@payez/next-mvp 3.0.0

package/src/api-handlers/admin/audit.ts

@@ -0,0 +1,225 @@
+/**
+ * Admin Audit Logs API Handler
+ *
+ * Provides admin-level access to audit logs using service account credentials.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { getStartupIDPConfig } from '../../lib/startup-init';
+import { ADMIN_ROLES, hasAnyRole } from '../../lib/roles';
+
+interface VibeRequestOptions {
+  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
+  body?: unknown;
+}
+
+async function checkAdminRole(getAuthOptions: () => Promise<any>): Promise<{ isAdmin: boolean; error?: NextResponse }> {
+  const authOptions = await getAuthOptions();
+  const session = await getServerSession(authOptions) as any;
+
+  if (!session?.user) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
+    };
+  }
+
+  const userRoles = (session.user?.roles as string[]) || [];
+  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
+
+  if (!hasAdminRole) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
+    };
+  }
+
+  return { isAdmin: true };
+}
+
+async function vibeServiceRequest<T = unknown>(
+  endpoint: string,
+  options: VibeRequestOptions
+): Promise<{ ok: boolean; status: number; data: T | null; error?: string }> {
+  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+  const clientId = process.env.VIBE_CLIENT_ID;
+  const signingKey = process.env.VIBE_HMAC_KEY;
+
+  if (!idpUrl || !clientId || !signingKey) {
+    return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
+  }
+
+  const timestamp = Math.floor(Date.now() / 1000);
+  const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
+
+  const crypto = await import('crypto');
+  const signature = crypto
+    .createHmac('sha256', Buffer.from(signingKey, 'base64'))
+    .update(stringToSign)
+    .digest('base64');
+
+  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
+
+  // Get the numeric client ID from startup config for multi-client admin support
+  const idpConfig = getStartupIDPConfig();
+  const numericClientId = idpConfig?.clientId;
+
+  try {
+    const res = await fetch(proxyUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Vibe-Client-Id': clientId,
+        'X-Vibe-Timestamp': String(timestamp),
+        'X-Vibe-Signature': signature,
+        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+      },
+      body: JSON.stringify({
+        endpoint,
+        method: options.method,
+        data: options.body ?? null,
+      }),
+      cache: 'no-store',
+    });
+
+    if (res.status === 204) return { ok: true, status: 204, data: null };
+    if (!res.ok) {
+      const errorText = await res.text();
+      return { ok: false, status: res.status, data: null, error: errorText };
+    }
+
+    const body = await res.json();
+    return { ok: true, status: res.status, data: body };
+  } catch (error) {
+    return { ok: false, status: 0, data: null, error: String(error) };
+  }
+}
+
+export interface AdminAuditHandlerConfig {
+  getAuthOptions: () => Promise<any>;
+}
+
+/**
+ * GET /api/admin/audit - List audit logs
+ * POST /api/admin/audit - Stats
+ */
+export function createAuditHandler(config: AdminAuditHandlerConfig) {
+  return {
+    async GET(request: NextRequest) {
+      const adminCheck = await checkAdminRole(config.getAuthOptions);
+      if (adminCheck.error) return adminCheck.error;
+
+      const { searchParams } = new URL(request.url);
+      const action = searchParams.get('action');
+      const userId = searchParams.get('userId');
+      const startDate = searchParams.get('startDate');
+      const endDate = searchParams.get('endDate');
+      const page = parseInt(searchParams.get('page') || '1');
+      const pageSize = parseInt(searchParams.get('pageSize') || '50');
+
+      const queryBody: any = {
+        page,
+        pageSize,
+        orderBy: 'created_at',
+        orderDirection: 'desc',
+      };
+
+      const conditions: any[] = [];
+      if (action) {
+        conditions.push({ field: 'action', operator: 'eq', value: action });
+      }
+      if (userId) {
+        conditions.push({ field: 'user_id', operator: 'eq', value: userId });
+      }
+      if (startDate) {
+        conditions.push({ field: 'created_at', operator: 'gte', value: startDate });
+      }
+      if (endDate) {
+        conditions.push({ field: 'created_at', operator: 'lte', value: endDate });
+      }
+
+      if (conditions.length === 1) {
+        queryBody.filter = conditions[0];
+      } else if (conditions.length > 1) {
