@payez/next-mvp 3.0.0

package/src/api-handlers/auth/refresh.ts

@@ -0,0 +1,687 @@
+/**
+ * CRITICAL REFRESH TOKEN API HANDLER
+ *
+ * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
+ *
+ * This handler manages the server-side refresh token cycle with:
+ * - NextAuth JWT token extraction
+ * - Session token fallback for internal calls
+ * - PayEz IDP refresh token exchange
+ * - Session state updates with new tokens
+ * - Proper error handling and logging
+ * - Single-use semantics enforcement
+ *
+ * @version 2.0
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+import { getSession, updateSession, acquireRefreshLock, releaseRefreshLock, checkRefreshLock } from '../../lib/session-store';
+import { computeTokenExpiries } from '../../lib/token-expiry';
+import { getJwtCookieName } from '../../lib/app-slug';
+import { extractKidFromToken } from '../../auth/utils/token-utils';
+
+interface RefreshConfig {
+  idpBaseUrl: string;
+  clientId: string;
+  nextAuthSecret: string;
+  refreshEndpoint?: string;
+}
+
+/**
+ * Creates a refresh token handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection and NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/refresh/route.ts
+ * import { createRefreshHandler } from '@payez/next-mvp/api-handlers/auth/refresh';
+ *
+ * export const POST = createRefreshHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
+ *   refreshEndpoint: '/api/ExternalAuth/refresh'
+ * });
+ * ```
+ */
+export function createRefreshHandler(config: RefreshConfig) {
+  const { idpBaseUrl, clientId, nextAuthSecret, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
+
+  return async function POST(req: NextRequest) {
+    try {
+      // Extract session token from NextAuth JWT
+      const token = await getToken({ req, secret: nextAuthSecret, cookieName: getJwtCookieName() });
+
+      // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+      let sessionToken = (token?.sessionToken || token?.redisSessionId) as string | undefined;
+      let userId = token?.sub;
+
+      if (!sessionToken) {
+        // Fallback: check for session token in header (for internal server-to-server calls)
+        const headerSessionToken = req.headers.get('x-session-token');
+        if (headerSessionToken) {
+          sessionToken = headerSessionToken;
+          const currentSession = await getSession(sessionToken);
+          userId = currentSession?.userId || currentSession?.email;
+        }
+      }
+
+      if (!sessionToken || !userId) {
+        console.warn('[AUTH_REFRESH] Missing sessionToken or user id on token');
+        return NextResponse.json({
+          error: 'No session available for refresh',
+          code: 'UNAUTHORIZED'
+        }, { status: 401 });
+      }
+
+      // Get current session
+      const currentSession = await getSession(sessionToken);
+      // NOTE: Field is idpRefreshToken (not refreshToken) per normalized naming convention
+      if (!currentSession?.idpRefreshToken) {
+        console.warn('[AUTH_REFRESH] No refresh token available', { userId });
+        return NextResponse.json({
+          error: 'No refresh token available',
+          code: 'NO_REFRESH_TOKEN',  // Terminal state - session cannot be refreshed
+          terminal: true,            // Signal to frontend: don't retry, redirect to login
+          resolution: 'User must re-authenticate'
+        }, { status: 401 });
+      }
+
+      // ============================================================================
+      // HIGH VISIBILITY: PRE-FLIGHT REFRESH DIAGNOSTICS
+      // ============================================================================
+      const now = Date.now();
+      const refreshTokenAge = currentSession.idpRefreshTokenIssuedAt
+        ? Math.round((now - currentSession.idpRefreshTokenIssuedAt) / 1000)
+        : 'unknown';
+      const refreshTokenExpiresIn = currentSession.idpRefreshTokenExpires
+        ? Math.round((currentSession.idpRefreshTokenExpires - now) / 1000)
