@payez/next-mvp 3.9.1 → 4.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +6 -18
- package/src/api/auth-handler.ts +550 -549
- package/src/api-handlers/account/change-password.ts +5 -8
- package/src/api-handlers/admin/analytics.ts +4 -6
- package/src/api-handlers/admin/audit.ts +5 -7
- package/src/api-handlers/admin/index.ts +1 -2
- package/src/api-handlers/admin/redis-sessions.ts +6 -8
- package/src/api-handlers/admin/sessions.ts +5 -7
- package/src/api-handlers/admin/site-logs.ts +8 -10
- package/src/api-handlers/admin/stats.ts +4 -6
- package/src/api-handlers/admin/users.ts +5 -7
- package/src/api-handlers/admin/vibe-data.ts +10 -12
- package/src/api-handlers/auth/refresh.ts +5 -7
- package/src/api-handlers/auth/signout.ts +5 -6
- package/src/api-handlers/auth/status.ts +4 -7
- package/src/api-handlers/auth/update-session.ts +123 -125
- package/src/api-handlers/auth/verify-code.ts +9 -13
- package/src/api-handlers/session/viability.ts +10 -47
- package/src/api-handlers/test/force-expire.ts +4 -11
- package/src/auth/auth-decision.ts +1 -1
- package/src/auth/better-auth.ts +138 -141
- package/src/auth/route-config.ts +219 -219
- package/src/auth/utils/token-utils.ts +0 -1
- package/src/client/AuthContext.tsx +6 -2
- package/src/client/fetch-with-auth.ts +47 -47
- package/src/components/SessionSync.tsx +6 -5
- package/src/components/account/MobileNavDrawer.tsx +3 -3
- package/src/components/account/UserAvatarMenu.tsx +6 -3
- package/src/components/admin/VibeAdminLayout.tsx +4 -2
- package/src/config/logger.ts +1 -1
- package/src/hooks/useAuth.ts +117 -115
- package/src/hooks/useAuthSettings.ts +2 -2
- package/src/hooks/useAvailableProviders.ts +9 -5
- package/src/hooks/useSessionExpiration.ts +101 -102
- package/src/hooks/useViabilitySession.ts +336 -335
- package/src/index.ts +60 -63
- package/src/lib/api-handler.ts +0 -1
- package/src/lib/app-slug.ts +6 -6
- package/src/lib/standardized-client-api.ts +901 -895
- package/src/lib/startup-init.ts +243 -247
- package/src/lib/test-aware-get-token.ts +22 -12
- package/src/lib/token-lifecycle.ts +12 -53
- package/src/pages/admin-login/page.tsx +9 -17
- package/src/pages/client-admin/ClientSiteAdminPage.tsx +4 -2
- package/src/pages/login/page.tsx +21 -28
- package/src/pages/showcase/ShowcasePage.tsx +4 -2
- package/src/pages/test-env/EmergencyLogoutPage.tsx +7 -6
- package/src/pages/test-env/JwtInspectPage.tsx +5 -3
- package/src/pages/test-env/RefreshTokenPage.tsx +157 -155
- package/src/pages/test-env/TestEnvPage.tsx +4 -2
- package/src/pages/verify-code/page.tsx +10 -6
- package/src/routes/auth/logout.ts +7 -25
- package/src/routes/auth/nextauth.ts +45 -71
- package/src/routes/auth/session.ts +25 -50
- package/src/routes/auth/viability.ts +7 -19
- package/src/server/auth.ts +60 -0
- package/src/stores/authStore.ts +1899 -1904
- package/src/utils/logout.ts +30 -30
- package/dist/api/auth-handler.d.ts +0 -67
- package/dist/api/auth-handler.js +0 -397
- package/dist/api/index.d.ts +0 -10
- package/dist/api/index.js +0 -19
- package/dist/api-handlers/account/change-password.d.ts +0 -9
- package/dist/api-handlers/account/change-password.js +0 -112
- package/dist/api-handlers/account/masked-info.d.ts +0 -2
- package/dist/api-handlers/account/masked-info.js +0 -41
- package/dist/api-handlers/account/profile.d.ts +0 -3
- package/dist/api-handlers/account/profile.js +0 -63
- package/dist/api-handlers/account/recovery/initiate.d.ts +0 -2
- package/dist/api-handlers/account/recovery/initiate.js +0 -26
- package/dist/api-handlers/account/recovery/send-code.d.ts +0 -2
- package/dist/api-handlers/account/recovery/send-code.js +0 -28
- package/dist/api-handlers/account/recovery/verify-code.d.ts +0 -2
- package/dist/api-handlers/account/recovery/verify-code.js +0 -28
- package/dist/api-handlers/account/reset-password.d.ts +0 -2
- package/dist/api-handlers/account/reset-password.js +0 -26
- package/dist/api-handlers/account/send-code.d.ts +0 -24
- package/dist/api-handlers/account/send-code.js +0 -60
- package/dist/api-handlers/account/update-phone.d.ts +0 -27
- package/dist/api-handlers/account/update-phone.js +0 -64
- package/dist/api-handlers/account/validate-password.d.ts +0 -17
- package/dist/api-handlers/account/validate-password.js +0 -81
- package/dist/api-handlers/account/verify-email.d.ts +0 -26
- package/dist/api-handlers/account/verify-email.js +0 -106
- package/dist/api-handlers/account/verify-sms.d.ts +0 -26
- package/dist/api-handlers/account/verify-sms.js +0 -106
- package/dist/api-handlers/admin/analytics.d.ts +0 -20
- package/dist/api-handlers/admin/analytics.js +0 -379
- package/dist/api-handlers/admin/audit.d.ts +0 -20
- package/dist/api-handlers/admin/audit.js +0 -214
- package/dist/api-handlers/admin/index.d.ts +0 -22
- package/dist/api-handlers/admin/index.js +0 -43
- package/dist/api-handlers/admin/redis-sessions.d.ts +0 -36
- package/dist/api-handlers/admin/redis-sessions.js +0 -204
- package/dist/api-handlers/admin/sessions.d.ts +0 -21
- package/dist/api-handlers/admin/sessions.js +0 -284
- package/dist/api-handlers/admin/site-logs.d.ts +0 -46
- package/dist/api-handlers/admin/site-logs.js +0 -318
- package/dist/api-handlers/admin/stats.d.ts +0 -21
- package/dist/api-handlers/admin/stats.js +0 -240
- package/dist/api-handlers/admin/users.d.ts +0 -20
- package/dist/api-handlers/admin/users.js +0 -222
- package/dist/api-handlers/admin/vibe-data.d.ts +0 -80
- package/dist/api-handlers/admin/vibe-data.js +0 -268
- package/dist/api-handlers/anon/preferences.d.ts +0 -37
- package/dist/api-handlers/anon/preferences.js +0 -96
- package/dist/api-handlers/auth/jwks.d.ts +0 -2
- package/dist/api-handlers/auth/jwks.js +0 -24
- package/dist/api-handlers/auth/login.d.ts +0 -42
- package/dist/api-handlers/auth/login.js +0 -178
- package/dist/api-handlers/auth/refresh.d.ts +0 -74
- package/dist/api-handlers/auth/refresh.js +0 -635
- package/dist/api-handlers/auth/signout.d.ts +0 -37
- package/dist/api-handlers/auth/signout.js +0 -187
- package/dist/api-handlers/auth/status.d.ts +0 -8
- package/dist/api-handlers/auth/status.js +0 -26
- package/dist/api-handlers/auth/update-session.d.ts +0 -37
- package/dist/api-handlers/auth/update-session.js +0 -95
- package/dist/api-handlers/auth/validate.d.ts +0 -6
- package/dist/api-handlers/auth/validate.js +0 -43
- package/dist/api-handlers/auth/verify-code.d.ts +0 -43
- package/dist/api-handlers/auth/verify-code.js +0 -94
- package/dist/api-handlers/session/refresh-viability.d.ts +0 -14
- package/dist/api-handlers/session/refresh-viability.js +0 -39
- package/dist/api-handlers/session/viability.d.ts +0 -13
- package/dist/api-handlers/session/viability.js +0 -146
- package/dist/api-handlers/test/force-expire.d.ts +0 -23
- package/dist/api-handlers/test/force-expire.js +0 -65
- package/dist/auth/auth-decision.d.ts +0 -39
- package/dist/auth/auth-decision.js +0 -182
- package/dist/auth/auth-options.d.ts +0 -57
- package/dist/auth/auth-options.js +0 -213
- package/dist/auth/better-auth.d.ts +0 -82
- package/dist/auth/better-auth.js +0 -122
- package/dist/auth/callbacks/index.d.ts +0 -6
- package/dist/auth/callbacks/index.js +0 -12
- package/dist/auth/callbacks/jwt.d.ts +0 -45
- package/dist/auth/callbacks/jwt.js +0 -305
- package/dist/auth/callbacks/session.d.ts +0 -60
- package/dist/auth/callbacks/session.js +0 -170
- package/dist/auth/callbacks/signin.d.ts +0 -23
- package/dist/auth/callbacks/signin.js +0 -44
- package/dist/auth/events/index.d.ts +0 -4
- package/dist/auth/events/index.js +0 -8
- package/dist/auth/events/signout.d.ts +0 -17
- package/dist/auth/events/signout.js +0 -32
- package/dist/auth/providers/credentials.d.ts +0 -32
- package/dist/auth/providers/credentials.js +0 -223
- package/dist/auth/providers/index.d.ts +0 -5
- package/dist/auth/providers/index.js +0 -21
- package/dist/auth/providers/oauth.d.ts +0 -26
- package/dist/auth/providers/oauth.js +0 -105
- package/dist/auth/route-config.d.ts +0 -66
- package/dist/auth/route-config.js +0 -190
- package/dist/auth/types/auth-types.d.ts +0 -417
- package/dist/auth/types/auth-types.js +0 -53
