npm - @insureco/cli - Versions diffs - 0.1.11 → 0.1.12 - Mend

@insureco/cli 0.1.11 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/commands/push.d.ts.map +1 -1
package/dist/commands/push.js +39 -65
package/dist/commands/push.js.map +1 -1
package/dist/commands/sample.js +3 -3
package/dist/commands/sample.js.map +1 -1
package/dist/lib/builder.js +12 -9
package/dist/lib/builder.js.map +1 -1
package/dist/templates/nextjs-oauth/.dockerignore +6 -0
package/dist/templates/nextjs-oauth/.env.example +9 -11
package/dist/templates/nextjs-oauth/README.md +72 -85
package/dist/templates/nextjs-oauth/helm/Chart.yaml +6 -0
package/dist/templates/nextjs-oauth/helm/templates/_helpers.tpl +49 -0
package/dist/templates/nextjs-oauth/helm/templates/configmap.yaml +10 -0
package/dist/templates/nextjs-oauth/helm/templates/deployment.yaml +56 -0
package/dist/templates/nextjs-oauth/helm/templates/ingress.yaml +41 -0
package/dist/templates/nextjs-oauth/helm/templates/service.yaml +15 -0
package/dist/templates/nextjs-oauth/helm/values.yaml +69 -0
package/dist/templates/nextjs-oauth/package.json +1 -1
package/dist/templates/nextjs-oauth/src/app/api/auth/callback/route.ts +22 -9
package/dist/templates/nextjs-oauth/src/app/api/auth/logout/route.ts +2 -4
package/dist/templates/nextjs-oauth/src/app/api/auth/session/route.ts +5 -3
package/dist/templates/nextjs-oauth/src/lib/auth.ts +80 -69
package/dist/templates/nextjs-oauth/src/middleware.ts +7 -6
package/dist/types/index.d.ts +9 -5
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/templates/nextjs-oauth/helm/templates/deployment.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "app.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "app.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: {{ include "app.fullname" . }}-config
+            {{- if .Values.secretRef }}
+            - secretRef:
+                name: {{ .Values.secretRef }}
+                optional: true
+            {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

package/dist/templates/nextjs-oauth/helm/templates/ingress.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "app.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

package/dist/templates/nextjs-oauth/helm/templates/service.yaml ADDED Viewed

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app.fullname" . }}
+  labels:
+    {{- include "app.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "app.selectorLabels" . | nindent 4 }}

package/dist/templates/nextjs-oauth/helm/values.yaml ADDED Viewed

@@ -0,0 +1,69 @@
+replicaCount: 1
+image:
+  repository: registry.digitalocean.com/insureco/{{name}}
+  pullPolicy: IfNotPresent
+  tag: "latest"
+imagePullSecrets:
+  - name: insureco
+nameOverride: ""
+fullnameOverride: ""
+service:
+  type: ClusterIP
+  port: 3000
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+  hosts:
+    - host: {{name}}.sandbox.tawa.insureco.io
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+autoscaling:
+  enabled: false
+env:
+  NODE_ENV: production
+  PORT: "3000"
+  HOSTNAME: "0.0.0.0"
+  BIO_ID_URL: "https://bio.tawa.insureco.io"
+# K8s Secret containing OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, JWT_SECRET
+# Create with: kubectl create secret generic {{name}}-secrets --from-env-file=.env -n <namespace>
+secretRef: {{name}}-secrets
+livenessProbe:
+  httpGet:
+    path: /api/health
+    port: http
+  initialDelaySeconds: 15
+  periodSeconds: 10
+  failureThreshold: 3
+readinessProbe:
+  httpGet:
+    path: /api/health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+nodeSelector: {}
+tolerations: []
+affinity: {}

package/dist/templates/nextjs-oauth/package.json CHANGED Viewed

@@ -20,7 +20,7 @@
     "@types/node": "^22.0.0",
     "@types/react": "^18.3.0",
     "@types/react-dom": "^18.3.0",
-    "eslint": "^9.0.0",
+    "eslint": "^8.0.0",
     "eslint-config-next": "^14.2.0",
     "typescript": "^5.7.0"
   },

package/dist/templates/nextjs-oauth/src/app/api/auth/callback/route.ts CHANGED Viewed

