@payez/next-mvp 3.9.0 → 4.0.0

package/dist/routes/auth/viability.js

@@ -1,201 +1,190 @@
-"use strict";
-/**
- * Ready-to-Use Session Viability Route
- *
- * Checks if the current session is viable (valid and not expired).
- * Used by client-side code to determine if a refresh is needed.
- *
- * @example
- * ```typescript
- * // app/api/session/viability/route.ts
- * export { GET } from '@payez/next-mvp/routes/auth/viability';
- * ```
- *
- * @version 2.0.0
- * @since auth-ready-v2
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.GET = GET;
-const server_1 = require("next/server");
-const jwt_1 = require("next-auth/jwt");
-const session_store_1 = require("../../lib/session-store");
-const app_slug_1 = require("../../lib/app-slug");
-const idp_client_config_1 = require("../../lib/idp-client-config");
-/**
- * Get NextAuth secret from IDP config (cached).
- * NEVER use process.env.NEXTAUTH_SECRET at module level - it may not be set yet.
- */
-async function getNextAuthSecret() {
-    const config = await (0, idp_client_config_1.getIDPClientConfig)();
-    return config.nextAuthSecret || '';
-}
-/**
- * Get tenant-wide 2FA requirement from cached client config (from broker handshake)
- */
-async function getTenantRequiresTwoFactor() {
-    try {
-        const config = await (0, idp_client_config_1.getIDPClientConfig)();
-        return config.authSettings?.require2FA ?? true; // Default to true for security
-    }
-    catch {
-        console.warn('[VIABILITY] Could not get client config, defaulting tenantRequiresTwoFactor to true');
-        return true;
-    }
-}
-/**
- * GET /api/session/viability - Check if session is viable
- *
- * Returns:
- * - viable: boolean - Whether the session can be used
- * - needsRefresh: boolean - Whether a refresh is recommended
- * - expiresIn: number - Seconds until token expires
- */
-async function GET(req) {
-    try {
-        const cookieName = (0, app_slug_1.getJwtCookieName)();
-        const secret = await getNextAuthSecret();
-        const token = await (0, jwt_1.getToken)({ req, secret, cookieName });
-        if (!token) {
-            return server_1.NextResponse.json({
-                viable: false,
-                needsRefresh: false,
-                authenticated: false,
-                reason: 'No session found'
-            });
-        }
-        // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-        const sessionToken = token.sessionToken || token.redisSessionId;
-        const session = sessionToken ? await (0, session_store_1.getSession)(sessionToken) : null;
-        // CRITICAL: Detect stale cookie state (JWT exists but Redis session missing)
-        if (sessionToken && !session) {
-            console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
-            return server_1.NextResponse.json({
-                viable: false,
-                needsRefresh: false,
-                authenticated: false,
-                sessionToken, // Return sessionToken so middleware can detect and clear stale cookie
-                reason: 'Stale session - cookie exists but session not found in Redis'
-            });
-        }
-        // Check access token expiry
-        const now = Math.floor(Date.now() / 1000);
-        const accessTokenExpires = token.accessTokenExpires || token.exp;
-        if (!accessTokenExpires) {
-            // No expiry info, assume viable but recommend refresh
-            const tenantRequiresTwoFactor = await getTenantRequiresTwoFactor();
-            // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
-            const mfaExpiresAt = session?.mfaExpiresAt || 0;
-            const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
-            // Check mfaVerified (normalized name) with fallback to twoFactorComplete for compatibility
-            const mfaVerifiedInSession = session?.mfaVerified ?? session?.twoFactorComplete ?? false;
-            // User has completed 2FA requirements if: they verified AND it hasn't expired
-            const userHasCompletedTenantTwoFactorRequirements = mfaVerifiedInSession && !mfaExpired;
-            // userStillNeedsTwoFactor = inverse of completed (matches session callback logic)
-            const userStillNeedsTwoFactor = !userHasCompletedTenantTwoFactorRequirements;
-            return server_1.NextResponse.json({
-                viable: true,
-                needsRefresh: true,
-                authenticated: true,
-                sessionToken,
-                // Clear names for middleware decision-making
-                tenantRequiresTwoFactor,
-                userHasCompletedTenantTwoFactorRequirements,
-                userStillNeedsTwoFactor,
-                // Legacy field names for backwards compatibility
-                requires2FA: tenantRequiresTwoFactor,
-                twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
-                accessTokenExpired: false,
-                reason: 'No expiry information'
-            });
-        }
-        // Convert to seconds if needed
-        const expiryTime = accessTokenExpires > 1000000000000
-            ? Math.floor(accessTokenExpires / 1000)
-            : accessTokenExpires;
-        const expiresIn = expiryTime - now;
-        const isExpired = expiresIn <= 0;
-        const needsRefresh = expiresIn <= 300; // 5 minutes buffer
-        // Check if we have refresh capability (check normalized field name first)
-        const hasRefreshToken = !!(session?.idpRefreshToken || session?.refreshToken || token.refreshToken);
-        // CLEAR NAMING: Tenant-wide 2FA requirement from client config
-        const tenantRequiresTwoFactor = await getTenantRequiresTwoFactor();
-        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
-        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
-        // has passed, we must treat 2FA as incomplete to force re-verification.
