@payez/next-mvp 3.0.0

package/dist/lib/idp-client-config.js

@@ -0,0 +1,351 @@
+"use strict";
+/**
+ * IDP Client Configuration
+ *
+ * Fetches full client configuration from IDP including:
+ * - OAuth provider credentials (from Key Vault)
+ * - 2FA/MFA settings
+ * - Session configuration
+ * - NextAuth secret
+ * - Branding
+ *
+ * CACHING STRATEGY:
+ * 1. In-memory cache (fastest, but lost on module reload in dev)
+ * 2. Redis cache (survives module reloads, shared across instances)
+ * 3. IDP fetch (when both caches miss)
+ *
+ * NO FALLBACKS. If IDP doesn't respond correctly, we fail loud.
+ *
+ * @version 2.0.0 - Added Redis-backed caching
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIDPClientConfig = getIDPClientConfig;
+exports.clearConfigCache = clearConfigCache;
+exports.getEnabledProviders = getEnabledProviders;
+require("server-only");
+const crypto_1 = require("crypto");
+const redis_1 = __importDefault(require("./redis"));
+// ============================================================================
+// Cache & Fetch Deduplication
+// ============================================================================
+let cachedConfig = null;
+let cacheExpiry = 0;
+let pendingFetch = null; // Prevents parallel fetches
+// ============================================================================
+// Redis Cache Configuration
+// ============================================================================
+const REDIS_CONFIG_KEY_PREFIX = 'idp_config:';
+function getRedisConfigKey() {
+    const clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_CLIENT_ID || 'default';
+    return `${REDIS_CONFIG_KEY_PREFIX}${clientId}`;
+}
+async function getConfigFromRedis() {
+    try {
+        const key = getRedisConfigKey();
+        const cached = await redis_1.default.get(key);
+        if (!cached)
+            return null;
+        const parsed = JSON.parse(cached);
+        if (Date.now() >= parsed.expiresAt) {
+            // Expired, delete it
+            await redis_1.default.del(key);
+            return null;
+        }
+        return parsed.config;
+    }
+    catch (error) {
+        console.warn('[IDP_CONFIG] Failed to read from Redis cache:', error);
+        return null;
+    }
+}
+async function setConfigInRedis(config) {
+    try {
+        const key = getRedisConfigKey();
+        const ttlSeconds = config.configCacheTtlSeconds || 300;
+        const data = {
+            config,
+            expiresAt: Date.now() + (ttlSeconds * 1000)
+        };
+        // Store with TTL slightly longer than the logical expiry to allow for clock skew
+        await redis_1.default.set(key, JSON.stringify(data), 'EX', ttlSeconds + 10);
+    }
+    catch (error) {
+        console.warn('[IDP_CONFIG] Failed to write to Redis cache:', error);
+    }
+}
+// ============================================================================
+// Circuit Breaker & Backoff State
+// ============================================================================
+let consecutiveFailures = 0;
+let lastFailureTime = 0;
+const MAX_FAILURES = 3;
+const CIRCUIT_OPEN_MS = 300000; // 5 minutes
+const MAX_BACKOFF_MS = 30000; // 30 seconds max backoff
+// ============================================================================
+// Main Functions
+// ============================================================================
+/**
+ * Get IDP client configuration with multi-tier caching.
+ *
+ * Caching layers (checked in order):
+ * 1. In-memory cache (fastest, lost on module reload in dev)
+ * 2. Redis cache (survives module reloads)
+ * 3. IDP fetch (when both caches miss)
+ *
+ * THROWS if IDP is unavailable or misconfigured. No fallbacks.
