@payez/next-mvp 3.9.1 → 4.0.1

package/dist/api-handlers/auth/refresh.js

@@ -1,635 +0,0 @@
-"use strict";
-/**
- * CRITICAL REFRESH TOKEN API HANDLER
- *
- * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
- *
- * This handler manages the server-side refresh token cycle with:
- * - NextAuth JWT token extraction
- * - Session token fallback for internal calls
- * - PayEz IDP refresh token exchange
- * - Session state updates with new tokens
- * - Proper error handling and logging
- * - Single-use semantics enforcement
- *
- * @version 2.0
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-exports.createRefreshHandler = createRefreshHandler;
-const server_1 = require("next/server");
-const jwt_1 = require("next-auth/jwt");
-const session_store_1 = require("../../lib/session-store");
-const token_expiry_1 = require("../../lib/token-expiry");
-const app_slug_1 = require("../../lib/app-slug");
-const token_utils_1 = require("../../auth/utils/token-utils");
-/**
- * Creates a refresh token handler for Next.js API routes
- *
- * @param config Configuration for IDP connection and NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/refresh/route.ts
- * import { createRefreshHandler } from '@payez/next-mvp/api-handlers/auth/refresh';
- *
- * export const POST = createRefreshHandler({
- *   idpBaseUrl: process.env.IDP_URL!,
- *   clientId: process.env.CLIENT_ID!,
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
- *   refreshEndpoint: '/api/ExternalAuth/refresh'
- * });
- * ```
- */
-function createRefreshHandler(config) {
-    const { idpBaseUrl, clientId, nextAuthSecret, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
-    return async function POST(req) {
-        try {
-            // Extract session token from NextAuth JWT
-            const token = await (0, jwt_1.getToken)({ req, secret: nextAuthSecret, cookieName: (0, app_slug_1.getJwtCookieName)() });
-            // Support both field names: sessionToken (auth.ts JWT) and redisSessionId (legacy)
-            let sessionToken = (token?.sessionToken || token?.redisSessionId);
-            let userId = token?.sub;
-            if (!sessionToken) {
-                // Fallback: check for session token in header (for internal server-to-server calls)
-                const headerSessionToken = req.headers.get('x-session-token');
-                if (headerSessionToken) {
-                    sessionToken = headerSessionToken;
-                    const currentSession = await (0, session_store_1.getSession)(sessionToken);
-                    userId = currentSession?.userId || currentSession?.email;
-                }
-            }
-            if (!sessionToken || !userId) {
-                console.warn('[AUTH_REFRESH] Missing sessionToken or user id on token');
-                return server_1.NextResponse.json({
-                    error: 'No session available for refresh',
-                    code: 'UNAUTHORIZED'
-                }, { status: 401 });
-            }
-            // Get current session
-            const currentSession = await (0, session_store_1.getSession)(sessionToken);
-            // NOTE: Field is idpRefreshToken (not refreshToken) per normalized naming convention
-            if (!currentSession?.idpRefreshToken) {
-                console.warn('[AUTH_REFRESH] No refresh token available', { userId });
-                return server_1.NextResponse.json({
-                    error: 'No refresh token available',
-                    code: 'NO_REFRESH_TOKEN', // Terminal state - session cannot be refreshed
-                    terminal: true, // Signal to frontend: don't retry, redirect to login
-                    resolution: 'User must re-authenticate'
-                }, { status: 401 });
-            }
-            // ============================================================================
-            // HIGH VISIBILITY: PRE-FLIGHT REFRESH DIAGNOSTICS
-            // ============================================================================
-            const now = Date.now();
-            const refreshTokenAge = currentSession.idpRefreshTokenIssuedAt
-                ? Math.round((now - currentSession.idpRefreshTokenIssuedAt) / 1000)
-                : 'unknown';
-            const refreshTokenExpiresIn = currentSession.idpRefreshTokenExpires
-                ? Math.round((currentSession.idpRefreshTokenExpires - now) / 1000)
-                : 'unknown';
-            const accessTokenExpiresIn = currentSession.idpAccessTokenExpires
-                ? Math.round((currentSession.idpAccessTokenExpires - now) / 1000)
