npm - @payez/next-mvp - Versions diffs - 3.4.0 → 3.5.0 - Mend

@payez/next-mvp 3.4.0 → 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/auth/callbacks/jwt.js +305 -305
package/dist/auth/providers/credentials.js +223 -223
package/dist/config/vibe-log-transport.d.ts +5 -3
package/dist/config/vibe-log-transport.js +14 -5
package/dist/server/auth-guard.d.ts +46 -0
package/dist/server/auth-guard.js +128 -0
package/dist/server/decode-session.d.ts +30 -0
package/dist/server/decode-session.js +78 -0
package/dist/server/slim-middleware.d.ts +23 -0
package/dist/server/slim-middleware.js +89 -0
package/dist/server/with-auth.d.ts +33 -0
package/dist/server/with-auth.js +59 -0
package/package.json +21 -1
package/src/config/vibe-log-transport.ts +17 -3
package/src/server/auth-guard.ts +170 -0
package/src/server/decode-session.ts +91 -0
package/src/server/slim-middleware.ts +117 -0
package/src/server/with-auth.ts +93 -0

package/dist/auth/providers/credentials.js CHANGED Viewed

@@ -1,223 +1,223 @@
-"use strict";
-/**
- * Credentials Provider
- *
- * Handles email/password authentication via PayEz IDP.
- * Creates Redis session and returns minimal user object to NextAuth.
- *
- * FLOW:
- * 1. User submits email/password
- * 2. We call IDP /api/ExternalAuth/login
- * 3. IDP returns tokens if credentials valid
- * 4. We create Redis session with tokens
- * 5. Return user object with redisSessionId to NextAuth
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createCredentialsProvider = createCredentialsProvider;
-const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
-const session_store_1 = require("../../lib/session-store");
-const idp_client_1 = require("../utils/idp-client");
-const token_utils_1 = require("../utils/token-utils");
-const auth_types_1 = require("../types/auth-types");
-// NOTE: Using any for sessionData until Phase 3 normalizes types
-// ============================================================================
-// CREDENTIALS PROVIDER
-// ============================================================================
-/**
- * Create the CredentialsProvider for NextAuth.
- *
- * This provider handles email/password login. The authorize function
- * is called when a user submits the login form.
- */
-function createCredentialsProvider() {
-    return (0, credentials_1.default)({
-        id: 'credentials',
-        name: 'Credentials',
-        credentials: {
-            email: { label: 'Email', type: 'email' },
-            password: { label: 'Password', type: 'password' },
-        },
-        authorize: authorizeCredentials,
-    });
-}
-/**
- * Authorize user with email/password.
- *
- * This is the core authentication function. It:
- * 1. Validates credentials with IDP
- * 2. Decodes the returned tokens
- * 3. Creates a Redis session
- * 4. Returns user info for NextAuth JWT
- *
- * @param credentials - Email and password from login form
- * @param req - The incoming request (for IP/UA forwarding)
- * @returns User object for NextAuth, or null/throws on failure
- */
-async function authorizeCredentials(credentials, req) {
-    // -------------------------------------------------------------------------
-    // Validate Input
-    // -------------------------------------------------------------------------
-    if (!credentials?.email || !credentials?.password) {
-        throw new Error('Email and password required');
-    }
-    const loginCredentials = {
-        email: credentials.email,
-        password: credentials.password,
-    };
-    // Extract client info for audit logging
-    const clientHeaders = extractClientHeaders(req);
-    // -------------------------------------------------------------------------
-    // Call IDP
-    // -------------------------------------------------------------------------
-    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
-    if (!loginResult.success || !loginResult.result) {
-        // Build structured error for frontend
-        const errorResponse = buildAuthError(loginResult.error);
-        throw new Error(JSON.stringify(errorResponse));
-    }
-    const { access_token, refresh_token, user: idpUser } = loginResult.result;
-    // -------------------------------------------------------------------------
-    // Decode Token
-    // -------------------------------------------------------------------------
-    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
-    if (!decoded) {
-        throw new Error('Failed to decode token');
-    }
-    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
-    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
-    if (bearerKeyId) {
-        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
-    }
-    else {
-        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
-    }
-    // Extract claims from token
-    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
-    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
-    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
-    const acrLevel = decoded.acr || '1';
-    const userId = decoded.sub;
-    // Check if 2FA is complete based on ACR level
-    // ACR=1: Provisional token (requires 2FA)
-    // ACR=2: Full authentication (2FA complete)
-    const mfaVerified = acrLevel === '2';
-    // Decode refresh token expiry if available
-    let refreshTokenExpires;
-    try {
-        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
-        if (refreshDecoded?.exp) {
-            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
-        }
-    }
-    catch {
-        // Ignore - will use default expiry
-    }
-    // -------------------------------------------------------------------------
-    // Create Redis Session
-    // -------------------------------------------------------------------------
-    // Using normalized field names (session-store handles backward compatibility)
