@payez/next-mvp 3.1.0 → 3.2.1

package/dist/auth/providers/credentials.js

@@ -1,223 +1,223 @@
-"use strict";
-/**
- * Credentials Provider
- *
- * Handles email/password authentication via PayEz IDP.
- * Creates Redis session and returns minimal user object to NextAuth.
- *
- * FLOW:
- * 1. User submits email/password
- * 2. We call IDP /api/ExternalAuth/login
- * 3. IDP returns tokens if credentials valid
- * 4. We create Redis session with tokens
- * 5. Return user object with redisSessionId to NextAuth
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createCredentialsProvider = createCredentialsProvider;
-const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
-const session_store_1 = require("../../lib/session-store");
-const idp_client_1 = require("../utils/idp-client");
-const token_utils_1 = require("../utils/token-utils");
-const auth_types_1 = require("../types/auth-types");
-// NOTE: Using any for sessionData until Phase 3 normalizes types
-// ============================================================================
-// CREDENTIALS PROVIDER
-// ============================================================================
-/**
- * Create the CredentialsProvider for NextAuth.
- *
- * This provider handles email/password login. The authorize function
- * is called when a user submits the login form.
- */
-function createCredentialsProvider() {
-    return (0, credentials_1.default)({
-        id: 'credentials',
-        name: 'Credentials',
-        credentials: {
-            email: { label: 'Email', type: 'email' },
-            password: { label: 'Password', type: 'password' },
-        },
-        authorize: authorizeCredentials,
-    });
-}
-/**
- * Authorize user with email/password.
- *
- * This is the core authentication function. It:
- * 1. Validates credentials with IDP
- * 2. Decodes the returned tokens
- * 3. Creates a Redis session
- * 4. Returns user info for NextAuth JWT
- *
- * @param credentials - Email and password from login form
- * @param req - The incoming request (for IP/UA forwarding)
- * @returns User object for NextAuth, or null/throws on failure
- */
-async function authorizeCredentials(credentials, req) {
-    // -------------------------------------------------------------------------
-    // Validate Input
-    // -------------------------------------------------------------------------
-    if (!credentials?.email || !credentials?.password) {
-        throw new Error('Email and password required');
-    }
-    const loginCredentials = {
-        email: credentials.email,
-        password: credentials.password,
-    };
-    // Extract client info for audit logging
-    const clientHeaders = extractClientHeaders(req);
-    // -------------------------------------------------------------------------
-    // Call IDP
-    // -------------------------------------------------------------------------
-    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
-    if (!loginResult.success || !loginResult.result) {
-        // Build structured error for frontend
-        const errorResponse = buildAuthError(loginResult.error);
-        throw new Error(JSON.stringify(errorResponse));
-    }
-    const { access_token, refresh_token, user: idpUser } = loginResult.result;
-    // -------------------------------------------------------------------------
-    // Decode Token
-    // -------------------------------------------------------------------------
-    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
-    if (!decoded) {
-        throw new Error('Failed to decode token');
-    }
-    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
-    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
-    if (bearerKeyId) {
-        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
-    }
-    else {
-        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
-    }
-    // Extract claims from token
-    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
-    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
-    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
-    const acrLevel = decoded.acr || '1';
-    const userId = decoded.sub;
-    // Check if 2FA is complete based on ACR level
-    // ACR=1: Provisional token (requires 2FA)
-    // ACR=2: Full authentication (2FA complete)
-    const mfaVerified = acrLevel === '2';
-    // Decode refresh token expiry if available
-    let refreshTokenExpires;
-    try {
-        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
-        if (refreshDecoded?.exp) {
-            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
-        }
-    }
-    catch {
-        // Ignore - will use default expiry
-    }
-    // -------------------------------------------------------------------------
-    // Create Redis Session
-    // -------------------------------------------------------------------------
-    // Using normalized field names (session-store handles backward compatibility)
-    const sessionData = {
-        userId,
-        email,
-        roles,
-        // IDP tokens (normalized names)
-        idpAccessToken: access_token,
-        idpRefreshToken: refresh_token,
-        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
-        idpRefreshTokenExpires: refreshTokenExpires,
-        decodedAccessToken: decoded,
-        // Bearer key ID from JWT header (NOT client_id from payload)
-        bearerKeyId,
