npm - @payez/next-mvp - Versions diffs - 3.0.0 - Mend

@payez/next-mvp 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (654) hide show

package/README.md +782 -0
package/dist/api/auth-handler.d.ts +67 -0
package/dist/api/auth-handler.js +397 -0
package/dist/api/index.d.ts +10 -0
package/dist/api/index.js +19 -0
package/dist/api-handlers/account/change-password.d.ts +9 -0
package/dist/api-handlers/account/change-password.js +112 -0
package/dist/api-handlers/account/masked-info.d.ts +2 -0
package/dist/api-handlers/account/masked-info.js +41 -0
package/dist/api-handlers/account/profile.d.ts +3 -0
package/dist/api-handlers/account/profile.js +63 -0
package/dist/api-handlers/account/recovery/initiate.d.ts +2 -0
package/dist/api-handlers/account/recovery/initiate.js +26 -0
package/dist/api-handlers/account/recovery/send-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/send-code.js +28 -0
package/dist/api-handlers/account/recovery/verify-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/verify-code.js +28 -0
package/dist/api-handlers/account/reset-password.d.ts +2 -0
package/dist/api-handlers/account/reset-password.js +26 -0
package/dist/api-handlers/account/send-code.d.ts +24 -0
package/dist/api-handlers/account/send-code.js +60 -0
package/dist/api-handlers/account/update-phone.d.ts +27 -0
package/dist/api-handlers/account/update-phone.js +64 -0
package/dist/api-handlers/account/validate-password.d.ts +17 -0
package/dist/api-handlers/account/validate-password.js +81 -0
package/dist/api-handlers/account/verify-email.d.ts +26 -0
package/dist/api-handlers/account/verify-email.js +106 -0
package/dist/api-handlers/account/verify-sms.d.ts +26 -0
package/dist/api-handlers/account/verify-sms.js +106 -0
package/dist/api-handlers/admin/analytics.d.ts +20 -0
package/dist/api-handlers/admin/analytics.js +379 -0
package/dist/api-handlers/admin/audit.d.ts +20 -0
package/dist/api-handlers/admin/audit.js +214 -0
package/dist/api-handlers/admin/index.d.ts +21 -0
package/dist/api-handlers/admin/index.js +41 -0
package/dist/api-handlers/admin/redis-sessions.d.ts +36 -0
package/dist/api-handlers/admin/redis-sessions.js +204 -0
package/dist/api-handlers/admin/sessions.d.ts +21 -0
package/dist/api-handlers/admin/sessions.js +284 -0
package/dist/api-handlers/admin/site-logs.d.ts +46 -0
package/dist/api-handlers/admin/site-logs.js +318 -0
package/dist/api-handlers/admin/users.d.ts +20 -0
package/dist/api-handlers/admin/users.js +222 -0
package/dist/api-handlers/admin/vibe-data.d.ts +80 -0
package/dist/api-handlers/admin/vibe-data.js +268 -0
package/dist/api-handlers/anon/preferences.d.ts +37 -0
package/dist/api-handlers/anon/preferences.js +96 -0
package/dist/api-handlers/auth/jwks.d.ts +2 -0
package/dist/api-handlers/auth/jwks.js +24 -0
package/dist/api-handlers/auth/login.d.ts +42 -0
package/dist/api-handlers/auth/login.js +178 -0
package/dist/api-handlers/auth/refresh.d.ts +74 -0
package/dist/api-handlers/auth/refresh.js +635 -0
package/dist/api-handlers/auth/signout.d.ts +37 -0
package/dist/api-handlers/auth/signout.js +187 -0
package/dist/api-handlers/auth/status.d.ts +8 -0
package/dist/api-handlers/auth/status.js +26 -0
package/dist/api-handlers/auth/update-session.d.ts +37 -0
package/dist/api-handlers/auth/update-session.js +95 -0
package/dist/api-handlers/auth/validate.d.ts +6 -0
package/dist/api-handlers/auth/validate.js +43 -0
package/dist/api-handlers/auth/verify-code.d.ts +43 -0
package/dist/api-handlers/auth/verify-code.js +94 -0
package/dist/api-handlers/session/refresh-viability.d.ts +14 -0
package/dist/api-handlers/session/refresh-viability.js +39 -0
package/dist/api-handlers/session/viability.d.ts +13 -0
package/dist/api-handlers/session/viability.js +146 -0
package/dist/api-handlers/test/force-expire.d.ts +23 -0
package/dist/api-handlers/test/force-expire.js +65 -0
package/dist/auth/auth-decision.d.ts +39 -0
package/dist/auth/auth-decision.js +182 -0
package/dist/auth/auth-options.d.ts +57 -0
package/dist/auth/auth-options.js +213 -0
package/dist/auth/callbacks/index.d.ts +6 -0
package/dist/auth/callbacks/index.js +12 -0
package/dist/auth/callbacks/jwt.d.ts +45 -0
package/dist/auth/callbacks/jwt.js +305 -0
package/dist/auth/callbacks/session.d.ts +60 -0
package/dist/auth/callbacks/session.js +170 -0
package/dist/auth/callbacks/signin.d.ts +23 -0
package/dist/auth/callbacks/signin.js +44 -0
package/dist/auth/events/index.d.ts +4 -0
package/dist/auth/events/index.js +8 -0
package/dist/auth/events/signout.d.ts +17 -0
package/dist/auth/events/signout.js +32 -0
package/dist/auth/providers/credentials.d.ts +32 -0
package/dist/auth/providers/credentials.js +223 -0
package/dist/auth/providers/index.d.ts +5 -0
package/dist/auth/providers/index.js +21 -0
package/dist/auth/providers/oauth.d.ts +26 -0
package/dist/auth/providers/oauth.js +105 -0
package/dist/auth/route-config.d.ts +66 -0
package/dist/auth/route-config.js +190 -0
package/dist/auth/types/auth-types.d.ts +417 -0
package/dist/auth/types/auth-types.js +53 -0
package/dist/auth/types/index.d.ts +6 -0
package/dist/auth/types/index.js +22 -0
package/dist/auth/unauthenticated-routes.d.ts +1 -0
package/dist/auth/unauthenticated-routes.js +19 -0
package/dist/auth/utils/idp-client.d.ts +94 -0
package/dist/auth/utils/idp-client.js +383 -0
package/dist/auth/utils/index.d.ts +5 -0
package/dist/auth/utils/index.js +21 -0
package/dist/auth/utils/token-utils.d.ts +84 -0
package/dist/auth/utils/token-utils.js +219 -0
package/dist/client/AuthContext.d.ts +19 -0
package/dist/client/AuthContext.js +112 -0
package/dist/client/fetch-with-auth.d.ts +11 -0
package/dist/client/fetch-with-auth.js +44 -0
package/dist/client/fetchWithSession.d.ts +3 -0
package/dist/client/fetchWithSession.js +24 -0
package/dist/client/index.d.ts +9 -0
package/dist/client/index.js +20 -0
package/dist/client/useAnonSession.d.ts +36 -0
package/dist/client/useAnonSession.js +99 -0
package/dist/components/SessionSync.d.ts +13 -0
package/dist/components/SessionSync.js +119 -0
package/dist/components/SignalRHealthCheck.d.ts +10 -0
package/dist/components/SignalRHealthCheck.js +97 -0
package/dist/components/account/UserAvatarMenu.d.ts +20 -0
package/dist/components/account/UserAvatarMenu.js +80 -0
package/dist/components/account/index.d.ts +7 -0
package/dist/components/account/index.js +10 -0
package/dist/components/admin/AlertSettingsTab.d.ts +48 -0