@@ -1,8 +1,13 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { cookies } from 'next/headers'
-import { exchangeCodeForTokens, setAuthCookies, sanitizeReturnTo } from '@/lib/auth'
-const APP_URL = process.env.APP_URL || 'http://localhost:3000'
+import {
+  exchangeCodeForTokens,
+  fetchUserInfo,
+  createSessionToken,
+  setSessionCookies,
+  sanitizeReturnTo,
+  getAppUrl,
+} from '@/lib/auth'
 export async function GET(request: NextRequest) {
   const searchParams = request.nextUrl.searchParams
@@ -23,7 +28,7 @@ export async function GET(request: NextRequest) {
   // Handle error from authorization server
   if (error) {
-    const errorUrl = new URL('/', APP_URL)
+    const errorUrl = new URL('/', getAppUrl())
     errorUrl.searchParams.set('error', error)
     if (errorDescription) {
       errorUrl.searchParams.set('error_description', errorDescription)
@@ -33,7 +38,7 @@ export async function GET(request: NextRequest) {
   // Validate state to prevent CSRF
   if (!state || state !== storedState) {
-    const errorUrl = new URL('/', APP_URL)
+    const errorUrl = new URL('/', getAppUrl())
     errorUrl.searchParams.set('error', 'invalid_state')
     errorUrl.searchParams.set('error_description', 'State parameter mismatch')
     return NextResponse.redirect(errorUrl)
@@ -41,19 +46,27 @@ export async function GET(request: NextRequest) {
   // Validate required params
   if (!code || !codeVerifier) {
-    const errorUrl = new URL('/', APP_URL)
+    const errorUrl = new URL('/', getAppUrl())
     errorUrl.searchParams.set('error', 'invalid_request')
     errorUrl.searchParams.set('error_description', 'Missing authorization code')
     return NextResponse.redirect(errorUrl)
   }
   try {
+    // Exchange code for bio-id tokens
     const tokens = await exchangeCodeForTokens(code, codeVerifier)
-    await setAuthCookies(tokens.access_token, tokens.refresh_token, tokens.expires_in)
+    // Fetch user info from bio-id using the access token
+    const user = await fetchUserInfo(tokens.access_token)
+    // Create our own session JWT and store it (not bio-id's access token)
+    const sessionToken = await createSessionToken(user)
+    await setSessionCookies(sessionToken, tokens.refresh_token)
     const safeReturnTo = sanitizeReturnTo(returnTo)
-    return NextResponse.redirect(new URL(safeReturnTo, APP_URL))
+    return NextResponse.redirect(new URL(safeReturnTo, getAppUrl()))
   } catch (err) {
-    const errorUrl = new URL('/', APP_URL)
+    const errorUrl = new URL('/', getAppUrl())
     errorUrl.searchParams.set('error', 'token_exchange_failed')
     errorUrl.searchParams.set(
       'error_description',

package/dist/templates/nextjs-oauth/src/app/api/auth/logout/route.ts CHANGED Viewed

@@ -1,9 +1,7 @@
 import { NextResponse } from 'next/server'
-import { clearAuthCookies } from '@/lib/auth'
-const APP_URL = process.env.APP_URL || 'http://localhost:3000'
+import { clearAuthCookies, getAppUrl } from '@/lib/auth'
 export async function POST() {
   await clearAuthCookies()
-  return NextResponse.redirect(new URL('/', APP_URL), { status: 303 })
+  return NextResponse.redirect(new URL('/', getAppUrl()), { status: 303 })
 }

package/dist/templates/nextjs-oauth/src/app/api/auth/session/route.ts CHANGED Viewed

@@ -3,8 +3,9 @@ import { cookies } from 'next/headers'
 import {
   getCurrentUser,
   refreshAccessToken,
-  setAuthCookies,
   fetchUserInfo,
+  createSessionToken,
+  setSessionCookies,
   COOKIE_PREFIX,
 } from '@/lib/auth'
@@ -18,15 +19,16 @@ export async function GET() {
       return NextResponse.json({ user }, { headers: NO_CACHE_HEADERS })
     }
-    // Access token expired or missing — try refresh
+    // Session expired — try refreshing via bio-id refresh token
     const cookieStore = await cookies()
     const refreshToken = cookieStore.get(`${COOKIE_PREFIX}_refresh_token`)?.value
     if (refreshToken) {
       try {
         const tokens = await refreshAccessToken(refreshToken)
-        await setAuthCookies(tokens.access_token, tokens.refresh_token, tokens.expires_in)
         const refreshedUser = await fetchUserInfo(tokens.access_token)
+        const sessionToken = await createSessionToken(refreshedUser)
+        await setSessionCookies(sessionToken, tokens.refresh_token)
         return NextResponse.json({ user: refreshedUser }, { headers: NO_CACHE_HEADERS })
       } catch {
         // Refresh token also invalid — user must re-login

