@pandait.tech/payment-nuvei 0.1.1 → 0.2.1

package/dist/handlers/index.js

@@ -1,9 +1,28 @@
-import { NextResponse } from 'next/server';
 import { FieldValue } from 'firebase-admin/firestore';
 import crypto from 'crypto';
 import { z } from 'zod';
 
-// src/handlers/charge.ts
+// src/http.ts
+function json(data, init) {
+  const headers = new Headers(init?.headers);
+  if (!headers.has("content-type")) {
+    headers.set("content-type", "application/json; charset=utf-8");
+  }
+  return new Response(JSON.stringify(data), { ...init, headers });
+}
+function getCookie(request, name) {
+  const header = request.headers.get("cookie");
+  if (!header) return void 0;
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=");
+    if (eq === -1) continue;
+    const key = part.slice(0, eq).trim();
+    if (key === name) {
+      return decodeURIComponent(part.slice(eq + 1).trim());
+    }
+  }
+  return void 0;
+}
 var NUVEI_DOMAIN = "paymentez.com";
 function getBaseUrl() {
   const env = process.env.NUVEI_ENV === "prod" ? "prod" : "stg";
@@ -206,15 +225,15 @@ function createChargeHandler(deps) {
   const { db, auth } = deps.firebase;
   return async function POST(request) {
     try {
-      const sessionCookie = request.cookies.get("__session")?.value;
+      const sessionCookie = getCookie(request, "__session");
       if (!sessionCookie || !auth) {
-        return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+        return json({ error: "No autorizado" }, { status: 401 });
       }
       let decodedToken;
       try {
         decodedToken = await auth.verifySessionCookie(sessionCookie, true);
       } catch {
-        return NextResponse.json({ error: "Sesion invalida" }, { status: 401 });
+        return json({ error: "Sesion invalida" }, { status: 401 });
       }
       const clientIpForLimit = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || request.headers.get("x-real-ip") || "unknown";
       if (deps.rateLimit) {
@@ -224,7 +243,7 @@ function createChargeHandler(deps) {
           15 * 60 * 1e3
         );
         if (!allowed) {
-          return NextResponse.json(
+          return json(
             { error: "Demasiados intentos. Intent\xE1 de nuevo en unos minutos." },
             { status: 429 }
           );
@@ -234,7 +253,7 @@ function createChargeHandler(deps) {
       if (deps.turnstile) {
         const turnstileToken = body.turnstileToken;
         if (!turnstileToken) {
-          return NextResponse.json(
+          return json(
             { error: "Verificaci\xF3n de seguridad faltante. Recarg\xE1 la p\xE1gina." },
             { status: 403 }
           );
@@ -244,7 +263,7 @@ function createChargeHandler(deps) {
           clientIpForLimit === "unknown" ? void 0 : clientIpForLimit
         );
         if (!turnstileResult.success) {
-          return NextResponse.json(
+          return json(
             { error: "No pudimos verificar que sos humano. Recarg\xE1 la p\xE1gina." },
             { status: 403 }
           );
@@ -270,18 +289,18 @@ function createChargeHandler(deps) {
         userId: userId?.substring(0, 8) + "..."
       });
       if (!token || !orderId || !amount) {
-        return NextResponse.json({ error: "Datos incompletos" }, { status: 400 });
+        return json({ error: "Datos incompletos" }, { status: 400 });
       }
       if (decodedToken.uid !== userId) {
-        return NextResponse.json({ error: "Usuario no coincide" }, { status: 403 });
+        return json({ error: "Usuario no coincide" }, { status: 403 });
       }
       const orderDoc = await db.collection("orders").doc(orderId).get();
       if (!orderDoc.exists) {
-        return NextResponse.json({ error: "Orden no encontrada" }, { status: 404 });
+        return json({ error: "Orden no encontrada" }, { status: 404 });
       }
       const orderData = orderDoc.data() ?? {};
       if (orderData.status !== "pending") {
-        return NextResponse.json(
+        return json(
           { error: "Esta orden ya fue procesada" },
           { status: 409 }
         );
@@ -295,7 +314,7 @@ function createChargeHandler(deps) {
         });
         if (customResult.handled) {
           if (!customResult.valid) {
-            return NextResponse.json(
+            return json(
               { error: customResult.error },
               { status: customResult.status }
             );
@@ -309,7 +328,7 @@ function createChargeHandler(deps) {
         for (const item of orderItems) {
           const productDoc = await db.collection("products").doc(item.productId).get();
