@payez/next-mvp 3.9.1 → 4.0.1

package/dist/auth/utils/token-utils.js

@@ -1,219 +0,0 @@
-"use strict";
-/**
- * Token Utilities
- *
- * JWT decoding and expiry checking utilities.
- * Extracted from auth-options.ts for clarity.
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.extractKidFromToken = exports.decodeJwtHeader = void 0;
-exports.decodeIdpAccessToken = decodeIdpAccessToken;
-exports.decodeIdpAccessTokenFull = decodeIdpAccessTokenFull;
-exports.extractEmailFromToken = extractEmailFromToken;
-exports.extractRolesFromToken = extractRolesFromToken;
-exports.extractAmrFromToken = extractAmrFromToken;
-exports.tokenNeedsRefresh = tokenNeedsRefresh;
-exports.tokenIsExpired = tokenIsExpired;
-exports.msUntilExpiry = msUntilExpiry;
-exports.expClaimToMs = expClaimToMs;
-exports.validateTokenExpiry = validateTokenExpiry;
-const jwt_decode_1 = require("../../lib/jwt-decode");
-// Re-export header utilities for consumers
-var jwt_decode_2 = require("../../lib/jwt-decode");
-Object.defineProperty(exports, "decodeJwtHeader", { enumerable: true, get: function () { return jwt_decode_2.decodeJwtHeader; } });
-Object.defineProperty(exports, "extractKidFromToken", { enumerable: true, get: function () { return jwt_decode_2.extractKidFromToken; } });
-// ============================================================================
-// TOKEN DECODING
-// ============================================================================
-/**
- * Decode an IDP access token and extract claims.
- *
- * @param token - The JWT access token from IDP
- * @returns Decoded token claims, or null if decode fails
- */
-function decodeIdpAccessToken(token) {
-    try {
-        return (0, jwt_decode_1.jwtDecode)(token);
-    }
-    catch (error) {
-        console.error('[TOKEN_UTILS] Failed to decode access token:', error);
-        return null;
-    }
-}
-/**
- * Decode both JWT header and payload from an IDP access token.
- * Returns the signing key ID (kid) along with payload claims.
- *
- * @param token - The JWT access token from IDP
- * @returns Object with header (including kid) and payload, or null if decode fails
- */
-function decodeIdpAccessTokenFull(token) {
-    try {
-        const header = (0, jwt_decode_1.decodeJwtHeader)(token);
-        const payload = (0, jwt_decode_1.jwtDecode)(token);
-        if (!header || !payload) {
-            return null;
-        }
-        return {
-            header,
-            payload,
-            bearerKeyId: header.kid,
-        };
-    }
-    catch (error) {
-        console.error('[TOKEN_UTILS] Failed to decode access token (full):', error);
-        return null;
-    }
-}
-/**
- * Extract user email from decoded token.
- * Handles multiple possible claim names used by IDP.
- */
-function extractEmailFromToken(decoded) {
-    return (decoded.email ||
-        decoded['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'] ||
-        '');
-}
-/**
- * Extract roles from decoded token.
- * Handles both 'role' and 'roles' claims, and both string and array formats.
- */
-function extractRolesFromToken(decoded) {
-    const rolesClaim = decoded.role || decoded.roles;
-    if (!rolesClaim) {
-        return [];
-    }
-    if (Array.isArray(rolesClaim)) {
-        return rolesClaim;
-    }
-    if (typeof rolesClaim === 'string') {
-        // Could be a single role or JSON array string
-        try {
-            const parsed = JSON.parse(rolesClaim);
-            return Array.isArray(parsed) ? parsed : [rolesClaim];
-        }
-        catch {
-            return [rolesClaim];
-        }
-    }
-    return [];
-}
-/**
- * Extract AMR (Authentication Methods References) from decoded token.
- */
-function extractAmrFromToken(decoded) {
-    const amr = decoded.amr;
-    if (!amr) {
-        return [];
-    }
-    if (Array.isArray(amr)) {
-        return amr;
