@payez/next-mvp 3.6.2 → 3.7.0
|
@@ -196,6 +196,9 @@ export async function getIDPClientConfig(forceRefresh: boolean = false): Promise
|
|
|
196
196
|
if (!clientIdStr) {
|
|
197
197
|
throw new Error('[IDP_CONFIG] FATAL: CLIENT_ID or NEXT_PUBLIC_CLIENT_ID must be set');
|
|
198
198
|
}
|
|
199
|
+
if (!process.env.PAYEZ_CLIENT_SECRET) {
|
|
200
|
+
throw new Error('[IDP_CONFIG] FATAL: PAYEZ_CLIENT_SECRET is required. Inject via container env or K8s Secret — never .env files.');
|
|
201
|
+
}
|
|
199
202
|
|
|
200
203
|
// Start fetch and store promise so concurrent callers wait for same result
|
|
201
204
|
pendingFetch = fetchConfigFromIDP(idpUrl, clientIdStr)
|
|
@@ -291,7 +294,8 @@ async function fetchConfigFromIDP(idpUrl: string, clientIdStr: string): Promise<
|
|
|
291
294
|
issuer: clientIdStr,
|
|
292
295
|
subject: clientIdStr,
|
|
293
296
|
audience: 'urn:payez:externalauth:clientconfig',
|
|
294
|
-
expires_in: 60
|
|
297
|
+
expires_in: 60,
|
|
298
|
+
client_secret: process.env.PAYEZ_CLIENT_SECRET,
|
|
295
299
|
};
|
|
296
300
|
|
|
297
301
|
const signingResp = await fetch(signingUrl, {
|
|
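Review bot: The presence check for `PAYEZ_CLIENT_SECRET` is added in `getIDPClientConfig`, but the value is read from `process.env` a second time inside `fetchConfigFromIDP`, so the payload relies on a guard that lives in a different function. If that payload is JSON-serialised (the serialisation is outside the hunk), an `undefined` value would be dropped and the request would go out without the secret instead of failing loudly. I would resolve it once, `const clientSecret = process.env.PAYEZ_CLIENT_SECRET?.trim(); if (!clientSecret) throw …`, and hand `clientSecret` to `fetchConfigFromIDP` so the checked value is the one that is sent. The `!process.env.PAYEZ_CLIENT_SECRET` test also accepts a whitespace-only value, unlike the `CLIENT_ID` check in `resolveNextAuthSecret`, and the guard added in that function has the same gap. Both function bodies continue outside the hunks.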
@@ -32,6 +32,10 @@ export async function resolveNextAuthSecret(): Promise<string> {
|
|
|
32
32
|
const clientIdStr = process.env.CLIENT_ID;
|
|
33
33
|
if (!clientIdStr || clientIdStr.trim() === '') throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
|
|
34
34
|
|
|
35
|
+
if (!process.env.PAYEZ_CLIENT_SECRET) {
|
|
36
|
+
throw new Error('[NEXTAUTH-SECRET] FATAL: PAYEZ_CLIENT_SECRET is required. Inject via container env or K8s Secret — never .env files.');
|
|
37
|
+
}
|
|
38
|
+
|
|
35
39
|
// Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
|
|
36
40
|
|
|
37
41
|
const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
|
|
@@ -41,7 +45,8 @@ export async function resolveNextAuthSecret(): Promise<string> {
|
|
|
41
45
|
issuer: clientIdStr,
|
|
42
46
|
subject: clientIdStr,
|
|
43
47
|
audience: 'urn:payez:externalauth:nextauthsecret',
|
|
44
|
-
expires_in: 60
|
|
48
|
+
expires_in: 60,
|
|
49
|
+
client_secret: process.env.PAYEZ_CLIENT_SECRET,
|
|
45
50
|
};
|
|
46
51
|
|
|
47
52
|
const signingResp = await fetch(signingUrl.toString(), {
|
|
@@ -87,7 +92,7 @@ export async function resolveNextAuthSecret(): Promise<string> {
|
|
|
87
92
|
'X-Client-Id': clientIdStr,
|
|
88
93
|
'X-Correlation-Id': randomUUID().replace(/-/g, ''),
|
|
89
94
|
},
|
|
90
|
-
body: JSON.stringify({ client_assertion }),
|
|
95
|
+
body: JSON.stringify({ client_assertion, client_secret: process.env.PAYEZ_CLIENT_SECRET }),
|
|
91
96
|
cache: 'no-store'
|
|
92
97
|
} as RequestInit);
|
|
93
98
|
|
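Review bot: `client_secret` now travels in two outbound request bodies in `resolveNextAuthSecret` (the sign-client-assertion payload and the `{ client_assertion, client_secret }` body), and nothing in the visible lines restricts the target to HTTPS; `signingUrl` is built from `base`, whose origin is outside the hunk, and the URL of the second request is not shown. If `base` can come from configuration, a guard such as `if (signingUrl.protocol !== 'https:') throw new Error('[NEXTAUTH-SECRET] IDP URL must use https');` before the first fetch keeps the secret off cleartext transports. It is also worth confirming that the error handling around both fetches never logs the request body or the payload object, since either now contains the secret. The function body continues outside the hunks.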