@payez/next-mvp 3.9.1 → 4.0.1

package/src/lib/token-lifecycle.ts

@@ -21,10 +21,8 @@
  */
 
 import { NextRequest } from 'next/server';
-import { getToken } from 'next-auth/jwt';
-import { getSession, SessionData } from './session-store';
-import { getJwtCookieName } from './app-slug';
-import { getIDPClientConfig } from './idp-client-config';
+import { getSession as getRedisSession, SessionData } from './session-store';
+import { getSession as getBetterAuthSession } from '../server/auth';
 
 // 5 minute threshold for "needs refresh" - matches refresh handler pattern
 const REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
@@ -79,7 +77,7 @@ async function waitForConcurrentRefresh(
   while (Date.now() - startTime < maxWaitMs) {
     await delay(CONCURRENT_REFRESH_POLL_INTERVAL_MS);
 
-    const sessionData = await getSession(sessionToken);
+    const sessionData = await getRedisSession(sessionToken);
 
     if (!sessionData) {
       return { success: false };
@@ -208,7 +206,7 @@ async function triggerRefresh(
       if (response.status === 401 && retryCount < maxRetries) {
         await delay(REFRESH_RETRY_DELAY_MS);
 
-        const sessionData = await getSession(sessionToken);
+        const sessionData = await getRedisSession(sessionToken);
         if (sessionData && !needsRefresh(sessionData.idpAccessTokenExpires)) {
           return { success: true };
         }
@@ -230,7 +228,7 @@ async function triggerRefresh(
     // On network error, check if maybe another request refreshed the token
     if (retryCount < maxRetries) {
       await delay(REFRESH_RETRY_DELAY_MS);
-      const sessionData = await getSession(sessionToken);
+      const sessionData = await getRedisSession(sessionToken);
       if (sessionData && !needsRefresh(sessionData.idpAccessTokenExpires)) {
         return { success: true };
       }
@@ -266,54 +264,15 @@ async function triggerRefresh(
  * }
  * ```
  */
-/**
- * Get NextAuth secret from IDP config (cached).
- * NEVER use process.env.NEXTAUTH_SECRET directly - it may not be set.
- */
-async function getNextAuthSecret(): Promise<string> {
-  const config = await getIDPClientConfig();
-  return config.nextAuthSecret || '';
-}
-
 export async function ensureFreshToken(
   request: NextRequest
 ): Promise<EnsureFreshTokenResult> {
   try {
-    // 1. Get NextAuth JWT to extract sessionToken
-    // Use IDP config to get the secret (same as viability.ts)
-    const secret = await getNextAuthSecret();
-    if (!secret) {
-      console.error('[TOKEN_LIFECYCLE] NEXTAUTH_SECRET not available from IDP config');
-      return { success: false, error: 'NO_SESSION', message: 'Auth not configured' };
-    }
-    const cookieName = getJwtCookieName();
-    const token = await getToken({
-      req: request,
-      secret,
-      cookieName,
-    });
+    // 1. Get Better Auth session to extract sessionToken
+    const betterAuthSession = await getBetterAuthSession(request);
 
-    // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-    const sessionTokenFromJwt = (token?.sessionToken || token?.redisSessionId) as string | undefined;
-    if (!sessionTokenFromJwt) {
-      // Debug: log what we got including cookie presence and value info
-      const cookieHeader = request.headers.get('cookie') || '';
-      const hasCookie = cookieHeader.includes(cookieName);
-
-      // Extract the actual cookie value to check if it's empty
-      const cookieMatch = cookieHeader.match(new RegExp(`${cookieName}=([^;]*)`));
-      const cookieValue = cookieMatch ? cookieMatch[1] : null;
-      const cookieValueLength = cookieValue?.length || 0;
-
-      console.warn('[TOKEN_LIFECYCLE] NO_SESSION -', {
-        token: token ? 'exists but no sessionToken/redisSessionId' : 'null',
-        cookieName,
-        hasCookie,
-        cookieValueLength,
-        cookieValuePreview: cookieValue ? cookieValue.substring(0, 20) + '...' : 'EMPTY',
-        cookieHeaderLength: cookieHeader.length,
-        secretLength: secret.length,
-      });
+    if (!betterAuthSession?.session?.token) {
+      console.warn('[TOKEN_LIFECYCLE] NO_SESSION - Better Auth session not found');
       return {
         success: false,
         error: 'NO_SESSION',
@@ -321,10 +280,10 @@ export async function ensureFreshToken(
       };
     }
 
-    const sessionToken = sessionTokenFromJwt;
+    const sessionToken = betterAuthSession.session.token;
 
     // 2. Get session data from Redis
-    let sessionData = await getSession(sessionToken);
+    let sessionData = await getRedisSession(sessionToken);
 
     if (!sessionData) {
       return {
@@ -405,7 +364,7 @@ export async function ensureFreshToken(
       }
 
       // 5. Re-fetch session data after refresh
-      sessionData = await getSession(sessionToken);
+      sessionData = await getRedisSession(sessionToken);
       console.log('[TOKEN_LIFECYCLE] After refresh:', {
         hasAccessToken: !!sessionData?.idpAccessToken,
         newAccessTokenExpires: sessionData?.idpAccessTokenExpires

package/src/pages/admin-login/page.tsx

@@ -17,7 +17,7 @@
 'use client';
 
 import React, { useState } from 'react';
-import { signIn } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useSearchParams } from 'next/navigation';
 import { Suspense } from 'react';
 import { useBranding, useColors } from '../../theme/useTheme';
@@ -57,26 +57,18 @@ function AdminLoginForm({
     setError(null);
 
     try {
-      const result = await signIn('credentials', {
+      const result = await authClient.signIn.email({
         email,
         password,
-        redirect: false,
-        callbackUrl,
+        callbackURL: callbackUrl,
       });
 
-      if (result?.error) {
-        // Parse structured error if available
-        try {
-          const errorData = JSON.parse(result.error);