-                : 'unknown';
-            console.log('╔══════════════════════════════════════════════════════════════════════════════╗');
-            console.log('║                    REFRESH TOKEN ATTEMPT - PRE-FLIGHT                        ║');
-            console.log('╠══════════════════════════════════════════════════════════════════════════════╣');
-            console.log(`║ User: ${(userId || 'unknown').substring(0, 50).padEnd(50)}                   ║`);
-            console.log(`║ Session: ${sessionToken.substring(0, 8)}...                                                        ║`);
-            console.log('╠──────────────────────────────────────────────────────────────────────────────╣');
-            console.log(`║ Access Token Expires In:  ${String(accessTokenExpiresIn).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Age:        ${String(refreshTokenAge).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Expires In: ${String(refreshTokenExpiresIn).padEnd(10)} seconds                            ║`);
-            console.log(`║ Refresh Token Length:     ${String(currentSession.idpRefreshToken?.length || 0).padEnd(10)} chars                              ║`);
-            console.log(`║ 2FA Complete:             ${String(!!currentSession.mfaVerified).padEnd(10)}                                   ║`);
-            console.log(`║ Auth Level (ACR):         ${String(currentSession.authenticationLevel || '1').padEnd(10)}                                   ║`);
-            console.log('╚══════════════════════════════════════════════════════════════════════════════╝');
-            // Try to acquire refresh lock to prevent concurrent refresh attempts
-            const requestId = req.headers.get('x-request-id') ?? `refresh_${Date.now()}`;
-            const lockAcquired = await (0, session_store_1.acquireRefreshLock)(sessionToken, requestId, 5000);
-            let weAcquiredLock = false;
-            let releaseLockVersion;
-            if (!lockAcquired.acquired) {
-                const existingLock = await (0, session_store_1.checkRefreshLock)(sessionToken);
-                if (existingLock && existingLock.acquiredBy === requestId) {
-                    console.info('[AUTH_REFRESH] Proceeding under existing caller-held lock', { requestId });
-                }
-                else {
-                    // Wait for the lock to release, then check if token is now fresh
-                    console.info('[AUTH_REFRESH] Refresh in progress by another request, waiting for completion...', { requestId });
-                    const maxWaitMs = 5000;
-                    const checkIntervalMs = 200;
-                    const startWait = Date.now();
-                    while (Date.now() - startWait < maxWaitMs) {
-                        await new Promise(resolve => setTimeout(resolve, checkIntervalMs));
-                        // Check if lock was released
-                        const lockCheck = await (0, session_store_1.checkRefreshLock)(sessionToken);
-                        if (!lockCheck) {
-                            // Lock released - check if token is now fresh
-                            const refreshedSession = await (0, session_store_1.getSession)(sessionToken);
-                            if (refreshedSession?.idpAccessToken && refreshedSession?.idpAccessTokenExpires) {
-                                const timeUntilExpiry = refreshedSession.idpAccessTokenExpires - Date.now();
-                                const fiveMinutes = 5 * 60 * 1000;
-                                if (timeUntilExpiry > fiveMinutes) {
-                                    console.info('[AUTH_REFRESH] Lock released, token is fresh - returning success', {
-                                        requestId,
-                                        accessTokenExpires: new Date(refreshedSession.idpAccessTokenExpires).toISOString(),
-                                        waitedMs: Date.now() - startWait,
-                                    });
-                                    return server_1.NextResponse.json({
-                                        refreshed: true,
-                                        reason: 'completed_by_concurrent_request',
-                                        accessTokenExpires: refreshedSession.idpAccessTokenExpires,
-                                        hasRefreshToken: !!refreshedSession.idpRefreshToken,
-                                    });
-                                }
-                            }
