npm - @payez/next-mvp - Versions diffs - 3.0.0 - Mend

@payez/next-mvp 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (654) hide show

package/README.md +782 -0
package/dist/api/auth-handler.d.ts +67 -0
package/dist/api/auth-handler.js +397 -0
package/dist/api/index.d.ts +10 -0
package/dist/api/index.js +19 -0
package/dist/api-handlers/account/change-password.d.ts +9 -0
package/dist/api-handlers/account/change-password.js +112 -0
package/dist/api-handlers/account/masked-info.d.ts +2 -0
package/dist/api-handlers/account/masked-info.js +41 -0
package/dist/api-handlers/account/profile.d.ts +3 -0
package/dist/api-handlers/account/profile.js +63 -0
package/dist/api-handlers/account/recovery/initiate.d.ts +2 -0
package/dist/api-handlers/account/recovery/initiate.js +26 -0
package/dist/api-handlers/account/recovery/send-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/send-code.js +28 -0
package/dist/api-handlers/account/recovery/verify-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/verify-code.js +28 -0
package/dist/api-handlers/account/reset-password.d.ts +2 -0
package/dist/api-handlers/account/reset-password.js +26 -0
package/dist/api-handlers/account/send-code.d.ts +24 -0
package/dist/api-handlers/account/send-code.js +60 -0
package/dist/api-handlers/account/update-phone.d.ts +27 -0
package/dist/api-handlers/account/update-phone.js +64 -0
package/dist/api-handlers/account/validate-password.d.ts +17 -0
package/dist/api-handlers/account/validate-password.js +81 -0
package/dist/api-handlers/account/verify-email.d.ts +26 -0
package/dist/api-handlers/account/verify-email.js +106 -0
package/dist/api-handlers/account/verify-sms.d.ts +26 -0
package/dist/api-handlers/account/verify-sms.js +106 -0
package/dist/api-handlers/admin/analytics.d.ts +20 -0
package/dist/api-handlers/admin/analytics.js +379 -0
package/dist/api-handlers/admin/audit.d.ts +20 -0
package/dist/api-handlers/admin/audit.js +214 -0
package/dist/api-handlers/admin/index.d.ts +21 -0
package/dist/api-handlers/admin/index.js +41 -0
package/dist/api-handlers/admin/redis-sessions.d.ts +36 -0
package/dist/api-handlers/admin/redis-sessions.js +204 -0
package/dist/api-handlers/admin/sessions.d.ts +21 -0
package/dist/api-handlers/admin/sessions.js +284 -0
package/dist/api-handlers/admin/site-logs.d.ts +46 -0
package/dist/api-handlers/admin/site-logs.js +318 -0
package/dist/api-handlers/admin/users.d.ts +20 -0
package/dist/api-handlers/admin/users.js +222 -0
package/dist/api-handlers/admin/vibe-data.d.ts +80 -0
package/dist/api-handlers/admin/vibe-data.js +268 -0
package/dist/api-handlers/anon/preferences.d.ts +37 -0
package/dist/api-handlers/anon/preferences.js +96 -0
package/dist/api-handlers/auth/jwks.d.ts +2 -0
package/dist/api-handlers/auth/jwks.js +24 -0
package/dist/api-handlers/auth/login.d.ts +42 -0
package/dist/api-handlers/auth/login.js +178 -0
package/dist/api-handlers/auth/refresh.d.ts +74 -0
package/dist/api-handlers/auth/refresh.js +635 -0
package/dist/api-handlers/auth/signout.d.ts +37 -0
package/dist/api-handlers/auth/signout.js +187 -0
package/dist/api-handlers/auth/status.d.ts +8 -0
package/dist/api-handlers/auth/status.js +26 -0
package/dist/api-handlers/auth/update-session.d.ts +37 -0
package/dist/api-handlers/auth/update-session.js +95 -0
package/dist/api-handlers/auth/validate.d.ts +6 -0
package/dist/api-handlers/auth/validate.js +43 -0
package/dist/api-handlers/auth/verify-code.d.ts +43 -0
package/dist/api-handlers/auth/verify-code.js +94 -0
package/dist/api-handlers/session/refresh-viability.d.ts +14 -0
package/dist/api-handlers/session/refresh-viability.js +39 -0
package/dist/api-handlers/session/viability.d.ts +13 -0
package/dist/api-handlers/session/viability.js +146 -0
package/dist/api-handlers/test/force-expire.d.ts +23 -0
package/dist/api-handlers/test/force-expire.js +65 -0
package/dist/auth/auth-decision.d.ts +39 -0
package/dist/auth/auth-decision.js +182 -0
package/dist/auth/auth-options.d.ts +57 -0
package/dist/auth/auth-options.js +213 -0
package/dist/auth/callbacks/index.d.ts +6 -0
package/dist/auth/callbacks/index.js +12 -0
package/dist/auth/callbacks/jwt.d.ts +45 -0
package/dist/auth/callbacks/jwt.js +305 -0
package/dist/auth/callbacks/session.d.ts +60 -0
package/dist/auth/callbacks/session.js +170 -0
package/dist/auth/callbacks/signin.d.ts +23 -0
package/dist/auth/callbacks/signin.js +44 -0
package/dist/auth/events/index.d.ts +4 -0
package/dist/auth/events/index.js +8 -0
package/dist/auth/events/signout.d.ts +17 -0
package/dist/auth/events/signout.js +32 -0
package/dist/auth/providers/credentials.d.ts +32 -0
package/dist/auth/providers/credentials.js +223 -0
package/dist/auth/providers/index.d.ts +5 -0
package/dist/auth/providers/index.js +21 -0
package/dist/auth/providers/oauth.d.ts +26 -0
package/dist/auth/providers/oauth.js +105 -0
package/dist/auth/route-config.d.ts +66 -0
package/dist/auth/route-config.js +190 -0
package/dist/auth/types/auth-types.d.ts +417 -0
package/dist/auth/types/auth-types.js +53 -0
package/dist/auth/types/index.d.ts +6 -0
package/dist/auth/types/index.js +22 -0
package/dist/auth/unauthenticated-routes.d.ts +1 -0
package/dist/auth/unauthenticated-routes.js +19 -0
package/dist/auth/utils/idp-client.d.ts +94 -0
package/dist/auth/utils/idp-client.js +383 -0
package/dist/auth/utils/index.d.ts +5 -0
package/dist/auth/utils/index.js +21 -0
package/dist/auth/utils/token-utils.d.ts +84 -0
package/dist/auth/utils/token-utils.js +219 -0
package/dist/client/AuthContext.d.ts +19 -0
package/dist/client/AuthContext.js +112 -0
package/dist/client/fetch-with-auth.d.ts +11 -0
package/dist/client/fetch-with-auth.js +44 -0
package/dist/client/fetchWithSession.d.ts +3 -0
package/dist/client/fetchWithSession.js +24 -0
package/dist/client/index.d.ts +9 -0
package/dist/client/index.js +20 -0
package/dist/client/useAnonSession.d.ts +36 -0
package/dist/client/useAnonSession.js +99 -0
package/dist/components/SessionSync.d.ts +13 -0
package/dist/components/SessionSync.js +119 -0
package/dist/components/SignalRHealthCheck.d.ts +10 -0
package/dist/components/SignalRHealthCheck.js +97 -0
package/dist/components/account/UserAvatarMenu.d.ts +20 -0
package/dist/components/account/UserAvatarMenu.js +80 -0
package/dist/components/account/index.d.ts +7 -0
package/dist/components/account/index.js +10 -0
package/dist/components/admin/AlertSettingsTab.d.ts +48 -0
package/dist/components/admin/AlertSettingsTab.js +351 -0
package/dist/components/admin/AnalyticsTab.d.ts +22 -0