-          setError(errorData.message || errorData.error?.message || 'Invalid credentials');
-        } catch {
-          if (result.error === 'CredentialsSignin') {
-            setError('Invalid email or password');
-          } else {
-            setError(result.error);
-          }
-        }
-      } else if (result?.ok) {
+      if ((result as any)?.error) {
+        const errorMsg = typeof (result as any).error === 'object'
+          ? ((result as any).error as any).message || 'Invalid credentials'
+          : String((result as any).error);
+        setError(errorMsg);
+      } else if (result?.data) {
         // Redirect to verify-code for 2FA or directly to callback
         window.location.href = `/account-auth/verify-code?callbackUrl=${encodeURIComponent(callbackUrl)}`;
       }

package/src/pages/client-admin/ClientSiteAdminPage.tsx

@@ -45,7 +45,7 @@
  */
 
 import React, { useEffect, useState, useCallback } from 'react';
-import { useSession } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useRouter } from 'next/navigation';
 import Link from 'next/link';
 
@@ -122,7 +122,9 @@ export function ClientSiteAdminPage({
   backUrl = '/',
   backLabel = 'Back to Site',
 }: ClientSiteAdminProps) {
-  const { data: session, status } = useSession();
+  const { data: sessionData, isPending } = authClient.useSession();
+  const session = sessionData;
+  const status = isPending ? 'loading' : session ? 'authenticated' : 'unauthenticated';
   const router = useRouter();
 
   // Theme detection

package/src/pages/login/page.tsx

@@ -23,7 +23,7 @@
 'use client';
 
 import React, { useState, useEffect } from 'react';
-import { signIn, useSession, getSession } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useSearchParams } from 'next/navigation';
 import { Suspense } from 'react';
 import ReservedStatusBox from '../../components/reserved/ReservedStatusBox';
@@ -35,7 +35,9 @@ function LoginForm() {
   const callbackUrl = searchParams?.get('callbackUrl') || '/dashboard';
   const urlError = searchParams?.get('error');
 
-  const { data: session, status } = useSession();
+  const { data: sessionData, isPending } = authClient.useSession();
+  const session = sessionData;
+  const status = isPending ? 'loading' : session ? 'authenticated' : 'unauthenticated';
   const branding = useBranding();
   const colors = useColors();
   const layout = useLayout();
@@ -128,40 +130,31 @@ function LoginForm() {
 
     try {
       console.log('[LOGIN] Starting authentication...');
-      const result = await signIn('credentials', {
+      const result = await authClient.signIn.email({
         email,
         password,
-        redirect: false,
-        callbackUrl,
+        callbackURL: callbackUrl,
       });
 
-      if (result?.error) {
-        console.log('[LOGIN] Authentication failed:', result.error);
+      if ((result as any)?.error) {
+        console.log('[LOGIN] Authentication failed:', (result as any).error);
 
         setIsSubmitting(false);
         setLoading(false);
         setLoginSuccess(false);
 
-        try {
-          const errorData = JSON.parse(result.error);
-          const passwordError = errorData.error?.details?.errors?.find((e: any) => e.field_name === 'password');
-
-          if (passwordError) {
-            // Show recovery options on ANY password error
-            console.log('[LOGIN] Password error detected - showing recovery options');
-            setShowRecoveryOptions(true);
-            setLoginError(passwordError.message);
-          } else {
-            setLoginError(result.error);
-          }
-        } catch {
-          if (result.error.includes('Unable to connect')) {
-            setLoginError('The authentication service is currently unavailable. Please try again later.');
-          } else if (result.error === 'CredentialsSignin') {
-            setLoginError('Invalid email or password. Please try again.');
-          } else {
-            setLoginError(result.error);
-          }
+        const errorMsg = typeof (result as any).error === 'object'
+          ? ((result as any).error as any).message || 'Authentication failed'
+          : String((result as any).error);
+
+        if (errorMsg.includes('password') || errorMsg.includes('Password')) {
+          console.log('[LOGIN] Password error detected - showing recovery options');
+          setShowRecoveryOptions(true);
+          setLoginError(errorMsg);
+        } else if (errorMsg.includes('Unable to connect')) {
+          setLoginError('The authentication service is currently unavailable. Please try again later.');
+        } else {
+          setLoginError(errorMsg);
         }
         return;
       }
@@ -173,7 +166,7 @@ function LoginForm() {
       setIsSubmitting(false);
 
       // Get updated session
-      const freshSession = await getSession();
+      const freshSession = await authClient.getSession();
       console.log('[LOGIN] Fresh session obtained, redirecting to 2FA...');
 
       // Redirect to verify-code for 2FA

package/src/pages/showcase/ShowcasePage.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import { useSession } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useState, useEffect, useRef, useCallback } from 'react';
 import Link from 'next/link';
 
@@ -113,7 +113,9 @@ function DemoButton({ variant, children, onClick }: DemoButtonProps) {
  * ```
  */
 export function ShowcasePage() {
-  const { data: session, status } = useSession();
+  const { data: sessionData, isPending } = authClient.useSession();
+  const session = sessionData;
+  const status = isPending ? 'loading' : session ? 'authenticated' : 'unauthenticated';
   const isDarkMode = useDarkMode();
   const [toastVisible, setToastVisible] = useState(false);
   const [toastMessage, setToastMessage] = useState('');

