@payez/next-mvp 3.0.0

package/dist/routes/auth/nextauth.js

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * Ready-to-Use NextAuth Route Handler
+ *
+ * Provides a pre-configured NextAuth handler that uses dynamic OAuth providers
+ * loaded from IDP at startup via getAuthOptions().
+ *
+ * @version 2.2.0 - Dynamic provider loading from IDP
+ * @since auth-ready-v2-hotfix
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+exports.POST = POST;
+const next_auth_1 = __importDefault(require("next-auth"));
+const auth_options_1 = require("../../auth/auth-options");
+// Cached handler - built once with dynamic providers
+let cachedHandler = null;
+let handlerPromise = null;
+/**
+ * Get or build the NextAuth handler with dynamic providers.
+ * Uses caching to avoid rebuilding on every request.
+ */
+async function getHandler() {
+    // Return cached if available
+    if (cachedHandler) {
+        return cachedHandler;
+    }
+    // Prevent concurrent builds
+    if (handlerPromise) {
+        return handlerPromise;
+    }
+    handlerPromise = (async () => {
+        try {
+            // Try to get dynamic auth options from IDP
+            const options = await (0, auth_options_1.getAuthOptions)();
+            console.log('[NEXTAUTH_ROUTE] Built handler with dynamic providers');
+            cachedHandler = (0, next_auth_1.default)(options);
+            return cachedHandler;
+        }
+        catch (error) {
+            // Fallback to static options if IDP unavailable
+            console.warn('[NEXTAUTH_ROUTE] Failed to get dynamic options, using static fallback:', {
+                error: error instanceof Error ? error.message : String(error)
+            });
+            cachedHandler = (0, next_auth_1.default)(auth_options_1.authOptions);
+            return cachedHandler;
+        }
+        finally {
+            handlerPromise = null;
+        }
+    })();
+    return handlerPromise;
+}
+/**
+ * GET handler for NextAuth
+ * Uses async factory to get dynamic providers from IDP
+ */
+async function GET(request, context) {
+    const handler = await getHandler();
+    return handler(request, context);
+}
+/**
+ * POST handler for NextAuth
+ * Uses async factory to get dynamic providers from IDP
+ */
+async function POST(request, context) {
+    const handler = await getHandler();
+    return handler(request, context);
+}

package/dist/routes/auth/refresh.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Ready-to-Use Refresh Token Route
+ *
+ * Provides a pre-configured refresh handler that can be imported directly
+ * into your app's API routes with zero configuration.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/refresh/route.ts
+ * export { POST } from '@payez/next-mvp/routes/auth/refresh';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+import { NextRequest } from 'next/server';
+export declare function POST(req: NextRequest): Promise<import("next/server").NextResponse<{
+    error: string;
+    code: string;
+}> | import("next/server").NextResponse<{
+    error: any;
+    code: any;
+    discardToken: boolean;
+    retryable: boolean;
+    resolution: any;
+}> | import("next/server").NextResponse<{
+    refreshed: boolean;
+    accessTokenExpires: number;
+    hasRefreshToken: boolean;
+}>>;

package/dist/routes/auth/refresh.js

@@ -0,0 +1,51 @@
+"use strict";
+/**
+ * Ready-to-Use Refresh Token Route
+ *
+ * Provides a pre-configured refresh handler that can be imported directly
+ * into your app's API routes with zero configuration.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/refresh/route.ts
+ * export { POST } from '@payez/next-mvp/routes/auth/refresh';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const refresh_1 = require("../../api-handlers/auth/refresh");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+// Configuration is read at runtime from IDP config (cached)
+async function getConfig() {
+    const idpConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+    const idpBaseUrl = process.env.IDP_URL;
+    if (!idpBaseUrl) {
+        throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
+    }
+    return {
+        idpBaseUrl,
+        clientId: process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID || '',
+        nextAuthSecret: idpConfig.nextAuthSecret || '',
+        refreshEndpoint: process.env.REFRESH_ENDPOINT || '/api/ExternalAuth/refresh',
+    };
+}
+/**
+ * Pre-configured POST handler for token refresh
+ *
+ * Environment variables used:
+ * - IDP_URL (REQUIRED)
+ * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
+ * - NEXTAUTH_SECRET (required)
+ * - REFRESH_ENDPOINT (default: /api/ExternalAuth/refresh)
+ */
+let _handler = null;
+async function POST(req) {
+    if (!_handler) {
+        const config = await getConfig();
+        _handler = (0, refresh_1.createRefreshHandler)(config);
+    }
+    return _handler(req);
+}