package/dist/components/admin/AnalyticsTab.js +167 -0
package/dist/components/admin/DataBrowserTab.d.ts +19 -0
package/dist/components/admin/DataBrowserTab.js +252 -0
package/dist/components/admin/LoggingSettingsTab.d.ts +73 -0
package/dist/components/admin/LoggingSettingsTab.js +339 -0
package/dist/components/admin/SessionsTab.d.ts +37 -0
package/dist/components/admin/SessionsTab.js +165 -0
package/dist/components/admin/StatsTab.d.ts +53 -0
package/dist/components/admin/StatsTab.js +161 -0
package/dist/components/admin/VibeAdminContext.d.ts +32 -0
package/dist/components/admin/VibeAdminContext.js +38 -0
package/dist/components/admin/VibeAdminLayout.d.ts +11 -0
package/dist/components/admin/VibeAdminLayout.js +69 -0
package/dist/components/admin/index.d.ts +29 -0
package/dist/components/admin/index.js +44 -0
package/dist/components/auth/FederatedAuthSection.d.ts +8 -0
package/dist/components/auth/FederatedAuthSection.js +45 -0
package/dist/components/auth/ModeAwareLoginPage.d.ts +10 -0
package/dist/components/auth/ModeAwareLoginPage.js +42 -0
package/dist/components/auth/ModeAwareSignupPage.d.ts +9 -0
package/dist/components/auth/ModeAwareSignupPage.js +78 -0
package/dist/components/auth/TraditionalAuthSection.d.ts +14 -0
package/dist/components/auth/TraditionalAuthSection.js +20 -0
package/dist/components/recovery/CompleteStep.d.ts +5 -0
package/dist/components/recovery/CompleteStep.js +8 -0
package/dist/components/recovery/InitiateRecoveryStep.d.ts +8 -0
package/dist/components/recovery/InitiateRecoveryStep.js +20 -0
package/dist/components/recovery/SelectMethodStep.d.ts +8 -0
package/dist/components/recovery/SelectMethodStep.js +8 -0
package/dist/components/recovery/SetPasswordStep.d.ts +6 -0
package/dist/components/recovery/SetPasswordStep.js +20 -0
package/dist/components/recovery/VerifyCodeStep.d.ts +10 -0
package/dist/components/recovery/VerifyCodeStep.js +24 -0
package/dist/components/reserved/ReservedRecoveryWarning.d.ts +38 -0
package/dist/components/reserved/ReservedRecoveryWarning.js +92 -0
package/dist/components/reserved/ReservedStatusBox.d.ts +30 -0
package/dist/components/reserved/ReservedStatusBox.js +71 -0
package/dist/components/ui/BetaBadge.d.ts +29 -0
package/dist/components/ui/BetaBadge.js +38 -0
package/dist/components/ui/Footer.d.ts +37 -0
package/dist/components/ui/Footer.js +41 -0
package/dist/config/env.d.ts +66 -0
package/dist/config/env.js +57 -0
package/dist/config/logger.d.ts +57 -0
package/dist/config/logger.js +73 -0
package/dist/config/logging-config.d.ts +30 -0
package/dist/config/logging-config.js +122 -0
package/dist/config/unauthenticated-routes.d.ts +17 -0
package/dist/config/unauthenticated-routes.js +24 -0
package/dist/config/vibe-log-transport.d.ts +79 -0
package/dist/config/vibe-log-transport.js +203 -0
package/dist/edge/internal-api-url.d.ts +53 -0
package/dist/edge/internal-api-url.js +63 -0
package/dist/edge/middleware.d.ts +14 -0
package/dist/edge/middleware.js +32 -0
package/dist/hooks/useAuth.d.ts +23 -0
package/dist/hooks/useAuth.js +81 -0
package/dist/hooks/useAuthSettings.d.ts +59 -0
package/dist/hooks/useAuthSettings.js +93 -0
package/dist/hooks/useAvailableProviders.d.ts +45 -0
package/dist/hooks/useAvailableProviders.js +108 -0
package/dist/hooks/usePasswordValidation.d.ts +27 -0
package/dist/hooks/usePasswordValidation.js +102 -0
package/dist/hooks/useProfile.d.ts +15 -0
package/dist/hooks/useProfile.js +59 -0
package/dist/hooks/usePublicAuthSettings.d.ts +56 -0
package/dist/hooks/usePublicAuthSettings.js +131 -0
package/dist/hooks/useSessionExpiration.d.ts +57 -0
package/dist/hooks/useSessionExpiration.js +72 -0
package/dist/hooks/useViabilitySession.d.ts +75 -0
package/dist/hooks/useViabilitySession.js +268 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +54 -0
package/dist/lib/anon-session.d.ts +74 -0
package/dist/lib/anon-session.js +169 -0
package/dist/lib/api-handler.d.ts +123 -0
package/dist/lib/api-handler.js +478 -0
package/dist/lib/app-slug.d.ts +95 -0
package/dist/lib/app-slug.js +172 -0
package/dist/lib/demo-mode.d.ts +6 -0
package/dist/lib/demo-mode.js +16 -0
package/dist/lib/geolocation.d.ts +64 -0
package/dist/lib/geolocation.js +235 -0
package/dist/lib/idp-client-config.d.ts +75 -0
package/dist/lib/idp-client-config.js +351 -0
package/dist/lib/idp-fetch.d.ts +14 -0
package/dist/lib/idp-fetch.js +91 -0
package/dist/lib/internal-api.d.ts +87 -0
package/dist/lib/internal-api.js +122 -0
package/dist/lib/jwt-decode-client.d.ts +10 -0
package/dist/lib/jwt-decode-client.js +46 -0
package/dist/lib/jwt-decode.d.ts +48 -0
package/dist/lib/jwt-decode.js +57 -0
package/dist/lib/nextauth-secret.d.ts +10 -0
package/dist/lib/nextauth-secret.js +104 -0
package/dist/lib/rate-limit-service.d.ts +23 -0
package/dist/lib/rate-limit-service.js +6 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.js +28 -0
package/dist/lib/refresh-token-validator.d.ts +13 -0
package/dist/lib/refresh-token-validator.js +117 -0
package/dist/lib/roles.d.ts +145 -0
package/dist/lib/roles.js +168 -0
package/dist/lib/secret-validation.d.ts +4 -0
package/dist/lib/secret-validation.js +14 -0
package/dist/lib/session-store.d.ts +166 -0
package/dist/lib/session-store.js +537 -0
package/dist/lib/session.d.ts +21 -0
package/dist/lib/session.js +26 -0
package/dist/lib/site-logger.d.ts +214 -0
package/dist/lib/site-logger.js +210 -0
package/dist/lib/standardized-client-api.d.ts +161 -0
package/dist/lib/standardized-client-api.js +786 -0
package/dist/lib/startup-init.d.ts +40 -0
package/dist/lib/startup-init.js +261 -0
package/dist/lib/test-aware-get-token.d.ts +2 -0
package/dist/lib/test-aware-get-token.js +81 -0
package/dist/lib/token-expiry.d.ts +14 -0
package/dist/lib/token-expiry.js +39 -0
package/dist/lib/token-lifecycle.d.ts +52 -0
package/dist/lib/token-lifecycle.js +398 -0
package/dist/lib/types/api-responses.d.ts +128 -0
package/dist/lib/types/api-responses.js +171 -0
package/dist/lib/user-agent-parser.d.ts +50 -0
package/dist/lib/user-agent-parser.js +220 -0
package/dist/logging/api/admin-analytics.d.ts +3 -0
package/dist/logging/api/admin-analytics.js +45 -0
package/dist/logging/api/audit-log.d.ts +3 -0
package/dist/logging/api/audit-log.js +52 -0
package/dist/logging/components/AdminAnalyticsLayout.d.ts +10 -0
package/dist/logging/components/AdminAnalyticsLayout.js +11 -0
package/dist/logging/components/AuditLogViewer.d.ts +7 -0
package/dist/logging/components/AuditLogViewer.js +51 -0