-        const mfaExpiresAt = session?.mfaExpiresAt || 0;
-        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
-        // Check mfaVerified (normalized name) with fallback to twoFactorComplete for compatibility
-        const mfaVerifiedInSession = session?.mfaVerified ?? session?.twoFactorComplete ?? false;
-        // DEBUG: Log what we're reading from the session
-        console.log('[VIABILITY] Session 2FA state:', {
-            sessionToken: sessionToken?.substring(0, 8) + '...',
-            'session.mfaVerified': session?.mfaVerified,
-            'session.twoFactorComplete': session?.twoFactorComplete,
-            mfaVerifiedInSession,
-            mfaExpiresAt,
-            mfaExpired,
-            hasRefreshToken,
-            'session.idpRefreshToken': !!session?.idpRefreshToken,
-            'session.refreshToken': !!session?.refreshToken,
-        });
-        // CLEAR NAMING: User has completed 2FA requirements if: they verified AND it hasn't expired
-        const userHasCompletedTenantTwoFactorRequirements = mfaVerifiedInSession && !mfaExpired;
-        // userStillNeedsTwoFactor = inverse of completed (matches session callback logic)
-        const userStillNeedsTwoFactor = !userHasCompletedTenantTwoFactorRequirements;
-        if (mfaExpired && mfaVerifiedInSession) {
-            console.warn('[VIABILITY] MFA expired - forcing 2FA re-verification');
-        }
-        if (isExpired) {
-            return server_1.NextResponse.json({
-                viable: false,
-                needsRefresh: hasRefreshToken,
-                expiresIn: 0,
-                hasRefreshToken,
-                authenticated: true,
-                sessionToken,
-                // Clear names
-                tenantRequiresTwoFactor,
-                userHasCompletedTenantTwoFactorRequirements,
-                userStillNeedsTwoFactor,
-                // Legacy names for backwards compatibility
-                requires2FA: tenantRequiresTwoFactor,
-                twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
-                accessTokenExpired: true,
-                reason: 'Token expired',
-                // RBAC fields
-                roles: session?.roles || [],
-                clientId: session?.idpClientId || process.env.IDP_CLIENT_ID || '',
-            });
-        }
-        return server_1.NextResponse.json({
-            viable: true,
-            needsRefresh,
-            expiresIn,
-            hasRefreshToken,
-            authenticated: true,
-            sessionToken,
-            // Clear names
-            tenantRequiresTwoFactor,
-            userHasCompletedTenantTwoFactorRequirements,
-            userStillNeedsTwoFactor,
-            // Legacy names for backwards compatibility
-            requires2FA: tenantRequiresTwoFactor,
-            twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
-            accessTokenExpired: false,
-            expiresAt: new Date(expiryTime * 1000).toISOString(),
-            // RBAC fields
-            roles: session?.roles || [],
-            clientId: session?.idpClientId || process.env.IDP_CLIENT_ID || '',
-        });
-    }
-    catch (error) {
-        console.error('[VIABILITY_ROUTE] Error checking session viability:', error);
-        return server_1.NextResponse.json({
-            viable: false,
-            needsRefresh: false,
-            authenticated: false,
-            error: 'Failed to check session',
-            details: error instanceof Error ? error.message : 'Unknown error'
-        }, { status: 500 });
-    }
-}
+"use strict";
+/**
+ * Ready-to-Use Session Viability Route
+ *
+ * Checks if the current session is viable (valid and not expired).