package/dist/components/admin/AlertSettingsTab.js +351 -0
package/dist/components/admin/AnalyticsTab.d.ts +22 -0
package/dist/components/admin/AnalyticsTab.js +167 -0
package/dist/components/admin/DataBrowserTab.d.ts +19 -0
package/dist/components/admin/DataBrowserTab.js +252 -0
package/dist/components/admin/LoggingSettingsTab.d.ts +73 -0
package/dist/components/admin/LoggingSettingsTab.js +339 -0
package/dist/components/admin/SessionsTab.d.ts +37 -0
package/dist/components/admin/SessionsTab.js +165 -0
package/dist/components/admin/StatsTab.d.ts +53 -0
package/dist/components/admin/StatsTab.js +161 -0
package/dist/components/admin/VibeAdminContext.d.ts +32 -0
package/dist/components/admin/VibeAdminContext.js +38 -0
package/dist/components/admin/VibeAdminLayout.d.ts +11 -0
package/dist/components/admin/VibeAdminLayout.js +69 -0
package/dist/components/admin/index.d.ts +29 -0
package/dist/components/admin/index.js +44 -0
package/dist/components/auth/FederatedAuthSection.d.ts +8 -0
package/dist/components/auth/FederatedAuthSection.js +45 -0
package/dist/components/auth/ModeAwareLoginPage.d.ts +10 -0
package/dist/components/auth/ModeAwareLoginPage.js +42 -0
package/dist/components/auth/ModeAwareSignupPage.d.ts +9 -0
package/dist/components/auth/ModeAwareSignupPage.js +78 -0
package/dist/components/auth/TraditionalAuthSection.d.ts +14 -0
package/dist/components/auth/TraditionalAuthSection.js +20 -0
package/dist/components/recovery/CompleteStep.d.ts +5 -0
package/dist/components/recovery/CompleteStep.js +8 -0
package/dist/components/recovery/InitiateRecoveryStep.d.ts +8 -0
package/dist/components/recovery/InitiateRecoveryStep.js +20 -0
package/dist/components/recovery/SelectMethodStep.d.ts +8 -0
package/dist/components/recovery/SelectMethodStep.js +8 -0
package/dist/components/recovery/SetPasswordStep.d.ts +6 -0
package/dist/components/recovery/SetPasswordStep.js +20 -0
package/dist/components/recovery/VerifyCodeStep.d.ts +10 -0
package/dist/components/recovery/VerifyCodeStep.js +24 -0
package/dist/components/reserved/ReservedRecoveryWarning.d.ts +38 -0
package/dist/components/reserved/ReservedRecoveryWarning.js +92 -0
package/dist/components/reserved/ReservedStatusBox.d.ts +30 -0
package/dist/components/reserved/ReservedStatusBox.js +71 -0
package/dist/components/ui/BetaBadge.d.ts +29 -0
package/dist/components/ui/BetaBadge.js +38 -0
package/dist/components/ui/Footer.d.ts +37 -0
package/dist/components/ui/Footer.js +41 -0
package/dist/config/env.d.ts +66 -0
package/dist/config/env.js +57 -0
package/dist/config/logger.d.ts +57 -0
package/dist/config/logger.js +73 -0
package/dist/config/logging-config.d.ts +30 -0
package/dist/config/logging-config.js +122 -0
package/dist/config/unauthenticated-routes.d.ts +17 -0
package/dist/config/unauthenticated-routes.js +24 -0
package/dist/config/vibe-log-transport.d.ts +79 -0
package/dist/config/vibe-log-transport.js +203 -0
package/dist/edge/internal-api-url.d.ts +53 -0
package/dist/edge/internal-api-url.js +63 -0
package/dist/edge/middleware.d.ts +14 -0
package/dist/edge/middleware.js +32 -0
package/dist/hooks/useAuth.d.ts +23 -0
package/dist/hooks/useAuth.js +81 -0
package/dist/hooks/useAuthSettings.d.ts +59 -0
package/dist/hooks/useAuthSettings.js +93 -0
package/dist/hooks/useAvailableProviders.d.ts +45 -0
package/dist/hooks/useAvailableProviders.js +108 -0
package/dist/hooks/usePasswordValidation.d.ts +27 -0
package/dist/hooks/usePasswordValidation.js +102 -0
package/dist/hooks/useProfile.d.ts +15 -0
package/dist/hooks/useProfile.js +59 -0
package/dist/hooks/usePublicAuthSettings.d.ts +56 -0
package/dist/hooks/usePublicAuthSettings.js +131 -0
package/dist/hooks/useSessionExpiration.d.ts +57 -0
package/dist/hooks/useSessionExpiration.js +72 -0
package/dist/hooks/useViabilitySession.d.ts +75 -0
package/dist/hooks/useViabilitySession.js +268 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +54 -0
package/dist/lib/anon-session.d.ts +74 -0
package/dist/lib/anon-session.js +169 -0
package/dist/lib/api-handler.d.ts +123 -0
package/dist/lib/api-handler.js +478 -0
package/dist/lib/app-slug.d.ts +95 -0
package/dist/lib/app-slug.js +172 -0
package/dist/lib/demo-mode.d.ts +6 -0
package/dist/lib/demo-mode.js +16 -0
package/dist/lib/geolocation.d.ts +64 -0
package/dist/lib/geolocation.js +235 -0
package/dist/lib/idp-client-config.d.ts +75 -0
package/dist/lib/idp-client-config.js +351 -0
package/dist/lib/idp-fetch.d.ts +14 -0
package/dist/lib/idp-fetch.js +91 -0
package/dist/lib/internal-api.d.ts +87 -0
package/dist/lib/internal-api.js +122 -0
package/dist/lib/jwt-decode-client.d.ts +10 -0
package/dist/lib/jwt-decode-client.js +46 -0
package/dist/lib/jwt-decode.d.ts +48 -0
package/dist/lib/jwt-decode.js +57 -0
package/dist/lib/nextauth-secret.d.ts +10 -0
package/dist/lib/nextauth-secret.js +104 -0
package/dist/lib/rate-limit-service.d.ts +23 -0
package/dist/lib/rate-limit-service.js +6 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.js +28 -0
package/dist/lib/refresh-token-validator.d.ts +13 -0
package/dist/lib/refresh-token-validator.js +117 -0
package/dist/lib/roles.d.ts +145 -0
package/dist/lib/roles.js +168 -0
package/dist/lib/secret-validation.d.ts +4 -0
package/dist/lib/secret-validation.js +14 -0
package/dist/lib/session-store.d.ts +166 -0
package/dist/lib/session-store.js +537 -0
package/dist/lib/session.d.ts +21 -0
package/dist/lib/session.js +26 -0
package/dist/lib/site-logger.d.ts +214 -0
package/dist/lib/site-logger.js +210 -0
package/dist/lib/standardized-client-api.d.ts +161 -0
package/dist/lib/standardized-client-api.js +786 -0
package/dist/lib/startup-init.d.ts +40 -0
package/dist/lib/startup-init.js +261 -0
package/dist/lib/test-aware-get-token.d.ts +2 -0
package/dist/lib/test-aware-get-token.js +81 -0
package/dist/lib/token-expiry.d.ts +14 -0
package/dist/lib/token-expiry.js +39 -0
package/dist/lib/token-lifecycle.d.ts +52 -0
package/dist/lib/token-lifecycle.js +398 -0
package/dist/lib/types/api-responses.d.ts +128 -0
package/dist/lib/types/api-responses.js +171 -0
package/dist/lib/user-agent-parser.d.ts +50 -0
package/dist/lib/user-agent-parser.js +220 -0
package/dist/logging/api/admin-analytics.d.ts +3 -0
package/dist/logging/api/admin-analytics.js +45 -0
package/dist/logging/api/audit-log.d.ts +3 -0
package/dist/logging/api/audit-log.js +52 -0
package/dist/logging/components/AdminAnalyticsLayout.d.ts +10 -0