package/dist/routes/auth/session.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Ready-to-Use Session Management Route
+ *
+ * Provides pre-configured session handlers for checking and updating session state.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/session/route.ts
+ * export { GET, POST } from '@payez/next-mvp/routes/auth/session';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * GET /api/auth/session - Check current session status
+ *
+ * Returns the current session information including:
+ * - User details
+ * - Token expiry status
+ * - Session validity
+ */
+export declare function GET(req: NextRequest): Promise<NextResponse<{
+    authenticated: boolean;
+    message: string;
+}> | NextResponse<{
+    user: {
+        id: string | undefined;
+        email: string | null | undefined;
+        name: string | null | undefined;
+        image: any;
+        roles: string[];
+        twoFactorSessionVerified: boolean;
+        requiresTwoFactor: boolean;
+        authenticationMethods: string[] | undefined;
+        authenticationLevel: string | undefined;
+        mfaCompletedAt: number | undefined;
+        mfaExpiresAt: number | undefined;
+        mfaValidityHours: number | undefined;
+        oauthProvider: string | undefined;
+        idpClientId: string | undefined;
+        merchantId: string | undefined;
+    };
+    sessionToken: any;
+    accessToken: string | undefined;
+    refreshToken: string | undefined;
+    accessTokenExpires: number | undefined;
+    expires: string;
+}> | NextResponse<{
+    error: string;
+    details: string;
+}>>;
+/**
+ * POST /api/auth/session - Update session data
+ *
+ * Allows updating session metadata (not tokens).
+ * Token refresh should use the /api/auth/refresh endpoint.
+ *
+ * Body:
+ * - metadata: object - Custom metadata to store in session
+ */
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    error: string;
+    code: string;
+}> | NextResponse<{
+    success: boolean;
+    message: string;
+}> | NextResponse<{
+    error: string;
+    details: string;
+}>>;