+ * Used by client-side code to determine if a refresh is needed.
+ *
+ * @example
+ * ```typescript
+ * // app/api/session/viability/route.ts
+ * export { GET } from '@payez/next-mvp/routes/auth/viability';
+ * ```
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const session_store_1 = require("../../lib/session-store");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+/**
+ * Get tenant-wide 2FA requirement from cached client config (from broker handshake)
+ */
+async function getTenantRequiresTwoFactor() {
+    try {
+        const config = await (0, idp_client_config_1.getIDPClientConfig)();
+        return config.authSettings?.require2FA ?? true; // Default to true for security
+    }
+    catch {
+        console.warn('[VIABILITY] Could not get client config, defaulting tenantRequiresTwoFactor to true');
+        return true;
+    }
+}
+/**
+ * GET /api/session/viability - Check if session is viable
+ *
+ * Returns:
+ * - viable: boolean - Whether the session can be used
+ * - needsRefresh: boolean - Whether a refresh is recommended
+ * - expiresIn: number - Seconds until token expires
+ */
+async function GET(req) {
+    try {
+        const baSession = await (0, auth_1.getSession)(req);
+        if (!baSession) {
+            return server_1.NextResponse.json({
+                viable: false,
+                needsRefresh: false,
+                authenticated: false,
+                reason: 'No session found'
+            });
+        }
+        const token = baSession;
+        const sessionToken = baSession.session?.token;
+        const session = sessionToken ? await (0, session_store_1.getSession)(sessionToken) : null;
+        // CRITICAL: Detect stale cookie state (JWT exists but Redis session missing)
+        if (sessionToken && !session) {
+            console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
+            return server_1.NextResponse.json({
+                viable: false,
+                needsRefresh: false,
+                authenticated: false,
+                sessionToken, // Return sessionToken so middleware can detect and clear stale cookie
+                reason: 'Stale session - cookie exists but session not found in Redis'
+            });
+        }
+        // Check access token expiry
+        const now = Math.floor(Date.now() / 1000);
+        const accessTokenExpires = token.accessTokenExpires || token.exp;
+        if (!accessTokenExpires) {
+            // No expiry info, assume viable but recommend refresh
+            const tenantRequiresTwoFactor = await getTenantRequiresTwoFactor();
+            // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+            const mfaExpiresAt = session?.mfaExpiresAt || 0;
+            const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+            // Check mfaVerified (normalized name) with fallback to twoFactorComplete for compatibility
+            const mfaVerifiedInSession = session?.mfaVerified ?? session?.twoFactorComplete ?? false;
+            // User has completed 2FA requirements if: they verified AND it hasn't expired
+            const userHasCompletedTenantTwoFactorRequirements = mfaVerifiedInSession && !mfaExpired;
+            // userStillNeedsTwoFactor = inverse of completed (matches session callback logic)
+            const userStillNeedsTwoFactor = !userHasCompletedTenantTwoFactorRequirements;
+            return server_1.NextResponse.json({
+                viable: true,
+                needsRefresh: true,
+                authenticated: true,
+                sessionToken,
+                // Clear names for middleware decision-making
+                tenantRequiresTwoFactor,
+                userHasCompletedTenantTwoFactorRequirements,
+                userStillNeedsTwoFactor,
+                // Legacy field names for backwards compatibility
+                requires2FA: tenantRequiresTwoFactor,
+                twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
+                accessTokenExpired: false,
+                reason: 'No expiry information'
+            });
+        }
+        // Convert to seconds if needed
+        const expiryTime = accessTokenExpires > 1000000000000
+            ? Math.floor(accessTokenExpires / 1000)
+            : accessTokenExpires;
+        const expiresIn = expiryTime - now;
+        const isExpired = expiresIn <= 0;
+        const needsRefresh = expiresIn <= 300; // 5 minutes buffer
+        // Check if we have refresh capability (check normalized field name first)
+        const hasRefreshToken = !!(session?.idpRefreshToken || session?.refreshToken || token.refreshToken);
+        // CLEAR NAMING: Tenant-wide 2FA requirement from client config
+        const tenantRequiresTwoFactor = await getTenantRequiresTwoFactor();
+        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
+        // has passed, we must treat 2FA as incomplete to force re-verification.
