npm - @payez/next-mvp - Versions diffs - 3.9.0 → 4.0.0 - Mend

@payez/next-mvp 3.9.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/dist/api/auth-handler.d.ts +1 -2
package/dist/api/auth-handler.js +9 -9
package/dist/api-handlers/account/change-password.js +110 -112
package/dist/api-handlers/admin/analytics.d.ts +19 -20
package/dist/api-handlers/admin/analytics.js +378 -379
package/dist/api-handlers/admin/audit.d.ts +19 -20
package/dist/api-handlers/admin/audit.js +213 -214
package/dist/api-handlers/admin/index.d.ts +21 -22
package/dist/api-handlers/admin/index.js +42 -43
package/dist/api-handlers/admin/redis-sessions.d.ts +35 -36
package/dist/api-handlers/admin/redis-sessions.js +203 -204
package/dist/api-handlers/admin/sessions.d.ts +20 -21
package/dist/api-handlers/admin/sessions.js +283 -284
package/dist/api-handlers/admin/site-logs.d.ts +45 -46
package/dist/api-handlers/admin/site-logs.js +317 -318
package/dist/api-handlers/admin/stats.d.ts +20 -21
package/dist/api-handlers/admin/stats.js +239 -240
package/dist/api-handlers/admin/users.d.ts +19 -20
package/dist/api-handlers/admin/users.js +221 -222
package/dist/api-handlers/admin/vibe-data.d.ts +79 -80
package/dist/api-handlers/admin/vibe-data.js +267 -268
package/dist/api-handlers/auth/refresh.js +633 -635
package/dist/api-handlers/auth/signout.js +186 -187
package/dist/api-handlers/auth/status.js +4 -7
package/dist/api-handlers/auth/update-session.d.ts +1 -1
package/dist/api-handlers/auth/update-session.js +12 -14
package/dist/api-handlers/auth/verify-code.d.ts +43 -43
package/dist/api-handlers/auth/verify-code.js +90 -94
package/dist/api-handlers/session/viability.js +114 -146
package/dist/api-handlers/test/force-expire.js +59 -65
package/dist/auth/auth-decision.js +182 -182
package/dist/auth/better-auth.d.ts +3 -6
package/dist/auth/better-auth.js +3 -6
package/dist/auth/route-config.js +2 -2
package/dist/auth/utils/token-utils.d.ts +83 -84
package/dist/auth/utils/token-utils.js +218 -219
package/dist/client/AuthContext.js +115 -112
package/dist/client/better-auth-client.d.ts +1020 -961
package/dist/client/better-auth-client.js +54 -7
package/dist/client/fetch-with-auth.js +2 -2
package/dist/components/SessionSync.js +121 -119
package/dist/components/account/MobileNavDrawer.js +64 -64
package/dist/components/account/UserAvatarMenu.js +91 -88
package/dist/components/admin/VibeAdminLayout.js +71 -69
package/dist/hooks/useAuth.js +9 -7
package/dist/hooks/useAuthSettings.js +93 -93
package/dist/hooks/useAvailableProviders.d.ts +43 -45
package/dist/hooks/useAvailableProviders.js +112 -108
package/dist/hooks/useSessionExpiration.d.ts +2 -3
package/dist/hooks/useSessionExpiration.js +2 -2
package/dist/hooks/useViabilitySession.js +3 -2
package/dist/index.js +4 -6
package/dist/lib/app-slug.d.ts +95 -95
package/dist/lib/app-slug.js +172 -172
package/dist/lib/standardized-client-api.js +10 -5
package/dist/lib/startup-init.js +21 -25
package/dist/lib/test-aware-get-token.js +86 -81
package/dist/lib/token-lifecycle.d.ts +78 -52
package/dist/lib/token-lifecycle.js +360 -398
package/dist/pages/admin-login/page.js +73 -83
package/dist/pages/client-admin/ClientSiteAdminPage.js +179 -177
package/dist/pages/login/page.js +202 -211
package/dist/pages/showcase/ShowcasePage.js +142 -140
package/dist/pages/test-env/EmergencyLogoutPage.js +99 -98
package/dist/pages/test-env/JwtInspectPage.js +116 -114
package/dist/pages/test-env/RefreshTokenPage.js +4 -2
package/dist/pages/test-env/TestEnvPage.js +51 -49
package/dist/pages/verify-code/page.js +412 -408
package/dist/routes/auth/logout.d.ts +31 -31
package/dist/routes/auth/logout.js +98 -113
package/dist/routes/auth/nextauth.d.ts +14 -11
package/dist/routes/auth/nextauth.js +25 -57
package/dist/routes/auth/session.js +157 -179
package/dist/routes/auth/viability.js +190 -201
package/dist/server/auth.d.ts +50 -0
package/dist/server/auth.js +62 -0
package/dist/stores/authStore.js +19 -23
package/dist/utils/logout.js +5 -5
package/package.json +1 -3
package/src/api/auth-handler.ts +550 -549
package/src/api-handlers/account/change-password.ts +5 -8
package/src/api-handlers/admin/analytics.ts +4 -6
package/src/api-handlers/admin/audit.ts +5 -7
package/src/api-handlers/admin/index.ts +1 -2
package/src/api-handlers/admin/redis-sessions.ts +6 -8
package/src/api-handlers/admin/sessions.ts +5 -7
package/src/api-handlers/admin/site-logs.ts +8 -10
package/src/api-handlers/admin/stats.ts +4 -6
package/src/api-handlers/admin/users.ts +5 -7
package/src/api-handlers/admin/vibe-data.ts +10 -12
package/src/api-handlers/auth/refresh.ts +5 -7
package/src/api-handlers/auth/signout.ts +5 -6
package/src/api-handlers/auth/status.ts +4 -7
package/src/api-handlers/auth/update-session.ts +123 -125
package/src/api-handlers/auth/verify-code.ts +9 -13
package/src/api-handlers/session/viability.ts +10 -47
package/src/api-handlers/test/force-expire.ts +4 -11
package/src/auth/auth-decision.ts +1 -1
package/src/auth/better-auth.ts +138 -141
package/src/auth/route-config.ts +219 -219
package/src/auth/utils/token-utils.ts +0 -1
package/src/client/AuthContext.tsx +6 -2
package/src/client/better-auth-client.ts +54 -7
package/src/client/fetch-with-auth.ts +47 -47
package/src/components/SessionSync.tsx +6 -5
package/src/components/account/MobileNavDrawer.tsx +3 -3
package/src/components/account/UserAvatarMenu.tsx +6 -3
package/src/components/admin/VibeAdminLayout.tsx +4 -2
package/src/config/logger.ts +1 -1
package/src/hooks/useAuth.ts +117 -115
package/src/hooks/useAuthSettings.ts +2 -2
package/src/hooks/useAvailableProviders.ts +9 -5
package/src/hooks/useSessionExpiration.ts +101 -102
package/src/hooks/useViabilitySession.ts +336 -335
package/src/index.ts +60 -63
package/src/lib/api-handler.ts +0 -1
package/src/lib/app-slug.ts +6 -6
package/src/lib/standardized-client-api.ts +901 -895
package/src/lib/startup-init.ts +243 -247
package/src/lib/test-aware-get-token.ts +22 -12
package/src/lib/token-lifecycle.ts +12 -53
package/src/pages/admin-login/page.tsx +9 -17
package/src/pages/client-admin/ClientSiteAdminPage.tsx +4 -2
package/src/pages/login/page.tsx +21 -28
package/src/pages/showcase/ShowcasePage.tsx +4 -2
package/src/pages/test-env/EmergencyLogoutPage.tsx +7 -6
package/src/pages/test-env/JwtInspectPage.tsx +5 -3
package/src/pages/test-env/RefreshTokenPage.tsx +157 -155
package/src/pages/test-env/TestEnvPage.tsx +4 -2
package/src/pages/verify-code/page.tsx +10 -6
package/src/routes/auth/logout.ts +7 -25
package/src/routes/auth/nextauth.ts +45 -71
package/src/routes/auth/session.ts +25 -50
package/src/routes/auth/viability.ts +7 -19
package/src/server/auth.ts +60 -0
package/src/stores/authStore.ts +1899 -1904
package/src/utils/logout.ts +30 -30
package/src/auth/auth-options.ts +0 -237
package/src/auth/callbacks/index.ts +0 -7
package/src/auth/callbacks/jwt.ts +0 -382
package/src/auth/callbacks/session.ts +0 -243
package/src/auth/callbacks/signin.ts +0 -56
package/src/auth/events/index.ts +0 -5
package/src/auth/events/signout.ts +0 -33
package/src/auth/providers/credentials.ts +0 -256
package/src/auth/providers/index.ts +0 -6
package/src/auth/providers/oauth.ts +0 -114
package/src/lib/nextauth-secret.ts +0 -121
package/src/types/next-auth.d.ts +0 -15

package/dist/api-handlers/auth/refresh.js CHANGED Viewed

@@ -1,635 +1,633 @@
-"use strict";
-/**
- * CRITICAL REFRESH TOKEN API HANDLER
- *
- * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
- *
- * This handler manages the server-side refresh token cycle with:
- * - NextAuth JWT token extraction
- * - Session token fallback for internal calls
- * - PayEz IDP refresh token exchange
- * - Session state updates with new tokens
- * - Proper error handling and logging
- * - Single-use semantics enforcement
- *
- * @version 2.0
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-exports.createRefreshHandler = createRefreshHandler;
-const server_1 = require("next/server");
-const jwt_1 = require("next-auth/jwt");
-const session_store_1 = require("../../lib/session-store");
-const token_expiry_1 = require("../../lib/token-expiry");
-const app_slug_1 = require("../../lib/app-slug");
-const token_utils_1 = require("../../auth/utils/token-utils");
-/**
- * Creates a refresh token handler for Next.js API routes
- *
- * @param config Configuration for IDP connection and NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/refresh/route.ts
- * import { createRefreshHandler } from '@payez/next-mvp/api-handlers/auth/refresh';
- *
- * export const POST = createRefreshHandler({
- *   idpBaseUrl: process.env.IDP_URL!,
- *   clientId: process.env.CLIENT_ID!,
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
- *   refreshEndpoint: '/api/ExternalAuth/refresh'
- * });
- * ```
- */
-function createRefreshHandler(config) {
-    const { idpBaseUrl, clientId, nextAuthSecret, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
-    return async function POST(req) {
-        try {
-            // Extract session token from NextAuth JWT
-            const token = await (0, jwt_1.getToken)({ req, secret: nextAuthSecret, cookieName: (0, app_slug_1.getJwtCookieName)() });
-            // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-            let sessionToken = (token?.sessionToken || token?.redisSessionId);
-            let userId = token?.sub;
-            if (!sessionToken) {
-                // Fallback: check for session token in header (for internal server-to-server calls)
-                const headerSessionToken = req.headers.get('x-session-token');
-                if (headerSessionToken) {
-                    sessionToken = headerSessionToken;
-                    const currentSession = await (0, session_store_1.getSession)(sessionToken);
-                    userId = currentSession?.userId || currentSession?.email;
-                }
-            }
-            if (!sessionToken || !userId) {
-                console.warn('[AUTH_REFRESH] Missing sessionToken or user id on token');
-                return server_1.NextResponse.json({
-                    error: 'No session available for refresh',
-                    code: 'UNAUTHORIZED'
-                }, { status: 401 });
-            }
-            // Get current session
-            const currentSession = await (0, session_store_1.getSession)(sessionToken);
