npm - @payez/next-mvp - Versions diffs - 3.0.0 - Mend

@payez/next-mvp 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (654) hide show

package/README.md +782 -0
package/dist/api/auth-handler.d.ts +67 -0
package/dist/api/auth-handler.js +397 -0
package/dist/api/index.d.ts +10 -0
package/dist/api/index.js +19 -0
package/dist/api-handlers/account/change-password.d.ts +9 -0
package/dist/api-handlers/account/change-password.js +112 -0
package/dist/api-handlers/account/masked-info.d.ts +2 -0
package/dist/api-handlers/account/masked-info.js +41 -0
package/dist/api-handlers/account/profile.d.ts +3 -0
package/dist/api-handlers/account/profile.js +63 -0
package/dist/api-handlers/account/recovery/initiate.d.ts +2 -0
package/dist/api-handlers/account/recovery/initiate.js +26 -0
package/dist/api-handlers/account/recovery/send-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/send-code.js +28 -0
package/dist/api-handlers/account/recovery/verify-code.d.ts +2 -0
package/dist/api-handlers/account/recovery/verify-code.js +28 -0
package/dist/api-handlers/account/reset-password.d.ts +2 -0
package/dist/api-handlers/account/reset-password.js +26 -0
package/dist/api-handlers/account/send-code.d.ts +24 -0
package/dist/api-handlers/account/send-code.js +60 -0
package/dist/api-handlers/account/update-phone.d.ts +27 -0
package/dist/api-handlers/account/update-phone.js +64 -0
package/dist/api-handlers/account/validate-password.d.ts +17 -0
package/dist/api-handlers/account/validate-password.js +81 -0
package/dist/api-handlers/account/verify-email.d.ts +26 -0
package/dist/api-handlers/account/verify-email.js +106 -0
package/dist/api-handlers/account/verify-sms.d.ts +26 -0
package/dist/api-handlers/account/verify-sms.js +106 -0
package/dist/api-handlers/admin/analytics.d.ts +20 -0
package/dist/api-handlers/admin/analytics.js +379 -0
package/dist/api-handlers/admin/audit.d.ts +20 -0
package/dist/api-handlers/admin/audit.js +214 -0
package/dist/api-handlers/admin/index.d.ts +21 -0
package/dist/api-handlers/admin/index.js +41 -0
package/dist/api-handlers/admin/redis-sessions.d.ts +36 -0
package/dist/api-handlers/admin/redis-sessions.js +204 -0
package/dist/api-handlers/admin/sessions.d.ts +21 -0
package/dist/api-handlers/admin/sessions.js +284 -0
package/dist/api-handlers/admin/site-logs.d.ts +46 -0
package/dist/api-handlers/admin/site-logs.js +318 -0
package/dist/api-handlers/admin/users.d.ts +20 -0
package/dist/api-handlers/admin/users.js +222 -0
package/dist/api-handlers/admin/vibe-data.d.ts +80 -0
package/dist/api-handlers/admin/vibe-data.js +268 -0
package/dist/api-handlers/anon/preferences.d.ts +37 -0
package/dist/api-handlers/anon/preferences.js +96 -0
package/dist/api-handlers/auth/jwks.d.ts +2 -0
package/dist/api-handlers/auth/jwks.js +24 -0
package/dist/api-handlers/auth/login.d.ts +42 -0
package/dist/api-handlers/auth/login.js +178 -0
package/dist/api-handlers/auth/refresh.d.ts +74 -0
package/dist/api-handlers/auth/refresh.js +635 -0
package/dist/api-handlers/auth/signout.d.ts +37 -0
package/dist/api-handlers/auth/signout.js +187 -0
package/dist/api-handlers/auth/status.d.ts +8 -0
package/dist/api-handlers/auth/status.js +26 -0
package/dist/api-handlers/auth/update-session.d.ts +37 -0
package/dist/api-handlers/auth/update-session.js +95 -0
package/dist/api-handlers/auth/validate.d.ts +6 -0
package/dist/api-handlers/auth/validate.js +43 -0
package/dist/api-handlers/auth/verify-code.d.ts +43 -0
package/dist/api-handlers/auth/verify-code.js +94 -0
package/dist/api-handlers/session/refresh-viability.d.ts +14 -0
package/dist/api-handlers/session/refresh-viability.js +39 -0
package/dist/api-handlers/session/viability.d.ts +13 -0
package/dist/api-handlers/session/viability.js +146 -0
package/dist/api-handlers/test/force-expire.d.ts +23 -0
package/dist/api-handlers/test/force-expire.js +65 -0
package/dist/auth/auth-decision.d.ts +39 -0
package/dist/auth/auth-decision.js +182 -0
package/dist/auth/auth-options.d.ts +57 -0
package/dist/auth/auth-options.js +213 -0
package/dist/auth/callbacks/index.d.ts +6 -0
package/dist/auth/callbacks/index.js +12 -0
package/dist/auth/callbacks/jwt.d.ts +45 -0
package/dist/auth/callbacks/jwt.js +305 -0
package/dist/auth/callbacks/session.d.ts +60 -0
package/dist/auth/callbacks/session.js +170 -0
package/dist/auth/callbacks/signin.d.ts +23 -0
package/dist/auth/callbacks/signin.js +44 -0
package/dist/auth/events/index.d.ts +4 -0
package/dist/auth/events/index.js +8 -0
package/dist/auth/events/signout.d.ts +17 -0
package/dist/auth/events/signout.js +32 -0
package/dist/auth/providers/credentials.d.ts +32 -0
package/dist/auth/providers/credentials.js +223 -0
package/dist/auth/providers/index.d.ts +5 -0
package/dist/auth/providers/index.js +21 -0
package/dist/auth/providers/oauth.d.ts +26 -0
package/dist/auth/providers/oauth.js +105 -0
package/dist/auth/route-config.d.ts +66 -0
package/dist/auth/route-config.js +190 -0
package/dist/auth/types/auth-types.d.ts +417 -0
package/dist/auth/types/auth-types.js +53 -0
package/dist/auth/types/index.d.ts +6 -0
package/dist/auth/types/index.js +22 -0
package/dist/auth/unauthenticated-routes.d.ts +1 -0
package/dist/auth/unauthenticated-routes.js +19 -0
package/dist/auth/utils/idp-client.d.ts +94 -0
package/dist/auth/utils/idp-client.js +383 -0
package/dist/auth/utils/index.d.ts +5 -0
package/dist/auth/utils/index.js +21 -0
package/dist/auth/utils/token-utils.d.ts +84 -0
package/dist/auth/utils/token-utils.js +219 -0
package/dist/client/AuthContext.d.ts +19 -0
package/dist/client/AuthContext.js +112 -0
package/dist/client/fetch-with-auth.d.ts +11 -0
package/dist/client/fetch-with-auth.js +44 -0
package/dist/client/fetchWithSession.d.ts +3 -0
package/dist/client/fetchWithSession.js +24 -0
package/dist/client/index.d.ts +9 -0
package/dist/client/index.js +20 -0
package/dist/client/useAnonSession.d.ts +36 -0
package/dist/client/useAnonSession.js +99 -0
package/dist/components/SessionSync.d.ts +13 -0
package/dist/components/SessionSync.js +119 -0
package/dist/components/SignalRHealthCheck.d.ts +10 -0
package/dist/components/SignalRHealthCheck.js +97 -0
package/dist/components/account/UserAvatarMenu.d.ts +20 -0
package/dist/components/account/UserAvatarMenu.js +80 -0
package/dist/components/account/index.d.ts +7 -0
package/dist/components/account/index.js +10 -0