-                            // Lock released but token not fresh - try to acquire lock ourselves
-                            break;
-                        }
-                    }
-                    // Still locked after waiting - return 409
-                    console.warn('[AUTH_REFRESH] Refresh still in progress after waiting', { requestId, waitedMs: Date.now() - startWait });
-                    return server_1.NextResponse.json({
-                        error: 'Refresh already in progress',
-                        code: 'CONFLICT'
-                    }, { status: 409 });
-                }
-            }
-            else {
-                weAcquiredLock = true;
-                releaseLockVersion = lockAcquired.lockInfo?.lockVersion;
-            }
-            // Before performing network refresh, re-check if tokens are already fresh
-            const latestAfterLock = await (0, session_store_1.getSession)(sessionToken);
-            const fiveMinutes = 5 * 60 * 1000;
-            const timeUntilExpiry = latestAfterLock?.idpAccessTokenExpires
-                ? latestAfterLock.idpAccessTokenExpires - Date.now()
-                : -1;
-            // CRITICAL: Also check the actual JWT's exp claim - Redis might have stale data
-            let actualJwtExpMs = -1;
-            let tokenMismatch = false;
-            if (latestAfterLock?.idpAccessToken) {
-                try {
-                    const tokenParts = latestAfterLock.idpAccessToken.split('.');
-                    if (tokenParts.length === 3) {
-                        const payload = JSON.parse(Buffer.from(tokenParts[1], 'base64url').toString());
-                        actualJwtExpMs = (payload.exp || 0) * 1000;
-                        const now = Date.now();
-                        // If the actual JWT is expired, we MUST refresh regardless of what Redis says
-                        if (actualJwtExpMs < now) {
-                            tokenMismatch = true;
-                        }
-                    }
-                }
-                catch (e) {
-                    // If we can't decode, proceed with normal logic
-                }
-            }
-            console.log('[AUTH_REFRESH] Pre-refresh check:', {
-                userId,
-                hasAccessToken: !!latestAfterLock?.idpAccessToken,
-                accessTokenExpires: latestAfterLock?.idpAccessTokenExpires
-                    ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString()
-                    : 'undefined',
-                actualJwtExp: actualJwtExpMs > 0 ? new Date(actualJwtExpMs).toISOString() : 'unknown',
-                now: new Date().toISOString(),
-                timeUntilExpiryMs: timeUntilExpiry,
-                tokenMismatch,
-                willRefresh: timeUntilExpiry <= fiveMinutes || tokenMismatch
-            });
-            // Only skip refresh if BOTH Redis says fresh AND the actual JWT is not expired
-            if (latestAfterLock?.idpAccessToken && latestAfterLock?.idpAccessTokenExpires &&
-                timeUntilExpiry > fiveMinutes && !tokenMismatch) {
-                console.info('[AUTH_REFRESH] Skipping refresh: tokens already fresh', { userId, timeUntilExpiryMs: timeUntilExpiry });
-                if (weAcquiredLock) {
-                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
-                    weAcquiredLock = false;
-                }
-                return server_1.NextResponse.json({
-                    refreshed: false,
-                    reason: 'already_fresh',
-                    accessTokenExpires: latestAfterLock.idpAccessTokenExpires,
-                    hasRefreshToken: !!latestAfterLock.idpRefreshToken,
-                });
-            }
-            // If we detected a token mismatch, log it prominently
-            if (tokenMismatch) {
-                console.warn('[AUTH_REFRESH] Token mismatch detected - forcing refresh despite Redis claiming fresh', {
-                    userId,
-                    redisExpires: latestAfterLock?.idpAccessTokenExpires ? new Date(latestAfterLock.idpAccessTokenExpires).toISOString() : 'N/A',
-                    actualJwtExp: new Date(actualJwtExpMs).toISOString()
-                });
-            }
-            // Copy refresh token for use in IDP call
-            // Note: Token is NOT cleared preemptively - it will be replaced on success.
-            // The lock mechanism prevents concurrent refresh attempts within the same session.
-            // If IDP call fails, user can retry with the same token.
