npm - @payez/next-mvp - Versions diffs - 3.9.1 → 4.0.1 - Mend

@payez/next-mvp 3.9.1 → 4.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (526) hide show

package/package.json +6 -18
package/src/api/auth-handler.ts +550 -549
package/src/api-handlers/account/change-password.ts +5 -8
package/src/api-handlers/admin/analytics.ts +4 -6
package/src/api-handlers/admin/audit.ts +5 -7
package/src/api-handlers/admin/index.ts +1 -2
package/src/api-handlers/admin/redis-sessions.ts +6 -8
package/src/api-handlers/admin/sessions.ts +5 -7
package/src/api-handlers/admin/site-logs.ts +8 -10
package/src/api-handlers/admin/stats.ts +4 -6
package/src/api-handlers/admin/users.ts +5 -7
package/src/api-handlers/admin/vibe-data.ts +10 -12
package/src/api-handlers/auth/refresh.ts +5 -7
package/src/api-handlers/auth/signout.ts +5 -6
package/src/api-handlers/auth/status.ts +4 -7
package/src/api-handlers/auth/update-session.ts +123 -125
package/src/api-handlers/auth/verify-code.ts +9 -13
package/src/api-handlers/session/viability.ts +10 -47
package/src/api-handlers/test/force-expire.ts +4 -11
package/src/auth/auth-decision.ts +1 -1
package/src/auth/better-auth.ts +138 -141
package/src/auth/route-config.ts +219 -219
package/src/auth/utils/token-utils.ts +0 -1
package/src/client/AuthContext.tsx +6 -2
package/src/client/fetch-with-auth.ts +47 -47
package/src/components/SessionSync.tsx +6 -5
package/src/components/account/MobileNavDrawer.tsx +3 -3
package/src/components/account/UserAvatarMenu.tsx +6 -3
package/src/components/admin/VibeAdminLayout.tsx +4 -2
package/src/config/logger.ts +1 -1
package/src/hooks/useAuth.ts +117 -115
package/src/hooks/useAuthSettings.ts +2 -2
package/src/hooks/useAvailableProviders.ts +9 -5
package/src/hooks/useSessionExpiration.ts +101 -102
package/src/hooks/useViabilitySession.ts +336 -335
package/src/index.ts +60 -63
package/src/lib/api-handler.ts +0 -1
package/src/lib/app-slug.ts +6 -6
package/src/lib/standardized-client-api.ts +901 -895
package/src/lib/startup-init.ts +243 -247
package/src/lib/test-aware-get-token.ts +22 -12
package/src/lib/token-lifecycle.ts +12 -53
package/src/pages/admin-login/page.tsx +9 -17
package/src/pages/client-admin/ClientSiteAdminPage.tsx +4 -2
package/src/pages/login/page.tsx +21 -28
package/src/pages/showcase/ShowcasePage.tsx +4 -2
package/src/pages/test-env/EmergencyLogoutPage.tsx +7 -6
package/src/pages/test-env/JwtInspectPage.tsx +5 -3
package/src/pages/test-env/RefreshTokenPage.tsx +157 -155
package/src/pages/test-env/TestEnvPage.tsx +4 -2
package/src/pages/verify-code/page.tsx +10 -6
package/src/routes/auth/logout.ts +7 -25
package/src/routes/auth/nextauth.ts +45 -71
package/src/routes/auth/session.ts +25 -50
package/src/routes/auth/viability.ts +7 -19
package/src/server/auth.ts +60 -0
package/src/stores/authStore.ts +1899 -1904
package/src/utils/logout.ts +30 -30
package/dist/api/auth-handler.d.ts +0 -67
package/dist/api/auth-handler.js +0 -397
package/dist/api/index.d.ts +0 -10
package/dist/api/index.js +0 -19
package/dist/api-handlers/account/change-password.d.ts +0 -9
package/dist/api-handlers/account/change-password.js +0 -112
package/dist/api-handlers/account/masked-info.d.ts +0 -2
package/dist/api-handlers/account/masked-info.js +0 -41
package/dist/api-handlers/account/profile.d.ts +0 -3
package/dist/api-handlers/account/profile.js +0 -63
package/dist/api-handlers/account/recovery/initiate.d.ts +0 -2
package/dist/api-handlers/account/recovery/initiate.js +0 -26
package/dist/api-handlers/account/recovery/send-code.d.ts +0 -2
package/dist/api-handlers/account/recovery/send-code.js +0 -28