package/dist/logging/components/ErrorMetricsCard.d.ts +7 -0
package/dist/logging/components/ErrorMetricsCard.js +16 -0
package/dist/logging/components/HealthMetricsCard.d.ts +7 -0
package/dist/logging/components/HealthMetricsCard.js +19 -0
package/dist/logging/hooks/useAdminAnalytics.d.ts +24 -0
package/dist/logging/hooks/useAdminAnalytics.js +22 -0
package/dist/logging/hooks/useAuditLog.d.ts +6 -0
package/dist/logging/hooks/useAuditLog.js +25 -0
package/dist/logging/hooks/useErrorMetrics.d.ts +6 -0
package/dist/logging/hooks/useErrorMetrics.js +38 -0
package/dist/logging/hooks/useHealthMetrics.d.ts +6 -0
package/dist/logging/hooks/useHealthMetrics.js +41 -0
package/dist/logging/index.d.ts +11 -0
package/dist/logging/index.js +40 -0
package/dist/logging/types/analytics.d.ts +68 -0
package/dist/logging/types/analytics.js +3 -0
package/dist/logging/types/audit.d.ts +29 -0
package/dist/logging/types/audit.js +2 -0
package/dist/logging/types/index.d.ts +2 -0
package/dist/logging/types/index.js +19 -0
package/dist/middleware/auth-decision.d.ts +33 -0
package/dist/middleware/auth-decision.js +65 -0
package/dist/middleware/create-middleware.d.ts +100 -0
package/dist/middleware/create-middleware.js +445 -0
package/dist/middleware/rbac-check.d.ts +44 -0
package/dist/middleware/rbac-check.js +191 -0
package/dist/middleware/twofa-presets.d.ts +134 -0
package/dist/middleware/twofa-presets.js +175 -0
package/dist/models/DecodedAccessToken.d.ts +17 -0
package/dist/models/DecodedAccessToken.js +2 -0
package/dist/models/SessionModel.d.ts +122 -0
package/dist/models/SessionModel.js +136 -0
package/dist/pages/admin-login/page.d.ts +31 -0
package/dist/pages/admin-login/page.js +83 -0
package/dist/pages/admin-roles/RolesAdminPage.d.ts +15 -0
package/dist/pages/admin-roles/RolesAdminPage.js +78 -0
package/dist/pages/admin-roles/index.d.ts +8 -0
package/dist/pages/admin-roles/index.js +15 -0
package/dist/pages/admin-roles/modals.d.ts +72 -0
package/dist/pages/admin-roles/modals.js +154 -0
package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +79 -0
package/dist/pages/client-admin/ClientSiteAdminPage.js +177 -0
package/dist/pages/client-admin/index.d.ts +32 -0
package/dist/pages/client-admin/index.js +37 -0
package/dist/pages/login/page.d.ts +22 -0
package/dist/pages/login/page.js +239 -0
package/dist/pages/profile/EnhancedProfilePage.d.ts +13 -0
package/dist/pages/profile/EnhancedProfilePage.js +150 -0
package/dist/pages/profile/index.d.ts +8 -0
package/dist/pages/profile/index.js +16 -0
package/dist/pages/profile/page.d.ts +19 -0
package/dist/pages/profile/page.js +47 -0
package/dist/pages/profile/profile-patch.d.ts +1 -0
package/dist/pages/profile/profile-patch.js +281 -0
package/dist/pages/recovery/page.d.ts +1 -0
package/dist/pages/recovery/page.js +142 -0
package/dist/pages/roles/MyRolesPage.d.ts +24 -0
package/dist/pages/roles/MyRolesPage.js +71 -0
package/dist/pages/roles/components.d.ts +63 -0
package/dist/pages/roles/components.js +108 -0
package/dist/pages/roles/index.d.ts +8 -0
package/dist/pages/roles/index.js +19 -0
package/dist/pages/security/EnhancedSecurityPage.d.ts +14 -0
package/dist/pages/security/EnhancedSecurityPage.js +248 -0
package/dist/pages/security/index.d.ts +8 -0
package/dist/pages/security/index.js +16 -0
package/dist/pages/security/page.d.ts +21 -0
package/dist/pages/security/page.js +212 -0
package/dist/pages/security/security-patch.d.ts +1 -0
package/dist/pages/security/security-patch.js +302 -0
package/dist/pages/settings/EnhancedSettingsPage.d.ts +46 -0
package/dist/pages/settings/EnhancedSettingsPage.js +231 -0
package/dist/pages/settings/index.d.ts +8 -0
package/dist/pages/settings/index.js +16 -0
package/dist/pages/settings/page.d.ts +7 -0
package/dist/pages/settings/page.js +26 -0
package/dist/pages/showcase/ShowcasePage.d.ts +13 -0
package/dist/pages/showcase/ShowcasePage.js +140 -0
package/dist/pages/showcase/index.d.ts +12 -0
package/dist/pages/showcase/index.js +17 -0
package/dist/pages/test-env/EmergencyLogoutPage.d.ts +14 -0
package/dist/pages/test-env/EmergencyLogoutPage.js +98 -0
package/dist/pages/test-env/JwtInspectPage.d.ts +14 -0
package/dist/pages/test-env/JwtInspectPage.js +114 -0
package/dist/pages/test-env/RefreshTokenPage.d.ts +15 -0
package/dist/pages/test-env/RefreshTokenPage.js +91 -0
package/dist/pages/test-env/TestEnvPage.d.ts +13 -0
package/dist/pages/test-env/TestEnvPage.js +49 -0
package/dist/pages/test-env/index.d.ts +24 -0
package/dist/pages/test-env/index.js +32 -0
package/dist/pages/verify-code/page.d.ts +30 -0
package/dist/pages/verify-code/page.js +408 -0
package/dist/routes/account/index.d.ts +28 -0
package/dist/routes/account/index.js +71 -0
package/dist/routes/account/masked-info.d.ts +33 -0
package/dist/routes/account/masked-info.js +39 -0
package/dist/routes/account/send-code.d.ts +37 -0
package/dist/routes/account/send-code.js +42 -0
package/dist/routes/account/update-phone.d.ts +13 -0
package/dist/routes/account/update-phone.js +17 -0
package/dist/routes/account/verify-email.d.ts +38 -0
package/dist/routes/account/verify-email.js +43 -0
package/dist/routes/account/verify-sms.d.ts +38 -0
package/dist/routes/account/verify-sms.js +43 -0
package/dist/routes/auth/index.d.ts +19 -0
package/dist/routes/auth/index.js +64 -0
package/dist/routes/auth/logout.d.ts +31 -0
package/dist/routes/auth/logout.js +113 -0
package/dist/routes/auth/nextauth.d.ts +19 -0
package/dist/routes/auth/nextauth.js +72 -0
package/dist/routes/auth/refresh.d.ts +30 -0
package/dist/routes/auth/refresh.js +51 -0
package/dist/routes/auth/session.d.ts +72 -0
package/dist/routes/auth/session.js +180 -0
package/dist/routes/auth/settings.d.ts +25 -0
package/dist/routes/auth/settings.js +55 -0
package/dist/routes/auth/viability.d.ts +52 -0
package/dist/routes/auth/viability.js +201 -0
package/dist/routes/index.d.ts +12 -0
package/dist/routes/index.js +54 -0
package/dist/routes/session/index.d.ts +6 -0
package/dist/routes/session/index.js +10 -0
package/dist/routes/session/refresh-viability.d.ts +16 -0
package/dist/routes/session/refresh-viability.js +20 -0
package/dist/services/signalrActivityService.d.ts +44 -0
package/dist/services/signalrActivityService.js +257 -0
package/dist/stores/authStore.d.ts +154 -0
package/dist/stores/authStore.js +1531 -0
package/dist/theme/ThemeProvider.d.ts +14 -0
package/dist/theme/ThemeProvider.js +28 -0
package/dist/theme/default.d.ts +8 -0
package/dist/theme/default.js +33 -0
