@payez/next-mvp 3.2.2 → 3.3.0

package/dist/api-handlers/admin/analytics.js

@@ -81,9 +81,9 @@ async function vibeServiceRequest(endpoint, options) {
         .update(stringToSign)
         .digest('base64');
     const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-    // Get the numeric client ID from startup config for multi-client admin support
+    // Get the client slug from startup config for multi-client admin support
     const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
-    const numericClientId = idpConfig?.clientId;
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
     try {
         const res = await fetch(proxyUrl, {
             method: 'POST',
@@ -92,7 +92,7 @@ async function vibeServiceRequest(endpoint, options) {
                 'X-Vibe-Client-Id': clientId,
                 'X-Vibe-Timestamp': String(timestamp),
                 'X-Vibe-Signature': signature,
-                ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
             },
             body: JSON.stringify({
                 endpoint,

package/dist/api-handlers/admin/audit.js

@@ -80,9 +80,9 @@ async function vibeServiceRequest(endpoint, options) {
         .update(stringToSign)
         .digest('base64');
     const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-    // Get the numeric client ID from startup config for multi-client admin support
+    // Get the client slug from startup config for multi-client admin support
     const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
-    const numericClientId = idpConfig?.clientId;
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
     try {
         const res = await fetch(proxyUrl, {
             method: 'POST',
@@ -91,7 +91,7 @@ async function vibeServiceRequest(endpoint, options) {
                 'X-Vibe-Client-Id': clientId,
                 'X-Vibe-Timestamp': String(timestamp),
                 'X-Vibe-Signature': signature,
-                ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
             },
             body: JSON.stringify({
                 endpoint,

package/dist/api-handlers/admin/sessions.js

@@ -87,9 +87,9 @@ async function vibeServiceRequest(endpoint, options) {
         .update(stringToSign)
         .digest('base64');
     const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-    // Get the numeric client ID from startup config for multi-client admin support
+    // Get the client slug from startup config for multi-client admin support
     const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
-    const numericClientId = idpConfig?.clientId;
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
     try {
         const res = await fetch(proxyUrl, {
             method: 'POST',
@@ -98,7 +98,7 @@ async function vibeServiceRequest(endpoint, options) {
                 'X-Vibe-Client-Id': clientId,
                 'X-Vibe-Timestamp': String(timestamp),
                 'X-Vibe-Signature': signature,
-                ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
             },
             body: JSON.stringify({
                 endpoint,

package/dist/api-handlers/admin/users.js

@@ -80,9 +80,9 @@ async function vibeServiceRequest(endpoint, options) {
         .update(stringToSign)
         .digest('base64');
     const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-    // Get the numeric client ID from startup config for multi-client admin support
+    // Get the client slug from startup config for multi-client admin support
     const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
-    const numericClientId = idpConfig?.clientId;
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
     try {
         const res = await fetch(proxyUrl, {
             method: 'POST',
@@ -91,7 +91,7 @@ async function vibeServiceRequest(endpoint, options) {
                 'X-Vibe-Client-Id': clientId,
                 'X-Vibe-Timestamp': String(timestamp),
                 'X-Vibe-Signature': signature,
-                ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
             },
             body: JSON.stringify({
                 endpoint,

package/dist/api-handlers/admin/vibe-data.js

@@ -95,9 +95,9 @@ async function vibeServiceRequest(endpoint, options) {
         .update(stringToSign)
         .digest('base64');
     const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-    // Get the numeric client ID from startup config for multi-client admin support
+    // Get the client slug from startup config for multi-client admin support
     const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
-    const numericClientId = idpConfig?.clientId;
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
     try {
         const res = await fetch(proxyUrl, {
             method: 'POST',
@@ -107,7 +107,7 @@ async function vibeServiceRequest(endpoint, options) {
                 'X-Vibe-Timestamp': String(timestamp),
                 'X-Vibe-Signature': signature,
                 // For multi-client admins: specify which client context to use
-                ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
             },
             body: JSON.stringify({
                 endpoint,

package/dist/lib/idp-client-config.d.ts

@@ -45,7 +45,7 @@ export interface BrandingConfig {
     logoUrl?: string;
 }
 export interface IDPClientConfig {
-    clientId: number;
+    clientId: string;
     clientSlug: string;
     nextAuthSecret: string;
     configCacheTtlSeconds: number;