+        queryBody.filter = { operator: 'and', conditions };
+      }
+
+      const result = await vibeServiceRequest<any>(
+        '/v1/collections/vibe_app/tables/audit_logs/query',
+        { method: 'POST', body: queryBody }
+      );
+
+      if (!result.ok) {
+        return NextResponse.json({ error: result.error }, { status: result.status || 500 });
+      }
+
+      const rawLogs = result.data?.data || result.data?.documents || [];
+      const logs = rawLogs.map((log: any) => ({
+        id: log.id || log.document_id,
+        user_id: log.user_id || log.idp_user_id,
+        email: log.email,
+        action: log.action,
+        resource_type: log.resource_type,
+        resource_id: log.resource_id,
+        details: log.details,
+        ip_address: log.ip_address,
+        user_agent: log.user_agent,
+        created_at: log.created_at,
+      }));
+
+      return NextResponse.json({
+        logs,
+        meta: result.data?.meta || { total: logs.length, page, pageSize },
+      });
+    },
+
+    async POST(request: NextRequest) {
+      const adminCheck = await checkAdminRole(config.getAuthOptions);
+      if (adminCheck.error) return adminCheck.error;
+
+      const body = await request.json();
+      const { action } = body;
+
+      if (action === 'stats') {
+        const result = await vibeServiceRequest<any>(
+          '/v1/collections/vibe_app/tables/audit_logs/query',
+          { method: 'POST', body: { page: 1, pageSize: 10000 } }
+        );
+
+        if (!result.ok) {
+          return NextResponse.json({ error: result.error }, { status: result.status || 500 });
+        }
+
+        const logs = result.data?.data || result.data?.documents || [];
+        const now = new Date();
+        const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+        const oneWeekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+
+        const stats = {
+          total: logs.length,
+          today: logs.filter((l: any) => new Date(l.created_at) > oneDayAgo).length,
+          thisWeek: logs.filter((l: any) => new Date(l.created_at) > oneWeekAgo).length,
+          uniqueUsers: new Set(logs.map((l: any) => l.user_id || l.idp_user_id)).size,
+          byAction: {} as Record<string, number>,
+          byResourceType: {} as Record<string, number>,
+        };
+
+        logs.forEach((l: any) => {
+          const act = l.action || 'unknown';
+          stats.byAction[act] = (stats.byAction[act] || 0) + 1;
+
+          const rt = l.resource_type || 'unknown';
+          stats.byResourceType[rt] = (stats.byResourceType[rt] || 0) + 1;
+        });
+
+        return NextResponse.json({ stats });
+      }
+
+      return NextResponse.json({ error: 'Invalid action' }, { status: 400 });
+    },
+  };
+}

package/src/api-handlers/admin/index.ts

@@ -0,0 +1,59 @@
+/**
+ * Admin API Handlers
+ *
+ * Provides admin-level API handlers for Vibe data access.
+ * These handlers use service account credentials to bypass user filtering.
+ *
+ * Usage:
+ * ------
+ * // In your app's API route (e.g., app/api/admin/vibe/data/[collection]/[table]/route.ts)
+ * import { createGetTableDataHandler } from '@payez/next-mvp/api-handlers/admin';
+ * import { getAuthOptions } from '@payez/next-mvp/auth/auth-options';
+ *
+ * export const GET = createGetTableDataHandler({ getAuthOptions });
+ */
+
+export {
+  createGetCollectionsHandler,
+  createGetTablesHandler,
+  createGetTableDataHandler,
+  createGetRecordHandler,
+  createUpdateRecordHandler,
+  createDeleteRecordHandler,
+  createQueryHandler,
+  type AdminVibeHandlerConfig,
+} from './vibe-data';
+
+export {
+  createSessionsHandler,
+  type AdminSessionsHandlerConfig,
+} from './sessions';
+
+export {
+  createUsersHandler,
+  type AdminUsersHandlerConfig,
+} from './users';
+
+export {
+  createAuditHandler,
+  type AdminAuditHandlerConfig,
+} from './audit';
+
+export {
+  createAnalyticsHandler,
+  type AdminAnalyticsHandlerConfig,
+} from './analytics';
+
+export {
+  createSiteLogsHandler,
+  createSiteLogsStatsHandler,
+  createSiteLogsDrainHandler,
+  createSiteLogsQueueHandler,
+  type SiteLogsHandlerConfig,
+} from './site-logs';
+
+export {
+  createRedisSessionsHandler,
+  createRedisSessionRevokeHandler,
+  type RedisSessionsHandlerConfig,
+} from './redis-sessions';

package/src/api-handlers/admin/redis-sessions.ts

@@ -0,0 +1,253 @@
+/**
+ * Admin Redis Sessions API Handler
+ *
+ * Provides admin-level access to active sessions stored in Redis.