           if (!productDoc.exists || !productDoc.data()?.isActive) {
-            return NextResponse.json(
+            return json(
               { error: `El producto "${item.name}" ya no est\xE1 disponible` },
               { status: 409 }
             );
@@ -318,7 +337,7 @@ function createChargeHandler(deps) {
           const isDigital = productData.isDigital === true;
           const stock = productData.stock ?? 0;
           if (!isDigital && stock < item.quantity) {
-            return NextResponse.json(
+            return json(
               {
                 error: `Stock insuficiente para "${item.name}" (disponible: ${stock})`
               },
@@ -331,7 +350,7 @@ function createChargeHandler(deps) {
           });
           const expectedItemSubtotal = display.finalSubtotal;
           if (Math.abs(expectedItemSubtotal - item.price) > 0.02) {
-            return NextResponse.json(
+            return json(
               {
                 error: `El precio de "${item.name}" cambi\xF3. Recarg\xE1 la p\xE1gina para ver el precio actualizado.`
               },
@@ -346,7 +365,7 @@ function createChargeHandler(deps) {
         if (orderPromotionId && orderDiscount > 0) {
           const promoDoc = await db.collection("promotions").doc(orderPromotionId).get();
           if (!promoDoc.exists || !promoDoc.data()?.isActive) {
-            return NextResponse.json(
+            return json(
               { error: "El cupon aplicado ya no es valido. Remuevelo y vuelve a intentar." },
               { status: 409 }
             );
@@ -356,13 +375,13 @@ function createChargeHandler(deps) {
           const validFrom = promo.rules.validFrom.toDate ? promo.rules.validFrom.toDate() : new Date(promo.rules.validFrom);
           const validUntil = promo.rules.validUntil.toDate ? promo.rules.validUntil.toDate() : new Date(promo.rules.validUntil);
           if (now < validFrom || now > validUntil) {
-            return NextResponse.json(
+            return json(
               { error: "El cupon aplicado ha expirado. Remuevelo y vuelve a intentar." },
               { status: 409 }
             );
           }
           if (promo.rules.maxTotalUses && promo.currentUses >= promo.rules.maxTotalUses) {
-            return NextResponse.json(
+            return json(
               { error: "El cupon aplicado ya alcanzo su limite de usos." },
               { status: 409 }
             );
@@ -381,7 +400,7 @@ function createChargeHandler(deps) {
         const verifiedVat = Math.round(verifiedDiscountedSubtotal * 0.15 * 100) / 100;
         const verifiedTotal = Math.round((verifiedDiscountedSubtotal + verifiedVat) * 100) / 100;
         if (verifiedTotal !== amount) {
-          return NextResponse.json(
+          return json(
             {
               error: "El monto no coincide con los precios actuales. Actualiza tu carrito."
             },
@@ -504,7 +523,7 @@ function createChargeHandler(deps) {
             (err) => logger.error("[charge] Failed to delete card after payment:", err)
           );
         }
-        return NextResponse.json({
+        return json({
           success: true,
           transactionId: nuveiData.transaction.id,
           authorizationCode: hasValidAuthCode ? rawAuthCode : null,
@@ -519,7 +538,7 @@ function createChargeHandler(deps) {
           chargeResponseAt: /* @__PURE__ */ new Date(),
           updatedAt: /* @__PURE__ */ new Date()
         });
-        return NextResponse.json({
+        return json({
           review: true,
           orderId,
           transactionId: nuveiData.transaction.id
@@ -536,7 +555,7 @@ function createChargeHandler(deps) {
           ...persistDeleteOnPaid,
           updatedAt: /* @__PURE__ */ new Date()
         });
-        return NextResponse.json({
+        return json({
           challenge: true,
           challengeHtml: hiddenIframeHtml,
           isDeviceFingerprint: true,
@@ -552,7 +571,7 @@ function createChargeHandler(deps) {
           ...persistDeleteOnPaid,
           updatedAt: /* @__PURE__ */ new Date()
         });
-        return NextResponse.json({
+        return json({
           otpRequired: true,
           orderId,
           nuveiTransactionId: nuveiData.transaction.id,
@@ -575,7 +594,7 @@ function createChargeHandler(deps) {
             ...persistDeleteOnPaid,
             updatedAt: /* @__PURE__ */ new Date()
           });
-          return NextResponse.json({
+          return json({