package/dist/logging/components/AdminAnalyticsLayout.js +11 -0
package/dist/logging/components/AuditLogViewer.d.ts +7 -0
package/dist/logging/components/AuditLogViewer.js +51 -0
package/dist/logging/components/ErrorMetricsCard.d.ts +7 -0
package/dist/logging/components/ErrorMetricsCard.js +16 -0
package/dist/logging/components/HealthMetricsCard.d.ts +7 -0
package/dist/logging/components/HealthMetricsCard.js +19 -0
package/dist/logging/hooks/useAdminAnalytics.d.ts +24 -0
package/dist/logging/hooks/useAdminAnalytics.js +22 -0
package/dist/logging/hooks/useAuditLog.d.ts +6 -0
package/dist/logging/hooks/useAuditLog.js +25 -0
package/dist/logging/hooks/useErrorMetrics.d.ts +6 -0
package/dist/logging/hooks/useErrorMetrics.js +38 -0
package/dist/logging/hooks/useHealthMetrics.d.ts +6 -0
package/dist/logging/hooks/useHealthMetrics.js +41 -0
package/dist/logging/index.d.ts +11 -0
package/dist/logging/index.js +40 -0
package/dist/logging/types/analytics.d.ts +68 -0
package/dist/logging/types/analytics.js +3 -0
package/dist/logging/types/audit.d.ts +29 -0
package/dist/logging/types/audit.js +2 -0
package/dist/logging/types/index.d.ts +2 -0
package/dist/logging/types/index.js +19 -0
package/dist/middleware/auth-decision.d.ts +33 -0
package/dist/middleware/auth-decision.js +65 -0
package/dist/middleware/create-middleware.d.ts +100 -0
package/dist/middleware/create-middleware.js +445 -0
package/dist/middleware/rbac-check.d.ts +44 -0
package/dist/middleware/rbac-check.js +191 -0
package/dist/middleware/twofa-presets.d.ts +134 -0
package/dist/middleware/twofa-presets.js +175 -0
package/dist/models/DecodedAccessToken.d.ts +17 -0
package/dist/models/DecodedAccessToken.js +2 -0
package/dist/models/SessionModel.d.ts +122 -0
package/dist/models/SessionModel.js +136 -0
package/dist/pages/admin-login/page.d.ts +31 -0
package/dist/pages/admin-login/page.js +83 -0
package/dist/pages/admin-roles/RolesAdminPage.d.ts +15 -0
package/dist/pages/admin-roles/RolesAdminPage.js +78 -0
package/dist/pages/admin-roles/index.d.ts +8 -0
package/dist/pages/admin-roles/index.js +15 -0
package/dist/pages/admin-roles/modals.d.ts +72 -0
package/dist/pages/admin-roles/modals.js +154 -0
package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +79 -0
package/dist/pages/client-admin/ClientSiteAdminPage.js +177 -0
package/dist/pages/client-admin/index.d.ts +32 -0
package/dist/pages/client-admin/index.js +37 -0
package/dist/pages/login/page.d.ts +22 -0
package/dist/pages/login/page.js +239 -0
package/dist/pages/profile/EnhancedProfilePage.d.ts +13 -0
package/dist/pages/profile/EnhancedProfilePage.js +150 -0
package/dist/pages/profile/index.d.ts +8 -0
package/dist/pages/profile/index.js +16 -0
package/dist/pages/profile/page.d.ts +19 -0
package/dist/pages/profile/page.js +47 -0
package/dist/pages/profile/profile-patch.d.ts +1 -0
package/dist/pages/profile/profile-patch.js +281 -0
package/dist/pages/recovery/page.d.ts +1 -0
package/dist/pages/recovery/page.js +142 -0
package/dist/pages/roles/MyRolesPage.d.ts +24 -0
package/dist/pages/roles/MyRolesPage.js +71 -0
package/dist/pages/roles/components.d.ts +63 -0
package/dist/pages/roles/components.js +108 -0
package/dist/pages/roles/index.d.ts +8 -0
package/dist/pages/roles/index.js +19 -0
package/dist/pages/security/EnhancedSecurityPage.d.ts +14 -0
package/dist/pages/security/EnhancedSecurityPage.js +248 -0
package/dist/pages/security/index.d.ts +8 -0
package/dist/pages/security/index.js +16 -0
package/dist/pages/security/page.d.ts +21 -0
package/dist/pages/security/page.js +212 -0
package/dist/pages/security/security-patch.d.ts +1 -0
package/dist/pages/security/security-patch.js +302 -0
package/dist/pages/settings/EnhancedSettingsPage.d.ts +46 -0
package/dist/pages/settings/EnhancedSettingsPage.js +231 -0
package/dist/pages/settings/index.d.ts +8 -0
package/dist/pages/settings/index.js +16 -0
package/dist/pages/settings/page.d.ts +7 -0
package/dist/pages/settings/page.js +26 -0
package/dist/pages/showcase/ShowcasePage.d.ts +13 -0
package/dist/pages/showcase/ShowcasePage.js +140 -0
package/dist/pages/showcase/index.d.ts +12 -0
package/dist/pages/showcase/index.js +17 -0
package/dist/pages/test-env/EmergencyLogoutPage.d.ts +14 -0
package/dist/pages/test-env/EmergencyLogoutPage.js +98 -0
package/dist/pages/test-env/JwtInspectPage.d.ts +14 -0
package/dist/pages/test-env/JwtInspectPage.js +114 -0
package/dist/pages/test-env/RefreshTokenPage.d.ts +15 -0
package/dist/pages/test-env/RefreshTokenPage.js +91 -0
package/dist/pages/test-env/TestEnvPage.d.ts +13 -0
package/dist/pages/test-env/TestEnvPage.js +49 -0
package/dist/pages/test-env/index.d.ts +24 -0
package/dist/pages/test-env/index.js +32 -0
package/dist/pages/verify-code/page.d.ts +30 -0
package/dist/pages/verify-code/page.js +408 -0
package/dist/routes/account/index.d.ts +28 -0
package/dist/routes/account/index.js +71 -0
package/dist/routes/account/masked-info.d.ts +33 -0
package/dist/routes/account/masked-info.js +39 -0
package/dist/routes/account/send-code.d.ts +37 -0
package/dist/routes/account/send-code.js +42 -0
package/dist/routes/account/update-phone.d.ts +13 -0
package/dist/routes/account/update-phone.js +17 -0
package/dist/routes/account/verify-email.d.ts +38 -0
package/dist/routes/account/verify-email.js +43 -0
package/dist/routes/account/verify-sms.d.ts +38 -0
package/dist/routes/account/verify-sms.js +43 -0
package/dist/routes/auth/index.d.ts +19 -0
package/dist/routes/auth/index.js +64 -0
package/dist/routes/auth/logout.d.ts +31 -0
package/dist/routes/auth/logout.js +113 -0
package/dist/routes/auth/nextauth.d.ts +19 -0
package/dist/routes/auth/nextauth.js +72 -0
package/dist/routes/auth/refresh.d.ts +30 -0
package/dist/routes/auth/refresh.js +51 -0
package/dist/routes/auth/session.d.ts +72 -0
package/dist/routes/auth/session.js +180 -0
package/dist/routes/auth/settings.d.ts +25 -0
package/dist/routes/auth/settings.js +55 -0
package/dist/routes/auth/viability.d.ts +52 -0
package/dist/routes/auth/viability.js +201 -0
package/dist/routes/index.d.ts +12 -0
package/dist/routes/index.js +54 -0
package/dist/routes/session/index.d.ts +6 -0
package/dist/routes/session/index.js +10 -0
package/dist/routes/session/refresh-viability.d.ts +16 -0
package/dist/routes/session/refresh-viability.js +20 -0
package/dist/services/signalrActivityService.d.ts +44 -0
package/dist/services/signalrActivityService.js +257 -0