package/src/pages/test-env/EmergencyLogoutPage.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import { signOut, useSession } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useState, useEffect } from 'react';
 
 /**
@@ -16,7 +16,8 @@ import { useState, useEffect } from 'react';
  * ```
  */
 export function EmergencyLogoutPage() {
-  const { status } = useSession();
+  const { data: sessionData, isPending } = authClient.useSession();
+  const status = isPending ? 'loading' : sessionData ? 'authenticated' : 'unauthenticated';
   const [isDarkMode, setIsDarkMode] = useState(false);
   const [isLoggingOut, setIsLoggingOut] = useState(false);
   const [logoutComplete, setLogoutComplete] = useState(false);
@@ -70,10 +71,10 @@ export function EmergencyLogoutPage() {
       sessionStorage.clear();
       addLog('sessionStorage cleared');
 
-      // Step 4: Call NextAuth signOut
-      addLog('Calling NextAuth signOut...');
-      await signOut({ redirect: false });
-      addLog('NextAuth signOut complete');
+      // Step 4: Call Better Auth signOut
+      addLog('Calling Better Auth signOut...');
+      await authClient.signOut();
+      addLog('Better Auth signOut complete');
 
       // Step 5: Clear any auth-related fetch cache
       addLog('Invalidating caches...');

package/src/pages/test-env/JwtInspectPage.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import { useSession } from 'next-auth/react';
+import { authClient } from '../../client/better-auth-client';
 import { useState, useEffect } from 'react';
 
 // Decode JWT header (contains kid, alg, typ)
@@ -42,7 +42,9 @@ function decodeJwtPayload(token: string): any {
  * ```
  */
 export function JwtInspectPage() {
-  const { data: session, status } = useSession();
+  const { data: sessionData, isPending } = authClient.useSession();
+  const session = sessionData;
+  const status = isPending ? 'loading' : session ? 'authenticated' : 'unauthenticated';
   const [copied, setCopied] = useState<string | null>(null);
   const [isDarkMode, setIsDarkMode] = useState(false);
   const [jwtHeader, setJwtHeader] = useState<any>(null);
@@ -319,7 +321,7 @@ export function JwtInspectPage() {
           <div className="grid grid-cols-1 md:grid-cols-2 gap-3 text-sm">
             <InfoRow
               label="Session Expires"
-              value={session?.expires ? new Date(session.expires).toISOString() : undefined}
+              value={(session as any)?.expires ? new Date((session as any).expires).toISOString() : undefined}
               labelClass={labelClass}
               valueClass={valueClass}
             />