+ */
+async function getIDPClientConfig(forceRefresh = false) {
+    const now = Date.now();
+    // Layer 1: Return in-memory cached if still valid (skip if forceRefresh)
+    if (!forceRefresh && cachedConfig && now < cacheExpiry) {
+        return cachedConfig;
+    }
+    // If a fetch is already in progress, wait for it instead of starting another
+    if (pendingFetch) {
+        return pendingFetch;
+    }
+    // Layer 2: Check Redis cache (skip if forceRefresh - startup should always get fresh data)
+    if (!forceRefresh) {
+        const redisConfig = await getConfigFromRedis();
+        if (redisConfig) {
+            // Restore to in-memory cache
+            cachedConfig = redisConfig;
+            cacheExpiry = Date.now() + ((redisConfig.configCacheTtlSeconds || 300) * 1000);
+            // Set NEXTAUTH_SECRET from cached config
+            if (redisConfig.nextAuthSecret) {
+                process.env.NEXTAUTH_SECRET = redisConfig.nextAuthSecret;
+            }
+            // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from cached config
+            // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
+            if (redisConfig.baseClientUrl) {
+                process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = redisConfig.baseClientUrl;
+            }
+            return redisConfig;
+        }
+    }
+    // Layer 3: Fetch from IDP
+    const idpUrl = process.env.IDP_URL;
+    const clientIdStr = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_CLIENT_ID;
+    if (!idpUrl) {
+        throw new Error('[IDP_CONFIG] FATAL: IDP_URL must be set');
+    }
+    if (!clientIdStr) {
+        throw new Error('[IDP_CONFIG] FATAL: CLIENT_ID or NEXT_PUBLIC_CLIENT_ID must be set');
+    }
+    // Start fetch and store promise so concurrent callers wait for same result
+    pendingFetch = fetchConfigFromIDP(idpUrl, clientIdStr)
+        .then(async (config) => {
+        // Cache with TTL from response (default 5 minutes)
+        cachedConfig = config;
+        cacheExpiry = Date.now() + ((config.configCacheTtlSeconds || 300) * 1000);
+        // Store in Redis for persistence across module reloads
+        await setConfigInRedis(config);
+        // Set NEXTAUTH_SECRET from config
+        if (config.nextAuthSecret) {
+            process.env.NEXTAUTH_SECRET = config.nextAuthSecret;
+        }
+        else {
+            throw new Error('[IDP_CONFIG] FATAL: IDP did not return nextAuthSecret');
+        }
+        // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from config
+        // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
+        if (config.baseClientUrl) {
+            process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = config.baseClientUrl;
+            console.log("[IDP_CONFIG] Set IDENTITY_CLIENT_BASE_EXTERNAL_URL:", config.baseClientUrl);
+        }
+        return config;
+    })
+        .finally(() => {
+        pendingFetch = null; // Clear so next cache miss can fetch again
+    });
+    return pendingFetch;
+}
+/**
+ * Clear the config cache (useful for testing or forced refresh)
+ */
+function clearConfigCache() {
+    cachedConfig = null;
+    cacheExpiry = 0;
+}
+/**
+ * Get enabled OAuth providers from config
+ */
+function getEnabledProviders(config) {
+    return config.oauthProviders?.filter(p => p.enabled) || [];
+}
+// ============================================================================
+// Internal Functions
+// ============================================================================
+async function fetchConfigFromIDP(idpUrl, clientIdStr) {
+    // =========================================================================
+    // Circuit Breaker Check
+    // =========================================================================
+    if (consecutiveFailures >= MAX_FAILURES) {
+        const timeSinceFailure = Date.now() - lastFailureTime;
+        if (timeSinceFailure < CIRCUIT_OPEN_MS) {
+            // Circuit is open - return stale cache if available
+            if (cachedConfig) {
+                return cachedConfig;
+            }
+            throw new Error(`[IDP_CONFIG] Circuit breaker OPEN - no cached config available. Retry in ${Math.round((CIRCUIT_OPEN_MS - timeSinceFailure) / 1000)}s`);
+        }
+        // Half-open state: allow one request to test
+        consecutiveFailures = MAX_FAILURES - 1;
+    }
+    // =========================================================================