- package/dist/auth/types/index.d.ts +0 -6
- package/dist/auth/types/index.js +0 -22
- package/dist/auth/unauthenticated-routes.d.ts +0 -1
- package/dist/auth/unauthenticated-routes.js +0 -19
- package/dist/auth/utils/idp-client.d.ts +0 -94
- package/dist/auth/utils/idp-client.js +0 -384
- package/dist/auth/utils/index.d.ts +0 -5
- package/dist/auth/utils/index.js +0 -21
- package/dist/auth/utils/token-utils.d.ts +0 -84
- package/dist/auth/utils/token-utils.js +0 -219
- package/dist/client/AuthContext.d.ts +0 -19
- package/dist/client/AuthContext.js +0 -112
- package/dist/client/better-auth-client.d.ts +0 -1020
- package/dist/client/better-auth-client.js +0 -68
- package/dist/client/fetch-with-auth.d.ts +0 -11
- package/dist/client/fetch-with-auth.js +0 -44
- package/dist/client/fetchWithSession.d.ts +0 -3
- package/dist/client/fetchWithSession.js +0 -24
- package/dist/client/index.d.ts +0 -9
- package/dist/client/index.js +0 -20
- package/dist/client/useAnonSession.d.ts +0 -36
- package/dist/client/useAnonSession.js +0 -99
- package/dist/components/SessionSync.d.ts +0 -13
- package/dist/components/SessionSync.js +0 -119
- package/dist/components/SignalRHealthCheck.d.ts +0 -10
- package/dist/components/SignalRHealthCheck.js +0 -97
- package/dist/components/account/MobileNavDrawer.d.ts +0 -32
- package/dist/components/account/MobileNavDrawer.js +0 -81
- package/dist/components/account/UserAvatarMenu.d.ts +0 -20
- package/dist/components/account/UserAvatarMenu.js +0 -88
- package/dist/components/account/index.d.ts +0 -9
- package/dist/components/account/index.js +0 -13
- package/dist/components/admin/AlertSettingsTab.d.ts +0 -48
- package/dist/components/admin/AlertSettingsTab.js +0 -351
- package/dist/components/admin/AnalyticsTab.d.ts +0 -22
- package/dist/components/admin/AnalyticsTab.js +0 -167
- package/dist/components/admin/DataBrowserTab.d.ts +0 -19
- package/dist/components/admin/DataBrowserTab.js +0 -252
- package/dist/components/admin/LoggingSettingsTab.d.ts +0 -73
- package/dist/components/admin/LoggingSettingsTab.js +0 -339
- package/dist/components/admin/SessionsTab.d.ts +0 -37
- package/dist/components/admin/SessionsTab.js +0 -165
- package/dist/components/admin/StatsTab.d.ts +0 -53
- package/dist/components/admin/StatsTab.js +0 -161
- package/dist/components/admin/VibeAdminContext.d.ts +0 -32
- package/dist/components/admin/VibeAdminContext.js +0 -38
- package/dist/components/admin/VibeAdminLayout.d.ts +0 -11
- package/dist/components/admin/VibeAdminLayout.js +0 -69
- package/dist/components/admin/index.d.ts +0 -29
- package/dist/components/admin/index.js +0 -44
- package/dist/components/auth/FederatedAuthSection.d.ts +0 -8
- package/dist/components/auth/FederatedAuthSection.js +0 -45
- package/dist/components/auth/ModeAwareLoginPage.d.ts +0 -10
- package/dist/components/auth/ModeAwareLoginPage.js +0 -42
- package/dist/components/auth/ModeAwareSignupPage.d.ts +0 -9
- package/dist/components/auth/ModeAwareSignupPage.js +0 -78
- package/dist/components/auth/TraditionalAuthSection.d.ts +0 -14
- package/dist/components/auth/TraditionalAuthSection.js +0 -20
- package/dist/components/recovery/CompleteStep.d.ts +0 -5
- package/dist/components/recovery/CompleteStep.js +0 -8
- package/dist/components/recovery/InitiateRecoveryStep.d.ts +0 -8
- package/dist/components/recovery/InitiateRecoveryStep.js +0 -20
- package/dist/components/recovery/SelectMethodStep.d.ts +0 -8
- package/dist/components/recovery/SelectMethodStep.js +0 -8
- package/dist/components/recovery/SetPasswordStep.d.ts +0 -6
- package/dist/components/recovery/SetPasswordStep.js +0 -20
- package/dist/components/recovery/VerifyCodeStep.d.ts +0 -10
- package/dist/components/recovery/VerifyCodeStep.js +0 -24
- package/dist/components/reserved/ReservedRecoveryWarning.d.ts +0 -38
- package/dist/components/reserved/ReservedRecoveryWarning.js +0 -92
- package/dist/components/reserved/ReservedStatusBox.d.ts +0 -30
- package/dist/components/reserved/ReservedStatusBox.js +0 -71
- package/dist/components/ui/BetaBadge.d.ts +0 -29
- package/dist/components/ui/BetaBadge.js +0 -38
- package/dist/components/ui/Footer.d.ts +0 -37
- package/dist/components/ui/Footer.js +0 -41
- package/dist/config/env.d.ts +0 -66
- package/dist/config/env.js +0 -57
- package/dist/config/logger.d.ts +0 -57
- package/dist/config/logger.js +0 -73
- package/dist/config/logging-config.d.ts +0 -30
- package/dist/config/logging-config.js +0 -122
- package/dist/config/unauthenticated-routes.d.ts +0 -17
- package/dist/config/unauthenticated-routes.js +0 -24
- package/dist/config/vibe-log-transport.d.ts +0 -81
- package/dist/config/vibe-log-transport.js +0 -212
- package/dist/edge/internal-api-url.d.ts +0 -53
- package/dist/edge/internal-api-url.js +0 -63
- package/dist/edge/middleware.d.ts +0 -14
- package/dist/edge/middleware.js +0 -32
- package/dist/hooks/useAuth.d.ts +0 -23
- package/dist/hooks/useAuth.js +0 -81
- package/dist/hooks/useAuthSettings.d.ts +0 -59
- package/dist/hooks/useAuthSettings.js +0 -93
- package/dist/hooks/useAvailableProviders.d.ts +0 -45
- package/dist/hooks/useAvailableProviders.js +0 -108
- package/dist/hooks/usePasswordValidation.d.ts +0 -27
- package/dist/hooks/usePasswordValidation.js +0 -102
- package/dist/hooks/useProfile.d.ts +0 -15
- package/dist/hooks/useProfile.js +0 -59
- package/dist/hooks/usePublicAuthSettings.d.ts +0 -56
- package/dist/hooks/usePublicAuthSettings.js +0 -131
- package/dist/hooks/useSessionExpiration.d.ts +0 -57
- package/dist/hooks/useSessionExpiration.js +0 -72
- package/dist/hooks/useViabilitySession.d.ts +0 -75
- package/dist/hooks/useViabilitySession.js +0 -268
- package/dist/index.d.ts +0 -12
- package/dist/index.js +0 -55
- package/dist/lib/anon-session.d.ts +0 -74
- package/dist/lib/anon-session.js +0 -169
- package/dist/lib/api-handler.d.ts +0 -123
- package/dist/lib/api-handler.js +0 -478
- package/dist/lib/app-slug.d.ts +0 -95
- package/dist/lib/app-slug.js +0 -172
- package/dist/lib/demo-mode.d.ts +0 -6
- package/dist/lib/demo-mode.js +0 -16
- package/dist/lib/geolocation.d.ts +0 -64
- package/dist/lib/geolocation.js +0 -235
- package/dist/lib/idp-client-config.d.ts +0 -75
- package/dist/lib/idp-client-config.js +0 -425
- package/dist/lib/idp-fetch.d.ts +0 -14
- package/dist/lib/idp-fetch.js +0 -91
- package/dist/lib/internal-api.d.ts +0 -87
- package/dist/lib/internal-api.js +0 -122
- package/dist/lib/jwt-decode-client.d.ts +0 -10
- package/dist/lib/jwt-decode-client.js +0 -46
- package/dist/lib/jwt-decode.d.ts +0 -48
- package/dist/lib/jwt-decode.js +0 -57
- package/dist/lib/nextauth-secret.d.ts +0 -10
- package/dist/lib/nextauth-secret.js +0 -100
- package/dist/lib/rate-limit-service.d.ts +0 -23
- package/dist/lib/rate-limit-service.js +0 -6
- package/dist/lib/redis.d.ts +0 -5
- package/dist/lib/redis.js +0 -28
- package/dist/lib/refresh-token-validator.d.ts +0 -13
- package/dist/lib/refresh-token-validator.js +0 -117
- package/dist/lib/roles.d.ts +0 -145
- package/dist/lib/roles.js +0 -168
- package/dist/lib/secret-validation.d.ts +0 -4
- package/dist/lib/secret-validation.js +0 -14
- package/dist/lib/session-store.d.ts +0 -170
- package/dist/lib/session-store.js +0 -545
- package/dist/lib/session.d.ts +0 -21
- package/dist/lib/session.js +0 -26
- package/dist/lib/site-logger.d.ts +0 -214
- package/dist/lib/site-logger.js +0 -210
- package/dist/lib/standardized-client-api.d.ts +0 -161
- package/dist/lib/standardized-client-api.js +0 -786
- package/dist/lib/startup-init.d.ts +0 -40
- package/dist/lib/startup-init.js +0 -261
- package/dist/lib/test-aware-get-token.d.ts +0 -2
- package/dist/lib/test-aware-get-token.js +0 -81
- package/dist/lib/token-expiry.d.ts +0 -14
- package/dist/lib/token-expiry.js +0 -39
- package/dist/lib/token-lifecycle.d.ts +0 -52
- package/dist/lib/token-lifecycle.js +0 -398
- package/dist/lib/types/api-responses.d.ts +0 -128
- package/dist/lib/types/api-responses.js +0 -171
- package/dist/lib/user-agent-parser.d.ts +0 -50
- package/dist/lib/user-agent-parser.js +0 -220