package/dist/routes/auth/session.js

@@ -0,0 +1,180 @@
+"use strict";
+/**
+ * Ready-to-Use Session Management Route
+ *
+ * Provides pre-configured session handlers for checking and updating session state.
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/session/route.ts
+ * export { GET, POST } from '@payez/next-mvp/routes/auth/session';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+exports.POST = POST;
+const server_1 = require("next/server");
+const jwt_1 = require("next-auth/jwt");
+const session_store_1 = require("../../lib/session-store");
+const app_slug_1 = require("../../lib/app-slug");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+/**
+ * Get NextAuth secret from IDP config (cached).
+ * NEVER use process.env.NEXTAUTH_SECRET - it's always loaded from IDP.
+ */
+async function getNextAuthSecret() {
+    const config = await (0, idp_client_config_1.getIDPClientConfig)();
+    return config.nextAuthSecret || '';
+}
+/**
+ * GET /api/auth/session - Check current session status
+ *
+ * Returns the current session information including:
+ * - User details
+ * - Token expiry status
+ * - Session validity
+ */
+async function GET(req) {
+    try {
+        const secret = await getNextAuthSecret();
+        const cookieName = (0, app_slug_1.getJwtCookieName)();
+        // Debug logging
+        const cookieValue = req.cookies.get(cookieName)?.value;
+        console.log('[SESSION_ROUTE] GET called:', {
+            cookieName,
+            hasCookie: !!cookieValue,
+            cookieLength: cookieValue?.length || 0,
+            secretLength: secret?.length || 0,
+        });
+        const token = await (0, jwt_1.getToken)({ req, secret, cookieName });
+        if (!token) {
+            console.warn('[SESSION_ROUTE] getToken returned null');
+            return server_1.NextResponse.json({
+                authenticated: false,
+                message: 'No session found'
+            }, { status: 200 });
+        }
+        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+        const redisSessionId = token.sessionToken || token.redisSessionId;
+        console.log('[SESSION_ROUTE] Token found:', {
+            sub: token.sub,
+            email: token.email,
+            name: token.name,
+            hasExp: !!token.exp,
+            redisSessionId: redisSessionId ? redisSessionId.substring(0, 8) + '...' : 'MISSING',
+        });
+        // Fetch full session data from Redis
+        const session = redisSessionId ? await (0, session_store_1.getSession)(redisSessionId) : null;
+        console.log('[SESSION_ROUTE] Redis session:', {
+            found: !!session,
+            userId: session?.userId,
+            roles: session?.roles,
+            hasAccessToken: !!session?.idpAccessToken,
+        });
+        // Return NextAuth-compatible session format with Redis data
+        // useSession() expects: { user: {...}, expires: "..." }
+        // We enrich with all session data from Redis
+        return server_1.NextResponse.json({
+            user: {
+                id: session?.userId || token.sub,
+                email: session?.email || token.email,
+                name: session?.name || token.name,
+                image: token.picture || null,
+                // Redis session data
+                roles: session?.roles || [],
+                twoFactorSessionVerified: session?.mfaVerified || false,
+                requiresTwoFactor: !session?.mfaVerified,
+                authenticationMethods: session?.authenticationMethods,
+                authenticationLevel: session?.authenticationLevel,
+                mfaCompletedAt: session?.mfaCompletedAt,
+                mfaExpiresAt: session?.mfaExpiresAt,
+                mfaValidityHours: session?.mfaValidityHours,
+                oauthProvider: session?.oauthProvider,
+                idpClientId: session?.idpClientId,
+                merchantId: session?.merchantId,
+            },
+            // Session tokens
+            sessionToken: redisSessionId,
+            accessToken: session?.idpAccessToken,
+            refreshToken: session?.idpRefreshToken,
+            accessTokenExpires: session?.idpAccessTokenExpires,
+            expires: token.exp ? new Date(token.exp * 1000).toISOString() : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+        });
+    }
+    catch (error) {
+        console.error('[SESSION_ROUTE] Error checking session:', error);
+        return server_1.NextResponse.json({
+            error: 'Failed to check session',
+            details: error instanceof Error ? error.message : 'Unknown error'
+        }, { status: 500 });
+    }
+}
+/**
+ * POST /api/auth/session - Update session data
+ *
+ * Allows updating session metadata (not tokens).
+ * Token refresh should use the /api/auth/refresh endpoint.
+ *
+ * Body:
+ * - metadata: object - Custom metadata to store in session
+ */
+async function POST(req) {
+    try {
+        const secret = await getNextAuthSecret();
+        const token = await (0, jwt_1.getToken)({ req, secret, cookieName: (0, app_slug_1.getJwtCookieName)() });
+        if (!token) {
+            return server_1.NextResponse.json({
+                error: 'No session found',
+                code: 'UNAUTHORIZED'
+            }, { status: 401 });
+        }
+        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+        const sessionToken = token.sessionToken || token.redisSessionId;
+        if (!sessionToken) {
+            return server_1.NextResponse.json({
+                error: 'Invalid session',
+                code: 'INVALID_SESSION'
+            }, { status: 400 });
+        }
+        const body = await req.json();
+        const { metadata, access_token, refresh_token, twoFactorComplete, twoFactorMethod } = body;
+        // Get current session
+        const session = await (0, session_store_1.getSession)(sessionToken);
+        if (!session) {
+            return server_1.NextResponse.json({
+                error: 'Session not found',
+                code: 'SESSION_NOT_FOUND'
+            }, { status: 404 });
+        }
+        // Update session with new data
+        const updatedSession = {
+            ...session,
+            ...(access_token ? { accessToken: access_token } : {}),
+            ...(refresh_token ? { refreshToken: refresh_token } : {}),
+            ...(typeof twoFactorComplete === 'boolean' ? { twoFactorComplete } : {}),
+            ...(twoFactorMethod ? { twoFactorMethod } : {}),
+            ...(metadata ? {
+                metadata: {
+                    ...(session.metadata || {}),
+                    ...metadata,
+                    updatedAt: new Date().toISOString()
+                }
+            } : {})
+        };
+        await (0, session_store_1.updateSession)(sessionToken, updatedSession);
+        return server_1.NextResponse.json({
+            success: true,
+            message: 'Session updated successfully'
+        });
+    }
+    catch (error) {
+        console.error('[SESSION_ROUTE] Error updating session:', error);
+        return server_1.NextResponse.json({
+            error: 'Failed to update session',
+            details: error instanceof Error ? error.message : 'Unknown error'
+        }, { status: 500 });
+    }
+}

