@payez/next-mvp 3.4.0 → 3.5.0

package/dist/server/auth-guard.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * Server-Side Auth Guard for Layouts
+ *
+ * Replaces middleware's self-fetch auth checks with direct Redis/function calls.
+ * Call from server-component layouts to protect routes.
+ *
+ * Zero HTTP self-fetches. ~8ms total (Redis + in-memory checks).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authGuard = authGuard;
+require("server-only");
+const navigation_1 = require("next/navigation");
+const headers_1 = require("next/headers");
+const decode_session_1 = require("./decode-session");
+const idp_client_config_1 = require("../lib/idp-client-config");
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+const LOGIN_PAGE = '/account-auth/login';
+const VERIFY_CODE_PAGE = '/account-auth/verify-code';
+const SERVICE_UNAVAILABLE_PAGE = '/service-unavailable';
+// =============================================================================
+// MAIN
+// =============================================================================
+/**
+ * Server-side auth guard. Call from async server layouts.
+ *
+ * Redirects (via next/navigation redirect()) if:
+ * - No session cookie / invalid JWT
+ * - Session not in Redis (stale)
+ * - Session force-invalidated
+ * - 2FA required but not completed / expired
+ * - Any custom check fails
+ *
+ * Returns the authenticated user's session data on success.
+ */
+async function authGuard(options) {
+    const loginUrl = options?.loginUrl || LOGIN_PAGE;
+    const verifyCodeUrl = options?.verifyCodeUrl || VERIFY_CODE_PAGE;
+    const serviceUnavailableUrl = options?.serviceUnavailableUrl || SERVICE_UNAVAILABLE_PAGE;
+    // Get current pathname from headers (set by Next.js)
+    const headerStore = await (0, headers_1.headers)();
+    const pathname = headerStore.get('x-next-pathname') ||
+        headerStore.get('x-invoke-path') ||
+        headerStore.get('x-matched-path') ||
+        '/';
+    const callbackUrl = encodeURIComponent(pathname);
+    // --- Decode session (cookie → JWT → Redis) ---
+    let decoded;
+    try {
+        decoded = await (0, decode_session_1.decodeSession)();
+    }
+    catch (error) {
+        // Redis unreachable or startup failure → fail closed
+        console.error('[AUTH-GUARD] Session decode failed (service error):', error instanceof Error ? error.message : String(error));
+        (0, navigation_1.redirect)(serviceUnavailableUrl);
+    }
+    // No session at all → redirect to login
+    if (!decoded) {
+        (0, navigation_1.redirect)(`${loginUrl}?callbackUrl=${callbackUrl}`);
+    }
+    const { sessionData } = decoded;
+    // --- Force-invalidated session (admin action, password change) ---
+    if (sessionData.forceInvalidated) {
+        console.warn('[AUTH-GUARD] Session force-invalidated', {
+            userId: sessionData.userId,
+            pathname,
+        });
+        (0, navigation_1.redirect)(`${loginUrl}?callbackUrl=${callbackUrl}&reason=invalidated`);
+    }
+    // --- 2FA check ---
+    try {
+        const config = await (0, idp_client_config_1.getIDPClientConfig)();
+        const requires2FA = config.authSettings?.require2FA ?? true;
+        if (requires2FA) {
+            const mfaVerified = sessionData.mfaVerified ?? sessionData.twoFactorComplete ?? false;
+            const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
+            const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+            if (!mfaVerified || mfaExpired) {
+                console.log('[AUTH-GUARD] 2FA required', {
+                    mfaVerified,
+                    mfaExpired,
+                    userId: sessionData.userId,
+                    pathname,
+                });
+                (0, navigation_1.redirect)(`${verifyCodeUrl}?callbackUrl=${callbackUrl}`);
+            }
+        }
+    }
+    catch (error) {
+        // If we can't check 2FA config, fail closed
+        console.error('[AUTH-GUARD] 2FA config check failed:', error instanceof Error ? error.message : String(error));
+        (0, navigation_1.redirect)(serviceUnavailableUrl);
+    }
+    // --- Custom checks (beta, admin, etc.) ---
+    if (options?.checks) {
+        for (const check of options.checks) {
+            try {
+                const redirectUrl = await check.check(sessionData, pathname);
+                if (redirectUrl) {
+                    console.log(`[AUTH-GUARD] Custom check "${check.name}" failed`, {
+                        userId: sessionData.userId,
+                        pathname,
+                        redirectUrl,
+                    });
+                    (0, navigation_1.redirect)(redirectUrl);
+                }
+            }
+            catch (error) {
+                // If the error is a redirect (from next/navigation), re-throw it
+                if (error && typeof error === 'object' && 'digest' in error) {
+                    throw error;
+                }
+                console.error(`[AUTH-GUARD] Custom check "${check.name}" error:`, error instanceof Error ? error.message : String(error));
+                (0, navigation_1.redirect)(serviceUnavailableUrl);
+            }
+        }
+    }
+    // --- All checks passed ---
+    return {
+        userId: sessionData.userId,
+        email: sessionData.email,
+        roles: sessionData.roles || [],
+        sessionData,
+        accessToken: sessionData.idpAccessToken,
+    };
+}

