@payez/next-mvp 3.9.1 → 4.0.1

package/dist/lib/internal-api.js

@@ -1,122 +0,0 @@
-"use strict";
-/**
- * Centralized internal API helper for the app to call ITSELF.
- *
- * IMPORTANT: All calls from the Next.js server to its own API routes MUST use
- * these functions. Never use req.url, req.nextUrl.origin, or construct URLs
- * from the incoming request.
- *
- * WHY HTTP IS REQUIRED (not optional):
- * - This is the app calling its OWN backend within the same pod/container
- * - NextAuth cookies are encrypted based on request protocol
- * - TLS is terminated at ingress, so the pod receives HTTP internally
- * - Using HTTPS here causes cookie decryption failures and 403 errors
- * - This is NOT about "K8s traffic doesn't need TLS" - it's about
- *   protocol consistency for cookie/session encryption
- *
- * Environment:
- * - INTERNAL_API_URL: Required in production (e.g., http://service.namespace.svc.cluster.local:80)
- * - Falls back to http://localhost:3200 in development only
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getInternalApiUrl = getInternalApiUrl;
-exports.internalFetch = internalFetch;
-exports.internalRefresh = internalRefresh;
-/**
- * Get the internal API base URL for the app to call itself.
- *
- * @throws Error in production if INTERNAL_API_URL is not set
- * @returns The base URL (no trailing slash)
- */
-function getInternalApiUrl() {
-    const url = process.env.INTERNAL_API_URL;
-    if (url)
-        return url.replace(/\/$/, ''); // strip trailing slash
-    if (process.env.NODE_ENV !== 'production') {
-        return 'http://localhost:3200';
-    }
-    throw new Error('[INTERNAL_API_URL] FATAL: INTERNAL_API_URL environment variable is REQUIRED in production. ' +
-        'This is for the app to call ITSELF. MUST be HTTP (not HTTPS) due to cookie encryption. ' +
-        'Set to http://service.namespace.svc.cluster.local:80');
-}
-/**
- * Make a fetch call to an internal API route (app calling itself).
- *
- * @param path - The API path (e.g., '/api/auth/refresh')
- * @param options - Fetch options
- * @returns The fetch result with parsed data
- *
- * @example
- * ```ts
- * // Simple GET
- * const result = await internalFetch('/api/health');
- *
- * // POST with session
- * const result = await internalFetch('/api/auth/refresh', {
- *   method: 'POST',
- *   cookie: req.headers.get('cookie') || '',
- *   sessionToken: token.redisSessionId,
- *   body: JSON.stringify({ refresh_token: refreshToken }),
- * });
- * ```
- */
-async function internalFetch(path, options = {}) {
-    const { headers: extraHeaders = {}, cookie, sessionToken, requestId, parseJson = true, ...fetchOptions } = options;
-    const baseUrl = getInternalApiUrl();
-    const url = `${baseUrl}${path.startsWith('/') ? path : `/${path}`}`;
-    // Build headers
-    const headers = {
-        'Accept': 'application/json',
-        'Content-Type': 'application/json',
-        ...extraHeaders,
-    };
-    if (cookie) {
-        headers['Cookie'] = cookie;
-    }
-    if (sessionToken) {
-        headers['X-Session-Token'] = sessionToken;
-    }
-    if (requestId) {
-        headers['X-Request-Id'] = requestId;
-    }
-    const response = await fetch(url, {
-        ...fetchOptions,
-        headers,
-    });
-    let data = null;
-    if (parseJson) {
-        try {
-            data = await response.json();
-        }
-        catch {
-            data = null;
-        }
-    }
-    return {
-        ok: response.ok,
-        status: response.status,
-        statusText: response.statusText,
-        data,
-        response,
-    };
-}
-/**
- * Trigger a token refresh via the internal API.
- * This is a convenience wrapper for the common refresh pattern.
- *
- * @param cookie - The cookie header from the incoming request
- * @param sessionToken - The session token
- * @param refreshToken - Optional refresh token to include in body
- * @param requestId - Optional request ID for tracing
- * @returns Whether the refresh was successful
- */
-async function internalRefresh(cookie, sessionToken, refreshToken, requestId) {
-    const result = await internalFetch('/api/auth/refresh', {
-        method: 'POST',
-        cookie,
-        sessionToken,
-        requestId,
-        body: refreshToken ? JSON.stringify({ refresh_token: refreshToken }) : undefined,
-    });
-    return { ok: result.ok, status: result.status };
-}