+    // Exponential Backoff Check
+    // =========================================================================
+    if (consecutiveFailures > 0) {
+        const backoffMs = Math.min(1000 * Math.pow(2, consecutiveFailures), MAX_BACKOFF_MS);
+        const timeSinceFailure = Date.now() - lastFailureTime;
+        if (timeSinceFailure < backoffMs) {
+            const remainingMs = backoffMs - timeSinceFailure;
+            // Return stale cache during backoff if available
+            if (cachedConfig) {
+                return cachedConfig;
+            }
+            throw new Error(`[IDP_CONFIG] In backoff period - retry in ${Math.round(remainingMs)}ms`);
+        }
+    }
+    try {
+        // Step 1: Get signed client assertion from IDP
+        const signingUrl = `${idpUrl.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`;
+        const signingPayload = {
+            issuer: clientIdStr,
+            subject: clientIdStr,
+            audience: 'urn:payez:externalauth:clientconfig',
+            expires_in: 60
+        };
+        const signingResp = await fetch(signingUrl, {
+            method: 'POST',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json',
+                'X-Client-Id': clientIdStr,
+                'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+            },
+            body: JSON.stringify(signingPayload),
+            cache: 'no-store'
+        });
+        if (!signingResp.ok) {
+            const txt = await signingResp.text().catch(() => 'Unknown error');
+            throw new Error(`[IDP_CONFIG] FATAL: Failed to sign client assertion: ${signingResp.status} - ${txt}`);
+        }
+        const signingBody = await signingResp.json().catch(() => null);
+        if (!signingBody) {
+            throw new Error('[IDP_CONFIG] FATAL: IDP returned empty or invalid JSON for sign-client-assertion');
+        }
+        // Per PayEz API standard: response is { success, data: { client_assertion }, ... }
+        // But IDP might use camelCase (clientAssertion) - check both
+        const client_assertion = (signingBody?.data?.client_assertion ??
+            signingBody?.data?.clientAssertion);
+        if (!client_assertion) {
+            console.error('[IDP_CONFIG] FATAL: Full response body:', JSON.stringify(signingBody, null, 2));
+            throw new Error(`[IDP_CONFIG] FATAL: IDP response missing client_assertion. Got keys: ${JSON.stringify(Object.keys(signingBody?.data || signingBody || {}))}`);
+        }
+        // Step 2: Fetch client config using the assertion
+        const configUrl = `${idpUrl.replace(/\/$/, '')}/api/ExternalAuth/client-config`;
+        const configResp = await fetch(configUrl, {
+            method: 'POST',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json',
+                'X-Client-Id': clientIdStr,
+                'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+            },
+            body: JSON.stringify({ client_assertion }),
+            cache: 'no-store'
+        });
+        if (!configResp.ok) {
+            const txt = await configResp.text().catch(() => 'Unknown error');
+            throw new Error(`[IDP_CONFIG] FATAL: Failed to fetch client config: ${configResp.status} - ${txt}`);
+        }
+        const configBody = await configResp.json().catch(() => null);
+        if (!configBody) {
+            throw new Error('[IDP_CONFIG] FATAL: IDP returned empty or invalid JSON for client-config');
+        }
+        // Per PayEz API standard: response is wrapped in { success, data: {...} }
+        const configData = configBody?.data;
+        if (!configData || typeof configData !== 'object') {
+            console.error('[IDP_CONFIG] FATAL: Full config response body:', JSON.stringify(configBody, null, 2));
+            throw new Error('[IDP_CONFIG] FATAL: IDP client-config response missing data envelope');
+        }
+        // Validate required fields - handle both number and string client_id
+        const rawClientId = configData.clientId ?? configData.client_id;
+        if (rawClientId === undefined || rawClientId === null) {
+            throw new Error(`[IDP_CONFIG] FATAL: IDP response missing clientId/client_id. Got: ${JSON.stringify(Object.keys(configData))}`);
+        }
+        // Map response to our interface (IDP always returns snake_case)
+        const config = {