package/dist/server/decode-session.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Server-Side Session Decoder
+ *
+ * Reads the JWT session cookie, decodes it with jose, and fetches the
+ * full session from Redis. Used by authGuard (layouts) and withAuth (API routes).
+ *
+ * Zero HTTP self-fetches. Direct Redis reads only.
+ */
+import 'server-only';
+import { type JWTPayload } from 'jose';
+import { type SessionData } from '../lib/session-store';
+export interface DecodedSession {
+    sessionData: SessionData;
+    jwtPayload: JWTPayload & {
+        sessionToken?: string;
+        redisSessionId?: string;
+    };
+}
+/**
+ * Decode the session from cookies and Redis.
+ * Returns null if no valid session exists.
+ *
+ * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
+ *                       If omitted, uses next/headers cookies() for server components.
+ */
+export declare function decodeSession(requestCookies?: {
+    get: (name: string) => {
+        value: string;
+    } | undefined;
+}): Promise<DecodedSession | null>;

package/dist/server/decode-session.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * Server-Side Session Decoder
+ *
+ * Reads the JWT session cookie, decodes it with jose, and fetches the
+ * full session from Redis. Used by authGuard (layouts) and withAuth (API routes).
+ *
+ * Zero HTTP self-fetches. Direct Redis reads only.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decodeSession = decodeSession;
+require("server-only");
+const headers_1 = require("next/headers");
+const jose_1 = require("jose");
+const session_store_1 = require("../lib/session-store");
+const idp_client_config_1 = require("../lib/idp-client-config");
+const app_slug_1 = require("../lib/app-slug");
+const startup_init_1 = require("../lib/startup-init");
+/**
+ * Decode the session from cookies and Redis.
+ * Returns null if no valid session exists.
+ *
+ * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
+ *                       If omitted, uses next/headers cookies() for server components.
+ */
+async function decodeSession(requestCookies) {
+    try {
+        // Ensure startup initialization is complete (Redis, IDP config, etc.)
+        await (0, startup_init_1.ensureInitialized)();
+        // Get the JWT cookie value
+        const cookieStore = requestCookies || (await (0, headers_1.cookies)());
+        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
+        const secureCookieName = (0, app_slug_1.getSecureSessionCookieName)();
+        const cookieValue = cookieStore.get(secureCookieName)?.value ||
+            cookieStore.get(sessionCookieName)?.value;
+        if (!cookieValue) {
+            return null;
+        }
+        // Get the NextAuth secret from IDP config
+        const config = await (0, idp_client_config_1.getIDPClientConfig)();
+        const secret = config.nextAuthSecret;
+        if (!secret) {
+            console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
+            return null;
+        }
+        // Decode the JWT (same pattern as test-aware-get-token.ts)
+        const secretKey = new TextEncoder().encode(secret);
+        let payload;
+        try {
+            const result = await (0, jose_1.jwtVerify)(cookieValue, secretKey);
+            payload = result.payload;
+        }
+        catch (jwtError) {
+            // JWT decode failed - cookie may be corrupted or secret rotated
+            console.warn('[DECODE-SESSION] JWT verification failed:', jwtError instanceof Error ? jwtError.message : String(jwtError));
+            return null;
+        }
+        // Extract the Redis session ID from JWT payload
+        const sessionToken = payload.sessionToken || payload.redisSessionId;
+        if (!sessionToken) {
+            console.warn('[DECODE-SESSION] JWT payload missing sessionToken/redisSessionId');
+            return null;
+        }
+        // Fetch session from Redis (direct, no HTTP)
+        const sessionData = await (0, session_store_1.getSession)(sessionToken);
+        if (!sessionData) {
+            return null;
+        }
+        return {
+            sessionData,
+            jwtPayload: payload,
+        };
+    }
+    catch (error) {
+        console.error('[DECODE-SESSION] Error:', error instanceof Error ? error.message : String(error));
+        return null;
+    }
+}