package/dist/api-handlers/account/recovery/verify-code.d.ts +0 -2
package/dist/api-handlers/account/recovery/verify-code.js +0 -28
package/dist/api-handlers/account/reset-password.d.ts +0 -2
package/dist/api-handlers/account/reset-password.js +0 -26
package/dist/api-handlers/account/send-code.d.ts +0 -24
package/dist/api-handlers/account/send-code.js +0 -60
package/dist/api-handlers/account/update-phone.d.ts +0 -27
package/dist/api-handlers/account/update-phone.js +0 -64
package/dist/api-handlers/account/validate-password.d.ts +0 -17
package/dist/api-handlers/account/validate-password.js +0 -81
package/dist/api-handlers/account/verify-email.d.ts +0 -26
package/dist/api-handlers/account/verify-email.js +0 -106
package/dist/api-handlers/account/verify-sms.d.ts +0 -26
package/dist/api-handlers/account/verify-sms.js +0 -106
package/dist/api-handlers/admin/analytics.d.ts +0 -20
package/dist/api-handlers/admin/analytics.js +0 -379
package/dist/api-handlers/admin/audit.d.ts +0 -20
package/dist/api-handlers/admin/audit.js +0 -214
package/dist/api-handlers/admin/index.d.ts +0 -22
package/dist/api-handlers/admin/index.js +0 -43
package/dist/api-handlers/admin/redis-sessions.d.ts +0 -36
package/dist/api-handlers/admin/redis-sessions.js +0 -204
package/dist/api-handlers/admin/sessions.d.ts +0 -21
package/dist/api-handlers/admin/sessions.js +0 -284
package/dist/api-handlers/admin/site-logs.d.ts +0 -46
package/dist/api-handlers/admin/site-logs.js +0 -318
package/dist/api-handlers/admin/stats.d.ts +0 -21
package/dist/api-handlers/admin/stats.js +0 -240
package/dist/api-handlers/admin/users.d.ts +0 -20
package/dist/api-handlers/admin/users.js +0 -222
package/dist/api-handlers/admin/vibe-data.d.ts +0 -80
package/dist/api-handlers/admin/vibe-data.js +0 -268
package/dist/api-handlers/anon/preferences.d.ts +0 -37
package/dist/api-handlers/anon/preferences.js +0 -96
package/dist/api-handlers/auth/jwks.d.ts +0 -2
package/dist/api-handlers/auth/jwks.js +0 -24
package/dist/api-handlers/auth/login.d.ts +0 -42
package/dist/api-handlers/auth/login.js +0 -178
package/dist/api-handlers/auth/refresh.d.ts +0 -74
package/dist/api-handlers/auth/refresh.js +0 -635
package/dist/api-handlers/auth/signout.d.ts +0 -37
package/dist/api-handlers/auth/signout.js +0 -187
package/dist/api-handlers/auth/status.d.ts +0 -8
package/dist/api-handlers/auth/status.js +0 -26
package/dist/api-handlers/auth/update-session.d.ts +0 -37
package/dist/api-handlers/auth/update-session.js +0 -95
package/dist/api-handlers/auth/validate.d.ts +0 -6
package/dist/api-handlers/auth/validate.js +0 -43
package/dist/api-handlers/auth/verify-code.d.ts +0 -43
package/dist/api-handlers/auth/verify-code.js +0 -94
package/dist/api-handlers/session/refresh-viability.d.ts +0 -14
package/dist/api-handlers/session/refresh-viability.js +0 -39
package/dist/api-handlers/session/viability.d.ts +0 -13
package/dist/api-handlers/session/viability.js +0 -146
package/dist/api-handlers/test/force-expire.d.ts +0 -23
package/dist/api-handlers/test/force-expire.js +0 -65
package/dist/auth/auth-decision.d.ts +0 -39
package/dist/auth/auth-decision.js +0 -182
package/dist/auth/auth-options.d.ts +0 -57
package/dist/auth/auth-options.js +0 -213
package/dist/auth/better-auth.d.ts +0 -82
package/dist/auth/better-auth.js +0 -122
package/dist/auth/callbacks/index.d.ts +0 -6
package/dist/auth/callbacks/index.js +0 -12
package/dist/auth/callbacks/jwt.d.ts +0 -45
package/dist/auth/callbacks/jwt.js +0 -305
package/dist/auth/callbacks/session.d.ts +0 -60
package/dist/auth/callbacks/session.js +0 -170
package/dist/auth/callbacks/signin.d.ts +0 -23
package/dist/auth/callbacks/signin.js +0 -44