-        // MFA state (normalized names)
-        mfaVerified,
-        authenticationMethods: amrClaims,
-        authenticationLevel: acrLevel,
-        // MFA timing info from token
-        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
-        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
-        mfaValidityHours: decoded.mfa_validity_hours,
-    };
-    // Determine MFA method from IDP user info
-    let mfaMethod;
-    if (idpUser?.isEmailConfirmed) {
-        mfaMethod = 'email';
-    }
-    else if (idpUser?.isSmsConfirmed) {
-        mfaMethod = 'sms';
-    }
-    if (mfaMethod) {
-        sessionData.mfaMethod = mfaMethod;
-    }
-    // Create the Redis session
-    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
-    // -------------------------------------------------------------------------
-    // Return User Object for NextAuth
-    // -------------------------------------------------------------------------
-    // NextAuth requires 'id' field - we use userId from IDP
-    // The redisSessionId is passed through to the JWT callback
-    return {
-        id: userId,
-        email,
-        roles,
-        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
-        mfaRequired: !mfaVerified,
-        mfaMethod,
-    };
-}
-// ============================================================================
-// HELPER FUNCTIONS
-// ============================================================================
-/**
- * Extract client headers from request for audit logging.
- */
-function extractClientHeaders(req) {
-    const headers = {};
-    // Extract client IP
-    const forwardedFor = req?.headers?.['x-forwarded-for'];
-    const realIp = req?.headers?.['x-real-ip'];
-    if (forwardedFor) {
-        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
-        headers.ip = ip;
-    }
-    else if (realIp) {
-        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
-    }
-    // Extract User-Agent
-    const userAgent = req?.headers?.['user-agent'];
-    if (userAgent) {
-        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
-    }
-    return headers;
-}
-/**
- * Build structured error response for frontend.
- *
- * The frontend expects a specific error structure to display
- * appropriate messages and handle things like lockout.
- */
-function buildAuthError(error) {
-    if (!error) {
-        return {
-            success: false,
-            error: {
-                code: 'AUTH_ERROR',
-                message: 'Authentication failed',
-                details: {},
-            },
-        };
-    }
-    return {
-        success: false,
-        error: {
-            code: error.code || 'AUTH_ERROR',
-            message: error.message || 'Authentication failed',
-            details: error.details || {},
-        },
-    };
-}
+"use strict";
+/**
+ * Credentials Provider
+ *
+ * Handles email/password authentication via PayEz IDP.
+ * Creates Redis session and returns minimal user object to NextAuth.
+ *
+ * FLOW:
+ * 1. User submits email/password
+ * 2. We call IDP /api/ExternalAuth/login
+ * 3. IDP returns tokens if credentials valid
+ * 4. We create Redis session with tokens
+ * 5. Return user object with redisSessionId to NextAuth
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCredentialsProvider = createCredentialsProvider;
+const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
+const session_store_1 = require("../../lib/session-store");
+const idp_client_1 = require("../utils/idp-client");
+const token_utils_1 = require("../utils/token-utils");
+const auth_types_1 = require("../types/auth-types");
+// NOTE: Using any for sessionData until Phase 3 normalizes types
+// ============================================================================
+// CREDENTIALS PROVIDER
+// ============================================================================
+/**
+ * Create the CredentialsProvider for NextAuth.
+ *
+ * This provider handles email/password login. The authorize function
+ * is called when a user submits the login form.
+ */
+function createCredentialsProvider() {
+    return (0, credentials_1.default)({
+        id: 'credentials',
+        name: 'Credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        authorize: authorizeCredentials,
+    });
+}
+/**
+ * Authorize user with email/password.
+ *
+ * This is the core authentication function. It:
+ * 1. Validates credentials with IDP
+ * 2. Decodes the returned tokens
+ * 3. Creates a Redis session
+ * 4. Returns user info for NextAuth JWT
+ *
+ * @param credentials - Email and password from login form
+ * @param req - The incoming request (for IP/UA forwarding)
+ * @returns User object for NextAuth, or null/throws on failure
+ */
+async function authorizeCredentials(credentials, req) {
+    // -------------------------------------------------------------------------
+    // Validate Input
+    // -------------------------------------------------------------------------
+    if (!credentials?.email || !credentials?.password) {
+        throw new Error('Email and password required');
+    }
+    const loginCredentials = {
+        email: credentials.email,
+        password: credentials.password,
+    };
+    // Extract client info for audit logging
+    const clientHeaders = extractClientHeaders(req);
+    // -------------------------------------------------------------------------
+    // Call IDP