             challenge: true,
             challengeHtml,
             isDeviceFingerprint: false,
@@ -610,7 +629,7 @@ function createChargeHandler(deps) {
           }).catch(() => {
           });
         }
-        return NextResponse.json({ error: threeDSErrorMsg }, { status: 400 });
+        return json({ error: threeDSErrorMsg }, { status: 400 });
       }
       const failedErrorMsg = getNuveiUserMessage(
         nuveiData.transaction?.status_detail,
@@ -638,10 +657,10 @@ function createChargeHandler(deps) {
         }).catch(() => {
         });
       }
-      return NextResponse.json({ error: failedErrorMsg }, { status: 400 });
+      return json({ error: failedErrorMsg }, { status: 400 });
     } catch (error) {
       logger.error("Payment charge error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error interno del servidor" },
         { status: 500 }
       );
@@ -675,7 +694,7 @@ function createWebhookHandler(deps) {
       logger.log("[webhook] Full payload:", JSON.stringify(payload));
       const { transaction } = payload;
       if (!transaction?.id || !transaction?.dev_reference) {
-        return NextResponse.json({ error: "Payload inv\xE1lido" }, { status: 400 });
+        return json({ error: "Payload inv\xE1lido" }, { status: 400 });
       }
       const incomingCres = extractCres(payload);
       if (incomingCres) {
@@ -697,7 +716,7 @@ function createWebhookHandler(deps) {
       const orderDoc = await orderRef.get();
       if (!orderDoc.exists) {
         logger.error(`Webhook: Order ${orderId} not found`);
-        return NextResponse.json({ error: "Orden no encontrada" }, { status: 404 });
+        return json({ error: "Orden no encontrada" }, { status: 404 });
       }
       const orderDataEarly = orderDoc.data() ?? {};
       if (incomingCres && orderDataEarly.status === "3ds-pending" && !orderDataEarly.verifyCalledAt) {
@@ -791,7 +810,7 @@ function createWebhookHandler(deps) {
                 );
               }
             }
-            return NextResponse.json({ received: true, verifiedFromWebhook: true });
+            return json({ received: true, verifiedFromWebhook: true });
           }
         } catch (err) {
           if (err.message !== "ALREADY_CALLED") {
@@ -885,17 +904,55 @@ function createWebhookHandler(deps) {
           );
         }
       }
-      return NextResponse.json({ received: true });
+      return json({ received: true });
     } catch (error) {
       logger.error("Webhook processing error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error procesando webhook" },
         { status: 500 }
       );
     }
   };
 }
+
+// src/handlers/3ds-callback.ts
+function pickCres(src) {
+  for (const key of Object.keys(src)) {
+    const k = key.toLowerCase();
+    if (k === "cres" || k === "cres_value" || k === "cresvalue" || k === "value" || k === "param.value" || k === "paramvalue") {
+      const v = src[key];
+      if (typeof v === "string" && v.length > 0) return v;
+    }
+  }
+  return src.cres || src.CRes || src.CRES || src.value || "";
+}
+function transStatusFromCres(cres, logger) {
+  try {
+    const base64 = cres.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = base64.length % 4;
+    const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
+    const decoded = JSON.parse(
+      Buffer.from(padded, "base64").toString("utf-8")
+    );
+    if (decoded && typeof decoded.transStatus === "string") {
+      return decoded.transStatus;
+    }
+  } catch (e) {
+    logger.warn(
+      "[3ds-callback] Could not decode CRES payload:",
+      e instanceof Error ? e.message : e
+    );
+  }
+  return null;
+}
+function paramsToObject(params) {
+  const obj = {};
+  for (const [k, v] of params.entries()) obj[k] = v;
+  return obj;
+}
 function buildCompletionPage(orderId, transStatus) {
+  const safeOrderId = String(orderId).replace(/[^a-zA-Z0-9_-]/g, "");
+  const safeTransStatus = String(transStatus).replace(/[^a-zA-Z0-9]/g, "");
   const html = `<!DOCTYPE html>
 <html><head><meta charset="utf-8"><title>3DS Verification</title></head>
 <body>
@@ -903,8 +960,8 @@ function buildCompletionPage(orderId, transStatus) {
 (function() {
   var message = {
     type: "3DS_COMPLETE",
-    orderId: "${orderId}",
-    transStatus: "${transStatus}"
+    orderId: "${safeOrderId}",
+    transStatus: "${safeTransStatus}"
   };
   try {
     if (window.parent && window.parent !== window) {
@@ -919,7 +976,7 @@ function buildCompletionPage(orderId, transStatus) {
 Verificando autenticaci&oacute;n...