+        : 'unknown';
+      const accessTokenExpiresIn = currentSession.idpAccessTokenExpires
+        ? Math.round((currentSession.idpAccessTokenExpires - now) / 1000)
+        : 'unknown';
+
+      console.log('╔══════════════════════════════════════════════════════════════════════════════╗');
+      console.log('║                    REFRESH TOKEN ATTEMPT - PRE-FLIGHT                        ║');
+      console.log('╠══════════════════════════════════════════════════════════════════════════════╣');
+      console.log(`║ User: ${(userId || 'unknown').substring(0, 50).padEnd(50)}                   ║`);
+      console.log(`║ Session: ${sessionToken.substring(0, 8)}...                                                        ║`);
+      console.log('╠──────────────────────────────────────────────────────────────────────────────╣');
+      console.log(`║ Access Token Expires In:  ${String(accessTokenExpiresIn).padEnd(10)} seconds                            ║`);
+      console.log(`║ Refresh Token Age:        ${String(refreshTokenAge).padEnd(10)} seconds                            ║`);
+      console.log(`║ Refresh Token Expires In: ${String(refreshTokenExpiresIn).padEnd(10)} seconds                            ║`);
+      console.log(`║ Refresh Token Length:     ${String(currentSession.idpRefreshToken?.length || 0).padEnd(10)} chars                              ║`);
+      console.log(`║ 2FA Complete:             ${String(!!currentSession.mfaVerified).padEnd(10)}                                   ║`);
+      console.log(`║ Auth Level (ACR):         ${String(currentSession.authenticationLevel || '1').padEnd(10)}                                   ║`);
+      console.log('╚══════════════════════════════════════════════════════════════════════════════╝');
+
+      // Try to acquire refresh lock to prevent concurrent refresh attempts
+      const requestId = req.headers.get('x-request-id') ?? `refresh_${Date.now()}`;
+      const lockAcquired = await acquireRefreshLock(sessionToken, requestId, 5000);
+
+      let weAcquiredLock = false;
+      let releaseLockVersion: number | undefined;
+
+      if (!lockAcquired.acquired) {
+        const existingLock = await checkRefreshLock(sessionToken);
+        if (existingLock && existingLock.acquiredBy === requestId) {
+          console.info('[AUTH_REFRESH] Proceeding under existing caller-held lock', { requestId });
+        } else {
+          // Wait for the lock to release, then check if token is now fresh
+          console.info('[AUTH_REFRESH] Refresh in progress by another request, waiting for completion...', { requestId });
+
+          const maxWaitMs = 5000;
+          const checkIntervalMs = 200;
+          const startWait = Date.now();
+
+          while (Date.now() - startWait < maxWaitMs) {
+            await new Promise(resolve => setTimeout(resolve, checkIntervalMs));
+
+            // Check if lock was released
+            const lockCheck = await checkRefreshLock(sessionToken);
+            if (!lockCheck) {
+              // Lock released - check if token is now fresh
+              const refreshedSession = await getSession(sessionToken);
+              if (refreshedSession?.idpAccessToken && refreshedSession?.idpAccessTokenExpires) {
+                const timeUntilExpiry = refreshedSession.idpAccessTokenExpires - Date.now();
+                const fiveMinutes = 5 * 60 * 1000;
+
+                if (timeUntilExpiry > fiveMinutes) {
+                  console.info('[AUTH_REFRESH] Lock released, token is fresh - returning success', {
+                    requestId,
+                    accessTokenExpires: new Date(refreshedSession.idpAccessTokenExpires).toISOString(),
+                    waitedMs: Date.now() - startWait,
+                  });
+                  return NextResponse.json({
+                    refreshed: true,
+                    reason: 'completed_by_concurrent_request',
+                    accessTokenExpires: refreshedSession.idpAccessTokenExpires,