-            // NOTE: Field is idpRefreshToken (not refreshToken) per normalized naming convention
-            if (!currentSession?.idpRefreshToken) {
-                console.warn('[AUTH_REFRESH] No refresh token available', { userId });
-                return server_1.NextResponse.json({
-                    error: 'No refresh token available',
-                    code: 'NO_REFRESH_TOKEN', // Terminal state - session cannot be refreshed
-                    terminal: true, // Signal to frontend: don't retry, redirect to login
-                    resolution: 'User must re-authenticate'
-                }, { status: 401 });
-            }
-            // ============================================================================
-            // HIGH VISIBILITY: PRE-FLIGHT REFRESH DIAGNOSTICS
-            // ============================================================================
-            const now = Date.now();
-            const refreshTokenAge = currentSession.idpRefreshTokenIssuedAt
-                ? Math.round((now - currentSession.idpRefreshTokenIssuedAt) / 1000)
-                : 'unknown';
-            const refreshTokenExpiresIn = currentSession.idpRefreshTokenExpires
-                ? Math.round((currentSession.idpRefreshTokenExpires - now) / 1000)
-                : 'unknown';
-            const accessTokenExpiresIn = currentSession.idpAccessTokenExpires
-                ? Math.round((currentSession.idpAccessTokenExpires - now) / 1000)
-                : 'unknown';
-            console.log('╔══════════════════════════════════════════════════════════════════════════════╗');
-            console.log('║                    REFRESH TOKEN ATTEMPT - PRE-FLIGHT                        ║');
-            console.log('╠══════════════════════════════════════════════════════════════════════════════╣');
-            console.log(`║ User: ${(userId || 'unknown').substring(0, 50).padEnd(50)}                   ║`);
-            console.log(`║ Session: ${sessionToken.substring(0, 8)}...                                                        ║`);
-            console.log('╠──────────────────────────────────────────────────────────────────────────────╣');
-            console.log(`║ Access Token Expires In:  ${String(accessTokenExpiresIn).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Age:        ${String(refreshTokenAge).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Expires In: ${String(refreshTokenExpiresIn).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Length:     ${String(currentSession.idpRefreshToken?.length || 0).padEnd(10)} chars                              ║`);
-            console.log(`║ 2FA Complete:             ${String(!!currentSession.mfaVerified).padEnd(10)}                                   ║`);
-            console.log(`║ Auth Level (ACR):         ${String(currentSession.authenticationLevel || '1').padEnd(10)}                                   ║`);
-            console.log('╚══════════════════════════════════════════════════════════════════════════════╝');
-            // Try to acquire refresh lock to prevent concurrent refresh attempts
-            const requestId = req.headers.get('x-request-id') ?? `refresh_${Date.now()}`;
-            const lockAcquired = await (0, session_store_1.acquireRefreshLock)(sessionToken, requestId, 5000);
-            let weAcquiredLock = false;
-            let releaseLockVersion;
-            if (!lockAcquired.acquired) {
-                const existingLock = await (0, session_store_1.checkRefreshLock)(sessionToken);
-                if (existingLock && existingLock.acquiredBy === requestId) {
-                    console.info('[AUTH_REFRESH] Proceeding under existing caller-held lock', { requestId });
-                }
-                else {
-                    // Wait for the lock to release, then check if token is now fresh
-                    console.info('[AUTH_REFRESH] Refresh in progress by another request, waiting for completion...', { requestId });
-                    const maxWaitMs = 5000;
-                    const checkIntervalMs = 200;
-                    const startWait = Date.now();
-                    while (Date.now() - startWait < maxWaitMs) {
-                        await new Promise(resolve => setTimeout(resolve, checkIntervalMs));
-                        // Check if lock was released
-                        const lockCheck = await (0, session_store_1.checkRefreshLock)(sessionToken);
-                        if (!lockCheck) {
-                            // Lock released - check if token is now fresh
-                            const refreshedSession = await (0, session_store_1.getSession)(sessionToken);
-                            if (refreshedSession?.idpAccessToken && refreshedSession?.idpAccessTokenExpires) {
-                                const timeUntilExpiry = refreshedSession.idpAccessTokenExpires - Date.now();
-                                const fiveMinutes = 5 * 60 * 1000;
-                                if (timeUntilExpiry > fiveMinutes) {
-                                    console.info('[AUTH_REFRESH] Lock released, token is fresh - returning success', {
-                                        requestId,
-                                        accessTokenExpires: new Date(refreshedSession.idpAccessTokenExpires).toISOString(),
-                                        waitedMs: Date.now() - startWait,
-                                    });
-                                    return server_1.NextResponse.json({
-                                        refreshed: true,
-                                        reason: 'completed_by_concurrent_request',
-                                        accessTokenExpires: refreshedSession.idpAccessTokenExpires,
-                                        hasRefreshToken: !!refreshedSession.idpRefreshToken,
-                                    });
-                                }
-                            }
-                            // Lock released but token not fresh - try to acquire lock ourselves
-                            break;
-                        }
-                    }
-                    // Still locked after waiting - return 409
-                    console.warn('[AUTH_REFRESH] Refresh still in progress after waiting', { requestId, waitedMs: Date.now() - startWait });
-                    return server_1.NextResponse.json({
-                        error: 'Refresh already in progress',
-                        code: 'CONFLICT'
-                    }, { status: 409 });
-                }
-            }
-            else {
-                weAcquiredLock = true;
-                releaseLockVersion = lockAcquired.lockInfo?.lockVersion;
-            }
-            // Before performing network refresh, re-check if tokens are already fresh
-            const latestAfterLock = await (0, session_store_1.getSession)(sessionToken);
-            const fiveMinutes = 5 * 60 * 1000;
-            const timeUntilExpiry = latestAfterLock?.idpAccessTokenExpires
-                ? latestAfterLock.idpAccessTokenExpires - Date.now()
-                : -1;
-            // CRITICAL: Also check the actual JWT's exp claim - Redis might have stale data
-            let actualJwtExpMs = -1;
-            let tokenMismatch = false;
-            if (latestAfterLock?.idpAccessToken) {
-                try {
-                    const tokenParts = latestAfterLock.idpAccessToken.split('.');
-                    if (tokenParts.length === 3) {
-                        const payload = JSON.parse(Buffer.from(tokenParts[1], 'base64url').toString());
-                        actualJwtExpMs = (payload.exp || 0) * 1000;
-                        const now = Date.now();
-                        // If the actual JWT is expired, we MUST refresh regardless of what Redis says
-                        if (actualJwtExpMs < now) {
-                            tokenMismatch = true;
-                        }
-                    }
-                }
-                catch (e) {
-                    // If we can't decode, proceed with normal logic
-                }
-            }
-            console.log('[AUTH_REFRESH] Pre-refresh check:', {
-                userId,
-                hasAccessToken: !!latestAfterLock?.idpAccessToken,
-                accessTokenExpires: latestAfterLock?.idpAccessTokenExpires
-                    ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString()
-                    : 'undefined',
-                actualJwtExp: actualJwtExpMs > 0 ? new Date(actualJwtExpMs).toISOString() : 'unknown',
-                now: new Date().toISOString(),
-                timeUntilExpiryMs: timeUntilExpiry,
-                tokenMismatch,
-                willRefresh: timeUntilExpiry <= fiveMinutes || tokenMismatch
-            });
-            // Only skip refresh if BOTH Redis says fresh AND the actual JWT is not expired
-            if (latestAfterLock?.idpAccessToken && latestAfterLock?.idpAccessTokenExpires &&
-                timeUntilExpiry > fiveMinutes && !tokenMismatch) {
-                console.info('[AUTH_REFRESH] Skipping refresh: tokens already fresh', { userId, timeUntilExpiryMs: timeUntilExpiry });
-                if (weAcquiredLock) {
-                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
-                    weAcquiredLock = false;
-                }
-                return server_1.NextResponse.json({
-                    refreshed: false,
-                    reason: 'already_fresh',
-                    accessTokenExpires: latestAfterLock.idpAccessTokenExpires,
-                    hasRefreshToken: !!latestAfterLock.idpRefreshToken,
-                });
-            }
-            // If we detected a token mismatch, log it prominently
-            if (tokenMismatch) {
-                console.warn('[AUTH_REFRESH] Token mismatch detected - forcing refresh despite Redis claiming fresh', {
-                    userId,
-                    redisExpires: latestAfterLock?.idpAccessTokenExpires ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString() : 'N/A',
-                    actualJwtExp: new Date(actualJwtExpMs).toISOString()
-                });
-            }
-            // Copy refresh token for use in IDP call
-            // Note: Token is NOT cleared preemptively - it will be replaced on success.