package/dist/stores/authStore.d.ts +154 -0
package/dist/stores/authStore.js +1531 -0
package/dist/theme/ThemeProvider.d.ts +14 -0
package/dist/theme/ThemeProvider.js +28 -0
package/dist/theme/default.d.ts +8 -0
package/dist/theme/default.js +33 -0
package/dist/theme/index.d.ts +15 -0
package/dist/theme/index.js +25 -0
package/dist/theme/types.d.ts +56 -0
package/dist/theme/types.js +8 -0
package/dist/theme/useTheme.d.ts +60 -0
package/dist/theme/useTheme.js +63 -0
package/dist/theme/utils.d.ts +13 -0
package/dist/theme/utils.js +39 -0
package/dist/types/api.d.ts +134 -0
package/dist/types/api.js +44 -0
package/dist/types/auth.d.ts +19 -0
package/dist/types/auth.js +2 -0
package/dist/types/logging.d.ts +42 -0
package/dist/types/logging.js +2 -0
package/dist/types/recovery.d.ts +48 -0
package/dist/types/recovery.js +2 -0
package/dist/types/security.d.ts +1 -0
package/dist/types/security.js +2 -0
package/dist/utils/api.d.ts +85 -0
package/dist/utils/api.js +287 -0
package/dist/utils/circuitBreaker.d.ts +43 -0
package/dist/utils/circuitBreaker.js +91 -0
package/dist/utils/error-message.d.ts +1 -0
package/dist/utils/error-message.js +103 -0
package/dist/utils/layout/reservedSpace.d.ts +59 -0
package/dist/utils/layout/reservedSpace.js +102 -0
package/dist/utils/logout.d.ts +14 -0
package/dist/utils/logout.js +32 -0
package/dist/vibe/client.d.ts +261 -0
package/dist/vibe/client.js +445 -0
package/dist/vibe/errors.d.ts +83 -0
package/dist/vibe/errors.js +146 -0
package/dist/vibe/generic.d.ts +234 -0
package/dist/vibe/generic.js +369 -0
package/dist/vibe/hooks/index.d.ts +169 -0
package/dist/vibe/hooks/index.js +252 -0
package/dist/vibe/index.d.ts +23 -0
package/dist/vibe/index.js +67 -0
package/dist/vibe/sessions.d.ts +161 -0
package/dist/vibe/sessions.js +391 -0
package/dist/vibe/types.d.ts +353 -0
package/dist/vibe/types.js +315 -0
package/package.json +855 -0
package/scripts/check-internal-url-usage.sh +73 -0
package/scripts/dev-broker.ps1 +35 -0
package/scripts/dev-local.ps1 +45 -0
package/src/api/auth-handler.ts +550 -0
package/src/api/index.ts +18 -0
package/src/api-handlers/account/change-password.ts +145 -0
package/src/api-handlers/account/masked-info.ts +45 -0
package/src/api-handlers/account/profile.ts +80 -0
package/src/api-handlers/account/recovery/initiate.ts +23 -0
package/src/api-handlers/account/recovery/send-code.ts +25 -0
package/src/api-handlers/account/recovery/verify-code.ts +25 -0
package/src/api-handlers/account/reset-password.ts +23 -0
package/src/api-handlers/account/send-code.ts +76 -0
package/src/api-handlers/account/update-phone.ts +79 -0
package/src/api-handlers/account/validate-password.ts +118 -0
package/src/api-handlers/account/verify-email.ts +125 -0
package/src/api-handlers/account/verify-sms.ts +125 -0
package/src/api-handlers/admin/analytics.ts +445 -0
package/src/api-handlers/admin/audit.ts +225 -0
package/src/api-handlers/admin/index.ts +59 -0
package/src/api-handlers/admin/redis-sessions.ts +253 -0
package/src/api-handlers/admin/sessions.ts +320 -0
package/src/api-handlers/admin/site-logs.ts +367 -0
package/src/api-handlers/admin/users.ts +244 -0
package/src/api-handlers/admin/vibe-data.ts +326 -0
package/src/api-handlers/anon/preferences.ts +123 -0
package/src/api-handlers/auth/jwks.ts +20 -0
package/src/api-handlers/auth/login.ts +240 -0
package/src/api-handlers/auth/refresh.ts +687 -0
package/src/api-handlers/auth/signout.ts +212 -0
package/src/api-handlers/auth/status.ts +23 -0
package/src/api-handlers/auth/update-session.ts +125 -0
package/src/api-handlers/auth/validate.ts +44 -0
package/src/api-handlers/auth/verify-code.ts +129 -0
package/src/api-handlers/session/refresh-viability.ts +36 -0
package/src/api-handlers/session/viability.ts +166 -0
package/src/api-handlers/test/force-expire.ts +67 -0
package/src/auth/auth-decision.ts +230 -0
package/src/auth/auth-options.ts +237 -0
package/src/auth/callbacks/index.ts +7 -0
package/src/auth/callbacks/jwt.ts +382 -0
package/src/auth/callbacks/session.ts +243 -0
package/src/auth/callbacks/signin.ts +56 -0
package/src/auth/events/index.ts +5 -0
package/src/auth/events/signout.ts +33 -0
package/src/auth/providers/credentials.ts +256 -0
package/src/auth/providers/index.ts +6 -0
package/src/auth/providers/oauth.ts +114 -0
package/src/auth/route-config.ts +220 -0
package/src/auth/types/auth-types.ts +555 -0
package/src/auth/types/index.ts +7 -0
package/src/auth/unauthenticated-routes.ts +3 -0
package/src/auth/utils/idp-client.ts +444 -0
package/src/auth/utils/index.ts +6 -0
package/src/auth/utils/token-utils.ts +244 -0
package/src/client/AuthContext.tsx +140 -0
package/src/client/fetch-with-auth.ts +48 -0
package/src/client/fetchWithSession.ts +21 -0
package/src/client/index.ts +13 -0
package/src/client/useAnonSession.ts +131 -0
package/src/components/SessionSync.tsx +137 -0
package/src/components/SignalRHealthCheck.tsx +131 -0
package/src/components/account/UserAvatarMenu.tsx +217 -0
package/src/components/account/index.ts +8 -0
package/src/components/admin/AlertSettingsTab.tsx +728 -0
package/src/components/admin/AnalyticsTab.tsx +703 -0
package/src/components/admin/DataBrowserTab.tsx +505 -0
package/src/components/admin/LoggingSettingsTab.tsx +665 -0
package/src/components/admin/SessionsTab.tsx +414 -0
package/src/components/admin/StatsTab.tsx +379 -0
package/src/components/admin/VibeAdminContext.tsx +87 -0
package/src/components/admin/VibeAdminLayout.tsx +185 -0
package/src/components/admin/index.ts +59 -0
package/src/components/auth/FederatedAuthSection.tsx +95 -0
package/src/components/auth/ModeAwareLoginPage.tsx +135 -0
package/src/components/auth/ModeAwareSignupPage.tsx +267 -0
package/src/components/auth/TraditionalAuthSection.tsx +99 -0
package/src/components/recovery/CompleteStep.tsx +36 -0
package/src/components/recovery/InitiateRecoveryStep.tsx +68 -0
package/src/components/recovery/SelectMethodStep.tsx +73 -0
package/src/components/recovery/SetPasswordStep.tsx +97 -0
package/src/components/recovery/VerifyCodeStep.tsx +90 -0
package/src/components/reserved/ReservedRecoveryWarning.tsx +160 -0
package/src/components/reserved/ReservedStatusBox.tsx +118 -0
package/src/components/ui/BetaBadge.tsx +58 -0
package/src/components/ui/Footer.tsx +93 -0
package/src/config/env.ts +57 -0
package/src/config/logger.ts +62 -0
package/src/config/logging-config.ts +82 -0
package/src/config/unauthenticated-routes.ts +19 -0