+                    hasRefreshToken: !!refreshedSession.idpRefreshToken,
+                  });
+                }
+              }
+              // Lock released but token not fresh - try to acquire lock ourselves
+              break;
+            }
+          }
+
+          // Still locked after waiting - return 409
+          console.warn('[AUTH_REFRESH] Refresh still in progress after waiting', { requestId, waitedMs: Date.now() - startWait });
+          return NextResponse.json({
+            error: 'Refresh already in progress',
+            code: 'CONFLICT'
+          }, { status: 409 });
+        }
+      } else {
+        weAcquiredLock = true;
+        releaseLockVersion = lockAcquired.lockInfo?.lockVersion;
+      }
+
+      // Before performing network refresh, re-check if tokens are already fresh
+      const latestAfterLock = await getSession(sessionToken);
+      const fiveMinutes = 5 * 60 * 1000;
+      const timeUntilExpiry = latestAfterLock?.idpAccessTokenExpires
+        ? latestAfterLock.idpAccessTokenExpires - Date.now()
+        : -1;
+
+      // CRITICAL: Also check the actual JWT's exp claim - Redis might have stale data
+      let actualJwtExpMs = -1;
+      let tokenMismatch = false;
+      if (latestAfterLock?.idpAccessToken) {
+        try {
+          const tokenParts = latestAfterLock.idpAccessToken.split('.');
+          if (tokenParts.length === 3) {
+            const payload = JSON.parse(Buffer.from(tokenParts[1], 'base64url').toString());
+            actualJwtExpMs = (payload.exp || 0) * 1000;
+            const now = Date.now();
+            // If the actual JWT is expired, we MUST refresh regardless of what Redis says
+            if (actualJwtExpMs < now) {
+              tokenMismatch = true;
+            }
+          }
+        } catch (e) {
+          // If we can't decode, proceed with normal logic
+        }
+      }
+
+      console.log('[AUTH_REFRESH] Pre-refresh check:', {
+        userId,
+        hasAccessToken: !!latestAfterLock?.idpAccessToken,
+        accessTokenExpires: latestAfterLock?.idpAccessTokenExpires
+          ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString()
+          : 'undefined',
+        actualJwtExp: actualJwtExpMs > 0 ? new Date(actualJwtExpMs).toISOString() : 'unknown',
+        now: new Date().toISOString(),
+        timeUntilExpiryMs: timeUntilExpiry,
+        tokenMismatch,
+        willRefresh: timeUntilExpiry <= fiveMinutes || tokenMismatch
+      });
+
+      // Only skip refresh if BOTH Redis says fresh AND the actual JWT is not expired
+      if (latestAfterLock?.idpAccessToken && latestAfterLock?.idpAccessTokenExpires &&
+          timeUntilExpiry > fiveMinutes && !tokenMismatch) {
+        console.info('[AUTH_REFRESH] Skipping refresh: tokens already fresh', { userId, timeUntilExpiryMs: timeUntilExpiry });
+        if (weAcquiredLock) {
+          await releaseRefreshLock(sessionToken, requestId, releaseLockVersion);
+          weAcquiredLock = false;
+        }
+        return NextResponse.json({
+          refreshed: false,
+          reason: 'already_fresh',
+          accessTokenExpires: latestAfterLock.idpAccessTokenExpires,
+          hasRefreshToken: !!latestAfterLock.idpRefreshToken,
+        });
+      }
+
+      // If we detected a token mismatch, log it prominently
+      if (tokenMismatch) {
+        console.warn('[AUTH_REFRESH] Token mismatch detected - forcing refresh despite Redis claiming fresh', {
+          userId,
+          redisExpires: latestAfterLock?.idpAccessTokenExpires ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString() : 'N/A',
+          actualJwtExp: new Date(actualJwtExpMs).toISOString()
+        });
+      }
+
+      // Copy refresh token for use in IDP call
+      // Note: Token is NOT cleared preemptively - it will be replaced on success.
+      // The lock mechanism prevents concurrent refresh attempts within the same session.
+      // If IDP call fails, user can retry with the same token.