-            // The lock mechanism prevents concurrent refresh attempts within the same session.
-            // If IDP call fails, user can retry with the same token.
-            const originalRefreshToken = currentSession.idpRefreshToken;
-            try {
-                // Extract 2FA claims from current session
-                let authMethods = [];
-                if (currentSession.authenticationMethods) {
-                    if (typeof currentSession.authenticationMethods === 'string') {
-                        try {
-                            authMethods = JSON.parse(currentSession.authenticationMethods);
-                        }
-                        catch (e) {
-                            console.warn('[AUTH_REFRESH] Failed to parse authenticationMethods', { authenticationMethods: currentSession.authenticationMethods });
-                        }
-                    }
-                    else if (Array.isArray(currentSession.authenticationMethods)) {
-                        authMethods = currentSession.authenticationMethods;
-                    }
-                }
-                // For OAuth sessions with empty AMR claims, provide defaults
-                // OAuth IS a form of multi-factor auth (you authenticated with another provider)
-                let isOAuthSession = !!currentSession.oauthProvider;
-                if (authMethods.length === 0 && isOAuthSession) {
-                    // OAuth sessions get default AMR claims
-                    authMethods = ['pwd', 'mfa'];
-                    console.log('[AUTH_REFRESH] OAuth session with empty AMR - using defaults:', {
-                        oauthProvider: currentSession.oauthProvider,
-                        defaultAmr: authMethods
-                    });
-                }
-                // Check authMethods first, then fallback to twoFactorMethod field (set by transitionTo2FASession)
-                // For OAuth sessions, use 'oauth' as the 2FA method since OAuth itself is the authentication
-                const twoFactorMethod = authMethods.find(m => ['sms', 'totp', 'email'].includes(m))
-                    || currentSession.mfaMethod
-                    || (isOAuthSession ? 'oauth' : null);
-                // DEBUG: Log what we have for 2FA
-                console.log('[AUTH_REFRESH] 2FA Debug:', {
-                    authMethods,
-                    authMethodsRaw: currentSession.authenticationMethods,
-                    twoFactorMethodFromSession: currentSession.mfaMethod,
-                    twoFactorMethodResolved: twoFactorMethod,
-                    twoFactorComplete: currentSession.mfaVerified,
-                    sessionKeys: Object.keys(currentSession)
-                });
-                // Build refresh request body per PayEz wire standard (snake_case)
-                // See: 2FA-TOKEN-REFRESH-CONTEXT.md - "The Ninja Shit"
-                // For OAuth sessions with 2FA complete, use ACR level 2
-                let acrValue = String(currentSession.authenticationLevel ?? '1');
-                if (currentSession.oauthProvider && currentSession.mfaVerified && acrValue === '1') {
-                    acrValue = '2'; // OAuth with 2FA complete = full authentication
-                }
-                const refreshRequestBody = {
-                    refresh_token: originalRefreshToken,
-                    amr: authMethods,
-                    acr: acrValue
-                };
-                // DEBUG: Log exact request body
-                console.log('[AUTH_REFRESH] Request body:', JSON.stringify({
-                    refresh_token: '***REDACTED***',
-                    amr: authMethods,
-                    acr: acrValue,
-                    acrType: typeof acrValue
-                }));
-                const twoFactorVerified = !!currentSession.mfaVerified;
-                if (twoFactorVerified) {
-                    refreshRequestBody.two_factor_verified = true;
-                }
-                if (twoFactorMethod) {
-                    refreshRequestBody.two_factor_method = twoFactorMethod;
-                }
-                if (currentSession.mfaCompletedAt) {
-                    refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
-                }
-                // Log the full request details for debugging
-                console.log('[AUTH_REFRESH] Sending refresh request:', {
-                    url: `${idpBaseUrl}${refreshEndpoint}`,
-                    clientId,
-                    hasRefreshToken: !!refreshRequestBody.refresh_token,
-                    refreshTokenLength: refreshRequestBody.refresh_token?.length,
-                    amr: refreshRequestBody.amr,
-                    acr: refreshRequestBody.acr
-                });
-                let refreshResponse;
-                try {
-                    refreshResponse = await fetch(`${idpBaseUrl}${refreshEndpoint}`, {
-                        method: 'POST',
-                        headers: {
-                            'Content-Type': 'application/json',
-                            'X-Client-Id': clientId,
-                        },
-                        body: JSON.stringify(refreshRequestBody),
-                    });
-                }
-                catch (fetchError) {
-                    // Network error - IDP unreachable
-                    // Note: Lock will be released by finally block
-                    console.error('[AUTH_REFRESH] IDP unreachable:', {
-                        error: fetchError instanceof Error ? fetchError.message : String(fetchError),
-                        idpUrl: idpBaseUrl,
-                        userId
-                    });
-                    return server_1.NextResponse.json({
-                        error: 'IDP service unavailable',
-                        code: 'UPSTREAM_SERVICE_UNAVAILABLE',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 503 });
-                }
-                // Parse response body - handle empty or invalid JSON
-                let responseData;
-                try {
-                    const responseText = await refreshResponse.text();
-                    if (!responseText || responseText.trim() === '') {
-                        // Note: Lock will be released by finally block
-                        console.error('[AUTH_REFRESH] Empty response from IDP:', {
-                            status: refreshResponse.status,
-                            statusText: refreshResponse.statusText,
-                            userId
-                        });
-                        return server_1.NextResponse.json({
-                            error: 'Empty response from IDP',
-                            code: 'UPSTREAM_SERVICE_ERROR',
-                            retryable: true,
-                            discardToken: false
-                        }, { status: 502 });
-                    }
-                    responseData = JSON.parse(responseText);
-                }
-                catch (parseError) {
-                    // Note: Lock will be released by finally block
-                    console.error('[AUTH_REFRESH] Failed to parse IDP response:', {
-                        error: parseError instanceof Error ? parseError.message : String(parseError),
-                        status: refreshResponse.status,
-                        userId
-                    });
-                    return server_1.NextResponse.json({
-                        error: 'Invalid response from IDP',
-                        code: 'UPSTREAM_SERVICE_ERROR',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 502 });
-                }
-                // Handle non-OK responses with structured error format
-                if (!refreshResponse.ok) {
-                    // Parse structured error from IDP
-                    const idpError = responseData?.error || {};
-                    const errorCode = idpError.code || 'UNKNOWN_ERROR';
-                    const errorMessage = idpError.message || 'Token refresh failed';
-                    // CRITICAL: 401 means token is definitively invalid - always discard
-                    // This prevents redirect loops where viability check keeps returning canRefresh:true
-                    const discardToken = refreshResponse.status === 401 || idpError.discard_token === true;
-                    const retryable = refreshResponse.status !== 401 && idpError.retryable === true;
-                    const resolution = idpError.resolution || null;
-                    // ============================================================================
-                    // HIGH VISIBILITY: REFRESH TOKEN FAILURE DIAGNOSTICS
-                    // ============================================================================
-                    // Translate error codes to human-readable explanations
-                    const failureReasons = {
-                        'UNAUTHORIZED': 'Token was already used (rotation) OR token is expired OR token was revoked',
-                        'INVALID_REFRESH_TOKEN': 'Token format invalid OR token not found in IDP database',
-                        'TOKEN_EXPIRED': 'Refresh token exceeded its max lifetime',
-                        'TOKEN_REVOKED': 'Token was explicitly revoked (logout, password change, admin action)',
-                        'TOKEN_REUSE_DETECTED': 'Same refresh token used twice - possible token theft, all tokens revoked',