package/dist/components/admin/AlertSettingsTab.d.ts +48 -0
package/dist/components/admin/AlertSettingsTab.js +351 -0
package/dist/components/admin/AnalyticsTab.d.ts +22 -0
package/dist/components/admin/AnalyticsTab.js +167 -0
package/dist/components/admin/DataBrowserTab.d.ts +19 -0
package/dist/components/admin/DataBrowserTab.js +252 -0
package/dist/components/admin/LoggingSettingsTab.d.ts +73 -0
package/dist/components/admin/LoggingSettingsTab.js +339 -0
package/dist/components/admin/SessionsTab.d.ts +37 -0
package/dist/components/admin/SessionsTab.js +165 -0
package/dist/components/admin/StatsTab.d.ts +53 -0
package/dist/components/admin/StatsTab.js +161 -0
package/dist/components/admin/VibeAdminContext.d.ts +32 -0
package/dist/components/admin/VibeAdminContext.js +38 -0
package/dist/components/admin/VibeAdminLayout.d.ts +11 -0
package/dist/components/admin/VibeAdminLayout.js +69 -0
package/dist/components/admin/index.d.ts +29 -0
package/dist/components/admin/index.js +44 -0
package/dist/components/auth/FederatedAuthSection.d.ts +8 -0
package/dist/components/auth/FederatedAuthSection.js +45 -0
package/dist/components/auth/ModeAwareLoginPage.d.ts +10 -0
package/dist/components/auth/ModeAwareLoginPage.js +42 -0
package/dist/components/auth/ModeAwareSignupPage.d.ts +9 -0
package/dist/components/auth/ModeAwareSignupPage.js +78 -0
package/dist/components/auth/TraditionalAuthSection.d.ts +14 -0
package/dist/components/auth/TraditionalAuthSection.js +20 -0
package/dist/components/recovery/CompleteStep.d.ts +5 -0
package/dist/components/recovery/CompleteStep.js +8 -0
package/dist/components/recovery/InitiateRecoveryStep.d.ts +8 -0
package/dist/components/recovery/InitiateRecoveryStep.js +20 -0
package/dist/components/recovery/SelectMethodStep.d.ts +8 -0
package/dist/components/recovery/SelectMethodStep.js +8 -0
package/dist/components/recovery/SetPasswordStep.d.ts +6 -0
package/dist/components/recovery/SetPasswordStep.js +20 -0
package/dist/components/recovery/VerifyCodeStep.d.ts +10 -0
package/dist/components/recovery/VerifyCodeStep.js +24 -0
package/dist/components/reserved/ReservedRecoveryWarning.d.ts +38 -0
package/dist/components/reserved/ReservedRecoveryWarning.js +92 -0
package/dist/components/reserved/ReservedStatusBox.d.ts +30 -0
package/dist/components/reserved/ReservedStatusBox.js +71 -0
package/dist/components/ui/BetaBadge.d.ts +29 -0
package/dist/components/ui/BetaBadge.js +38 -0
package/dist/components/ui/Footer.d.ts +37 -0
package/dist/components/ui/Footer.js +41 -0
package/dist/config/env.d.ts +66 -0
package/dist/config/env.js +57 -0
package/dist/config/logger.d.ts +57 -0
package/dist/config/logger.js +73 -0
package/dist/config/logging-config.d.ts +30 -0
package/dist/config/logging-config.js +122 -0
package/dist/config/unauthenticated-routes.d.ts +17 -0
package/dist/config/unauthenticated-routes.js +24 -0
package/dist/config/vibe-log-transport.d.ts +79 -0
package/dist/config/vibe-log-transport.js +203 -0
package/dist/edge/internal-api-url.d.ts +53 -0
package/dist/edge/internal-api-url.js +63 -0
package/dist/edge/middleware.d.ts +14 -0
package/dist/edge/middleware.js +32 -0
package/dist/hooks/useAuth.d.ts +23 -0
package/dist/hooks/useAuth.js +81 -0
package/dist/hooks/useAuthSettings.d.ts +59 -0
package/dist/hooks/useAuthSettings.js +93 -0
package/dist/hooks/useAvailableProviders.d.ts +45 -0
package/dist/hooks/useAvailableProviders.js +108 -0
package/dist/hooks/usePasswordValidation.d.ts +27 -0
package/dist/hooks/usePasswordValidation.js +102 -0
package/dist/hooks/useProfile.d.ts +15 -0
package/dist/hooks/useProfile.js +59 -0
package/dist/hooks/usePublicAuthSettings.d.ts +56 -0
package/dist/hooks/usePublicAuthSettings.js +131 -0
package/dist/hooks/useSessionExpiration.d.ts +57 -0
package/dist/hooks/useSessionExpiration.js +72 -0
package/dist/hooks/useViabilitySession.d.ts +75 -0
package/dist/hooks/useViabilitySession.js +268 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +54 -0
package/dist/lib/anon-session.d.ts +74 -0
package/dist/lib/anon-session.js +169 -0
package/dist/lib/api-handler.d.ts +123 -0
package/dist/lib/api-handler.js +478 -0
package/dist/lib/app-slug.d.ts +95 -0
package/dist/lib/app-slug.js +172 -0
package/dist/lib/demo-mode.d.ts +6 -0
package/dist/lib/demo-mode.js +16 -0
package/dist/lib/geolocation.d.ts +64 -0
package/dist/lib/geolocation.js +235 -0
package/dist/lib/idp-client-config.d.ts +75 -0
package/dist/lib/idp-client-config.js +351 -0
package/dist/lib/idp-fetch.d.ts +14 -0
package/dist/lib/idp-fetch.js +91 -0
package/dist/lib/internal-api.d.ts +87 -0
package/dist/lib/internal-api.js +122 -0
package/dist/lib/jwt-decode-client.d.ts +10 -0
package/dist/lib/jwt-decode-client.js +46 -0
package/dist/lib/jwt-decode.d.ts +48 -0
package/dist/lib/jwt-decode.js +57 -0
package/dist/lib/nextauth-secret.d.ts +10 -0
package/dist/lib/nextauth-secret.js +104 -0
package/dist/lib/rate-limit-service.d.ts +23 -0
package/dist/lib/rate-limit-service.js +6 -0
package/dist/lib/redis.d.ts +5 -0
package/dist/lib/redis.js +28 -0
package/dist/lib/refresh-token-validator.d.ts +13 -0
package/dist/lib/refresh-token-validator.js +117 -0
package/dist/lib/roles.d.ts +145 -0
package/dist/lib/roles.js +168 -0
package/dist/lib/secret-validation.d.ts +4 -0
package/dist/lib/secret-validation.js +14 -0
package/dist/lib/session-store.d.ts +166 -0
package/dist/lib/session-store.js +537 -0
package/dist/lib/session.d.ts +21 -0
package/dist/lib/session.js +26 -0
package/dist/lib/site-logger.d.ts +214 -0
package/dist/lib/site-logger.js +210 -0
package/dist/lib/standardized-client-api.d.ts +161 -0
package/dist/lib/standardized-client-api.js +786 -0
package/dist/lib/startup-init.d.ts +40 -0
package/dist/lib/startup-init.js +261 -0
package/dist/lib/test-aware-get-token.d.ts +2 -0
package/dist/lib/test-aware-get-token.js +81 -0
package/dist/lib/token-expiry.d.ts +14 -0
package/dist/lib/token-expiry.js +39 -0
package/dist/lib/token-lifecycle.d.ts +52 -0
package/dist/lib/token-lifecycle.js +398 -0
package/dist/lib/types/api-responses.d.ts +128 -0
package/dist/lib/types/api-responses.js +171 -0
package/dist/lib/user-agent-parser.d.ts +50 -0
package/dist/lib/user-agent-parser.js +220 -0
package/dist/logging/api/admin-analytics.d.ts +3 -0
package/dist/logging/api/admin-analytics.js +45 -0
package/dist/logging/api/audit-log.d.ts +3 -0
package/dist/logging/api/audit-log.js +52 -0
