@payez/next-mvp 3.9.1 → 4.0.0

package/src/auth/callbacks/session.ts

@@ -1,243 +0,0 @@
-/**
- * Session Callback
- *
- * Builds the NextAuth session from Redis session data.
- * The JWT only contains redisSessionId - all user data comes from Redis.
- *
- * FLOW:
- * 1. Extract redisSessionId from JWT token
- * 2. Fetch session data from Redis
- * 3. Build NextAuth session with user info
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-
-import type { Session } from 'next-auth';
-import type { JWT } from 'next-auth/jwt';
-import { getSession } from '../../lib/session-store';
-// NOTE: Using SessionData from models until Phase 3 normalizes names
-import type { SessionData } from '../../models/SessionModel';
-
-// ============================================================================
-// TYPES
-// ============================================================================
-
-interface SessionCallbackParams {
-  session: Session;
-  token: JWT & {
-    /** Redis session ID - the key to look up session data */
-    redisSessionId?: string;
-    error?: string;
-  };
-}
-
-interface AppSessionUser {
-  id: string;
-  email: string;
-  name?: string;
-  roles: string[];
-  // MFA status
-  twoFactorSessionVerified: boolean;
-  requiresTwoFactor: boolean;
-  // MFA claims from IDP token
-  authenticationMethods?: string[];
-  authenticationLevel?: string;
-  mfaCompletedAt?: number;
-  mfaExpiresAt?: number;
-  mfaValidityHours?: number;
-  // OAuth provider info
-  oauthProvider?: string;
-  // Multi-tenant IDP info
-  idpClientId?: string;
-  merchantId?: string;
-  // JWT signing key (from header, NOT client_id from payload)
-  bearerKeyId?: string;
-}
-
-interface AppSession extends Omit<Session, 'user'> {
-  user: AppSessionUser;
-  sessionToken?: string;
-  accessToken?: string;
-  refreshToken?: string;
-  accessTokenExpires?: number;
-  error?: string;
-}
-
-// ============================================================================
-// SESSION CALLBACK
-// ============================================================================
-
-/**
- * Session callback - builds NextAuth session from Redis.
- *
- * This callback is called whenever getSession() or useSession() is used.
- * It fetches the full session from Redis and exposes it to the client.
- *
- * @param params - Session callback parameters from NextAuth
- * @returns AppSession with user data from Redis
- */
-export async function sessionCallback({
-  session,
-  token,
-}: SessionCallbackParams): Promise<AppSession> {
-  // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-  const redisSessionId = (token as any)?.sessionToken || token?.redisSessionId;
-
-  console.log('[SESSION_CALLBACK] Entry:', {
-    hasToken: !!token,
-    redisSessionId: redisSessionId || 'MISSING',
-    tokenError: token?.error || 'none',
-    tokenKeys: token ? Object.keys(token) : [],
-  });
-
-  // -------------------------------------------------------------------------
-  // Handle Token Errors
-  // -------------------------------------------------------------------------
-
-  if (token.error) {
-    console.log('[SESSION_CALLBACK] Token has error:', token.error);
-    // Special case: MFA expired - return partial session for step-up flow
-    if (token.error === 'MfaExpired' && redisSessionId) {
-      const sessionData = await safeGetSession(redisSessionId as string);
-      if (sessionData) {
-        return {
-          ...session,
-          user: {
-            id: sessionData.userId,
-            email: sessionData.email,
-            name: sessionData.name,
-            roles: sessionData.roles || [],
-            twoFactorSessionVerified: false,
-            requiresTwoFactor: true,
-            authenticationMethods: sessionData.authenticationMethods,
-            authenticationLevel: sessionData.authenticationLevel,
-            mfaExpiresAt: sessionData.mfaExpiresAt,
-          },
-          sessionToken: redisSessionId as string,
-          accessToken: sessionData.idpAccessToken,
-          refreshToken: sessionData.idpRefreshToken,
-          error: 'MfaExpired',
-        };
-      }
-    }
-
-    // For other errors, try to recover session data if possible
-    if (redisSessionId) {
-      const sessionData = await safeGetSession(redisSessionId as string);
-      if (sessionData) {
-        return buildSessionFromRedis(session, redisSessionId as string, sessionData);
-      }
-    }
-
-    // No recovery possible - return error session
-    return buildErrorSession(session, token.error);
-  }
-
-  // -------------------------------------------------------------------------
-  // Validate Session Token
-  // -------------------------------------------------------------------------
-
-  if (!redisSessionId) {
-    console.log('[SESSION_CALLBACK] No redisSessionId - returning error session');
-    return buildErrorSession(session, 'NoSessionToken');
-  }
-
-  // -------------------------------------------------------------------------
-  // Fetch Session from Redis
-  // -------------------------------------------------------------------------
-
-  const sessionData = await safeGetSession(redisSessionId as string);
-
-  if (!sessionData) {
-    console.log('[SESSION_CALLBACK] Redis session not found for:', redisSessionId);
-    return buildErrorSession(session, 'SessionNotFound');
-  }
-
-  console.log('[SESSION_CALLBACK] Redis session found:', {
-    userId: sessionData.userId,
-    email: sessionData.email,
-    roles: sessionData.roles,
-    hasAccessToken: !!sessionData.idpAccessToken,
-  });
-
-  const result = buildSessionFromRedis(session, redisSessionId as string, sessionData);
-  console.log('[SESSION_CALLBACK] Returning:', {
-    userId: result.user.id,
-    roles: result.user.roles,
-    hasAccessToken: !!result.accessToken,
-  });
-  return result;
-}
-
-// ============================================================================
-// HELPER FUNCTIONS
-// ============================================================================
-
-/**
- * Safely fetch session from Redis, returning null on error.
- */
-async function safeGetSession(
-  sessionId: string
-): Promise<SessionData | null> {
-  try {
-    return await getSession(sessionId);
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Build complete session from Redis data.
- * Uses normalized field names from SessionData.
- */
-function buildSessionFromRedis(
-  session: Session,
-  sessionId: string,
-  data: SessionData
-): AppSession {
-  return {
-    ...session,
-    user: {
-      id: data.userId,
-      email: data.email,
-      name: data.name,
-      roles: data.roles || [],
-      // MFA state (normalized field name)
-      twoFactorSessionVerified: data.mfaVerified,
-      requiresTwoFactor: !data.mfaVerified,
-      authenticationMethods: data.authenticationMethods,
-      authenticationLevel: data.authenticationLevel,
-      mfaCompletedAt: data.mfaCompletedAt,
-      mfaExpiresAt: data.mfaExpiresAt,
-      mfaValidityHours: data.mfaValidityHours,
-      oauthProvider: data.oauthProvider,
-      idpClientId: data.idpClientId,
-      merchantId: data.merchantId,
-      // Bearer key ID from JWT header (may be undefined for old sessions)
-      bearerKeyId: data.bearerKeyId,
-    },
-    sessionToken: sessionId,
-    // IDP tokens (normalized field names)
-    accessToken: data.idpAccessToken,
-    refreshToken: data.idpRefreshToken,
-    accessTokenExpires: data.idpAccessTokenExpires,
-  };
-}
-
-/**
- * Build error session with empty user.
- */
-function buildErrorSession(session: Session, error: string): AppSession {
-  return {
-    ...session,
-    user: {
-      id: '',
-      email: '',
-      roles: [],
-      twoFactorSessionVerified: false,
-      requiresTwoFactor: false,
-    },
-    error,
-  };
-}