package/dist/lib/jwt-decode-client.d.ts

@@ -1,10 +0,0 @@
-/**
- * Client-safe JWT decode (no Node.js dependencies)
- * This is a lightweight version for browser usage
- */
-/**
- * Simple JWT decode for client-side use (no signature verification)
- * @param token - JWT token string
- * @returns Decoded payload or null if invalid
- */
-export declare function jwtDecode<T = any>(token: string): T | null;

package/dist/lib/jwt-decode-client.js

@@ -1,46 +0,0 @@
-"use strict";
-/**
- * Client-safe JWT decode (no Node.js dependencies)
- * This is a lightweight version for browser usage
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.jwtDecode = jwtDecode;
-// Decode base64url
-function base64urlDecode(base64url) {
-    try {
-        // Convert base64url to base64
-        let base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
-        // Add padding if needed
-        while (base64.length % 4) {
-            base64 += '=';
-        }
-        return atob(base64);
-    }
-    catch (e) {
-        throw new Error('Invalid base64url encoding');
-    }
-}
-/**
- * Simple JWT decode for client-side use (no signature verification)
- * @param token - JWT token string
- * @returns Decoded payload or null if invalid
- */
-function jwtDecode(token) {
-    if (!token)
-        return null;
-    try {
-        const parts = token.split('.');
-        if (parts.length < 2) {
-            console.error('[JWT] Invalid token format');
-            return null;
-        }
-        const payload = parts[1];
-        const decoded = base64urlDecode(payload);
-        const parsedPayload = JSON.parse(decoded);
-        return parsedPayload;
-    }
-    catch (e) {
-        console.error('[JWT] Decode failed:', e instanceof Error ? e.message : 'Unknown error');
-        return null;
-    }
-}

package/dist/lib/jwt-decode.d.ts

@@ -1,48 +0,0 @@
-export interface JwtPayload {
-    iss?: string;
-    sub?: string;
-    aud?: string[] | string;
-    exp?: number;
-    nbf?: number;
-    iat?: number;
-    jti?: string;
-}
-/**
- * JWT Header structure.
- * Contains metadata about the token including the signing key ID.
- */
-export interface JwtHeader {
-    /** Algorithm used to sign the token (e.g., 'RS256', 'HS256') */
-    alg: string;
-    /** Token type (typically 'JWT') */
-    typ?: string;
-    /** Key ID - identifies which key was used to sign this token */
-    kid?: string;
-    /** Content type */
-    cty?: string;
-}
-/**
- * Decode JWT payload (standard claims).
- * This is a thin wrapper around jwt-decode library.
- */
-export declare function jwtDecode<T = JwtPayload>(token: string): T;
-/**
- * Decode JWT header to extract kid, alg, and other header claims.
- *
- * The JWT header contains critical information:
- * - kid: Key ID used to sign the token (needed for key governance)
- * - alg: Algorithm used for signing
- * - typ: Token type
- *
- * @param token - The JWT token string
- * @returns Decoded header or null if decoding fails
- */
-export declare function decodeJwtHeader(token: string): JwtHeader | null;
-/**
- * Extract just the kid (Key ID) from a JWT token.
- * Convenience function for when you only need the key ID.
- *
- * @param token - The JWT token string
- * @returns The kid value or undefined if not present/decodable
- */
-export declare function extractKidFromToken(token: string): string | undefined;