package/dist/logging/components/AdminAnalyticsLayout.d.ts +10 -0
package/dist/logging/components/AdminAnalyticsLayout.js +11 -0
package/dist/logging/components/AuditLogViewer.d.ts +7 -0
package/dist/logging/components/AuditLogViewer.js +51 -0
package/dist/logging/components/ErrorMetricsCard.d.ts +7 -0
package/dist/logging/components/ErrorMetricsCard.js +16 -0
package/dist/logging/components/HealthMetricsCard.d.ts +7 -0
package/dist/logging/components/HealthMetricsCard.js +19 -0
package/dist/logging/hooks/useAdminAnalytics.d.ts +24 -0
package/dist/logging/hooks/useAdminAnalytics.js +22 -0
package/dist/logging/hooks/useAuditLog.d.ts +6 -0
package/dist/logging/hooks/useAuditLog.js +25 -0
package/dist/logging/hooks/useErrorMetrics.d.ts +6 -0
package/dist/logging/hooks/useErrorMetrics.js +38 -0
package/dist/logging/hooks/useHealthMetrics.d.ts +6 -0
package/dist/logging/hooks/useHealthMetrics.js +41 -0
package/dist/logging/index.d.ts +11 -0
package/dist/logging/index.js +40 -0
package/dist/logging/types/analytics.d.ts +68 -0
package/dist/logging/types/analytics.js +3 -0
package/dist/logging/types/audit.d.ts +29 -0
package/dist/logging/types/audit.js +2 -0
package/dist/logging/types/index.d.ts +2 -0
package/dist/logging/types/index.js +19 -0
package/dist/middleware/auth-decision.d.ts +33 -0
package/dist/middleware/auth-decision.js +65 -0
package/dist/middleware/create-middleware.d.ts +100 -0
package/dist/middleware/create-middleware.js +445 -0
package/dist/middleware/rbac-check.d.ts +44 -0
package/dist/middleware/rbac-check.js +191 -0
package/dist/middleware/twofa-presets.d.ts +134 -0
package/dist/middleware/twofa-presets.js +175 -0
package/dist/models/DecodedAccessToken.d.ts +17 -0
package/dist/models/DecodedAccessToken.js +2 -0
package/dist/models/SessionModel.d.ts +122 -0
package/dist/models/SessionModel.js +136 -0
package/dist/pages/admin-login/page.d.ts +31 -0
package/dist/pages/admin-login/page.js +83 -0
package/dist/pages/admin-roles/RolesAdminPage.d.ts +15 -0
package/dist/pages/admin-roles/RolesAdminPage.js +78 -0
package/dist/pages/admin-roles/index.d.ts +8 -0
package/dist/pages/admin-roles/index.js +15 -0
package/dist/pages/admin-roles/modals.d.ts +72 -0
package/dist/pages/admin-roles/modals.js +154 -0
package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +79 -0
package/dist/pages/client-admin/ClientSiteAdminPage.js +177 -0
package/dist/pages/client-admin/index.d.ts +32 -0
package/dist/pages/client-admin/index.js +37 -0
package/dist/pages/login/page.d.ts +22 -0
package/dist/pages/login/page.js +239 -0
package/dist/pages/profile/EnhancedProfilePage.d.ts +13 -0
package/dist/pages/profile/EnhancedProfilePage.js +150 -0
package/dist/pages/profile/index.d.ts +8 -0
package/dist/pages/profile/index.js +16 -0
package/dist/pages/profile/page.d.ts +19 -0
package/dist/pages/profile/page.js +47 -0
package/dist/pages/profile/profile-patch.d.ts +1 -0
package/dist/pages/profile/profile-patch.js +281 -0
package/dist/pages/recovery/page.d.ts +1 -0
package/dist/pages/recovery/page.js +142 -0
package/dist/pages/roles/MyRolesPage.d.ts +24 -0
package/dist/pages/roles/MyRolesPage.js +71 -0
package/dist/pages/roles/components.d.ts +63 -0
package/dist/pages/roles/components.js +108 -0
package/dist/pages/roles/index.d.ts +8 -0
package/dist/pages/roles/index.js +19 -0
package/dist/pages/security/EnhancedSecurityPage.d.ts +14 -0
package/dist/pages/security/EnhancedSecurityPage.js +248 -0
package/dist/pages/security/index.d.ts +8 -0
package/dist/pages/security/index.js +16 -0
package/dist/pages/security/page.d.ts +21 -0
package/dist/pages/security/page.js +212 -0
package/dist/pages/security/security-patch.d.ts +1 -0
package/dist/pages/security/security-patch.js +302 -0
package/dist/pages/settings/EnhancedSettingsPage.d.ts +46 -0
package/dist/pages/settings/EnhancedSettingsPage.js +231 -0
package/dist/pages/settings/index.d.ts +8 -0
package/dist/pages/settings/index.js +16 -0
package/dist/pages/settings/page.d.ts +7 -0
package/dist/pages/settings/page.js +26 -0
package/dist/pages/showcase/ShowcasePage.d.ts +13 -0
package/dist/pages/showcase/ShowcasePage.js +140 -0
package/dist/pages/showcase/index.d.ts +12 -0
package/dist/pages/showcase/index.js +17 -0
package/dist/pages/test-env/EmergencyLogoutPage.d.ts +14 -0
package/dist/pages/test-env/EmergencyLogoutPage.js +98 -0
package/dist/pages/test-env/JwtInspectPage.d.ts +14 -0
package/dist/pages/test-env/JwtInspectPage.js +114 -0
package/dist/pages/test-env/RefreshTokenPage.d.ts +15 -0
package/dist/pages/test-env/RefreshTokenPage.js +91 -0
package/dist/pages/test-env/TestEnvPage.d.ts +13 -0
package/dist/pages/test-env/TestEnvPage.js +49 -0
package/dist/pages/test-env/index.d.ts +24 -0
package/dist/pages/test-env/index.js +32 -0
package/dist/pages/verify-code/page.d.ts +30 -0
package/dist/pages/verify-code/page.js +408 -0
package/dist/routes/account/index.d.ts +28 -0
package/dist/routes/account/index.js +71 -0
package/dist/routes/account/masked-info.d.ts +33 -0
package/dist/routes/account/masked-info.js +39 -0
package/dist/routes/account/send-code.d.ts +37 -0
package/dist/routes/account/send-code.js +42 -0
package/dist/routes/account/update-phone.d.ts +13 -0
package/dist/routes/account/update-phone.js +17 -0
package/dist/routes/account/verify-email.d.ts +38 -0
package/dist/routes/account/verify-email.js +43 -0
package/dist/routes/account/verify-sms.d.ts +38 -0
package/dist/routes/account/verify-sms.js +43 -0
package/dist/routes/auth/index.d.ts +19 -0
package/dist/routes/auth/index.js +64 -0
package/dist/routes/auth/logout.d.ts +31 -0
package/dist/routes/auth/logout.js +113 -0
package/dist/routes/auth/nextauth.d.ts +19 -0
package/dist/routes/auth/nextauth.js +72 -0
package/dist/routes/auth/refresh.d.ts +30 -0
package/dist/routes/auth/refresh.js +51 -0
package/dist/routes/auth/session.d.ts +72 -0
package/dist/routes/auth/session.js +180 -0
package/dist/routes/auth/settings.d.ts +25 -0
package/dist/routes/auth/settings.js +55 -0
package/dist/routes/auth/viability.d.ts +52 -0
package/dist/routes/auth/viability.js +201 -0
package/dist/routes/index.d.ts +12 -0
package/dist/routes/index.js +54 -0
package/dist/routes/session/index.d.ts +6 -0
package/dist/routes/session/index.js +10 -0
package/dist/routes/session/refresh-viability.d.ts +16 -0
package/dist/routes/session/refresh-viability.js +20 -0