package/dist/theme/index.d.ts +15 -0
package/dist/theme/index.js +25 -0
package/dist/theme/types.d.ts +56 -0
package/dist/theme/types.js +8 -0
package/dist/theme/useTheme.d.ts +60 -0
package/dist/theme/useTheme.js +63 -0
package/dist/theme/utils.d.ts +13 -0
package/dist/theme/utils.js +39 -0
package/dist/types/api.d.ts +134 -0
package/dist/types/api.js +44 -0
package/dist/types/auth.d.ts +19 -0
package/dist/types/auth.js +2 -0
package/dist/types/logging.d.ts +42 -0
package/dist/types/logging.js +2 -0
package/dist/types/recovery.d.ts +48 -0
package/dist/types/recovery.js +2 -0
package/dist/types/security.d.ts +1 -0
package/dist/types/security.js +2 -0
package/dist/utils/api.d.ts +85 -0
package/dist/utils/api.js +287 -0
package/dist/utils/circuitBreaker.d.ts +43 -0
package/dist/utils/circuitBreaker.js +91 -0
package/dist/utils/error-message.d.ts +1 -0
package/dist/utils/error-message.js +103 -0
package/dist/utils/layout/reservedSpace.d.ts +59 -0
package/dist/utils/layout/reservedSpace.js +102 -0
package/dist/utils/logout.d.ts +14 -0
package/dist/utils/logout.js +32 -0
package/dist/vibe/client.d.ts +261 -0
package/dist/vibe/client.js +445 -0
package/dist/vibe/errors.d.ts +83 -0
package/dist/vibe/errors.js +146 -0
package/dist/vibe/generic.d.ts +234 -0
package/dist/vibe/generic.js +369 -0
package/dist/vibe/hooks/index.d.ts +169 -0
package/dist/vibe/hooks/index.js +252 -0
package/dist/vibe/index.d.ts +23 -0
package/dist/vibe/index.js +67 -0
package/dist/vibe/sessions.d.ts +161 -0
package/dist/vibe/sessions.js +391 -0
package/dist/vibe/types.d.ts +353 -0
package/dist/vibe/types.js +315 -0
package/package.json +855 -0
package/scripts/check-internal-url-usage.sh +73 -0
package/scripts/dev-broker.ps1 +35 -0
package/scripts/dev-local.ps1 +45 -0
package/src/api/auth-handler.ts +550 -0
package/src/api/index.ts +18 -0
package/src/api-handlers/account/change-password.ts +145 -0
package/src/api-handlers/account/masked-info.ts +45 -0
package/src/api-handlers/account/profile.ts +80 -0
package/src/api-handlers/account/recovery/initiate.ts +23 -0
package/src/api-handlers/account/recovery/send-code.ts +25 -0
package/src/api-handlers/account/recovery/verify-code.ts +25 -0
package/src/api-handlers/account/reset-password.ts +23 -0
package/src/api-handlers/account/send-code.ts +76 -0
package/src/api-handlers/account/update-phone.ts +79 -0
package/src/api-handlers/account/validate-password.ts +118 -0
package/src/api-handlers/account/verify-email.ts +125 -0
package/src/api-handlers/account/verify-sms.ts +125 -0
package/src/api-handlers/admin/analytics.ts +445 -0
package/src/api-handlers/admin/audit.ts +225 -0
package/src/api-handlers/admin/index.ts +59 -0
package/src/api-handlers/admin/redis-sessions.ts +253 -0
package/src/api-handlers/admin/sessions.ts +320 -0
package/src/api-handlers/admin/site-logs.ts +367 -0
package/src/api-handlers/admin/users.ts +244 -0
package/src/api-handlers/admin/vibe-data.ts +326 -0
package/src/api-handlers/anon/preferences.ts +123 -0
package/src/api-handlers/auth/jwks.ts +20 -0
package/src/api-handlers/auth/login.ts +240 -0
package/src/api-handlers/auth/refresh.ts +687 -0
package/src/api-handlers/auth/signout.ts +212 -0
package/src/api-handlers/auth/status.ts +23 -0
package/src/api-handlers/auth/update-session.ts +125 -0
package/src/api-handlers/auth/validate.ts +44 -0
package/src/api-handlers/auth/verify-code.ts +129 -0
package/src/api-handlers/session/refresh-viability.ts +36 -0
package/src/api-handlers/session/viability.ts +166 -0
package/src/api-handlers/test/force-expire.ts +67 -0
package/src/auth/auth-decision.ts +230 -0
package/src/auth/auth-options.ts +237 -0
package/src/auth/callbacks/index.ts +7 -0
package/src/auth/callbacks/jwt.ts +382 -0
package/src/auth/callbacks/session.ts +243 -0
package/src/auth/callbacks/signin.ts +56 -0
package/src/auth/events/index.ts +5 -0
package/src/auth/events/signout.ts +33 -0
package/src/auth/providers/credentials.ts +256 -0
package/src/auth/providers/index.ts +6 -0
package/src/auth/providers/oauth.ts +114 -0
package/src/auth/route-config.ts +220 -0
package/src/auth/types/auth-types.ts +555 -0
package/src/auth/types/index.ts +7 -0
package/src/auth/unauthenticated-routes.ts +3 -0
package/src/auth/utils/idp-client.ts +444 -0
package/src/auth/utils/index.ts +6 -0
package/src/auth/utils/token-utils.ts +244 -0
package/src/client/AuthContext.tsx +140 -0
package/src/client/fetch-with-auth.ts +48 -0
package/src/client/fetchWithSession.ts +21 -0
package/src/client/index.ts +13 -0
package/src/client/useAnonSession.ts +131 -0
package/src/components/SessionSync.tsx +137 -0
package/src/components/SignalRHealthCheck.tsx +131 -0
package/src/components/account/UserAvatarMenu.tsx +217 -0
package/src/components/account/index.ts +8 -0
package/src/components/admin/AlertSettingsTab.tsx +728 -0
package/src/components/admin/AnalyticsTab.tsx +703 -0
package/src/components/admin/DataBrowserTab.tsx +505 -0
package/src/components/admin/LoggingSettingsTab.tsx +665 -0
package/src/components/admin/SessionsTab.tsx +414 -0
package/src/components/admin/StatsTab.tsx +379 -0
package/src/components/admin/VibeAdminContext.tsx +87 -0
package/src/components/admin/VibeAdminLayout.tsx +185 -0
package/src/components/admin/index.ts +59 -0
package/src/components/auth/FederatedAuthSection.tsx +95 -0
package/src/components/auth/ModeAwareLoginPage.tsx +135 -0
package/src/components/auth/ModeAwareSignupPage.tsx +267 -0
package/src/components/auth/TraditionalAuthSection.tsx +99 -0
package/src/components/recovery/CompleteStep.tsx +36 -0
package/src/components/recovery/InitiateRecoveryStep.tsx +68 -0
package/src/components/recovery/SelectMethodStep.tsx +73 -0
package/src/components/recovery/SetPasswordStep.tsx +97 -0
package/src/components/recovery/VerifyCodeStep.tsx +90 -0
package/src/components/reserved/ReservedRecoveryWarning.tsx +160 -0
package/src/components/reserved/ReservedStatusBox.tsx +118 -0
package/src/components/ui/BetaBadge.tsx +58 -0
package/src/components/ui/Footer.tsx +93 -0
package/src/config/env.ts +57 -0
package/src/config/logger.ts +62 -0
package/src/config/logging-config.ts +82 -0
package/src/config/unauthenticated-routes.ts +19 -0
package/src/config/vibe-log-transport.ts +250 -0
package/src/edge/internal-api-url.ts +65 -0
package/src/edge/middleware.ts +42 -0
package/src/hooks/useAuth.ts +115 -0
package/src/hooks/useAuthSettings.ts +97 -0
package/src/hooks/useAvailableProviders.ts +118 -0
package/src/hooks/usePasswordValidation.ts +127 -0
