UNPKG

@wristband/nextjs-auth

Version:

SDK for integrating your Next.js application with Wristband. Handles user authentication, session management, and token management.

wristband.dev

wristband-dev/nextjs-auth

158 lines (157 loc) 6.82 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
import { NextRequest, NextResponse } from 'next/server'; import { AuthMiddlewareConfig, NormalizedMiddlewareConfig, UnauthenticatedPageHandler } from '../types'; /** * Normalizes middleware configuration by applying default values for optional fields. * * @param config - User-provided middleware configuration with nested strategy configs * @returns Normalized configuration with all strategy configs in nested objects and defaults applied * @throws {TypeError} If configuration validation fails * * @example * ```typescript * const normalized = normalizeMiddlewareConfig({ * authStrategies: ['SESSION'], * sessionConfig: { * sessionOptions: { secrets: 'my-secret', enableCsrfProtection: true }, * }, * protectedPages: ['/dashboard'], * }); * // Returns config with sessionConfig and jwtConfig objects, all defaults applied * ``` */ export declare function normalizeMiddlewareConfig(config: AuthMiddlewareConfig): NormalizedMiddlewareConfig; /** * Resolves the onPageUnauthenticated() handler, using the provided config or creating a default handler * that redirects to the login endpoint with a return_url query parameter. * * @param config - Normalized middleware configuration * @param loginUrl - The full login URL from WristbandAuth config * @returns The resolved onPageUnauthenticated handler function * * @example * ```typescript * // With custom handler * const onPageUnauthenticated = resolveOnPageUnauthenticated(config, loginUrl); * return await onPageUnauthenticated(req); * * // Default behavior (no custom handler provided) * // Redirects to: /api/auth/login?return_url=<current_location> * ``` */ export declare function resolveOnPageUnauthenticated(config: NormalizedMiddlewareConfig, loginUrl: string): UnauthenticatedPageHandler; /** * Creates a route matcher function from an array of URL patterns. * * Supports: * - Exact path matches: `/api/users` * - Named parameters: `/api/users/:id` matches `/api/users/123` * - Wildcards: `/dashboard(.*)` matches `/dashboard`, `/dashboard/settings`, etc. * - Regex patterns: Any valid regex pattern * * @param patterns - Array of route patterns to match against * @returns Matcher function that tests if a pathname matches any pattern * * @example * ```typescript * const matcher = createRouteMatcher([ * '/dashboard(.*)', * '/api/users/:id', * '/settings' * ]); * * matcher('/dashboard/profile'); // true * matcher('/api/users/123'); // true * matcher('/settings'); // true * matcher('/home'); // false * ``` */ export declare function createRouteMatcher(patterns: string[]): (pathname: string) => boolean; /** * Determines if a pathname is a protected API route that requires authentication. * * A route is considered protected if: * 1. SESSION strategy is used and it matches the Session Endpoint (`/api/auth/session` by default) * 2. SESSION strategy is used and it matches the Token Endpoint (`/api/auth/token` by default) * 3. It matches any pattern in `config.protectedApis` * * Note: Session and token endpoints are only protected when using the SESSION authentication strategy. * If using only JWT strategy, these endpoints will not be automatically protected. * * @param pathname - The URL pathname to check * @param config - Normalized middleware configuration * @returns True if the route requires authentication * * @example * ```typescript * // With SESSION strategy and no protectedApis configured * isProtectedApi('/api/users', config); // false (not protected by default) * isProtectedApi('/api/auth/login', config); // false * isProtectedApi('/api/auth/session', config); // true (protected when using SESSION strategy) * isProtectedApi('/api/auth/token', config); // true (protected when using SESSION strategy) * * // With JWT strategy only (no SESSION strategy) * isProtectedApi('/api/auth/session', config); // false (not protected without SESSION strategy) * isProtectedApi('/api/auth/token', config); // false (not protected without SESSION strategy) * * // With protectedApis: ['/api/v1/.*'] * isProtectedApi('/api/v1/users', config); // true * ``` */ export declare function isProtectedApi(pathname: string, config: NormalizedMiddlewareConfig): boolean; /** * Determines if a pathname is a protected page route that requires authentication. * * Checks if the pathname matches any pattern defined in `config.protectedPages`. * Unlike API routes, pages typically redirect unauthenticated users rather than * returning 401 status codes. * * @param pathname - The URL pathname to check * @param config - Normalized middleware configuration * @returns True if the page requires authentication * * @example * ```typescript * // With protectedPages: ['/dashboard(.*)', '/settings'] * isProtectedPage('/dashboard', config); // true * isProtectedPage('/dashboard/profile', config); // true * isProtectedPage('/settings', config); // true * isProtectedPage('/home', config); // false * ``` */ export declare function isProtectedPage(request: NextRequest, config: NormalizedMiddlewareConfig): boolean; /** * Validates the CSRF token for API requests to prevent cross-site request forgery attacks. * * Compares the CSRF token stored in the session against the token provided in the * request header. Both must exist and match exactly for validation to pass. * * This should only be used for API routes, as page navigations don't include CSRF headers. * * @param req - The NextRequest object containing headers * @param csrfToken - The CSRF token stored in the session (from session.csrfToken) * @param csrfHeaderName - The header name to check for the token (default: 'X-CSRF-TOKEN') * @returns True if the CSRF token is valid, false otherwise * * @example * ```typescript * // In middleware for protected API routes * const isValid = isValidCsrf(req, session.csrfToken, 'X-CSRF-TOKEN'); * if (!isValid) { * return new NextResponse(null, { status: 403 }); * } * ``` */ export declare function isValidCsrf(req: NextRequest, csrfToken: string | undefined, csrfHeaderName: string): boolean; /** * Copies all headers from a source Response to a target NextResponse. * This is useful for preserving headers (including Set-Cookie) when creating * new responses in middleware. * * IMPORTANT: Filters out the internal Next.js 'x-middleware-next' header to prevent * routing conflicts when copying headers to error or redirect responses. * * @param source - The source Response to copy headers from * @param target - The target NextResponse to copy headers to * @returns The target NextResponse with headers copied */ export declare function copyResponseHeaders(source: Response, target: NextResponse): NextResponse;