-            const originalRefreshToken = currentSession.idpRefreshToken;
-            try {
-                // Extract 2FA claims from current session
-                let authMethods = [];
-                if (currentSession.authenticationMethods) {
-                    if (typeof currentSession.authenticationMethods === 'string') {
-                        try {
-                            authMethods = JSON.parse(currentSession.authenticationMethods);
-                        }
-                        catch (e) {
-                            console.warn('[AUTH_REFRESH] Failed to parse authenticationMethods', { authenticationMethods: currentSession.authenticationMethods });
-                        }
-                    }
-                    else if (Array.isArray(currentSession.authenticationMethods)) {
-                        authMethods = currentSession.authenticationMethods;
-                    }
-                }
-                // For OAuth sessions with empty AMR claims, provide defaults
-                // OAuth IS a form of multi-factor auth (you authenticated with another provider)
-                let isOAuthSession = !!currentSession.oauthProvider;
-                if (authMethods.length === 0 && isOAuthSession) {
-                    // OAuth sessions get default AMR claims
-                    authMethods = ['pwd', 'mfa'];
-                    console.log('[AUTH_REFRESH] OAuth session with empty AMR - using defaults:', {
-                        oauthProvider: currentSession.oauthProvider,
-                        defaultAmr: authMethods
-                    });
-                }
-                // Check authMethods first, then fallback to twoFactorMethod field (set by transitionTo2FASession)
-                // For OAuth sessions, use 'oauth' as the 2FA method since OAuth itself is the authentication
-                const twoFactorMethod = authMethods.find(m => ['sms', 'totp', 'email'].includes(m))
-                    || currentSession.mfaMethod
-                    || (isOAuthSession ? 'oauth' : null);
-                // DEBUG: Log what we have for 2FA
-                console.log('[AUTH_REFRESH] 2FA Debug:', {
-                    authMethods,
-                    authMethodsRaw: currentSession.authenticationMethods,
-                    twoFactorMethodFromSession: currentSession.mfaMethod,
-                    twoFactorMethodResolved: twoFactorMethod,
-                    twoFactorComplete: currentSession.mfaVerified,
-                    sessionKeys: Object.keys(currentSession)
-                });
-                // Build refresh request body per PayEz wire standard (snake_case)
-                // See: 2FA-TOKEN-REFRESH-CONTEXT.md - "The Ninja Shit"
-                // For OAuth sessions with 2FA complete, use ACR level 2
-                let acrValue = String(currentSession.authenticationLevel ?? '1');
-                if (currentSession.oauthProvider && currentSession.mfaVerified && acrValue === '1') {
-                    acrValue = '2'; // OAuth with 2FA complete = full authentication
-                }
-                const refreshRequestBody = {
-                    refresh_token: originalRefreshToken,
-                    amr: authMethods,
-                    acr: acrValue
-                };
-                // DEBUG: Log exact request body
-                console.log('[AUTH_REFRESH] Request body:', JSON.stringify({
-                    refresh_token: '***REDACTED***',
-                    amr: authMethods,
-                    acr: acrValue,
-                    acrType: typeof acrValue
-                }));
-                const twoFactorVerified = !!currentSession.mfaVerified;
-                if (twoFactorVerified) {
-                    refreshRequestBody.two_factor_verified = true;
-                }
-                if (twoFactorMethod) {
-                    refreshRequestBody.two_factor_method = twoFactorMethod;
-                }
-                if (currentSession.mfaCompletedAt) {
-                    refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
-                }
-                // Log the full request details for debugging
-                console.log('[AUTH_REFRESH] Sending refresh request:', {
-                    url: `${idpBaseUrl}${refreshEndpoint}`,
-                    clientId,
-                    hasRefreshToken: !!refreshRequestBody.refresh_token,
-                    refreshTokenLength: refreshRequestBody.refresh_token?.length,
-                    amr: refreshRequestBody.amr,
-                    acr: refreshRequestBody.acr
-                });
-                let refreshResponse;
-                try {
-                    refreshResponse = await fetch(`${idpBaseUrl}${refreshEndpoint}`, {
-                        method: 'POST',
-                        headers: {
-                            'Content-Type': 'application/json',