+      const originalRefreshToken = currentSession.idpRefreshToken as string;
+
+      try {
+        // Extract 2FA claims from current session
+        let authMethods: string[] = [];
+        if (currentSession.authenticationMethods) {
+          if (typeof currentSession.authenticationMethods === 'string') {
+            try {
+              authMethods = JSON.parse(currentSession.authenticationMethods);
+            } catch (e) {
+              console.warn('[AUTH_REFRESH] Failed to parse authenticationMethods', { authenticationMethods: currentSession.authenticationMethods });
+            }
+          } else if (Array.isArray(currentSession.authenticationMethods)) {
+            authMethods = currentSession.authenticationMethods;
+          }
+        }
+
+        // For OAuth sessions with empty AMR claims, provide defaults
+        // OAuth IS a form of multi-factor auth (you authenticated with another provider)
+        let isOAuthSession = !!currentSession.oauthProvider;
+        if (authMethods.length === 0 && isOAuthSession) {
+          // OAuth sessions get default AMR claims
+          authMethods = ['pwd', 'mfa'];
+          console.log('[AUTH_REFRESH] OAuth session with empty AMR - using defaults:', {
+            oauthProvider: currentSession.oauthProvider,
+            defaultAmr: authMethods
+          });
+        }
+
+        // Check authMethods first, then fallback to twoFactorMethod field (set by transitionTo2FASession)
+        // For OAuth sessions, use 'oauth' as the 2FA method since OAuth itself is the authentication
+        const twoFactorMethod = authMethods.find(m => ['sms', 'totp', 'email'].includes(m))
+          || currentSession.mfaMethod
+          || (isOAuthSession ? 'oauth' : null);
+
+        // DEBUG: Log what we have for 2FA
+        console.log('[AUTH_REFRESH] 2FA Debug:', {
+          authMethods,
+          authMethodsRaw: currentSession.authenticationMethods,
+          twoFactorMethodFromSession: currentSession.mfaMethod,
+          twoFactorMethodResolved: twoFactorMethod,
+          twoFactorComplete: currentSession.mfaVerified,
+          sessionKeys: Object.keys(currentSession)
+        });
+
+        // Build refresh request body per PayEz wire standard (snake_case)
+        // See: 2FA-TOKEN-REFRESH-CONTEXT.md - "The Ninja Shit"
+        // For OAuth sessions with 2FA complete, use ACR level 2
+        let acrValue = String(currentSession.authenticationLevel ?? '1');
+        if (currentSession.oauthProvider && currentSession.mfaVerified && acrValue === '1') {
+          acrValue = '2'; // OAuth with 2FA complete = full authentication
+        }
+        const refreshRequestBody: any = {
+          refresh_token: originalRefreshToken,
+          amr: authMethods,
+          acr: acrValue
+        };
+
+        // DEBUG: Log exact request body
+        console.log('[AUTH_REFRESH] Request body:', JSON.stringify({
+          refresh_token: '***REDACTED***',
+          amr: authMethods,
+          acr: acrValue,
+          acrType: typeof acrValue
+        }));
+
+        const twoFactorVerified = !!currentSession.mfaVerified;
+        if (twoFactorVerified) {
+          refreshRequestBody.two_factor_verified = true;
+        }
+        if (twoFactorMethod) {
+          refreshRequestBody.two_factor_method = twoFactorMethod;
+        }
+        if (currentSession.mfaCompletedAt) {
+          refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
+        }
+
+        // Log the full request details for debugging
+        console.log('[AUTH_REFRESH] Sending refresh request:', {
+          url: `${idpBaseUrl}${refreshEndpoint}`,
+          clientId,
+          hasRefreshToken: !!refreshRequestBody.refresh_token,
+          refreshTokenLength: refreshRequestBody.refresh_token?.length,
+          amr: refreshRequestBody.amr,
+          acr: refreshRequestBody.acr
+        });
+
+        let refreshResponse: Response;
+        try {
+          refreshResponse = await fetch(`${idpBaseUrl}${refreshEndpoint}`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Client-Id': clientId,