 </p>
 </body></html>`;
-  return new NextResponse(html, {
+  return new Response(html, {
     status: 200,
     headers: { "Content-Type": "text/html; charset=utf-8" }
   });
@@ -927,46 +984,68 @@ Verificando autenticaci&oacute;n...
 function create3dsCallbackHandler(deps) {
   const logger = deps.logger ?? console;
   const { db } = deps.firebase;
-  async function storeCres(orderId, cres) {
-    if (orderId && cres) {
-      try {
-        await db.collection("orders").doc(orderId).update({
-          threeDSCres: cres,
-          updatedAt: /* @__PURE__ */ new Date()
-        });
-      } catch (err) {
-        logger.error("Failed to store cres on order:", err);
-      }
+  async function persist(orderId, cres, transStatus) {
+    if (!orderId) return;
+    try {
+      const ref = db.collection("orders").doc(orderId);
+      const snap = await ref.get();
+      const status = snap.data()?.status;
+      if (!snap.exists || status !== "3ds-pending") {
+        logger.warn(
+          "[3ds-callback] rejected: order not in 3ds-pending state",
+          { orderId, status }
+        );
+        return;
+      }
+      const update = { updatedAt: /* @__PURE__ */ new Date() };
+      if (cres) update.threeDSCres = cres;
+      if (transStatus) update.threeDSTransStatus = transStatus;
+      await ref.update(update);
+    } catch (err) {
+      logger.error("[3ds-callback] failed to store cres on order:", err);
+    }
+  }
+  function resolveTransStatus(cres, fallback) {
+    if (cres) {
+      const fromCres = transStatusFromCres(cres, logger);
+      if (fromCres) return fromCres;
     }
+    return fallback;
   }
   const POST = async function POST2(request) {
-    const { searchParams } = new URL(request.url);
-    const orderId = searchParams.get("orderId") || "";
+    const orderId = new URL(request.url).searchParams.get("orderId") || "";
     let transStatus = "U";
     let cres = "";
     try {
       const contentType = request.headers.get("content-type") || "";
+      const raw = await request.text();
       if (contentType.includes("application/x-www-form-urlencoded")) {
-        const text = await request.text();
-        const params = new URLSearchParams(text);
-        transStatus = params.get("transStatus") || "U";
-        cres = params.get("cres") || params.get("CRes") || "";
+        const obj = paramsToObject(new URLSearchParams(raw));
+        transStatus = obj.transStatus || obj.TransStatus || "U";
+        cres = pickCres(obj);
       } else {
-        const body = await request.json();
-        transStatus = body.transStatus || "U";
-        cres = body.cres || body.CRes || "";
+        try {
+          const body = JSON.parse(raw);
+          transStatus = body.transStatus || body.TransStatus || "U";
+          cres = pickCres(body);
+        } catch {
+        }
+      }
+      if (!cres && raw) {
+        cres = pickCres(paramsToObject(new URLSearchParams(raw)));
       }
     } catch {
     }
-    await storeCres(orderId, cres);
+    transStatus = resolveTransStatus(cres, transStatus);
+    await persist(orderId, cres, transStatus);
     return buildCompletionPage(orderId, transStatus);
   };
   const GET = async function GET2(request) {
-    const { searchParams } = new URL(request.url);
-    const orderId = searchParams.get("orderId") || "";
-    const transStatus = searchParams.get("transStatus") || "Y";
-    const cres = searchParams.get("cres") || searchParams.get("CRes") || "";
-    await storeCres(orderId, cres);
+    const params = new URL(request.url).searchParams;
+    const orderId = params.get("orderId") || "";
+    const cres = params.get("cres") || params.get("CRes") || params.get("value") || "";
+    const transStatus = resolveTransStatus(cres, params.get("transStatus") || "Y");
+    await persist(orderId, cres, transStatus);
     return buildCompletionPage(orderId, transStatus);
   };
   return { POST, GET };
@@ -983,32 +1062,32 @@ function create3dsCompleteHandler(deps) {
   const { db, auth } = deps.firebase;
   return async function POST(request) {
     try {
-      const sessionCookie = request.cookies.get("__session")?.value;
+      const sessionCookie = getCookie(request, "__session");
       if (!sessionCookie || !auth) {
-        return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+        return json({ error: "No autorizado" }, { status: 401 });
       }
       let decodedToken;
       try {
         decodedToken = await auth.verifySessionCookie(sessionCookie, true);
       } catch {
-        return NextResponse.json({ error: "Sesion invalida" }, { status: 401 });
+        return json({ error: "Sesion invalida" }, { status: 401 });
       }
       const rawBody = await request.json();
       const parsed = ThreeDSCompleteSchema.safeParse(rawBody);
       if (!parsed.success) {
-        return NextResponse.json({ error: "Datos incompletos" }, { status: 400 });
+        return json({ error: "Datos incompletos" }, { status: 400 });
       }
