@payez/next-mvp 3.9.0 → 4.0.0

package/dist/api-handlers/auth/signout.js

@@ -1,187 +1,186 @@
-"use strict";
-/**
- * Authentication Signout API Handler
- *
- * Handles user session termination and cookie cleanup.
- * This handler is designed to be imported and used by Next.js applications
- * using the @payez/next-mvp package.
- *
- * @version 2.0
- * @requires No authentication (public endpoint)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-exports.createSignoutHandler = createSignoutHandler;
-const server_1 = require("next/server");
-const headers_1 = require("next/headers");
-const session_store_1 = require("../../lib/session-store");
-const jwt_1 = require("next-auth/jwt");
-const app_slug_1 = require("../../lib/app-slug");
-// JWT decode helper - simple base64 decode without verification
-function jwtDecode(token) {
-    try {
-        const parts = token.split('.');
-        if (parts.length !== 3)
-            return null;
-        const payload = parts[1];
-        const decoded = Buffer.from(payload, 'base64').toString('utf-8');
-        return JSON.parse(decoded);
-    }
-    catch (e) {
-        return null;
-    }
-}
-// Add protection headers to all responses
-function addSecurityHeaders(response) {
-    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
-    response.headers.set('X-Frame-Options', 'DENY');
-    response.headers.set('X-Content-Type-Options', 'nosniff');
-    response.headers.set('X-XSS-Protection', '1; mode=block');
-    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
-    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
-    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
-    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
-    response.headers.set('Pragma', 'no-cache');
-    response.headers.set('Expires', '0');
-    return response;
-}
-/**
- * Creates a signout handler for Next.js API routes
- *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/signout/route.ts
- * import { createSignoutHandler } from '@payez/next-mvp/api-handlers/auth/signout';
- *
- * export const POST = createSignoutHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
- * ```
- */
-function createSignoutHandler(config) {
-    const { nextAuthSecret } = config;
-    return async function POST(req) {
-        const cookieStore = await (0, headers_1.cookies)();
-        // Get app-slug prefixed cookie names
-        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
-        const secureSessionCookieName = (0, app_slug_1.getSecureSessionCookieName)();
-        // Handle chunked session tokens (for large JWTs)
-        let sessionToken;
-        const sessionTokenCookie = cookieStore.get(sessionCookieName);
-        if (sessionTokenCookie?.value) {
-            // Single cookie case
-            sessionToken = sessionTokenCookie.value;
-        }
-        else {
-            // Chunked cookie case - reconstruct from parts
-            const chunkCookies = cookieStore.getAll()
-                .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`))
-                .sort((a, b) => {
-                const aIndex = parseInt(a.name.split('.').pop() || '0');
-                const bIndex = parseInt(b.name.split('.').pop() || '0');
-                return aIndex - bIndex;
-            });
-            if (chunkCookies.length > 0) {
-                sessionToken = chunkCookies.map(cookie => cookie.value).join('');
-            }
-        }
-        // Get chunk cookies for cleanup count
-        const chunkCookies = cookieStore.getAll()
-            .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`));
-        // Decode NextAuth JWT to extract the Redis session UUID before deletion
-        let redisSessionToken = null;
-        // First attempt: NextAuth getToken (verified + robust in most cases)
-        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-        try {
-            const token = await (0, jwt_1.getToken)({ req, secret: nextAuthSecret, cookieName: (0, app_slug_1.getJwtCookieName)() });
-            redisSessionToken = token?.sessionToken || token?.redisSessionId || null;
-        }
-        catch (e) {
-            console.warn('[SIGNOUT] getToken() failed to extract session token (will try manual decode)');
-        }
-        // Second attempt: manual decode of the session cookie JWT (no verification)
-        if (!redisSessionToken && (sessionToken || cookieStore.getAll().some(c => c.name.startsWith(`${sessionCookieName}.`)))) {
-            try {
-                // Reconstruct raw JWT from chunked cookies if necessary
-                let rawJwt = null;
-                const direct = cookieStore.get(sessionCookieName);
-                if (direct?.value) {
-                    rawJwt = direct.value;
-                }
-                else {
-                    const chunks = cookieStore.getAll()
-                        .filter(c => c.name.startsWith(`${sessionCookieName}.`))
-                        .sort((a, b) => {
-                        const ai = parseInt(a.name.split('.').pop() || '0');
-                        const bi = parseInt(b.name.split('.').pop() || '0');
-                        return ai - bi;
-                    })