-    const sessionData = {
-        userId,
-        email,
-        roles,
-        // IDP tokens (normalized names)
-        idpAccessToken: access_token,
-        idpRefreshToken: refresh_token,
-        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
-        idpRefreshTokenExpires: refreshTokenExpires,
-        decodedAccessToken: decoded,
-        // Bearer key ID from JWT header (NOT client_id from payload)
-        bearerKeyId,
-        // MFA state (normalized names)
-        mfaVerified,
-        authenticationMethods: amrClaims,
-        authenticationLevel: acrLevel,
-        // MFA timing info from token
-        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
-        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
-        mfaValidityHours: decoded.mfa_validity_hours,
-    };
-    // Determine MFA method from IDP user info
-    let mfaMethod;
-    if (idpUser?.isEmailConfirmed) {
-        mfaMethod = 'email';
-    }
-    else if (idpUser?.isSmsConfirmed) {
-        mfaMethod = 'sms';
-    }
-    if (mfaMethod) {
-        sessionData.mfaMethod = mfaMethod;
-    }
-    // Create the Redis session
-    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
-    // -------------------------------------------------------------------------
-    // Return User Object for NextAuth
-    // -------------------------------------------------------------------------
-    // NextAuth requires 'id' field - we use userId from IDP
-    // The redisSessionId is passed through to the JWT callback
-    return {
-        id: userId,
-        email,
-        roles,
-        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
-        mfaRequired: !mfaVerified,
-        mfaMethod,
-    };
-}
-// ============================================================================
-// HELPER FUNCTIONS
-// ============================================================================
-/**
- * Extract client headers from request for audit logging.
- */
-function extractClientHeaders(req) {
-    const headers = {};
-    // Extract client IP
-    const forwardedFor = req?.headers?.['x-forwarded-for'];
-    const realIp = req?.headers?.['x-real-ip'];
-    if (forwardedFor) {
-        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
-        headers.ip = ip;
-    }
-    else if (realIp) {
-        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
-    }
-    // Extract User-Agent
-    const userAgent = req?.headers?.['user-agent'];
-    if (userAgent) {
-        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
-    }
-    return headers;
-}
-/**
- * Build structured error response for frontend.
- *
- * The frontend expects a specific error structure to display
- * appropriate messages and handle things like lockout.
- */
-function buildAuthError(error) {
-    if (!error) {
-        return {
-            success: false,
-            error: {
-                code: 'AUTH_ERROR',
-                message: 'Authentication failed',
-                details: {},
-            },
-        };
-    }
-    return {
-        success: false,
-        error: {
-            code: error.code || 'AUTH_ERROR',
-            message: error.message || 'Authentication failed',
-            details: error.details || {},
-        },
-    };
-}
+"use strict";
+/**
+ * Credentials Provider
+ *
+ * Handles email/password authentication via PayEz IDP.
+ * Creates Redis session and returns minimal user object to NextAuth.
+ *
+ * FLOW:
+ * 1. User submits email/password
+ * 2. We call IDP /api/ExternalAuth/login
+ * 3. IDP returns tokens if credentials valid
+ * 4. We create Redis session with tokens
+ * 5. Return user object with redisSessionId to NextAuth
+ *
+ * @version 1.0.0
+ * @since auth-refactor-2026-01
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCredentialsProvider = createCredentialsProvider;
+const credentials_1 = __importDefault(require("next-auth/providers/credentials"));
+const session_store_1 = require("../../lib/session-store");
+const idp_client_1 = require("../utils/idp-client");
+const token_utils_1 = require("../utils/token-utils");
+const auth_types_1 = require("../types/auth-types");
+// NOTE: Using any for sessionData until Phase 3 normalizes types
+// ============================================================================
+// CREDENTIALS PROVIDER
+// ============================================================================
+/**
+ * Create the CredentialsProvider for NextAuth.
+ *
+ * This provider handles email/password login. The authorize function
+ * is called when a user submits the login form.
+ */
+function createCredentialsProvider() {
+    return (0, credentials_1.default)({
+        id: 'credentials',
+        name: 'Credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        authorize: authorizeCredentials,
+    });
+}
+/**
+ * Authorize user with email/password.
+ *
+ * This is the core authentication function. It:
+ * 1. Validates credentials with IDP
+ * 2. Decodes the returned tokens
+ * 3. Creates a Redis session
+ * 4. Returns user info for NextAuth JWT
+ *
+ * @param credentials - Email and password from login form
+ * @param req - The incoming request (for IP/UA forwarding)
+ * @returns User object for NextAuth, or null/throws on failure
+ */
+async function authorizeCredentials(credentials, req) {
+    // -------------------------------------------------------------------------
+    // Validate Input
+    // -------------------------------------------------------------------------
+    if (!credentials?.email || !credentials?.password) {
+        throw new Error('Email and password required');
+    }
+    const loginCredentials = {
+        email: credentials.email,
+        password: credentials.password,
+    };
+    // Extract client info for audit logging
+    const clientHeaders = extractClientHeaders(req);