package/dist/lib/jwt-decode.js

@@ -1,57 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.jwtDecode = jwtDecode;
-exports.decodeJwtHeader = decodeJwtHeader;
-exports.extractKidFromToken = extractKidFromToken;
-const jwt_decode_1 = require("jwt-decode");
-/**
- * Decode JWT payload (standard claims).
- * This is a thin wrapper around jwt-decode library.
- */
-function jwtDecode(token) {
-    return (0, jwt_decode_1.jwtDecode)(token);
-}
-/**
- * Decode JWT header to extract kid, alg, and other header claims.
- *
- * The JWT header contains critical information:
- * - kid: Key ID used to sign the token (needed for key governance)
- * - alg: Algorithm used for signing
- * - typ: Token type
- *
- * @param token - The JWT token string
- * @returns Decoded header or null if decoding fails
- */
-function decodeJwtHeader(token) {
-    try {
-        if (!token || typeof token !== 'string') {
-            return null;
-        }
-        const parts = token.split('.');
-        if (parts.length !== 3) {
-            console.warn('[JWT_DECODE] Invalid JWT structure - expected 3 parts, got', parts.length);
-            return null;
-        }
-        // Decode base64url header (part 0)
-        const headerB64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
-        const headerJson = typeof atob !== 'undefined'
-            ? atob(headerB64)
-            : Buffer.from(headerB64, 'base64').toString('utf-8');
-        return JSON.parse(headerJson);
-    }
-    catch (error) {
-        console.error('[JWT_DECODE] Failed to decode JWT header:', error);
-        return null;
-    }
-}
-/**
- * Extract just the kid (Key ID) from a JWT token.
- * Convenience function for when you only need the key ID.
- *
- * @param token - The JWT token string
- * @returns The kid value or undefined if not present/decodable
- */
-function extractKidFromToken(token) {
-    const header = decodeJwtHeader(token);
-    return header?.kid;
-}

package/dist/lib/nextauth-secret.d.ts

@@ -1,10 +0,0 @@
-import 'server-only';
-/**
- * Resolve the NextAuth secret (server-only).
- *
- * Priority:
- * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
- * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
- * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
- */
-export declare function resolveNextAuthSecret(): Promise<string>;

package/dist/lib/nextauth-secret.js

@@ -1,100 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveNextAuthSecret = resolveNextAuthSecret;
-require("server-only");
-const secret_validation_1 = require("./secret-validation");
-const crypto_1 = require("crypto");
-let cachedSecret = null;
-let lastFetchedAt = 0;
-/**
- * Resolve the NextAuth secret (server-only).
- *
- * Priority:
- * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
- * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
- * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
- */
-async function resolveNextAuthSecret() {
-    // Check if already in environment
-    if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
-        // Silent - already configured
-        return process.env.NEXTAUTH_SECRET;
-    }
-    // Check if cached and fresh (within 5 minutes)
-    if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
-        return cachedSecret;
-    }
-    // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
-    const base = process.env.IDP_URL;
-    if (!base)
-        throw new Error('IDP_URL environment variable is required');
-    const clientIdStr = process.env.CLIENT_ID;
-    if (!clientIdStr || clientIdStr.trim() === '')
-        throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
-    // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
-    const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
-    const signingPayload = {
-        issuer: clientIdStr,
-        subject: clientIdStr,
-        audience: 'urn:payez:externalauth:nextauthsecret',
-        expires_in: 60,
-    };
-    const signingResp = await fetch(signingUrl.toString(), {
-        method: 'POST',
-        headers: {
-            'Accept': 'application/json',
-            'Content-Type': 'application/json',
-            'X-Client-Id': clientIdStr,
-            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
-        },
-        body: JSON.stringify(signingPayload),
-        cache: 'no-store'
-    });
-    if (!signingResp.ok) {
-        const txt = await signingResp.text().catch(() => 'Unknown error');
-        throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
-    }
-    const signingBody = await signingResp.json().catch(() => ({}));
-    const client_assertion = (signingBody?.data?.client_assertion ??
-        signingBody?.data?.clientAssertion ??
-        signingBody?.client_assertion ??
-        signingBody?.clientAssertion ??
-        signingBody?.data?.ClientAssertion ??
-        signingBody?.ClientAssertion);
-    if (!client_assertion || typeof client_assertion !== 'string') {
-        throw new Error('IDP did not return a valid signed client assertion');
-    }
-    // Step 2: Use the signed assertion to fetch the NextAuth secret
-    const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
-    const proxyResp = await fetch(proxyUrl.toString(), {
-        method: 'POST',
-        headers: {
-            'Accept': 'application/json',
-            'Content-Type': 'application/json',
-            'X-Client-Id': clientIdStr,
-            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
-        },
-        body: JSON.stringify({ client_assertion }),
-        cache: 'no-store'
-    });
-    if (!proxyResp.ok) {
-        const txt = await proxyResp.text().catch(() => 'Unknown error');
-        throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
-    }
-    const proxyBody = await proxyResp.json().catch(() => ({}));
-    const secret = (proxyBody?.data?.secret ?? proxyBody?.secret);
-    const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration);
-    // Configuration is available but we don't log it verbosely
-    if (!secret || typeof secret !== 'string') {
-        throw new Error('Proxy did not return a valid NextAuth secret');
-    }
-    const validation = (0, secret_validation_1.validateNextAuthSecret)(secret);
-    if (!validation.valid) {
-        throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
-    }
-    cachedSecret = secret;
-    lastFetchedAt = Date.now();
-    process.env.NEXTAUTH_SECRET = secret;
-    console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
-    return secret;
-}

