@payez/next-mvp 3.0.0

package/dist/api-handlers/anon/preferences.js

@@ -0,0 +1,96 @@
+"use strict";
+/**
+ * Anonymous Session Preferences API Handler
+ *
+ * GET /api/anon/preferences - Get current preferences
+ * POST /api/anon/preferences - Update preferences
+ *
+ * Sets a cookie to track anonymous visitors and stores preferences in Redis.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+exports.POST = POST;
+const server_1 = require("next/server");
+const headers_1 = require("next/headers");
+const anon_session_1 = require("../../lib/anon-session");
+const COOKIE_MAX_AGE = 90 * 24 * 60 * 60; // 90 days in seconds
+/**
+ * GET handler - retrieves anonymous session preferences
+ */
+async function GET(request) {
+    try {
+        const cookieStore = await (0, headers_1.cookies)();
+        let anonId = cookieStore.get(anon_session_1.ANON_COOKIE_NAME)?.value;
+        // Get or create session
+        const session = await (0, anon_session_1.getOrCreateAnonSession)(anonId);
+        // Build response
+        const response = server_1.NextResponse.json({
+            success: true,
+            data: {
+                id: session.id,
+                preferences: session.preferences,
+                metrics: session.metrics,
+            },
+        });
+        // Set cookie if it's a new session
+        if (!anonId || anonId !== session.id) {
+            response.cookies.set(anon_session_1.ANON_COOKIE_NAME, session.id, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === 'production',
+                sameSite: 'lax',
+                maxAge: COOKIE_MAX_AGE,
+                path: '/',
+            });
+        }
+        return response;
+    }
+    catch (error) {
+        console.error('[ANON-PREFERENCES] GET error:', error);
+        return server_1.NextResponse.json({ success: false, error: 'Failed to get preferences' }, { status: 500 });
+    }
+}
+/**
+ * POST handler - updates anonymous session preferences
+ */
+async function POST(request) {
+    try {
+        const cookieStore = await (0, headers_1.cookies)();
+        let anonId = cookieStore.get(anon_session_1.ANON_COOKIE_NAME)?.value;
+        // Get or create session first
+        const session = await (0, anon_session_1.getOrCreateAnonSession)(anonId);
+        anonId = session.id;
+        // Parse body for preferences to update
+        const body = await request.json();
+        const preferences = body.preferences || body;
+        // Validate preferences
+        if (typeof preferences !== 'object') {
+            return server_1.NextResponse.json({ success: false, error: 'Invalid preferences format' }, { status: 400 });
+        }
+        // Update preferences
+        const updatedSession = await (0, anon_session_1.updateAnonPreferences)(anonId, preferences);
+        if (!updatedSession) {
+            return server_1.NextResponse.json({ success: false, error: 'Session not found' }, { status: 404 });
+        }
+        // Build response
+        const response = server_1.NextResponse.json({
+            success: true,
+            data: {
+                id: updatedSession.id,
+                preferences: updatedSession.preferences,
+            },
+        });
+        // Ensure cookie is set
+        response.cookies.set(anon_session_1.ANON_COOKIE_NAME, anonId, {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'lax',
+            maxAge: COOKIE_MAX_AGE,
+            path: '/',
+        });
+        return response;
+    }
+    catch (error) {
+        console.error('[ANON-PREFERENCES] POST error:', error);
+        return server_1.NextResponse.json({ success: false, error: 'Failed to update preferences' }, { status: 500 });
+    }
+}

package/dist/api-handlers/auth/jwks.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function GET(_req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/auth/jwks.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const env_1 = require("../../config/env");
+const logger_1 = require("../../config/logger");
+async function GET(_req) {
+    try {
+        const url = `${env_1.ENV_CONFIG.IDP_URL}${env_1.API_ENDPOINTS.externalAuth.jwks}`;
+        const res = await fetch(url, { headers: { 'Accept': 'application/json' } });
+        const bodyText = await res.text();
+        try {
+            const json = JSON.parse(bodyText);
+            return server_1.NextResponse.json(json, { status: res.status });
+        }
+        catch (e) {
+            logger_1.logger.error('[AUTH_JWKS] Upstream returned non-JSON', { status: res.status, bodyText: bodyText?.slice(0, 200) });
+            return server_1.NextResponse.json({ error: 'Invalid JWKS response' }, { status: 502 });
+        }
+    }
+    catch (error) {
+        return server_1.NextResponse.json({ error: 'Failed to fetch JWKS' }, { status: 502 });
+    }
+}