+            clientId: typeof rawClientId === 'string' ? parseInt(rawClientId, 10) : rawClientId,
+            clientSlug: configData.clientSlug ?? configData.client_slug ?? configData.slug ?? '',
+            nextAuthSecret: configData.nextAuthSecret ?? configData.next_auth_secret ?? '',
+            configCacheTtlSeconds: configData.configCacheTtlSeconds ?? configData.config_cache_ttl_seconds ?? 300,
+            oauthProviders: (configData.oauthProviders ?? configData.oauth_providers ?? []).map((p) => ({
+                provider: p.provider ?? '',
+                enabled: p.enabled ?? false,
+                clientId: p.clientId ?? p.client_id ?? '',
+                clientSecret: p.clientSecret ?? p.client_secret ?? '',
+                scopes: p.scopes,
+                additionalParams: p.additionalParams ?? p.additional_params
+            })),
+            authSettings: {
+                require2FA: (() => {
+                    // Check nested locations first (canonical)
+                    const nested = configData.authSettings?.require2FA ?? configData.auth_settings?.require_2fa;
+                    if (nested !== undefined)
+                        return nested;
+                    // TRANSITION FALLBACK: Check top-level (deprecated)
+                    const topLevel = configData.require2FA ?? configData.require_2fa;
+                    if (topLevel !== undefined) {
+                        console.warn('[IDP_CONFIG] DEPRECATION: require2FA found at top-level. Should be nested under auth_settings. Update IDP.');
+                        return topLevel;
+                    }
+                    return true; // Default to true for security
+                })(),
+                allowed2FAMethods: configData.authSettings?.allowed2FAMethods ?? configData.auth_settings?.allowed_2fa_methods ?? ['email', 'sms'],
+                mfaGracePeriodHours: configData.authSettings?.mfaGracePeriodHours ?? configData.auth_settings?.mfa_grace_period_hours ?? 24,
+                mfaRememberDeviceDays: configData.authSettings?.mfaRememberDeviceDays ?? configData.auth_settings?.mfa_remember_device_days ?? 30,
+                sessionTimeoutMinutes: configData.authSettings?.sessionTimeoutMinutes ?? configData.auth_settings?.session_timeout_minutes ?? 60,
+                idleTimeoutMinutes: configData.authSettings?.idleTimeoutMinutes ?? configData.auth_settings?.idle_timeout_minutes ?? 15,
+                allowRememberMe: configData.authSettings?.allowRememberMe ?? configData.auth_settings?.allow_remember_me ?? true,
+                rememberMeDays: configData.authSettings?.rememberMeDays ?? configData.auth_settings?.remember_me_days ?? 30,
+                lockoutThreshold: configData.authSettings?.lockoutThreshold ?? configData.auth_settings?.lockout_threshold ?? 5,
+                lockoutDurationMinutes: configData.authSettings?.lockoutDurationMinutes ?? configData.auth_settings?.lockout_duration_minutes ?? 15
+            },
+            branding: {
+                theme: configData.branding?.theme,
+                primaryColor: configData.branding?.primaryColor ?? configData.branding?.primary_color,
+                secondaryColor: configData.branding?.secondaryColor ?? configData.branding?.secondary_color,
+                logoUrl: configData.branding?.logoUrl ?? configData.branding?.logo_url
+            },
+            baseClientUrl: configData.baseClientUrl ?? configData.base_client_url ?? configData.BaseClientUrl
+        };
+        // Debug: log what we got for baseClientUrl
+        console.log(`[IDP_CONFIG] Parsed baseClientUrl:`, config.baseClientUrl, `| raw keys:`, Object.keys(configData).filter(k => k.toLowerCase().includes('client')));
+        // Validate we got what we need
+        if (!config.clientId) {
+            throw new Error('[IDP_CONFIG] FATAL: clientId is 0 or missing after parsing');
+        }
+        if (!config.nextAuthSecret) {
+            throw new Error('[IDP_CONFIG] FATAL: nextAuthSecret is empty after parsing');
+        }
+        // Success - reset failure tracking
+        consecutiveFailures = 0;
+        return config;
+    }
+    catch (error) {
+        // Track failure for circuit breaker
+        consecutiveFailures++;
+        lastFailureTime = Date.now();
+        console.error('[IDP_CONFIG] Fetch failed', {
+            consecutiveFailures,
+            maxFailures: MAX_FAILURES,
+            error: error instanceof Error ? error.message : String(error)