       const { orderId, userId, type, nuveiTransactionId: bodyTxId, otpCode } = parsed.data;
       if (decodedToken.uid !== userId) {
-        return NextResponse.json({ error: "Usuario no coincide" }, { status: 403 });
+        return json({ error: "Usuario no coincide" }, { status: 403 });
       }
       const orderDoc = await db.collection("orders").doc(orderId).get();
       if (!orderDoc.exists) {
-        return NextResponse.json({ error: "Orden no encontrada" }, { status: 404 });
+        return json({ error: "Orden no encontrada" }, { status: 404 });
       }
       const orderData = orderDoc.data() ?? {};
       if (orderData.status === "paid") {
-        return NextResponse.json({
+        return json({
           success: true,
           transactionId: orderData.paymentTransactionId,
           authorizationCode: orderData.authorizationCode || null,
@@ -1019,10 +1098,10 @@ function create3dsCompleteHandler(deps) {
         logger.log(
           `[3ds-complete] verify already called for order ${orderId}, returning current state`
         );
-        return NextResponse.json({ error: "Pago ya procesado" }, { status: 409 });
+        return json({ error: "Pago ya procesado" }, { status: 409 });
       }
       if (orderData.status !== "3ds-pending" && orderData.status !== "otp-pending") {
-        return NextResponse.json(
+        return json(
           { error: "Esta orden ya fue procesada" },
           { status: 409 }
         );
@@ -1049,29 +1128,29 @@ function create3dsCompleteHandler(deps) {
           }).catch(() => {
           });
         }
-        return NextResponse.json({ error: msg }, { status: 400 });
+        return json({ error: msg }, { status: 400 });
       }
       const transactionId = orderData.nuveiTransactionId || bodyTxId;
       if (!transactionId) {
-        return NextResponse.json(
+        return json(
           { error: "No se encontr\xF3 el ID de transacci\xF3n para verificar" },
           { status: 400 }
         );
       }
       if (type === "AUTHENTICATION_CONTINUE" && !orderData.threeDSCres && !orderData.isDeviceFingerprint) {
         logger.log(`[3ds-complete] No CRES yet for order ${orderId} \u2014 still pending`);
-        return NextResponse.json({ stillPending: true });
+        return json({ stillPending: true });
       }
       const actualType = type === "AUTHENTICATION_CONTINUE" && orderData.threeDSCres ? "BY_CRES" : type;
       const cresValue = actualType === "BY_CRES" ? orderData.threeDSCres : void 0;
       if (actualType === "BY_CRES" && !cresValue) {
-        return NextResponse.json(
+        return json(
           { error: "No se encontr\xF3 el valor de autenticaci\xF3n 3DS (cres)" },
           { status: 400 }
         );
       }
       if (type === "BY_OTP" && !otpCode) {
-        return NextResponse.json(
+        return json(
           { error: "Debes ingresar el c\xF3digo OTP" },
           { status: 400 }
         );
@@ -1102,7 +1181,7 @@ function create3dsCompleteHandler(deps) {
         logger.log(
           `[3ds-complete] Still pending: txStatus=${txStatus} detail=${txStatusDetail}. Polling continues.`
         );
-        return NextResponse.json({ stillPending: true });
+        return json({ stillPending: true });
       }
       if (isSuccess) {
         const hasValidAuthCode = typeof txAuthCode === "string" && txAuthCode.trim().length > 0 && txAuthCode !== "null";
@@ -1188,7 +1267,7 @@ function create3dsCompleteHandler(deps) {
             (err) => logger.error("[3ds-complete] Failed to delete card after payment:", err)
           );
         }
-        return NextResponse.json({
+        return json({
           success: true,
           transactionId: txId,
           authorizationCode: hasValidAuthCode ? txAuthCode : null,
@@ -1206,7 +1285,7 @@ function create3dsCompleteHandler(deps) {
             updatedAt: /* @__PURE__ */ new Date(),
             threeDSCres: FieldValue.delete()
           });
-          return NextResponse.json({
+          return json({
             challenge: true,
             challengeHtml,
             isDeviceFingerprint: false,
@@ -1236,48 +1315,50 @@ function create3dsCompleteHandler(deps) {
         }).catch(() => {
         });
       }
-      return NextResponse.json(
+      return json(
         { error: "Pago rechazado tras autenticaci\xF3n 3DS." },
         { status: 400 }
       );
     } catch (error) {
       logger.error("3DS complete error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error interno del servidor" },
         { status: 500 }
       );
     }
   };
 }
+
+// src/handlers/3ds-timeout.ts
 function create3dsTimeoutHandler(deps) {
   const logger = deps.logger ?? console;
   const { db, auth } = deps.firebase;
   return async function POST(request) {
-    const sessionCookie = request.cookies.get("__session")?.value;
+    const sessionCookie = getCookie(request, "__session");
     if (!sessionCookie || !auth) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     let decodedToken;
     try {
       decodedToken = await auth.verifySessionCookie(sessionCookie, true);