package/src/config/vibe-log-transport.ts +250 -0
package/src/edge/internal-api-url.ts +65 -0
package/src/edge/middleware.ts +42 -0
package/src/hooks/useAuth.ts +115 -0
package/src/hooks/useAuthSettings.ts +97 -0
package/src/hooks/useAvailableProviders.ts +118 -0
package/src/hooks/usePasswordValidation.ts +127 -0
package/src/hooks/useProfile.ts +75 -0
package/src/hooks/usePublicAuthSettings.ts +149 -0
package/src/hooks/useSessionExpiration.ts +102 -0
package/src/hooks/useViabilitySession.ts +335 -0
package/src/index.ts +63 -0
package/src/lib/anon-session.ts +213 -0
package/src/lib/api-handler.ts +625 -0
package/src/lib/app-slug.ts +178 -0
package/src/lib/demo-mode.ts +13 -0
package/src/lib/geolocation.ts +265 -0
package/src/lib/idp-client-config.ts +442 -0
package/src/lib/idp-fetch.ts +101 -0
package/src/lib/internal-api.ts +171 -0
package/src/lib/jwt-decode-client.ts +45 -0
package/src/lib/jwt-decode.ts +83 -0
package/src/lib/nextauth-secret.ts +126 -0
package/src/lib/rate-limit-service.ts +9 -0
package/src/lib/redis.ts +27 -0
package/src/lib/refresh-token-validator.ts +64 -0
package/src/lib/roles.ts +177 -0
package/src/lib/secret-validation.ts +8 -0
package/src/lib/session-store.ts +637 -0
package/src/lib/session.ts +34 -0
package/src/lib/site-logger.ts +245 -0
package/src/lib/standardized-client-api.ts +896 -0
package/src/lib/startup-init.ts +247 -0
package/src/lib/test-aware-get-token.ts +30 -0
package/src/lib/token-expiry.ts +40 -0
package/src/lib/token-lifecycle.ts +477 -0
package/src/lib/types/api-responses.ts +336 -0
package/src/lib/user-agent-parser.ts +252 -0
package/src/logging/api/admin-analytics.ts +51 -0
package/src/logging/api/audit-log.ts +53 -0
package/src/logging/components/AdminAnalyticsLayout.tsx +49 -0
package/src/logging/components/AuditLogViewer.tsx +125 -0
package/src/logging/components/ErrorMetricsCard.tsx +98 -0
package/src/logging/components/HealthMetricsCard.tsx +70 -0
package/src/logging/hooks/useAdminAnalytics.ts +22 -0
package/src/logging/hooks/useAuditLog.ts +24 -0
package/src/logging/hooks/useErrorMetrics.ts +40 -0
package/src/logging/hooks/useHealthMetrics.ts +44 -0
package/src/logging/index.ts +18 -0
package/src/logging/types/analytics.ts +81 -0
package/src/logging/types/audit.ts +31 -0
package/src/logging/types/index.ts +3 -0
package/src/middleware/auth-decision.ts +43 -0
package/src/middleware/create-middleware.ts +626 -0
package/src/middleware/rbac-check.ts +244 -0
package/src/middleware/twofa-presets.ts +224 -0
package/src/models/DecodedAccessToken.ts +17 -0
package/src/models/SessionModel.ts +258 -0
package/src/pages/admin-login/page.tsx +229 -0
package/src/pages/admin-roles/RolesAdminPage.tsx +357 -0
package/src/pages/admin-roles/index.ts +9 -0
package/src/pages/admin-roles/modals.tsx +469 -0
package/src/pages/client-admin/ClientSiteAdminPage.tsx +380 -0
package/src/pages/client-admin/index.ts +33 -0
package/src/pages/login/page.tsx +463 -0
package/src/pages/profile/EnhancedProfilePage.tsx +479 -0
package/src/pages/profile/index.ts +9 -0
package/src/pages/profile/page.tsx +166 -0
package/src/pages/recovery/page.tsx +234 -0
package/src/pages/roles/MyRolesPage.tsx +211 -0
package/src/pages/roles/components.tsx +294 -0
package/src/pages/roles/index.ts +17 -0
package/src/pages/security/EnhancedSecurityPage.tsx +574 -0
package/src/pages/security/index.ts +9 -0
package/src/pages/security/page.tsx +507 -0
package/src/pages/settings/EnhancedSettingsPage.tsx +642 -0
package/src/pages/settings/index.ts +9 -0
package/src/pages/settings/page.tsx +47 -0
package/src/pages/showcase/ShowcasePage.tsx +530 -0
package/src/pages/showcase/index.ts +13 -0
package/src/pages/test-env/EmergencyLogoutPage.tsx +179 -0
package/src/pages/test-env/JwtInspectPage.tsx +418 -0
package/src/pages/test-env/RefreshTokenPage.tsx +155 -0
package/src/pages/test-env/TestEnvPage.tsx +116 -0
package/src/pages/test-env/index.ts +25 -0
package/src/pages/verify-code/page.tsx +648 -0
package/src/routes/account/index.ts +32 -0
package/src/routes/account/masked-info.ts +37 -0
package/src/routes/account/send-code.ts +40 -0
package/src/routes/account/update-phone.ts +13 -0
package/src/routes/account/verify-email.ts +41 -0
package/src/routes/account/verify-sms.ts +41 -0
package/src/routes/auth/index.ts +23 -0
package/src/routes/auth/logout.ts +127 -0
package/src/routes/auth/nextauth.ts +71 -0
package/src/routes/auth/refresh.ts +54 -0
package/src/routes/auth/session.ts +193 -0
package/src/routes/auth/settings.ts +75 -0
package/src/routes/auth/viability.ts +220 -0
package/src/routes/index.ts +18 -0
package/src/routes/session/index.ts +7 -0
package/src/routes/session/refresh-viability.ts +17 -0
package/src/services/signalrActivityService.ts +258 -0
package/src/stores/authStore.ts +1904 -0
package/src/templates/instrumentation.ts +41 -0
package/src/theme/ThemeProvider.tsx +39 -0
package/src/theme/default.ts +33 -0
package/src/theme/index.ts +31 -0
package/src/theme/types.ts +69 -0
package/src/theme/useTheme.ts +57 -0
package/src/theme/utils.ts +40 -0
package/src/types/api.ts +13 -0
package/src/types/auth.d.ts +15 -0
package/src/types/auth.ts +22 -0
package/src/types/logging.ts +11 -0
package/src/types/next-auth.d.ts +15 -0
package/src/types/recovery.ts +54 -0
package/src/types/security.ts +1 -0
package/src/utils/api.ts +353 -0
package/src/utils/circuitBreaker.ts +40 -0
package/src/utils/error-message.ts +108 -0
package/src/utils/layout/reservedSpace.ts +124 -0
package/src/utils/logout.ts +30 -0
package/src/vibe/client.ts +590 -0
package/src/vibe/errors.ts +185 -0
package/src/vibe/generic.ts +429 -0
package/src/vibe/hooks/index.ts +367 -0
package/src/vibe/index.ts +121 -0
package/src/vibe/sessions.ts +551 -0
package/src/vibe/types.ts +577 -0

package/dist/api-handlers/session/viability.js ADDED Viewed

@@ -0,0 +1,146 @@
+"use strict";
+/**
+ * Session Viability Check API Handler for `@payez/next-mvp`
+ *
+ * This API route is called by the middleware to securely check if a session is valid.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const session_store_1 = require("../../lib/session-store");
+const jwt_1 = require("next-auth/jwt");
+const startup_init_1 = require("../../lib/startup-init");
+const app_slug_1 = require("../../lib/app-slug");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+/**
+ * Get NextAuth secret from IDP config (cached).
