@payez/next-mvp 3.0.0

package/dist/api-handlers/account/profile.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+exports.PUT = PUT;
+const server_1 = require("next/server");
+/**
+ * Account Profile API Handler
+ * Simple proxy to IDP profile endpoint
+ *
+ * GET /api/account/profile - Get user profile
+ * PUT /api/account/profile - Update user profile
+ */
+function getIdpUrl() {
+    const url = process.env.IDP_URL;
+    if (!url) {
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    }
+    return url;
+}
+async function GET(req) {
+    const IDP_URL = getIdpUrl();
+    const authHeader = req.headers.get('authorization');
+    if (!authHeader) {
+        return server_1.NextResponse.json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Authentication required' } }, { status: 401 });
+    }
+    try {
+        const upstream = await fetch(`${IDP_URL}/api/Account/profile`, {
+            method: 'GET',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': authHeader,
+            },
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch (error) {
+        return server_1.NextResponse.json({ success: false, error: { code: 'UPSTREAM_ERROR', message: 'Failed to fetch profile' } }, { status: 500 });
+    }
+}
+async function PUT(req) {
+    const IDP_URL = getIdpUrl();
+    const authHeader = req.headers.get('authorization');
+    if (!authHeader) {
+        return server_1.NextResponse.json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Authentication required' } }, { status: 401 });
+    }
+    try {
+        const body = await req.text();
+        const upstream = await fetch(`${IDP_URL}/api/Account/profile`, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': authHeader,
+            },
+            body,
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch (error) {
+        return server_1.NextResponse.json({ success: false, error: { code: 'UPSTREAM_ERROR', message: 'Failed to update profile' } }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/recovery/initiate.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/account/recovery/initiate.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+function getIdpUrl() {
+    const url = process.env.IDP_URL;
+    if (!url)
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    return url;
+}
+async function POST(req) {
+    const IDP_URL = getIdpUrl();
+    try {
+        const { email } = await req.json();
+        const upstream = await fetch(`${IDP_URL}/api/Account/recovery/initiate`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ email }),
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch (e) {
+        return server_1.NextResponse.json({ success: false, error: 'initiate_failed' }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/recovery/send-code.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/account/recovery/send-code.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+function getIdpUrl() {
+    const url = process.env.IDP_URL;
+    if (!url)
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    return url;
+}
+async function POST(req) {
+    const IDP_URL = getIdpUrl();
+    try {
+        const auth = req.headers.get('authorization') || '';
+        const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
+        const { method } = await req.json();
+        const upstream = await fetch(`${IDP_URL}/api/Account/recovery/send-code`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${token}` },
+            body: JSON.stringify({ method }),
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch {
+        return server_1.NextResponse.json({ success: false, error: 'send_code_failed' }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/recovery/verify-code.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/account/recovery/verify-code.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+function getIdpUrl() {
+    const url = process.env.IDP_URL;
+    if (!url)
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    return url;
+}
+async function POST(req) {
+    const IDP_URL = getIdpUrl();
+    try {
+        const auth = req.headers.get('authorization') || '';
+        const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
+        const { code, method } = await req.json();
+        const upstream = await fetch(`${IDP_URL}/api/Account/recovery/verify-code`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${token}` },
+            body: JSON.stringify({ code, method }),
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch {
+        return server_1.NextResponse.json({ success: false, error: 'verify_code_failed' }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/reset-password.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/account/reset-password.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+function getIdpUrl() {
+    const url = process.env.IDP_URL;
+    if (!url)
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    return url;
+}
+async function POST(req) {
+    const IDP_URL = getIdpUrl();
+    try {
+        const payload = await req.json();
+        const upstream = await fetch(`${IDP_URL}/api/Account/reset-password`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(payload),
+        });
+        const data = await upstream.json().catch(() => ({}));
+        return server_1.NextResponse.json(data, { status: upstream.status });
+    }
+    catch {
+        return server_1.NextResponse.json({ success: false, error: 'reset_password_failed' }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/send-code.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Send 2FA Verification Code Handler
+ *
+ * Sends a verification code via email or SMS to the authenticated user.
+ * Requires a provisional Bearer token (ACR=1) from initial login.
+ *
+ * @package @payez/next-mvp
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    error: string;
+    code: string;
+}> | NextResponse<{
+    success: boolean;
+    error: any;
+    code: any;
+    meta: {
+        attemptedRefresh: boolean;
+    };
+}> | NextResponse<{
+    success: boolean;
+    message: string;
+}>>;