-                            'X-Client-Id': clientId,
-                        },
-                        body: JSON.stringify(refreshRequestBody),
-                    });
-                }
-                catch (fetchError) {
-                    // Network error - IDP unreachable
-                    // Note: Lock will be released by finally block
-                    console.error('[AUTH_REFRESH] IDP unreachable:', {
-                        error: fetchError instanceof Error ? fetchError.message : String(fetchError),
-                        idpUrl: idpBaseUrl,
-                        userId
-                    });
-                    return server_1.NextResponse.json({
-                        error: 'IDP service unavailable',
-                        code: 'UPSTREAM_SERVICE_UNAVAILABLE',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 503 });
-                }
-                // Parse response body - handle empty or invalid JSON
-                let responseData;
-                try {
-                    const responseText = await refreshResponse.text();
-                    if (!responseText || responseText.trim() === '') {
-                        // Note: Lock will be released by finally block
-                        console.error('[AUTH_REFRESH] Empty response from IDP:', {
-                            status: refreshResponse.status,
-                            statusText: refreshResponse.statusText,
-                            userId
-                        });
-                        return server_1.NextResponse.json({
-                            error: 'Empty response from IDP',
-                            code: 'UPSTREAM_SERVICE_ERROR',
-                            retryable: true,
-                            discardToken: false
-                        }, { status: 502 });
-                    }
-                    responseData = JSON.parse(responseText);
-                }
-                catch (parseError) {
-                    // Note: Lock will be released by finally block
-                    console.error('[AUTH_REFRESH] Failed to parse IDP response:', {
-                        error: parseError instanceof Error ? parseError.message : String(parseError),
-                        status: refreshResponse.status,
-                        userId
-                    });
-                    return server_1.NextResponse.json({
-                        error: 'Invalid response from IDP',
-                        code: 'UPSTREAM_SERVICE_ERROR',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 502 });
-                }
-                // Handle non-OK responses with structured error format
-                if (!refreshResponse.ok) {
-                    // Parse structured error from IDP
-                    const idpError = responseData?.error || {};
-                    const errorCode = idpError.code || 'UNKNOWN_ERROR';
-                    const errorMessage = idpError.message || 'Token refresh failed';
-                    // CRITICAL: 401 means token is definitively invalid - always discard
-                    // This prevents redirect loops where viability check keeps returning canRefresh:true
-                    const discardToken = refreshResponse.status === 401 || idpError.discard_token === true;
-                    const retryable = refreshResponse.status !== 401 && idpError.retryable === true;
-                    const resolution = idpError.resolution || null;
-                    // ============================================================================
-                    // HIGH VISIBILITY: REFRESH TOKEN FAILURE DIAGNOSTICS
-                    // ============================================================================
-                    // Translate error codes to human-readable explanations
-                    const failureReasons = {
-                        'UNAUTHORIZED': 'Token was already used (rotation) OR token is expired OR token was revoked',
-                        'INVALID_REFRESH_TOKEN': 'Token format invalid OR token not found in IDP database',
-                        'TOKEN_EXPIRED': 'Refresh token exceeded its max lifetime',
-                        'TOKEN_REVOKED': 'Token was explicitly revoked (logout, password change, admin action)',
-                        'TOKEN_REUSE_DETECTED': 'Same refresh token used twice - possible token theft, all tokens revoked',
-                        'UPSTREAM_SERVICE_ERROR': 'IDP internal error - token may have been rotated before failure',
-                        'INTERNAL_ERROR': 'IDP internal error - check IDP logs for details',
-                        'RATE_LIMITED': 'Too many refresh attempts - try again later',
-                    };
-                    const whyItFailed = failureReasons[errorCode] || 'Unknown error - check IDP logs';
