({ children }) {
+        return (0, jsx_runtime_1.jsx)(client_1.ApolloProvider, { client: apolloClient, children: children });
+    };
+    return apolloClient;
 }
 // Default client instance
 let clientInstance = null;
@@ -167,7 +192,7 @@ let clientInstance = null;
  */
 function getClient(options = {}) {
     if (!clientInstance) {
-        clientInstance = createClient(options);
+        clientInstance = createApolloClient(options);
     }
     return clientInstance;
 }
@@ -175,10 +200,19 @@ function getClient(options = {}) {
  * React hook to get Apollo client instance
  * @returns Apollo client instance
  */
-function useClient(options) {
-    return (0, react_1.useMemo)(() => createClient(options), [options]);
+function useCreateApolloClient(options) {
+    return (0, react_1.useMemo)(() => createApolloClient(options), [options]);
 }
-const CHECK_CONNECTION = (0, client_1.gql) `
+exports.CHECK_CONNECTION_SUBSCRIPTION = (0, client_1.gql) `
+subscription CheckConnection {
+  __schema {
+    queryType {
+      name
+    }
+  }
+}
+`;
+exports.CHECK_CONNECTION_QUERY = (0, client_1.gql) `
 query CheckConnection {
   __schema {
     queryType {
@@ -194,13 +228,16 @@ query CheckConnection {
 function checkConnection() {
     return __awaiter(this, arguments, void 0, function* (client = getClient()) {
         var _a, _b, _c;
-        const result = yield client.query({ query: CHECK_CONNECTION });
+        const result = yield client.query({ query: exports.CHECK_CONNECTION_QUERY });
         return !!((_c = (_b = (_a = result.data) === null || _a === void 0 ? void 0 : _a.__schema) === null || _b === void 0 ? void 0 : _b.queryType) === null || _c === void 0 ? void 0 : _c.name);
     });
 }
+const errorLink = (0, error_1.onError)(({ graphQLErrors, networkError, operation, forward }) => {
+    // Handle errors
+});
 exports.default = {
-    createClient,
+    createApolloClient,
     getClient,
-    getJwtSecret: exports.getJwtSecret,
+    getJwtSecret: jwt_1.getJwtSecret,
     checkConnection
 };

package/dist/lib/auth.d.ts

@@ -0,0 +1,16 @@
+import { NextRequest } from "next/server";
+import { IncomingMessage } from "http";
+import { JWT } from 'next-auth/jwt';
+import WebSocket from "ws";
+export declare function getTokenFromRequest(request: NextRequest): Promise<JWT | null>;
+export declare function WsClientsManager(route?: string): {
+    Client: (client: WebSocket) => string;
+    getToken(request: IncomingMessage, clientId: string): Promise<string | JWT | null>;
+    parseUser(request: IncomingMessage, clientId: string): Promise<any>;
+    delete(clientId: string): void;
+    getClient(clientId: string): {
+        ws: WebSocket;
+        userId?: string;
+        user?: any;
+    } | undefined;
+};