package/dist/lib/rate-limit-service.d.ts

@@ -1,23 +0,0 @@
-export interface RateLimitRule {
-    endpoint: string;
-    period: string;
-    limit: number;
-}
-export interface RateLimitResult {
-    isAllowed: boolean;
-    requestCount: number;
-    limit: number;
-    retryAfterSeconds?: number;
-    failedAttempts?: number;
-}
-export declare function createPayEzRateLimitResponse(retryAfterSeconds: number, remainingAttempts?: number): {
-    success: boolean;
-    message: string;
-    user_info: null;
-    errors: {
-        code: string;
-        message: string;
-        resolution: string;
-        remainingAttempts: number;
-    }[];
-};

package/dist/lib/rate-limit-service.js

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createPayEzRateLimitResponse = createPayEzRateLimitResponse;
-function createPayEzRateLimitResponse(retryAfterSeconds, remainingAttempts = 0) {
-    return { success: false, message: 'Too many failed attempts', user_info: null, errors: [{ code: 'RateLimitExceeded', message: 'Too many failed authentication attempts', resolution: `Please try again in ${retryAfterSeconds} seconds`, remainingAttempts }] };
-}

package/dist/lib/redis.d.ts

@@ -1,5 +0,0 @@
-import Redis from 'ioredis';
-export declare function getRedis(): Redis;
-declare const redis: Redis;
-export { redis };
-export default redis;

package/dist/lib/redis.js

@@ -1,28 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.redis = void 0;
-exports.getRedis = getRedis;
-// E:\Repos\PayEz-Next-MVP\packages\next-mvp\src\lib\redis.ts
-const ioredis_1 = __importDefault(require("ioredis"));
-let client = null;
-function createClient() {
-    const url = process.env.REDIS_URL;
-    if (url && url.trim() !== '') {
-        // Use a standard configuration for better Docker compatibility
-        return new ioredis_1.default(url);
-    }
-    // No REDIS_URL set, create a client that will fail fast.
-    return new ioredis_1.default({ lazyConnect: true });
-}
-function getRedis() {
-    if (!client) {
-        client = createClient();
-    }
-    return client;
-}
-const redis = getRedis();
-exports.redis = redis;
-exports.default = redis;

package/dist/lib/refresh-token-validator.d.ts

@@ -1,13 +0,0 @@
-export declare function isRefreshTokenValid(token: string): boolean;
-export declare function isRefreshTokenExpiring(token: string, bufferMinutes?: number): boolean;
-export declare function getRefreshTokenExpiration(token: string): number | null;
-export declare function getRefreshTokenTimeRemaining(token: string): number | null;
-export interface RefreshViabilityCheck {
-    canRefresh: boolean;
-    reason: 'valid_refresh_token' | 'no_refresh_token' | 'refresh_token_expired' | 'session_missing';
-    timeRemaining?: number;
-    expiresAt?: string;
-    accessTokenExpired?: boolean;
-    accessTokenTimeRemaining?: number;
-}
-export declare function checkRefreshViability(sessionData: any): RefreshViabilityCheck;