- package/dist/logging/api/admin-analytics.d.ts +0 -3
- package/dist/logging/api/admin-analytics.js +0 -45
- package/dist/logging/api/audit-log.d.ts +0 -3
- package/dist/logging/api/audit-log.js +0 -52
- package/dist/logging/components/AdminAnalyticsLayout.d.ts +0 -10
- package/dist/logging/components/AdminAnalyticsLayout.js +0 -11
- package/dist/logging/components/AuditLogViewer.d.ts +0 -7
- package/dist/logging/components/AuditLogViewer.js +0 -51
- package/dist/logging/components/ErrorMetricsCard.d.ts +0 -7
- package/dist/logging/components/ErrorMetricsCard.js +0 -16
- package/dist/logging/components/HealthMetricsCard.d.ts +0 -7
- package/dist/logging/components/HealthMetricsCard.js +0 -19
- package/dist/logging/hooks/useAdminAnalytics.d.ts +0 -24
- package/dist/logging/hooks/useAdminAnalytics.js +0 -22
- package/dist/logging/hooks/useAuditLog.d.ts +0 -6
- package/dist/logging/hooks/useAuditLog.js +0 -25
- package/dist/logging/hooks/useErrorMetrics.d.ts +0 -6
- package/dist/logging/hooks/useErrorMetrics.js +0 -38
- package/dist/logging/hooks/useHealthMetrics.d.ts +0 -6
- package/dist/logging/hooks/useHealthMetrics.js +0 -41
- package/dist/logging/index.d.ts +0 -11
- package/dist/logging/index.js +0 -40
- package/dist/logging/types/analytics.d.ts +0 -68
- package/dist/logging/types/analytics.js +0 -3
- package/dist/logging/types/audit.d.ts +0 -29
- package/dist/logging/types/audit.js +0 -2
- package/dist/logging/types/index.d.ts +0 -2
- package/dist/logging/types/index.js +0 -19
- package/dist/middleware/auth-decision.d.ts +0 -33
- package/dist/middleware/auth-decision.js +0 -65
- package/dist/middleware/create-middleware.d.ts +0 -102
- package/dist/middleware/create-middleware.js +0 -469
- package/dist/middleware/rbac-check.d.ts +0 -51
- package/dist/middleware/rbac-check.js +0 -219
- package/dist/middleware/twofa-presets.d.ts +0 -134
- package/dist/middleware/twofa-presets.js +0 -175
- package/dist/models/DecodedAccessToken.d.ts +0 -17
- package/dist/models/DecodedAccessToken.js +0 -2
- package/dist/models/SessionModel.d.ts +0 -122
- package/dist/models/SessionModel.js +0 -136
- package/dist/pages/admin-login/page.d.ts +0 -31
- package/dist/pages/admin-login/page.js +0 -83
- package/dist/pages/admin-page-permissions/PagePermissionsAdminPage.d.ts +0 -18
- package/dist/pages/admin-page-permissions/PagePermissionsAdminPage.js +0 -276
- package/dist/pages/admin-page-permissions/index.d.ts +0 -6
- package/dist/pages/admin-page-permissions/index.js +0 -13
- package/dist/pages/admin-roles/RolesAdminPage.d.ts +0 -16
- package/dist/pages/admin-roles/RolesAdminPage.js +0 -261
- package/dist/pages/admin-roles/index.d.ts +0 -8
- package/dist/pages/admin-roles/index.js +0 -15
- package/dist/pages/admin-roles/modals.d.ts +0 -72
- package/dist/pages/admin-roles/modals.js +0 -154
- package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +0 -79
- package/dist/pages/client-admin/ClientSiteAdminPage.js +0 -177
- package/dist/pages/client-admin/index.d.ts +0 -32
- package/dist/pages/client-admin/index.js +0 -37
- package/dist/pages/coming-soon/page.d.ts +0 -8
- package/dist/pages/coming-soon/page.js +0 -28
- package/dist/pages/login/page.d.ts +0 -22
- package/dist/pages/login/page.js +0 -239
- package/dist/pages/profile/EnhancedProfilePage.d.ts +0 -13
- package/dist/pages/profile/EnhancedProfilePage.js +0 -150
- package/dist/pages/profile/index.d.ts +0 -8
- package/dist/pages/profile/index.js +0 -16
- package/dist/pages/profile/page.d.ts +0 -19
- package/dist/pages/profile/page.js +0 -47
- package/dist/pages/profile/profile-patch.d.ts +0 -1
- package/dist/pages/profile/profile-patch.js +0 -281
- package/dist/pages/recovery/page.d.ts +0 -1
- package/dist/pages/recovery/page.js +0 -142
- package/dist/pages/roles/MyRolesPage.d.ts +0 -24
- package/dist/pages/roles/MyRolesPage.js +0 -71
- package/dist/pages/roles/components.d.ts +0 -63
- package/dist/pages/roles/components.js +0 -108
- package/dist/pages/roles/index.d.ts +0 -8
- package/dist/pages/roles/index.js +0 -19
- package/dist/pages/security/EnhancedSecurityPage.d.ts +0 -14
- package/dist/pages/security/EnhancedSecurityPage.js +0 -248
- package/dist/pages/security/index.d.ts +0 -8
- package/dist/pages/security/index.js +0 -16
- package/dist/pages/security/page.d.ts +0 -21
- package/dist/pages/security/page.js +0 -212
- package/dist/pages/security/security-patch.d.ts +0 -1
- package/dist/pages/security/security-patch.js +0 -302
- package/dist/pages/settings/EnhancedSettingsPage.d.ts +0 -46
- package/dist/pages/settings/EnhancedSettingsPage.js +0 -231
- package/dist/pages/settings/index.d.ts +0 -8
- package/dist/pages/settings/index.js +0 -16
- package/dist/pages/settings/page.d.ts +0 -7
- package/dist/pages/settings/page.js +0 -26
- package/dist/pages/showcase/ShowcasePage.d.ts +0 -13
- package/dist/pages/showcase/ShowcasePage.js +0 -140
- package/dist/pages/showcase/index.d.ts +0 -12
- package/dist/pages/showcase/index.js +0 -17
- package/dist/pages/test-env/EmergencyLogoutPage.d.ts +0 -14
- package/dist/pages/test-env/EmergencyLogoutPage.js +0 -98
- package/dist/pages/test-env/JwtInspectPage.d.ts +0 -14
- package/dist/pages/test-env/JwtInspectPage.js +0 -114
- package/dist/pages/test-env/RefreshTokenPage.d.ts +0 -15
- package/dist/pages/test-env/RefreshTokenPage.js +0 -91
- package/dist/pages/test-env/TestEnvPage.d.ts +0 -13
- package/dist/pages/test-env/TestEnvPage.js +0 -49
- package/dist/pages/test-env/index.d.ts +0 -24
- package/dist/pages/test-env/index.js +0 -32
- package/dist/pages/verify-code/page.d.ts +0 -30
- package/dist/pages/verify-code/page.js +0 -408
- package/dist/routes/account/index.d.ts +0 -28
- package/dist/routes/account/index.js +0 -71
- package/dist/routes/account/masked-info.d.ts +0 -33
- package/dist/routes/account/masked-info.js +0 -39
- package/dist/routes/account/send-code.d.ts +0 -37
- package/dist/routes/account/send-code.js +0 -42
- package/dist/routes/account/update-phone.d.ts +0 -13
- package/dist/routes/account/update-phone.js +0 -17
- package/dist/routes/account/verify-email.d.ts +0 -38
- package/dist/routes/account/verify-email.js +0 -43
- package/dist/routes/account/verify-sms.d.ts +0 -38
- package/dist/routes/account/verify-sms.js +0 -43
- package/dist/routes/auth/index.d.ts +0 -19
- package/dist/routes/auth/index.js +0 -64
- package/dist/routes/auth/logout.d.ts +0 -31
- package/dist/routes/auth/logout.js +0 -113
- package/dist/routes/auth/nextauth.d.ts +0 -19
- package/dist/routes/auth/nextauth.js +0 -72
- package/dist/routes/auth/refresh.d.ts +0 -30
- package/dist/routes/auth/refresh.js +0 -51
- package/dist/routes/auth/session.d.ts +0 -43
- package/dist/routes/auth/session.js +0 -179
- package/dist/routes/auth/settings.d.ts +0 -25
- package/dist/routes/auth/settings.js +0 -55
- package/dist/routes/auth/viability.d.ts +0 -52
- package/dist/routes/auth/viability.js +0 -201
- package/dist/routes/index.d.ts +0 -12
- package/dist/routes/index.js +0 -54
- package/dist/routes/session/index.d.ts +0 -6
- package/dist/routes/session/index.js +0 -10
- package/dist/routes/session/refresh-viability.d.ts +0 -16
- package/dist/routes/session/refresh-viability.js +0 -20
- package/dist/server/auth-guard.d.ts +0 -46
- package/dist/server/auth-guard.js +0 -128
- package/dist/server/decode-session.d.ts +0 -30
- package/dist/server/decode-session.js +0 -78
- package/dist/server/slim-middleware.d.ts +0 -23
- package/dist/server/slim-middleware.js +0 -89
- package/dist/server/with-auth.d.ts +0 -33
- package/dist/server/with-auth.js +0 -59
- package/dist/services/signalrActivityService.d.ts +0 -44
- package/dist/services/signalrActivityService.js +0 -257
- package/dist/stores/authStore.d.ts +0 -154
- package/dist/stores/authStore.js +0 -1531
- package/dist/theme/ThemeProvider.d.ts +0 -14
- package/dist/theme/ThemeProvider.js +0 -28
- package/dist/theme/default.d.ts +0 -8
- package/dist/theme/default.js +0 -33
- package/dist/theme/index.d.ts +0 -15
- package/dist/theme/index.js +0 -25
- package/dist/theme/types.d.ts +0 -56
- package/dist/theme/types.js +0 -8