+            },
+            body: JSON.stringify(refreshRequestBody),
+          });
+        } catch (fetchError) {
+          // Network error - IDP unreachable
+          // Note: Lock will be released by finally block
+          console.error('[AUTH_REFRESH] IDP unreachable:', {
+            error: fetchError instanceof Error ? fetchError.message : String(fetchError),
+            idpUrl: idpBaseUrl,
+            userId
+          });
+          return NextResponse.json({
+            error: 'IDP service unavailable',
+            code: 'UPSTREAM_SERVICE_UNAVAILABLE',
+            retryable: true,
+            discardToken: false
+          }, { status: 503 });
+        }
+
+        // Parse response body - handle empty or invalid JSON
+        let responseData: any;
+        try {
+          const responseText = await refreshResponse.text();
+          if (!responseText || responseText.trim() === '') {
+            // Note: Lock will be released by finally block
+            console.error('[AUTH_REFRESH] Empty response from IDP:', {
+              status: refreshResponse.status,
+              statusText: refreshResponse.statusText,
+              userId
+            });
+            return NextResponse.json({
+              error: 'Empty response from IDP',
+              code: 'UPSTREAM_SERVICE_ERROR',
+              retryable: true,
+              discardToken: false
+            }, { status: 502 });
+          }
+          responseData = JSON.parse(responseText);
+        } catch (parseError) {
+          // Note: Lock will be released by finally block
+          console.error('[AUTH_REFRESH] Failed to parse IDP response:', {
+            error: parseError instanceof Error ? parseError.message : String(parseError),
+            status: refreshResponse.status,
+            userId
+          });
+          return NextResponse.json({
+            error: 'Invalid response from IDP',
+            code: 'UPSTREAM_SERVICE_ERROR',
+            retryable: true,
+            discardToken: false
+          }, { status: 502 });
+        }
+
+        // Handle non-OK responses with structured error format
+        if (!refreshResponse.ok) {
+          // Parse structured error from IDP
+          const idpError = responseData?.error || {};
+          const errorCode = idpError.code || 'UNKNOWN_ERROR';
+          const errorMessage = idpError.message || 'Token refresh failed';
+          // CRITICAL: 401 means token is definitively invalid - always discard
+          // This prevents redirect loops where viability check keeps returning canRefresh:true
+          const discardToken = refreshResponse.status === 401 || idpError.discard_token === true;
+          const retryable = refreshResponse.status !== 401 && idpError.retryable === true;
+          const resolution = idpError.resolution || null;
+
+          // ============================================================================
+          // HIGH VISIBILITY: REFRESH TOKEN FAILURE DIAGNOSTICS
+          // ============================================================================
+          // Translate error codes to human-readable explanations
+          const failureReasons: Record<string, string> = {
+            'UNAUTHORIZED': 'Token was already used (rotation) OR token is expired OR token was revoked',
+            'INVALID_REFRESH_TOKEN': 'Token format invalid OR token not found in IDP database',
+            'TOKEN_EXPIRED': 'Refresh token exceeded its max lifetime',
+            'TOKEN_REVOKED': 'Token was explicitly revoked (logout, password change, admin action)',
+            'TOKEN_REUSE_DETECTED': 'Same refresh token used twice - possible token theft, all tokens revoked',
+            'UPSTREAM_SERVICE_ERROR': 'IDP internal error - token may have been rotated before failure',
+            'INTERNAL_ERROR': 'IDP internal error - check IDP logs for details',
+            'RATE_LIMITED': 'Too many refresh attempts - try again later',
+          };
+
+          const whyItFailed = failureReasons[errorCode] || 'Unknown error - check IDP logs';