-                    console.error('╔══════════════════════════════════════════════════════════════════════════════╗');
-                    console.error('║              ❌ REFRESH TOKEN FAILURE - DIAGNOSTIC REPORT                    ║');
-                    console.error('╠══════════════════════════════════════════════════════════════════════════════╣');
-                    console.error(`║ HTTP Status:    ${String(refreshResponse.status).padEnd(60)}║`);
-                    console.error(`║ Error Code:     ${errorCode.padEnd(60)}║`);
-                    console.error(`║ Discard Token:  ${String(discardToken).padEnd(60)}║`);
-                    console.error(`║ Retryable:      ${String(retryable).padEnd(60)}║`);
-                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
-                    console.error(`║ WHY IT FAILED:                                                               ║`);
-                    console.error(`║ ${whyItFailed.substring(0, 76).padEnd(76)} ║`);
-                    console.error('╠──────────────────────────────────────────────────────────────────────────────╣');
-                    console.error(`║ User:           ${(userId || 'unknown').substring(0, 60).padEnd(60)}║`);
-                    console.error(`║ Session:        ${sessionToken.substring(0, 8)}...                                                     ║`);
-                    console.error(`║ Resolution:     ${(resolution || 'Check IDP logs').substring(0, 60).padEnd(60)}║`);
-                    console.error('╚══════════════════════════════════════════════════════════════════════════════╝');
-                    // Also log the full response for detailed debugging
-                    console.error('[AUTH_REFRESH] Full IDP error response:', JSON.stringify(responseData, null, 2).substring(0, 1000));
-                    // If IDP signals to discard token, clear it from Redis
-                    if (discardToken) {
-                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP signaled discard_token', {
-                            reason: 'IDP_DISCARD_TOKEN',
-                            errorCode,
-                            userId,
-                            sessionToken: sessionToken.substring(0, 8) + '...',
-                            hadRefreshToken: !!currentSession.idpRefreshToken,
-                            stack: new Error().stack
-                        });
-                        await (0, session_store_1.updateSession)(sessionToken, {
-                            idpRefreshToken: '',
-                            idpRefreshTokenExpires: undefined,
-                            refreshTokenClearedAt: Date.now(),
-                            refreshTokenClearedReason: `IDP_DISCARD_TOKEN:${errorCode}`
-                        });
-                    }
-                    return server_1.NextResponse.json({
-                        error: errorMessage,
-                        code: errorCode,
-                        discardToken,
-                        retryable,
-                        resolution,
-                        status: refreshResponse.status
-                    }, { status: refreshResponse.status });
-                }
-                // Validate PayEz canonical envelope for success responses
-                const isCompliant = responseData && typeof responseData === 'object' &&
-                    Object.prototype.hasOwnProperty.call(responseData, 'success') &&
-                    (responseData.success === true ? Object.prototype.hasOwnProperty.call(responseData, 'data') : Object.prototype.hasOwnProperty.call(responseData, 'error')) &&
-                    Object.prototype.hasOwnProperty.call(responseData, 'meta');
-                if (!isCompliant) {
-                    console.error('[AUTH_REFRESH] Upstream non-compliant IDP response', { bodySample: responseData });
-                    return server_1.NextResponse.json({
-                        error: 'Upstream non-compliance',
-                        code: 'UPSTREAM_SERVICE_ERROR',
-                        retryable: true,
-                        discardToken: false
-                    }, { status: 502 });
-                }
-                if (responseData.success !== true || !responseData.data) {
-                    // Handle success:false with structured error
-                    const idpError = responseData?.error || {};
-                    const errorCode = idpError.code || 'UPSTREAM_VALIDATION_ERROR';
-                    const discardToken = idpError.discard_token === true;
-                    const retryable = idpError.retryable === true;
-                    console.warn('[AUTH_REFRESH] IDP refresh unsuccessful', {
-                        code: errorCode,
-                        discardToken,
-                        body: responseData
-                    });
-                    if (discardToken) {