+    // -------------------------------------------------------------------------
+    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
+    if (!loginResult.success || !loginResult.result) {
+        // Build structured error for frontend
+        const errorResponse = buildAuthError(loginResult.error);
+        throw new Error(JSON.stringify(errorResponse));
+    }
+    const { access_token, refresh_token, user: idpUser } = loginResult.result;
+    // -------------------------------------------------------------------------
+    // Decode Token
+    // -------------------------------------------------------------------------
+    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
+    if (!decoded) {
+        throw new Error('Failed to decode token');
+    }
+    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
+    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
+    if (bearerKeyId) {
+        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
+    }
+    else {
+        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
+    }
+    // Extract claims from token
+    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
+    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
+    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
+    const acrLevel = decoded.acr || '1';
+    const userId = decoded.sub;
+    // Check if 2FA is complete based on ACR level
+    // ACR=1: Provisional token (requires 2FA)
+    // ACR=2: Full authentication (2FA complete)
+    const mfaVerified = acrLevel === '2';
+    // Decode refresh token expiry if available
+    let refreshTokenExpires;
+    try {
+        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
+        if (refreshDecoded?.exp) {
+            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
+        }
+    }
+    catch {
+        // Ignore - will use default expiry
+    }
+    // -------------------------------------------------------------------------
+    // Create Redis Session
+    // -------------------------------------------------------------------------
+    // Using normalized field names (session-store handles backward compatibility)
+    const sessionData = {
+        userId,
+        email,
+        roles,
+        // IDP tokens (normalized names)
+        idpAccessToken: access_token,
+        idpRefreshToken: refresh_token,
+        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
+        idpRefreshTokenExpires: refreshTokenExpires,
+        decodedAccessToken: decoded,
+        // Bearer key ID from JWT header (NOT client_id from payload)
+        bearerKeyId,
+        // MFA state (normalized names)
+        mfaVerified,
+        authenticationMethods: amrClaims,
+        authenticationLevel: acrLevel,
+        // MFA timing info from token
+        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
+        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
+        mfaValidityHours: decoded.mfa_validity_hours,
+    };
+    // Determine MFA method from IDP user info
+    let mfaMethod;
+    if (idpUser?.isEmailConfirmed) {
+        mfaMethod = 'email';
+    }
+    else if (idpUser?.isSmsConfirmed) {
+        mfaMethod = 'sms';
+    }
+    if (mfaMethod) {
+        sessionData.mfaMethod = mfaMethod;
+    }
+    // Create the Redis session
+    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
+    // -------------------------------------------------------------------------
+    // Return User Object for NextAuth
+    // -------------------------------------------------------------------------
+    // NextAuth requires 'id' field - we use userId from IDP
+    // The redisSessionId is passed through to the JWT callback
+    return {
+        id: userId,
+        email,
+        roles,
+        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
+        mfaRequired: !mfaVerified,
+        mfaMethod,
+    };
+}
+// ============================================================================
+// HELPER FUNCTIONS
+// ============================================================================
+/**
+ * Extract client headers from request for audit logging.
+ */
+function extractClientHeaders(req) {
+    const headers = {};
+    // Extract client IP
+    const forwardedFor = req?.headers?.['x-forwarded-for'];
+    const realIp = req?.headers?.['x-real-ip'];
+    if (forwardedFor) {
+        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
+        headers.ip = ip;
+    }
+    else if (realIp) {
+        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
+    }
+    // Extract User-Agent
+    const userAgent = req?.headers?.['user-agent'];
+    if (userAgent) {
+        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
+    }
+    return headers;
+}
+/**
+ * Build structured error response for frontend.
+ *
+ * The frontend expects a specific error structure to display
+ * appropriate messages and handle things like lockout.
+ */
+function buildAuthError(error) {
+    if (!error) {
+        return {
+            success: false,
+            error: {
+                code: 'AUTH_ERROR',
+                message: 'Authentication failed',
+                details: {},
+            },
+        };
+    }
+    return {
+        success: false,
+        error: {
+            code: error.code || 'AUTH_ERROR',
+            message: error.message || 'Authentication failed',
+            details: error.details || {},
+        },
+    };
+}