package/src/hooks/useProfile.ts +75 -0
package/src/hooks/usePublicAuthSettings.ts +149 -0
package/src/hooks/useSessionExpiration.ts +102 -0
package/src/hooks/useViabilitySession.ts +335 -0
package/src/index.ts +63 -0
package/src/lib/anon-session.ts +213 -0
package/src/lib/api-handler.ts +625 -0
package/src/lib/app-slug.ts +178 -0
package/src/lib/demo-mode.ts +13 -0
package/src/lib/geolocation.ts +265 -0
package/src/lib/idp-client-config.ts +442 -0
package/src/lib/idp-fetch.ts +101 -0
package/src/lib/internal-api.ts +171 -0
package/src/lib/jwt-decode-client.ts +45 -0
package/src/lib/jwt-decode.ts +83 -0
package/src/lib/nextauth-secret.ts +126 -0
package/src/lib/rate-limit-service.ts +9 -0
package/src/lib/redis.ts +27 -0
package/src/lib/refresh-token-validator.ts +64 -0
package/src/lib/roles.ts +177 -0
package/src/lib/secret-validation.ts +8 -0
package/src/lib/session-store.ts +637 -0
package/src/lib/session.ts +34 -0
package/src/lib/site-logger.ts +245 -0
package/src/lib/standardized-client-api.ts +896 -0
package/src/lib/startup-init.ts +247 -0
package/src/lib/test-aware-get-token.ts +30 -0
package/src/lib/token-expiry.ts +40 -0
package/src/lib/token-lifecycle.ts +477 -0
package/src/lib/types/api-responses.ts +336 -0
package/src/lib/user-agent-parser.ts +252 -0
package/src/logging/api/admin-analytics.ts +51 -0
package/src/logging/api/audit-log.ts +53 -0
package/src/logging/components/AdminAnalyticsLayout.tsx +49 -0
package/src/logging/components/AuditLogViewer.tsx +125 -0
package/src/logging/components/ErrorMetricsCard.tsx +98 -0
package/src/logging/components/HealthMetricsCard.tsx +70 -0
package/src/logging/hooks/useAdminAnalytics.ts +22 -0
package/src/logging/hooks/useAuditLog.ts +24 -0
package/src/logging/hooks/useErrorMetrics.ts +40 -0
package/src/logging/hooks/useHealthMetrics.ts +44 -0
package/src/logging/index.ts +18 -0
package/src/logging/types/analytics.ts +81 -0
package/src/logging/types/audit.ts +31 -0
package/src/logging/types/index.ts +3 -0
package/src/middleware/auth-decision.ts +43 -0
package/src/middleware/create-middleware.ts +626 -0
package/src/middleware/rbac-check.ts +244 -0
package/src/middleware/twofa-presets.ts +224 -0
package/src/models/DecodedAccessToken.ts +17 -0
package/src/models/SessionModel.ts +258 -0
package/src/pages/admin-login/page.tsx +229 -0
package/src/pages/admin-roles/RolesAdminPage.tsx +357 -0
package/src/pages/admin-roles/index.ts +9 -0
package/src/pages/admin-roles/modals.tsx +469 -0
package/src/pages/client-admin/ClientSiteAdminPage.tsx +380 -0
package/src/pages/client-admin/index.ts +33 -0
package/src/pages/login/page.tsx +463 -0
package/src/pages/profile/EnhancedProfilePage.tsx +479 -0
package/src/pages/profile/index.ts +9 -0
package/src/pages/profile/page.tsx +166 -0
package/src/pages/recovery/page.tsx +234 -0
package/src/pages/roles/MyRolesPage.tsx +211 -0
package/src/pages/roles/components.tsx +294 -0
package/src/pages/roles/index.ts +17 -0
package/src/pages/security/EnhancedSecurityPage.tsx +574 -0
package/src/pages/security/index.ts +9 -0
package/src/pages/security/page.tsx +507 -0
package/src/pages/settings/EnhancedSettingsPage.tsx +642 -0
package/src/pages/settings/index.ts +9 -0
package/src/pages/settings/page.tsx +47 -0
package/src/pages/showcase/ShowcasePage.tsx +530 -0
package/src/pages/showcase/index.ts +13 -0
package/src/pages/test-env/EmergencyLogoutPage.tsx +179 -0
package/src/pages/test-env/JwtInspectPage.tsx +418 -0
package/src/pages/test-env/RefreshTokenPage.tsx +155 -0
package/src/pages/test-env/TestEnvPage.tsx +116 -0
package/src/pages/test-env/index.ts +25 -0
package/src/pages/verify-code/page.tsx +648 -0
package/src/routes/account/index.ts +32 -0
package/src/routes/account/masked-info.ts +37 -0
package/src/routes/account/send-code.ts +40 -0
package/src/routes/account/update-phone.ts +13 -0
package/src/routes/account/verify-email.ts +41 -0
package/src/routes/account/verify-sms.ts +41 -0
package/src/routes/auth/index.ts +23 -0
package/src/routes/auth/logout.ts +127 -0
package/src/routes/auth/nextauth.ts +71 -0
package/src/routes/auth/refresh.ts +54 -0
package/src/routes/auth/session.ts +193 -0
package/src/routes/auth/settings.ts +75 -0
package/src/routes/auth/viability.ts +220 -0
package/src/routes/index.ts +18 -0
package/src/routes/session/index.ts +7 -0
package/src/routes/session/refresh-viability.ts +17 -0
package/src/services/signalrActivityService.ts +258 -0
package/src/stores/authStore.ts +1904 -0
package/src/templates/instrumentation.ts +41 -0
package/src/theme/ThemeProvider.tsx +39 -0
package/src/theme/default.ts +33 -0
package/src/theme/index.ts +31 -0
package/src/theme/types.ts +69 -0
package/src/theme/useTheme.ts +57 -0
package/src/theme/utils.ts +40 -0
package/src/types/api.ts +13 -0
package/src/types/auth.d.ts +15 -0
package/src/types/auth.ts +22 -0
package/src/types/logging.ts +11 -0
package/src/types/next-auth.d.ts +15 -0
package/src/types/recovery.ts +54 -0
package/src/types/security.ts +1 -0
package/src/utils/api.ts +353 -0
package/src/utils/circuitBreaker.ts +40 -0
package/src/utils/error-message.ts +108 -0
package/src/utils/layout/reservedSpace.ts +124 -0
package/src/utils/logout.ts +30 -0
package/src/vibe/client.ts +590 -0
package/src/vibe/errors.ts +185 -0
package/src/vibe/generic.ts +429 -0
package/src/vibe/hooks/index.ts +367 -0
package/src/vibe/index.ts +121 -0
package/src/vibe/sessions.ts +551 -0
package/src/vibe/types.ts +577 -0

package/dist/auth/auth-options.js ADDED Viewed

@@ -0,0 +1,213 @@
+"use strict";
+/**
+ * NextAuth Configuration (Refactored)
+ *
+ * This is the composition layer that wires together all auth modules.
+ * Individual logic lives in dedicated modules:
+ * - providers/ - Credentials and OAuth provider builders
+ * - callbacks/ - JWT, session, signIn callbacks
+ * - events/ - SignOut event handler
+ * - utils/ - Token utilities, IDP client
+ * - types/ - Type definitions
+ *
+ * CARGO CULT PATTERNS REMOVED:
+ * ============================
+ * The original auth-options.ts (1186 lines) had several anti-patterns that
+ * added complexity without benefit:
+ *
+ * 1. CALLBACK CONCURRENCY PROTECTION (removed)
+ *    - shouldExecuteCallback() / markCallbackComplete()
+ *    - A debouncing mechanism that tried to prevent callbacks from running
+ *      too frequently. NextAuth already handles this properly.
+ *    - Added complexity, caused race condition bugs, and leaked memory
+ *      (Map entries never cleaned up).