package/dist/services/signalrActivityService.d.ts +44 -0
package/dist/services/signalrActivityService.js +257 -0
package/dist/stores/authStore.d.ts +154 -0
package/dist/stores/authStore.js +1531 -0
package/dist/theme/ThemeProvider.d.ts +14 -0
package/dist/theme/ThemeProvider.js +28 -0
package/dist/theme/default.d.ts +8 -0
package/dist/theme/default.js +33 -0
package/dist/theme/index.d.ts +15 -0
package/dist/theme/index.js +25 -0
package/dist/theme/types.d.ts +56 -0
package/dist/theme/types.js +8 -0
package/dist/theme/useTheme.d.ts +60 -0
package/dist/theme/useTheme.js +63 -0
package/dist/theme/utils.d.ts +13 -0
package/dist/theme/utils.js +39 -0
package/dist/types/api.d.ts +134 -0
package/dist/types/api.js +44 -0
package/dist/types/auth.d.ts +19 -0
package/dist/types/auth.js +2 -0
package/dist/types/logging.d.ts +42 -0
package/dist/types/logging.js +2 -0
package/dist/types/recovery.d.ts +48 -0
package/dist/types/recovery.js +2 -0
package/dist/types/security.d.ts +1 -0
package/dist/types/security.js +2 -0
package/dist/utils/api.d.ts +85 -0
package/dist/utils/api.js +287 -0
package/dist/utils/circuitBreaker.d.ts +43 -0
package/dist/utils/circuitBreaker.js +91 -0
package/dist/utils/error-message.d.ts +1 -0
package/dist/utils/error-message.js +103 -0
package/dist/utils/layout/reservedSpace.d.ts +59 -0
package/dist/utils/layout/reservedSpace.js +102 -0
package/dist/utils/logout.d.ts +14 -0
package/dist/utils/logout.js +32 -0
package/dist/vibe/client.d.ts +261 -0
package/dist/vibe/client.js +445 -0
package/dist/vibe/errors.d.ts +83 -0
package/dist/vibe/errors.js +146 -0
package/dist/vibe/generic.d.ts +234 -0
package/dist/vibe/generic.js +369 -0
package/dist/vibe/hooks/index.d.ts +169 -0
package/dist/vibe/hooks/index.js +252 -0
package/dist/vibe/index.d.ts +23 -0
package/dist/vibe/index.js +67 -0
package/dist/vibe/sessions.d.ts +161 -0
package/dist/vibe/sessions.js +391 -0
package/dist/vibe/types.d.ts +353 -0
package/dist/vibe/types.js +315 -0
package/package.json +855 -0
package/scripts/check-internal-url-usage.sh +73 -0
package/scripts/dev-broker.ps1 +35 -0
package/scripts/dev-local.ps1 +45 -0
package/src/api/auth-handler.ts +550 -0
package/src/api/index.ts +18 -0
package/src/api-handlers/account/change-password.ts +145 -0
package/src/api-handlers/account/masked-info.ts +45 -0
package/src/api-handlers/account/profile.ts +80 -0
package/src/api-handlers/account/recovery/initiate.ts +23 -0
package/src/api-handlers/account/recovery/send-code.ts +25 -0
package/src/api-handlers/account/recovery/verify-code.ts +25 -0
package/src/api-handlers/account/reset-password.ts +23 -0
package/src/api-handlers/account/send-code.ts +76 -0
package/src/api-handlers/account/update-phone.ts +79 -0
package/src/api-handlers/account/validate-password.ts +118 -0
package/src/api-handlers/account/verify-email.ts +125 -0
package/src/api-handlers/account/verify-sms.ts +125 -0
package/src/api-handlers/admin/analytics.ts +445 -0
package/src/api-handlers/admin/audit.ts +225 -0
package/src/api-handlers/admin/index.ts +59 -0
package/src/api-handlers/admin/redis-sessions.ts +253 -0
package/src/api-handlers/admin/sessions.ts +320 -0
package/src/api-handlers/admin/site-logs.ts +367 -0
package/src/api-handlers/admin/users.ts +244 -0
package/src/api-handlers/admin/vibe-data.ts +326 -0
package/src/api-handlers/anon/preferences.ts +123 -0
package/src/api-handlers/auth/jwks.ts +20 -0
package/src/api-handlers/auth/login.ts +240 -0
package/src/api-handlers/auth/refresh.ts +687 -0
package/src/api-handlers/auth/signout.ts +212 -0
package/src/api-handlers/auth/status.ts +23 -0
package/src/api-handlers/auth/update-session.ts +125 -0
package/src/api-handlers/auth/validate.ts +44 -0
package/src/api-handlers/auth/verify-code.ts +129 -0
package/src/api-handlers/session/refresh-viability.ts +36 -0
package/src/api-handlers/session/viability.ts +166 -0
package/src/api-handlers/test/force-expire.ts +67 -0
package/src/auth/auth-decision.ts +230 -0
package/src/auth/auth-options.ts +237 -0
package/src/auth/callbacks/index.ts +7 -0
package/src/auth/callbacks/jwt.ts +382 -0
package/src/auth/callbacks/session.ts +243 -0
package/src/auth/callbacks/signin.ts +56 -0
package/src/auth/events/index.ts +5 -0
package/src/auth/events/signout.ts +33 -0
package/src/auth/providers/credentials.ts +256 -0
package/src/auth/providers/index.ts +6 -0
package/src/auth/providers/oauth.ts +114 -0
package/src/auth/route-config.ts +220 -0
package/src/auth/types/auth-types.ts +555 -0
package/src/auth/types/index.ts +7 -0
package/src/auth/unauthenticated-routes.ts +3 -0
package/src/auth/utils/idp-client.ts +444 -0
package/src/auth/utils/index.ts +6 -0
package/src/auth/utils/token-utils.ts +244 -0
package/src/client/AuthContext.tsx +140 -0
package/src/client/fetch-with-auth.ts +48 -0
package/src/client/fetchWithSession.ts +21 -0
package/src/client/index.ts +13 -0
package/src/client/useAnonSession.ts +131 -0
package/src/components/SessionSync.tsx +137 -0
package/src/components/SignalRHealthCheck.tsx +131 -0
package/src/components/account/UserAvatarMenu.tsx +217 -0
package/src/components/account/index.ts +8 -0
package/src/components/admin/AlertSettingsTab.tsx +728 -0
package/src/components/admin/AnalyticsTab.tsx +703 -0
package/src/components/admin/DataBrowserTab.tsx +505 -0
package/src/components/admin/LoggingSettingsTab.tsx +665 -0
package/src/components/admin/SessionsTab.tsx +414 -0
package/src/components/admin/StatsTab.tsx +379 -0
package/src/components/admin/VibeAdminContext.tsx +87 -0
package/src/components/admin/VibeAdminLayout.tsx +185 -0
package/src/components/admin/index.ts +59 -0
package/src/components/auth/FederatedAuthSection.tsx +95 -0
package/src/components/auth/ModeAwareLoginPage.tsx +135 -0
package/src/components/auth/ModeAwareSignupPage.tsx +267 -0
package/src/components/auth/TraditionalAuthSection.tsx +99 -0
package/src/components/recovery/CompleteStep.tsx +36 -0
package/src/components/recovery/InitiateRecoveryStep.tsx +68 -0
package/src/components/recovery/SelectMethodStep.tsx +73 -0
package/src/components/recovery/SetPasswordStep.tsx +97 -0
package/src/components/recovery/VerifyCodeStep.tsx +90 -0
package/src/components/reserved/ReservedRecoveryWarning.tsx +160 -0
package/src/components/reserved/ReservedStatusBox.tsx +118 -0
package/src/components/ui/BetaBadge.tsx +58 -0