+        });
+        throw error;
+    }
+}

package/dist/lib/idp-fetch.d.ts

@@ -0,0 +1,14 @@
+import { NextRequest } from 'next/server';
+/**
+ * Centralized IDP fetch helper
+ * - Injects Bearer from Redis session
+ * - If access token is expired/near-expiry, triggers one refresh and retries fetch once
+ * - Returns parsed JSON and HTTP status
+ */
+export interface IdpFetchResult<T = any> {
+    ok: boolean;
+    status: number;
+    json: T | null;
+    attemptedRefresh: boolean;
+}
+export declare function idpFetchJSON<T = any>(req: NextRequest, targetUrl: string, init?: RequestInit): Promise<IdpFetchResult<T>>;

package/dist/lib/idp-fetch.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.idpFetchJSON = idpFetchJSON;
+const test_aware_get_token_1 = require("./test-aware-get-token");
+const session_store_1 = require("./session-store");
+const internal_api_1 = require("./internal-api");
+function buildHeaders(req, bearer, extra) {
+    const headers = {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+        ...extra,
+    };
+    const xfwd = req.headers.get('x-forwarded-for') || req.headers.get('x-real-ip');
+    if (xfwd)
+        headers['X-Forwarded-For'] = xfwd.split(',')[0].trim();
+    const ua = req.headers.get('user-agent');
+    if (ua)
+        headers['User-Agent'] = ua;
+    if (bearer)
+        headers['Authorization'] = `Bearer ${bearer}`;
+    return headers;
+}
+async function ensureFreshAccessToken(req) {
+    const token = await (0, test_aware_get_token_1.getTokenTestAware)(req);
+    // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+    const sessionToken = (token?.sessionToken || token?.redisSessionId);
+    console.log('[IDP_FETCH] ensureFreshAccessToken:', {
+        hasToken: !!token,
+        sessionToken: sessionToken?.substring(0, 20) + '...',
+        pathname: req.nextUrl.pathname
+    });
+    if (!sessionToken) {
+        console.warn('[IDP_FETCH] No sessionToken found in JWT - Bearer token will NOT be sent!');
+        return {};
+    }
+    let session = await (0, session_store_1.getSession)(sessionToken);
+    console.log('[IDP_FETCH] Redis session lookup:', {
+        hasSession: !!session,
+        hasAccessToken: !!session?.idpAccessToken,
+        bearerKeyId: session?.bearerKeyId || 'NOT_SET',
+        idpClientId: session?.idpClientId || 'NOT_SET',
+    });
+    if (!session?.idpAccessToken)
+        return { sessionToken };
+    const now = Date.now();
+    const timeLeft = (session.idpAccessTokenExpires ?? now) - now;
+    // Treat tokens as effectively expired if within 5 minutes of expiry
+    if (timeLeft > 5 * 60 * 1000) {
+        return { sessionToken, accessToken: session.idpAccessToken };
+    }
+    // attempt refresh once via centralized internal API helper
+    try {
+        await (0, internal_api_1.internalRefresh)(req.headers.get('cookie') || '', sessionToken);
+    }
+    catch { }
+    session = await (0, session_store_1.getSession)(sessionToken);
+    return { sessionToken, accessToken: session?.idpAccessToken };
+}
+async function idpFetchJSON(req, targetUrl, init = {}) {
+    let attemptedRefresh = false;
+    let { accessToken, sessionToken } = await ensureFreshAccessToken(req);
+    const makeCall = async (bearer) => {
+        const res = await fetch(targetUrl, {
+            ...init,
+            headers: buildHeaders(req, bearer, init.headers),
+        });
+        let json = null;
+        try {
+            json = await res.json();
+        }
+        catch {
+            json = null;
+        }
+        return { res, json };
+    };
+    // First attempt
+    let { res, json } = await makeCall(accessToken);
+    if ((res.status === 401 || res.status === 403) && sessionToken && !attemptedRefresh) {
+        attemptedRefresh = true;
+        try {
+            // Use centralized internal API helper for server-to-server calls
+            const rf = await (0, internal_api_1.internalRefresh)(req.headers.get('cookie') || '', sessionToken);
+            if (rf.ok) {
+                const fresh = await (0, session_store_1.getSession)(sessionToken);
+                ({ res, json } = await makeCall(fresh?.idpAccessToken));
+            }
+        }
+        catch { }
+    }
+    return { ok: res.ok, status: res.status, json: json, attemptedRefresh };
+}

package/dist/lib/internal-api.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Centralized internal API helper for the app to call ITSELF.