+ *
+ * 2. SESSION RESTORATION (removed)
+ *    - attemptSessionRestoration()
+ *    - Tried to restore sessions by calling refresh endpoint from JWT callback.
+ *    - Created circular dependencies and made debugging impossible.
+ *    - Clean approach: Session missing = user re-authenticates. Simple.
+ *
+ * 3. VARIABLE NAME SOUP (normalized in Phase 3)
+ *    - accessToken vs idpAccessToken vs oauthAccessToken
+ *    - twoFactorComplete vs mfaVerified vs requiresTwoFactor
+ *    - sessionToken vs redisSessionId
+ *    - Now: Clear prefixes (idp*, oauth*, mfa*) with documented meanings.
+ *
+ * 4. INLINE EVERYTHING (modularized in Phase 2)
+ *    - All logic was in one giant file with no separation of concerns.
+ *    - Now: Each module has one job and can be tested independently.
+ *
+ * @version 2.0.0
+ * @since auth-refactor-2026-01
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authOptions = void 0;
+exports.getAuthOptions = getAuthOptions;
+exports.clearAuthOptionsCache = clearAuthOptionsCache;
+const jwt_1 = require("next-auth/jwt");
+const idp_client_config_1 = require("../lib/idp-client-config");
+const app_slug_1 = require("../lib/app-slug");
+// Module imports
+const providers_1 = require("./providers");
+const callbacks_1 = require("./callbacks");
+const events_1 = require("./events");
+// ============================================================================
+// ENVIRONMENT HELPERS
+// ============================================================================
+/**
+ * Get AUTH_ISSUER_URL for JWT issuer claim.
+ * Required for SSO across apps.
+ */
+function getAuthIssuerUrl() {
+    const url = process.env.AUTH_ISSUER_URL;
+    if (!url) {
+        throw new Error('AUTH_ISSUER_URL environment variable is REQUIRED');
+    }
+    return url;
+}
+// ============================================================================
+// BASE AUTH OPTIONS
+// ============================================================================
+/**
+ * Base NextAuth configuration.
+ * Use getAuthOptions() for dynamic provider loading from IDP.
+ */
+exports.authOptions = {
+    // Session uses JWT strategy - JWT contains only redisSessionId
+    session: {
+        strategy: 'jwt',
+        maxAge: 30 * 24 * 60 * 60, // 30 days default, overridden by IDP config
+    },
+    // Custom JWT handling for SSO issuer
+    jwt: {
+        encode: async (params) => {
+            try {
+                const issuer = getAuthIssuerUrl();
+                console.log('[JWT_ENCODE] Encoding token:', {
+                    hasToken: !!params.token,
+                    hasSecret: !!params.secret,
+                    secretLength: params.secret?.length || 0,
+                    issuer,
+                    tokenKeys: params.token ? Object.keys(params.token) : [],
+                });
+                const encoded = await (0, jwt_1.encode)({
+                    ...params,
+                    secret: params.secret,
+                    token: {
+                        ...params.token,
+                        iss: issuer,
+                    },
+                });
+                console.log('[JWT_ENCODE] Success, encoded length:', encoded?.length || 0);
+                return encoded;
+            }
+            catch (error) {
+                console.error('[JWT_ENCODE] FAILED:', error);
+                throw error;
+            }
+        },
+        decode: async (params) => {
+            const decoded = await (0, jwt_1.decode)(params);
+            if (decoded?.iss && decoded.iss !== getAuthIssuerUrl()) {
+                console.error('[JWT] Invalid issuer. Expected:', getAuthIssuerUrl(), 'Got:', decoded.iss);
+                return null; // Hard enforcement - reject mismatched issuers
+            }
+            return decoded;
+        },
+    },
+    // Cookie configuration for multi-app support
+    // In production, use __Secure- prefixed cookie names for enhanced security
+    cookies: {
+        sessionToken: {
+            name: process.env.NODE_ENV === 'production' ? (0, app_slug_1.getSecureSessionCookieName)() : (0, app_slug_1.getSessionCookieName)(),
+            options: {
+                httpOnly: true,
+                sameSite: 'lax',
+                path: '/',
+                secure: process.env.NODE_ENV === 'production',
+            },
+        },
+        csrfToken: {
+            name: process.env.NODE_ENV === 'production' ? (0, app_slug_1.getSecureCsrfCookieName)() : (0, app_slug_1.getCsrfCookieName)(),
+            options: {
+                httpOnly: true,
+                sameSite: 'lax',
+                path: '/',
+                secure: process.env.NODE_ENV === 'production',
+            },
+        },
+        callbackUrl: {
+            name: (0, app_slug_1.getCallbackUrlCookieName)(),
+            options: {
+                sameSite: 'lax',
+                path: '/',
+                secure: process.env.NODE_ENV === 'production',
+            },
+        },
+    },
+    // Providers - credentials only in base, OAuth added dynamically
+    providers: [(0, providers_1.createCredentialsProvider)()],
+    // Callbacks wired to modular implementations
+    callbacks: {
+        jwt: callbacks_1.jwtCallback,
+        session: callbacks_1.sessionCallback, // Type cast needed for NextAuth compatibility
+        signIn: callbacks_1.signInCallback,
+    },
+    // Events
+    events: {
+        signOut: events_1.handleSignOut,
+    },
+    // Custom pages
+    pages: {
+        signIn: '/account-auth/login',
+        error: '/account-auth/login',
+    },
+    debug: false,
+};
+// ============================================================================
+// DYNAMIC AUTH OPTIONS (WITH IDP OAUTH PROVIDERS)
+// ============================================================================
+let cachedAuthOptions = null;
+let authOptionsPromise = null;
+/**
+ * Get auth options with dynamically loaded OAuth providers from IDP.
+ * Uses caching to avoid rebuilding on every request.
+ */
+async function getAuthOptions() {
+    if (cachedAuthOptions) {
+        return cachedAuthOptions;
+    }
+    if (authOptionsPromise) {
+        return authOptionsPromise;
+    }
+    authOptionsPromise = buildDynamicAuthOptions();
+    cachedAuthOptions = await authOptionsPromise;
+    authOptionsPromise = null;
+    return cachedAuthOptions;
+}
+/**
+ * Build auth options with dynamic OAuth providers from IDP.
+ */
+async function buildDynamicAuthOptions() {
+    const idpConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+    const oauthProviders = (0, providers_1.buildOAuthProviders)(idpConfig);
+    return {
+        ...exports.authOptions,
+        secret: idpConfig.nextAuthSecret || process.env.NEXTAUTH_SECRET,
+        session: {
+            ...exports.authOptions.session,
+            maxAge: idpConfig.authSettings?.rememberMeDays
+                ? idpConfig.authSettings.rememberMeDays * 24 * 60 * 60
+                : 30 * 24 * 60 * 60,
+        },
+        providers: [(0, providers_1.createCredentialsProvider)(), ...oauthProviders],
+    };
+}
+/**
+ * Clear cached auth options (when IDP config changes).
+ */
+function clearAuthOptionsCache() {
+    cachedAuthOptions = null;
+    authOptionsPromise = null;
+}

package/dist/auth/callbacks/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Auth Callbacks - Public Exports
+ */
+export { jwtCallback } from './jwt';
+export { sessionCallback } from './session';
+export { signInCallback } from './signin';

package/dist/auth/callbacks/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+"use strict";
+/**
+ * Auth Callbacks - Public Exports
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signInCallback = exports.sessionCallback = exports.jwtCallback = void 0;
+var jwt_1 = require("./jwt");
+Object.defineProperty(exports, "jwtCallback", { enumerable: true, get: function () { return jwt_1.jwtCallback; } });
+var session_1 = require("./session");
+Object.defineProperty(exports, "sessionCallback", { enumerable: true, get: function () { return session_1.sessionCallback; } });
+var signin_1 = require("./signin");
+Object.defineProperty(exports, "signInCallback", { enumerable: true, get: function () { return signin_1.signInCallback; } });

package/dist/auth/callbacks/jwt.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * JWT Callback
+ *
+ * Minimal token strategy - only store redisSessionId in JWT.