package/dist/server/slim-middleware.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Slim Middleware — Cookie-Only Auth Check
+ *
+ * Replaces the self-fetching middleware with a cookie existence check.
+ * All real auth validation happens in server-side layouts (authGuard).
+ *
+ * Zero self-fetches. Zero Redis calls. Zero JWT decoding.
+ * Just: does the session cookie exist? Yes → pass through. No → redirect to login.
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export interface SlimMiddlewareOptions {
+    /** Routes that don't require authentication (glob-style patterns) */
+    publicRoutes?: string[];
+    /** Login page URL (default: /account-auth/login) */
+    loginUrl?: string;
+    /** Additional paths to always bypass (e.g., /api/auth/, /api/session/) */
+    bypassPrefixes?: string[];
+}
+/**
+ * Create a slim middleware that only checks cookie existence.
+ * Auth validation is deferred to server-side layouts (authGuard).
+ */
+export declare function createSlimMiddleware(options?: SlimMiddlewareOptions): (request: NextRequest) => NextResponse;

package/dist/server/slim-middleware.js

@@ -0,0 +1,89 @@
+"use strict";
+/**
+ * Slim Middleware — Cookie-Only Auth Check
+ *
+ * Replaces the self-fetching middleware with a cookie existence check.
+ * All real auth validation happens in server-side layouts (authGuard).
+ *
+ * Zero self-fetches. Zero Redis calls. Zero JWT decoding.
+ * Just: does the session cookie exist? Yes → pass through. No → redirect to login.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSlimMiddleware = createSlimMiddleware;
+const server_1 = require("next/server");
+const app_slug_1 = require("../lib/app-slug");
+// =============================================================================
+// DEFAULT BYPASS PATHS
+// =============================================================================
+/** Routes that must always bypass middleware (prevent infinite loops) */
+const DEFAULT_BYPASS_PREFIXES = [
+    '/api/auth/',
+    '/api/session/',
+    '/_next/',
+    '/favicon.ico',
+];
+/** Static file extensions to bypass */
+const STATIC_EXTENSIONS = /\.(svg|png|jpg|jpeg|gif|webp|ico|css|js|woff|woff2|ttf|eot|map)$/i;
+// =============================================================================
+// MAIN
+// =============================================================================
+/**
+ * Create a slim middleware that only checks cookie existence.
+ * Auth validation is deferred to server-side layouts (authGuard).
+ */
+function createSlimMiddleware(options) {
+    const publicRoutes = options?.publicRoutes || [];
+    const loginUrl = options?.loginUrl || '/account-auth/login';
+    const extraBypass = options?.bypassPrefixes || [];
+    const allBypass = [...DEFAULT_BYPASS_PREFIXES, ...extraBypass];
+    // Pre-compile public route patterns for fast matching
+    const publicMatchers = publicRoutes.map(pattern => {
+        if (pattern.endsWith('/*')) {
+            const prefix = pattern.slice(0, -2);
+            return (p) => p === prefix || p.startsWith(prefix + '/');
+        }
+        if (pattern.endsWith('*')) {
+            const prefix = pattern.slice(0, -1);
+            return (p) => p.startsWith(prefix);
+        }
+        if (pattern.startsWith('/*.')) {
+            const ext = pattern.slice(2);
+            return (p) => p.endsWith(ext);
+        }
+        return (p) => p === pattern;
+    });
+    return function middleware(request) {
+        const { pathname } = request.nextUrl;
+        // 1. Always bypass static/internal routes
+        if (STATIC_EXTENSIONS.test(pathname)) {
+            return server_1.NextResponse.next();
+        }
+        for (const prefix of allBypass) {
+            if (pathname.startsWith(prefix)) {
+                return server_1.NextResponse.next();
+            }
+        }
+        // 2. Check if it's a public route → pass through
+        for (const matcher of publicMatchers) {
+            if (matcher(pathname)) {
+                return server_1.NextResponse.next();
+            }
+        }
+        // 3. THE ONLY AUTH CHECK: Does a session cookie exist?
+        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
+        const secureCookieName = (0, app_slug_1.getSecureSessionCookieName)();
+        const hasCookie = request.cookies.has(sessionCookieName) ||
+            request.cookies.has(secureCookieName);
+        if (!hasCookie) {
+            // No cookie on a protected route → redirect to login
+            // API routes get 401 instead of redirect
+            if (pathname.startsWith('/api/')) {
+                return server_1.NextResponse.json({ error: 'Unauthorized', message: 'No session' }, { status: 401 });
+            }
+            const callbackUrl = encodeURIComponent(pathname);
+            return server_1.NextResponse.redirect(new URL(`${loginUrl}?callbackUrl=${callbackUrl}`, request.url));
+        }
+        // Cookie exists → pass through, layout authGuard does the real validation
+        return server_1.NextResponse.next();
+    };
+}