+    // -------------------------------------------------------------------------
+    // Call IDP
+    // -------------------------------------------------------------------------
+    const loginResult = await (0, idp_client_1.idpLogin)(loginCredentials, clientHeaders);
+    if (!loginResult.success || !loginResult.result) {
+        // Build structured error for frontend
+        const errorResponse = buildAuthError(loginResult.error);
+        throw new Error(JSON.stringify(errorResponse));
+    }
+    const { access_token, refresh_token, user: idpUser } = loginResult.result;
+    // -------------------------------------------------------------------------
+    // Decode Token
+    // -------------------------------------------------------------------------
+    const decoded = (0, token_utils_1.decodeIdpAccessToken)(access_token);
+    if (!decoded) {
+        throw new Error('Failed to decode token');
+    }
+    // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
+    const bearerKeyId = (0, token_utils_1.extractKidFromToken)(access_token);
+    if (bearerKeyId) {
+        console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
+    }
+    else {
+        console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
+    }
+    // Extract claims from token
+    const email = (0, token_utils_1.extractEmailFromToken)(decoded);
+    const roles = (0, token_utils_1.extractRolesFromToken)(decoded);
+    const amrClaims = (0, token_utils_1.extractAmrFromToken)(decoded);
+    const acrLevel = decoded.acr || '1';
+    const userId = decoded.sub;
+    // Check if 2FA is complete based on ACR level
+    // ACR=1: Provisional token (requires 2FA)
+    // ACR=2: Full authentication (2FA complete)
+    const mfaVerified = acrLevel === '2';
+    // Decode refresh token expiry if available
+    let refreshTokenExpires;
+    try {
+        const refreshDecoded = (0, token_utils_1.decodeIdpAccessToken)(refresh_token);
+        if (refreshDecoded?.exp) {
+            refreshTokenExpires = (0, token_utils_1.expClaimToMs)(refreshDecoded.exp);
+        }
+    }
+    catch {
+        // Ignore - will use default expiry
+    }
+    // -------------------------------------------------------------------------
+    // Create Redis Session
+    // -------------------------------------------------------------------------
+    // Using normalized field names (session-store handles backward compatibility)
+    const sessionData = {
+        userId,
+        email,
+        roles,
+        // IDP tokens (normalized names)
+        idpAccessToken: access_token,
+        idpRefreshToken: refresh_token,
+        idpAccessTokenExpires: (0, token_utils_1.expClaimToMs)(decoded.exp),
+        idpRefreshTokenExpires: refreshTokenExpires,
+        decodedAccessToken: decoded,
+        // Bearer key ID from JWT header (NOT client_id from payload)
+        bearerKeyId,
+        // MFA state (normalized names)
+        mfaVerified,
+        authenticationMethods: amrClaims,
+        authenticationLevel: acrLevel,
+        // MFA timing info from token
+        mfaCompletedAt: decoded.mfa_time ? (0, token_utils_1.expClaimToMs)(decoded.mfa_time) : undefined,
+        mfaExpiresAt: decoded.mfa_expires ? (0, token_utils_1.expClaimToMs)(decoded.mfa_expires) : undefined,
+        mfaValidityHours: decoded.mfa_validity_hours,
+    };
+    // Determine MFA method from IDP user info
+    let mfaMethod;
+    if (idpUser?.isEmailConfirmed) {
+        mfaMethod = 'email';
+    }
+    else if (idpUser?.isSmsConfirmed) {
+        mfaMethod = 'sms';
+    }
+    if (mfaMethod) {
+        sessionData.mfaMethod = mfaMethod;
+    }
+    // Create the Redis session
+    const redisSessionId = await (0, session_store_1.createSession)(sessionData);
+    // -------------------------------------------------------------------------
+    // Return User Object for NextAuth
+    // -------------------------------------------------------------------------
+    // NextAuth requires 'id' field - we use userId from IDP
+    // The redisSessionId is passed through to the JWT callback
+    return {
+        id: userId,
+        email,
+        roles,
+        redisSessionId: (0, auth_types_1.toRedisSessionId)(redisSessionId),
+        mfaRequired: !mfaVerified,
+        mfaMethod,
+    };
+}
+// ============================================================================
+// HELPER FUNCTIONS
+// ============================================================================
+/**
+ * Extract client headers from request for audit logging.
+ */
+function extractClientHeaders(req) {
+    const headers = {};
+    // Extract client IP
+    const forwardedFor = req?.headers?.['x-forwarded-for'];
+    const realIp = req?.headers?.['x-real-ip'];
+    if (forwardedFor) {
+        const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
+        headers.ip = ip;
+    }
+    else if (realIp) {
+        headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
+    }
+    // Extract User-Agent
+    const userAgent = req?.headers?.['user-agent'];
+    if (userAgent) {
+        headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
+    }
+    return headers;
+}
+/**
+ * Build structured error response for frontend.
+ *
+ * The frontend expects a specific error structure to display
+ * appropriate messages and handle things like lockout.
+ */
+function buildAuthError(error) {
+    if (!error) {
+        return {
+            success: false,
+            error: {
+                code: 'AUTH_ERROR',
+                message: 'Authentication failed',
+                details: {},
+            },
+        };
+    }
+    return {
+        success: false,
+        error: {
+            code: error.code || 'AUTH_ERROR',
+            message: error.message || 'Authentication failed',
+            details: error.details || {},
+        },
+    };
+}