-                        'UPSTREAM_SERVICE_ERROR': 'IDP internal error - token may have been rotated before failure',
-                        'INTERNAL_ERROR': 'IDP internal error - check IDP logs for details',
-                        'RATE_LIMITED': 'Too many refresh attempts - try again later',
-                    };
-                    const whyItFailed = failureReasons[errorCode] || 'Unknown error - check IDP logs';
-                    console.error('╔══════════════════════════════════════════════════════════════════════════════╗');
-                    console.error('║              ❌ REFRESH TOKEN FAILURE - DIAGNOSTIC REPORT                    ║');
-                    console.error('╠══════════════════════════════════════════════════════════════════════════════╣');
-                    console.error(`║ HTTP Status:    ${String(refreshResponse.status).padEnd(60)}║`);
-                    console.error(`║ Error Code:     ${errorCode.padEnd(60)}║`);
-                    console.error(`║ Discard Token:  ${String(discardToken).padEnd(60)}║`);
-                    console.error(`║ Retryable:      ${String(retryable).padEnd(60)}║`);
-                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
-                    console.error(`║ WHY IT FAILED:                                                               ║`);
-                    console.error(`║ ${whyItFailed.substring(0, 76).padEnd(76)} ║`);
-                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
-                    console.error(`║ User:           ${(userId || 'unknown').substring(0, 60).padEnd(60)}║`);
-                    console.error(`║ Session:        ${sessionToken.substring(0, 8)}...                                                     ║`);
-                    console.error(`║ Resolution:     ${(resolution || 'Check IDP logs').substring(0, 60).padEnd(60)}║`);
-                    console.error('╚══════════════════════════════════════════════════════════════════════════════╝');
-                    // Also log the full response for detailed debugging
-                    console.error('[AUTH_REFRESH] Full IDP error response:', JSON.stringify(responseData, null, 2).substring(0, 1000));
-                    // If IDP signals to discard token, clear it from Redis
-                    if (discardToken) {
-                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP signaled discard_token', {
-                            reason: 'IDP_DISCARD_TOKEN',
-                            errorCode,
-                            userId,
-                            sessionToken: sessionToken.substring(0, 8) + '...',
-                            hadRefreshToken: !!currentSession.idpRefreshToken,
-                            stack: new Error().stack
-                        });
-                        await (0, session_store_1.updateSession)(sessionToken, {
-                            idpRefreshToken: '',
-                            idpRefreshTokenExpires: undefined,
-                            refreshTokenClearedAt: Date.now(),
-                            refreshTokenClearedReason: `IDP_DISCARD_TOKEN:${errorCode}`
-                        });
-                    }
-                    return server_1.NextResponse.json({
-                        error: errorMessage,
-                        code: errorCode,
-                        discardToken,
-                        retryable,
-                        resolution,
-                        status: refreshResponse.status
-                    }, { status: refreshResponse.status });
-                }
-                // Validate PayEz canonical envelope for success responses
-                const isCompliant = responseData && typeof responseData === 'object' &&
-                    Object.prototype.hasOwnProperty.call(responseData, 'success') &&
-                    (responseData.success === true ? Object.prototype.hasOwnProperty.call(responseData, 'data') : Object.prototype.hasOwnProperty.call(responseData, 'error')) &&
-                    Object.prototype.hasOwnProperty.call(responseData, 'meta');
-                if (!isCompliant) {
-                    console.error('[AUTH_REFRESH] Upstream non-compliant IDP response', { bodySample: responseData });
-                    return server_1.NextResponse.json({
-                        error: 'Upstream non-compliance',
-                        code: 'UPSTREAM_SERVICE_ERROR',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 502 });
-                }
-                if (responseData.success !== true || !responseData.data) {
-                    // Handle success:false with structured error
-                    const idpError = responseData?.error || {};
-                    const errorCode = idpError.code || 'UPSTREAM_VALIDATION_ERROR';
-                    const discardToken = idpError.discard_token === true;
-                    const retryable = idpError.retryable === true;
-                    console.warn('[AUTH_REFRESH] IDP refresh unsuccessful', {
-                        code: errorCode,
-                        discardToken,
-                        body: responseData
-                    });
-                    if (discardToken) {
-                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP success:false with discard_token', {
-                            reason: 'IDP_SUCCESS_FALSE_DISCARD',
-                            errorCode,
-                            userId,
-                            sessionToken: sessionToken.substring(0, 8) + '...',
-                            hadRefreshToken: !!currentSession.idpRefreshToken,
-                            stack: new Error().stack
-                        });
-                        await (0, session_store_1.updateSession)(sessionToken, {
-                            idpRefreshToken: '',
-                            idpRefreshTokenExpires: undefined,
-                            refreshTokenClearedAt: Date.now(),
-                            refreshTokenClearedReason: `IDP_SUCCESS_FALSE_DISCARD:${errorCode}`
-                        });
-                    }
-                    return server_1.NextResponse.json({
-                        error: idpError.message || 'Token refresh failed',
-                        code: errorCode,
-                        discardToken,
-                        retryable,
-                        resolution: idpError.resolution || null
-                    }, { status: refreshResponse.status || 400 });
-                }
-                // Extract tokens from response
-                const payload = responseData.data;
-                const accessToken = payload?.access_token;
-                const refreshToken = payload?.refresh_token;
-                if (!accessToken) {
-                    console.error('[AUTH_REFRESH] Missing access token in IDP response');
-                    return server_1.NextResponse.json({
-                        error: 'Invalid token response from IDP',
-                        code: 'INTERNAL_SERVER_ERROR'
-                    }, { status: 500 });
-                }
-                // Decode and compute token expiries
-                let decodedAccessToken;
-                let accessTokenExpires;
-                let computedRefreshTokenExpires;
-                try {
-                    const result = (0, token_expiry_1.computeTokenExpiries)({ accessToken, refreshToken, preferJwt: true });
-                    decodedAccessToken = result.decodedAccessToken;
-                    accessTokenExpires = result.accessTokenExpires;
-                    computedRefreshTokenExpires = result.refreshTokenExpires;
-                    console.info('[AUTH_REFRESH] Successfully decoded new token pair', {
-                        accessTokenExpires: new Date(accessTokenExpires).toISOString(),
-                        refreshTokenExpires: computedRefreshTokenExpires ? new Date(computedRefreshTokenExpires).toISOString() : null
-                    });
-                }
-                catch (decodeError) {
-                    console.error('[AUTH_REFRESH] Failed to compute token expiries', { error: decodeError });
-                    return server_1.NextResponse.json({
-                        error: 'Failed to decode JWT tokens',
-                        code: 'INTERNAL_SERVER_ERROR'
-                    }, { status: 500 });
-                }
-                // Extract 2FA claims from the new access token
-                let amrClaims = [];
-                if (decodedAccessToken.amr) {
-                    try {
-                        amrClaims = typeof decodedAccessToken.amr === 'string'
-                            ? JSON.parse(decodedAccessToken.amr)
-                            : decodedAccessToken.amr;
-                    }
-                    catch (e) {
-                        console.warn('[AUTH_REFRESH] Failed to parse AMR claims', { amr: decodedAccessToken.amr });
-                        amrClaims = currentSession.authenticationMethods || [];
-                    }
-                }
-                else {
-                    amrClaims = currentSession.authenticationMethods || [];
-                }
-                const acrLevel = String(decodedAccessToken.acr || currentSession.authenticationLevel || '1');
-                // Extract MFA timing claims