+ * Reads directly from Redis {APP_SLUG}:sess:* pattern.
+ *
+ * Note: This is different from sessions.ts which queries Vibe login_sessions table.
+ * This handler shows real-time active sessions in Redis.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { getRedis } from '../../lib/redis';
+import { ADMIN_ROLES, hasAnyRole } from '../../lib/roles';
+
+export interface RedisSessionsHandlerConfig {
+  getAuthOptions: () => Promise<any>;
+  appSlug?: string;
+}
+
+/**
+ * Check if the current user has admin role
+ */
+async function checkAdminRole(getAuthOptions: () => Promise<any>): Promise<{ isAdmin: boolean; userId?: number; error?: NextResponse }> {
+  const authOptions = await getAuthOptions();
+  const session = await getServerSession(authOptions) as any;
+
+  if (!session?.user) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json(
+        { success: false, error: 'Please sign in' },
+        { status: 401 }
+      ),
+    };
+  }
+
+  const userRoles = (session.user?.roles as string[]) || [];
+  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
+
+  if (!hasAdminRole) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json(
+        { success: false, error: 'Admin access required' },
+        { status: 403 }
+      ),
+    };
+  }
+
+  return { isAdmin: true, userId: session.user?.id };
+}
+
+/**
+ * Create Redis sessions handler
+ * GET /api/admin/redis-sessions - List all active sessions from Redis
+ */
+export function createRedisSessionsHandler(config: RedisSessionsHandlerConfig) {
+  const getSessionPrefix = () => {
+    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+    return `${appSlug}:sess:`;
+  };
+
+  return {
+    async GET(request: NextRequest) {
+      const adminCheck = await checkAdminRole(config.getAuthOptions);
+      if (adminCheck.error) return adminCheck.error;
+
+      try {
+        const redis = getRedis();
+        const sessionPrefix = getSessionPrefix();
+
+        // Scan Redis for all session keys (exclude version keys)
+        const sessionKeys: string[] = [];
+        let cursor = '0';
+        do {
+          const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+          cursor = newCursor;
+          // Filter out version keys (ver:) - only want actual session keys
+          sessionKeys.push(...keys.filter((k: string) => !k.includes(':ver:')));
+        } while (cursor !== '0');
+
+        // Fetch all session data
+        const sessions = [];
+        for (const key of sessionKeys) {
+          const sessionJson = await redis.get(key);
+          if (!sessionJson) continue;
+
+          try {
+            const sessionData = JSON.parse(sessionJson);
+            const sessionToken = key.replace(sessionPrefix, '');
+
+            sessions.push({
+              id: sessionToken.substring(0, 16), // Truncated for display
+              session_token: sessionToken.substring(0, 8) + '...', // Masked
+              user_id: sessionData.userId,
+              user_name: sessionData.name,
+              user_email: sessionData.email,
+              status: 'active', // Sessions in Redis are active
+              created_at: sessionData.createdAt,
+              mfa_verified: sessionData.mfaVerified || sessionData.twoFactorComplete || false,
+              access_token_expires: sessionData.idpAccessTokenExpires
+                ? new Date(sessionData.idpAccessTokenExpires).toISOString()
+                : null,
+            });
+          } catch (parseError) {
+            console.error('[admin/redis-sessions] Failed to parse session:', key, parseError);
+          }
+        }
+
+        // Sort by most recent first (if created_at available)
+        sessions.sort((a, b) => {
+          if (!a.created_at || !b.created_at) return 0;
+          return new Date(b.created_at).getTime() - new Date(a.created_at).getTime();
+        });
+
+        // Calculate stats
+        const uniqueUsers = new Set(sessions.map(s => s.user_email).filter(Boolean)).size;
+