package/dist/routes/auth/settings.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Public Auth Settings Route
+ *
+ * Returns client auth settings for pre-login pages (signup, login).
+ * Does NOT require authentication - these are public client settings.
+ */
+import { NextResponse } from 'next/server';
+export interface PublicAuthSettings {
+    enabledProviders: string[];
+    allowPublicRegistration: boolean;
+    allowSocialLogin: boolean;
+    enablePasswordReset: boolean;
+    require2FA: boolean;
+    allowed2FAMethods: string[];
+}
+/**
+ * GET /api/auth/settings
+ *
+ * Returns public auth settings for the current client.
+ * Used by login/signup pages to determine what options to show.
+ */
+export declare function GET(): Promise<NextResponse<{
+    success: boolean;
+    data: PublicAuthSettings;
+}>>;

package/dist/routes/auth/settings.js

@@ -0,0 +1,55 @@
+"use strict";
+/**
+ * Public Auth Settings Route
+ *
+ * Returns client auth settings for pre-login pages (signup, login).
+ * Does NOT require authentication - these are public client settings.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+/**
+ * GET /api/auth/settings
+ *
+ * Returns public auth settings for the current client.
+ * Used by login/signup pages to determine what options to show.
+ */
+async function GET() {
+    try {
+        const config = await (0, idp_client_config_1.getIDPClientConfig)();
+        const settings = {
+            // Get enabled OAuth provider names
+            enabledProviders: config.oauthProviders
+                ?.filter(p => p.enabled)
+                .map(p => p.provider) ?? [],
+            // Registration - default to true if not specified
+            allowPublicRegistration: true, // Could come from config.authSettings in future
+            allowSocialLogin: config.oauthProviders?.some(p => p.enabled) ?? false,
+            // Password reset
+            enablePasswordReset: true, // Could come from config.authSettings in future
+            // 2FA
+            require2FA: config.authSettings?.require2FA ?? true,
+            allowed2FAMethods: config.authSettings?.allowed2FAMethods ?? ['email', 'sms'],
+        };
+        return server_1.NextResponse.json({
+            success: true,
+            data: settings,
+        });
+    }
+    catch (error) {
+        console.error('[AUTH_SETTINGS] Failed to get settings:', error);
+        // Return safe defaults on error
+        return server_1.NextResponse.json({
+            success: true,
+            data: {
+                enabledProviders: [],
+                allowPublicRegistration: true,
+                allowSocialLogin: false,
+                enablePasswordReset: true,
+                require2FA: true,
+                allowed2FAMethods: ['email', 'sms'],
+            },
+        });
+    }
+}

package/dist/routes/auth/viability.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Ready-to-Use Session Viability Route
+ *
+ * Checks if the current session is viable (valid and not expired).
+ * Used by client-side code to determine if a refresh is needed.
+ *
+ * @example
+ * ```typescript
+ * // app/api/session/viability/route.ts
+ * export { GET } from '@payez/next-mvp/routes/auth/viability';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * GET /api/session/viability - Check if session is viable
+ *
+ * Returns:
+ * - viable: boolean - Whether the session can be used
+ * - needsRefresh: boolean - Whether a refresh is recommended
+ * - expiresIn: number - Seconds until token expires
+ */
+export declare function GET(req: NextRequest): Promise<NextResponse<{
+    viable: boolean;
+    needsRefresh: boolean;
+    authenticated: boolean;
+    reason: string;
+}> | NextResponse<{
+    viable: boolean;
+    needsRefresh: boolean;
+    expiresIn: number;
+    hasRefreshToken: boolean;
+    authenticated: boolean;
+    sessionToken: any;
+    tenantRequiresTwoFactor: boolean;
+    userHasCompletedTenantTwoFactorRequirements: any;
+    userStillNeedsTwoFactor: boolean;
+    requires2FA: boolean;
+    twoFactorComplete: any;
+    accessTokenExpired: boolean;
+    expiresAt: string;
+    roles: string[];
+    clientId: string;
+}> | NextResponse<{
+    viable: boolean;
+    needsRefresh: boolean;
+    authenticated: boolean;
+    error: string;
+    details: string;
+}>>;