+ * NEVER use process.env.NEXTAUTH_SECRET directly - it may not be set.
+ */
+async function getNextAuthSecret() {
+    const config = await (0, idp_client_config_1.getIDPClientConfig)();
+    return config.nextAuthSecret || '';
+}
+async function GET(req) {
+    try {
+        // Ensure initialization is complete
+        if (!process.env.NEXTAUTH_SECRET) {
+            try {
+                await (0, startup_init_1.ensureInitialized)();
+            }
+            catch (error) {
+                // Initialization failed - return 503
+                console.error('[API Viability] Initialization failed - returning 503');
+                return server_1.NextResponse.json({
+                    error: 'Service Unavailable',
+                    message: 'Authentication service is not properly configured',
+                    code: 'AUTH_NOT_INITIALIZED'
+                }, { status: 503 });
+            }
+        }
+        // Double-check after initialization attempt
+        if ((0, startup_init_1.isInitializationFailed)()) {
+            console.error('[API Viability] Initialization failed - returning 503');
+            return server_1.NextResponse.json({
+                error: 'Service Unavailable',
+                message: 'Authentication service is not properly configured',
+                code: 'AUTH_NOT_INITIALIZED'
+            }, { status: 503 });
+        }
+        // Get secret from IDP config (same source as session.ts and token-lifecycle.ts)
+        const secret = await getNextAuthSecret();
+        if (!secret) {
+            console.error('[API Viability] NEXTAUTH_SECRET not available from IDP config');
+            return server_1.NextResponse.json({
+                error: 'Service Unavailable',
+                message: 'Authentication service is not properly configured',
+                code: 'AUTH_NOT_INITIALIZED'
+            }, { status: 503 });
+        }
+        // getToken is the recommended way to get the JWT from a request
+        const cookieName = (0, app_slug_1.getJwtCookieName)();
+        const token = await (0, jwt_1.getToken)({ req, secret, cookieName });
+        // Debug logging to diagnose AKS-specific issues
+        if (!token) {
+            const cookieHeader = req.headers.get('cookie') || '';
+            const hasCookie = cookieHeader.includes(cookieName);
+            const cookieMatch = cookieHeader.match(new RegExp(`${cookieName}=([^;]*)`));
+            const cookieValue = cookieMatch ? cookieMatch[1] : null;
+            console.warn('[VIABILITY] getToken returned null:', {
+                cookieName,
+                hasCookie,
+                cookieValueLength: cookieValue?.length || 0,
+                cookieValuePreview: cookieValue ? cookieValue.substring(0, 30) + '...' : 'EMPTY',
+                secretLength: secret.length,
+                secretPreview: secret ? secret.substring(0, 10) + '...' : 'EMPTY',
+            });
+        }
+        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+        const sessionToken = (token?.sessionToken || token?.redisSessionId);
+        if (token && sessionToken) {
+            const sessionData = await (0, session_store_1.getSession)(sessionToken);
+            if (sessionData) {
+                // The session exists in Redis
+                // Check if access token is expired (for middleware decision-making)
+                const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
+                const accessTokenExpired = accessTokenExpires < Date.now();
+                // Get requires2FA from cached client config (not session)
+                // This is a client-wide setting from the broker handshake
+                let requires2FA = true; // Default to true for security
+                try {
+                    const cachedConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+                    requires2FA = cachedConfig.authSettings?.require2FA ?? true;
+                }
+                catch (e) {
+                    console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
+                }
+                // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+                // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
+                // has passed, we must treat 2FA as incomplete to force re-verification.
+                const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
+                const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+                // Check both field names for compatibility (mfaVerified is the normalized name)
+                const sessionMfaComplete = sessionData.mfaVerified ?? sessionData.twoFactorComplete ?? false;
+                const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
+                console.log('[VIABILITY] Session 2FA check:', {
+                    sessionToken: sessionToken.substring(0, 8) + '...',
+                    mfaVerified: sessionData.mfaVerified,
+                    twoFactorComplete: sessionData.twoFactorComplete,
+                    sessionMfaComplete,
+                    mfaExpired,
+                    effectiveTwoFactorComplete,
+                });
+                if (mfaExpired && sessionMfaComplete) {
+                    console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
+                        mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
+                        now: new Date().toISOString(),
+                        hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
+                    });
+                }
+                const response = {
+                    authenticated: true,
+                    sessionToken, // Include token for middleware tracking
+                    // 2FA fields - critical for middleware redirect logic
+                    requires2FA, // From cached client config (client-wide setting)
+                    twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
+                    // Token status for refresh decisions
+                    accessTokenExpired,
+                    hasRefreshToken: !!sessionData.idpRefreshToken
+                };
+                return server_1.NextResponse.json(response);
+            }
+            // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
+            // Return sessionToken so middleware can detect this and clear the stale cookie
+            console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
+            return server_1.NextResponse.json({
+                authenticated: false,
+                sessionToken // Include token to enable stale cookie detection
+            });
+        }
+        // If there's no token at all, it's not authenticated
+        return server_1.NextResponse.json({ authenticated: false });
+    }
+    catch (error) {
+        console.error('[API Viability] Error checking session viability:', error);
+        return server_1.NextResponse.json({ authenticated: false }, { status: 500 });
+    }
+}

package/dist/api-handlers/test/force-expire.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * Force-expire access token for testing refresh flow.