+        const mfaExpiresAt = session?.mfaExpiresAt || 0;
+        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+        // Check mfaVerified (normalized name) with fallback to twoFactorComplete for compatibility
+        const mfaVerifiedInSession = session?.mfaVerified ?? session?.twoFactorComplete ?? false;
+        // DEBUG: Log what we're reading from the session
+        console.log('[VIABILITY] Session 2FA state:', {
+            sessionToken: sessionToken?.substring(0, 8) + '...',
+            'session.mfaVerified': session?.mfaVerified,
+            'session.twoFactorComplete': session?.twoFactorComplete,
+            mfaVerifiedInSession,
+            mfaExpiresAt,
+            mfaExpired,
+            hasRefreshToken,
+            'session.idpRefreshToken': !!session?.idpRefreshToken,
+            'session.refreshToken': !!session?.refreshToken,
+        });
+        // CLEAR NAMING: User has completed 2FA requirements if: they verified AND it hasn't expired
+        const userHasCompletedTenantTwoFactorRequirements = mfaVerifiedInSession && !mfaExpired;
+        // userStillNeedsTwoFactor = inverse of completed (matches session callback logic)
+        const userStillNeedsTwoFactor = !userHasCompletedTenantTwoFactorRequirements;
+        if (mfaExpired && mfaVerifiedInSession) {
+            console.warn('[VIABILITY] MFA expired - forcing 2FA re-verification');
+        }
+        if (isExpired) {
+            return server_1.NextResponse.json({
+                viable: false,
+                needsRefresh: hasRefreshToken,
+                expiresIn: 0,
+                hasRefreshToken,
+                authenticated: true,
+                sessionToken,
+                // Clear names
+                tenantRequiresTwoFactor,
+                userHasCompletedTenantTwoFactorRequirements,
+                userStillNeedsTwoFactor,
+                // Legacy names for backwards compatibility
+                requires2FA: tenantRequiresTwoFactor,
+                twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
+                accessTokenExpired: true,
+                reason: 'Token expired',
+                // RBAC fields
+                roles: session?.roles || [],
+                clientId: session?.idpClientId || process.env.IDP_CLIENT_ID || '',
+            });
+        }
+        return server_1.NextResponse.json({
+            viable: true,
+            needsRefresh,
+            expiresIn,
+            hasRefreshToken,
+            authenticated: true,
+            sessionToken,
+            // Clear names
+            tenantRequiresTwoFactor,
+            userHasCompletedTenantTwoFactorRequirements,
+            userStillNeedsTwoFactor,
+            // Legacy names for backwards compatibility
+            requires2FA: tenantRequiresTwoFactor,
+            twoFactorComplete: userHasCompletedTenantTwoFactorRequirements,
+            accessTokenExpired: false,
+            expiresAt: new Date(expiryTime * 1000).toISOString(),
+            // RBAC fields
+            roles: session?.roles || [],
+            clientId: session?.idpClientId || process.env.IDP_CLIENT_ID || '',
+        });
+    }
+    catch (error) {
+        console.error('[VIABILITY_ROUTE] Error checking session viability:', error);
+        return server_1.NextResponse.json({
+            viable: false,
+            needsRefresh: false,
+            authenticated: false,
+            error: 'Failed to check session',
+            details: error instanceof Error ? error.message : 'Unknown error'
+        }, { status: 500 });
+    }
+}

package/dist/server/auth.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Server-side auth utilities for Better Auth (v4.0)
+ *
+ * Replaces:
+ * - getToken() from next-auth/jwt
+ * - getServerSession() from next-auth
+ *
+ * All server-side auth flows go through the Better Auth instance.