package/dist/auth/events/index.d.ts +0 -4
package/dist/auth/events/index.js +0 -8
package/dist/auth/events/signout.d.ts +0 -17
package/dist/auth/events/signout.js +0 -32
package/dist/auth/providers/credentials.d.ts +0 -32
package/dist/auth/providers/credentials.js +0 -223
package/dist/auth/providers/index.d.ts +0 -5
package/dist/auth/providers/index.js +0 -21
package/dist/auth/providers/oauth.d.ts +0 -26
package/dist/auth/providers/oauth.js +0 -105
package/dist/auth/route-config.d.ts +0 -66
package/dist/auth/route-config.js +0 -190
package/dist/auth/types/auth-types.d.ts +0 -417
package/dist/auth/types/auth-types.js +0 -53
package/dist/auth/types/index.d.ts +0 -6
package/dist/auth/types/index.js +0 -22
package/dist/auth/unauthenticated-routes.d.ts +0 -1
package/dist/auth/unauthenticated-routes.js +0 -19
package/dist/auth/utils/idp-client.d.ts +0 -94
package/dist/auth/utils/idp-client.js +0 -384
package/dist/auth/utils/index.d.ts +0 -5
package/dist/auth/utils/index.js +0 -21
package/dist/auth/utils/token-utils.d.ts +0 -84
package/dist/auth/utils/token-utils.js +0 -219
package/dist/client/AuthContext.d.ts +0 -19
package/dist/client/AuthContext.js +0 -112
package/dist/client/better-auth-client.d.ts +0 -1020
package/dist/client/better-auth-client.js +0 -68
package/dist/client/fetch-with-auth.d.ts +0 -11
package/dist/client/fetch-with-auth.js +0 -44
package/dist/client/fetchWithSession.d.ts +0 -3
package/dist/client/fetchWithSession.js +0 -24
package/dist/client/index.d.ts +0 -9
package/dist/client/index.js +0 -20
package/dist/client/useAnonSession.d.ts +0 -36
package/dist/client/useAnonSession.js +0 -99
package/dist/components/SessionSync.d.ts +0 -13
package/dist/components/SessionSync.js +0 -119
package/dist/components/SignalRHealthCheck.d.ts +0 -10
package/dist/components/SignalRHealthCheck.js +0 -97
package/dist/components/account/MobileNavDrawer.d.ts +0 -32
package/dist/components/account/MobileNavDrawer.js +0 -81
package/dist/components/account/UserAvatarMenu.d.ts +0 -20
package/dist/components/account/UserAvatarMenu.js +0 -88
package/dist/components/account/index.d.ts +0 -9
package/dist/components/account/index.js +0 -13
package/dist/components/admin/AlertSettingsTab.d.ts +0 -48
package/dist/components/admin/AlertSettingsTab.js +0 -351
package/dist/components/admin/AnalyticsTab.d.ts +0 -22
package/dist/components/admin/AnalyticsTab.js +0 -167
package/dist/components/admin/DataBrowserTab.d.ts +0 -19
package/dist/components/admin/DataBrowserTab.js +0 -252
package/dist/components/admin/LoggingSettingsTab.d.ts +0 -73
package/dist/components/admin/LoggingSettingsTab.js +0 -339
package/dist/components/admin/SessionsTab.d.ts +0 -37
package/dist/components/admin/SessionsTab.js +0 -165
package/dist/components/admin/StatsTab.d.ts +0 -53
package/dist/components/admin/StatsTab.js +0 -161
package/dist/components/admin/VibeAdminContext.d.ts +0 -32
package/dist/components/admin/VibeAdminContext.js +0 -38
package/dist/components/admin/VibeAdminLayout.d.ts +0 -11
package/dist/components/admin/VibeAdminLayout.js +0 -69
package/dist/components/admin/index.d.ts +0 -29
package/dist/components/admin/index.js +0 -44
package/dist/components/auth/FederatedAuthSection.d.ts +0 -8
package/dist/components/auth/FederatedAuthSection.js +0 -45
package/dist/components/auth/ModeAwareLoginPage.d.ts +0 -10
package/dist/components/auth/ModeAwareLoginPage.js +0 -42
package/dist/components/auth/ModeAwareSignupPage.d.ts +0 -9
package/dist/components/auth/ModeAwareSignupPage.js +0 -78
package/dist/components/auth/TraditionalAuthSection.d.ts +0 -14
package/dist/components/auth/TraditionalAuthSection.js +0 -20