+        return NextResponse.json({
+          sessions,
+          total: sessions.length,
+          stats: {
+            total_active: sessions.length,
+            total_revoked: 0, // Revoked sessions are deleted from Redis
+            unique_users: uniqueUsers,
+          },
+          redis_prefix: sessionPrefix,
+        });
+      } catch (error: any) {
+        console.error('[admin/redis-sessions] Error:', error);
+        return NextResponse.json(
+          { error: error.message || 'Internal error' },
+          { status: 500 }
+        );
+      }
+    },
+
+    async DELETE(request: NextRequest) {
+      const adminCheck = await checkAdminRole(config.getAuthOptions);
+      if (adminCheck.error) return adminCheck.error;
+
+      try {
+        const { searchParams } = new URL(request.url);
+        const sessionToken = searchParams.get('session_token');
+
+        if (!sessionToken) {
+          return NextResponse.json(
+            { error: 'session_token parameter required' },
+            { status: 400 }
+          );
+        }
+
+        const redis = getRedis();
+        const sessionPrefix = getSessionPrefix();
+        const sessionKey = `${sessionPrefix}${sessionToken}`;
+
+        // Delete the session
+        const deleted = await redis.del(sessionKey);
+
+        if (deleted === 0) {
+          return NextResponse.json(
+            { error: 'Session not found or already deleted' },
+            { status: 404 }
+          );
+        }
+
+        return NextResponse.json({
+          success: true,
+          message: 'Session revoked',
+          session_token: sessionToken.substring(0, 8) + '...',
+        });
+      } catch (error: any) {
+        console.error('[admin/redis-sessions] DELETE Error:', error);
+        return NextResponse.json(
+          { error: error.message || 'Internal error' },
+          { status: 500 }
+        );
+      }
+    },
+  };
+}
+
+/**
+ * Create Redis session revoke handler for specific session
+ * POST /api/admin/redis-sessions/[sessionId]/revoke
+ */
+export function createRedisSessionRevokeHandler(config: RedisSessionsHandlerConfig) {
+  const getSessionPrefix = () => {
+    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+    return `${appSlug}:sess:`;
+  };
+
+  return {
+    async POST(request: NextRequest, { params }: { params: { sessionId: string } }) {
+      const adminCheck = await checkAdminRole(config.getAuthOptions);
+      if (adminCheck.error) return adminCheck.error;
+
+      try {
+        const sessionId = params.sessionId;
+        if (!sessionId) {
+          return NextResponse.json(
+            { error: 'Session ID required' },
+            { status: 400 }
+          );
+        }
+
+        const redis = getRedis();
+        const sessionPrefix = getSessionPrefix();
+
+        // Find session key that starts with the sessionId
+        let targetKey: string | null = null;
+        let cursor = '0';
+        do {
+          const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+          cursor = newCursor;
+          for (const key of keys) {
+            const token = key.replace(sessionPrefix, '');
+            if (token.startsWith(sessionId) || token.substring(0, 16) === sessionId) {
+              targetKey = key;
+              break;
+            }
+          }
+          if (targetKey) break;
+        } while (cursor !== '0');
+
+        if (!targetKey) {
+          return NextResponse.json(
+            { error: 'Session not found' },
+            { status: 404 }
+          );
+        }
+
+        // Delete the session
+        await redis.del(targetKey);
+
+        return NextResponse.json({
+          success: true,
+          message: 'Session revoked',
+        });
+      } catch (error: any) {
+        console.error('[admin/redis-sessions/revoke] Error:', error);
+        return NextResponse.json(
+          { error: error.message || 'Internal error' },
+          { status: 500 }
+        );
+      }
+    },
+  };
+}