     } catch {
-      return NextResponse.json({ error: "Sesion invalida" }, { status: 401 });
+      return json({ error: "Sesion invalida" }, { status: 401 });
     }
     const { orderId } = await request.json();
     if (!orderId || typeof orderId !== "string") {
-      return NextResponse.json({ error: "orderId requerido" }, { status: 400 });
+      return json({ error: "orderId requerido" }, { status: 400 });
     }
     const orderRef = db.collection("orders").doc(orderId);
     const orderDoc = await orderRef.get();
     if (!orderDoc.exists) {
-      return NextResponse.json({ error: "Orden no encontrada" }, { status: 404 });
+      return json({ error: "Orden no encontrada" }, { status: 404 });
     }
     const orderData = orderDoc.data() ?? {};
     if (decodedToken.uid !== orderData.userId) {
-      return NextResponse.json({ error: "Usuario no coincide" }, { status: 403 });
+      return json({ error: "Usuario no coincide" }, { status: 403 });
     }
     if (orderData.status !== "3ds-pending") {
-      return NextResponse.json({ alreadyResolved: true });
+      return json({ alreadyResolved: true });
     }
     await orderRef.update({
       status: "failed",
@@ -1298,48 +1379,50 @@ function create3dsTimeoutHandler(deps) {
         ...retryUrl ? { retryUrl } : {}
       }).catch((err) => logger.error("[3ds-timeout] Failed to send email:", err));
     }
-    return NextResponse.json({ ok: true });
+    return json({ ok: true });
   };
 }
+
+// src/handlers/refund.ts
 function createRefundHandler(deps) {
   const logger = deps.logger ?? console;
   const { db, auth } = deps.firebase;
   return async function POST(request) {
     try {
-      const sessionCookie = request.cookies.get("__session")?.value;
+      const sessionCookie = getCookie(request, "__session");
       if (!sessionCookie || !auth) {
-        return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+        return json({ error: "No autorizado" }, { status: 401 });
       }
       let decodedToken;
       try {
         decodedToken = await auth.verifySessionCookie(sessionCookie, true);
       } catch {
-        return NextResponse.json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
+        return json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
       }
       const { orderId } = await request.json();
       if (!orderId) {
-        return NextResponse.json({ error: "orderId requerido" }, { status: 400 });
+        return json({ error: "orderId requerido" }, { status: 400 });
       }
       const orderDoc = await db.collection("orders").doc(orderId).get();
       if (!orderDoc.exists) {
-        return NextResponse.json({ error: "Orden no encontrada" }, { status: 404 });
+        return json({ error: "Orden no encontrada" }, { status: 404 });
       }
       const order = orderDoc.data() ?? {};
       if (order.userId !== decodedToken.uid) {
-        return NextResponse.json(
+        return json(
           { error: "No autorizado para esta orden" },
           { status: 403 }
         );
       }
       if (order.status !== "paid") {
-        return NextResponse.json(
+        return json(
           { error: "Solo se pueden reembolsar \xF3rdenes pagadas" },
           { status: 400 }
         );
       }
       const paymentTransactionId = order.paymentTransactionId;
       if (!paymentTransactionId) {
-        return NextResponse.json(
+        return json(
           { error: "No se encontr\xF3 ID de transacci\xF3n" },
           { status: 400 }
         );
@@ -1361,15 +1444,15 @@ function createRefundHandler(deps) {
             );
           }
         }
-        return NextResponse.json({ success: true, detail: result.detail });
+        return json({ success: true, detail: result.detail });
       }
-      return NextResponse.json(
+      return json(
         { error: result.detail || "Error al procesar reembolso" },
         { status: 400 }
       );
     } catch (error) {
       logger.error("Refund error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error interno del servidor" },
         { status: 500 }
       );
@@ -1380,20 +1463,20 @@ function createInitCheckoutHandler(deps) {
   const logger = deps.logger ?? console;
   const { auth } = deps.firebase;
   return async function POST(request) {
-    const sessionCookie = request.cookies.get("__session")?.value;
+    const sessionCookie = getCookie(request, "__session");
     if (!sessionCookie || !auth) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     let decodedToken;
     try {
       decodedToken = await auth.verifySessionCookie(sessionCookie, true);
     } catch {
-      return NextResponse.json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
+      return json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
     }
     try {
       const { amount, vat, description, devReference } = await request.json();
       if (!amount || !devReference) {
-        return NextResponse.json(
+        return json(