package/dist/lib/idp-client-config.js

@@ -282,7 +282,7 @@ async function fetchConfigFromIDP(idpUrl, clientIdStr) {
         }
         // Map response to our interface (IDP always returns snake_case)
         const config = {
-            clientId: typeof rawClientId === 'string' ? parseInt(rawClientId, 10) : rawClientId,
+            clientId: String(rawClientId),
             clientSlug: configData.clientSlug ?? configData.client_slug ?? configData.slug ?? '',
             nextAuthSecret: configData.nextAuthSecret ?? configData.next_auth_secret ?? '',
             configCacheTtlSeconds: configData.configCacheTtlSeconds ?? configData.config_cache_ttl_seconds ?? 300,
@@ -330,7 +330,7 @@ async function fetchConfigFromIDP(idpUrl, clientIdStr) {
         console.log(`[IDP_CONFIG] Parsed baseClientUrl:`, config.baseClientUrl, `| raw keys:`, Object.keys(configData).filter(k => k.toLowerCase().includes('client')));
         // Validate we got what we need
         if (!config.clientId) {
-            throw new Error('[IDP_CONFIG] FATAL: clientId is 0 or missing after parsing');
+            throw new Error('[IDP_CONFIG] FATAL: clientId is empty or missing after parsing');
         }
         if (!config.nextAuthSecret) {
             throw new Error('[IDP_CONFIG] FATAL: nextAuthSecret is empty after parsing');

package/dist/lib/nextauth-secret.js

@@ -31,9 +31,6 @@ async function resolveNextAuthSecret() {
     const clientIdStr = process.env.CLIENT_ID;
     if (!clientIdStr || clientIdStr.trim() === '')
         throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
-    // Determine if clientId is numeric or string
-    const isNumeric = /^[0-9]+$/.test(clientIdStr);
-    const clientId = isNumeric ? parseInt(clientIdStr, 10) : clientIdStr;
     // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
     const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
     // Client ID passed via X-Client-Id header, not query string

package/dist/middleware/create-middleware.d.ts

@@ -96,5 +96,7 @@ export interface MvpMiddlewareOptions {
     onRefreshFailure?: (status: number, isNetworkError: boolean) => void;
     /** Additional paths to bypass middleware (beyond /api/auth/ and /api/session/) */
     bypassPaths?: string[];
+    /** Paths exempt from RBAC checks (auth still enforced, just no page-permission check) */
+    rbacExemptPaths?: string[];
 }
 export declare function createMvpMiddleware(options?: MvpMiddlewareOptions): (request: NextRequest) => Promise<NextResponse>;

package/dist/middleware/create-middleware.js

@@ -232,6 +232,7 @@ function createMvpMiddleware(options = {}) {
     const viabilityEndpoint = options.viabilityEndpoint || '/api/session/viability';
     const refreshEndpoint = options.refreshEndpoint || '/api/auth/refresh';
     const bypassPaths = options.bypassPaths || [];
+    const rbacExemptPaths = options.rbacExemptPaths || [];
     return async function middleware(request) {
         const { pathname, searchParams } = request.nextUrl;
         // =========================================================================
@@ -287,6 +288,7 @@ function createMvpMiddleware(options = {}) {
             circuitBreaker: cb,
             logger: log,
             refreshEndpoint,
+            rbacExemptPaths,
             onRefreshSuccess: options.onRefreshSuccess,
             onRefreshFailure: options.onRefreshFailure,
         });
@@ -351,7 +353,7 @@ async function executeDecision(request, decision, pathname, sessionPointer, sess
     const safeCallback = getSafeCallbackUrl(pathname);
     switch (decision.type) {
         case 'allow':
-            return handleAllow(request, pathname, sessionPointer, sessionStatus);
+            return handleAllow(request, pathname, sessionPointer, sessionStatus, opts.rbacExemptPaths);
         case 'redirect':
             return redirectTo(request, decision.location, decision.clearCookies);
         case 'service_error':
@@ -363,11 +365,12 @@ async function executeDecision(request, decision, pathname, sessionPointer, sess
 /** Paths that must never be RBAC-checked (they are RBAC redirect targets) */
 const RBAC_EXEMPT_PATHS = ['/error', '/unauthorized', '/service-unavailable'];
 /** Handle 'allow' decision - run RBAC if enabled */
-async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
+async function handleAllow(request, pathname, sessionPointer, sessionStatus, rbacExemptPaths = []) {
     const isPublic = (0, route_config_1.isUnauthenticatedRoute)(pathname);
     if ((0, rbac_check_1.isRBACEnabled)() && !isPublic && sessionPointer.exists) {
-        // Skip RBAC for error/fallback pages to prevent redirect loops
-        if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
+        // Skip RBAC for error/fallback pages (prevent redirect loops) and app-configured exempt paths
+        if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p)) ||
+            rbacExemptPaths.some(p => pathname.startsWith(p))) {
             return server_1.NextResponse.next();
         }
         if (!sessionPointer.clientId) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "3.2.2",
+  "version": "3.3.0",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/api-handlers/admin/analytics.ts