-                        .map(c => c.value);
-                    if (chunks.length > 0)
-                        rawJwt = chunks.join('');
-                }
-                if (rawJwt) {
-                    const decoded = jwtDecode(rawJwt);
-                    if (decoded && typeof decoded === 'object' && typeof decoded.sessionToken === 'string') {
-                        redisSessionToken = decoded.sessionToken;
-                    }
-                }
-            }
-            catch (e) {
-                console.warn('[SIGNOUT] Manual JWT decode failed to extract session token');
-            }
-        }
-        // Delete Redis session if UUID was extracted
-        if (redisSessionToken) {
-            try {
-                await (0, session_store_1.deleteSession)(redisSessionToken);
-                console.info('[SIGNOUT] Redis session cleanup successful', {
-                    sessionToken: redisSessionToken.substring(0, 8) + '...'
-                });
-            }
-            catch (sessionError) {
-                // Log error but don't fail the signout process
-                console.error('[SIGNOUT] Redis session cleanup failed', { error: sessionError });
-            }
-        }
-        else {
-            console.warn('[SIGNOUT] No Redis session token (UUID) extracted from cookie; skipping Redis deletion');
-        }
-        // Build response
-        const responseData = {
-            success: true,
-            message: sessionToken ? 'Session deleted successfully' : 'No active session found',
-            sessionDeleted: !!sessionToken,
-            chunkCookiesDeleted: chunkCookies.length
-        };
-        const response = server_1.NextResponse.json(responseData);
-        // Always clear cookies, regardless of success/failure (using app-slug prefixed names)
-        try {
-            response.cookies.delete(sessionCookieName);
-            response.cookies.delete(secureSessionCookieName);
-            response.cookies.delete((0, app_slug_1.getCsrfCookieName)());
-            response.cookies.delete((0, app_slug_1.getSecureCsrfCookieName)());
-            response.cookies.delete((0, app_slug_1.getCallbackUrlCookieName)());
-            response.cookies.delete(`__Secure-${(0, app_slug_1.getCallbackUrlCookieName)()}`);
-            response.cookies.delete('twoFactorSessionVerified');
-            // Delete chunked session cookies
-            chunkCookies.forEach(cookie => {
-                response.cookies.delete(cookie.name);
-            });
-        }
-        catch (cookieError) {
-            console.error('[SIGNOUT] Cookie cleanup failed:', cookieError);
-        }
-        return addSecurityHeaders(response);
-    };
-}
-/**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
- */
-exports.POST = createSignoutHandler({
-    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
-});
+"use strict";
+/**
+ * Authentication Signout API Handler
+ *
+ * Handles user session termination and cookie cleanup.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createSignoutHandler = createSignoutHandler;
+const server_1 = require("next/server");
+const headers_1 = require("next/headers");
+const session_store_1 = require("../../lib/session-store");
+const auth_1 = require("../../server/auth");
+const app_slug_1 = require("../../lib/app-slug");
+// JWT decode helper - simple base64 decode without verification
+function jwtDecode(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1];
+        const decoded = Buffer.from(payload, 'base64').toString('utf-8');
+        return JSON.parse(decoded);
+    }
+    catch (e) {
+        return null;
+    }
+}
+// Add protection headers to all responses
+function addSecurityHeaders(response) {
+    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
+    response.headers.set('X-Frame-Options', 'DENY');
+    response.headers.set('X-Content-Type-Options', 'nosniff');
+    response.headers.set('X-XSS-Protection', '1; mode=block');
+    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
+    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    response.headers.set('Pragma', 'no-cache');
+    response.headers.set('Expires', '0');
+    return response;
+}
+/**
+ * Creates a signout handler for Next.js API routes
+ *
+ * @param config Configuration for NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/signout/route.ts
+ * import { createSignoutHandler } from '@payez/next-mvp/api-handlers/auth/signout';
+ *
+ * export const POST = createSignoutHandler({
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
+ * });
+ * ```
+ */
+function createSignoutHandler(config) {
+    const { nextAuthSecret } = config;
+    return async function POST(req) {
+        const cookieStore = await (0, headers_1.cookies)();
+        // Get app-slug prefixed cookie names
+        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
+        const secureSessionCookieName = (0, app_slug_1.getSecureSessionCookieName)();
+        // Handle chunked session tokens (for large JWTs)
+        let sessionToken;
+        const sessionTokenCookie = cookieStore.get(sessionCookieName);
+        if (sessionTokenCookie?.value) {