package/src/auth/callbacks/signin.ts

@@ -1,56 +0,0 @@
-/**
- * SignIn Callback
- *
- * Handles post-authentication actions like 2FA redirect.
- * Called after credentials or OAuth authentication succeeds.
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-
-import type { User, Account } from 'next-auth';
-
-// ============================================================================
-// SIGNIN CALLBACK
-// ============================================================================
-
-/**
- * SignIn callback - handle 2FA redirect for OAuth users.
- *
- * When require2FA is true for the client, OAuth users need to be
- * redirected to the verify-code page immediately after OAuth login.
- *
- * @param params - SignIn callback parameters from NextAuth
- * @returns true to allow sign-in, or a URL string to redirect
- */
-export async function signInCallback({
-  user,
-  account,
-}: {
-  user: User | any;
-  account: Account | null;
-}): Promise<boolean | string> {
-  // Only handle OAuth providers (credentials flow handles 2FA separately)
-  if (!account?.provider || account.provider === 'credentials') {
-    return true;
-  }
-
-  // Check if OAuth user needs 2FA redirect
-  const token = user as any;
-  if (token?.requiresTwoFactorRedirect) {
-    // Preserve the original callback URL through 2FA flow
-    const originalCallbackUrl = (account as any)?.callbackUrl || '/';
-
-    // Don't redirect back to auth pages after 2FA
-    const safeCallbackUrl = originalCallbackUrl.startsWith('/account-auth/')
-      ? '/'
-      : originalCallbackUrl;
-
-    const encodedCallback = encodeURIComponent(safeCallbackUrl);
-
-    // Return redirect URL - NextAuth will redirect here instead of completing sign-in
-    return `/account-auth/verify-code?callbackUrl=${encodedCallback}`;
-  }
-
-  return true;
-}

package/src/auth/events/index.ts

@@ -1,5 +0,0 @@
-/**
- * Auth Events - Public Exports
- */
-
-export { handleSignOut } from './signout';