-    }
-    if (typeof amr === 'string') {
-        try {
-            const parsed = JSON.parse(amr);
-            return Array.isArray(parsed) ? parsed : [amr];
-        }
-        catch {
-            return [amr];
-        }
-    }
-    return [];
-}
-// ============================================================================
-// EXPIRY CHECKING
-// ============================================================================
-/**
- * Check if a token expiry timestamp indicates the token needs refresh.
- *
- * @param expiresAt - Token expiry timestamp (Unix milliseconds)
- * @param bufferMs - How early to trigger refresh (default 5 minutes)
- * @returns true if token is expired or will expire within buffer period
- */
-function tokenNeedsRefresh(expiresAt, bufferMs = 5 * 60 * 1000) {
-    if (!expiresAt) {
-        return true; // No expiry info = assume needs refresh
-    }
-    const timeUntilExpiry = expiresAt - Date.now();
-    return timeUntilExpiry <= bufferMs;
-}
-/**
- * Check if a token is completely expired (past its exp time).
- *
- * @param expiresAt - Token expiry timestamp (Unix milliseconds)
- * @returns true if token is expired
- */
-function tokenIsExpired(expiresAt) {
-    if (!expiresAt) {
-        return true;
-    }
-    return Date.now() >= expiresAt;
-}
-/**
- * Calculate milliseconds until token expires.
- *
- * @param expiresAt - Token expiry timestamp (Unix milliseconds)
- * @returns Milliseconds until expiry, or 0 if already expired
- */
-function msUntilExpiry(expiresAt) {
-    if (!expiresAt) {
-        return 0;
-    }
-    return Math.max(0, expiresAt - Date.now());
-}
-/**
- * Convert Unix seconds (from JWT exp claim) to milliseconds.
- */
-function expClaimToMs(exp) {
-    // JWT exp is in seconds, we use milliseconds internally
-    return exp * 1000;
-}
-// ============================================================================
-// TOKEN VALIDATION
-// ============================================================================
-/**
- * Validate that an access token's actual JWT exp matches what we have cached.
- * This catches cases where the token was refreshed but cache wasn't updated.
- *
- * @param accessToken - The JWT access token
- * @param cachedExpiresAt - What we think the expiry is (Unix ms)
- * @returns Object with validation result and actual expiry
- */
-function validateTokenExpiry(accessToken, cachedExpiresAt) {
-    try {
-        const parts = accessToken.split('.');
-        if (parts.length !== 3) {
-            return { valid: false, actualExpiresAt: null, mismatch: false };
-        }
-        const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
-        const actualExpiresAt = payload.exp ? payload.exp * 1000 : null;
-        if (!actualExpiresAt) {
-            return { valid: false, actualExpiresAt: null, mismatch: false };
-        }
-        const now = Date.now();
-        const isExpired = actualExpiresAt < now;
-        // Check for mismatch between cached and actual expiry
-        const mismatch = cachedExpiresAt
-            ? Math.abs(actualExpiresAt - cachedExpiresAt) > 1000 // Allow 1 second tolerance
-            : false;
-        if (mismatch) {
-            console.warn('[TOKEN_UTILS] Token expiry mismatch detected:', {
-                cached: cachedExpiresAt ? new Date(cachedExpiresAt).toISOString() : 'none',
-                actual: new Date(actualExpiresAt).toISOString(),
-                diff: cachedExpiresAt ? actualExpiresAt - cachedExpiresAt : 'N/A',
-            });
-        }
-        return {
-            valid: !isExpired,
-            actualExpiresAt,
-            mismatch,
-        };
-    }
-    catch (error) {
-        console.error('[TOKEN_UTILS] Failed to validate token expiry:', error);
-        return { valid: false, actualExpiresAt: null, mismatch: false };
-    }
-}