-                const mfaTime = decodedAccessToken.mfa_time ? parseInt(decodedAccessToken.mfa_time) * 1000 : currentSession.mfaCompletedAt;
-                const mfaExpires = decodedAccessToken.mfa_expires ? parseInt(decodedAccessToken.mfa_expires) * 1000 : currentSession.mfaExpiresAt;
-                const mfaValidityHours = decodedAccessToken.mfa_validity_hours ? parseInt(decodedAccessToken.mfa_validity_hours) : currentSession.mfaValidityHours;
-                // Update session with new tokens
-                const hasNewRefresh = typeof refreshToken === 'string' && refreshToken.length > 0;
-                const newRefreshTokenExpires = hasNewRefresh ? computedRefreshTokenExpires : undefined;
-                // CRITICAL: Log if we're about to clear the refresh token due to missing new token
-                if (!hasNewRefresh && currentSession.idpRefreshToken) {
-                    console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: No new refresh token in IDP response', {
-                        reason: 'NO_NEW_REFRESH_TOKEN_IN_RESPONSE',
-                        userId,
-                        sessionToken: sessionToken.substring(0, 8) + '...',
-                        hadRefreshToken: true,
-                        refreshTokenFromResponse: refreshToken,
-                        refreshTokenType: typeof refreshToken,
-                        payloadKeys: Object.keys(payload || {}),
-                        stack: new Error().stack
-                    });
-                }
-                // Keep existing refresh token if IDP doesn't provide a new one
-                // Only clear if IDP explicitly signals discard_token=true (handled in error paths)
-                // NOTE: Use normalized field names (idp* prefix) per SessionData interface
-                // CRITICAL: Extract kid from JWT header - IDP may rotate keys during refresh
-                const newBearerKeyId = (0, token_utils_1.extractKidFromToken)(accessToken);
-                if (newBearerKeyId) {
-                    console.log('[AUTH_REFRESH] Extracted bearerKeyId (kid) from new JWT header:', newBearerKeyId);
-                }
-                else {
-                    console.warn('[AUTH_REFRESH] No kid found in new JWT header');
-                }
-                const sessionUpdate = {
-                    ...currentSession,
-                    idpAccessToken: accessToken,
-                    idpAccessTokenExpires: accessTokenExpires,
-                    idpRefreshToken: hasNewRefresh ? refreshToken : currentSession.idpRefreshToken,
-                    idpRefreshTokenExpires: hasNewRefresh ? newRefreshTokenExpires : currentSession.idpRefreshTokenExpires,
-                    decodedAccessToken: decodedAccessToken,
-                    // Bearer key ID from JWT header (may change on key rotation)
-                    bearerKeyId: newBearerKeyId || currentSession.bearerKeyId,
-                    authenticationMethods: amrClaims,
-                    authenticationLevel: acrLevel,
-                    mfaVerified: amrClaims.includes('mfa') || currentSession.mfaVerified,
-                    mfaCompletedAt: mfaTime,
-                    mfaExpiresAt: mfaExpires,
-                    mfaValidityHours: mfaValidityHours
-                };
-                await (0, session_store_1.updateSession)(sessionToken, sessionUpdate);
-                console.info('[AUTH_REFRESH] Token refreshed successfully', {
-                    expiresAt: new Date(accessTokenExpires).toISOString(),
-                    userId,
-                    hasNewRefreshToken: hasNewRefresh,
-                    tokenPreview: accessToken ? accessToken.substring(0, 20) + '...' : 'none'
-                });
-            }
-            catch (error) {
-                console.error('[AUTH_REFRESH] Error during token refresh', { error });
-                return server_1.NextResponse.json({
-                    error: 'Token refresh error',
-                    code: 'INTERNAL_SERVER_ERROR'
-                }, { status: 500 });
-            }
-            finally {
-                if (weAcquiredLock) {
-                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
-                }
-            }
-            // Load the latest session to return basic status
-            const latest = await (0, session_store_1.getSession)(sessionToken);
-            if (!latest?.idpAccessToken) {
-                return server_1.NextResponse.json({
-                    error: 'No access token after refresh',
-                    code: 'INTERNAL_SERVER_ERROR'
-                }, { status: 500 });
-            }
-            return server_1.NextResponse.json({
-                refreshed: true,
-                accessTokenExpires: latest.idpAccessTokenExpires,
-                hasRefreshToken: !!latest.idpRefreshToken,
-            });
-        }
-        catch (err) {
-            console.error('[AUTH_REFRESH] Unexpected error', { error: err?.message || String(err) });
-            return server_1.NextResponse.json({
-                error: 'Unexpected error during refresh',
-                code: 'INTERNAL_SERVER_ERROR'
-            }, { status: 500 });
-        }
-    };
-}
-/**
- * Default export for backward compatibility
- * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
- */
-exports.POST = createRefreshHandler({
-    idpBaseUrl: process.env.IDP_URL,
-    clientId: process.env.CLIENT_ID || 'payez_default_client',
-    nextAuthSecret: process.env.NEXTAUTH_SECRET || '',
-    refreshEndpoint: '/api/ExternalAuth/refresh'
-});
+"use strict";
+/**
+ * CRITICAL REFRESH TOKEN API HANDLER
+ *
+ * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
+ *
+ * This handler manages the server-side refresh token cycle with:
+ * - NextAuth JWT token extraction
+ * - Session token fallback for internal calls
+ * - PayEz IDP refresh token exchange
+ * - Session state updates with new tokens
+ * - Proper error handling and logging
+ * - Single-use semantics enforcement
+ *
+ * @version 2.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createRefreshHandler = createRefreshHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const session_store_1 = require("../../lib/session-store");
+const token_expiry_1 = require("../../lib/token-expiry");
+const token_utils_1 = require("../../auth/utils/token-utils");
+/**
+ * Creates a refresh token handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection and NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/refresh/route.ts
+ * import { createRefreshHandler } from '@payez/next-mvp/api-handlers/auth/refresh';
+ *
+ * export const POST = createRefreshHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
+ *   refreshEndpoint: '/api/ExternalAuth/refresh'
+ * });
+ * ```
+ */
+function createRefreshHandler(config) {
+    const { idpBaseUrl, clientId, nextAuthSecret, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
+    return async function POST(req) {
+        try {
+            // Extract session from Better Auth
+            const betterAuthSession = await (0, auth_1.getSession)(req);
+            let sessionToken = (betterAuthSession?.session?.token);
+            let userId = betterAuthSession?.user?.id;
+            if (!sessionToken) {
+                // Fallback: check for session token in header (for internal server-to-server calls)
+                const headerSessionToken = req.headers.get('x-session-token');
+                if (headerSessionToken) {
+                    sessionToken = headerSessionToken;
+                    const currentSession = await (0, session_store_1.getSession)(sessionToken);
+                    userId = currentSession?.userId || currentSession?.email;
+                }
+            }
+            if (!sessionToken || !userId) {
+                console.warn('[AUTH_REFRESH] Missing sessionToken or user id on token');
+                return server_1.NextResponse.json({
+                    error: 'No session available for refresh',
+                    code: 'UNAUTHORIZED'
+                }, { status: 401 });
+            }
+            // Get current session
+            const currentSession = await (0, session_store_1.getSession)(sessionToken);
+            // NOTE: Field is idpRefreshToken (not refreshToken) per normalized naming convention
+            if (!currentSession?.idpRefreshToken) {
+                console.warn('[AUTH_REFRESH] No refresh token available', { userId });
+                return server_1.NextResponse.json({
+                    error: 'No refresh token available',
+                    code: 'NO_REFRESH_TOKEN', // Terminal state - session cannot be refreshed
+                    terminal: true, // Signal to frontend: don't retry, redirect to login
+                    resolution: 'User must re-authenticate'
+                }, { status: 401 });
+            }
+            // ============================================================================
+            // HIGH VISIBILITY: PRE-FLIGHT REFRESH DIAGNOSTICS
+            // ============================================================================
+            const now = Date.now();
+            const refreshTokenAge = currentSession.idpRefreshTokenIssuedAt
+                ? Math.round((now - currentSession.idpRefreshTokenIssuedAt) / 1000)
+                : 'unknown';
+            const refreshTokenExpiresIn = currentSession.idpRefreshTokenExpires