package/dist/lib/auth.js

@@ -0,0 +1,159 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTokenFromRequest = getTokenFromRequest;
+exports.WsClientsManager = WsClientsManager;
+const debug_1 = __importDefault(require("@/lib/debug"));
+const jwt_1 = require("next-auth/jwt");
+const uuid_1 = require("uuid");
+const debug = (0, debug_1.default)('auth');
+function getTokenFromRequest(request) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const secureCookie = request.url.startsWith('https');
+        const cookieName = secureCookie
+            ? '__Secure-next-auth.session-token'
+            : 'next-auth.session-token';
+        debug(`GET /api/auth: Using cookie name: ${cookieName}, secure: ${secureCookie}`);
+        const token = yield (0, jwt_1.getToken)({
+            req: request, // Cast to any to satisfy getToken, NextRequest works
+            secret: process.env.NEXTAUTH_SECRET,
+            cookieName: cookieName,
+        });
+        return token;
+    });
+}
+function WsClientsManager(route = '') {
+    const clientManagerId = route + (0, uuid_1.v4)();
+    debug(`(${clientManagerId}): New WebSocket clients manager established.`);
+    const clients = new Map();
+    return {
+        Client: (client) => {
+            const clientId = (0, uuid_1.v4)();
+            clients.set(clientId, { ws: client });
+            debug(`(${clientManagerId}): New client (${clientId}) connected.`);
+            return clientId;
+        },
+        getToken(request, clientId) {
+            return __awaiter(this, void 0, void 0, function* () {
+                var _a;
+                const cookieHeader = request.headers.cookie;
+                const userAgent = request.headers['user-agent'];
+                const forwardedProto = request.headers['x-forwarded-proto'];
+                const connectionEncrypted = (_a = request.connection) === null || _a === void 0 ? void 0 : _a.encrypted;
+                debug(`${clientManagerId}: (${clientId}): Incoming request details - URL: ${request.url}, Method: ${request.method}, User-Agent: ${userAgent}`);
+                debug(`${clientManagerId}: (${clientId}): Incoming headers:`, request.headers);
+                debug(`${clientManagerId}: (${clientId}): Connection encrypted: ${connectionEncrypted}`);
+                debug(`${clientManagerId}: (${clientId}): X-Forwarded-Proto: ${forwardedProto}`);
+                debug(`${clientManagerId}: (${clientId}): Full cookie header:`, cookieHeader || 'No cookies header');
+                // Determine secure context and cookie name
+                const isSecure = forwardedProto === 'https' || connectionEncrypted;
+                const sessionCookieName = isSecure
+                    ? '__Secure-next-auth.session-token'
+                    : 'next-auth.session-token';
+                debug(`${clientManagerId}: (${clientId}): Determined secure context: ${isSecure}`);
+                debug(`${clientManagerId}: (${clientId}): Expecting session cookie name: ${sessionCookieName}`);
+                let token = null;
+                let payload = null;
+                let userId = null;
+                const rawToken = false; // Keep false
+                try {
+                    debug(`SOCKET /api/auth (${clientId}): Preparing adapted request for getToken (raw: ${rawToken})...`);
+                    const parsedCookies = request.headers.cookie ?
+                        Object.fromEntries(request.headers.cookie.split('; ').map(c => {
+                            const [key, ...val] = c.split('=');
+                            return [key, decodeURIComponent(val.join('='))];
+                        }))
+                        : {};
+                    debug(`SOCKET /api/auth (${clientId}): Parsed cookies object:`, parsedCookies);
+                    const adaptedReq = {
+                        headers: request.headers,
+                        cookies: parsedCookies,
+                        url: request.url || '',
+                        method: request.method || 'GET',
+                    };
+                    debug(`SOCKET /api/auth (${clientId}): Final adapted request object for getToken:`, adaptedReq);
+                    const getTokenParams = {
+                        req: adaptedReq,
+                        secret: process.env.NEXTAUTH_SECRET,
+                        cookieName: sessionCookieName,
+                        raw: rawToken, // Should be false now
+                    };
+                    debug(`${clientManagerId}: (${clientId}): Calling getToken with params:`, {
+                        cookieName: getTokenParams.cookieName,
+                        raw: getTokenParams.raw,
+                        secretProvided: !!getTokenParams.secret,
+                    });
+                    token = yield (0, jwt_1.getToken)(getTokenParams);
+                    debug(`${clientManagerId}: (${clientId}): getToken result received.`);
+                    debug(`${clientManagerId}: (${clientId}): Decoded token value from getToken:`, token);
+                    debug(`${clientManagerId}: (${clientId}): getToken result type: ${typeof token}, isNull: ${token === null}`);
+                    if (token && typeof token === 'object' && token.sub) {
+                        payload = token;
+                        userId = payload.sub;
+                        debug(`${clientManagerId}: (${clientId}): User ${userId} authenticated via decoded token from getToken.`);
+                    }
+                    else {
+                        debug(`${clientManagerId}: (${clientId}): No valid token found or token is not an object with sub property.`);
+                    }
+                    return token;
+                }
+                catch (error) {
+                    debug(`${clientManagerId}: (${clientId}): Error preparing adapted request for getToken:`, error);
+                    throw error;
+                }
+            });
+        },
+        parseUser(request, clientId) {
+            return __awaiter(this, void 0, void 0, function* () {
+                const token = yield this.getToken(request, clientId);
+                if (token && typeof token === 'object' && token.sub) {
+                    const _a = token, { accessToken } = _a, user = __rest(_a, ["accessToken"]);
+                    const client = clients.get(clientId);
+                    if (client) {
+                        client.userId = token.sub;
+                        client.user = user;
+                        clients.set(clientId, client);
+                        debug(`${clientManagerId}: (${clientId}): Client parsed and updated.`);
+                    }
+                    else {
+                        debug(`${clientManagerId}: (${clientId}): No client found in clients map.`);
+                    }
+                    return user;
+                }
+                else {
+                    debug(`${clientManagerId}: (${clientId}): No valid token found or token is not an object with sub property.`);
+                }
+                return null;
+            });
+        },
+        delete(clientId) {
+            clients.delete(clientId);
+            debug(`${clientManagerId}: (${clientId}): Client deleted from clients map.`);
+        },
+        getClient(clientId) {
+            return clients.get(clientId);
+        }
+    };
+}

package/dist/lib/authDbUtils.d.ts

@@ -0,0 +1,48 @@
+import { Client } from 'nextjs-hasura-auth';
+/**
+ * Hashes a password using bcrypt.
+ * @param password The plain text password.
+ * @returns The hashed password.
+ */
+export declare function hashPassword(password: string): Promise<string>;
+/**
+ * Compares a plain text password with a hash.
+ * @param password The plain text password.
+ * @param hash The hash to compare against.
+ * @returns True if the password matches the hash, false otherwise.
+ */
+export declare function comparePassword(password: string, hash: string): Promise<boolean>;
+interface UserProfileFromProvider {
+    name?: string | null;
+    email?: string | null;
+    image?: string | null;
+}
+export interface HasuraUser {
+    id: string;
+    name?: string | null;
+    email?: string | null;
+    email_verified?: string | null;
+    image?: string | null;
+    password?: string | null;
+    created_at: string;
+    updated_at: string;
+    is_admin?: boolean | null;
+    hasura_role?: string | null;
+    accounts?: {
+        provider: string;
+        provider_account_id: string;
+    }[];
+}
+/**
+ * Finds or creates a user and their associated account based on provider information.
+ * This function handles the core logic of linking OAuth/Credentials logins to Hasura users.
+ *
+ * @param client The initialized NHA Client instance.
+ * @param provider The OAuth provider name (e.g., 'google', 'credentials').
+ * @param providerAccountId The user's unique ID from the provider.
+ * @param profile Optional profile information from the provider (name, email, image).
+ * @returns The Hasura user object associated with the account.
+ * @throws Error if user/account processing fails.
+ */
+export declare function getOrCreateUserAndAccount(client: Client, provider: string, providerAccountId: string, profile?: UserProfileFromProvider | null): Promise<HasuraUser>;
+export {};