package/dist/api-handlers/account/send-code.js

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * Send 2FA Verification Code Handler
+ *
+ * Sends a verification code via email or SMS to the authenticated user.
+ * Requires a provisional Bearer token (ACR=1) from initial login.
+ *
+ * @package @payez/next-mvp
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+const idp_fetch_1 = require("../../lib/idp-fetch");
+const env_1 = require("../../config/env");
+async function POST(req) {
+    try {
+        // Parse request body
+        const body = await req.json();
+        const method = String(body.method || '').toLowerCase();
+        if (method !== 'sms' && method !== 'email') {
+            return server_1.NextResponse.json({
+                success: false,
+                error: 'Method must be either "sms" or "email"',
+                code: 'INVALID_METHOD',
+            }, { status: 400 });
+        }
+        // Build IDP endpoint URL
+        const idpEndpoint = method === 'sms'
+            ? '/api/ExternalAuth/twofa/sms/send'
+            : '/api/ExternalAuth/twofa/email/send';
+        // Send client_id in body (lower_snake_case per PayEz standards)
+        const idpBody = JSON.stringify({ client_id: env_1.ENV_CONFIG.CLIENT_ID });
+        // Call IDP using idpFetchJSON which auto-injects Bearer token from Redis session
+        const result = await (0, idp_fetch_1.idpFetchJSON)(req, `${env_1.ENV_CONFIG.IDP_URL}${idpEndpoint}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: idpBody,
+        });
+        if (!result.ok) {
+            return server_1.NextResponse.json({
+                success: false,
+                error: result.json?.message || `Failed to send ${method} code`,
+                code: result.json?.code || 'IDP_ERROR',
+                meta: { attemptedRefresh: result.attemptedRefresh },
+            }, { status: result.status });
+        }
+        return server_1.NextResponse.json({
+            success: true,
+            message: `Verification code sent via ${method}`,
+        }, { status: 200 });
+    }
+    catch (error) {
+        console.error('[SEND_CODE] Error:', error);
+        return server_1.NextResponse.json({
+            success: false,
+            error: 'Failed to send verification code',
+            code: 'INTERNAL_ERROR',
+        }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/update-phone.d.ts

@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * Update Phone Number API Handler
+ *
+ * PATCH /api/account/update-phone - Update user's phone number
+ * Used for 2FA setup - users need to add a phone to enable SMS verification.
+ */
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    error: {
+        code: string;
+        message: string;
+    };
+}> | NextResponse<{
+    success: boolean;
+    error: {
+        code: any;
+        message: any;
+    };
+    meta: {
+        attemptedRefresh: boolean;
+    };
+}> | NextResponse<{
+    success: boolean;
+    message: string;
+    data: any;
+}>>;

package/dist/api-handlers/account/update-phone.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+const idp_fetch_1 = require("../../lib/idp-fetch");
+const env_1 = require("../../config/env");
+/**
+ * Update Phone Number API Handler
+ *
+ * PATCH /api/account/update-phone - Update user's phone number
+ * Used for 2FA setup - users need to add a phone to enable SMS verification.
+ */
+async function POST(req) {
+    try {
+        // Parse request body
+        let body;
+        try {
+            body = await req.json();
+        }
+        catch {
+            return server_1.NextResponse.json({ success: false, error: { code: 'INVALID_JSON', message: 'Invalid request body' } }, { status: 400 });
+        }
+        const { phoneNumber } = body;
+        if (!phoneNumber) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'INVALID_INPUT', message: 'Phone number is required' } }, { status: 400 });
+        }
+        // PATCH profile with phone_number only
+        const url = `${env_1.ENV_CONFIG.IDP_URL}/api/Account/profile`;
+        const result = await (0, idp_fetch_1.idpFetchJSON)(req, url, {
+            method: 'PATCH',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ phone_number: phoneNumber }),
+        });
+        if (!result.ok) {
+            console.error('[UPDATE_PHONE] IDP error:', result.status, result.json);
+            return server_1.NextResponse.json({
+                success: false,
+                error: {
+                    code: result.json?.error?.code || 'UPDATE_FAILED',
+                    message: result.json?.error?.message || 'Failed to update phone number',
+                },
+                meta: { attemptedRefresh: result.attemptedRefresh },
+            }, { status: result.status });
+        }
+        const responseData = result.json;
+        // Unwrap if IDP returns envelope { success, data }
+        if (responseData && typeof responseData === 'object' && 'success' in responseData && 'data' in responseData) {
+            return server_1.NextResponse.json({
+                success: true,
+                message: 'Phone number updated successfully',
+                data: responseData.data,
+            });
+        }
+        return server_1.NextResponse.json({
+            success: true,
+            message: 'Phone number updated successfully',
+            data: responseData,
+        });
+    }
+    catch (error) {
+        console.error('[UPDATE_PHONE] Error:', error);
+        return server_1.NextResponse.json({ success: false, error: { code: 'INTERNAL_ERROR', message: 'Failed to update phone number' } }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/validate-password.d.ts