- package/dist/theme/useTheme.d.ts +0 -60
- package/dist/theme/useTheme.js +0 -63
- package/dist/theme/utils.d.ts +0 -13
- package/dist/theme/utils.js +0 -39
- package/dist/types/api.d.ts +0 -134
- package/dist/types/api.js +0 -44
- package/dist/types/auth.d.ts +0 -19
- package/dist/types/auth.js +0 -2
- package/dist/types/logging.d.ts +0 -42
- package/dist/types/logging.js +0 -2
- package/dist/types/recovery.d.ts +0 -48
- package/dist/types/recovery.js +0 -2
- package/dist/types/security.d.ts +0 -1
- package/dist/types/security.js +0 -2
- package/dist/utils/api.d.ts +0 -85
- package/dist/utils/api.js +0 -287
- package/dist/utils/circuitBreaker.d.ts +0 -43
- package/dist/utils/circuitBreaker.js +0 -91
- package/dist/utils/error-message.d.ts +0 -1
- package/dist/utils/error-message.js +0 -103
- package/dist/utils/layout/reservedSpace.d.ts +0 -59
- package/dist/utils/layout/reservedSpace.js +0 -102
- package/dist/utils/logout.d.ts +0 -14
- package/dist/utils/logout.js +0 -32
- package/dist/vibe/client.d.ts +0 -261
- package/dist/vibe/client.js +0 -445
- package/dist/vibe/enterprise-auth.d.ts +0 -106
- package/dist/vibe/enterprise-auth.js +0 -173
- package/dist/vibe/errors.d.ts +0 -83
- package/dist/vibe/errors.js +0 -146
- package/dist/vibe/generic.d.ts +0 -234
- package/dist/vibe/generic.js +0 -369
- package/dist/vibe/hooks/index.d.ts +0 -169
- package/dist/vibe/hooks/index.js +0 -252
- package/dist/vibe/index.d.ts +0 -25
- package/dist/vibe/index.js +0 -72
- package/dist/vibe/sessions.d.ts +0 -161
- package/dist/vibe/sessions.js +0 -391
- package/dist/vibe/types.d.ts +0 -353
- package/dist/vibe/types.js +0 -315
- package/src/auth/auth-options.ts +0 -237
- package/src/auth/callbacks/index.ts +0 -7
- package/src/auth/callbacks/jwt.ts +0 -382
- package/src/auth/callbacks/session.ts +0 -243
- package/src/auth/callbacks/signin.ts +0 -56
- package/src/auth/events/index.ts +0 -5
- package/src/auth/events/signout.ts +0 -33
- package/src/auth/providers/credentials.ts +0 -256
- package/src/auth/providers/index.ts +0 -6
- package/src/auth/providers/oauth.ts +0 -114
- package/src/lib/nextauth-secret.ts +0 -121
- package/src/types/next-auth.d.ts +0 -15
package/src/api/auth-handler.ts
CHANGED
|
@@ -1,550 +1,551 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Enhanced Auth Handler with Coordinated Token Refresh
|
|
3
|
-
*
|
|
4
|
-
* Provides a middleware wrapper that automatically handles token lifecycle:
|
|
5
|
-
* - Checks token expiry before each request
|
|
6
|
-
* - Automatically refreshes expired or near-expired tokens
|
|
7
|
-
* - Uses Redis locks for coordinated refresh (prevents race conditions)
|
|
8
|
-
* - Retries requests on 401 responses with fresh tokens
|
|
9
|
-
*
|
|
10
|
-
* Pattern ported from website-membership simple-api-handler.ts
|
|
11
|
-
*
|
|
12
|
-
* @version 2.1.0
|
|
13
|
-
* @since auth-ready-v2
|
|
14
|
-
*/
|
|
15
|
-
|
|
16
|
-
import { NextRequest, NextResponse } from 'next/server';
|
|
17
|
-
import {
|
|
18
|
-
import { nanoid } from 'nanoid';
|
|
19
|
-
import {
|
|
20
|
-
getSession,
|
|
21
|
-
updateSession,
|
|
22
|
-
acquireRefreshLock,
|
|
23
|
-
releaseRefreshLock,
|
|
24
|
-
checkRefreshLock,
|
|
25
|
-
type SessionData
|
|
26
|
-
} from '../lib/session-store';
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
export interface AuthContext {
|
|
30
|
-
token:
|
|
31
|
-
accessToken: string;
|
|
32
|
-
userId: string;
|
|
33
|
-
sessionToken: string;
|
|
34
|
-
refreshToken?: string;
|
|
35
|
-
}
|
|
36
|
-
|
|
37
|
-
export interface AuthHandlerOptions {
|
|
38
|
-
/** Whether authentication is required for this route (default: true) */
|
|
39
|
-
requireAuth?: boolean;
|
|
40
|
-
|
|
41
|
-
/** Automatically refresh expired or near-expired tokens (default: true) */
|
|
42
|
-
autoRefresh?: boolean;
|
|
43
|
-
|
|
44
|
-
/** Buffer time in seconds before token expiry to trigger refresh (default: 300 = 5 minutes) */
|
|
45
|
-
refreshBuffer?: number;
|
|
46
|
-
|
|
47
|
-
/** Retry request on 401 response after refreshing token (default: true) */
|
|
48
|
-
retryOn401?: boolean;
|
|
49
|
-
|
|
50
|
-
/** Maximum number of retry attempts on 401 (default: 1) */
|
|
51
|
-
maxRetries?: number;
|
|
52
|
-
|
|
53
|
-
/** NextAuth secret for JWT decoding */
|
|
54
|
-
nextAuthSecret?: string;
|
|
55
|
-
|
|
56
|
-
/** IDP base URL for refresh requests */
|
|
57
|
-
idpBaseUrl?: string;
|
|
58
|
-
|
|
59
|
-
/** OAuth client ID */
|
|
60
|
-
clientId?: string;
|
|
61
|
-
}
|
|
62
|
-
|
|
63
|
-
export type HandlerFunction = (
|
|
64
|
-
req: NextRequest,
|
|
65
|
-
context: any,
|
|
66
|
-
auth: AuthContext
|
|
67
|
-
) => Promise<NextResponse | Response>;
|
|
68
|
-
|
|
69
|
-
interface RefreshResult {
|
|
70
|
-
success: boolean;
|
|
71
|
-
accessToken?: string;
|
|
72
|
-
refreshToken?: string;
|
|
73
|
-
expiresIn?: number;
|
|
74
|
-
error?: string;
|
|
75
|
-
}
|
|
76
|
-
|
|
77
|
-
/**
|
|
78
|
-
* Creates an auth-aware handler with automatic token refresh
|
|
79
|
-
*
|
|
80
|
-
* @example
|
|
81
|
-
* ```typescript
|
|
82
|
-
* import { createAuthHandler } from '@payez/next-mvp/api';
|
|
83
|
-
*
|
|
84
|
-
* const handler = createAuthHandler({ requireAuth: true });
|
|
85
|
-
*
|
|
86
|
-
* export const GET = handler.handle(async (req, context, auth) => {
|
|
87
|
-
* // auth.accessToken is guaranteed to be fresh
|
|
88
|
-
* const response = await fetch('https://api.example.com/data', {
|
|
89
|
-
* headers: { 'Authorization': `Bearer ${auth.accessToken}` }
|
|
90
|
-
* });
|
|
91
|
-
* return NextResponse.json(await response.json());
|
|
92
|
-
* });
|
|
93
|
-
* ```
|
|
94
|
-
*/
|
|
95
|
-
export function createAuthHandler(options: AuthHandlerOptions = {}) {
|
|
96
|
-
const {
|
|
97
|
-
requireAuth = true,
|
|
98
|
-
autoRefresh = true,
|
|
99
|
-
refreshBuffer = 60, // 60 seconds - matches website-membership proven threshold
|
|
100
|
-
retryOn401 = true,
|
|
101
|
-
maxRetries = 1,
|
|
102
|
-
nextAuthSecret = process.env.NEXTAUTH_SECRET,
|
|
103
|
-
idpBaseUrl = process.env.IDP_URL,
|
|
104
|
-
clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID
|
|
105
|
-
} = options;
|
|
106
|
-
|
|
107
|
-
/**
|
|
108
|
-
* Performs coordinated token refresh with Redis locking
|
|
109
|
-
* This prevents multiple concurrent requests from all trying to refresh simultaneously
|
|
110
|
-
*/
|
|
111
|
-
async function performCoordinatedRefresh(
|
|
112
|
-
sessionToken: string,
|
|
113
|
-
requestId: string
|
|
114
|
-
): Promise<RefreshResult> {
|
|
115
|
-
// Check if refresh is already in progress
|
|
116
|
-
const existingLock = await checkRefreshLock(sessionToken);
|
|
117
|
-
|
|
118
|
-
if (existingLock) {
|
|
119
|
-
console.info('[AUTH_HANDLER] Refresh already in progress, waiting...', {
|
|
120
|
-
requestId,
|
|
121
|
-
lockOwner: existingLock.acquiredBy,
|
|
122
|
-
lockAge: Date.now() - existingLock.acquiredAt
|
|
123
|
-
});
|
|
124
|
-
|
|
125
|
-
// Wait for the refresh to complete
|
|
126
|
-
const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
|
|
127
|
-
if (waitResult.success) {
|
|
128
|
-
// Get the fresh token from session
|
|
129
|
-
const freshSession = await getSession(sessionToken);
|
|
130
|
-
if (freshSession?.accessToken) {
|
|
131
|
-
return {
|
|
132
|
-
success: true,
|
|
133
|
-
accessToken: freshSession.accessToken,
|
|
134
|
-
refreshToken: freshSession.refreshToken,
|
|
135
|
-
expiresIn: freshSession.accessTokenExpires
|
|
136
|
-
? Math.floor((freshSession.accessTokenExpires - Date.now()) / 1000)
|
|
137
|
-
: undefined
|
|
138
|
-
};
|
|
139
|
-
}
|
|
140
|
-
}
|
|
141
|
-
return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
|
|
142
|
-
}
|
|
143
|
-
|
|
144
|
-
// Try to acquire the refresh lock
|
|
145
|
-
const lockAcquired = await acquireRefreshLock(sessionToken, requestId, 5000);
|
|
146
|
-
|
|
147
|
-
if (!lockAcquired) {
|
|
148
|
-
// Another request grabbed the lock, wait for it
|
|
149
|
-
console.info('[AUTH_HANDLER] Failed to acquire lock, waiting for other request', { requestId });
|
|
150
|
-