package/dist/api-handlers/auth/login.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Authentication Login API Handler
+ *
+ * Handles user authentication against the external IDP service.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+interface LoginConfig {
+    idpBaseUrl: string;
+    clientId: string;
+    loginEndpoint?: string;
+    clientType?: string;
+}
+/**
+ * Creates a login handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/login/route.ts
+ * import { createLoginHandler } from '@payez/next-mvp/api-handlers/auth/login';
+ *
+ * export const POST = createLoginHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   loginEndpoint: '/api/ExternalAuth/login'
+ * });
+ * ```
+ */
+export declare function createLoginHandler(config: LoginConfig): (req: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<unknown>>;
+export {};

package/dist/api-handlers/auth/login.js

@@ -0,0 +1,178 @@
+"use strict";
+/**
+ * Authentication Login API Handler
+ *
+ * Handles user authentication against the external IDP service.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createLoginHandler = createLoginHandler;
+const server_1 = require("next/server");
+// Add protection headers to all responses
+function addSecurityHeaders(response) {
+    // Content Security Policy - restrictive for auth endpoints
+    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
+    // Prevent clickjacking
+    response.headers.set('X-Frame-Options', 'DENY');
+    // Prevent MIME type sniffing
+    response.headers.set('X-Content-Type-Options', 'nosniff');
+    // Enable XSS protection
+    response.headers.set('X-XSS-Protection', '1; mode=block');
+    // Strict transport security for HTTPS
+    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+    // Referrer policy
+    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    // Permissions policy
+    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
+    // Cache control for sensitive auth endpoints
+    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    response.headers.set('Pragma', 'no-cache');
+    response.headers.set('Expires', '0');
+    return response;
+}
+/**
+ * Creates a login handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/login/route.ts
+ * import { createLoginHandler } from '@payez/next-mvp/api-handlers/auth/login';
+ *
+ * export const POST = createLoginHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   loginEndpoint: '/api/ExternalAuth/login'
+ * });
+ * ```
+ */
+function createLoginHandler(config) {
+    const { idpBaseUrl, clientId, loginEndpoint = '/api/ExternalAuth/login', clientType = 'partner' } = config;
+    return async function POST(req) {
+        let body;
+        try {
+            body = await req.json();
+        }
+        catch (parseError) {
+            return server_1.NextResponse.json({ error: 'Invalid JSON format' }, { status: 400 });
+        }
+        const { username_or_email, password, client_type, two_factor_code, two_factor_recovery_code } = body;
+        // Validate required fields
+        if (!username_or_email || typeof username_or_email !== 'string' || username_or_email.trim() === '') {
+            return server_1.NextResponse.json({ error: 'username_or_email is required' }, { status: 400 });
+        }
+        if (!password || typeof password !== 'string' || password.trim() === '') {
+            return server_1.NextResponse.json({ error: 'Password is required' }, { status: 400 });
+        }
+        const idpUrl = `${idpBaseUrl}${loginEndpoint}`;
+        const payload = {
+            username_or_email,
+            password,
+            client_id: clientId,
+            client_type: client_type || clientType // Use provided client_type or config default
+        };
+        // Add optional 2FA fields if provided
+        if (two_factor_code) {
+            payload.two_factor_code = two_factor_code;
+        }
+        if (two_factor_recovery_code) {
+            payload.two_factor_recovery_code = two_factor_recovery_code;
+        }
+        // Extract client headers for forwarding to IDP
+        const clientHeaders = {};
+        // Forward client IP if available
+        const clientIp = req.headers.get('x-forwarded-for') || req.headers.get('x-real-ip');
+        if (clientIp) {
+            clientHeaders['X-Forwarded-For'] = clientIp.split(',')[0].trim();
+        }
+        // Forward user agent if available
+        const userAgent = req.headers.get('user-agent');
+        if (userAgent) {
+            clientHeaders['User-Agent'] = userAgent;
+        }
+        const headers = {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            'Cookie': 'X-Device-Id=payez-PayEz-6c8201c35c1b44c9b2e823b36b95a718',
+            ...clientHeaders
+        };
+        try {
+            const backendResponse = await fetch(idpUrl, {
+                method: 'POST',
+                headers,
+                body: JSON.stringify(payload),
+            });
+            const rawText = await backendResponse.text();
+            let data;
+            try {
+                data = JSON.parse(rawText);
+            }
+            catch (jsonError) {
+                console.error('[LOGIN] IDP returned non-JSON response', {
+                    response: rawText,
+                    status: backendResponse.status
+                });
+                return server_1.NextResponse.json({ error: 'Invalid response from authentication service' }, { status: 502 });
+            }
+            if (!backendResponse.ok) {
+                // Handle rate limiting specifically
+                if (backendResponse.status === 429) {
+                    const retryAfter = backendResponse.headers.get('retry-after');
+                    const retryAfterSeconds = retryAfter ? parseInt(retryAfter) : 60;
+                    return addSecurityHeaders(server_1.NextResponse.json({
+                        success: false,
+                        error: 'RATE_LIMIT_EXCEEDED',
+                        message: 'Too many login attempts. Please try again later.',
+                        retryAfter: retryAfterSeconds
+                    }, { status: 429 }));
+                }
+                // Pass through error from IDP
+                console.error('[LOGIN] IDP service error', {
+                    status: backendResponse.status,
+                    error: data
+                });
+                return addSecurityHeaders(server_1.NextResponse.json(data, { status: backendResponse.status }));
+            }
+            if (!data.success) {
+                // IDP returned a canonical error envelope with HTTP 200
+                console.error('[LOGIN] IDP authentication failure', { error: data });
+                return addSecurityHeaders(server_1.NextResponse.json(data, { status: 200 }));
+            }
+            // Normalize response shape for NextAuth authorize()
+            const normalized = {
+                success: data?.success === true,
+                result: (data?.data && data?.data?.result) ? data.data.result : (data?.result ?? data),
+                // Preserve original payload for debugging/compatibility
+                original: data
+            };
+            return addSecurityHeaders(server_1.NextResponse.json(normalized));
+        }
+        catch (error) {
+            // Handle network and other errors
+            console.error('[LOGIN] FETCH FAILED:', {
+                error: error instanceof Error ? error.message : String(error),
+                idpUrl
+            });
+            if (error instanceof Error && error.message.includes('fetch')) {
+                return server_1.NextResponse.json({ error: 'Unable to connect to authentication service' }, { status: 503 });
+            }
+            return server_1.NextResponse.json({ error: 'An unexpected error occurred during login' }, { status: 500 });
+        }
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID
+ */
+exports.POST = createLoginHandler({
+    idpBaseUrl: process.env.IDP_URL,
+    clientId: process.env.CLIENT_ID || 'payez_default_client',
+    loginEndpoint: '/api/ExternalAuth/login'
+});