package/src/components/ui/Footer.tsx +93 -0
package/src/config/env.ts +57 -0
package/src/config/logger.ts +62 -0
package/src/config/logging-config.ts +82 -0
package/src/config/unauthenticated-routes.ts +19 -0
package/src/config/vibe-log-transport.ts +250 -0
package/src/edge/internal-api-url.ts +65 -0
package/src/edge/middleware.ts +42 -0
package/src/hooks/useAuth.ts +115 -0
package/src/hooks/useAuthSettings.ts +97 -0
package/src/hooks/useAvailableProviders.ts +118 -0
package/src/hooks/usePasswordValidation.ts +127 -0
package/src/hooks/useProfile.ts +75 -0
package/src/hooks/usePublicAuthSettings.ts +149 -0
package/src/hooks/useSessionExpiration.ts +102 -0
package/src/hooks/useViabilitySession.ts +335 -0
package/src/index.ts +63 -0
package/src/lib/anon-session.ts +213 -0
package/src/lib/api-handler.ts +625 -0
package/src/lib/app-slug.ts +178 -0
package/src/lib/demo-mode.ts +13 -0
package/src/lib/geolocation.ts +265 -0
package/src/lib/idp-client-config.ts +442 -0
package/src/lib/idp-fetch.ts +101 -0
package/src/lib/internal-api.ts +171 -0
package/src/lib/jwt-decode-client.ts +45 -0
package/src/lib/jwt-decode.ts +83 -0
package/src/lib/nextauth-secret.ts +126 -0
package/src/lib/rate-limit-service.ts +9 -0
package/src/lib/redis.ts +27 -0
package/src/lib/refresh-token-validator.ts +64 -0
package/src/lib/roles.ts +177 -0
package/src/lib/secret-validation.ts +8 -0
package/src/lib/session-store.ts +637 -0
package/src/lib/session.ts +34 -0
package/src/lib/site-logger.ts +245 -0
package/src/lib/standardized-client-api.ts +896 -0
package/src/lib/startup-init.ts +247 -0
package/src/lib/test-aware-get-token.ts +30 -0
package/src/lib/token-expiry.ts +40 -0
package/src/lib/token-lifecycle.ts +477 -0
package/src/lib/types/api-responses.ts +336 -0
package/src/lib/user-agent-parser.ts +252 -0
package/src/logging/api/admin-analytics.ts +51 -0
package/src/logging/api/audit-log.ts +53 -0
package/src/logging/components/AdminAnalyticsLayout.tsx +49 -0
package/src/logging/components/AuditLogViewer.tsx +125 -0
package/src/logging/components/ErrorMetricsCard.tsx +98 -0
package/src/logging/components/HealthMetricsCard.tsx +70 -0
package/src/logging/hooks/useAdminAnalytics.ts +22 -0
package/src/logging/hooks/useAuditLog.ts +24 -0
package/src/logging/hooks/useErrorMetrics.ts +40 -0
package/src/logging/hooks/useHealthMetrics.ts +44 -0
package/src/logging/index.ts +18 -0
package/src/logging/types/analytics.ts +81 -0
package/src/logging/types/audit.ts +31 -0
package/src/logging/types/index.ts +3 -0
package/src/middleware/auth-decision.ts +43 -0
package/src/middleware/create-middleware.ts +626 -0
package/src/middleware/rbac-check.ts +244 -0
package/src/middleware/twofa-presets.ts +224 -0
package/src/models/DecodedAccessToken.ts +17 -0
package/src/models/SessionModel.ts +258 -0
package/src/pages/admin-login/page.tsx +229 -0
package/src/pages/admin-roles/RolesAdminPage.tsx +357 -0
package/src/pages/admin-roles/index.ts +9 -0
package/src/pages/admin-roles/modals.tsx +469 -0
package/src/pages/client-admin/ClientSiteAdminPage.tsx +380 -0
package/src/pages/client-admin/index.ts +33 -0
package/src/pages/login/page.tsx +463 -0
package/src/pages/profile/EnhancedProfilePage.tsx +479 -0
package/src/pages/profile/index.ts +9 -0
package/src/pages/profile/page.tsx +166 -0
package/src/pages/recovery/page.tsx +234 -0
package/src/pages/roles/MyRolesPage.tsx +211 -0
package/src/pages/roles/components.tsx +294 -0
package/src/pages/roles/index.ts +17 -0
package/src/pages/security/EnhancedSecurityPage.tsx +574 -0
package/src/pages/security/index.ts +9 -0
package/src/pages/security/page.tsx +507 -0
package/src/pages/settings/EnhancedSettingsPage.tsx +642 -0
package/src/pages/settings/index.ts +9 -0
package/src/pages/settings/page.tsx +47 -0
package/src/pages/showcase/ShowcasePage.tsx +530 -0
package/src/pages/showcase/index.ts +13 -0
package/src/pages/test-env/EmergencyLogoutPage.tsx +179 -0
package/src/pages/test-env/JwtInspectPage.tsx +418 -0
package/src/pages/test-env/RefreshTokenPage.tsx +155 -0
package/src/pages/test-env/TestEnvPage.tsx +116 -0
package/src/pages/test-env/index.ts +25 -0
package/src/pages/verify-code/page.tsx +648 -0
package/src/routes/account/index.ts +32 -0
package/src/routes/account/masked-info.ts +37 -0
package/src/routes/account/send-code.ts +40 -0
package/src/routes/account/update-phone.ts +13 -0
package/src/routes/account/verify-email.ts +41 -0
package/src/routes/account/verify-sms.ts +41 -0
package/src/routes/auth/index.ts +23 -0
package/src/routes/auth/logout.ts +127 -0
package/src/routes/auth/nextauth.ts +71 -0
package/src/routes/auth/refresh.ts +54 -0
package/src/routes/auth/session.ts +193 -0
package/src/routes/auth/settings.ts +75 -0
package/src/routes/auth/viability.ts +220 -0
package/src/routes/index.ts +18 -0
package/src/routes/session/index.ts +7 -0
package/src/routes/session/refresh-viability.ts +17 -0
package/src/services/signalrActivityService.ts +258 -0
package/src/stores/authStore.ts +1904 -0
package/src/templates/instrumentation.ts +41 -0
package/src/theme/ThemeProvider.tsx +39 -0
package/src/theme/default.ts +33 -0
package/src/theme/index.ts +31 -0
package/src/theme/types.ts +69 -0
package/src/theme/useTheme.ts +57 -0
package/src/theme/utils.ts +40 -0
package/src/types/api.ts +13 -0
package/src/types/auth.d.ts +15 -0
package/src/types/auth.ts +22 -0
package/src/types/logging.ts +11 -0
package/src/types/next-auth.d.ts +15 -0
package/src/types/recovery.ts +54 -0
package/src/types/security.ts +1 -0
package/src/utils/api.ts +353 -0
package/src/utils/circuitBreaker.ts +40 -0
package/src/utils/error-message.ts +108 -0
package/src/utils/layout/reservedSpace.ts +124 -0
package/src/utils/logout.ts +30 -0
package/src/vibe/client.ts +590 -0
package/src/vibe/errors.ts +185 -0
package/src/vibe/generic.ts +429 -0
package/src/vibe/hooks/index.ts +367 -0
package/src/vibe/index.ts +121 -0
package/src/vibe/sessions.ts +551 -0
package/src/vibe/types.ts +577 -0

package/src/auth/callbacks/index.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Auth Callbacks - Public Exports
+ */
+export { jwtCallback } from './jwt';
+export { sessionCallback } from './session';
+export { signInCallback } from './signin';

package/src/auth/callbacks/jwt.ts ADDED Viewed

@@ -0,0 +1,382 @@
+/**
+ * JWT Callback
+ *
+ * Minimal token strategy - only store redisSessionId in JWT.