+            // Single cookie case
+            sessionToken = sessionTokenCookie.value;
+        }
+        else {
+            // Chunked cookie case - reconstruct from parts
+            const chunkCookies = cookieStore.getAll()
+                .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`))
+                .sort((a, b) => {
+                const aIndex = parseInt(a.name.split('.').pop() || '0');
+                const bIndex = parseInt(b.name.split('.').pop() || '0');
+                return aIndex - bIndex;
+            });
+            if (chunkCookies.length > 0) {
+                sessionToken = chunkCookies.map(cookie => cookie.value).join('');
+            }
+        }
+        // Get chunk cookies for cleanup count
+        const chunkCookies = cookieStore.getAll()
+            .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`));
+        // Decode NextAuth JWT to extract the Redis session UUID before deletion
+        let redisSessionToken = null;
+        // First attempt: Better Auth getSession
+        try {
+            const betterAuthSession = await (0, auth_1.getSession)(req);
+            redisSessionToken = betterAuthSession?.session?.token || null;
+        }
+        catch (e) {
+            console.warn('[SIGNOUT] getSession() failed to extract session token (will try manual decode)');
+        }
+        // Second attempt: manual decode of the session cookie JWT (no verification)
+        if (!redisSessionToken && (sessionToken || cookieStore.getAll().some(c => c.name.startsWith(`${sessionCookieName}.`)))) {
+            try {
+                // Reconstruct raw JWT from chunked cookies if necessary
+                let rawJwt = null;
+                const direct = cookieStore.get(sessionCookieName);
+                if (direct?.value) {
+                    rawJwt = direct.value;
+                }
+                else {
+                    const chunks = cookieStore.getAll()
+                        .filter(c => c.name.startsWith(`${sessionCookieName}.`))
+                        .sort((a, b) => {
+                        const ai = parseInt(a.name.split('.').pop() || '0');
+                        const bi = parseInt(b.name.split('.').pop() || '0');
+                        return ai - bi;
+                    })
+                        .map(c => c.value);
+                    if (chunks.length > 0)
+                        rawJwt = chunks.join('');
+                }
+                if (rawJwt) {
+                    const decoded = jwtDecode(rawJwt);
+                    if (decoded && typeof decoded === 'object' && typeof decoded.sessionToken === 'string') {
+                        redisSessionToken = decoded.sessionToken;
+                    }
+                }
+            }
+            catch (e) {
+                console.warn('[SIGNOUT] Manual JWT decode failed to extract session token');
+            }
+        }
+        // Delete Redis session if UUID was extracted
+        if (redisSessionToken) {
+            try {
+                await (0, session_store_1.deleteSession)(redisSessionToken);
+                console.info('[SIGNOUT] Redis session cleanup successful', {
+                    sessionToken: redisSessionToken.substring(0, 8) + '...'
+                });
+            }
+            catch (sessionError) {
+                // Log error but don't fail the signout process
+                console.error('[SIGNOUT] Redis session cleanup failed', { error: sessionError });
+            }
+        }
+        else {
+            console.warn('[SIGNOUT] No Redis session token (UUID) extracted from cookie; skipping Redis deletion');
+        }
+        // Build response
+        const responseData = {
+            success: true,
+            message: sessionToken ? 'Session deleted successfully' : 'No active session found',
+            sessionDeleted: !!sessionToken,
+            chunkCookiesDeleted: chunkCookies.length
+        };
+        const response = server_1.NextResponse.json(responseData);
+        // Always clear cookies, regardless of success/failure (using app-slug prefixed names)
+        try {
+            response.cookies.delete(sessionCookieName);
+            response.cookies.delete(secureSessionCookieName);
+            response.cookies.delete((0, app_slug_1.getCsrfCookieName)());
+            response.cookies.delete((0, app_slug_1.getSecureCsrfCookieName)());
+            response.cookies.delete((0, app_slug_1.getCallbackUrlCookieName)());
+            response.cookies.delete(`__Secure-${(0, app_slug_1.getCallbackUrlCookieName)()}`);
+            response.cookies.delete('twoFactorSessionVerified');
+            // Delete chunked session cookies
+            chunkCookies.forEach(cookie => {
+                response.cookies.delete(cookie.name);
+            });
+        }
+        catch (cookieError) {
+            console.error('[SIGNOUT] Cookie cleanup failed:', cookieError);
+        }
+        return addSecurityHeaders(response);
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variable: NEXTAUTH_SECRET
+ */
+exports.POST = createSignoutHandler({
+    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
+});