@@ -0,0 +1,17 @@
+import { NextRequest, NextResponse } from 'next/server';
+interface ValidatePasswordResponse {
+    is_valid: boolean;
+    score: number;
+    failed_requirements: string[];
+    tip?: string;
+    policy?: {
+        min_length?: number;
+        require_uppercase?: boolean;
+        require_lowercase?: boolean;
+        require_digit?: boolean;
+        require_special?: boolean;
+        min_strength_score?: number;
+    };
+}
+export declare function POST(req: NextRequest): Promise<NextResponse<ValidatePasswordResponse>>;
+export {};

package/dist/api-handlers/account/validate-password.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+async function POST(req) {
+    try {
+        const body = await req.json();
+        const { password } = body;
+        const requestId = req.headers.get('x-request-id') ?? crypto.randomUUID();
+        // Validate input
+        if (!password || typeof password !== 'string') {
+            return server_1.NextResponse.json({
+                is_valid: false,
+                score: 0,
+                failed_requirements: ['Password is required'],
+            }, {
+                status: 200, // Return 200 even for validation errors to keep UI responsive
+                headers: { 'Cache-Control': 'no-store' },
+            });
+        }
+        // Get IDP base URL and client ID from environment
+        const idpBaseUrl = process.env.IDP_URL;
+        const clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_CLIENT_ID;
+        if (!idpBaseUrl) {
+            console.error('[VALIDATE_PASSWORD] IDP_URL not configured');
+            return server_1.NextResponse.json({
+                is_valid: false,
+                score: 0,
+                failed_requirements: ['Password validation service unavailable'],
+            }, {
+                status: 200,
+                headers: { 'Cache-Control': 'no-store' },
+            });
+        }
+        // Proxy request to IDP
+        const idpUrl = `${idpBaseUrl}/api/Account/validate-password`;
+        const payload = {
+            password,
+            client_id: clientId,
+        };
+        const idpResponse = await fetch(idpUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-request-id': requestId,
+            },
+            body: JSON.stringify(payload),
+        });
+        const responseData = await idpResponse.json().catch(() => ({}));
+        if (!idpResponse.ok) {
+            console.error('[VALIDATE_PASSWORD] IDP error:', {
+                status: idpResponse.status,
+                response: responseData,
+            });
+            return server_1.NextResponse.json({
+                is_valid: false,
+                score: 0,
+                failed_requirements: ['Password validation failed'],
+            }, {
+                status: 200,
+                headers: { 'Cache-Control': 'no-store' },
+            });
+        }
+        // Return the IDP response with proper structure
+        return server_1.NextResponse.json(responseData, {
+            status: 200,
+            headers: { 'Cache-Control': 'no-store' },
+        });
+    }
+    catch (error) {
+        console.error('[VALIDATE_PASSWORD] Error:', error);
+        return server_1.NextResponse.json({
+            is_valid: false,
+            score: 0,
+            failed_requirements: ['Password validation failed'],
+        }, {
+            status: 200,
+            headers: { 'Cache-Control': 'no-store' },
+        });
+    }
+}

package/dist/api-handlers/account/verify-email.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Verify Email 2FA Code Handler
+ *
+ * Verifies the 2FA email verification code and completes the 2FA flow.
+ * Updates the session with new tokens upon successful verification.
+ *
+ * @package @payez/next-mvp
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    error: string;
+    code: string;
+}> | NextResponse<{
+    success: boolean;
+    error: any;
+    code: any;
+    meta: {
+        attemptedRefresh: boolean;
+    };
+}> | NextResponse<{
+    success: boolean;
+    verificationSuccessful: boolean;
+    twoFactorSessionVerified: boolean;
+    message: any;
+}>>;