package/dist/templates/nextjs-oauth/src/lib/auth.ts CHANGED Viewed

@@ -1,13 +1,25 @@
 import { cookies } from 'next/headers'
-import { jwtVerify } from 'jose'
+import { SignJWT, jwtVerify } from 'jose'
 import crypto from 'crypto'
-// Configuration — set these in .env
-const BIO_ID_URL = process.env.BIO_ID_URL || 'http://localhost:6100'
-const APP_URL = process.env.APP_URL || 'http://localhost:3000'
-const CLIENT_ID = process.env.OAUTH_CLIENT_ID || ''
-const CLIENT_SECRET = process.env.OAUTH_CLIENT_SECRET || ''
+// Configuration — read lazily so `next build` doesn't fail when env vars are
+// absent (they are injected at runtime via ConfigMap / Secret in K8s).
+function getBioIdUrl(): string {
+  return process.env.BIO_ID_URL || 'http://localhost:6100'
+}
+function getAppUrl(): string {
+  return process.env.APP_URL || 'http://localhost:3000'
+}
+function getClientId(): string {
+  const id = process.env.OAUTH_CLIENT_ID
+  if (!id) throw new Error('OAUTH_CLIENT_ID is not configured')
+  return id
+}
+function getClientSecret(): string {
+  const secret = process.env.OAUTH_CLIENT_SECRET
+  if (!secret) throw new Error('OAUTH_CLIENT_SECRET is not configured')
+  return secret
+}
 function getJwtSecret(): Uint8Array {
   const secret = process.env.JWT_SECRET
   if (!secret && process.env.NODE_ENV === 'production') {
@@ -16,26 +28,22 @@ function getJwtSecret(): Uint8Array {
   return new TextEncoder().encode(secret || 'dev-only-secret-do-not-use-in-production')
 }
-const JWT_SECRET = getJwtSecret()
-if (process.env.NODE_ENV === 'production' && (!CLIENT_ID || !CLIENT_SECRET)) {
-  throw new Error('OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET are required in production')
-}
 const COOKIE_PREFIX = '{{name}}'
+const SESSION_MAX_AGE = 60 * 60           // 1 hour
 const REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 30 // 30 days
-const OAUTH_FLOW_MAX_AGE = 60 * 10               // 10 minutes
+const OAUTH_FLOW_MAX_AGE = 60 * 10        // 10 minutes
 export interface User {
-  id: string // Maps to bio_id from Bio-id userinfo endpoint
+  id: string
   email: string
   name: string
   roles: string[]
 }
-/**
- * Validate that a returnTo path is safe (relative, no open redirect)
- */
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
 export function sanitizeReturnTo(returnTo: string | undefined, fallback = '/dashboard'): string {
   if (!returnTo || !returnTo.startsWith('/') || returnTo.startsWith('//')) {
     return fallback
@@ -43,34 +51,26 @@ export function sanitizeReturnTo(returnTo: string | undefined, fallback = '/dash
   return returnTo
 }
-/**
- * Generate PKCE code verifier and S256 challenge
- */
 export function generatePKCE(): { codeVerifier: string; codeChallenge: string } {
   const codeVerifier = crypto.randomBytes(32).toString('base64url')
   const codeChallenge = crypto
     .createHash('sha256')
     .update(codeVerifier)
     .digest('base64url')
   return { codeVerifier, codeChallenge }
 }
-/**
- * Build Bio-id authorization URL
- */
 export function getAuthorizationUrl(state: string, codeChallenge: string): string {
   const params = new URLSearchParams({
-    client_id: CLIENT_ID,
-    redirect_uri: `${APP_URL}/api/auth/callback`,
+    client_id: getClientId(),
+    redirect_uri: `${getAppUrl()}/api/auth/callback`,
     response_type: 'code',
     scope: 'openid profile email',
     state,
     code_challenge: codeChallenge,
     code_challenge_method: 'S256',
   })
-  return `${BIO_ID_URL}/oauth/authorize?${params.toString()}`
+  return `${getBioIdUrl()}/oauth/authorize?${params.toString()}`
 }
 async function parseErrorResponse(response: Response, fallbackMessage: string): Promise<string> {
@@ -82,9 +82,10 @@ async function parseErrorResponse(response: Response, fallbackMessage: string):
   }
 }
-/**
- * Exchange authorization code for tokens
- */
+// ---------------------------------------------------------------------------
+// Bio-id API calls
+// ---------------------------------------------------------------------------
 export async function exchangeCodeForTokens(
   code: string,
   codeVerifier: string
@@ -96,15 +97,15 @@ export async function exchangeCodeForTokens(
   scope: string
   id_token?: string
 }> {
-  const response = await fetch(`${BIO_ID_URL}/api/oauth/token`, {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/token`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
     body: new URLSearchParams({
       grant_type: 'authorization_code',
       code,
-      redirect_uri: `${APP_URL}/api/auth/callback`,
-      client_id: CLIENT_ID,
-      client_secret: CLIENT_SECRET,
+      redirect_uri: `${getAppUrl()}/api/auth/callback`,
+      client_id: getClientId(),
+      client_secret: getClientSecret(),
       code_verifier: codeVerifier,
     }).toString(),
   })
@@ -116,9 +117,6 @@ export async function exchangeCodeForTokens(
   return response.json()
 }
-/**
- * Refresh an expired access token
- */
 export async function refreshAccessToken(refreshToken: string): Promise<{