package/dist/client/AuthContext.d.ts

@@ -1,19 +0,0 @@
-import { ReactNode } from 'react';
-import { AuthConfig, AuthMode, FederatedProvider } from '@/types/auth';
-interface AuthProviderProps {
-    children: ReactNode;
-    config?: Partial<AuthConfig>;
-    /**
-     * If true, providers will be fetched dynamically from NextAuth
-     * instead of using the static providers array from config.
-     * Defaults to true for dynamic provider loading from IDP.
-     */
-    useDynamicProviders?: boolean;
-}
-export declare function AuthProvider({ children, config, useDynamicProviders }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
-export declare function useAuthConfig(): AuthConfig;
-export declare function useAuthMode(): AuthMode;
-export declare function useFederatedProviders(): FederatedProvider[];
-export declare function useFederatedAuthEnabled(): boolean;
-export declare function useTraditionalAuthEnabled(): boolean;
-export {};

package/dist/client/AuthContext.js

@@ -1,112 +0,0 @@
-"use strict";
-'use client';
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthProvider = AuthProvider;
-exports.useAuthConfig = useAuthConfig;
-exports.useAuthMode = useAuthMode;
-exports.useFederatedProviders = useFederatedProviders;
-exports.useFederatedAuthEnabled = useFederatedAuthEnabled;
-exports.useTraditionalAuthEnabled = useTraditionalAuthEnabled;
-const jsx_runtime_1 = require("react/jsx-runtime");
-const react_1 = require("react");
-const react_2 = require("next-auth/react");
-const react_query_1 = require("@tanstack/react-query");
-const AuthContext = (0, react_1.createContext)(null);
-const defaultConfig = {
-    mode: 'traditional',
-    providers: [],
-    enableRecovery: true,
-    enableEmailSignup: true,
-    allowPasswordReset: true,
-};
-// Map NextAuth provider IDs to our FederatedProvider type
-const PROVIDER_MAP = {
-    'google': 'google',
-    'apple': 'apple',
-    'facebook': 'facebook',
-    'github': 'github',
-    'azure-ad': 'microsoft',
-    'microsoft-entra-id': 'microsoft',
-};
-// OAuth providers we support in UI (excludes credentials)
-const OAUTH_PROVIDER_IDS = ['google', 'apple', 'facebook', 'github', 'azure-ad', 'microsoft-entra-id'];
-function AuthProvider({ children, config, useDynamicProviders = true }) {
-    const [dynamicProviders, setDynamicProviders] = (0, react_1.useState)([]);
-    const [providersLoaded, setProvidersLoaded] = (0, react_1.useState)(!useDynamicProviders);
-    // Create QueryClient instance for React Query - used internally by MVP hooks
-    const [queryClient] = (0, react_1.useState)(() => new react_query_1.QueryClient({
-        defaultOptions: {
-            queries: {
-                staleTime: 60 * 1000, // 1 minute
-                retry: 1,
-                refetchOnWindowFocus: false,
-            },
-        },
-    }));
-    // Fetch dynamic providers from NextAuth on mount
-    (0, react_1.useEffect)(() => {
-        if (!useDynamicProviders)
-            return;
-        let mounted = true;
-        async function fetchDynamicProviders() {
-            try {
-                const result = await (0, react_2.getProviders)();
-                if (!mounted)
-                    return;
-                if (result) {
-                    // Filter to OAuth providers only and map to FederatedProvider type
-                    const oauthProviders = Object.keys(result)
-                        .filter(id => OAUTH_PROVIDER_IDS.includes(id))
-                        .map(id => PROVIDER_MAP[id])
-                        .filter((p) => p !== undefined);
-                    setDynamicProviders(oauthProviders);
-                }
-            }
-            catch (err) {
-                // Fall back to static config providers on error
-            }
-            finally {
-                if (mounted) {
-                    setProvidersLoaded(true);
-                }
-            }
-        }
-        fetchDynamicProviders();
-        return () => {
-            mounted = false;
-        };
-    }, [useDynamicProviders]);
-    // Determine final providers list
-    const providers = useDynamicProviders && providersLoaded
-        ? dynamicProviders
-        : (config?.providers ?? defaultConfig.providers);
-    const authConfig = {
-        ...defaultConfig,
-        ...config,
-        providers, // Override with dynamic providers if enabled
-    };
-    return ((0, jsx_runtime_1.jsx)(react_query_1.QueryClientProvider, { client: queryClient, children: (0, jsx_runtime_1.jsx)(AuthContext.Provider, { value: authConfig, children: children }) }));
-}
-function useAuthConfig() {
-    const context = (0, react_1.useContext)(AuthContext);
-    if (!context) {
-        return defaultConfig;
-    }
-    return context;
-}
-function useAuthMode() {
-    const config = useAuthConfig();
-    return config.mode;
-}
-function useFederatedProviders() {
-    const config = useAuthConfig();
-    return config.providers;
-}
-function useFederatedAuthEnabled() {
-    const config = useAuthConfig();
-    return config.mode === 'federated' && config.providers.length > 0;
-}
-function useTraditionalAuthEnabled() {
-    const config = useAuthConfig();
-    return config.mode === 'traditional';
-}