package/dist/server/with-auth.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Server-Side Auth Wrapper for API Routes & Server Actions
+ *
+ * Wraps route handlers with session validation. Uses direct Redis reads.
+ * Zero HTTP self-fetches.
+ *
+ * Usage:
+ *   export const GET = withAuth(async (req, auth) => {
+ *     return NextResponse.json({ userId: auth.userId });
+ *   });
+ *
+ *   // With role requirement:
+ *   export const POST = withAuth(async (req, auth) => { ... }, { requiredRoles: ['admin'] });
+ */
+import 'server-only';
+import { NextRequest, NextResponse } from 'next/server';
+import type { SessionData } from '../lib/session-store';
+export interface ApiAuthResult {
+    userId: string;
+    email: string;
+    roles: string[];
+    sessionData: SessionData;
+    accessToken?: string;
+}
+export interface WithAuthOptions {
+    /** Roles required to access the route (any match = allowed) */
+    requiredRoles?: string[];
+}
+/**
+ * Wrap an API route handler with auth validation.
+ * Returns 401 if not authenticated, 403 if missing required roles.
+ */
+export declare function withAuth(handler: (req: NextRequest, auth: ApiAuthResult) => Promise<NextResponse>, options?: WithAuthOptions): (req: NextRequest) => Promise<NextResponse>;