   access_token: string
   token_type: string
@@ -126,14 +124,14 @@ export async function refreshAccessToken(refreshToken: string): Promise<{
   refresh_token: string
   scope: string
 }> {
-  const response = await fetch(`${BIO_ID_URL}/api/oauth/token`, {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/token`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
     body: new URLSearchParams({
       grant_type: 'refresh_token',
       refresh_token: refreshToken,
-      client_id: CLIENT_ID,
-      client_secret: CLIENT_SECRET,
+      client_id: getClientId(),
+      client_secret: getClientSecret(),
     }).toString(),
   })
@@ -144,11 +142,8 @@ export async function refreshAccessToken(refreshToken: string): Promise<{
   return response.json()
 }
-/**
- * Fetch user info from Bio-id userinfo endpoint
- */
 export async function fetchUserInfo(accessToken: string): Promise<User> {
-  const response = await fetch(`${BIO_ID_URL}/api/oauth/userinfo`, {
+  const response = await fetch(`${getBioIdUrl()}/api/oauth/userinfo`, {
     headers: { Authorization: `Bearer ${accessToken}` },
   })
@@ -166,26 +161,44 @@ export async function fetchUserInfo(accessToken: string): Promise<User> {
   }
 }
-/**
- * Set httpOnly auth cookies
- */
-export async function setAuthCookies(
-  accessToken: string,
-  refreshToken: string,
-  expiresIn: number
+// ---------------------------------------------------------------------------
+// Session management
+//
+// After the OAuth callback, we create OUR OWN session JWT signed with
+// JWT_SECRET. This avoids needing to verify bio-id's access token locally
+// (bio-id uses HS256 signed with its own server secret).
+// ---------------------------------------------------------------------------
+export async function createSessionToken(user: User): Promise<string> {
+  return new SignJWT({
+    sub: user.id,
+    email: user.email,
+    name: user.name,
+    roles: user.roles,
+  })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuedAt()
+    .setExpirationTime(`${SESSION_MAX_AGE}s`)
+    .setIssuer(getAppUrl())
+    .sign(getJwtSecret())
+}
+export async function setSessionCookies(
+  sessionToken: string,
+  bioRefreshToken: string
 ): Promise<void> {
   const cookieStore = await cookies()
-  const secure = process.env.NODE_ENV === 'production'
+  const secure = getAppUrl().startsWith('https://')
-  cookieStore.set(`${COOKIE_PREFIX}_access_token`, accessToken, {
+  cookieStore.set(`${COOKIE_PREFIX}_session`, sessionToken, {
     httpOnly: true,
     secure,
     sameSite: 'lax',
-    maxAge: expiresIn,
+    maxAge: SESSION_MAX_AGE,
     path: '/',
   })
-  cookieStore.set(`${COOKIE_PREFIX}_refresh_token`, refreshToken, {
+  cookieStore.set(`${COOKIE_PREFIX}_refresh_token`, bioRefreshToken, {
     httpOnly: true,
     secure,
     sameSite: 'lax',
@@ -194,12 +207,9 @@ export async function setAuthCookies(
   })
 }
-/**
- * Clear all auth cookies
- */
 export async function clearAuthCookies(): Promise<void> {
   const cookieStore = await cookies()
-  cookieStore.delete(`${COOKIE_PREFIX}_access_token`)
+  cookieStore.delete(`${COOKIE_PREFIX}_session`)
   cookieStore.delete(`${COOKIE_PREFIX}_refresh_token`)
   cookieStore.delete('oauth_state')
   cookieStore.delete('oauth_code_verifier')
@@ -207,23 +217,24 @@ export async function clearAuthCookies(): Promise<void> {
 }
 /**
- * Get the current authenticated user from JWT payload (no network call)
+ * Get the current user from the session cookie (no network call).
+ * Verifies OUR session JWT — not bio-id's access token.
  */
 export async function getCurrentUser(): Promise<User | null> {
   const cookieStore = await cookies()
-  const accessToken = cookieStore.get(`${COOKIE_PREFIX}_access_token`)?.value
+  const sessionToken = cookieStore.get(`${COOKIE_PREFIX}_session`)?.value
-  if (!accessToken) {
+  if (!sessionToken) {
     return null
   }
   try {
-    const { payload } = await jwtVerify(accessToken, JWT_SECRET, {
-      issuer: BIO_ID_URL,
+    const { payload } = await jwtVerify(sessionToken, getJwtSecret(), {
+      issuer: getAppUrl(),
     })
     return {
-      id: (payload.bio_id as string) || payload.sub || '',
+      id: payload.sub || '',
       email: payload.email as string,
       name: payload.name as string,
       roles: (payload.roles as string[]) || [],
@@ -238,7 +249,7 @@ export async function getCurrentUser(): Promise<User | null> {
  */
 export async function getLoginUrl(returnTo?: string): Promise<string> {
   const cookieStore = await cookies()
-  const secure = process.env.NODE_ENV === 'production'
+  const secure = getAppUrl().startsWith('https://')
   const state = crypto.randomBytes(16).toString('hex')
   const { codeVerifier, codeChallenge } = generatePKCE()
@@ -271,4 +282,4 @@ export async function getLoginUrl(returnTo?: string): Promise<string> {
   return getAuthorizationUrl(state, codeChallenge)
 }
-export { COOKIE_PREFIX, JWT_SECRET, BIO_ID_URL }
+export { COOKIE_PREFIX, getBioIdUrl, getAppUrl }