const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
|
|
151
|
-
if (waitResult.success) {
|
|
152
|
-
const freshSession = await getSession(sessionToken);
|
|
153
|
-
if (freshSession?.accessToken) {
|
|
154
|
-
return {
|
|
155
|
-
success: true,
|
|
156
|
-
accessToken: freshSession.accessToken,
|
|
157
|
-
refreshToken: freshSession.refreshToken
|
|
158
|
-
};
|
|
159
|
-
}
|
|
160
|
-
}
|
|
161
|
-
return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
|
|
162
|
-
}
|
|
163
|
-
|
|
164
|
-
try {
|
|
165
|
-
// Double-check if tokens are still stale after acquiring lock
|
|
166
|
-
const latestSession = await getSession(sessionToken);
|
|
167
|
-
if (latestSession && !tokenNeedsRefresh(latestSession, refreshBuffer)) {
|
|
168
|
-
console.info('[AUTH_HANDLER] Tokens already fresh after acquiring lock, skipping refresh', { requestId });
|
|
169
|
-
return {
|
|
170
|
-
success: true,
|
|
171
|
-
accessToken: latestSession.accessToken,
|
|
172
|
-
refreshToken: latestSession.refreshToken
|
|
173
|
-
};
|
|
174
|
-
}
|
|
175
|
-
|
|
176
|
-
// Actually perform the refresh
|
|
177
|
-
return await executeRefresh(sessionToken, latestSession);
|
|
178
|
-
|
|
179
|
-
} finally {
|
|
180
|
-
// Always release the lock
|
|
181
|
-
await releaseRefreshLock(sessionToken, requestId);
|
|
182
|
-
}
|
|
183
|
-
}
|
|
184
|
-
|
|
185
|
-
/**
|
|
186
|
-
* Wait for an in-progress refresh to complete
|
|
187
|
-
*/
|
|
188
|
-
async function waitForRefreshCompletion(
|
|
189
|
-
sessionToken: string,
|
|
190
|
-
requestId: string,
|
|
191
|
-
maxWaitMs: number
|
|
192
|
-
): Promise<{ success: boolean; reason?: string }> {
|
|
193
|
-
const startTime = Date.now();
|
|
194
|
-
const pollInterval = 100;
|
|
195
|
-
|
|
196
|
-
while (Date.now() - startTime < maxWaitMs) {
|
|
197
|
-
const lockExists = await checkRefreshLock(sessionToken);
|
|
198
|
-
|
|
199
|
-
if (!lockExists) {
|
|
200
|
-
// Lock released, check if tokens are fresh
|
|
201
|
-
const session = await getSession(sessionToken);
|
|
202
|
-
if (session?.accessToken && !tokenNeedsRefresh(session, refreshBuffer)) {
|
|
203
|
-
return { success: true };
|
|
204
|
-
} else {
|
|
205
|
-
return { success: false, reason: 'Lock released but tokens not fresh' };
|
|
206
|
-
}
|
|
207
|
-
}
|
|
208
|
-
|
|
209
|
-
await new Promise(resolve => setTimeout(resolve, pollInterval));
|
|
210
|
-
}
|
|
211
|
-
|
|
212
|
-
return { success: false, reason: `Timeout waiting for refresh (${maxWaitMs}ms)` };
|
|
213
|
-
}
|
|
214
|
-
|
|
215
|
-
/**
|
|
216
|
-
* Check if token needs refresh based on expiry and buffer
|
|
217
|
-
*/
|
|
218
|
-
function tokenNeedsRefresh(session: SessionData, bufferSeconds: number): boolean {
|
|
219
|
-
if (!session.accessToken) return true;
|
|
220
|
-
|
|
221
|
-
const expires = session.accessTokenExpires || 0;
|
|
222
|
-
const bufferMs = bufferSeconds * 1000;
|
|
223
|
-
const timeUntilExpiry = expires - Date.now();
|
|
224
|
-
|
|
225
|
-
return timeUntilExpiry <= bufferMs;
|
|
226
|
-
}
|
|
227
|
-
|
|
228
|
-
/**
|
|
229
|
-
* Execute the actual token refresh against IDP
|
|
230
|
-
*/
|
|
231
|
-
async function executeRefresh(
|
|
232
|
-
sessionToken: string,
|
|
233
|
-
currentSession: SessionData | null
|
|
234
|
-
): Promise<RefreshResult> {
|
|
235
|
-
try {
|
|
236
|
-
if (!idpBaseUrl || !clientId) {
|
|
237
|
-
console.error('[AUTH_HANDLER] Missing IDP configuration for refresh');
|
|
238
|
-
return { success: false, error: 'Missing IDP configuration' };
|
|
239
|
-
}
|
|
240
|
-
|
|
241
|
-
if (!currentSession) {
|
|
242
|
-
console.error('[AUTH_HANDLER] No session found for refresh');
|
|
243
|
-
return { success: false, error: 'No session found' };
|
|
244
|
-
}
|
|
245
|
-
|
|
246
|
-
if (!currentSession.refreshToken) {
|
|
247
|
-
console.error('[AUTH_HANDLER] No refresh token available');
|
|
248
|
-
return { success: false, error: 'No refresh token' };
|
|
249
|
-
}
|
|
250
|
-
|
|
251
|
-
// Extract authentication methods from session
|
|
252
|
-
const authMethods = (currentSession as any).authMethods ||
|
|
253
|
-
((currentSession as any).token?.amr ? JSON.parse((currentSession as any).token.amr) : ['pwd', 'mfa']);
|
|
254
|
-
const authLevel = String((currentSession as any).authenticationLevel || (currentSession as any).token?.acr || '2');
|
|
255
|
-
const twoFactorMethod = (currentSession as any).twoFactorMethod || 'authenticator';
|
|
256
|
-
|
|
257
|
-
// Build refresh request body
|
|
258
|
-
const refreshRequestBody: any = {
|
|
259
|
-
refresh_token: currentSession.refreshToken,
|
|
260
|
-
amr: authMethods,
|
|
261
|
-
acr: authLevel
|
|
262
|
-
};
|
|
263
|
-
|
|
264
|
-
if ((currentSession as any).twoFactorComplete) {
|
|
265
|
-
refreshRequestBody.two_factor_verified = true;
|
|
266
|
-
}
|
|
267
|
-
if (twoFactorMethod) {
|
|
268
|
-
refreshRequestBody.two_factor_method = twoFactorMethod;
|
|
269
|
-
}
|
|
270
|
-
if ((currentSession as any).mfaCompletedAt) {
|
|
271
|
-
refreshRequestBody.two_factor_completed_at = new Date((currentSession as any).mfaCompletedAt).toISOString();
|
|
272
|
-
}
|
|
273
|
-
|
|
274
|
-
console.info('[AUTH_HANDLER] Executing refresh against IDP', {
|
|
275
|
-
sessionToken: sessionToken.substring(0, 8) + '...',
|
|
276
|
-
hasRefreshToken: true
|
|
277
|
-
});
|
|
278
|
-
|
|
279
|
-
const response = await fetch(`${idpBaseUrl}/api/ExternalAuth/refresh`, {
|
|
280
|
-
method: 'POST',
|
|
281
|
-
headers: {
|
|
282
|
-
'Content-Type': 'application/json',
|
|
283
|
-
'X-Client-Id': clientId,
|
|
284
|
-
},
|
|
285
|
-
body: JSON.stringify(refreshRequestBody),
|
|
286
|
-
});
|
|
287
|
-
|
|
288
|
-
if (!response.ok) {
|
|
289
|
-
const errorText = await response.text().catch(() => 'Unknown error');
|
|
290
|
-
console.error('[AUTH_HANDLER] Refresh failed:', response.status, errorText);
|
|
291
|
-
return { success: false, error: `Refresh failed: ${response.status}` };
|
|
292
|
-
}
|
|
293
|
-
|
|
294
|
-
const data = await response.json();
|
|
295
|
-
|
|
296
|
-
if (data.success === false) {
|
|
297
|
-
return { success: false, error: data.error?.message || data.message || 'Refresh failed' };
|
|
298
|
-
}
|
|
299
|
-
|
|
300
|
-
const tokenData = data.data || data;
|
|
301
|
-
|
|
302
|
-
if (!tokenData.access_token) {
|
|
303
|
-
console.error('[AUTH_HANDLER] No access token in refresh response');
|
|
304
|
-
return { success: false, error: 'No access token received' };
|
|
305
|
-
}
|
|
306
|
-
|
|
307
|
-
// Update session with new tokens
|
|
308
|
-
const updatedSession = {
|
|
309
|
-
...currentSession,
|
|
310
|
-
accessToken: tokenData.access_token,
|
|
311
|
-
refreshToken: tokenData.refresh_token || currentSession.refreshToken,
|
|
312
|
-
accessTokenExpires: tokenData.expires_in
|
|
313
|
-
? Date.now() + (tokenData.expires_in * 1000)
|
|
314
|
-
: Date.now() + (3600 * 1000),
|
|
315
|
-
};
|
|
316
|
-
|
|
317
|
-
await updateSession(sessionToken, updatedSession);
|
|
318
|
-
|
|
319
|
-
console.info('[AUTH_HANDLER] Token refresh successful', {
|
|
320
|
-
newExpiry: new Date(updatedSession.accessTokenExpires).toISOString()
|
|
321
|
-
});
|
|
322
|
-
|
|
323
|
-
return {
|
|
324
|
-
success: true,
|
|
325
|
-
accessToken: tokenData.access_token,
|
|
326
|
-
refreshToken: tokenData.refresh_token,
|
|
327
|
-
expiresIn: tokenData.expires_in,
|
|
328
|
-
};
|
|
329
|
-
} catch (error) {
|
|
330
|
-
console.error('[AUTH_HANDLER] Refresh exception:', error);
|
|
331
|
-
return { success: false, error: error instanceof Error ? error.message : 'Refresh failed' };
|
|
332
|
-
}
|
|
333
|
-
}
|
|
334
|
-
|
|
335
|
-
/**
|
|
336
|
-
* Checks if auth context token needs refresh based on expiry and buffer
|
|
337
|
-
*/
|
|
338
|
-
function needsRefresh(auth: AuthContext): boolean {
|
|
339
|
-
if (!autoRefresh) return false;
|
|
340
|
-
|
|
341
|
-
// Check if we have token expiry information
|
|
342
|
-
const token = auth.token as any;
|
|
343
|
-
const expiresAt = token.accessTokenExpires || token.exp;
|
|
344
|
-
|
|
345
|
-
if (!expiresAt) {
|
|
346
|
-
// No expiry info, can't determine if refresh needed