+
+          console.error('╔══════════════════════════════════════════════════════════════════════════════╗');
+          console.error('║              ❌ REFRESH TOKEN FAILURE - DIAGNOSTIC REPORT                    ║');
+          console.error('╠══════════════════════════════════════════════════════════════════════════════╣');
+          console.error(`║ HTTP Status:    ${String(refreshResponse.status).padEnd(60)}║`);
+          console.error(`║ Error Code:     ${errorCode.padEnd(60)}║`);
+          console.error(`║ Discard Token:  ${String(discardToken).padEnd(60)}║`);
+          console.error(`║ Retryable:      ${String(retryable).padEnd(60)}║`);
+          console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
+          console.error(`║ WHY IT FAILED:                                                               ║`);
+          console.error(`║ ${whyItFailed.substring(0, 76).padEnd(76)} ║`);
+          console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
+          console.error(`║ User:           ${(userId || 'unknown').substring(0, 60).padEnd(60)}║`);
+          console.error(`║ Session:        ${sessionToken.substring(0, 8)}...                                                     ║`);
+          console.error(`║ Resolution:     ${(resolution || 'Check IDP logs').substring(0, 60).padEnd(60)}║`);
+          console.error('╚══════════════════════════════════════════════════════════════════════════════╝');
+
+          // Also log the full response for detailed debugging
+          console.error('[AUTH_REFRESH] Full IDP error response:', JSON.stringify(responseData, null, 2).substring(0, 1000));
+
+          // If IDP signals to discard token, clear it from Redis
+          if (discardToken) {
+            console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP signaled discard_token', {
+              reason: 'IDP_DISCARD_TOKEN',
+              errorCode,
+              userId,
+              sessionToken: sessionToken.substring(0, 8) + '...',
+              hadRefreshToken: !!currentSession.idpRefreshToken,
+              stack: new Error().stack
+            });
+            await updateSession(sessionToken, {
+              idpRefreshToken: '',
+              idpRefreshTokenExpires: undefined,
+              refreshTokenClearedAt: Date.now(),
+              refreshTokenClearedReason: `IDP_DISCARD_TOKEN:${errorCode}`
+            });
+          }
+
+          return NextResponse.json({
+            error: errorMessage,
+            code: errorCode,
+            discardToken,
+            retryable,
+            resolution,
+            status: refreshResponse.status
+          }, { status: refreshResponse.status });
+        }
+
+        // Validate PayEz canonical envelope for success responses
+        const isCompliant = responseData && typeof responseData === 'object' &&
+                            Object.prototype.hasOwnProperty.call(responseData, 'success') &&
+                            (responseData.success === true ? Object.prototype.hasOwnProperty.call(responseData, 'data') : Object.prototype.hasOwnProperty.call(responseData, 'error')) &&
+                            Object.prototype.hasOwnProperty.call(responseData, 'meta');
+
+        if (!isCompliant) {
+          console.error('[AUTH_REFRESH] Upstream non-compliant IDP response', { bodySample: responseData });
+          return NextResponse.json({
+            error: 'Upstream non-compliance',
+            code: 'UPSTREAM_SERVICE_ERROR',
+            retryable: true,
+            discardToken: false
+          }, { status: 502 });
+        }
+
+        if (responseData.success !== true || !responseData.data) {
+          // Handle success:false with structured error
+          const idpError = responseData?.error || {};
+          const errorCode = idpError.code || 'UPSTREAM_VALIDATION_ERROR';
+          const discardToken = idpError.discard_token === true;
+          const retryable = idpError.retryable === true;
+
+          console.warn('[AUTH_REFRESH] IDP refresh unsuccessful', {
+            code: errorCode,
+            discardToken,