+ *
+ * IMPORTANT: All calls from the Next.js server to its own API routes MUST use
+ * these functions. Never use req.url, req.nextUrl.origin, or construct URLs
+ * from the incoming request.
+ *
+ * WHY HTTP IS REQUIRED (not optional):
+ * - This is the app calling its OWN backend within the same pod/container
+ * - NextAuth cookies are encrypted based on request protocol
+ * - TLS is terminated at ingress, so the pod receives HTTP internally
+ * - Using HTTPS here causes cookie decryption failures and 403 errors
+ * - This is NOT about "K8s traffic doesn't need TLS" - it's about
+ *   protocol consistency for cookie/session encryption
+ *
+ * Environment:
+ * - INTERNAL_API_URL: Required in production (e.g., http://service.namespace.svc.cluster.local:80)
+ * - Falls back to http://localhost:3200 in development only
+ */
+/**
+ * Get the internal API base URL for the app to call itself.
+ *
+ * @throws Error in production if INTERNAL_API_URL is not set
+ * @returns The base URL (no trailing slash)
+ */
+export declare function getInternalApiUrl(): string;
+/**
+ * Options for internal fetch calls
+ */
+export interface InternalFetchOptions extends Omit<RequestInit, 'headers'> {
+    /** Additional headers to include */
+    headers?: Record<string, string>;
+    /** Cookie header to forward (typically from req.headers.get('cookie')) */
+    cookie?: string;
+    /** Session token for x-session-token header */
+    sessionToken?: string;
+    /** Request ID for tracing */
+    requestId?: string;
+    /** Parse response as JSON (default: true) */
+    parseJson?: boolean;
+}
+/**
+ * Result of an internal fetch call
+ */
+export interface InternalFetchResult<T = unknown> {
+    ok: boolean;
+    status: number;
+    statusText: string;
+    data: T | null;
+    response: Response;
+}
+/**
+ * Make a fetch call to an internal API route (app calling itself).
+ *
+ * @param path - The API path (e.g., '/api/auth/refresh')
+ * @param options - Fetch options
+ * @returns The fetch result with parsed data
+ *
+ * @example
+ * ```ts
+ * // Simple GET
+ * const result = await internalFetch('/api/health');
+ *
+ * // POST with session
+ * const result = await internalFetch('/api/auth/refresh', {
+ *   method: 'POST',
+ *   cookie: req.headers.get('cookie') || '',
+ *   sessionToken: token.redisSessionId,
+ *   body: JSON.stringify({ refresh_token: refreshToken }),
+ * });
+ * ```
+ */
+export declare function internalFetch<T = unknown>(path: string, options?: InternalFetchOptions): Promise<InternalFetchResult<T>>;
+/**
+ * Trigger a token refresh via the internal API.
+ * This is a convenience wrapper for the common refresh pattern.
+ *
+ * @param cookie - The cookie header from the incoming request
+ * @param sessionToken - The session token
+ * @param refreshToken - Optional refresh token to include in body
+ * @param requestId - Optional request ID for tracing
+ * @returns Whether the refresh was successful
+ */
+export declare function internalRefresh(cookie: string, sessionToken: string, refreshToken?: string, requestId?: string): Promise<{
+    ok: boolean;
+    status: number;
+}>;

package/dist/lib/internal-api.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * Centralized internal API helper for the app to call ITSELF.
+ *
+ * IMPORTANT: All calls from the Next.js server to its own API routes MUST use
+ * these functions. Never use req.url, req.nextUrl.origin, or construct URLs
+ * from the incoming request.