package/dist/lib/idp-client-config.js

@@ -120,7 +120,8 @@ async function getIDPClientConfig(forceRefresh = false) {
             }
             // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from cached config
             // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
-            if (redisConfig.baseClientUrl) {
+            // Only set if not already defined (allows deployment override for beta/staging)
+            if (redisConfig.baseClientUrl && !process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL) {
                 process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = redisConfig.baseClientUrl;
             }
             return redisConfig;
@@ -152,7 +153,8 @@ async function getIDPClientConfig(forceRefresh = false) {
         }
         // Set IDENTITY_CLIENT_BASE_EXTERNAL_URL from config
         // AUTH_TRUST_HOST=true tells NextAuth to derive OAuth callback URLs from headers.
-        if (config.baseClientUrl) {
+        // Only set if not already defined (allows deployment override for beta/staging)
+        if (config.baseClientUrl && !process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL) {
             process.env.IDENTITY_CLIENT_BASE_EXTERNAL_URL = config.baseClientUrl;
             console.log("[IDP_CONFIG] Set IDENTITY_CLIENT_BASE_EXTERNAL_URL:", config.baseClientUrl);
         }

package/dist/middleware/create-middleware.js

@@ -359,10 +359,16 @@ async function executeDecision(request, decision, pathname, sessionPointer, sess
             return handleRefresh(request, safeCallback, opts);
     }
 }
+/** Paths that must never be RBAC-checked (they are RBAC redirect targets) */
+const RBAC_EXEMPT_PATHS = ['/error', '/unauthorized', '/service-unavailable'];
 /** Handle 'allow' decision - run RBAC if enabled */
 async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
     const isPublic = (0, route_config_1.isUnauthenticatedRoute)(pathname);
     if ((0, rbac_check_1.isRBACEnabled)() && !isPublic) {
+        // Skip RBAC for error/fallback pages to prevent redirect loops
+        if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
+            return server_1.NextResponse.next();
+        }
         if (!sessionPointer.clientId) {
             console.error('[MIDDLEWARE] RBAC: No clientId');
             return server_1.NextResponse.redirect(new URL('/error?code=no_client_id', request.url));
@@ -371,6 +377,11 @@ async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
             const result = await (0, rbac_check_1.checkPagePermission)(pathname, sessionPointer.roles, sessionPointer.clientId);
             if (!result.allowed) {
                 console.log('[MIDDLEWARE] RBAC denied:', { pathname, reason: result.reason });
+                // In development, fail open - RBAC API may not be fully configured
+                if (process.env.NODE_ENV !== 'production') {
+                    console.warn('[MIDDLEWARE] RBAC: Allowing in development despite denial:', result.reason);
+                    return server_1.NextResponse.next();
+                }
                 return server_1.NextResponse.redirect(new URL(result.redirect || '/unauthorized', request.url));
             }
             if (result.requires_2fa && !sessionStatus.twoFactorComplete) {
@@ -379,6 +390,11 @@ async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
         }
         catch (error) {
             console.error('[MIDDLEWARE] RBAC error:', error);
+            // In development, fail open
+            if (process.env.NODE_ENV !== 'production') {
+                console.warn('[MIDDLEWARE] RBAC: Allowing in development despite error');
+                return server_1.NextResponse.next();
+            }
             return server_1.NextResponse.redirect(new URL('/error?code=rbac_error', request.url));
         }
     }

package/dist/middleware/rbac-check.d.ts

@@ -1,11 +1,14 @@
 /**
  * Page RBAC Check Module
  *
- * Checks page-level permissions via Vibe API.
+ * Checks page-level permissions via Vibe API through the IDP Proxy.
  * Uses in-memory cache to reduce API calls.
  * Fails closed (DENY) on errors or timeout.
  *
- * @version 1.0.0
+ * All requests route through the IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy)
+ * which injects proper HMAC credentials for the Vibe API.
+ *
+ * @version 2.0.0
  * @since page-rbac-2026-01
  */
 export interface RBACResult {
@@ -29,11 +32,15 @@ export declare function clearRBACCache(): void;
 /**
  * Check if user has permission to access a page.
  *
- * FAIL CLOSED: If Vibe API is unreachable or times out, access is DENIED.
+ * Routes through IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy) which injects
+ * proper HMAC credentials. The Vibe RBAC endpoint requires client context
+ * that only the proxy can provide.
+ *
+ * FAIL CLOSED: If proxy is unreachable or times out, access is DENIED.
  *
  * @param path - The route path to check
  * @param userRoles - User's roles from session
- * @param clientId - Client ID for multi-tenancy
+ * @param clientId - Client slug for multi-tenancy
  * @param userClaims - Optional claims for claim-based authorization
  * @returns RBAC result with allowed/denied status
  */