+ * All session data lives in Redis, not in the browser cookie.
+ *
+ * HANDLES:
+ * - Initial sign-in (credentials): Store redisSessionId from authorize()
+ * - Initial sign-in (OAuth): Register with IDP, create session, store redisSessionId
+ * - Subsequent requests: Validate session exists, return token
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { JWT } from 'next-auth/jwt';
+import type { User, Account } from 'next-auth';
+interface JwtCallbackParams {
+    token: JWT;
+    user?: User | any;
+    account?: Account | null;
+    trigger?: 'signIn' | 'signUp' | 'update';
+}
+interface JwtCallbackResult extends JWT {
+    /** Redis session ID - the key to look up session data */
+    redisSessionId?: string;
+    /** User ID from IDP */
+    sub: string;
+    /** Error code if session validation failed */
+    error?: string;
+    /** Flag for OAuth users who need immediate 2FA redirect */
+    requiresTwoFactorRedirect?: boolean;
+}
+/**
+ * JWT callback - builds the NextAuth JWT token.
+ *
+ * MINIMAL TOKEN STRATEGY:
+ * - Only store redisSessionId (key to Redis session)
+ * - All tokens and user data live in Redis
+ * - Browser cookie stays small and secure
+ *
+ * @param params - JWT callback parameters from NextAuth
+ * @returns JWT payload to store in browser cookie
+ */
+export declare function jwtCallback({ token, user, account, trigger, }: JwtCallbackParams): Promise<JwtCallbackResult>;
+export {};

package/dist/auth/callbacks/jwt.js ADDED Viewed

@@ -0,0 +1,305 @@
+"use strict";
+/**
+ * JWT Callback
+ *
+ * Minimal token strategy - only store redisSessionId in JWT.
+ * All session data lives in Redis, not in the browser cookie.
+ *
+ * HANDLES:
+ * - Initial sign-in (credentials): Store redisSessionId from authorize()
+ * - Initial sign-in (OAuth): Register with IDP, create session, store redisSessionId
+ * - Subsequent requests: Validate session exists, return token
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jwtCallback = jwtCallback;
+const crypto_1 = require("crypto");
+const session_store_1 = require("../../lib/session-store");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+const idp_client_1 = require("../utils/idp-client");
+const token_utils_1 = require("../utils/token-utils");
+// NOTE: Using any for sessionData until Phase 3 normalizes types
+// ============================================================================
+// VIBE ROLE FETCHING
+// ============================================================================
+/**
+ * Generate HMAC signature for Vibe API request.
+ */
+function generateVibeSignature(endpoint, clientId, timestamp) {
+    const signingKey = process.env.VIBE_SIGNING_KEY;
+    if (!signingKey) {
+        return '';
+    }
+    const stringToSign = `${timestamp}|GET|${endpoint}|${clientId}`;
+    return (0, crypto_1.createHmac)('sha256', Buffer.from(signingKey, 'base64'))
+        .update(stringToSign)
+        .digest('base64');
+}
+/**
+ * Fetch user's roles from Vibe API.
+ * Returns empty array on failure (non-blocking).
+ * Uses HMAC signature for authentication when signing key is configured.
+ */
+async function fetchVibeRoles(userId, clientId) {
+    const vibeApiUrl = process.env.VIBE_API_URL;
+    if (!vibeApiUrl) {
+        return [];
+    }
+    const endpoint = `/api/v1/users/${userId}/roles`;
+    const timestamp = Math.floor(Date.now() / 1000);
+    const signature = generateVibeSignature(endpoint, clientId, timestamp);
+    // Build headers with optional signature
+    const headers = {
+        'Accept': 'application/json',
+        'X-Client-Id': clientId,
+        'X-Vibe-Client-Id': clientId,
+    };
+    if (signature) {
+        headers['X-Vibe-Timestamp'] = String(timestamp);
+        headers['X-Vibe-Signature'] = signature;
+    }
+    try {
+        const response = await fetch(`${vibeApiUrl}${endpoint}`, {
+            method: 'GET',
+            headers,
+            // 2 second timeout
+            signal: AbortSignal.timeout(2000),
+        });
+        if (!response.ok) {
+            console.warn('[JWT_CALLBACK] Failed to fetch Vibe roles:', response.status);
+            return [];
+        }
+        const data = await response.json();
+        const roles = data.roles?.map((r) => r.role_name || r) || [];
+        console.log('[JWT_CALLBACK] Fetched Vibe roles:', roles);
+        return roles;
+    }
+    catch (error) {
+        console.warn('[JWT_CALLBACK] Error fetching Vibe roles (continuing with IDP roles only):', error);
+        return [];
+    }
+}
+/**
+ * Merge IDP roles with Vibe roles, deduplicating.
+ */
+function mergeRoles(idpRoles, vibeRoles) {
+    return [...new Set([...idpRoles, ...vibeRoles])];
+}
+// ============================================================================
+// JWT CALLBACK
+// ============================================================================
+/**
+ * JWT callback - builds the NextAuth JWT token.
+ *
+ * MINIMAL TOKEN STRATEGY:
+ * - Only store redisSessionId (key to Redis session)
+ * - All tokens and user data live in Redis
+ * - Browser cookie stays small and secure
+ *
+ * @param params - JWT callback parameters from NextAuth
+ * @returns JWT payload to store in browser cookie
+ */
+async function jwtCallback({ token, user, account, trigger, }) {
+    console.log('[JWT_CALLBACK] Called with:', {
+        trigger,
+        hasAccount: !!account,
+        provider: account?.provider,
+        hasUser: !!user,
+        userEmail: user?.email,
+        existingRedisSessionId: token?.redisSessionId ? 'yes' : 'no',
+    });
+    // -------------------------------------------------------------------------
+    // OAuth Sign-In: Register with IDP and create session
+    // -------------------------------------------------------------------------
+    if (account && account.provider !== 'credentials') {
+        console.log('[JWT_CALLBACK] Handling OAuth sign-in for provider:', account.provider);
+        return handleOAuthSignIn(token, user, account);
+    }
+    // -------------------------------------------------------------------------
+    // Credentials Sign-In: Session already created in authorize()
+    // -------------------------------------------------------------------------
+    if (user && user.redisSessionId) {
+        // Credentials authorize() returns redisSessionId
+        const redisSessionId = user.redisSessionId;
+        return {
+            ...token,
+            redisSessionId,
+            sub: user.id || token.sub || 'unknown',
+        };
+    }
+    // -------------------------------------------------------------------------
+    // Subsequent Requests: Validate session exists
+    // -------------------------------------------------------------------------
+    const redisSessionId = user?.redisSessionId || token?.redisSessionId || token?.redisSessionId;
+    if (!redisSessionId) {
+        return { ...token, error: 'NoSession', sub: token.sub || 'unknown' };
+    }
+    // Validate session still exists in Redis
+    try {
+        const sessionData = await (0, session_store_1.getSession)(redisSessionId);
+        if (!sessionData) {
+            // Session expired or deleted
+            return { ...token, error: 'SessionNotFound', sub: token.sub || 'unknown' };
+        }
+        // Check if refresh token has expired (session should be terminated)
+        if (sessionData.idpRefreshTokenExpires && Date.now() >= sessionData.idpRefreshTokenExpires) {
+            return { ...token, error: 'RefreshTokenExpired', sub: token.sub || 'unknown' };
+        }
+        // Check if MFA has expired (requires step-up authentication)
+        if (sessionData.mfaExpiresAt && Date.now() > sessionData.mfaExpiresAt) {
+            return {
+                ...token,
+                redisSessionId,
+                sub: sessionData.userId,
+                error: 'MfaExpired',
+            };
+        }
+    }
+    catch (error) {
+        console.error('[JWT_CALLBACK] Session validation error:', error);
+        return { ...token, error: 'SessionError', sub: token.sub || 'unknown' };
+    }
+    // Session is valid - return minimal token
+    return {
+        ...token,
+        redisSessionId,
+        sub: token.sub || 'unknown',
+    };
+}
+// ============================================================================
+// OAUTH SIGN-IN HANDLER
+// ============================================================================
+/**
+ * Handle OAuth sign-in by registering with IDP and creating session.