+ * All session data lives in Redis, not in the browser cookie.
+ *
+ * HANDLES:
+ * - Initial sign-in (credentials): Store redisSessionId from authorize()
+ * - Initial sign-in (OAuth): Register with IDP, create session, store redisSessionId
+ * - Subsequent requests: Validate session exists, return token
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { JWT } from 'next-auth/jwt';
+import type { User, Account } from 'next-auth';
+import { createHmac } from 'crypto';
+import { createSession, getSession } from '../../lib/session-store';
+import { getIDPClientConfig } from '../../lib/idp-client-config';
+import { idpOAuthCallback } from '../utils/idp-client';
+import {
+  decodeIdpAccessToken,
+  extractAmrFromToken,
+  expClaimToMs,
+  extractKidFromToken,
+} from '../utils/token-utils';
+// NOTE: Using any for sessionData until Phase 3 normalizes types
+// ============================================================================
+// VIBE ROLE FETCHING
+// ============================================================================
+/**
+ * Generate HMAC signature for Vibe API request.
+ */
+function generateVibeSignature(
+  endpoint: string,
+  clientId: string,
+  timestamp: number
+): string {
+  const signingKey = process.env.VIBE_SIGNING_KEY;
+  if (!signingKey) {
+    return '';
+  }
+  const stringToSign = `${timestamp}|GET|${endpoint}|${clientId}`;
+  return createHmac('sha256', Buffer.from(signingKey, 'base64'))
+    .update(stringToSign)
+    .digest('base64');
+}
+/**
+ * Fetch user's roles from Vibe API.
+ * Returns empty array on failure (non-blocking).
+ * Uses HMAC signature for authentication when signing key is configured.
+ */
+async function fetchVibeRoles(userId: string, clientId: string): Promise<string[]> {
+  const vibeApiUrl = process.env.VIBE_API_URL;
+  if (!vibeApiUrl) {
+    return [];
+  }
+  const endpoint = `/api/v1/users/${userId}/roles`;
+  const timestamp = Math.floor(Date.now() / 1000);
+  const signature = generateVibeSignature(endpoint, clientId, timestamp);
+  // Build headers with optional signature
+  const headers: Record<string, string> = {
+    'Accept': 'application/json',
+    'X-Client-Id': clientId,
+    'X-Vibe-Client-Id': clientId,
+  };
+  if (signature) {
+    headers['X-Vibe-Timestamp'] = String(timestamp);
+    headers['X-Vibe-Signature'] = signature;
+  }
+  try {
+    const response = await fetch(
+      `${vibeApiUrl}${endpoint}`,
+      {
+        method: 'GET',
+        headers,
+        // 2 second timeout
+        signal: AbortSignal.timeout(2000),
+      }
+    );
+    if (!response.ok) {
+      console.warn('[JWT_CALLBACK] Failed to fetch Vibe roles:', response.status);
+      return [];
+    }
+    const data = await response.json();
+    const roles = data.roles?.map((r: any) => r.role_name || r) || [];
+    console.log('[JWT_CALLBACK] Fetched Vibe roles:', roles);
+    return roles;
+  } catch (error) {
+    console.warn('[JWT_CALLBACK] Error fetching Vibe roles (continuing with IDP roles only):', error);
+    return [];
+  }
+}
+/**
+ * Merge IDP roles with Vibe roles, deduplicating.
+ */
+function mergeRoles(idpRoles: string[], vibeRoles: string[]): string[] {
+  return [...new Set([...idpRoles, ...vibeRoles])];
+}
+// ============================================================================
+// TYPES
+// ============================================================================
+interface JwtCallbackParams {
+  token: JWT;
+  user?: User | any;
+  account?: Account | null;
+  trigger?: 'signIn' | 'signUp' | 'update';
+}
+interface JwtCallbackResult extends JWT {
+  /** Redis session ID - the key to look up session data */
+  redisSessionId?: string;
+  /** User ID from IDP */
+  sub: string;
+  /** Error code if session validation failed */
+  error?: string;
+  /** Flag for OAuth users who need immediate 2FA redirect */
+  requiresTwoFactorRedirect?: boolean;
+}
+// ============================================================================
+// JWT CALLBACK
+// ============================================================================
+/**
+ * JWT callback - builds the NextAuth JWT token.
+ *
+ * MINIMAL TOKEN STRATEGY:
+ * - Only store redisSessionId (key to Redis session)
+ * - All tokens and user data live in Redis
+ * - Browser cookie stays small and secure
+ *
+ * @param params - JWT callback parameters from NextAuth
+ * @returns JWT payload to store in browser cookie
+ */
+export async function jwtCallback({
+  token,
+  user,
+  account,
+  trigger,
+}: JwtCallbackParams): Promise<JwtCallbackResult> {
+  console.log('[JWT_CALLBACK] Called with:', {
+    trigger,
+    hasAccount: !!account,
+    provider: account?.provider,
+    hasUser: !!user,
+    userEmail: user?.email,
+    existingRedisSessionId: token?.redisSessionId ? 'yes' : 'no',
+  });
+  // -------------------------------------------------------------------------
+  // OAuth Sign-In: Register with IDP and create session
+  // -------------------------------------------------------------------------
+  if (account && account.provider !== 'credentials') {
+    console.log('[JWT_CALLBACK] Handling OAuth sign-in for provider:', account.provider);
+    return handleOAuthSignIn(token, user, account);
+  }
+  // -------------------------------------------------------------------------
+  // Credentials Sign-In: Session already created in authorize()
+  // -------------------------------------------------------------------------
+  if (user && (user as any).redisSessionId) {
+    // Credentials authorize() returns redisSessionId
+    const redisSessionId = (user as any).redisSessionId;
+    return {
+      ...token,
+      redisSessionId,
+            sub: user.id || token.sub || 'unknown',
+    };
+  }
+  // -------------------------------------------------------------------------
+  // Subsequent Requests: Validate session exists
+  // -------------------------------------------------------------------------
+  const redisSessionId = (user as any)?.redisSessionId || token?.redisSessionId || token?.redisSessionId;
+  if (!redisSessionId) {
+    return { ...token, error: 'NoSession', sub: token.sub || 'unknown' };
+  }
+  // Validate session still exists in Redis
+  try {
+    const sessionData = await getSession(redisSessionId as string);
+    if (!sessionData) {
+      // Session expired or deleted
+      return { ...token, error: 'SessionNotFound', sub: token.sub || 'unknown' };
+    }
+    // Check if refresh token has expired (session should be terminated)
+    if (sessionData.idpRefreshTokenExpires && Date.now() >= sessionData.idpRefreshTokenExpires) {
+      return { ...token, error: 'RefreshTokenExpired', sub: token.sub || 'unknown' };
+    }
+    // Check if MFA has expired (requires step-up authentication)
+    if (sessionData.mfaExpiresAt && Date.now() > sessionData.mfaExpiresAt) {
+      return {
+        ...token,
+        redisSessionId,
+                sub: sessionData.userId,
+        error: 'MfaExpired',
+      };
+    }
+  } catch (error) {
+    console.error('[JWT_CALLBACK] Session validation error:', error);
+    return { ...token, error: 'SessionError', sub: token.sub || 'unknown' };
+  }
+  // Session is valid - return minimal token
+  return {
+    ...token,
+    redisSessionId,
+        sub: token.sub || 'unknown',
+  };
+}
+// ============================================================================
+// OAUTH SIGN-IN HANDLER
+// ============================================================================
+/**
+ * Handle OAuth sign-in by registering with IDP and creating session.