+ *
+ * Sets the access token expiry to 2 minutes in the past,
+ * which will trigger a refresh on the next API call.
+ *
+ * Usage in consuming app:
+ * ```typescript
+ * // app/api/test/force-expire/route.ts
+ * export { POST } from '@payez/next-mvp/api-handlers/test/force-expire';
+ * ```
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<{
+    success: boolean;
+    error: string;
+}> | NextResponse<{
+    success: boolean;
+    previous: number | null;
+    previousIso: string | null;
+    newExpiry: number;
+    newExpiryIso: string;
+}>>;

package/dist/api-handlers/test/force-expire.js ADDED Viewed

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+const server_1 = require("next/server");
+const jwt_1 = require("next-auth/jwt");
+const session_store_1 = require("../../lib/session-store");
+const app_slug_1 = require("../../lib/app-slug");
+/**
+ * Force-expire access token for testing refresh flow.
+ *
+ * Sets the access token expiry to 2 minutes in the past,
+ * which will trigger a refresh on the next API call.
+ *
+ * Usage in consuming app:
+ * ```typescript
+ * // app/api/test/force-expire/route.ts
+ * export { POST } from '@payez/next-mvp/api-handlers/test/force-expire';
+ * ```
+ */
+const POST = async (req) => {
+    try {
+        const secret = process.env.NEXTAUTH_SECRET;
+        if (!secret) {
+            return server_1.NextResponse.json({ success: false, error: 'NEXTAUTH_SECRET not configured' }, { status: 500 });
+        }
+        const cookieName = (0, app_slug_1.getJwtCookieName)();
+        const token = await (0, jwt_1.getToken)({ req, secret, cookieName });
+        let sessionToken = token?.redisSessionId;
+        if (!sessionToken) {
+            const headerSessionToken = req.headers.get('x-session-token') || req.headers.get('X-Session-Token');
+            if (headerSessionToken) {
+                sessionToken = headerSessionToken;
+            }
+            else {
+                console.warn('[TEST_EXPIRE] No session token in JWT cookie or X-Session-Token header');
+                return server_1.NextResponse.json({ success: false, error: 'No session token' }, { status: 401 });
+            }
+        }
+        const session = await (0, session_store_1.getSession)(sessionToken);
+        if (!session) {
+            return server_1.NextResponse.json({ success: false, error: 'Session not found' }, { status: 404 });
+        }
+        const now = Date.now();
+        const forced = now - (2 * 60 * 1000); // two minutes ago
+        const prev = session.idpAccessTokenExpires || null;
+        await (0, session_store_1.updateSession)(sessionToken, { idpAccessTokenExpires: forced });
+        console.log('[TEST_EXPIRE] Forced access token expiry for session', {
+            sessionToken: sessionToken.substring(0, 8) + '...',
+            previous: prev ? new Date(prev).toISOString() : null,
+            newExpiry: new Date(forced).toISOString()
+        });
+        return server_1.NextResponse.json({
+            success: true,
+            previous: prev,
+            previousIso: prev ? new Date(prev).toISOString() : null,
+            newExpiry: forced,
+            newExpiryIso: new Date(forced).toISOString()
+        });
+    }
+    catch (e) {
+        console.error('[TEST_EXPIRE] Error:', e);
+        return server_1.NextResponse.json({ success: false, error: e instanceof Error ? e.message : String(e) }, { status: 500 });
+    }
+};
+exports.POST = POST;

package/dist/auth/auth-decision.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Auth Decision Engine - Pure function for middleware auth flow
+ *
+ * This module provides a deterministic decision tree for authentication middleware.
+ * All auth flow logic is centralized here for testability and maintainability.
+ */
+export interface AuthContext {
+    pathname: string;
+    isPublicRoute: boolean;
+    isLoginPage: boolean;
+    searchParams: URLSearchParams;
+    sessionPointer: {
+        exists: boolean;
+        sessionToken?: string;
+        expired?: boolean;
+    };
+    sessionStatus: {
+        exists: boolean | null;
+        forceInvalid: boolean | null;
+        requires2FA: boolean;
+        twoFactorComplete: boolean;
+    };
+    circuitBreakerOpen: boolean;
+}
+export type AuthAction = {
+    type: 'allow';
+} | {
+    type: 'redirect';
+    location: string;
+    reason: string;
+    clearCookies?: boolean;
+} | {
+    type: 'service_error';
+    reason: string;
+};
+/**
+ * Main decision function - pure, testable, deterministic
+ */
+export declare function makeAuthDecision(context: AuthContext): AuthAction;

package/dist/auth/auth-decision.js ADDED Viewed

@@ -0,0 +1,182 @@
+"use strict";
+/**
+ * Auth Decision Engine - Pure function for middleware auth flow
+ *
+ * This module provides a deterministic decision tree for authentication middleware.
+ * All auth flow logic is centralized here for testability and maintainability.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeAuthDecision = makeAuthDecision;
+/**
+ * Main decision function - pure, testable, deterministic
+ */
+function makeAuthDecision(context) {
+    const { pathname, isPublicRoute, isLoginPage, searchParams, sessionPointer, sessionStatus, circuitBreakerOpen } = context;
+    // SAFEGUARD: Never use auth pages as callback URLs to prevent redirect loops
+    const safeCallbackUrl = pathname.startsWith('/account-auth/') ? '/' : pathname;
+    // Public routes are allowed, but we need to check login page separately
+    if (isPublicRoute && !isLoginPage) {
+        // For non-login public routes, check if authenticated user needs 2FA
+        if (sessionPointer.exists && sessionStatus.exists && sessionStatus.requires2FA && !sessionStatus.twoFactorComplete) {
+            // Skip redirect for verify-code page
+            if (pathname === '/account-auth/verify-code') {
+                return { type: 'allow' };
+            }
+        }
+        return { type: 'allow' };
+    }
+    // Circuit breaker open - redirect to login with service unavailable
+    if (circuitBreakerOpen) {
+        if (isLoginPage) {
+            return { type: 'allow' }; // Let them see login page
+        }
+        return {
+            type: 'redirect',
+            location: '/account-auth/login?error=ServiceUnavailable&reason=CircuitBreakerOpen',
+            reason: 'CircuitBreakerOpen',
+            clearCookies: true
+        };
+    }
+    // No session pointer (JWT cookie) - need to login
+    if (!sessionPointer.exists) {
+        if (isLoginPage) {
+            return { type: 'allow' };
+        }
+        // Redirect root to configured URL for unauthenticated users
+        if (pathname === '/') {
+            const unauthUrl = process.env.UNAUTHENTICATED_REDIRECT_URL || '/account-auth/login';
+            return {
+                type: 'redirect',
+                location: unauthUrl,
+                reason: 'unauthenticated_root_redirect'
+            };
+        }
+        return {
+            type: 'redirect',
+            location: `/account-auth/login?callbackUrl=${encodeURIComponent(safeCallbackUrl)}`,
+            reason: 'no_session_pointer'
+        };
+    }
+    // Redis/service errors - can't verify session
+    if (sessionStatus.exists === null || sessionStatus.forceInvalid === null) {
+        return {
+            type: 'service_error',
+            reason: 'redis_unavailable'
+        };
+    }
+    // Session force invalidated - need fresh login
+    if (sessionStatus.forceInvalid) {
+        if (isLoginPage) {
+            return { type: 'allow' };
+        }
+        return {
+            type: 'redirect',
+            location: `/account-auth/login?callbackUrl=${encodeURIComponent(safeCallbackUrl)}&reason=force_invalidated`,
+            reason: 'force_invalidated',
+            clearCookies: true
+        };
+    }
+    // Stale session (cookie exists but not in Redis) - need fresh login
+    if (!sessionStatus.exists) {
+        if (isLoginPage) {
+            return { type: 'allow' };
+        }
+        return {
+            type: 'redirect',
+            location: `/account-auth/login?callbackUrl=${encodeURIComponent(safeCallbackUrl)}&reason=stale_session`,
+            reason: 'stale_session',
+            clearCookies: true
+        };
+    }
+    // PRIORITIZE 2FA: If session exists and 2FA is required but not complete, handle this before token-expired logic
+    if (sessionStatus.requires2FA && !sessionStatus.twoFactorComplete) {
+        console.log('[MIDDLEWARE-DECISION] 2FA required but not complete', {
+            pathname,
+            isLoginPage,
+            sessionExists: sessionStatus.exists,
+            sessionToken: sessionPointer.sessionToken?.substring(0, 8) + '...'