+ */
+import 'server-only';
+/**
+ * Get the initialized Better Auth instance (singleton).
+ */
+export declare function getAuthInstance(): Promise<import("better-auth/types").Auth<{
+    secret: string;
+    socialProviders: Record<string, import("../auth/better-auth").BetterAuthSocialProvider>;
+    trustedOrigins: string[];
+    session: {
+        cookieCache: {
+            enabled: true;
+            maxAge: number;
+            refreshCache: true;
+        };
+    };
+    plugins: [{
+        id: "next-cookies";
+        hooks: {
+            before: {
+                matcher(ctx: import("@better-auth/core").HookEndpointContext): boolean;
+                handler: (inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<void>;
+            }[];
+            after: {
+                matcher(ctx: import("@better-auth/core").HookEndpointContext): true;
+                handler: (inputContext: import("better-call").MiddlewareInputContext<import("better-call").MiddlewareOptions>) => Promise<void>;
+            }[];
+        };
+    }];
+}>>;
+/**
+ * Get the current session from a request.
+ * Replaces getToken() and getServerSession().
+ *
+ * Returns the session object or null if not authenticated.
+ */
+export declare function getSession(request?: Request): Promise<any>;
+/**
+ * Get the current session, throwing if not authenticated.
+ * Use in API handlers that require auth.
+ */
+export declare function requireSession(request: Request): Promise<any>;

package/dist/server/auth.js

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * Server-side auth utilities for Better Auth (v4.0)
+ *
+ * Replaces:
+ * - getToken() from next-auth/jwt
+ * - getServerSession() from next-auth
+ *
+ * All server-side auth flows go through the Better Auth instance.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAuthInstance = getAuthInstance;
+exports.getSession = getSession;
+exports.requireSession = requireSession;
+require("server-only");
+const better_auth_1 = require("../auth/better-auth");
+const idp_client_config_1 = require("../lib/idp-client-config");
+let authInstance = null;
+let authInitPromise = null;
+/**
+ * Get the initialized Better Auth instance (singleton).
+ */
+async function getAuthInstance() {
+    if (authInstance)
+        return authInstance;
+    if (!authInitPromise) {
+        authInitPromise = (0, idp_client_config_1.getIDPClientConfig)().then(config => {
+            authInstance = (0, better_auth_1.createBetterAuthInstance)(config);
+            return authInstance;
+        });
+    }
+    return authInitPromise;
+}
+/**
+ * Get the current session from a request.
+ * Replaces getToken() and getServerSession().
+ *
+ * Returns the session object or null if not authenticated.
+ */
+async function getSession(request) {
+    const auth = await getAuthInstance();
+    if (!request)
+        return null;
+    try {
+        const session = await auth.api.getSession({ headers: request.headers });
+        return session;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get the current session, throwing if not authenticated.
+ * Use in API handlers that require auth.