package/dist/templates/nextjs-oauth/src/middleware.ts CHANGED Viewed

@@ -36,24 +36,25 @@ export async function middleware(request: NextRequest) {
     return NextResponse.next()
   }
-  const accessToken = request.cookies.get(`${COOKIE_PREFIX}_access_token`)?.value
+  // Check for our session cookie (not bio-id's access token)
+  const sessionToken = request.cookies.get(`${COOKIE_PREFIX}_session`)?.value
-  if (!accessToken) {
+  if (!sessionToken) {
     const loginUrl = new URL('/api/auth/login', request.url)
     loginUrl.searchParams.set('returnTo', pathname)
     return NextResponse.redirect(loginUrl)
   }
-  // Verify JWT is valid and not expired
+  // Verify our own session JWT (signed with JWT_SECRET, issued by APP_URL)
   try {
     const secret = new TextEncoder().encode(
       process.env.JWT_SECRET || 'dev-only-secret-do-not-use-in-production'
     )
-    await jwtVerify(accessToken, secret, {
-      issuer: process.env.BIO_ID_URL || 'http://localhost:6100',
+    await jwtVerify(sessionToken, secret, {
+      issuer: process.env.APP_URL || 'http://localhost:3000',
     })
   } catch {
-    // Token invalid or expired — redirect to login
+    // Session expired or invalid — redirect to login
     const loginUrl = new URL('/api/auth/login', request.url)
     loginUrl.searchParams.set('returnTo', pathname)
     return NextResponse.redirect(loginUrl)

package/dist/types/index.d.ts CHANGED Viewed

@@ -278,17 +278,21 @@ export interface Version {
     updatedAt: string;
 }
 export interface PushRequest {
-    serviceId: string;
     serviceName: string;
     archive: Buffer;
-    checksum: string;
+    environment?: string;
+    branch?: string;
     message?: string;
 }
 export interface PushResponse {
-    versionId: string;
-    archiveId: string;
+    buildId: string;
+    serviceId: string;
+    serviceName: string;
+    version: string;
+    environment: string;
+    tarballId: string;
+    status: string;
     message: string;
-    size: number;
 }
 export interface DeployVersionResponse {
     buildId: string;