package/dist/server/with-auth.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Server-Side Auth Wrapper for API Routes & Server Actions
+ *
+ * Wraps route handlers with session validation. Uses direct Redis reads.
+ * Zero HTTP self-fetches.
+ *
+ * Usage:
+ *   export const GET = withAuth(async (req, auth) => {
+ *     return NextResponse.json({ userId: auth.userId });
+ *   });
+ *
+ *   // With role requirement:
+ *   export const POST = withAuth(async (req, auth) => { ... }, { requiredRoles: ['admin'] });
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withAuth = withAuth;
+require("server-only");
+const server_1 = require("next/server");
+const decode_session_1 = require("./decode-session");
+// =============================================================================
+// MAIN
+// =============================================================================
+/**
+ * Wrap an API route handler with auth validation.
+ * Returns 401 if not authenticated, 403 if missing required roles.
+ */
+function withAuth(handler, options) {
+    return async (req) => {
+        try {
+            // Decode session from request cookies (direct Redis, no self-fetch)
+            const decoded = await (0, decode_session_1.decodeSession)(req.cookies);
+            if (!decoded) {
+                return server_1.NextResponse.json({ error: 'Unauthorized', message: 'No valid session' }, { status: 401 });
+            }
+            const { sessionData } = decoded;
+            // Check required roles
+            if (options?.requiredRoles && options.requiredRoles.length > 0) {
+                const userRoles = sessionData.roles || [];
+                const hasRole = options.requiredRoles.some(r => userRoles.includes(r));
+                if (!hasRole) {
+                    return server_1.NextResponse.json({ error: 'Forbidden', message: 'Insufficient permissions' }, { status: 403 });
+                }
+            }
+            const auth = {
+                userId: sessionData.userId,
+                email: sessionData.email,
+                roles: sessionData.roles || [],
+                sessionData,
+                accessToken: sessionData.idpAccessToken,
+            };
+            return handler(req, auth);
+        }
+        catch (error) {
+            console.error('[WITH-AUTH] Error:', error instanceof Error ? error.message : String(error));
+            return server_1.NextResponse.json({ error: 'Internal Server Error', message: 'Auth check failed' }, { status: 500 });
+        }
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "3.4.0",
+  "version": "3.5.0",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -821,6 +821,26 @@
       "types": "./dist/pages/coming-soon/page.d.ts",
       "require": "./dist/pages/coming-soon/page.js",
       "default": "./dist/pages/coming-soon/page.js"
+    },
+    "./server/auth-guard": {
+      "types": "./dist/server/auth-guard.d.ts",
+      "require": "./dist/server/auth-guard.js",
+      "default": "./dist/server/auth-guard.js"
+    },
+    "./server/with-auth": {
+      "types": "./dist/server/with-auth.d.ts",
+      "require": "./dist/server/with-auth.js",
+      "default": "./dist/server/with-auth.js"
+    },
+    "./server/slim-middleware": {
+      "types": "./dist/server/slim-middleware.d.ts",
+      "require": "./dist/server/slim-middleware.js",
+      "default": "./dist/server/slim-middleware.js"
+    },
+    "./server/decode-session": {
+      "types": "./dist/server/decode-session.d.ts",
+      "require": "./dist/server/decode-session.js",
+      "default": "./dist/server/decode-session.js"
     }
   },
   "peerDependencies": {

package/src/config/vibe-log-transport.ts

@@ -11,15 +11,29 @@
  * - Graceful degradation on failure
  */
 
-import Transport from 'winston-transport';
 import { getRedis } from '../lib/redis';
 
+// Dynamic import — winston is a peerDependency and may not be installed.
+// We resolve the base class lazily so builds don't break without it.
+let TransportBase: any;
+try {
+  TransportBase = require('winston-transport');
+} catch {
+  // Fallback: minimal base class for when winston is not installed
+  TransportBase = class {
+    constructor(_opts?: any) {}
+    emit(_event: string, _info: any) {}
+  };
+}
+
 /** Redis key for pending log entries */
 const REDIS_LOG_KEY = 'vibe:logs:pending';
 /** TTL in seconds: 1 week */
 const REDIS_LOG_TTL = 7 * 24 * 60 * 60;
 
-export interface VibeLogTransportOptions extends Transport.TransportStreamOptions {
+export interface VibeLogTransportOptions {
+  /** Winston transport level */
+  level?: string;
   /** Redis URL (optional, uses REDIS_URL env var by default) */
   redisUrl?: string;
   /** Vibe client ID (for log metadata) */
@@ -55,7 +69,7 @@ const LEVEL_ORDER: Record<string, number> = {
 /**
  * Winston transport that buffers logs to Redis for Vibe drain processing
  */
-export class VibeLogTransport extends Transport {
+export class VibeLogTransport extends TransportBase {
   private vibeClientId: string;
   private appSlug: string;
   private minLevelNum: number;