package/dist/api-handlers/auth/status.js

@@ -2,15 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GET = GET;
 const server_1 = require("next/server");
-const jwt_1 = require("next-auth/jwt");
-const nextauth_secret_1 = require("../../lib/nextauth-secret");
+const auth_1 = require("../../server/auth");
 const session_store_1 = require("../../lib/session-store");
-const app_slug_1 = require("../../lib/app-slug");
 async function GET(req) {
     try {
-        let token = await (0, jwt_1.getToken)({ req, secret: await (0, nextauth_secret_1.resolveNextAuthSecret)(), cookieName: (0, app_slug_1.getJwtCookieName)() });
-        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-        const sessionToken = token?.sessionToken || token?.redisSessionId;
+        const betterAuthSession = await (0, auth_1.getSession)(req);
+        const sessionToken = betterAuthSession?.session?.token;
         if (!sessionToken) {
             return server_1.NextResponse.json({ success: false, error: 'No session token' }, { status: 401 });
         }
@@ -18,7 +15,7 @@ async function GET(req) {
         if (!sessionModel) {
             return server_1.NextResponse.json({ success: false, error: 'Session missing in Redis' }, { status: 401 });
         }
-        return server_1.NextResponse.json({ success: true, userId: sessionModel.userId || null });
+        return server_1.NextResponse.json({ success: true, userId: betterAuthSession?.user?.id || sessionModel.userId || null });
     }
     catch (err) {
         return server_1.NextResponse.json({ success: false, error: err instanceof Error ? err.message : 'Unknown error' }, { status: 500 });

package/dist/api-handlers/auth/update-session.d.ts

@@ -10,7 +10,7 @@
  */
 import { NextRequest, NextResponse } from 'next/server';
 interface UpdateSessionConfig {
-    nextAuthSecret: string;
+    nextAuthSecret?: string;
 }
 /**
  * Creates an update-session handler for Next.js API routes