           { error: "amount y devReference son requeridos" },
           { status: 400 }
         );
@@ -1421,36 +1504,38 @@ function createInitCheckoutHandler(deps) {
         }
       });
       if (result.error) {
-        return NextResponse.json(
+        return json(
           { error: result.error.description || "Error al inicializar checkout" },
           { status: 400 }
         );
       }
       if (!result.reference) {
-        return NextResponse.json(
+        return json(
           { error: "No se recibi\xF3 referencia de checkout" },
           { status: 500 }
         );
       }
-      return NextResponse.json({
+      return json({
         reference: result.reference,
         checkoutUrl: result.checkout_url
       });
     } catch (error) {
       logger.error("Init checkout error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error al inicializar checkout" },
         { status: 500 }
       );
     }
   };
 }
+
+// src/handlers/cards.ts
 function createCardsHandler(deps) {
   const logger = deps.logger ?? console;
   const { db, auth } = deps.firebase;
   const verifiedCardsEnabled = deps.enableVerifiedCardsTracking !== false;
   async function verifySession(request) {
-    const sessionCookie = request.cookies.get("__session")?.value;
+    const sessionCookie = getCookie(request, "__session");
     if (!sessionCookie || !auth) return null;
     try {
       return await auth.verifySessionCookie(sessionCookie, true);
@@ -1461,7 +1546,7 @@ function createCardsHandler(deps) {
   const GET = async function GET2(request) {
     const decoded = await verifySession(request);
     if (!decoded) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     try {
       const result = await listCards(decoded.uid);
@@ -1485,12 +1570,12 @@ function createCardsHandler(deps) {
         const enrichedCards = cards.map(
           (c) => c.status === "review" && verifiedTokens.has(c.token) ? { ...c, status: "valid" } : c
         );
-        return NextResponse.json({ cards: enrichedCards });
+        return json({ cards: enrichedCards });
       }
-      return NextResponse.json({ cards });
+      return json({ cards });
     } catch (error) {
       logger.error("Error listing cards:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error al obtener tarjetas" },
         { status: 500 }
       );
@@ -1499,12 +1584,12 @@ function createCardsHandler(deps) {
   const DELETE = async function DELETE2(request) {
     const decoded = await verifySession(request);
     if (!decoded) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     try {
       const { token } = await request.json();
       if (!token) {
-        return NextResponse.json(
+        return json(
           { error: "Token de tarjeta requerido" },
           { status: 400 }
         );
@@ -1514,7 +1599,7 @@ function createCardsHandler(deps) {
       const resultWithError = result;
       if (resultWithError.error) {
         logger.error("[cards/DELETE] Nuvei delete failed:", JSON.stringify(result));
-        return NextResponse.json(
+        return json(
           { error: "No se pudo eliminar la tarjeta en Nuvei", detail: result },
           { status: 400 }
         );
@@ -1525,10 +1610,10 @@ function createCardsHandler(deps) {
         } catch {
         }
       }
-      return NextResponse.json(result);
+      return json(result);
     } catch (error) {
       logger.error("Error deleting card:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error al eliminar tarjeta" },
         { status: 500 }
       );
@@ -1536,25 +1621,27 @@ function createCardsHandler(deps) {
   };
   return { GET, DELETE };
 }
+
+// src/handlers/verify.ts
 function createVerifyHandler(deps) {
   const logger = deps.logger ?? console;
   const { db, auth } = deps.firebase;
   const verifiedCardsEnabled = deps.enableVerifiedCardsTracking !== false;
   return async function POST(request) {
-    const sessionCookie = request.cookies.get("__session")?.value;
+    const sessionCookie = getCookie(request, "__session");
     if (!sessionCookie || !auth) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     let decodedToken;
     try {
       decodedToken = await auth.verifySessionCookie(sessionCookie, true);
     } catch {
-      return NextResponse.json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
+      return json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
     }
     try {
       const { cardToken, transactionReference, value } = await request.json();
       if (!cardToken && !transactionReference || !value) {
-        return NextResponse.json(
+        return json(
           { error: "transactionReference y value son requeridos" },
           { status: 400 }
         );
@@ -1565,7 +1652,7 @@ function createVerifyHandler(deps) {
         value
       });
       if (result.error) {
-        return NextResponse.json(
+        return json(
           { error: result.error.description || "Error de verificaci\xF3n" },
           { status: 400 }
         );
@@ -1577,41 +1664,43 @@ function createVerifyHandler(deps) {