package/dist/components/recovery/CompleteStep.d.ts +0 -5
package/dist/components/recovery/CompleteStep.js +0 -8
package/dist/components/recovery/InitiateRecoveryStep.d.ts +0 -8
package/dist/components/recovery/InitiateRecoveryStep.js +0 -20
package/dist/components/recovery/SelectMethodStep.d.ts +0 -8
package/dist/components/recovery/SelectMethodStep.js +0 -8
package/dist/components/recovery/SetPasswordStep.d.ts +0 -6
package/dist/components/recovery/SetPasswordStep.js +0 -20
package/dist/components/recovery/VerifyCodeStep.d.ts +0 -10
package/dist/components/recovery/VerifyCodeStep.js +0 -24
package/dist/components/reserved/ReservedRecoveryWarning.d.ts +0 -38
package/dist/components/reserved/ReservedRecoveryWarning.js +0 -92
package/dist/components/reserved/ReservedStatusBox.d.ts +0 -30
package/dist/components/reserved/ReservedStatusBox.js +0 -71
package/dist/components/ui/BetaBadge.d.ts +0 -29
package/dist/components/ui/BetaBadge.js +0 -38
package/dist/components/ui/Footer.d.ts +0 -37
package/dist/components/ui/Footer.js +0 -41
package/dist/config/env.d.ts +0 -66
package/dist/config/env.js +0 -57
package/dist/config/logger.d.ts +0 -57
package/dist/config/logger.js +0 -73
package/dist/config/logging-config.d.ts +0 -30
package/dist/config/logging-config.js +0 -122
package/dist/config/unauthenticated-routes.d.ts +0 -17
package/dist/config/unauthenticated-routes.js +0 -24
package/dist/config/vibe-log-transport.d.ts +0 -81
package/dist/config/vibe-log-transport.js +0 -212
package/dist/edge/internal-api-url.d.ts +0 -53
package/dist/edge/internal-api-url.js +0 -63
package/dist/edge/middleware.d.ts +0 -14
package/dist/edge/middleware.js +0 -32
package/dist/hooks/useAuth.d.ts +0 -23
package/dist/hooks/useAuth.js +0 -81
package/dist/hooks/useAuthSettings.d.ts +0 -59
package/dist/hooks/useAuthSettings.js +0 -93
package/dist/hooks/useAvailableProviders.d.ts +0 -45
package/dist/hooks/useAvailableProviders.js +0 -108
package/dist/hooks/usePasswordValidation.d.ts +0 -27
package/dist/hooks/usePasswordValidation.js +0 -102
package/dist/hooks/useProfile.d.ts +0 -15
package/dist/hooks/useProfile.js +0 -59
package/dist/hooks/usePublicAuthSettings.d.ts +0 -56
package/dist/hooks/usePublicAuthSettings.js +0 -131
package/dist/hooks/useSessionExpiration.d.ts +0 -57
package/dist/hooks/useSessionExpiration.js +0 -72
package/dist/hooks/useViabilitySession.d.ts +0 -75
package/dist/hooks/useViabilitySession.js +0 -268
package/dist/index.d.ts +0 -12
package/dist/index.js +0 -55
package/dist/lib/anon-session.d.ts +0 -74
package/dist/lib/anon-session.js +0 -169
package/dist/lib/api-handler.d.ts +0 -123
package/dist/lib/api-handler.js +0 -478
package/dist/lib/app-slug.d.ts +0 -95
package/dist/lib/app-slug.js +0 -172
package/dist/lib/demo-mode.d.ts +0 -6
package/dist/lib/demo-mode.js +0 -16
package/dist/lib/geolocation.d.ts +0 -64
package/dist/lib/geolocation.js +0 -235
package/dist/lib/idp-client-config.d.ts +0 -75
package/dist/lib/idp-client-config.js +0 -425
package/dist/lib/idp-fetch.d.ts +0 -14
package/dist/lib/idp-fetch.js +0 -91
package/dist/lib/internal-api.d.ts +0 -87
package/dist/lib/internal-api.js +0 -122
package/dist/lib/jwt-decode-client.d.ts +0 -10
package/dist/lib/jwt-decode-client.js +0 -46
package/dist/lib/jwt-decode.d.ts +0 -48
package/dist/lib/jwt-decode.js +0 -57
package/dist/lib/nextauth-secret.d.ts +0 -10
package/dist/lib/nextauth-secret.js +0 -100
package/dist/lib/rate-limit-service.d.ts +0 -23
package/dist/lib/rate-limit-service.js +0 -6
package/dist/lib/redis.d.ts +0 -5
package/dist/lib/redis.js +0 -28
package/dist/lib/refresh-token-validator.d.ts +0 -13