package/dist/api-handlers/auth/update-session.js

@@ -13,8 +13,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.POST = void 0;
 exports.createUpdateSessionHandler = createUpdateSessionHandler;
 const server_1 = require("next/server");
-const jwt_1 = require("next-auth/jwt");
-const app_slug_1 = require("../../lib/app-slug");
+const auth_1 = require("../../server/auth");
 // Add protection headers to all responses
 function addSecurityHeaders(response) {
     response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
@@ -57,26 +56,25 @@ function createUpdateSessionHandler(config) {
                 return addSecurityHeaders(server_1.NextResponse.json({ error: 'Invalid JSON format' }, { status: 400 }));
             }
             const { twoFactorSessionVerified, twoFactorMethod } = body;
-            // Get the current token
-            const token = await (0, jwt_1.getToken)({ req, secret: nextAuthSecret, cookieName: (0, app_slug_1.getJwtCookieName)() });
-            if (!token) {
+            // Get the current session from Better Auth
+            const session = await (0, auth_1.getSession)(req);
+            if (!session) {
                 return addSecurityHeaders(server_1.NextResponse.json({ error: 'No session token available' }, { status: 401 }));
             }
-            // Update the token with 2FA challenge completion status
-            const updatedToken = {
-                ...token,
+            // Update the session with 2FA challenge completion status
+            const updatedSession = {
                 twoFactorSessionVerified: !!twoFactorSessionVerified,
-                twoFactorMethod: twoFactorMethod || token.twoFactorMethod
+                twoFactorMethod: twoFactorMethod || session.twoFactorMethod
             };
             console.info('[UPDATE-SESSION] Session updated successfully', {
-                userId: token.sub,
-                twoFactorSessionVerified: updatedToken.twoFactorSessionVerified,
-                twoFactorMethod: updatedToken.twoFactorMethod
+                userId: session.user?.id,
+                twoFactorSessionVerified: updatedSession.twoFactorSessionVerified,
+                twoFactorMethod: updatedSession.twoFactorMethod
             });
             const responseData = {
                 success: true,
-                twoFactorSessionVerified: updatedToken.twoFactorSessionVerified,
-                twoFactorMethod: updatedToken.twoFactorMethod
+                twoFactorSessionVerified: updatedSession.twoFactorSessionVerified,
+                twoFactorMethod: updatedSession.twoFactorMethod
             };
             return addSecurityHeaders(server_1.NextResponse.json(responseData));
         }

package/dist/api-handlers/auth/verify-code.d.ts

@@ -1,43 +1,43 @@
-/**
- * Authentication Verify Code / Complete 2FA API Handler
- *
- * Handles 2FA verification and token updates after successful verification.
- * This handler is designed to be imported and used by Next.js applications
- * using the @payez/next-mvp package.
- *
- * @version 2.0
- * @requires Authentication (authenticated endpoint)
- */
-import { NextRequest, NextResponse } from 'next/server';
-interface VerifyCodeConfig {
-    nextAuthSecret: string;
-}
-/**
- * Creates a verify-code/complete-2FA handler for Next.js API routes
- *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/verify-code/route.ts
- * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
- *
- * export const POST = createVerifyCodeHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
- * ```
- */
-export declare function createVerifyCodeHandler(config: VerifyCodeConfig): (req: NextRequest) => Promise<NextResponse<{
-    success: boolean;
-    message: string;
-}>>;
-/**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
- */
-export declare const POST: (req: NextRequest) => Promise<NextResponse<{
-    success: boolean;
-    message: string;
-}>>;
-export {};
+/**
+ * Authentication Verify Code / Complete 2FA API Handler
+ *
+ * Handles 2FA verification and token updates after successful verification.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires Authentication (authenticated endpoint)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+interface VerifyCodeConfig {
+    nextAuthSecret?: string;
+}
+/**
+ * Creates a verify-code/complete-2FA handler for Next.js API routes
+ *
+ * @param config Configuration for NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/verify-code/route.ts
+ * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
+ *
+ * export const POST = createVerifyCodeHandler({
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
+ * });
+ * ```
+ */
+export declare function createVerifyCodeHandler(config: VerifyCodeConfig): (req: NextRequest) => Promise<NextResponse<{
+    success: boolean;
+    message: string;
+}>>;
+/**
+ * Default export for backward compatibility
+ * Requires environment variable: NEXTAUTH_SECRET
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<{
+    success: boolean;
+    message: string;
+}>>;
+export {};