+                ? Math.round((currentSession.idpRefreshTokenExpires - now) / 1000)
+                : 'unknown';
+            const accessTokenExpiresIn = currentSession.idpAccessTokenExpires
+                ? Math.round((currentSession.idpAccessTokenExpires - now) / 1000)
+                : 'unknown';
+            console.log('╔══════════════════════════════════════════════════════════════════════════════╗');
+            console.log('║                    REFRESH TOKEN ATTEMPT - PRE-FLIGHT                        ║');
+            console.log('╠══════════════════════════════════════════════════════════════════════════════╣');
+            console.log(`║ User: ${(userId || 'unknown').substring(0, 50).padEnd(50)}                   ║`);
+            console.log(`║ Session: ${sessionToken.substring(0, 8)}...                                                        ║`);
+            console.log('╠──────────────────────────────────────────────────────────────────────────────╣');
+            console.log(`║ Access Token Expires In:  ${String(accessTokenExpiresIn).padEnd(10)} seconds                            ║`);
+            console.log(`║ Refresh Token Age:        ${String(refreshTokenAge).padEnd(10)} seconds                            ║`);
+            console.log(`║ Refresh Token Expires In: ${String(refreshTokenExpiresIn).padEnd(10)} seconds                            ║`);
+            console.log(`║ Refresh Token Length:     ${String(currentSession.idpRefreshToken?.length || 0).padEnd(10)} chars                              ║`);
+            console.log(`║ 2FA Complete:             ${String(!!currentSession.mfaVerified).padEnd(10)}                                   ║`);
+            console.log(`║ Auth Level (ACR):         ${String(currentSession.authenticationLevel || '1').padEnd(10)}                                   ║`);
+            console.log('╚══════════════════════════════════════════════════════════════════════════════╝');
+            // Try to acquire refresh lock to prevent concurrent refresh attempts
+            const requestId = req.headers.get('x-request-id') ?? `refresh_${Date.now()}`;
+            const lockAcquired = await (0, session_store_1.acquireRefreshLock)(sessionToken, requestId, 5000);
+            let weAcquiredLock = false;
+            let releaseLockVersion;
+            if (!lockAcquired.acquired) {
+                const existingLock = await (0, session_store_1.checkRefreshLock)(sessionToken);
+                if (existingLock && existingLock.acquiredBy === requestId) {
+                    console.info('[AUTH_REFRESH] Proceeding under existing caller-held lock', { requestId });
+                }
+                else {
+                    // Wait for the lock to release, then check if token is now fresh
+                    console.info('[AUTH_REFRESH] Refresh in progress by another request, waiting for completion...', { requestId });
+                    const maxWaitMs = 5000;
+                    const checkIntervalMs = 200;
+                    const startWait = Date.now();
+                    while (Date.now() - startWait < maxWaitMs) {
+                        await new Promise(resolve => setTimeout(resolve, checkIntervalMs));
+                        // Check if lock was released
+                        const lockCheck = await (0, session_store_1.checkRefreshLock)(sessionToken);
+                        if (!lockCheck) {
+                            // Lock released - check if token is now fresh
+                            const refreshedSession = await (0, session_store_1.getSession)(sessionToken);
+                            if (refreshedSession?.idpAccessToken && refreshedSession?.idpAccessTokenExpires) {
+                                const timeUntilExpiry = refreshedSession.idpAccessTokenExpires - Date.now();
+                                const fiveMinutes = 5 * 60 * 1000;
+                                if (timeUntilExpiry > fiveMinutes) {
+                                    console.info('[AUTH_REFRESH] Lock released, token is fresh - returning success', {
+                                        requestId,
+                                        accessTokenExpires: new Date(refreshedSession.idpAccessTokenExpires).toISOString(),
+                                        waitedMs: Date.now() - startWait,
+                                    });
+                                    return server_1.NextResponse.json({
+                                        refreshed: true,
+                                        reason: 'completed_by_concurrent_request',
+                                        accessTokenExpires: refreshedSession.idpAccessTokenExpires,
+                                        hasRefreshToken: !!refreshedSession.idpRefreshToken,
+                                    });
+                                }
+                            }
+                            // Lock released but token not fresh - try to acquire lock ourselves
+                            break;
+                        }
+                    }
+                    // Still locked after waiting - return 409
+                    console.warn('[AUTH_REFRESH] Refresh still in progress after waiting', { requestId, waitedMs: Date.now() - startWait });
+                    return server_1.NextResponse.json({
+                        error: 'Refresh already in progress',
+                        code: 'CONFLICT'
+                    }, { status: 409 });
+                }
+            }
+            else {
+                weAcquiredLock = true;
+                releaseLockVersion = lockAcquired.lockInfo?.lockVersion;
+            }
+            // Before performing network refresh, re-check if tokens are already fresh
+            const latestAfterLock = await (0, session_store_1.getSession)(sessionToken);
+            const fiveMinutes = 5 * 60 * 1000;
+            const timeUntilExpiry = latestAfterLock?.idpAccessTokenExpires
+                ? latestAfterLock.idpAccessTokenExpires - Date.now()
+                : -1;
+            // CRITICAL: Also check the actual JWT's exp claim - Redis might have stale data
+            let actualJwtExpMs = -1;
+            let tokenMismatch = false;
+            if (latestAfterLock?.idpAccessToken) {
+                try {
+                    const tokenParts = latestAfterLock.idpAccessToken.split('.');
+                    if (tokenParts.length === 3) {
+                        const payload = JSON.parse(Buffer.from(tokenParts[1], 'base64url').toString());
+                        actualJwtExpMs = (payload.exp || 0) * 1000;
+                        const now = Date.now();
+                        // If the actual JWT is expired, we MUST refresh regardless of what Redis says
+                        if (actualJwtExpMs < now) {
+                            tokenMismatch = true;
+                        }
+                    }
+                }
+                catch (e) {
+                    // If we can't decode, proceed with normal logic
+                }
+            }
+            console.log('[AUTH_REFRESH] Pre-refresh check:', {
+                userId,
+                hasAccessToken: !!latestAfterLock?.idpAccessToken,
+                accessTokenExpires: latestAfterLock?.idpAccessTokenExpires
+                    ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString()
+                    : 'undefined',
+                actualJwtExp: actualJwtExpMs > 0 ? new Date(actualJwtExpMs).toISOString() : 'unknown',
+                now: new Date().toISOString(),
+                timeUntilExpiryMs: timeUntilExpiry,
+                tokenMismatch,
+                willRefresh: timeUntilExpiry <= fiveMinutes || tokenMismatch
+            });
+            // Only skip refresh if BOTH Redis says fresh AND the actual JWT is not expired
+            if (latestAfterLock?.idpAccessToken && latestAfterLock?.idpAccessTokenExpires &&
+                timeUntilExpiry > fiveMinutes && !tokenMismatch) {
+                console.info('[AUTH_REFRESH] Skipping refresh: tokens already fresh', { userId, timeUntilExpiryMs: timeUntilExpiry });
+                if (weAcquiredLock) {
+                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
+                    weAcquiredLock = false;
+                }
+                return server_1.NextResponse.json({
+                    refreshed: false,
+                    reason: 'already_fresh',
+                    accessTokenExpires: latestAfterLock.idpAccessTokenExpires,
+                    hasRefreshToken: !!latestAfterLock.idpRefreshToken,
+                });
+            }
+            // If we detected a token mismatch, log it prominently
+            if (tokenMismatch) {
+                console.warn('[AUTH_REFRESH] Token mismatch detected - forcing refresh despite Redis claiming fresh', {
+                    userId,
+                    redisExpires: latestAfterLock?.idpAccessTokenExpires ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString() : 'N/A',
+                    actualJwtExp: new Date(actualJwtExpMs).toISOString()
+                });
+            }
+            // Copy refresh token for use in IDP call
+            // Note: Token is NOT cleared preemptively - it will be replaced on success.
+            // The lock mechanism prevents concurrent refresh attempts within the same session.
+            // If IDP call fails, user can retry with the same token.