package/dist/lib/refresh-token-validator.js

@@ -1,117 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isRefreshTokenValid = isRefreshTokenValid;
-exports.isRefreshTokenExpiring = isRefreshTokenExpiring;
-exports.getRefreshTokenExpiration = getRefreshTokenExpiration;
-exports.getRefreshTokenTimeRemaining = getRefreshTokenTimeRemaining;
-exports.checkRefreshViability = checkRefreshViability;
-const jwt_decode_1 = require("./jwt-decode");
-const logger_1 = require("../config/logger");
-function isRefreshTokenValid(token) {
-    if (!token)
-        return false;
-    try {
-        const decoded = (0, jwt_decode_1.jwtDecode)(token);
-        if (!decoded)
-            return false;
-        const now = Math.floor(Date.now() / 1000);
-        if (decoded.exp < now)
-            return false;
-        if (decoded.token_type !== 'refresh_token')
-            return false;
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function isRefreshTokenExpiring(token, bufferMinutes = 60) {
-    if (!token)
-        return true;
-    try {
-        const decoded = (0, jwt_decode_1.jwtDecode)(token);
-        if (!decoded?.exp)
-            return true;
-        const now = Math.floor(Date.now() / 1000);
-        const buffer = bufferMinutes * 60;
-        return decoded.exp <= (now + buffer);
-    }
-    catch {
-        return true;
-    }
-}
-function getRefreshTokenExpiration(token) {
-    if (!token)
-        return null;
-    try {
-        const decoded = (0, jwt_decode_1.jwtDecode)(token);
-        if (!decoded?.exp)
-            return null;
-        return decoded.exp * 1000;
-    }
-    catch {
-        return null;
-    }
-}
-function getRefreshTokenTimeRemaining(token) {
-    if (!token)
-        return null;
-    try {
-        const decoded = (0, jwt_decode_1.jwtDecode)(token);
-        if (!decoded?.exp)
-            return null;
-        const now = Math.floor(Date.now() / 1000);
-        const timeRemaining = decoded.exp - now;
-        return timeRemaining > 0 ? timeRemaining : null;
-    }
-    catch {
-        return null;
-    }
-}
-function checkRefreshViability(sessionData) {
-    if (!sessionData)
-        return { canRefresh: false, reason: 'session_missing' };
-    let accessTokenExpired = false;
-    let accessTokenTimeRemaining;
-    if (sessionData.idpAccessTokenExpires) {
-        const now = Date.now();
-        let expiresAtMs = sessionData.idpAccessTokenExpires;
-        if (typeof expiresAtMs === 'string')
-            expiresAtMs = parseInt(expiresAtMs, 10);
-        if (expiresAtMs < 1000000000000)
-            expiresAtMs = expiresAtMs * 1000;
-        accessTokenTimeRemaining = Math.floor((expiresAtMs - now) / 1000);
-        const bufferSec = 5 * 60; // 5 minutes pre-expiry buffer
-        accessTokenExpired = accessTokenTimeRemaining <= bufferSec;
-        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Access token expiration check', { now, expiresAtMs, accessTokenTimeRemaining, bufferSec, accessTokenExpired });
-    }
-    if (!sessionData.idpRefreshToken)
-        return { canRefresh: false, reason: 'no_refresh_token', accessTokenExpired, accessTokenTimeRemaining };
-    if (sessionData.idpRefreshTokenExpires) {
-        let refreshExpMs = sessionData.idpRefreshTokenExpires;
-        if (typeof refreshExpMs === 'string')
-            refreshExpMs = parseInt(refreshExpMs, 10);
-        if (refreshExpMs < 1000000000000)
-            refreshExpMs = refreshExpMs * 1000;
-        const nowMs = Date.now();
-        const timeRemainingSec = Math.floor((refreshExpMs - nowMs) / 1000);
-        if (timeRemainingSec <= 0)
-            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
-        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining: timeRemainingSec, expiresAt: new Date(refreshExpMs).toISOString(), accessTokenExpired, accessTokenTimeRemaining };
-    }
-    try {
-        const decoded = (0, jwt_decode_1.jwtDecode)(sessionData.idpRefreshToken);
-        const nowSec = Math.floor(Date.now() / 1000);
-        if (!decoded?.exp || decoded.token_type !== 'refresh_token')
-            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
-        const timeRemaining = decoded.exp - nowSec;
-        if (timeRemaining <= 0)
-            return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
-        const expiresAtIso = new Date(decoded.exp * 1000).toISOString();
-        return { canRefresh: true, reason: 'valid_refresh_token', timeRemaining, expiresAt: expiresAtIso, accessTokenExpired, accessTokenTimeRemaining };
-    }
-    catch (error) {
-        logger_1.tokenRefreshLogger.debug('[REFRESH_VIABILITY] Failed to decode refresh token for viability', { error: error instanceof Error ? error.message : String(error) });
-        return { canRefresh: false, reason: 'refresh_token_expired', accessTokenExpired, accessTokenTimeRemaining };
-    }
-}