+ */
+async function handleOAuthSignIn(
+  token: JWT,
+  user: User | any,
+  account: Account
+): Promise<JwtCallbackResult> {
+  console.log('[JWT_CALLBACK] handleOAuthSignIn starting for:', {
+    provider: account.provider,
+    email: user?.email,
+    providerAccountId: account.providerAccountId,
+  });
+  try {
+  // Call IDP to register/authenticate OAuth user
+  const idpResult = await idpOAuthCallback({
+    provider: account.provider,
+    providerAccountId: account.providerAccountId,
+    email: user?.email || '',
+    name: user?.name || '',
+    image: user?.image || '',
+    accessToken: account.access_token,
+    refreshToken: account.refresh_token,
+    expiresAt: account.expires_at,
+  });
+  // Build session data using normalized field names
+  let sessionData: any;
+  let mfaVerified = false;
+  if (idpResult.success && idpResult.data?.accessToken) {
+    // IDP integration succeeded - we have IDP tokens
+    const decoded = decodeIdpAccessToken(idpResult.data.accessToken);
+    const amrClaims = decoded ? extractAmrFromToken(decoded) : [];
+    const acrLevel = decoded?.acr || '1';
+    // Extract kid from JWT header (CRITICAL: different from client_id in payload)
+    const bearerKeyId = extractKidFromToken(idpResult.data.accessToken);
+    if (bearerKeyId) {
+      console.log('[JWT_CALLBACK] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
+    } else {
+      console.warn('[JWT_CALLBACK] No kid found in JWT header');
+    }
+    // Check if MFA is required for this client
+    try {
+      const clientConfig = await getIDPClientConfig();
+      const require2FA = clientConfig?.authSettings?.require2FA ?? true;
+      mfaVerified = !require2FA; // If MFA not required, mark as verified
+    } catch {
+      // Default to requiring MFA if config unavailable
+      mfaVerified = false;
+    }
+    sessionData = {
+      userId: idpResult.data.user?.userId?.toString() || account.providerAccountId,
+      email: idpResult.data.user?.email || user?.email || '',
+      name: idpResult.data.user?.fullName || user?.name || '',
+      roles: idpResult.data.user?.roles || [],
+      // IDP tokens (normalized names)
+      idpAccessToken: idpResult.data.accessToken,
+      idpRefreshToken: idpResult.data.refreshToken,
+      idpAccessTokenExpires: decoded?.exp ? expClaimToMs(decoded.exp) : Date.now() + 3600000,
+      decodedAccessToken: decoded || undefined,
+      // Bearer key ID from JWT header (NOT client_id from payload)
+      bearerKeyId,
+      // MFA state (normalized names)
+      mfaVerified,
+      authenticationMethods: amrClaims,
+      authenticationLevel: acrLevel,
+      // OAuth provider info (normalized names)
+      oauthProvider: account.provider,
+      oauthProviderToken: account.access_token,
+      oauthProviderRefreshToken: account.refresh_token,
+      // Multi-tenant info
+      idpClientId: decoded?.client_id,
+      merchantId: decoded?.merchant_id,
+    };
+  } else {
+    // IDP integration failed - create OAuth-only session
+    // This allows OAuth login to work even if IDP is unavailable
+    mfaVerified = true; // OAuth IS multi-factor (Google/Microsoft handle MFA)
+    sessionData = {
+      userId: account.providerAccountId,
+      email: user?.email || '',
+      name: user?.name || '',
+      roles: [],
+      mfaVerified: true, // OAuth IS multi-factor
+      oauthProvider: account.provider,
+      oauthProviderToken: account.access_token,
+      oauthProviderRefreshToken: account.refresh_token,
+      idpAccessTokenExpires: account.expires_at
+        ? account.expires_at * 1000
+        : Date.now() + 3600000,
+    };
+  }
+  // -------------------------------------------------------------------------
+  // ROLE MERGING: Fetch Vibe roles and merge with IDP roles
+  // -------------------------------------------------------------------------
+  const clientId = sessionData.idpClientId || process.env.IDP_CLIENT_ID || '';
+  if (clientId && sessionData.userId) {
+    const vibeRoles = await fetchVibeRoles(sessionData.userId, clientId);
+    // SECURITY: Filter out protected IDP-level role prefixes to prevent injection
+    const safeVibeRoles = vibeRoles.filter(r => !r.startsWith('payez_'));
+    const idpRoles = sessionData.roles || [];
+    sessionData.roles = mergeRoles(idpRoles, safeVibeRoles);
+    console.log('[JWT_CALLBACK] Merged roles:', {
+      idpRoles,
+      vibeRoles,
+      safeVibeRoles,
+      merged: sessionData.roles,
+    });
+  }
+  // Create Redis session
+  console.log('[JWT_CALLBACK] Creating Redis session for:', {
+    userId: sessionData.userId,
+    email: sessionData.email,
+    mfaVerified: sessionData.mfaVerified,
+    roles: sessionData.roles,
+  });
+  const redisSessionId = await createSession(sessionData);
+  console.log('[JWT_CALLBACK] Redis session created:', {
+    redisSessionId: redisSessionId ? redisSessionId.substring(0, 8) + '...' : 'NONE',
+  });
+  // Check if immediate MFA redirect is needed
+  const needsImmediateTwoFactor = !mfaVerified;
+  return {
+    ...token,
+    redisSessionId,
+        sub: sessionData.userId,
+    requiresTwoFactorRedirect: needsImmediateTwoFactor,
+  };
+  } catch (error) {
+    console.error('[JWT_CALLBACK] handleOAuthSignIn FAILED:', error);
+    return { ...token, error: 'OAuthSignInFailed', sub: token.sub || 'unknown' };
+  }
+}

package/src/auth/callbacks/session.ts ADDED Viewed

@@ -0,0 +1,243 @@
+/**
+ * Session Callback
+ *
+ * Builds the NextAuth session from Redis session data.
+ * The JWT only contains redisSessionId - all user data comes from Redis.
+ *
+ * FLOW:
+ * 1. Extract redisSessionId from JWT token
+ * 2. Fetch session data from Redis
+ * 3. Build NextAuth session with user info
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { Session } from 'next-auth';
+import type { JWT } from 'next-auth/jwt';
+import { getSession } from '../../lib/session-store';
+// NOTE: Using SessionData from models until Phase 3 normalizes names
+import type { SessionData } from '../../models/SessionModel';
+// ============================================================================
+// TYPES
+// ============================================================================
+interface SessionCallbackParams {
+  session: Session;
+  token: JWT & {
+    /** Redis session ID - the key to look up session data */
+    redisSessionId?: string;
+    error?: string;
+  };
+}
+interface AppSessionUser {
+  id: string;
+  email: string;
+  name?: string;
+  roles: string[];
+  // MFA status
+  twoFactorSessionVerified: boolean;
+  requiresTwoFactor: boolean;
+  // MFA claims from IDP token
+  authenticationMethods?: string[];
+  authenticationLevel?: string;
+  mfaCompletedAt?: number;
+  mfaExpiresAt?: number;
+  mfaValidityHours?: number;
+  // OAuth provider info
+  oauthProvider?: string;
+  // Multi-tenant IDP info
+  idpClientId?: string;
+  merchantId?: string;
+  // JWT signing key (from header, NOT client_id from payload)
+  bearerKeyId?: string;
+}
+interface AppSession extends Omit<Session, 'user'> {
+  user: AppSessionUser;
+  sessionToken?: string;
+  accessToken?: string;
+  refreshToken?: string;
+  accessTokenExpires?: number;
+  error?: string;
+}
+// ============================================================================
+// SESSION CALLBACK
+// ============================================================================
+/**
+ * Session callback - builds NextAuth session from Redis.