-                        console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: IDP success:false with discard_token', {
-                            reason: 'IDP_SUCCESS_FALSE_DISCARD',
-                            errorCode,
-                            userId,
-                            sessionToken: sessionToken.substring(0, 8) + '...',
-                            hadRefreshToken: !!currentSession.idpRefreshToken,
-                            stack: new Error().stack
-                        });
-                        await (0, session_store_1.updateSession)(sessionToken, {
-                            idpRefreshToken: '',
-                            idpRefreshTokenExpires: undefined,
-                            refreshTokenClearedAt: Date.now(),
-                            refreshTokenClearedReason: `IDP_SUCCESS_FALSE_DISCARD:${errorCode}`
-                        });
-                    }
-                    return server_1.NextResponse.json({
-                        error: idpError.message || 'Token refresh failed',
-                        code: errorCode,
-                        discardToken,
-                        retryable,
-                        resolution: idpError.resolution || null
-                    }, { status: refreshResponse.status || 400 });
-                }
-                // Extract tokens from response
-                const payload = responseData.data;
-                const accessToken = payload?.access_token;
-                const refreshToken = payload?.refresh_token;
-                if (!accessToken) {
-                    console.error('[AUTH_REFRESH] Missing access token in IDP response');
-                    return server_1.NextResponse.json({
-                        error: 'Invalid token response from IDP',
-                        code: 'INTERNAL_SERVER_ERROR'
-                    }, { status: 500 });
-                }
-                // Decode and compute token expiries
-                let decodedAccessToken;
-                let accessTokenExpires;
-                let computedRefreshTokenExpires;
-                try {
-                    const result = (0, token_expiry_1.computeTokenExpiries)({ accessToken, refreshToken, preferJwt: true });
-                    decodedAccessToken = result.decodedAccessToken;
-                    accessTokenExpires = result.accessTokenExpires;
-                    computedRefreshTokenExpires = result.refreshTokenExpires;
-                    console.info('[AUTH_REFRESH] Successfully decoded new token pair', {
-                        accessTokenExpires: new Date(accessTokenExpires).toISOString(),
-                        refreshTokenExpires: computedRefreshTokenExpires ? new Date(computedRefreshTokenExpires).toISOString() : null
-                    });
-                }
-                catch (decodeError) {
-                    console.error('[AUTH_REFRESH] Failed to compute token expiries', { error: decodeError });
-                    return server_1.NextResponse.json({
-                        error: 'Failed to decode JWT tokens',
-                        code: 'INTERNAL_SERVER_ERROR'
-                    }, { status: 500 });
-                }
-                // Extract 2FA claims from the new access token
-                let amrClaims = [];
-                if (decodedAccessToken.amr) {
-                    try {
-                        amrClaims = typeof decodedAccessToken.amr === 'string'
-                            ? JSON.parse(decodedAccessToken.amr)
-                            : decodedAccessToken.amr;
-                    }
-                    catch (e) {
-                        console.warn('[AUTH_REFRESH] Failed to parse AMR claims', { amr: decodedAccessToken.amr });
-                        amrClaims = currentSession.authenticationMethods || [];
-                    }
-                }
-                else {
-                    amrClaims = currentSession.authenticationMethods || [];
-                }
-                const acrLevel = String(decodedAccessToken.acr || currentSession.authenticationLevel || '1');
-                // Extract MFA timing claims
-                const mfaTime = decodedAccessToken.mfa_time ? parseInt(decodedAccessToken.mfa_time) * 1000 : currentSession.mfaCompletedAt;
-                const mfaExpires = decodedAccessToken.mfa_expires ? parseInt(decodedAccessToken.mfa_expires) * 1000 : currentSession.mfaExpiresAt;
-                const mfaValidityHours = decodedAccessToken.mfa_validity_hours ? parseInt(decodedAccessToken.mfa_validity_hours) : currentSession.mfaValidityHours;
-                // Update session with new tokens
-                const hasNewRefresh = typeof refreshToken === 'string' && refreshToken.length > 0;
-                const newRefreshTokenExpires = hasNewRefresh ? computedRefreshTokenExpires : undefined;