+ */
+async function handleOAuthSignIn(token, user, account) {
+    console.log('[JWT_CALLBACK] handleOAuthSignIn starting for:', {
+        provider: account.provider,
+        email: user?.email,
+        providerAccountId: account.providerAccountId,
+    });
+    try {
+        // Call IDP to register/authenticate OAuth user
+        const idpResult = await (0, idp_client_1.idpOAuthCallback)({
+            provider: account.provider,
+            providerAccountId: account.providerAccountId,
+            email: user?.email || '',
+            name: user?.name || '',
+            image: user?.image || '',
+            accessToken: account.access_token,
+            refreshToken: account.refresh_token,
+            expiresAt: account.expires_at,
+        });
+        // Build session data using normalized field names
+        let sessionData;
+        let mfaVerified = false;
+        if (idpResult.success && idpResult.data?.accessToken) {
+            // IDP integration succeeded - we have IDP tokens
+            const decoded = (0, token_utils_1.decodeIdpAccessToken)(idpResult.data.accessToken);
+            const amrClaims = decoded ? (0, token_utils_1.extractAmrFromToken)(decoded) : [];
+            const acrLevel = decoded?.acr || '1';
+            // Extract kid from JWT header (CRITICAL: different from client_id in payload)
+            const bearerKeyId = (0, token_utils_1.extractKidFromToken)(idpResult.data.accessToken);
+            if (bearerKeyId) {
+                console.log('[JWT_CALLBACK] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
+            }
+            else {
+                console.warn('[JWT_CALLBACK] No kid found in JWT header');
+            }
+            // Check if MFA is required for this client
+            try {
+                const clientConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+                const require2FA = clientConfig?.authSettings?.require2FA ?? true;
+                mfaVerified = !require2FA; // If MFA not required, mark as verified
+            }
+            catch {
+                // Default to requiring MFA if config unavailable
+                mfaVerified = false;
+            }
+            sessionData = {
+                userId: idpResult.data.user?.userId?.toString() || account.providerAccountId,
+                email: idpResult.data.user?.email || user?.email || '',
+                name: idpResult.data.user?.fullName || user?.name || '',
+                roles: idpResult.data.user?.roles || [],
+                // IDP tokens (normalized names)
+                idpAccessToken: idpResult.data.accessToken,
+                idpRefreshToken: idpResult.data.refreshToken,
+                idpAccessTokenExpires: decoded?.exp ? (0, token_utils_1.expClaimToMs)(decoded.exp) : Date.now() + 3600000,
+                decodedAccessToken: decoded || undefined,
+                // Bearer key ID from JWT header (NOT client_id from payload)
+                bearerKeyId,
+                // MFA state (normalized names)
+                mfaVerified,
+                authenticationMethods: amrClaims,
+                authenticationLevel: acrLevel,
+                // OAuth provider info (normalized names)
+                oauthProvider: account.provider,
+                oauthProviderToken: account.access_token,
+                oauthProviderRefreshToken: account.refresh_token,
+                // Multi-tenant info
+                idpClientId: decoded?.client_id,
+                merchantId: decoded?.merchant_id,
+            };
+        }
+        else {
+            // IDP integration failed - create OAuth-only session
+            // This allows OAuth login to work even if IDP is unavailable
+            mfaVerified = true; // OAuth IS multi-factor (Google/Microsoft handle MFA)
+            sessionData = {
+                userId: account.providerAccountId,
+                email: user?.email || '',
+                name: user?.name || '',
+                roles: [],
+                mfaVerified: true, // OAuth IS multi-factor
+                oauthProvider: account.provider,
+                oauthProviderToken: account.access_token,
+                oauthProviderRefreshToken: account.refresh_token,
+                idpAccessTokenExpires: account.expires_at
+                    ? account.expires_at * 1000
+                    : Date.now() + 3600000,
+            };
+        }
+        // -------------------------------------------------------------------------
+        // ROLE MERGING: Fetch Vibe roles and merge with IDP roles
+        // -------------------------------------------------------------------------
+        const clientId = sessionData.idpClientId || process.env.IDP_CLIENT_ID || '';
+        if (clientId && sessionData.userId) {
+            const vibeRoles = await fetchVibeRoles(sessionData.userId, clientId);
+            // SECURITY: Filter out protected IDP-level role prefixes to prevent injection
+            const safeVibeRoles = vibeRoles.filter(r => !r.startsWith('payez_'));
+            const idpRoles = sessionData.roles || [];
+            sessionData.roles = mergeRoles(idpRoles, safeVibeRoles);
+            console.log('[JWT_CALLBACK] Merged roles:', {
+                idpRoles,
+                vibeRoles,
+                safeVibeRoles,
+                merged: sessionData.roles,
+            });
+        }
+        // Create Redis session
+        console.log('[JWT_CALLBACK] Creating Redis session for:', {
+            userId: sessionData.userId,
+            email: sessionData.email,
+            mfaVerified: sessionData.mfaVerified,
+            roles: sessionData.roles,
+        });
+        const redisSessionId = await (0, session_store_1.createSession)(sessionData);
+        console.log('[JWT_CALLBACK] Redis session created:', {
+            redisSessionId: redisSessionId ? redisSessionId.substring(0, 8) + '...' : 'NONE',
+        });
+        // Check if immediate MFA redirect is needed
+        const needsImmediateTwoFactor = !mfaVerified;
+        return {
+            ...token,
+            redisSessionId,
+            sub: sessionData.userId,
+            requiresTwoFactorRedirect: needsImmediateTwoFactor,
+        };
+    }
+    catch (error) {
+        console.error('[JWT_CALLBACK] handleOAuthSignIn FAILED:', error);
+        return { ...token, error: 'OAuthSignInFailed', sub: token.sub || 'unknown' };
+    }
+}

package/dist/auth/callbacks/session.d.ts ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * Session Callback
+ *
+ * Builds the NextAuth session from Redis session data.
+ * The JWT only contains redisSessionId - all user data comes from Redis.
+ *
+ * FLOW:
+ * 1. Extract redisSessionId from JWT token
+ * 2. Fetch session data from Redis
+ * 3. Build NextAuth session with user info
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { Session } from 'next-auth';
+import type { JWT } from 'next-auth/jwt';
+interface SessionCallbackParams {
+    session: Session;
+    token: JWT & {
+        /** Redis session ID - the key to look up session data */
+        redisSessionId?: string;
+        error?: string;
+    };
+}
+interface AppSessionUser {
+    id: string;
+    email: string;
+    name?: string;
+    roles: string[];
+    twoFactorSessionVerified: boolean;
+    requiresTwoFactor: boolean;
+    authenticationMethods?: string[];
+    authenticationLevel?: string;
+    mfaCompletedAt?: number;
+    mfaExpiresAt?: number;
+    mfaValidityHours?: number;
+    oauthProvider?: string;
+    idpClientId?: string;
+    merchantId?: string;
+    bearerKeyId?: string;
+}
+interface AppSession extends Omit<Session, 'user'> {
+    user: AppSessionUser;
+    sessionToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    accessTokenExpires?: number;
+    error?: string;
+}
+/**
+ * Session callback - builds NextAuth session from Redis.
+ *
+ * This callback is called whenever getSession() or useSession() is used.
+ * It fetches the full session from Redis and exposes it to the client.
+ *
+ * @param params - Session callback parameters from NextAuth
+ * @returns AppSession with user data from Redis
+ */
+export declare function sessionCallback({ session, token, }: SessionCallbackParams): Promise<AppSession>;
+export {};