@@ -65,9 +65,9 @@ async function vibeServiceRequest<T = unknown>(
 
   const proxyUrl = `${idpUrl}/api/vibe/proxy`;
 
-  // Get the numeric client ID from startup config for multi-client admin support
+  // Get the client slug from startup config for multi-client admin support
   const idpConfig = getStartupIDPConfig();
-  const numericClientId = idpConfig?.clientId;
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
 
   try {
     const res = await fetch(proxyUrl, {
@@ -77,7 +77,7 @@ async function vibeServiceRequest<T = unknown>(
         'X-Vibe-Client-Id': clientId,
         'X-Vibe-Timestamp': String(timestamp),
         'X-Vibe-Signature': signature,
-        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
       },
       body: JSON.stringify({
         endpoint,

package/src/api-handlers/admin/audit.ts

@@ -64,9 +64,9 @@ async function vibeServiceRequest<T = unknown>(
 
   const proxyUrl = `${idpUrl}/api/vibe/proxy`;
 
-  // Get the numeric client ID from startup config for multi-client admin support
+  // Get the client slug from startup config for multi-client admin support
   const idpConfig = getStartupIDPConfig();
-  const numericClientId = idpConfig?.clientId;
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
 
   try {
     const res = await fetch(proxyUrl, {
@@ -76,7 +76,7 @@ async function vibeServiceRequest<T = unknown>(
         'X-Vibe-Client-Id': clientId,
         'X-Vibe-Timestamp': String(timestamp),
         'X-Vibe-Signature': signature,
-        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
       },
       body: JSON.stringify({
         endpoint,

package/src/api-handlers/admin/sessions.ts

@@ -77,9 +77,9 @@ async function vibeServiceRequest<T = unknown>(
 
   const proxyUrl = `${idpUrl}/api/vibe/proxy`;
 
-  // Get the numeric client ID from startup config for multi-client admin support
+  // Get the client slug from startup config for multi-client admin support
   const idpConfig = getStartupIDPConfig();
-  const numericClientId = idpConfig?.clientId;
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
 
   try {
     const res = await fetch(proxyUrl, {
@@ -89,7 +89,7 @@ async function vibeServiceRequest<T = unknown>(
         'X-Vibe-Client-Id': clientId,
         'X-Vibe-Timestamp': String(timestamp),
         'X-Vibe-Signature': signature,
-        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
       },
       body: JSON.stringify({
         endpoint,

package/src/api-handlers/admin/users.ts

@@ -64,9 +64,9 @@ async function vibeServiceRequest<T = unknown>(
 
   const proxyUrl = `${idpUrl}/api/vibe/proxy`;
 
-  // Get the numeric client ID from startup config for multi-client admin support
+  // Get the client slug from startup config for multi-client admin support
   const idpConfig = getStartupIDPConfig();
-  const numericClientId = idpConfig?.clientId;
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
 
   try {
     const res = await fetch(proxyUrl, {
@@ -76,7 +76,7 @@ async function vibeServiceRequest<T = unknown>(
         'X-Vibe-Client-Id': clientId,
         'X-Vibe-Timestamp': String(timestamp),
         'X-Vibe-Signature': signature,
-        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
       },
       body: JSON.stringify({
         endpoint,

package/src/api-handlers/admin/vibe-data.ts

@@ -79,9 +79,9 @@ async function vibeServiceRequest<T = unknown>(
 
   const proxyUrl = `${idpUrl}/api/vibe/proxy`;
 
-  // Get the numeric client ID from startup config for multi-client admin support
+  // Get the client slug from startup config for multi-client admin support
   const idpConfig = getStartupIDPConfig();
-  const numericClientId = idpConfig?.clientId;
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
 
   try {
     const res = await fetch(proxyUrl, {
@@ -92,7 +92,7 @@ async function vibeServiceRequest<T = unknown>(
         'X-Vibe-Timestamp': String(timestamp),
         'X-Vibe-Signature': signature,
         // For multi-client admins: specify which client context to use
-        ...(numericClientId && { 'X-Client-Id': String(numericClientId) }),
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
       },
       body: JSON.stringify({
         endpoint,

package/src/lib/idp-client-config.ts

@@ -56,7 +56,7 @@ export interface BrandingConfig {
 }
 
 export interface IDPClientConfig {
-    clientId: number;
+    clientId: string;
     clientSlug: string;
     nextAuthSecret: string;
     configCacheTtlSeconds: number;
@@ -371,7 +371,7 @@ async function fetchConfigFromIDP(idpUrl: string, clientIdStr: string): Promise<
 