+        });
+        // Already on the 2FA page
+        if (pathname === '/account-auth/verify-code') {
+            console.log('[MIDDLEWARE-DECISION] Already on verify-code page, allowing');
+            return { type: 'allow' };
+        }
+        // If user is on the login page, send them to verify-code with the original callback
+        if (isLoginPage) {
+            const callbackUrl = searchParams.get('callbackUrl') || '/';
+            // CRITICAL FIX: Never use auth pages as callback URLs
+            const safeCallbackUrl = callbackUrl.startsWith('/account-auth/') ? '/' : callbackUrl;
+            console.log('[MIDDLEWARE-DECISION] On login page with 2FA incomplete, redirecting to verify-code', {
+                originalCallback: callbackUrl,
+                safeCallback: safeCallbackUrl,
+                originalUrl: pathname
+            });
+            return {
+                type: 'redirect',
+                location: `/account-auth/verify-code?callbackUrl=${encodeURIComponent(safeCallbackUrl)}`,
+                reason: '2fa_required_login_redirect'
+            };
+        }
+        // For protected routes, allow middleware to proceed (it may refresh tokens); pages will enforce 2FA
+        console.log('[MIDDLEWARE-DECISION] Protected route with incomplete 2FA, allowing middleware to handle');
+        return { type: 'allow' };
+    }
+    // Token expired - redirect to login (let NextAuth handle refresh)
+    if (sessionPointer.expired) {
+        if (isLoginPage) {
+            return { type: 'allow' };
+        }
+        return {
+            type: 'redirect',
+            location: `/account-auth/login?callbackUrl=${encodeURIComponent(safeCallbackUrl)}&error=SessionExpired`,
+            reason: 'token_expired'
+        };
+    }
+    // Authenticated root path should land on dashboards
+    if (pathname === '/') {
+        return {
+            type: 'redirect',
+            location: '/',
+            reason: 'authenticated_root_redirect'
+        };
+    }
+    // Valid session but 2FA required and not complete - more intelligent handling
+    if (sessionStatus.requires2FA && !sessionStatus.twoFactorComplete) {
+        if (pathname === '/account-auth/verify-code') {
+            return { type: 'allow' }; // Already on 2FA page
+        }
+        // For login page, redirect to 2FA with original callback
+        if (isLoginPage) {
+            const callbackUrl = searchParams.get('callbackUrl') || '/';
+            // CRITICAL FIX: Never use auth pages as callback URLs
+            const safeCallbackUrl = callbackUrl.startsWith('/account-auth/') ? '/' : callbackUrl;
+            return {
+                type: 'redirect',
+                location: `/account-auth/verify-code?callbackUrl=${encodeURIComponent(safeCallbackUrl)}`,
+                reason: '2fa_required'
+            };
+        }
+        // For protected routes:
+        // - If access token is expired and we have a valid refresh token, let middleware handle refresh first
+        // - Only redirect to verify-code if access token is still valid or refresh failed
+        // - Allow middleware to pass - it will either refresh successfully or handle redirect appropriately
+        return { type: 'allow' };
+    }
+    // Authenticated user on login page - redirect to dashboard or callback
+    if (isLoginPage) {
+        const callbackUrl = searchParams.get('callbackUrl') || '/';
+        // CRITICAL FIX: Never redirect back to login page (prevents infinite loop)
+        const safeCallbackUrl = callbackUrl.startsWith('/account-auth/') ? '/' : callbackUrl;
+        console.log('[MIDDLEWARE-DECISION] Authenticated user on login page, redirecting', {
+            originalCallback: callbackUrl,
+            safeCallback: safeCallbackUrl
+        });
+        return {
+            type: 'redirect',
+            location: safeCallbackUrl,
+            reason: 'already_authenticated'
+        };
+    }
+    // All checks passed - allow access
+    return { type: 'allow' };
+}

package/dist/auth/auth-options.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * NextAuth Configuration (Refactored)
+ *
+ * This is the composition layer that wires together all auth modules.
+ * Individual logic lives in dedicated modules:
+ * - providers/ - Credentials and OAuth provider builders
+ * - callbacks/ - JWT, session, signIn callbacks
+ * - events/ - SignOut event handler
+ * - utils/ - Token utilities, IDP client
+ * - types/ - Type definitions
+ *
+ * CARGO CULT PATTERNS REMOVED:
+ * ============================
+ * The original auth-options.ts (1186 lines) had several anti-patterns that
+ * added complexity without benefit:
+ *
+ * 1. CALLBACK CONCURRENCY PROTECTION (removed)
+ *    - shouldExecuteCallback() / markCallbackComplete()
+ *    - A debouncing mechanism that tried to prevent callbacks from running
+ *      too frequently. NextAuth already handles this properly.
+ *    - Added complexity, caused race condition bugs, and leaked memory
+ *      (Map entries never cleaned up).
+ *
+ * 2. SESSION RESTORATION (removed)
+ *    - attemptSessionRestoration()
+ *    - Tried to restore sessions by calling refresh endpoint from JWT callback.
+ *    - Created circular dependencies and made debugging impossible.
+ *    - Clean approach: Session missing = user re-authenticates. Simple.
+ *
+ * 3. VARIABLE NAME SOUP (normalized in Phase 3)
+ *    - accessToken vs idpAccessToken vs oauthAccessToken
+ *    - twoFactorComplete vs mfaVerified vs requiresTwoFactor
+ *    - sessionToken vs redisSessionId
+ *    - Now: Clear prefixes (idp*, oauth*, mfa*) with documented meanings.
+ *
+ * 4. INLINE EVERYTHING (modularized in Phase 2)
+ *    - All logic was in one giant file with no separation of concerns.
+ *    - Now: Each module has one job and can be tested independently.
+ *
+ * @version 2.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { NextAuthOptions } from 'next-auth';
+/**
+ * Base NextAuth configuration.
+ * Use getAuthOptions() for dynamic provider loading from IDP.
+ */
+export declare const authOptions: NextAuthOptions;
+/**
+ * Get auth options with dynamically loaded OAuth providers from IDP.
+ * Uses caching to avoid rebuilding on every request.
+ */
+export declare function getAuthOptions(): Promise<NextAuthOptions>;
+/**
+ * Clear cached auth options (when IDP config changes).
+ */
+export declare function clearAuthOptionsCache(): void;