+ */
+async function requireSession(request) {
+    const session = await getSession(request);
+    if (!session) {
+        throw new Error('Unauthorized');
+    }
+    return session;
+}

package/dist/stores/authStore.js

@@ -49,7 +49,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.initializeAuthStore = exports.useAuthStore = void 0;
 const zustand_1 = require("zustand");
 const middleware_1 = require("zustand/middleware");
-const react_1 = require("next-auth/react");
+const better_auth_client_1 = require("../client/better-auth-client");
 const session_1 = require("../lib/session");
 const logger_1 = require("../config/logger");
 const signalr_1 = require("@microsoft/signalr");
@@ -254,18 +254,19 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
     signIn: async (credentials) => {
         set({ isLoading: true, error: null });
         try {
-            // Use NextAuth signIn - this will trigger our auth callbacks
-            const { signIn } = await Promise.resolve().then(() => __importStar(require('next-auth/react')));
-            const result = await signIn('credentials', {
-                ...credentials,
-                redirect: false,
+            // Use Better Auth signIn
+            const result = await better_auth_client_1.authClient.signIn.email({
+                email: credentials.email,
+                password: credentials.password,
             });
-            if (result?.ok) {
+            if (result?.data) {
                 logger_1.authLogger.info('[AuthStore] Sign in successful');
                 return true;
             }
             else {
-                const errorMessage = result?.error || 'Sign in failed';
+                const errorMessage = result?.error
+                    ? (typeof result.error === 'object' ? result.error.message : String(result.error))
+                    : 'Sign in failed';
                 set({ error: errorMessage, isLoading: false });
                 return false;
             }
@@ -291,8 +292,8 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
             rolesLastFetch: null,
         });
         try {
-            // Use NextAuth signOut
-            await (0, react_1.signOut)({ redirect: false });
+            // Use Better Auth signOut
+            await better_auth_client_1.authClient.signOut();
             logger_1.authLogger.info('[AuthStore] Sign out completed');
         }
         catch (error) {
@@ -361,9 +362,8 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
                     }
                 });
             }
-            // Step 6: Force NextAuth signOut (this should clear the session cookie)
-            const { signOut } = await Promise.resolve().then(() => __importStar(require('next-auth/react')));
-            await signOut({ redirect: false });
+            // Step 6: Force Better Auth signOut (this should clear the session cookie)
+            await better_auth_client_1.authClient.signOut();
             logger_1.authLogger.info('[AuthStore] Force logout completed, redirecting to login');
             // Step 7: Longer delay to ensure everything is processed
             await new Promise(resolve => setTimeout(resolve, 1000));
@@ -421,9 +421,8 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
                 if (token)
                     return token;
                 try {
-                    const { getSession } = await Promise.resolve().then(() => __importStar(require('next-auth/react')));
                     for (let attempt = 1; attempt <= 3 && !token; attempt++) {
-                        const s = await getSession();
+                        const { data: s } = await better_auth_client_1.authClient.getSession();
                         token = s?.sessionToken;
                         if (!token) {
                             await new Promise(r => setTimeout(r, 150));
@@ -431,7 +430,7 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
                     }
                 }
                 catch {
-                    logger_1.authLogger.warn('[AuthStore] Failed to resolve session token from NextAuth during refresh');
+                    logger_1.authLogger.warn('[AuthStore] Failed to resolve session token from Better Auth during refresh');
                 }
                 return token;
             };
@@ -504,15 +503,12 @@ exports.useAuthStore = (0, zustand_1.create)()((0, middleware_1.devtools)((set,
         logger_1.authLogger.info('[AuthStore] Starting session rehydration after token refresh');
         for (let attempt = 1; attempt <= maxRetries; attempt++) {
             try {
-                // Force NextAuth to reload the session from the session store
-                // This triggers the JWT callback which reads fresh data from Redis
-                const { getSession } = await Promise.resolve().then(() => __importStar(require('next-auth/react')));
+                // Force Better Auth to reload the session
                 logger_1.authLogger.debug(`[AuthStore] Rehydration attempt ${attempt}/${maxRetries}`);
-                // Force session refresh - this calls NextAuth's session endpoint
-                // which triggers JWT callback to read fresh tokens from Redis
-                const freshSession = await getSession();
+                // Force session refresh via Better Auth
+                const { data: freshSession } = await better_auth_client_1.authClient.getSession();
                 if (!freshSession) {
-                    throw new Error('No session returned from NextAuth after refresh');
+                    throw new Error('No session returned from Better Auth after refresh');
                 }
                 if (!freshSession.accessToken) {
                     throw new Error('Fresh session missing access token');

package/dist/utils/logout.js

@@ -9,7 +9,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.logout = logout;
-const react_1 = require("next-auth/react");
+const better_auth_client_1 = require("../client/better-auth-client");
 /**
  * Sign out the current user and redirect to login
  *
@@ -17,10 +17,10 @@ const react_1 = require("next-auth/react");
  */
 async function logout(redirectUrl = '/account-auth/login') {
     try {
-        await (0, react_1.signOut)({
-            callbackUrl: redirectUrl,
-            redirect: true,
-        });
+        await better_auth_client_1.authClient.signOut();
+        if (typeof window !== 'undefined') {
+            window.location.href = redirectUrl;
+        }
     }
     catch (error) {
         console.error('Logout error:', error);