     // Map response to our interface (IDP always returns snake_case)
     const config: IDPClientConfig = {
-        clientId: typeof rawClientId === 'string' ? parseInt(rawClientId, 10) : rawClientId,
+        clientId: String(rawClientId),
         clientSlug: configData.clientSlug ?? configData.client_slug ?? configData.slug ?? '',
         nextAuthSecret: configData.nextAuthSecret ?? configData.next_auth_secret ?? '',
         configCacheTtlSeconds: configData.configCacheTtlSeconds ?? configData.config_cache_ttl_seconds ?? 300,
@@ -420,7 +420,7 @@ async function fetchConfigFromIDP(idpUrl: string, clientIdStr: string): Promise<
 
     // Validate we got what we need
     if (!config.clientId) {
-        throw new Error('[IDP_CONFIG] FATAL: clientId is 0 or missing after parsing');
+        throw new Error('[IDP_CONFIG] FATAL: clientId is empty or missing after parsing');
     }
     if (!config.nextAuthSecret) {
         throw new Error('[IDP_CONFIG] FATAL: nextAuthSecret is empty after parsing');

package/src/lib/nextauth-secret.ts

@@ -32,10 +32,6 @@ export async function resolveNextAuthSecret(): Promise<string> {
   const clientIdStr = process.env.CLIENT_ID;
   if (!clientIdStr || clientIdStr.trim() === '') throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
 
-  // Determine if clientId is numeric or string
-  const isNumeric = /^[0-9]+$/.test(clientIdStr);
-  const clientId = isNumeric ? parseInt(clientIdStr, 10) : clientIdStr;
-
   // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
 
   const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);

package/src/middleware/create-middleware.ts

@@ -108,6 +108,8 @@ export interface MvpMiddlewareOptions {
   onRefreshFailure?: (status: number, isNetworkError: boolean) => void;
   /** Additional paths to bypass middleware (beyond /api/auth/ and /api/session/) */
   bypassPaths?: string[];
+  /** Paths exempt from RBAC checks (auth still enforced, just no page-permission check) */
+  rbacExemptPaths?: string[];
 }
 
 // =============================================================================
@@ -336,6 +338,7 @@ export function createMvpMiddleware(options: MvpMiddlewareOptions = {}) {
   const viabilityEndpoint = options.viabilityEndpoint || '/api/session/viability';
   const refreshEndpoint = options.refreshEndpoint || '/api/auth/refresh';
   const bypassPaths = options.bypassPaths || [];
+  const rbacExemptPaths = options.rbacExemptPaths || [];
 
   return async function middleware(request: NextRequest): Promise<NextResponse> {
     const { pathname, searchParams } = request.nextUrl;
@@ -400,6 +403,7 @@ export function createMvpMiddleware(options: MvpMiddlewareOptions = {}) {
       circuitBreaker: cb,
       logger: log,
       refreshEndpoint,
+      rbacExemptPaths,
       onRefreshSuccess: options.onRefreshSuccess,
       onRefreshFailure: options.onRefreshFailure,
     });
@@ -474,6 +478,7 @@ interface ExecuteOptions {
   circuitBreaker: CircuitBreakerProvider;
   logger: MiddlewareLogger;
   refreshEndpoint: string;
+  rbacExemptPaths: string[];
   onRefreshSuccess?: () => void;
   onRefreshFailure?: (status: number, isNetworkError: boolean) => void;
 }
@@ -491,7 +496,7 @@ async function executeDecision(
 
   switch (decision.type) {
     case 'allow':
-      return handleAllow(request, pathname, sessionPointer, sessionStatus);
+      return handleAllow(request, pathname, sessionPointer, sessionStatus, opts.rbacExemptPaths);
 
     case 'redirect':
       return redirectTo(request, decision.location, decision.clearCookies);
@@ -512,13 +517,15 @@ async function handleAllow(
   request: NextRequest,
   pathname: string,
   sessionPointer: SessionPointer,
-  sessionStatus: SessionStatus
+  sessionStatus: SessionStatus,
+  rbacExemptPaths: string[] = []
 ): Promise<NextResponse> {
   const isPublic = isUnauthenticatedRoute(pathname);
 
   if (isRBACEnabled() && !isPublic && sessionPointer.exists) {
-    // Skip RBAC for error/fallback pages to prevent redirect loops
-    if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
+    // Skip RBAC for error/fallback pages (prevent redirect loops) and app-configured exempt paths
+    if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p)) ||
+        rbacExemptPaths.some(p => pathname.startsWith(p))) {
       return NextResponse.next();
     }