-                // CRITICAL: Log if we're about to clear the refresh token due to missing new token
-                if (!hasNewRefresh && currentSession.idpRefreshToken) {
-                    console.error('[AUTH_REFRESH] ⚠️ REFRESH_TOKEN_REMOVAL: No new refresh token in IDP response', {
-                        reason: 'NO_NEW_REFRESH_TOKEN_IN_RESPONSE',
-                        userId,
-                        sessionToken: sessionToken.substring(0, 8) + '...',
-                        hadRefreshToken: true,
-                        refreshTokenFromResponse: refreshToken,
-                        refreshTokenType: typeof refreshToken,
-                        payloadKeys: Object.keys(payload || {}),
-                        stack: new Error().stack
-                    });
-                }
-                // Keep existing refresh token if IDP doesn't provide a new one
-                // Only clear if IDP explicitly signals discard_token=true (handled in error paths)
-                // NOTE: Use normalized field names (idp* prefix) per SessionData interface
-                // CRITICAL: Extract kid from JWT header - IDP may rotate keys during refresh
-                const newBearerKeyId = (0, token_utils_1.extractKidFromToken)(accessToken);
-                if (newBearerKeyId) {
-                    console.log('[AUTH_REFRESH] Extracted bearerKeyId (kid) from new JWT header:', newBearerKeyId);
-                }
-                else {
-                    console.warn('[AUTH_REFRESH] No kid found in new JWT header');
-                }
-                const sessionUpdate = {
-                    ...currentSession,
-                    idpAccessToken: accessToken,
-                    idpAccessTokenExpires: accessTokenExpires,
-                    idpRefreshToken: hasNewRefresh ? refreshToken : currentSession.idpRefreshToken,
-                    idpRefreshTokenExpires: hasNewRefresh ? newRefreshTokenExpires : currentSession.idpRefreshTokenExpires,
-                    decodedAccessToken: decodedAccessToken,
-                    // Bearer key ID from JWT header (may change on key rotation)
-                    bearerKeyId: newBearerKeyId || currentSession.bearerKeyId,
-                    authenticationMethods: amrClaims,
-                    authenticationLevel: acrLevel,
-                    mfaVerified: amrClaims.includes('mfa') || currentSession.mfaVerified,
-                    mfaCompletedAt: mfaTime,
-                    mfaExpiresAt: mfaExpires,
-                    mfaValidityHours: mfaValidityHours
-                };
-                await (0, session_store_1.updateSession)(sessionToken, sessionUpdate);
-                console.info('[AUTH_REFRESH] Token refreshed successfully', {
-                    expiresAt: new Date(accessTokenExpires).toISOString(),
-                    userId,
-                    hasNewRefreshToken: hasNewRefresh,
-                    tokenPreview: accessToken ? accessToken.substring(0, 20) + '...' : 'none'
-                });
-            }
-            catch (error) {
-                console.error('[AUTH_REFRESH] Error during token refresh', { error });
-                return server_1.NextResponse.json({
-                    error: 'Token refresh error',
-                    code: 'INTERNAL_SERVER_ERROR'
-                }, { status: 500 });
-            }
-            finally {
-                if (weAcquiredLock) {
-                    await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId, releaseLockVersion);
-                }
-            }
-            // Load the latest session to return basic status
-            const latest = await (0, session_store_1.getSession)(sessionToken);
-            if (!latest?.idpAccessToken) {
-                return server_1.NextResponse.json({
-                    error: 'No access token after refresh',
-                    code: 'INTERNAL_SERVER_ERROR'
-                }, { status: 500 });
-            }
-            return server_1.NextResponse.json({
-                refreshed: true,
-                accessTokenExpires: latest.idpAccessTokenExpires,
-                hasRefreshToken: !!latest.idpRefreshToken,
-            });
-        }
-        catch (err) {
-            console.error('[AUTH_REFRESH] Unexpected error', { error: err?.message || String(err) });
-            return server_1.NextResponse.json({
-                error: 'Unexpected error during refresh',
-                code: 'INTERNAL_SERVER_ERROR'
-            }, { status: 500 });
-        }
-    };
-}
-/**
- * Default export for backward compatibility
- * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
- */
-exports.POST = createRefreshHandler({
-    idpBaseUrl: process.env.IDP_URL,
-    clientId: process.env.CLIENT_ID || 'payez_default_client',
-    nextAuthSecret: process.env.NEXTAUTH_SECRET || '',
-    refreshEndpoint: '/api/ExternalAuth/refresh'
-});