+            const originalRefreshToken = currentSession.idpRefreshToken;
+            try {
+                // Extract 2FA claims from current session
+                let authMethods = [];
+                if (currentSession.authenticationMethods) {
+                    if (typeof currentSession.authenticationMethods === 'string') {
+                        try {
+                            authMethods = JSON.parse(currentSession.authenticationMethods);
+                        }
+                        catch (e) {
+                            console.warn('[AUTH_REFRESH] Failed to parse authenticationMethods', { authenticationMethods: currentSession.authenticationMethods });
+                        }
+                    }
+                    else if (Array.isArray(currentSession.authenticationMethods)) {
+                        authMethods = currentSession.authenticationMethods;
+                    }
+                }
+                // For OAuth sessions with empty AMR claims, provide defaults
+                // OAuth IS a form of multi-factor auth (you authenticated with another provider)
+                let isOAuthSession = !!currentSession.oauthProvider;
+                if (authMethods.length === 0 && isOAuthSession) {
+                    // OAuth sessions get default AMR claims
+                    authMethods = ['pwd', 'mfa'];
+                    console.log('[AUTH_REFRESH] OAuth session with empty AMR - using defaults:', {
+                        oauthProvider: currentSession.oauthProvider,
+                        defaultAmr: authMethods
+                    });
+                }
+                // Check authMethods first, then fallback to twoFactorMethod field (set by transitionTo2FASession)
+                // For OAuth sessions, use 'oauth' as the 2FA method since OAuth itself is the authentication
+                const twoFactorMethod = authMethods.find(m => ['sms', 'totp', 'email'].includes(m))
+                    || currentSession.mfaMethod
+                    || (isOAuthSession ? 'oauth' : null);
+                // DEBUG: Log what we have for 2FA
+                console.log('[AUTH_REFRESH] 2FA Debug:', {
+                    authMethods,
+                    authMethodsRaw: currentSession.authenticationMethods,
+                    twoFactorMethodFromSession: currentSession.mfaMethod,
+                    twoFactorMethodResolved: twoFactorMethod,
+                    twoFactorComplete: currentSession.mfaVerified,
+                    sessionKeys: Object.keys(currentSession)
+                });
+                // Build refresh request body per PayEz wire standard (snake_case)
+                // See: 2FA-TOKEN-REFRESH-CONTEXT.md - "The Ninja Shit"
+                // For OAuth sessions with 2FA complete, use ACR level 2
+                let acrValue = String(currentSession.authenticationLevel ?? '1');
+                if (currentSession.oauthProvider && currentSession.mfaVerified && acrValue === '1') {
+                    acrValue = '2'; // OAuth with 2FA complete = full authentication
+                }
+                const refreshRequestBody = {
+                    refresh_token: originalRefreshToken,
+                    amr: authMethods,
+                    acr: acrValue
+                };
+                // DEBUG: Log exact request body
+                console.log('[AUTH_REFRESH] Request body:', JSON.stringify({
+                    refresh_token: '***REDACTED***',
+                    amr: authMethods,
+                    acr: acrValue,
+                    acrType: typeof acrValue
+                }));
+                const twoFactorVerified = !!currentSession.mfaVerified;
+                if (twoFactorVerified) {
+                    refreshRequestBody.two_factor_verified = true;
+                }
+                if (twoFactorMethod) {
+                    refreshRequestBody.two_factor_method = twoFactorMethod;
+                }
+                if (currentSession.mfaCompletedAt) {
+                    refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
+                }
+                // Log the full request details for debugging
+                console.log('[AUTH_REFRESH] Sending refresh request:', {
+                    url: `${idpBaseUrl}${refreshEndpoint}`,
+                    clientId,
+                    hasRefreshToken: !!refreshRequestBody.refresh_token,
+                    refreshTokenLength: refreshRequestBody.refresh_token?.length,
+                    amr: refreshRequestBody.amr,
+                    acr: refreshRequestBody.acr
+                });
+                let refreshResponse;
+                try {
+                    refreshResponse = await fetch(`${idpBaseUrl}${refreshEndpoint}`, {
+                        method: 'POST',
+                        headers: {
+                            'Content-Type': 'application/json',
+                            'X-Client-Id': clientId,
+                        },
+                        body: JSON.stringify(refreshRequestBody),
+                    });
+                }
+                catch (fetchError) {
+                    // Network error - IDP unreachable
+                    // Note: Lock will be released by finally block
+                    console.error('[AUTH_REFRESH] IDP unreachable:', {
+                        error: fetchError instanceof Error ? fetchError.message : String(fetchError),
+                        idpUrl: idpBaseUrl,
+                        userId
+                    });
+                    return server_1.NextResponse.json({
+                        error: 'IDP service unavailable',
+                        code: 'UPSTREAM_SERVICE_UNAVAILABLE',
+                        retryable: true,
+                        discardToken: false
+                    }, { status: 503 });
+                }
+                // Parse response body - handle empty or invalid JSON
+                let responseData;
+                try {
+                    const responseText = await refreshResponse.text();
+                    if (!responseText || responseText.trim() === '') {
+                        // Note: Lock will be released by finally block
+                        console.error('[AUTH_REFRESH] Empty response from IDP:', {
+                            status: refreshResponse.status,
+                            statusText: refreshResponse.statusText,
+                            userId
+                        });
+                        return server_1.NextResponse.json({
+                            error: 'Empty response from IDP',
+                            code: 'UPSTREAM_SERVICE_ERROR',
+                            retryable: true,
+                            discardToken: false
+                        }, { status: 502 });
+                    }
+                    responseData = JSON.parse(responseText);
+                }
+                catch (parseError) {
+                    // Note: Lock will be released by finally block
+                    console.error('[AUTH_REFRESH] Failed to parse IDP response:', {
+                        error: parseError instanceof Error ? parseError.message : String(parseError),
+                        status: refreshResponse.status,
+                        userId
+                    });
+                    return server_1.NextResponse.json({
+                        error: 'Invalid response from IDP',
+                        code: 'UPSTREAM_SERVICE_ERROR',
+                        retryable: true,
+                        discardToken: false
+                    }, { status: 502 });
+                }
+                // Handle non-OK responses with structured error format
+                if (!refreshResponse.ok) {
+                    // Parse structured error from IDP
+                    const idpError = responseData?.error || {};
+                    const errorCode = idpError.code || 'UNKNOWN_ERROR';
+                    const errorMessage = idpError.message || 'Token refresh failed';
+                    // CRITICAL: 401 means token is definitively invalid - always discard
+                    // This prevents redirect loops where viability check keeps returning canRefresh:true
+                    const discardToken = refreshResponse.status === 401 || idpError.discard_token === true;
+                    const retryable = refreshResponse.status !== 401 && idpError.retryable === true;
+                    const resolution = idpError.resolution || null;
+                    // ============================================================================
+                    // HIGH VISIBILITY: REFRESH TOKEN FAILURE DIAGNOSTICS
+                    // ============================================================================
+                    // Translate error codes to human-readable explanations
+                    const failureReasons = {
+                        'UNAUTHORIZED': 'Token was already used (rotation) OR token is expired OR token was revoked',
+                        'INVALID_REFRESH_TOKEN': 'Token format invalid OR token not found in IDP database',
+                        'TOKEN_EXPIRED': 'Refresh token exceeded its max lifetime',
+                        'TOKEN_REVOKED': 'Token was explicitly revoked (logout, password change, admin action)',
+                        'TOKEN_REUSE_DETECTED': 'Same refresh token used twice - possible token theft, all tokens revoked',
+                        'UPSTREAM_SERVICE_ERROR': 'IDP internal error - token may have been rotated before failure',
+                        'INTERNAL_ERROR': 'IDP internal error - check IDP logs for details',
+                        'RATE_LIMITED': 'Too many refresh attempts - try again later',
+                    };
+                    const whyItFailed = failureReasons[errorCode] || 'Unknown error - check IDP logs';
+                    console.error('╔══════════════════════════════════════════════════════════════════════════════╗');
+                    console.error('║              ❌ REFRESH TOKEN FAILURE - DIAGNOSTIC REPORT                    ║');
+                    console.error('╠══════════════════════════════════════════════════════════════════════════════╣');
+                    console.error(`║ HTTP Status:    ${String(refreshResponse.status).padEnd(60)}║`);
+                    console.error(`║ Error Code:     ${errorCode.padEnd(60)}║`);
+                    console.error(`║ Discard Token:  ${String(discardToken).padEnd(60)}║`);
+                    console.error(`║ Retryable:      ${String(retryable).padEnd(60)}║`);
+                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
+                    console.error(`║ WHY IT FAILED:                                                               ║`);
+                    console.error(`║ ${whyItFailed.substring(0, 76).padEnd(76)} ║`);
+                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
+                    console.error(`║ User:           ${(userId || 'unknown').substring(0, 60).padEnd(60)}║`);
+                    console.error(`║ Session:        ${sessionToken.substring(0, 8)}...                                                     ║`);
+                    console.error(`║ Resolution:     ${(resolution || 'Check IDP logs').substring(0, 60).padEnd(60)}║`);
+                    console.error('╚══════════════════════════════════════════════════════════════════════════════╝');
+                    // Also log the full response for detailed debugging
+                    console.error('[AUTH_REFRESH] Full IDP error response:', JSON.stringify(responseData, null, 2).substring(0, 1000));
+                    // If IDP signals to discard token, clear it from Redis
+                    if (discardToken) {
+                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP signaled discard_token', {
+                            reason: 'IDP_DISCARD_TOKEN',
+                            errorCode,
+                            userId,
+                            sessionToken: sessionToken.substring(0, 8) + '...',
+                            hadRefreshToken: !!currentSession.idpRefreshToken,