package/src/auth/events/signout.ts

@@ -1,33 +0,0 @@
-/**
- * SignOut Event Handler
- *
- * Cleans up Redis session when user signs out.
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-
-import type { JWT } from 'next-auth/jwt';
-import { deleteSession } from '../../lib/session-store';
-
-// ============================================================================
-// SIGNOUT EVENT
-// ============================================================================
-
-/**
- * Handle user sign out by deleting Redis session.
- *
- * @param token - The JWT token containing the session ID
- */
-export async function handleSignOut({ token }: { token: JWT | null }): Promise<void> {
-  // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-  const redisSessionId = (token as any)?.sessionToken || (token as any)?.redisSessionId;
-
-  if (redisSessionId) {
-    try {
-      await deleteSession(redisSessionId);
-    } catch (error) {
-      console.error('[SIGNOUT_EVENT] Failed to delete session:', error);
-    }
-  }
-}

package/src/auth/providers/credentials.ts

@@ -1,256 +0,0 @@
-/**
- * Credentials Provider
- *
- * Handles email/password authentication via PayEz IDP.
- * Creates Redis session and returns minimal user object to NextAuth.
- *
- * FLOW:
- * 1. User submits email/password
- * 2. We call IDP /api/ExternalAuth/login
- * 3. IDP returns tokens if credentials valid
- * 4. We create Redis session with tokens
- * 5. Return user object with redisSessionId to NextAuth
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-
-import CredentialsProvider from 'next-auth/providers/credentials';
-import { createSession } from '../../lib/session-store';
-import { idpLogin } from '../utils/idp-client';
-import {
-  decodeIdpAccessToken,
-  extractEmailFromToken,
-  extractRolesFromToken,
-  extractAmrFromToken,
-  expClaimToMs,
-  extractKidFromToken,
-} from '../utils/token-utils';
-import type { AuthorizeResult, LoginCredentials } from '../types/auth-types';
-import { toRedisSessionId } from '../types/auth-types';
-// NOTE: Using any for sessionData until Phase 3 normalizes types
-
-// ============================================================================
-// CREDENTIALS PROVIDER
-// ============================================================================
-
-/**
- * Create the CredentialsProvider for NextAuth.
- *
- * This provider handles email/password login. The authorize function
- * is called when a user submits the login form.
- */
-export function createCredentialsProvider() {
-  return CredentialsProvider({
-    id: 'credentials',
-    name: 'Credentials',
-    credentials: {
-      email: { label: 'Email', type: 'email' },
-      password: { label: 'Password', type: 'password' },
-    },
-    authorize: authorizeCredentials,
-  });
-}
-
-/**
- * Authorize user with email/password.
- *
- * This is the core authentication function. It:
- * 1. Validates credentials with IDP
- * 2. Decodes the returned tokens
- * 3. Creates a Redis session
- * 4. Returns user info for NextAuth JWT
- *
- * @param credentials - Email and password from login form
- * @param req - The incoming request (for IP/UA forwarding)
- * @returns User object for NextAuth, or null/throws on failure
- */
-async function authorizeCredentials(
-  credentials: Record<'email' | 'password', string> | undefined,
-  req: any
-): Promise<AuthorizeResult | null> {
-  // -------------------------------------------------------------------------
-  // Validate Input
-  // -------------------------------------------------------------------------
-
-  if (!credentials?.email || !credentials?.password) {
-    throw new Error('Email and password required');
-  }
-
-  const loginCredentials: LoginCredentials = {
-    email: credentials.email,
-    password: credentials.password,
-  };
-
-  // Extract client info for audit logging
-  const clientHeaders = extractClientHeaders(req);
-
-  // -------------------------------------------------------------------------
-  // Call IDP
-  // -------------------------------------------------------------------------
-
-  const loginResult = await idpLogin(loginCredentials, clientHeaders);
-
-  if (!loginResult.success || !loginResult.result) {
-    // Build structured error for frontend
-    const errorResponse = buildAuthError(loginResult.error);
-    throw new Error(JSON.stringify(errorResponse));
-  }
-
-  const { access_token, refresh_token, user: idpUser } = loginResult.result;
-
-  // -------------------------------------------------------------------------
-  // Decode Token
-  // -------------------------------------------------------------------------
-
-  const decoded = decodeIdpAccessToken(access_token);
-  if (!decoded) {
-    throw new Error('Failed to decode token');
-  }
-
-  // Extract kid from JWT header (CRITICAL: this is different from client_id in payload)