|
|
347
|
-
return false;
|
|
348
|
-
}
|
|
349
|
-
|
|
350
|
-
const now = Math.floor(Date.now() / 1000);
|
|
351
|
-
const expiryTime = typeof expiresAt === 'number' && expiresAt > 1000000000000
|
|
352
|
-
? Math.floor(expiresAt / 1000) // Convert milliseconds to seconds
|
|
353
|
-
: expiresAt;
|
|
354
|
-
|
|
355
|
-
// Check if token expires within the buffer period
|
|
356
|
-
return (expiryTime - now) <= refreshBuffer;
|
|
357
|
-
}
|
|
358
|
-
|
|
359
|
-
/**
|
|
360
|
-
* Generate a unique request ID for coordinated refresh
|
|
361
|
-
*/
|
|
362
|
-
function generateRequestId(): string {
|
|
363
|
-
return nanoid();
|
|
364
|
-
}
|
|
365
|
-
|
|
366
|
-
/**
|
|
367
|
-
* Main handler wrapper
|
|
368
|
-
*/
|
|
369
|
-
return {
|
|
370
|
-
handle: (handler: HandlerFunction) => {
|
|
371
|
-
return async (req: NextRequest, context: any = {}) => {
|
|
372
|
-
// Extract
|
|
373
|
-
const
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
if
|
|
377
|
-
|
|
378
|
-
|
|
379
|
-
{
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
//
|
|
390
|
-
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
403
|
-
|
|
404
|
-
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
if
|
|
442
|
-
|
|
443
|
-
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
|
|
463
|
-
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
//
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
|
|
482
|
-
|
|
483
|
-
let
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
|
|
488
|
-
|
|
489
|
-
|
|
490
|
-
if
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
500
|
-
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
|
|
506
|
-
|
|
507
|
-
|
|
508
|
-
|
|
509
|
-
|
|
510
|
-
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
|
|
523
|
-
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
|
|
527
|
-
|
|
528
|
-
|
|
529
|
-
|
|
530
|
-
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
|
|
545
|
-
}
|
|
546
|
-
|
|
547
|
-
|
|
548
|
-
|
|
549
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Enhanced Auth Handler with Coordinated Token Refresh
|
|
3
|
+
*
|
|
4
|
+
* Provides a middleware wrapper that automatically handles token lifecycle:
|
|
5
|
+
* - Checks token expiry before each request
|
|
6
|
+
* - Automatically refreshes expired or near-expired tokens
|
|
7
|
+
* - Uses Redis locks for coordinated refresh (prevents race conditions)
|
|
8
|
+
* - Retries requests on 401 responses with fresh tokens
|
|
9
|
+
*
|
|
10
|
+
* Pattern ported from website-membership simple-api-handler.ts
|
|
11
|
+
*
|
|
12
|
+
* @version 2.1.0
|
|
13
|
+
* @since auth-ready-v2
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
import { NextRequest, NextResponse } from 'next/server';
|
|
17
|
+
import { getSession as getBetterAuthSession } from '../server/auth';
|
|
18
|
+
import { nanoid } from 'nanoid';
|
|
19
|
+
import {
|
|
20
|
+
getSession,
|
|
21
|
+
updateSession,
|
|
22
|
+
acquireRefreshLock,
|
|
23
|
+
releaseRefreshLock,
|
|
24
|
+
checkRefreshLock,
|
|
25
|
+
type SessionData
|
|
26
|
+
} from '../lib/session-store';
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
export interface AuthContext {
|
|
30
|
+
token: any;
|
|
31
|
+
accessToken: string;
|
|
32
|
+
userId: string;
|
|
33
|
+
sessionToken: string;
|
|
34
|
+
refreshToken?: string;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
export interface AuthHandlerOptions {
|
|
38
|
+
/** Whether authentication is required for this route (default: true) */
|
|
39
|
+
requireAuth?: boolean;
|
|
40
|
+
|
|
41
|
+
/** Automatically refresh expired or near-expired tokens (default: true) */
|
|
42
|
+
autoRefresh?: boolean;
|
|
43
|
+
|
|
44
|
+
/** Buffer time in seconds before token expiry to trigger refresh (default: 300 = 5 minutes) */
|
|
45
|
+
refreshBuffer?: number;
|
|
46
|
+
|
|
47
|
+
/** Retry request on 401 response after refreshing token (default: true) */
|
|
48
|
+
retryOn401?: boolean;
|
|
49
|
+
|
|
50
|
+
/** Maximum number of retry attempts on 401 (default: 1) */
|
|
51
|
+
maxRetries?: number;
|
|
52
|
+
|
|
53
|
+
/** NextAuth secret for JWT decoding */
|
|
54
|
+
nextAuthSecret?: string;
|
|
55
|
+
|
|
56
|
+
/** IDP base URL for refresh requests */
|
|
57
|
+
idpBaseUrl?: string;
|
|
58
|
+
|
|
59
|
+
/** OAuth client ID */
|
|
60
|
+
clientId?: string;
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
export type HandlerFunction = (
|
|
64
|
+
req: NextRequest,
|
|
65
|
+
context: any,
|
|
66
|
+
auth: AuthContext
|
|
67
|
+
) => Promise<NextResponse | Response>;
|
|
68
|
+
|
|
69
|
+
interface RefreshResult {
|
|
70
|
+
success: boolean;
|
|
71
|
+
accessToken?: string;
|
|
72
|
+
refreshToken?: string;
|
|
73
|
+
expiresIn?: number;
|
|
74
|
+
error?: string;
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
/**
|
|
78
|
+
* Creates an auth-aware handler with automatic token refresh
|
|
79
|
+
*
|
|
80
|
+
* @example
|
|
81
|
+
* ```typescript
|
|
82
|
+
* import { createAuthHandler } from '@payez/next-mvp/api';
|
|
83
|
+
*
|
|
84
|
+
* const handler = createAuthHandler({ requireAuth: true });
|
|
85
|
+
*
|
|
86
|
+
* export const GET = handler.handle(async (req, context, auth) => {
|
|
87
|
+
* // auth.accessToken is guaranteed to be fresh
|
|
88
|
+
* const response = await fetch('https://api.example.com/data', {
|
|
89
|
+
* headers: { 'Authorization': `Bearer ${auth.accessToken}` }
|
|
90
|
+
* });
|
|
91
|
+
* return NextResponse.json(await response.json());
|
|
92
|
+
* });
|
|
93
|
+
* ```
|
|
94
|
+
*/
|
|
95
|
+
export function createAuthHandler(options: AuthHandlerOptions = {}) {
|
|
96
|
+
const {
|
|
97
|
+
requireAuth = true,
|
|
98
|
+
autoRefresh = true,
|
|
99
|
+
refreshBuffer = 60, // 60 seconds - matches website-membership proven threshold
|
|
100
|
+
retryOn401 = true,
|
|
101
|
+
maxRetries = 1,
|
|
102
|
+
nextAuthSecret = process.env.NEXTAUTH_SECRET,
|
|
103
|
+
idpBaseUrl = process.env.IDP_URL,
|
|
104
|
+
clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID
|
|
105
|
+
} = options;
|
|
106
|
+
|
|
107
|
+
/**
|
|
108
|
+
* Performs coordinated token refresh with Redis locking
|
|
109
|
+
* This prevents multiple concurrent requests from all trying to refresh simultaneously
|
|
110
|
+
*/
|
|
111
|
+
async function performCoordinatedRefresh(
|
|
112
|
+
sessionToken: string,
|
|
113
|
+
requestId: string
|
|
114
|
+
): Promise<RefreshResult> {
|
|
115
|
+
// Check if refresh is already in progress
|
|
116
|
+
const existingLock = await checkRefreshLock(sessionToken);
|
|
117
|
+
|
|
118
|
+
if (existingLock) {
|
|
119
|
+
console.info('[AUTH_HANDLER] Refresh already in progress, waiting...', {
|
|
120
|
+
requestId,
|
|
121
|
+
lockOwner: existingLock.acquiredBy,
|
|
122
|
+
lockAge: Date.now() - existingLock.acquiredAt
|
|
123
|
+
});
|
|
124
|
+
|
|
125
|
+
// Wait for the refresh to complete
|
|
126
|
+
const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
|
|
127
|
+
if (waitResult.success) {
|
|
128
|
+
// Get the fresh token from session
|
|
129
|
+
const freshSession = await getSession(sessionToken);
|
|
130
|
+
if (freshSession?.accessToken) {
|
|
131
|
+
return {
|
|
132
|
+
success: true,
|
|
133
|
+
accessToken: freshSession.accessToken,
|
|
134
|
+
refreshToken: freshSession.refreshToken,
|
|
135
|
+
expiresIn: freshSession.accessTokenExpires
|
|
136
|
+
? Math.floor((freshSession.accessTokenExpires - Date.now()) / 1000)
|
|
137
|
+
: undefined
|
|
138
|
+
};
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
// Try to acquire the refresh lock
|
|
145
|
+
const lockAcquired = await acquireRefreshLock(sessionToken, requestId, 5000);
|
|
146
|
+
|
|
147
|
+
if (!lockAcquired) {
|
|
148
|
+
// Another request grabbed the lock, wait for it
|
|
149
|
+
console.info('[AUTH_HANDLER] Failed to acquire lock, waiting for other request', { requestId });
|
|
150
|
+
const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
|
|
151
|
+
if (waitResult.success) {
|
|
152
|
+
const freshSession = await getSession(sessionToken);
|
|
153
|
+
if (freshSession?.accessToken) {