package/dist/api-handlers/auth/refresh.d.ts

@@ -0,0 +1,74 @@
+/**
+ * CRITICAL REFRESH TOKEN API HANDLER
+ *
+ * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
+ *
+ * This handler manages the server-side refresh token cycle with:
+ * - NextAuth JWT token extraction
+ * - Session token fallback for internal calls
+ * - PayEz IDP refresh token exchange
+ * - Session state updates with new tokens
+ * - Proper error handling and logging
+ * - Single-use semantics enforcement
+ *
+ * @version 2.0
+ */
+import { NextRequest, NextResponse } from 'next/server';
+interface RefreshConfig {
+    idpBaseUrl: string;
+    clientId: string;
+    nextAuthSecret: string;
+    refreshEndpoint?: string;
+}
+/**
+ * Creates a refresh token handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection and NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/refresh/route.ts
+ * import { createRefreshHandler } from '@payez/next-mvp/api-handlers/auth/refresh';
+ *
+ * export const POST = createRefreshHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
+ *   refreshEndpoint: '/api/ExternalAuth/refresh'
+ * });
+ * ```
+ */
+export declare function createRefreshHandler(config: RefreshConfig): (req: NextRequest) => Promise<NextResponse<{
+    error: string;
+    code: string;
+}> | NextResponse<{
+    error: any;
+    code: any;
+    discardToken: boolean;
+    retryable: boolean;
+    resolution: any;
+}> | NextResponse<{
+    refreshed: boolean;
+    accessTokenExpires: number;
+    hasRefreshToken: boolean;
+}>>;
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<{
+    error: string;
+    code: string;
+}> | NextResponse<{
+    error: any;
+    code: any;
+    discardToken: boolean;
+    retryable: boolean;
+    resolution: any;
+}> | NextResponse<{
+    refreshed: boolean;
+    accessTokenExpires: number;
+    hasRefreshToken: boolean;
+}>>;
+export {};