package/dist/api-handlers/account/verify-email.js

@@ -0,0 +1,106 @@
+"use strict";
+/**
+ * Verify Email 2FA Code Handler
+ *
+ * Verifies the 2FA email verification code and completes the 2FA flow.
+ * Updates the session with new tokens upon successful verification.
+ *
+ * @package @payez/next-mvp
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+const idp_fetch_1 = require("../../lib/idp-fetch");
+const env_1 = require("../../config/env");
+const test_aware_get_token_1 = require("../../lib/test-aware-get-token");
+const session_store_1 = require("../../lib/session-store");
+const jwt_decode_1 = require("../../lib/jwt-decode");
+async function POST(req) {
+    try {
+        // Parse request body
+        const body = await req.json();
+        const verificationCode = body.verificationCode || body.verification_code;
+        if (!verificationCode) {
+            return server_1.NextResponse.json({
+                success: false,
+                error: 'Verification code is required',
+                code: 'INVALID_REQUEST',
+            }, { status: 400 });
+        }
+        // Call IDP using idpFetchJSON which auto-injects Bearer token from Redis session
+        const result = await (0, idp_fetch_1.idpFetchJSON)(req, `${env_1.ENV_CONFIG.IDP_URL}/api/ExternalAuth/twofa/email/verify`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ verification_code: verificationCode }),
+        });
+        if (!result.ok) {
+            return server_1.NextResponse.json({
+                success: false,
+                error: result.json?.message || 'Verification failed',
+                code: result.json?.code || 'IDP_ERROR',
+                meta: { attemptedRefresh: result.attemptedRefresh },
+            }, { status: result.status });
+        }
+        // Unwrap IDP envelope
+        const unwrappedData = result.json?.data || result.json;
+        // If we have new tokens, update the session to complete 2FA
+        if (unwrappedData.access_token && unwrappedData.refresh_token) {
+            // Get session token from NextAuth
+            // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+            const token = await (0, test_aware_get_token_1.getTokenTestAware)(req);
+            const sessionToken = (token?.sessionToken || token?.redisSessionId);
+            if (sessionToken) {
+                console.log('[VERIFY_EMAIL] Updating session with new tokens');
+                // Decode access token to get actual expiration
+                let accessTokenExpires = Date.now() + (15 * 60 * 1000); // Default: 15 minutes
+                try {
+                    const decoded = (0, jwt_decode_1.jwtDecode)(unwrappedData.access_token);
+                    if (decoded?.exp) {
+                        accessTokenExpires = decoded.exp * 1000; // Convert to milliseconds
+                    }
+                }
+                catch (err) {
+                    console.warn('[VERIFY_EMAIL] Could not decode access token, using default expiration');
+                }
+                // Decode refresh token to get actual expiration (optional)
+                let refreshTokenExpires = Date.now() + (3 * 24 * 60 * 60 * 1000); // Default: 3 days
+                try {
+                    const decoded = (0, jwt_decode_1.jwtDecode)(unwrappedData.refresh_token);
+                    if (decoded?.exp) {
+                        refreshTokenExpires = decoded.exp * 1000;
+                    }
+                }
+                catch {
+                    // Refresh token may not have exp claim, use default
+                }
+                // Update session with new tokens and mark 2FA complete
+                await (0, session_store_1.transitionTo2FASession)(sessionToken, {
+                    accessToken: unwrappedData.access_token,
+                    refreshToken: unwrappedData.refresh_token,
+                    accessTokenExpires,
+                    refreshTokenExpires
+                }, 'email' // Store 2FA method for refresh token flow
+                );
+                console.log('[VERIFY_EMAIL] Session updated successfully', {
+                    accessTokenExpires: new Date(accessTokenExpires).toISOString(),
+                    refreshTokenExpires: new Date(refreshTokenExpires).toISOString()
+                });
+            }
+        }
+        // Return simplified success response (don't expose tokens to client)
+        return server_1.NextResponse.json({
+            success: true,
+            verificationSuccessful: true,
+            twoFactorSessionVerified: true,
+            message: unwrappedData.message || 'Email code verified successfully'
+        }, { status: 200 });
+    }
+    catch (error) {
+        console.error('[VERIFY_EMAIL] Error:', error);
+        return server_1.NextResponse.json({
+            success: false,
+            error: 'Failed to verify code',
+            code: 'INTERNAL_ERROR',
+        }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/verify-sms.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Verify SMS 2FA Code Handler
+ *
+ * Verifies the 2FA SMS verification code and completes the 2FA flow.
+ * Updates the session with new tokens upon successful verification.
+ *
+ * @package @payez/next-mvp
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    error: string;
+    code: string;
+}> | NextResponse<{
+    success: boolean;
+    error: any;
+    code: any;
+    meta: {
+        attemptedRefresh: boolean;
+    };
+}> | NextResponse<{
+    success: boolean;
+    verificationSuccessful: boolean;
+    twoFactorSessionVerified: boolean;
+    message: any;
+}>>;