@payez/next-mvp 3.6.2 → 3.7.0
|
@@ -136,6 +136,9 @@ async function getIDPClientConfig(forceRefresh = false) {
|
|
|
136
136
|
if (!clientIdStr) {
|
|
137
137
|
throw new Error('[IDP_CONFIG] FATAL: CLIENT_ID or NEXT_PUBLIC_CLIENT_ID must be set');
|
|
138
138
|
}
|
|
139
|
+
if (!process.env.PAYEZ_CLIENT_SECRET) {
|
|
140
|
+
throw new Error('[IDP_CONFIG] FATAL: PAYEZ_CLIENT_SECRET is required. Inject via container env or K8s Secret — never .env files.');
|
|
141
|
+
}
|
|
139
142
|
// Start fetch and store promise so concurrent callers wait for same result
|
|
140
143
|
pendingFetch = fetchConfigFromIDP(idpUrl, clientIdStr)
|
|
141
144
|
.then(async (config) => {
|
|
@@ -219,7 +222,8 @@ async function fetchConfigFromIDP(idpUrl, clientIdStr) {
|
|
|
219
222
|
issuer: clientIdStr,
|
|
220
223
|
subject: clientIdStr,
|
|
221
224
|
audience: 'urn:payez:externalauth:clientconfig',
|
|
222
|
-
expires_in: 60
|
|
225
|
+
expires_in: 60,
|
|
226
|
+
client_secret: process.env.PAYEZ_CLIENT_SECRET,
|
|
223
227
|
};
|
|
224
228
|
const signingResp = await fetch(signingUrl, {
|
|
225
229
|
method: 'POST',
|
|
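Review bot: The `client_secret: process.env.PAYEZ_CLIENT_SECRET` field in fetchConfigFromIDP puts a long-lived credential into the body POSTed to `signingUrl`, and nothing in the visible lines confirms that URL is https or the expected IDP host before the fetch. How `idpUrl` is validated lies outside these hunks, so this may already be covered; if it is not, a guard ahead of the fetch such as `if (new URL(signingUrl).protocol !== 'https:') throw new Error('[IDP_CONFIG] FATAL: IDP URL must be https');` keeps the secret off cleartext connections. The same applies to the two `client_secret` additions in resolveNextAuthSecret, where the URL is built from `base`. Both function bodies start and end outside the hunks shown.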
@@ -31,6 +31,9 @@ async function resolveNextAuthSecret() {
|
|
|
31
31
|
const clientIdStr = process.env.CLIENT_ID;
|
|
32
32
|
if (!clientIdStr || clientIdStr.trim() === '')
|
|
33
33
|
throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
|
|
34
|
+
if (!process.env.PAYEZ_CLIENT_SECRET) {
|
|
35
|
+
throw new Error('[NEXTAUTH-SECRET] FATAL: PAYEZ_CLIENT_SECRET is required. Inject via container env or K8s Secret — never .env files.');
|
|
36
|
+
}
|
|
34
37
|
// Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
|
|
35
38
|
const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
|
|
36
39
|
// Client ID passed via X-Client-Id header, not query string
|
|
@@ -38,7 +41,8 @@ async function resolveNextAuthSecret() {
|
|
|
38
41
|
issuer: clientIdStr,
|
|
39
42
|
subject: clientIdStr,
|
|
40
43
|
audience: 'urn:payez:externalauth:nextauthsecret',
|
|
41
|
-
expires_in: 60
|
|
44
|
+
expires_in: 60,
|
|
45
|
+
client_secret: process.env.PAYEZ_CLIENT_SECRET,
|
|
42
46
|
};
|
|
43
47
|
const signingResp = await fetch(signingUrl.toString(), {
|
|
44
48
|
method: 'POST',
|
|
@@ -75,7 +79,7 @@ async function resolveNextAuthSecret() {
|
|
|
75
79
|
'X-Client-Id': clientIdStr,
|
|
76
80
|
'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
|
|
77
81
|
},
|
|
78
|
-
body: JSON.stringify({ client_assertion }),
|
|
82
|
+
body: JSON.stringify({ client_assertion, client_secret: process.env.PAYEZ_CLIENT_SECRET }),
|
|
79
83
|
cache: 'no-store'
|
|
80
84
|
});
|
|
81
85
|
if (!proxyResp.ok) {
|
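Review bot: The new guard in resolveNextAuthSecret tests only `!process.env.PAYEZ_CLIENT_SECRET`, while the CLIENT_ID check directly above it also rejects a whitespace-only value, and the secret is then re-read from `process.env` at two later points (the signing payload and the second POST body). Reading it once keeps the guard and both uses in agreement: `const clientSecret = process.env.PAYEZ_CLIENT_SECRET;` followed by `if (!clientSecret || clientSecret.trim() === '') {`, with `client_secret: clientSecret` in both bodies. Because the request body now carries the secret, any logging of that body or of the failed request in the `!proxyResp.ok` branch (not visible here) should leave it out. The function body starts and ends outside these hunks.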