package/dist/config/vibe-log-transport.d.ts CHANGED Viewed

@@ -10,8 +10,10 @@
  * - Redis buffering with 1-week TTL
  * - Graceful degradation on failure
  */
-import Transport from 'winston-transport';
-export interface VibeLogTransportOptions extends Transport.TransportStreamOptions {
+declare let TransportBase: any;
+export interface VibeLogTransportOptions {
+    /** Winston transport level */
+    level?: string;
     /** Redis URL (optional, uses REDIS_URL env var by default) */
     redisUrl?: string;
     /** Vibe client ID (for log metadata) */
@@ -30,7 +32,7 @@ export interface VibeLogTransportOptions extends Transport.TransportStreamOption
 /**
  * Winston transport that buffers logs to Redis for Vibe drain processing
  */
-export declare class VibeLogTransport extends Transport {
+export declare class VibeLogTransport extends TransportBase {
     private vibeClientId;
     private appSlug;
     private minLevelNum;

package/dist/config/vibe-log-transport.js CHANGED Viewed

@@ -11,14 +11,23 @@
  * - Redis buffering with 1-week TTL
  * - Graceful degradation on failure
  */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VibeLogTransport = void 0;
 exports.createVibeLogTransport = createVibeLogTransport;
-const winston_transport_1 = __importDefault(require("winston-transport"));
 const redis_1 = require("../lib/redis");
+// Dynamic import — winston is a peerDependency and may not be installed.
+// We resolve the base class lazily so builds don't break without it.
+let TransportBase;
+try {
+    TransportBase = require('winston-transport');
+}
+catch {
+    // Fallback: minimal base class for when winston is not installed
+    TransportBase = class {
+        constructor(_opts) { }
+        emit(_event, _info) { }
+    };
+}
 /** Redis key for pending log entries */
 const REDIS_LOG_KEY = 'vibe:logs:pending';
 /** TTL in seconds: 1 week */
@@ -33,7 +42,7 @@ const LEVEL_ORDER = {
 /**
  * Winston transport that buffers logs to Redis for Vibe drain processing
  */
-class VibeLogTransport extends winston_transport_1.default {
+class VibeLogTransport extends TransportBase {
     vibeClientId;
     appSlug;
     minLevelNum;

package/dist/server/auth-guard.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Server-Side Auth Guard for Layouts
+ *
+ * Replaces middleware's self-fetch auth checks with direct Redis/function calls.
+ * Call from server-component layouts to protect routes.
+ *
+ * Zero HTTP self-fetches. ~8ms total (Redis + in-memory checks).
+ */
+import 'server-only';
+import type { SessionData } from '../lib/session-store';
+export interface AuthGuardOptions {
+    /** Custom checks to run after standard auth validation */
+    checks?: AuthCheck[];
+    /** Override login redirect URL (default: /account-auth/login) */
+    loginUrl?: string;
+    /** Override 2FA redirect URL (default: /account-auth/verify-code) */
+    verifyCodeUrl?: string;
+    /** Override service unavailable URL (default: /service-unavailable) */
+    serviceUnavailableUrl?: string;
+}
+export interface AuthCheck {
+    /** Name for logging */
+    name: string;
+    /** Returns redirect URL if check fails, null if passes */
+    check: (session: SessionData, pathname: string) => Promise<string | null>;
+}
+export interface AuthGuardResult {
+    userId: string;
+    email: string;
+    roles: string[];
+    sessionData: SessionData;
+    accessToken?: string;
+}
+/**
+ * Server-side auth guard. Call from async server layouts.
+ *
+ * Redirects (via next/navigation redirect()) if:
+ * - No session cookie / invalid JWT
+ * - Session not in Redis (stale)
+ * - Session force-invalidated
+ * - 2FA required but not completed / expired
+ * - Any custom check fails
+ *
+ * Returns the authenticated user's session data on success.
+ */
+export declare function authGuard(options?: AuthGuardOptions): Promise<AuthGuardResult>;