           logger.error("Failed to persist verified card:", err);
         }
       }
-      return NextResponse.json({
+      return json({
         success: true,
         transaction: result.transaction
       });
     } catch (error) {
       logger.error("Card verify error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error al verificar tarjeta" },
         { status: 500 }
       );
     }
   };
 }
+
+// src/handlers/test-charge.ts
 function createTestChargeHandler(deps) {
   const logger = deps.logger ?? console;
   const { auth } = deps.firebase;
   const defaultDescription = deps.defaultDescription ?? "Test charge";
   return async function POST(request) {
     if (process.env.NUVEI_ENV === "prod") {
-      return NextResponse.json({ error: "Not available" }, { status: 404 });
+      return json({ error: "Not available" }, { status: 404 });
     }
-    const sessionCookie = request.cookies.get("__session")?.value;
+    const sessionCookie = getCookie(request, "__session");
     if (!sessionCookie || !auth) {
-      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
+      return json({ error: "No autorizado" }, { status: 401 });
     }
     let decodedToken;
     try {
       decodedToken = await auth.verifySessionCookie(sessionCookie, true);
     } catch {
-      return NextResponse.json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
+      return json({ error: "Sesi\xF3n inv\xE1lida" }, { status: 401 });
     }
     try {
       const { token, amount, vat, description, devReference } = await request.json();
       if (!token || !amount || !devReference) {
-        return NextResponse.json(
+        return json(
           { error: "token, amount y devReference son requeridos" },
           { status: 400 }
         );
@@ -1627,13 +1716,13 @@ function createTestChargeHandler(deps) {
       });
       logger.log("Test charge result:", JSON.stringify(result, null, 2));
       if (result.transaction && result.transaction.status === "success" && result.transaction.status_detail === 3) {
-        return NextResponse.json({
+        return json({
           success: true,
           transaction: result.transaction,
           card: result.card
         });
       }
-      return NextResponse.json(
+      return json(
         {
           success: false,
           error: result.transaction?.message || result.error?.description || "Pago rechazado",
@@ -1643,7 +1732,7 @@ function createTestChargeHandler(deps) {
       );
     } catch (error) {
       logger.error("Test charge error:", error);
-      return NextResponse.json(
+      return json(
         { error: "Error interno del servidor" },
         { status: 500 }
       );
@@ -1651,6 +1740,57 @@ function createTestChargeHandler(deps) {
   };
 }
 
-export { create3dsCallbackHandler, create3dsCompleteHandler, create3dsTimeoutHandler, createCardsHandler, createChargeHandler, createInitCheckoutHandler, createRefundHandler, createTestChargeHandler, createVerifyHandler, createWebhookHandler };
+// src/handlers/proxy.ts
+function createNuveiProxyHandler(deps = {}) {
+  const logger = deps.logger ?? console;
+  return async function POST(request) {
+    if (request.method !== "POST") {
+      return json({ error: "Method not allowed" }, { status: 405 });
+    }
+    let parsed;
+    try {
+      parsed = await request.json();
+    } catch {
+      return json({ error: "Invalid JSON body" }, { status: 400 });
+    }
+    const { path, method, body: nuveiBody } = parsed;
+    const authToken = request.headers.get("x-nuvei-auth-token");
+    if (!path || !method || !authToken) {
+      return json(
+        { error: "Missing path, method, or x-nuvei-auth-token header" },
+        { status: 400 }
+      );
+    }
+    const env = request.headers.get("x-nuvei-env") || "prod";
+    const baseUrl = env === "prod" ? "https://ccapi.paymentez.com" : "https://ccapi-stg.paymentez.com";
+    const url = `${baseUrl}${path}`;
+    try {
+      const options = {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "Auth-Token": authToken
+        }
+      };
+      if (nuveiBody && method === "POST") {
+        options.body = JSON.stringify(nuveiBody);
+      }
+      const response = await fetch(url, options);
+      const responseBody = await response.text();
+      return new Response(responseBody, {
+        status: response.status,
+        headers: { "content-type": "application/json; charset=utf-8" }
+      });
+    } catch (err) {
+      logger.error("[nuveiProxy] Error:", err);
+      return json(
+        { error: "Proxy error: " + (err instanceof Error ? err.message : String(err)) },
+        { status: 500 }
+      );
+    }
+  };
+}
+
+export { create3dsCallbackHandler, create3dsCompleteHandler, create3dsTimeoutHandler, createCardsHandler, createChargeHandler, createInitCheckoutHandler, createNuveiProxyHandler, createRefundHandler, createTestChargeHandler, createVerifyHandler, createWebhookHandler };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map