|
|
154
|
+
return {
|
|
155
|
+
success: true,
|
|
156
|
+
accessToken: freshSession.accessToken,
|
|
157
|
+
refreshToken: freshSession.refreshToken
|
|
158
|
+
};
|
|
159
|
+
}
|
|
160
|
+
}
|
|
161
|
+
return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
|
|
162
|
+
}
|
|
163
|
+
|
|
164
|
+
try {
|
|
165
|
+
// Double-check if tokens are still stale after acquiring lock
|
|
166
|
+
const latestSession = await getSession(sessionToken);
|
|
167
|
+
if (latestSession && !tokenNeedsRefresh(latestSession, refreshBuffer)) {
|
|
168
|
+
console.info('[AUTH_HANDLER] Tokens already fresh after acquiring lock, skipping refresh', { requestId });
|
|
169
|
+
return {
|
|
170
|
+
success: true,
|
|
171
|
+
accessToken: latestSession.accessToken,
|
|
172
|
+
refreshToken: latestSession.refreshToken
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
|
|
176
|
+
// Actually perform the refresh
|
|
177
|
+
return await executeRefresh(sessionToken, latestSession);
|
|
178
|
+
|
|
179
|
+
} finally {
|
|
180
|
+
// Always release the lock
|
|
181
|
+
await releaseRefreshLock(sessionToken, requestId);
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
/**
|
|
186
|
+
* Wait for an in-progress refresh to complete
|
|
187
|
+
*/
|
|
188
|
+
async function waitForRefreshCompletion(
|
|
189
|
+
sessionToken: string,
|
|
190
|
+
requestId: string,
|
|
191
|
+
maxWaitMs: number
|
|
192
|
+
): Promise<{ success: boolean; reason?: string }> {
|
|
193
|
+
const startTime = Date.now();
|
|
194
|
+
const pollInterval = 100;
|
|
195
|
+
|
|
196
|
+
while (Date.now() - startTime < maxWaitMs) {
|
|
197
|
+
const lockExists = await checkRefreshLock(sessionToken);
|
|
198
|
+
|
|
199
|
+
if (!lockExists) {
|
|
200
|
+
// Lock released, check if tokens are fresh
|
|
201
|
+
const session = await getSession(sessionToken);
|
|
202
|
+
if (session?.accessToken && !tokenNeedsRefresh(session, refreshBuffer)) {
|
|
203
|
+
return { success: true };
|
|
204
|
+
} else {
|
|
205
|
+
return { success: false, reason: 'Lock released but tokens not fresh' };
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
|
|
209
|
+
await new Promise(resolve => setTimeout(resolve, pollInterval));
|
|
210
|
+
}
|
|
211
|
+
|
|
212
|
+
return { success: false, reason: `Timeout waiting for refresh (${maxWaitMs}ms)` };
|
|
213
|
+
}
|
|
214
|
+
|
|
215
|
+
/**
|
|
216
|
+
* Check if token needs refresh based on expiry and buffer
|
|
217
|
+
*/
|
|
218
|
+
function tokenNeedsRefresh(session: SessionData, bufferSeconds: number): boolean {
|
|
219
|
+
if (!session.accessToken) return true;
|
|
220
|
+
|
|
221
|
+
const expires = session.accessTokenExpires || 0;
|
|
222
|
+
const bufferMs = bufferSeconds * 1000;
|
|
223
|
+
const timeUntilExpiry = expires - Date.now();
|
|
224
|
+
|
|
225
|
+
return timeUntilExpiry <= bufferMs;
|
|
226
|
+
}
|
|
227
|
+
|
|
228
|
+
/**
|
|
229
|
+
* Execute the actual token refresh against IDP
|
|
230
|
+
*/
|
|
231
|
+
async function executeRefresh(
|
|
232
|
+
sessionToken: string,
|
|
233
|
+
currentSession: SessionData | null
|
|
234
|
+
): Promise<RefreshResult> {
|
|
235
|
+
try {
|
|
236
|
+
if (!idpBaseUrl || !clientId) {
|
|
237
|
+
console.error('[AUTH_HANDLER] Missing IDP configuration for refresh');
|
|
238
|
+
return { success: false, error: 'Missing IDP configuration' };
|
|
239
|
+
}
|
|
240
|
+
|
|
241
|
+
if (!currentSession) {
|
|
242
|
+
console.error('[AUTH_HANDLER] No session found for refresh');
|
|
243
|
+
return { success: false, error: 'No session found' };
|
|
244
|
+
}
|
|
245
|
+
|
|
246
|
+
if (!currentSession.refreshToken) {
|
|
247
|
+
console.error('[AUTH_HANDLER] No refresh token available');
|
|
248
|
+
return { success: false, error: 'No refresh token' };
|
|
249
|
+
}
|
|
250
|
+
|
|
251
|
+
// Extract authentication methods from session
|
|
252
|
+
const authMethods = (currentSession as any).authMethods ||
|
|
253
|
+
((currentSession as any).token?.amr ? JSON.parse((currentSession as any).token.amr) : ['pwd', 'mfa']);
|
|
254
|
+
const authLevel = String((currentSession as any).authenticationLevel || (currentSession as any).token?.acr || '2');
|
|
255
|
+
const twoFactorMethod = (currentSession as any).twoFactorMethod || 'authenticator';
|
|
256
|
+
|
|
257
|
+
// Build refresh request body
|
|
258
|
+
const refreshRequestBody: any = {
|
|
259
|
+
refresh_token: currentSession.refreshToken,
|
|
260
|
+
amr: authMethods,
|
|
261
|
+
acr: authLevel
|
|
262
|
+
};
|
|
263
|
+
|
|
264
|
+
if ((currentSession as any).twoFactorComplete) {
|
|
265
|
+
refreshRequestBody.two_factor_verified = true;
|
|
266
|
+
}
|
|
267
|
+
if (twoFactorMethod) {
|
|
268
|
+
refreshRequestBody.two_factor_method = twoFactorMethod;
|
|
269
|
+
}
|
|
270
|
+
if ((currentSession as any).mfaCompletedAt) {
|
|
271
|
+
refreshRequestBody.two_factor_completed_at = new Date((currentSession as any).mfaCompletedAt).toISOString();
|
|
272
|
+
}
|
|
273
|
+
|
|
274
|
+
console.info('[AUTH_HANDLER] Executing refresh against IDP', {
|
|
275
|
+
sessionToken: sessionToken.substring(0, 8) + '...',
|
|
276
|
+
hasRefreshToken: true
|
|
277
|
+
});
|
|
278
|
+
|
|
279
|
+
const response = await fetch(`${idpBaseUrl}/api/ExternalAuth/refresh`, {
|
|
280
|
+
method: 'POST',
|
|
281
|
+
headers: {
|
|
282
|
+
'Content-Type': 'application/json',
|
|
283
|
+
'X-Client-Id': clientId,
|
|
284
|
+
},
|
|
285
|
+
body: JSON.stringify(refreshRequestBody),
|
|
286
|
+
});
|
|
287
|
+
|
|
288
|
+
if (!response.ok) {
|
|
289
|
+
const errorText = await response.text().catch(() => 'Unknown error');
|
|
290
|
+
console.error('[AUTH_HANDLER] Refresh failed:', response.status, errorText);
|
|
291
|
+
return { success: false, error: `Refresh failed: ${response.status}` };
|
|
292
|
+
}
|
|
293
|
+
|
|
294
|
+
const data = await response.json();
|
|
295
|
+
|
|
296
|
+
if (data.success === false) {
|
|
297
|
+
return { success: false, error: data.error?.message || data.message || 'Refresh failed' };
|
|
298
|
+
}
|
|
299
|
+
|
|
300
|
+
const tokenData = data.data || data;
|
|
301
|
+
|
|
302
|
+
if (!tokenData.access_token) {
|
|
303
|
+
console.error('[AUTH_HANDLER] No access token in refresh response');
|
|
304
|
+
return { success: false, error: 'No access token received' };
|
|
305
|
+
}
|
|
306
|
+
|
|
307
|
+
// Update session with new tokens
|
|
308
|
+
const updatedSession = {
|
|
309
|
+
...currentSession,
|
|
310
|
+
accessToken: tokenData.access_token,
|
|
311
|
+
refreshToken: tokenData.refresh_token || currentSession.refreshToken,
|
|
312
|
+
accessTokenExpires: tokenData.expires_in
|
|
313
|
+
? Date.now() + (tokenData.expires_in * 1000)
|
|
314
|
+
: Date.now() + (3600 * 1000),
|
|
315
|
+
};
|
|
316
|
+
|
|
317
|
+
await updateSession(sessionToken, updatedSession);
|
|
318
|
+
|
|
319
|
+
console.info('[AUTH_HANDLER] Token refresh successful', {
|
|
320
|
+
newExpiry: new Date(updatedSession.accessTokenExpires).toISOString()
|
|
321
|
+
});
|
|
322
|
+
|
|
323
|
+
return {
|
|
324
|
+
success: true,
|
|
325
|
+
accessToken: tokenData.access_token,
|
|
326
|
+
refreshToken: tokenData.refresh_token,
|
|
327
|
+
expiresIn: tokenData.expires_in,
|
|
328
|
+
};
|
|
329
|
+
} catch (error) {
|
|
330
|
+
console.error('[AUTH_HANDLER] Refresh exception:', error);
|
|
331
|
+
return { success: false, error: error instanceof Error ? error.message : 'Refresh failed' };
|
|
332
|
+
}
|
|
333
|
+
}
|
|
334
|
+
|
|
335
|
+
/**
|
|
336
|
+
* Checks if auth context token needs refresh based on expiry and buffer
|
|
337
|
+
*/
|
|
338
|
+
function needsRefresh(auth: AuthContext): boolean {
|
|
339
|
+
if (!autoRefresh) return false;
|
|
340
|
+
|
|
341
|
+
// Check if we have token expiry information
|
|
342
|
+
const token = auth.token as any;
|
|
343
|
+
const expiresAt = token.accessTokenExpires || token.exp;
|
|
344
|
+
|
|
345
|
+
if (!expiresAt) {
|
|
346
|
+
// No expiry info, can't determine if refresh needed
|
|
347
|
+
return false;
|
|
348
|
+
}
|
|
349
|
+
|
|
350
|
+
const now = Math.floor(Date.now() / 1000);
|
|
351
|
+