+                            stack: new Error().stack
+                        });
+                        await (0, session_store_1.updateSession)(sessionToken, {
+                            idpRefreshToken: '',
+                            idpRefreshTokenExpires: undefined,
+                            refreshTokenClearedAt: Date.now(),
+                            refreshTokenClearedReason: `IDP_DISCARD_TOKEN:${errorCode}`
+                        });
+                    }
+                    return server_1.NextResponse.json({
+                        error: errorMessage,
+                        code: errorCode,
+                        discardToken,
+                        retryable,
+                        resolution,
+                        status: refreshResponse.status
+                    }, { status: refreshResponse.status });
+                }
+                // Validate PayEz canonical envelope for success responses
+                const isCompliant = responseData && typeof responseData === 'object' &&
+                    Object.prototype.hasOwnProperty.call(responseData, 'success') &&
+                    (responseData.success === true ? Object.prototype.hasOwnProperty.call(responseData, 'data') : Object.prototype.hasOwnProperty.call(responseData, 'error')) &&
+                    Object.prototype.hasOwnProperty.call(responseData, 'meta');
+                if (!isCompliant) {
+                    console.error('[AUTH_REFRESH] Upstream non-compliant IDP response', { bodySample: responseData });
+                    return server_1.NextResponse.json({
+                        error: 'Upstream non-compliance',
+                        code: 'UPSTREAM_SERVICE_ERROR',
+                        retryable: true,
+                        discardToken: false
+                    }, { status: 502 });
+                }
+                if (responseData.success !== true || !responseData.data) {
+                    // Handle success:false with structured error
+                    const idpError = responseData?.error || {};
+                    const errorCode = idpError.code || 'UPSTREAM_VALIDATION_ERROR';
+                    const discardToken = idpError.discard_token === true;
+                    const retryable = idpError.retryable === true;
+                    console.warn('[AUTH_REFRESH] IDP refresh unsuccessful', {
+                        code: errorCode,
+                        discardToken,
+                        body: responseData
+                    });
+                    if (discardToken) {
+                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP success:false with discard_token', {
+                            reason: 'IDP_SUCCESS_FALSE_DISCARD',
+                            errorCode,
+                            userId,
+                            sessionToken: sessionToken.substring(0, 8) + '...',
+                            hadRefreshToken: !!currentSession.idpRefreshToken,
+                            stack: new Error().stack
+                        });
+                        await (0, session_store_1.updateSession)(sessionToken, {
+                            idpRefreshToken: '',
+                            idpRefreshTokenExpires: undefined,
+                            refreshTokenClearedAt: Date.now(),
+                            refreshTokenClearedReason: `IDP_SUCCESS_FALSE_DISCARD:${errorCode}`
+                        });
+                    }
+                    return server_1.NextResponse.json({
+                        error: idpError.message || 'Token refresh failed',
+                        code: errorCode,
+                        discardToken,
+                        retryable,
+                        resolution: idpError.resolution || null
+                    }, { status: refreshResponse.status || 400 });
+                }
+                // Extract tokens from response
+                const payload = responseData.data;
+                const accessToken = payload?.access_token;
+                const refreshToken = payload?.refresh_token;
+                if (!accessToken) {
+                    console.error('[AUTH_REFRESH] Missing access token in IDP response');
+                    return server_1.NextResponse.json({
+                        error: 'Invalid token response from IDP',
+                        code: 'INTERNAL_SERVER_ERROR'
+                    }, { status: 500 });
+                }
+                // Decode and compute token expiries
+                let decodedAccessToken;
+                let accessTokenExpires;
+                let computedRefreshTokenExpires;
+                try {
+                    const result = (0, token_expiry_1.computeTokenExpiries)({ accessToken, refreshToken, preferJwt: true });
+                    decodedAccessToken = result.decodedAccessToken;
+                    accessTokenExpires = result.accessTokenExpires;
+                    computedRefreshTokenExpires = result.refreshTokenExpires;
+                    console.info('[AUTH_REFRESH] Successfully decoded new token pair', {
+                        accessTokenExpires: new Date(accessTokenExpires).toISOString(),
+                        refreshTokenExpires: computedRefreshTokenExpires ? new Date(computedRefreshTokenExpires).toISOString() : null
+                    });
+                }
+                catch (decodeError) {
+                    console.error('[AUTH_REFRESH] Failed to compute token expiries', { error: decodeError });
+                    return server_1.NextResponse.json({
+                        error: 'Failed to decode JWT tokens',
+                        code: 'INTERNAL_SERVER_ERROR'
+                    }, { status: 500 });
+                }
+                // Extract 2FA claims from the new access token
+                let amrClaims = [];
+                if (decodedAccessToken.amr) {
+                    try {
+                        amrClaims = typeof decodedAccessToken.amr === 'string'
+                            ? JSON.parse(decodedAccessToken.amr)
+                            : decodedAccessToken.amr;
+                    }
+                    catch (e) {
+                        console.warn('[AUTH_REFRESH] Failed to parse AMR claims', { amr: decodedAccessToken.amr });
+                        amrClaims = currentSession.authenticationMethods || [];
+                    }
+                }
+                else {
+                    amrClaims = currentSession.authenticationMethods || [];
+                }
+                const acrLevel = String(decodedAccessToken.acr || currentSession.authenticationLevel || '1');
+                // Extract MFA timing claims
+                const mfaTime = decodedAccessToken.mfa_time ? parseInt(decodedAccessToken.mfa_time) * 1000 : currentSession.mfaCompletedAt;
+                const mfaExpires = decodedAccessToken.mfa_expires ? parseInt(decodedAccessToken.mfa_expires) * 1000 : currentSession.mfaExpiresAt;
+                const mfaValidityHours = decodedAccessToken.mfa_validity_hours ? parseInt(decodedAccessToken.mfa_validity_hours) : currentSession.mfaValidityHours;
+                // Update session with new tokens
+                const hasNewRefresh = typeof refreshToken === 'string' && refreshToken.length > 0;
+                const newRefreshTokenExpires = hasNewRefresh ? computedRefreshTokenExpires : undefined;
+                // CRITICAL: Log if we're about to clear the refresh token due to missing new token
+                if (!hasNewRefresh && currentSession.idpRefreshToken) {
+                    console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: No new refresh token in IDP response', {
+                        reason: 'NO_NEW_REFRESH_TOKEN_IN_RESPONSE',
+                        userId,
+                        sessionToken: sessionToken.substring(0, 8) + '...',
+                        hadRefreshToken: true,
+                        refreshTokenFromResponse: refreshToken,
+                        refreshTokenType: typeof refreshToken,
+                        payloadKeys: Object.keys(payload || {}),
+                        stack: new Error().stack
+                    });
+                }
+                // Keep existing refresh token if IDP doesn't provide a new one
+                // Only clear if IDP explicitly signals discard_token=true (handled in error paths)
+                // NOTE: Use normalized field names (idp* prefix) per SessionData interface
+                // CRITICAL: Extract kid from JWT header - IDP may rotate keys during refresh
+                const newBearerKeyId = (0, token_utils_1.extractKidFromToken)(accessToken);
+                if (newBearerKeyId) {
+                    console.log('[AUTH_REFRESH] Extracted bearerKeyId (kid) from new JWT header:', newBearerKeyId);
+                }
+                else {
+                    console.warn('[AUTH_REFRESH] No kid found in new JWT header');
+                }
+                const sessionUpdate = {
+                    ...currentSession,
+                    idpAccessToken: accessToken,
+                    idpAccessTokenExpires: accessTokenExpires,
+                    idpRefreshToken: hasNewRefresh ? refreshToken : currentSession.idpRefreshToken,
+                    idpRefreshTokenExpires: hasNewRefresh ? newRefreshTokenExpires : currentSession.idpRefreshTokenExpires,
+                    decodedAccessToken: decodedAccessToken,
+                    // Bearer key ID from JWT header (may change on key rotation)
+                    bearerKeyId: newBearerKeyId || currentSession.bearerKeyId,
+                    authenticationMethods: amrClaims,
+                    authenticationLevel: acrLevel,
+                    mfaVerified: amrClaims.includes('mfa') || currentSession.mfaVerified,
+                    mfaCompletedAt: mfaTime,
+                    mfaExpiresAt: mfaExpires,
+                    mfaValidityHours: mfaValidityHours
+                };
+                await (0, session_store_1.updateSession)(sessionToken, sessionUpdate);
+                console.info('[AUTH_REFRESH] Token refreshed successfully', {
+                    expiresAt: new Date(accessTokenExpires).toISOString(),
+                    userId,
+                    hasNewRefreshToken: hasNewRefresh,
+                    tokenPreview: accessToken ? accessToken.substring(0, 20) + '...' : 'none'
+                });
+            }
+            catch (error) {
+                console.error('[AUTH_REFRESH] Error during token refresh', { error });
+                return server_1.NextResponse.json({
+                    error: 'Token refresh error',
+                    code: 'INTERNAL_SERVER_ERROR'
+                }, { status: 500 });
+            }
+            finally {
+                if (weAcquiredLock) {
+                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
+                }
+            }
+            // Load the latest session to return basic status
+            const latest = await (0, session_store_1.getSession)(sessionToken);
+            if (!latest?.idpAccessToken) {
+                return server_1.NextResponse.json({
+                    error: 'No access token after refresh',
+                    code: 'INTERNAL_SERVER_ERROR'
+                }, { status: 500 });
+            }
+            return server_1.NextResponse.json({
+                refreshed: true,
+                accessTokenExpires: latest.idpAccessTokenExpires,
+                hasRefreshToken: !!latest.idpRefreshToken,
+            });
+        }
+        catch (err) {
+            console.error('[AUTH_REFRESH] Unexpected error', { error: err?.message || String(err) });
+            return server_1.NextResponse.json({
+                error: 'Unexpected error during refresh',
+                code: 'INTERNAL_SERVER_ERROR'
+            }, { status: 500 });
+        }
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
+ */
+exports.POST = createRefreshHandler({
+    idpBaseUrl: process.env.IDP_URL,
+    clientId: process.env.CLIENT_ID || 'payez_default_client',
+    nextAuthSecret: process.env.NEXTAUTH_SECRET || '',
+    refreshEndpoint: '/api/ExternalAuth/refresh'
+});