-  const bearerKeyId = extractKidFromToken(access_token);
-  if (bearerKeyId) {
-    console.log('[CREDENTIALS] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
-  } else {
-    console.warn('[CREDENTIALS] No kid found in JWT header - token may be unsigned or malformed');
-  }
-
-  // Extract claims from token
-  const email = extractEmailFromToken(decoded);
-  const roles = extractRolesFromToken(decoded);
-  const amrClaims = extractAmrFromToken(decoded);
-  const acrLevel = decoded.acr || '1';
-  const userId = decoded.sub;
-
-  // Check if 2FA is complete based on ACR level
-  // ACR=1: Provisional token (requires 2FA)
-  // ACR=2: Full authentication (2FA complete)
-  const mfaVerified = acrLevel === '2';
-
-  // Decode refresh token expiry if available
-  let refreshTokenExpires: number | undefined;
-  try {
-    const refreshDecoded = decodeIdpAccessToken(refresh_token);
-    if (refreshDecoded?.exp) {
-      refreshTokenExpires = expClaimToMs(refreshDecoded.exp);
-    }
-  } catch {
-    // Ignore - will use default expiry
-  }
-
-  // -------------------------------------------------------------------------
-  // Create Redis Session
-  // -------------------------------------------------------------------------
-
-  // Using normalized field names (session-store handles backward compatibility)
-  const sessionData: any = {
-    userId,
-    email,
-    roles,
-    // IDP tokens (normalized names)
-    idpAccessToken: access_token,
-    idpRefreshToken: refresh_token,
-    idpAccessTokenExpires: expClaimToMs(decoded.exp),
-    idpRefreshTokenExpires: refreshTokenExpires,
-    decodedAccessToken: decoded,
-    // Bearer key ID from JWT header (NOT client_id from payload)
-    bearerKeyId,
-    // MFA state (normalized names)
-    mfaVerified,
-    authenticationMethods: amrClaims,
-    authenticationLevel: acrLevel,
-    // MFA timing info from token
-    mfaCompletedAt: decoded.mfa_time ? expClaimToMs(decoded.mfa_time) : undefined,
-    mfaExpiresAt: decoded.mfa_expires ? expClaimToMs(decoded.mfa_expires) : undefined,
-    mfaValidityHours: decoded.mfa_validity_hours,
-  };
-
-  // Determine MFA method from IDP user info
-  let mfaMethod: 'email' | 'sms' | 'totp' | undefined;
-  if (idpUser?.isEmailConfirmed) {
-    mfaMethod = 'email';
-  } else if (idpUser?.isSmsConfirmed) {
-    mfaMethod = 'sms';
-  }
-
-  if (mfaMethod) {
-    sessionData.mfaMethod = mfaMethod;
-  }
-
-  // Create the Redis session
-  const redisSessionId = await createSession(sessionData);
-
-  // -------------------------------------------------------------------------
-  // Return User Object for NextAuth
-  // -------------------------------------------------------------------------
-
-  // NextAuth requires 'id' field - we use userId from IDP
-  // The redisSessionId is passed through to the JWT callback
-  return {
-    id: userId,
-    email,
-    roles,
-    redisSessionId: toRedisSessionId(redisSessionId),
-    mfaRequired: !mfaVerified,
-    mfaMethod,
-  };
-}
-
-// ============================================================================
-// HELPER FUNCTIONS
-// ============================================================================
-
-/**
- * Extract client headers from request for audit logging.
- */
-function extractClientHeaders(req: any): { ip?: string; userAgent?: string } {
-  const headers: { ip?: string; userAgent?: string } = {};
-
-  // Extract client IP
-  const forwardedFor = req?.headers?.['x-forwarded-for'];
-  const realIp = req?.headers?.['x-real-ip'];
-
-  if (forwardedFor) {
-    const ip = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0].trim();
-    headers.ip = ip;
-  } else if (realIp) {
-    headers.ip = Array.isArray(realIp) ? realIp[0] : realIp;
-  }
-
-  // Extract User-Agent
-  const userAgent = req?.headers?.['user-agent'];
-  if (userAgent) {
-    headers.userAgent = Array.isArray(userAgent) ? userAgent[0] : userAgent;
-  }
-
-  return headers;
-}
-
-/**
- * Build structured error response for frontend.
- *
- * The frontend expects a specific error structure to display
- * appropriate messages and handle things like lockout.
- */
-function buildAuthError(error?: { code: string; message: string; details?: any }): object {
-  if (!error) {
-    return {
-      success: false,
-      error: {
-        code: 'AUTH_ERROR',
-        message: 'Authentication failed',
-        details: {},
-      },
-    };
-  }
-
-  return {
-    success: false,
-    error: {
-      code: error.code || 'AUTH_ERROR',
-      message: error.message || 'Authentication failed',
-      details: error.details || {},
-    },
-  };
-}

package/src/auth/providers/index.ts

@@ -1,6 +0,0 @@
-/**
- * Auth Providers - Public Exports
- */
-
-export * from './credentials';
-export * from './oauth';