+ *
+ * This callback is called whenever getSession() or useSession() is used.
+ * It fetches the full session from Redis and exposes it to the client.
+ *
+ * @param params - Session callback parameters from NextAuth
+ * @returns AppSession with user data from Redis
+ */
+export async function sessionCallback({
+  session,
+  token,
+}: SessionCallbackParams): Promise<AppSession> {
+  // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
+  const redisSessionId = (token as any)?.sessionToken || token?.redisSessionId;
+  console.log('[SESSION_CALLBACK] Entry:', {
+    hasToken: !!token,
+    redisSessionId: redisSessionId || 'MISSING',
+    tokenError: token?.error || 'none',
+    tokenKeys: token ? Object.keys(token) : [],
+  });
+  // -------------------------------------------------------------------------
+  // Handle Token Errors
+  // -------------------------------------------------------------------------
+  if (token.error) {
+    console.log('[SESSION_CALLBACK] Token has error:', token.error);
+    // Special case: MFA expired - return partial session for step-up flow
+    if (token.error === 'MfaExpired' && redisSessionId) {
+      const sessionData = await safeGetSession(redisSessionId as string);
+      if (sessionData) {
+        return {
+          ...session,
+          user: {
+            id: sessionData.userId,
+            email: sessionData.email,
+            name: sessionData.name,
+            roles: sessionData.roles || [],
+            twoFactorSessionVerified: false,
+            requiresTwoFactor: true,
+            authenticationMethods: sessionData.authenticationMethods,
+            authenticationLevel: sessionData.authenticationLevel,
+            mfaExpiresAt: sessionData.mfaExpiresAt,
+          },
+          sessionToken: redisSessionId as string,
+          accessToken: sessionData.idpAccessToken,
+          refreshToken: sessionData.idpRefreshToken,
+          error: 'MfaExpired',
+        };
+      }
+    }
+    // For other errors, try to recover session data if possible
+    if (redisSessionId) {
+      const sessionData = await safeGetSession(redisSessionId as string);
+      if (sessionData) {
+        return buildSessionFromRedis(session, redisSessionId as string, sessionData);
+      }
+    }
+    // No recovery possible - return error session
+    return buildErrorSession(session, token.error);
+  }
+  // -------------------------------------------------------------------------
+  // Validate Session Token
+  // -------------------------------------------------------------------------
+  if (!redisSessionId) {
+    console.log('[SESSION_CALLBACK] No redisSessionId - returning error session');
+    return buildErrorSession(session, 'NoSessionToken');
+  }
+  // -------------------------------------------------------------------------
+  // Fetch Session from Redis
+  // -------------------------------------------------------------------------
+  const sessionData = await safeGetSession(redisSessionId as string);
+  if (!sessionData) {
+    console.log('[SESSION_CALLBACK] Redis session not found for:', redisSessionId);
+    return buildErrorSession(session, 'SessionNotFound');
+  }
+  console.log('[SESSION_CALLBACK] Redis session found:', {
+    userId: sessionData.userId,
+    email: sessionData.email,
+    roles: sessionData.roles,
+    hasAccessToken: !!sessionData.idpAccessToken,
+  });
+  const result = buildSessionFromRedis(session, redisSessionId as string, sessionData);
+  console.log('[SESSION_CALLBACK] Returning:', {
+    userId: result.user.id,
+    roles: result.user.roles,
+    hasAccessToken: !!result.accessToken,
+  });
+  return result;
+}
+// ============================================================================
+// HELPER FUNCTIONS
+// ============================================================================
+/**
+ * Safely fetch session from Redis, returning null on error.
+ */
+async function safeGetSession(
+  sessionId: string
+): Promise<SessionData | null> {
+  try {
+    return await getSession(sessionId);
+  } catch {
+    return null;
+  }
+}
+/**
+ * Build complete session from Redis data.
+ * Uses normalized field names from SessionData.
+ */
+function buildSessionFromRedis(
+  session: Session,
+  sessionId: string,
+  data: SessionData
+): AppSession {
+  return {
+    ...session,
+    user: {
+      id: data.userId,
+      email: data.email,
+      name: data.name,
+      roles: data.roles || [],
+      // MFA state (normalized field name)
+      twoFactorSessionVerified: data.mfaVerified,
+      requiresTwoFactor: !data.mfaVerified,
+      authenticationMethods: data.authenticationMethods,
+      authenticationLevel: data.authenticationLevel,
+      mfaCompletedAt: data.mfaCompletedAt,
+      mfaExpiresAt: data.mfaExpiresAt,
+      mfaValidityHours: data.mfaValidityHours,
+      oauthProvider: data.oauthProvider,
+      idpClientId: data.idpClientId,
+      merchantId: data.merchantId,
+      // Bearer key ID from JWT header (may be undefined for old sessions)
+      bearerKeyId: data.bearerKeyId,
+    },
+    sessionToken: sessionId,
+    // IDP tokens (normalized field names)
+    accessToken: data.idpAccessToken,
+    refreshToken: data.idpRefreshToken,
+    accessTokenExpires: data.idpAccessTokenExpires,
+  };
+}
+/**
+ * Build error session with empty user.
+ */
+function buildErrorSession(session: Session, error: string): AppSession {
+  return {
+    ...session,
+    user: {
+      id: '',
+      email: '',
+      roles: [],
+      twoFactorSessionVerified: false,
+      requiresTwoFactor: false,
+    },
+    error,
+  };
+}

package/src/auth/callbacks/signin.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * SignIn Callback
+ *
+ * Handles post-authentication actions like 2FA redirect.
+ * Called after credentials or OAuth authentication succeeds.
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+import type { User, Account } from 'next-auth';
+// ============================================================================
+// SIGNIN CALLBACK
+// ============================================================================
+/**
+ * SignIn callback - handle 2FA redirect for OAuth users.
+ *
+ * When require2FA is true for the client, OAuth users need to be
+ * redirected to the verify-code page immediately after OAuth login.
+ *
+ * @param params - SignIn callback parameters from NextAuth
+ * @returns true to allow sign-in, or a URL string to redirect
+ */
+export async function signInCallback({
+  user,
+  account,
+}: {
+  user: User | any;
+  account: Account | null;
+}): Promise<boolean | string> {
+  // Only handle OAuth providers (credentials flow handles 2FA separately)
+  if (!account?.provider || account.provider === 'credentials') {
+    return true;
+  }
+  // Check if OAuth user needs 2FA redirect
+  const token = user as any;
+  if (token?.requiresTwoFactorRedirect) {
+    // Preserve the original callback URL through 2FA flow
+    const originalCallbackUrl = (account as any)?.callbackUrl || '/';
+    // Don't redirect back to auth pages after 2FA
+    const safeCallbackUrl = originalCallbackUrl.startsWith('/account-auth/')
+      ? '/'
+      : originalCallbackUrl;
+    const encodedCallback = encodeURIComponent(safeCallbackUrl);
+    // Return redirect URL - NextAuth will redirect here instead of completing sign-in
+    return `/account-auth/verify-code?callbackUrl=${encodedCallback}`;
+  }
+  return true;
+}

package/src/auth/events/index.ts ADDED Viewed

@@ -0,0 +1,5 @@
+/**
+ * Auth Events - Public Exports
+ */
+export { handleSignOut } from './signout';