+            body: responseData
+          });
+
+          if (discardToken) {
+            console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP success:false with discard_token', {
+              reason: 'IDP_SUCCESS_FALSE_DISCARD',
+              errorCode,
+              userId,
+              sessionToken: sessionToken.substring(0, 8) + '...',
+              hadRefreshToken: !!currentSession.idpRefreshToken,
+              stack: new Error().stack
+            });
+            await updateSession(sessionToken, {
+              idpRefreshToken: '',
+              idpRefreshTokenExpires: undefined,
+              refreshTokenClearedAt: Date.now(),
+              refreshTokenClearedReason: `IDP_SUCCESS_FALSE_DISCARD:${errorCode}`
+            });
+          }
+
+          return NextResponse.json({
+            error: idpError.message || 'Token refresh failed',
+            code: errorCode,
+            discardToken,
+            retryable,
+            resolution: idpError.resolution || null
+          }, { status: refreshResponse.status || 400 });
+        }
+
+        // Extract tokens from response
+        const payload = responseData.data as any;
+        const accessToken = payload?.access_token;
+        const refreshToken = payload?.refresh_token;
+
+        if (!accessToken) {
+          console.error('[AUTH_REFRESH] Missing access token in IDP response');
+          return NextResponse.json({
+            error: 'Invalid token response from IDP',
+            code: 'INTERNAL_SERVER_ERROR'
+          }, { status: 500 });
+        }
+
+        // Decode and compute token expiries
+        let decodedAccessToken: any;
+        let accessTokenExpires: number;
+        let computedRefreshTokenExpires: number | undefined;
+        try {
+          const result = computeTokenExpiries({ accessToken, refreshToken, preferJwt: true });
+          decodedAccessToken = result.decodedAccessToken;
+          accessTokenExpires = result.accessTokenExpires;
+          computedRefreshTokenExpires = result.refreshTokenExpires;
+
+          console.info('[AUTH_REFRESH] Successfully decoded new token pair', {
+            accessTokenExpires: new Date(accessTokenExpires).toISOString(),
+            refreshTokenExpires: computedRefreshTokenExpires ? new Date(computedRefreshTokenExpires).toISOString() : null
+          });
+        } catch (decodeError) {
+          console.error('[AUTH_REFRESH] Failed to compute token expiries', { error: decodeError });
+          return NextResponse.json({
+            error: 'Failed to decode JWT tokens',
+            code: 'INTERNAL_SERVER_ERROR'
+          }, { status: 500 });
+        }
+
+        // Extract 2FA claims from the new access token
+        let amrClaims: string[] = [];
+        if (decodedAccessToken.amr) {
+          try {
+            amrClaims = typeof decodedAccessToken.amr === 'string'
+              ? JSON.parse(decodedAccessToken.amr)
+              : decodedAccessToken.amr;
+          } catch (e) {
+            console.warn('[AUTH_REFRESH] Failed to parse AMR claims', { amr: decodedAccessToken.amr });
+            amrClaims = currentSession.authenticationMethods || [];
+          }
+        } else {
+          amrClaims = currentSession.authenticationMethods || [];
+        }
+        const acrLevel = String(decodedAccessToken.acr || currentSession.authenticationLevel || '1');
+
+        // Extract MFA timing claims
+        const mfaTime = decodedAccessToken.mfa_time ? parseInt(decodedAccessToken.mfa_time) * 1000 : currentSession.mfaCompletedAt;
+        const mfaExpires = decodedAccessToken.mfa_expires ? parseInt(decodedAccessToken.mfa_expires) * 1000 : currentSession.mfaExpiresAt;
+        const mfaValidityHours = decodedAccessToken.mfa_validity_hours ? parseInt(decodedAccessToken.mfa_validity_hours) : currentSession.mfaValidityHours;
+
+        // Update session with new tokens
+        const hasNewRefresh = typeof refreshToken === 'string' && refreshToken.length > 0;
+        const newRefreshTokenExpires = hasNewRefresh ? computedRefreshTokenExpires : undefined;