const expiryTime = typeof expiresAt === 'number' && expiresAt > 1000000000000
|
|
352
|
+
? Math.floor(expiresAt / 1000) // Convert milliseconds to seconds
|
|
353
|
+
: expiresAt;
|
|
354
|
+
|
|
355
|
+
// Check if token expires within the buffer period
|
|
356
|
+
return (expiryTime - now) <= refreshBuffer;
|
|
357
|
+
}
|
|
358
|
+
|
|
359
|
+
/**
|
|
360
|
+
* Generate a unique request ID for coordinated refresh
|
|
361
|
+
*/
|
|
362
|
+
function generateRequestId(): string {
|
|
363
|
+
return nanoid();
|
|
364
|
+
}
|
|
365
|
+
|
|
366
|
+
/**
|
|
367
|
+
* Main handler wrapper
|
|
368
|
+
*/
|
|
369
|
+
return {
|
|
370
|
+
handle: (handler: HandlerFunction) => {
|
|
371
|
+
return async (req: NextRequest, context: any = {}) => {
|
|
372
|
+
// Extract session from Better Auth
|
|
373
|
+
const betterAuthSession = await getBetterAuthSession(req);
|
|
374
|
+
const token = betterAuthSession ? { ...betterAuthSession.user, ...betterAuthSession.session } as any : null;
|
|
375
|
+
|
|
376
|
+
// Check if auth is required
|
|
377
|
+
if (requireAuth && !betterAuthSession) {
|
|
378
|
+
return NextResponse.json(
|
|
379
|
+
{ error: 'Authentication required', code: 'UNAUTHORIZED' },
|
|
380
|
+
{ status: 401 }
|
|
381
|
+
);
|
|
382
|
+
}
|
|
383
|
+
|
|
384
|
+
// If no session and auth not required, call handler without auth context
|
|
385
|
+
if (!betterAuthSession) {
|
|
386
|
+
return handler(req, context, null as any);
|
|
387
|
+
}
|
|
388
|
+
|
|
389
|
+
// Validate client_slug (token confusion attack prevention)
|
|
390
|
+
// SECURITY: Fail closed - require configuration to be explicitly set
|
|
391
|
+
const expectedClientSlug = process.env.NEXT_PUBLIC_EXPECTED_CLIENT_SLUG;
|
|
392
|
+
|
|
393
|
+
if (!expectedClientSlug) {
|
|
394
|
+
console.error('[AUTH_HANDLER] SECURITY MISCONFIGURATION: NEXT_PUBLIC_EXPECTED_CLIENT_SLUG not set');
|
|
395
|
+
return NextResponse.json(
|
|
396
|
+
{
|
|
397
|
+
error: 'Server configuration error',
|
|
398
|
+
code: 'SECURITY_CONFIGURATION_MISSING'
|
|
399
|
+
},
|
|
400
|
+
{ status: 500 }
|
|
401
|
+
);
|
|
402
|
+
}
|
|
403
|
+
|
|
404
|
+
// Extract client_slug from token (normalize property name)
|
|
405
|
+
const tokenClientSlug = (token as any).client_slug || (token as any).clientSlug;
|
|
406
|
+
|
|
407
|
+
// SECURITY: Require client_slug claim in all tokens (no backward compat)
|
|
408
|
+
if (!tokenClientSlug) {
|
|
409
|
+
console.warn('[AUTH_HANDLER] Token missing required client_slug claim');
|
|
410
|
+
return NextResponse.json(
|
|
411
|
+
{
|
|
412
|
+
error: 'Token missing required claim',
|
|
413
|
+
code: 'TOKEN_MISSING_CLIENT_SLUG'
|
|
414
|
+
},
|
|
415
|
+
{ status: 401 }
|
|
416
|
+
);
|
|
417
|
+
}
|
|
418
|
+
|
|
419
|
+
// SECURITY: Case-insensitive comparison to avoid casing attacks
|
|
420
|
+
if (tokenClientSlug.toLowerCase() !== expectedClientSlug.toLowerCase()) {
|
|
421
|
+
// Log without exposing sensitive details
|
|
422
|
+
console.warn('[AUTH_HANDLER] Token client mismatch detected');
|
|
423
|
+
return NextResponse.json(
|
|
424
|
+
{
|
|
425
|
+
error: 'Token issued for different client',
|
|
426
|
+
code: 'TOKEN_CLIENT_MISMATCH'
|
|
427
|
+
},
|
|
428
|
+
{ status: 401 }
|
|
429
|
+
);
|
|
430
|
+
}
|
|
431
|
+
|
|
432
|
+
// Build initial auth context
|
|
433
|
+
let authContext: AuthContext = {
|
|
434
|
+
token,
|
|
435
|
+
accessToken: (token as any).accessToken || '',
|
|
436
|
+
userId: betterAuthSession.user?.id || (token as any).userId || '',
|
|
437
|
+
sessionToken: betterAuthSession.session?.token || '',
|
|
438
|
+
refreshToken: (token as any).refreshToken,
|
|
439
|
+
};
|
|
440
|
+
|
|
441
|
+
// Check if token needs refresh
|
|
442
|
+
if (needsRefresh(authContext) && authContext.refreshToken) {
|
|
443
|
+
const requestId = generateRequestId();
|
|
444
|
+
console.info('[AUTH_HANDLER] Token near expiry, initiating coordinated refresh', {
|
|
445
|
+
requestId,
|
|
446
|
+
sessionToken: authContext.sessionToken.substring(0, 8) + '...'
|
|
447
|
+
});
|
|
448
|
+
|
|
449
|
+
const refreshResult = await performCoordinatedRefresh(
|
|
450
|
+
authContext.sessionToken,
|
|
451
|
+
requestId
|
|
452
|
+
);
|
|
453
|
+
|
|
454
|
+
if (refreshResult.success && refreshResult.accessToken) {
|
|
455
|
+
// Update auth context with fresh token
|
|
456
|
+
authContext.accessToken = refreshResult.accessToken;
|
|
457
|
+
if (refreshResult.refreshToken) {
|
|
458
|
+
authContext.refreshToken = refreshResult.refreshToken;
|
|
459
|
+
}
|
|
460
|
+
|
|
461
|
+
// Update token object for future checks
|
|
462
|
+
(authContext.token as any).accessToken = refreshResult.accessToken;
|
|
463
|
+
if (refreshResult.expiresIn) {
|
|
464
|
+
(authContext.token as any).accessTokenExpires = Date.now() + (refreshResult.expiresIn * 1000);
|
|
465
|
+
}
|
|
466
|
+
|
|
467
|
+
console.info('[AUTH_HANDLER] Coordinated refresh successful', { requestId });
|
|
468
|
+
} else {
|
|
469
|
+
console.warn('[AUTH_HANDLER] Failed to refresh token:', refreshResult.error);
|
|
470
|
+
// Continue with potentially expired token - handler may still succeed
|
|
471
|
+
}
|
|
472
|
+
}
|
|
473
|
+
|
|
474
|
+
// Attach auth context to request for downstream use (following existing pattern)
|
|
475
|
+
// IMPORTANT: Set this ONCE before the retry loop to avoid overwriting with stale data
|
|
476
|
+
(req as any).__authContext = {
|
|
477
|
+
accessToken: authContext.accessToken,
|
|
478
|
+
userId: authContext.userId,
|
|
479
|
+
sessionToken: authContext.sessionToken,
|
|
480
|
+
};
|
|
481
|
+
|
|
482
|
+
// Call the actual handler
|
|
483
|
+
let response: NextResponse | Response;
|
|
484
|
+
let retryCount = 0;
|
|
485
|
+
|
|
486
|
+
while (retryCount <= maxRetries) {
|
|
487
|
+
try {
|
|
488
|
+
response = await handler(req, context, authContext);
|
|
489
|
+
|
|
490
|
+
// Check if we got a 401 and should retry
|
|
491
|
+
if (
|
|
492
|
+
response.status === 401 &&
|
|
493
|
+
retryOn401 &&
|
|
494
|
+
retryCount < maxRetries &&
|
|
495
|
+
authContext.refreshToken
|
|
496
|
+
) {
|
|
497
|
+
const retryRequestId = generateRequestId();
|
|
498
|
+
console.info('[AUTH_HANDLER] Got 401, attempting coordinated refresh and retry', { retryRequestId });
|
|
499
|
+
|
|
500
|
+
const refreshResult = await performCoordinatedRefresh(
|
|
501
|
+
authContext.sessionToken,
|
|
502
|
+
retryRequestId
|
|
503
|
+
);
|
|
504
|
+
|
|
505
|
+
if (refreshResult.success && refreshResult.accessToken) {
|
|
506
|
+
console.info('[AUTH_HANDLER] Refresh succeeded, updating tokens', { retryRequestId });
|
|
507
|
+
|
|
508
|
+
// Update auth context with fresh token
|
|
509
|
+
authContext.accessToken = refreshResult.accessToken;
|
|
510
|
+
if (refreshResult.refreshToken) {
|
|
511
|
+
authContext.refreshToken = refreshResult.refreshToken;
|
|
512
|
+
}
|
|
513
|
+
|
|
514
|
+
// Update request context
|
|
515
|
+
(req as any).__authContext.accessToken = refreshResult.accessToken;
|
|
516
|
+
|
|
517
|
+
console.info('[AUTH_HANDLER] Updated req.__authContext with new token, retrying request', { retryRequestId });
|
|
518
|
+
|
|
519
|
+
retryCount++;
|
|
520
|
+
continue; // Retry the request
|
|
521
|
+
} else {
|
|
522
|
+
console.warn('[AUTH_HANDLER] Refresh failed on 401 retry:', refreshResult.error);
|
|
523
|
+
break; // Don't retry if refresh failed
|
|
524
|
+
}
|
|
525
|
+
}
|
|
526
|
+
|
|
527
|
+
// Success or non-401 error - return response
|
|
528
|
+
break;
|
|
529
|
+
} catch (error) {
|
|
530
|
+
// Handler threw an error
|
|
531
|
+
console.error('[AUTH_HANDLER] Handler error:', error);
|
|
532
|
+
return NextResponse.json(
|
|
533
|
+
{
|
|
534
|
+
error: 'Internal server error',
|
|
535
|
+
details: error instanceof Error ? error.message : 'Unknown error'
|
|
536
|
+
},
|
|
537
|
+
{ status: 500 }
|
|
538
|
+
);
|
|
539
|
+
}
|
|
540
|
+
}
|
|
541
|
+
|
|
542
|
+
return response!;
|
|
543
|
+
};
|
|
544
|
+
}
|
|
545
|
+
};
|
|
546
|
+
}
|
|
547
|
+
|
|
548
|
+
/**
|
|
549
|
+
* Default export for convenience
|
|
550
|
+
*/
|
|
550
551
|
export default createAuthHandler;
|