+ *
+ * WHY HTTP IS REQUIRED (not optional):
+ * - This is the app calling its OWN backend within the same pod/container
+ * - NextAuth cookies are encrypted based on request protocol
+ * - TLS is terminated at ingress, so the pod receives HTTP internally
+ * - Using HTTPS here causes cookie decryption failures and 403 errors
+ * - This is NOT about "K8s traffic doesn't need TLS" - it's about
+ *   protocol consistency for cookie/session encryption
+ *
+ * Environment:
+ * - INTERNAL_API_URL: Required in production (e.g., http://service.namespace.svc.cluster.local:80)
+ * - Falls back to http://localhost:3200 in development only
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getInternalApiUrl = getInternalApiUrl;
+exports.internalFetch = internalFetch;
+exports.internalRefresh = internalRefresh;
+/**
+ * Get the internal API base URL for the app to call itself.
+ *
+ * @throws Error in production if INTERNAL_API_URL is not set
+ * @returns The base URL (no trailing slash)
+ */
+function getInternalApiUrl() {
+    const url = process.env.INTERNAL_API_URL;
+    if (url)
+        return url.replace(/\/$/, ''); // strip trailing slash
+    if (process.env.NODE_ENV !== 'production') {
+        return 'http://localhost:3200';
+    }
+    throw new Error('[INTERNAL_API_URL] FATAL: INTERNAL_API_URL environment variable is REQUIRED in production. ' +
+        'This is for the app to call ITSELF. MUST be HTTP (not HTTPS) due to cookie encryption. ' +
+        'Set to http://service.namespace.svc.cluster.local:80');
+}
+/**
+ * Make a fetch call to an internal API route (app calling itself).
+ *
+ * @param path - The API path (e.g., '/api/auth/refresh')
+ * @param options - Fetch options
+ * @returns The fetch result with parsed data
+ *
+ * @example
+ * ```ts
+ * // Simple GET
+ * const result = await internalFetch('/api/health');
+ *
+ * // POST with session
+ * const result = await internalFetch('/api/auth/refresh', {
+ *   method: 'POST',
+ *   cookie: req.headers.get('cookie') || '',
+ *   sessionToken: token.redisSessionId,
+ *   body: JSON.stringify({ refresh_token: refreshToken }),
+ * });
+ * ```
+ */
+async function internalFetch(path, options = {}) {
+    const { headers: extraHeaders = {}, cookie, sessionToken, requestId, parseJson = true, ...fetchOptions } = options;
+    const baseUrl = getInternalApiUrl();
+    const url = `${baseUrl}${path.startsWith('/') ? path : `/${path}`}`;
+    // Build headers
+    const headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+        ...extraHeaders,
+    };
+    if (cookie) {
+        headers['Cookie'] = cookie;
+    }
+    if (sessionToken) {
+        headers['X-Session-Token'] = sessionToken;
+    }
+    if (requestId) {
+        headers['X-Request-Id'] = requestId;
+    }
+    const response = await fetch(url, {
+        ...fetchOptions,
+        headers,
+    });
+    let data = null;
+    if (parseJson) {
+        try {
+            data = await response.json();
+        }
+        catch {
+            data = null;
+        }
+    }
+    return {
+        ok: response.ok,
+        status: response.status,
+        statusText: response.statusText,
+        data,
+        response,
+    };
+}
+/**
+ * Trigger a token refresh via the internal API.
+ * This is a convenience wrapper for the common refresh pattern.
+ *
+ * @param cookie - The cookie header from the incoming request
+ * @param sessionToken - The session token
+ * @param refreshToken - Optional refresh token to include in body
+ * @param requestId - Optional request ID for tracing
+ * @returns Whether the refresh was successful
+ */
+async function internalRefresh(cookie, sessionToken, refreshToken, requestId) {
+    const result = await internalFetch('/api/auth/refresh', {
+        method: 'POST',
+        cookie,
+        sessionToken,
+        requestId,
+        body: refreshToken ? JSON.stringify({ refresh_token: refreshToken }) : undefined,
+    });
+    return { ok: result.ok, status: result.status };
+}

package/dist/lib/jwt-decode-client.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Client-safe JWT decode (no Node.js dependencies)
+ * This is a lightweight version for browser usage
+ */
+/**
+ * Simple JWT decode for client-side use (no signature verification)
+ * @param token - JWT token string
+ * @returns Decoded payload or null if invalid
+ */
+export declare function jwtDecode<T = any>(token: string): T | null;