+
+        // CRITICAL: Log if we're about to clear the refresh token due to missing new token
+        if (!hasNewRefresh && currentSession.idpRefreshToken) {
+          console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: No new refresh token in IDP response', {
+            reason: 'NO_NEW_REFRESH_TOKEN_IN_RESPONSE',
+            userId,
+            sessionToken: sessionToken.substring(0, 8) + '...',
+            hadRefreshToken: true,
+            refreshTokenFromResponse: refreshToken,
+            refreshTokenType: typeof refreshToken,
+            payloadKeys: Object.keys(payload || {}),
+            stack: new Error().stack
+          });
+        }
+
+        // Keep existing refresh token if IDP doesn't provide a new one
+        // Only clear if IDP explicitly signals discard_token=true (handled in error paths)
+        // NOTE: Use normalized field names (idp* prefix) per SessionData interface
+
+        // CRITICAL: Extract kid from JWT header - IDP may rotate keys during refresh
+        const newBearerKeyId = extractKidFromToken(accessToken);
+        if (newBearerKeyId) {
+          console.log('[AUTH_REFRESH] Extracted bearerKeyId (kid) from new JWT header:', newBearerKeyId);
+        } else {
+          console.warn('[AUTH_REFRESH] No kid found in new JWT header');
+        }
+
+        const sessionUpdate: any = {
+          ...currentSession,
+          idpAccessToken: accessToken,
+          idpAccessTokenExpires: accessTokenExpires,
+          idpRefreshToken: hasNewRefresh ? (refreshToken as string) : currentSession.idpRefreshToken,
+          idpRefreshTokenExpires: hasNewRefresh ? newRefreshTokenExpires : currentSession.idpRefreshTokenExpires,
+          decodedAccessToken: decodedAccessToken,
+          // Bearer key ID from JWT header (may change on key rotation)
+          bearerKeyId: newBearerKeyId || currentSession.bearerKeyId,
+          authenticationMethods: amrClaims,
+          authenticationLevel: acrLevel,
+          mfaVerified: amrClaims.includes('mfa') || currentSession.mfaVerified,
+          mfaCompletedAt: mfaTime,
+          mfaExpiresAt: mfaExpires,
+          mfaValidityHours: mfaValidityHours
+        };
+
+        await updateSession(sessionToken, sessionUpdate);
+
+        console.info('[AUTH_REFRESH] Token refreshed successfully', {
+          expiresAt: new Date(accessTokenExpires).toISOString(),
+          userId,
+          hasNewRefreshToken: hasNewRefresh,
+          tokenPreview: accessToken ? accessToken.substring(0, 20) + '...' : 'none'
+        });
+
+      } catch (error) {
+        console.error('[AUTH_REFRESH] Error during token refresh', { error });
+        return NextResponse.json({
+          error: 'Token refresh error',
+          code: 'INTERNAL_SERVER_ERROR'
+        }, { status: 500 });
+      } finally {
+        if (weAcquiredLock) {
+          await releaseRefreshLock(sessionToken, requestId, releaseLockVersion);
+        }
+      }
+
+      // Load the latest session to return basic status
+      const latest = await getSession(sessionToken);
+      if (!latest?.idpAccessToken) {
+        return NextResponse.json({
+          error: 'No access token after refresh',
+          code: 'INTERNAL_SERVER_ERROR'
+        }, { status: 500 });
+      }
+
+      return NextResponse.json({
+        refreshed: true,
+        accessTokenExpires: latest.idpAccessTokenExpires,
+        hasRefreshToken: !!latest.idpRefreshToken,
+      });
+    } catch (err: any) {
+      console.error('[AUTH_REFRESH] Unexpected error', { error: err?.message || String(err) });
+      return NextResponse.json({
+        error: 'Unexpected error during refresh',
+        code: 'INTERNAL_SERVER_ERROR'
+      }, { status: 500 });
+    }
+  };
+}
+
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
+ */
+export const POST = createRefreshHandler({
+  idpBaseUrl: process.env.IDP_URL!,
+  clientId: process.env.CLIENT_ID || 'payez_default_client',
+  nextAuthSecret: process.env.NEXTAUTH_SECRET || '',
+  refreshEndpoint: '/api/ExternalAuth/refresh'
+});