package/dist/lib/refresh-token-validator.js +0 -117
package/dist/lib/roles.d.ts +0 -145
package/dist/lib/roles.js +0 -168
package/dist/lib/secret-validation.d.ts +0 -4
package/dist/lib/secret-validation.js +0 -14
package/dist/lib/session-store.d.ts +0 -170
package/dist/lib/session-store.js +0 -545
package/dist/lib/session.d.ts +0 -21
package/dist/lib/session.js +0 -26
package/dist/lib/site-logger.d.ts +0 -214
package/dist/lib/site-logger.js +0 -210
package/dist/lib/standardized-client-api.d.ts +0 -161
package/dist/lib/standardized-client-api.js +0 -786
package/dist/lib/startup-init.d.ts +0 -40
package/dist/lib/startup-init.js +0 -261
package/dist/lib/test-aware-get-token.d.ts +0 -2
package/dist/lib/test-aware-get-token.js +0 -81
package/dist/lib/token-expiry.d.ts +0 -14
package/dist/lib/token-expiry.js +0 -39
package/dist/lib/token-lifecycle.d.ts +0 -52
package/dist/lib/token-lifecycle.js +0 -398
package/dist/lib/types/api-responses.d.ts +0 -128
package/dist/lib/types/api-responses.js +0 -171
package/dist/lib/user-agent-parser.d.ts +0 -50
package/dist/lib/user-agent-parser.js +0 -220
package/dist/logging/api/admin-analytics.d.ts +0 -3
package/dist/logging/api/admin-analytics.js +0 -45
package/dist/logging/api/audit-log.d.ts +0 -3
package/dist/logging/api/audit-log.js +0 -52
package/dist/logging/components/AdminAnalyticsLayout.d.ts +0 -10
package/dist/logging/components/AdminAnalyticsLayout.js +0 -11
package/dist/logging/components/AuditLogViewer.d.ts +0 -7
package/dist/logging/components/AuditLogViewer.js +0 -51
package/dist/logging/components/ErrorMetricsCard.d.ts +0 -7
package/dist/logging/components/ErrorMetricsCard.js +0 -16
package/dist/logging/components/HealthMetricsCard.d.ts +0 -7
package/dist/logging/components/HealthMetricsCard.js +0 -19
package/dist/logging/hooks/useAdminAnalytics.d.ts +0 -24
package/dist/logging/hooks/useAdminAnalytics.js +0 -22
package/dist/logging/hooks/useAuditLog.d.ts +0 -6
package/dist/logging/hooks/useAuditLog.js +0 -25
package/dist/logging/hooks/useErrorMetrics.d.ts +0 -6
package/dist/logging/hooks/useErrorMetrics.js +0 -38
package/dist/logging/hooks/useHealthMetrics.d.ts +0 -6
package/dist/logging/hooks/useHealthMetrics.js +0 -41
package/dist/logging/index.d.ts +0 -11
package/dist/logging/index.js +0 -40
package/dist/logging/types/analytics.d.ts +0 -68
package/dist/logging/types/analytics.js +0 -3
package/dist/logging/types/audit.d.ts +0 -29
package/dist/logging/types/audit.js +0 -2
package/dist/logging/types/index.d.ts +0 -2
package/dist/logging/types/index.js +0 -19
package/dist/middleware/auth-decision.d.ts +0 -33
package/dist/middleware/auth-decision.js +0 -65
package/dist/middleware/create-middleware.d.ts +0 -102
package/dist/middleware/create-middleware.js +0 -469
package/dist/middleware/rbac-check.d.ts +0 -51
package/dist/middleware/rbac-check.js +0 -219
package/dist/middleware/twofa-presets.d.ts +0 -134
package/dist/middleware/twofa-presets.js +0 -175
package/dist/models/DecodedAccessToken.d.ts +0 -17
package/dist/models/DecodedAccessToken.js +0 -2
package/dist/models/SessionModel.d.ts +0 -122
package/dist/models/SessionModel.js +0 -136
package/dist/pages/admin-login/page.d.ts +0 -31
package/dist/pages/admin-login/page.js +0 -83
package/dist/pages/admin-page-permissions/PagePermissionsAdminPage.d.ts +0 -18
package/dist/pages/admin-page-permissions/PagePermissionsAdminPage.js +0 -276
package/dist/pages/admin-page-permissions/index.d.ts +0 -6
package/dist/pages/admin-page-permissions/index.js +0 -13
package/dist/pages/admin-roles/RolesAdminPage.d.ts +0 -16
package/dist/pages/admin-roles/RolesAdminPage.js +0 -261
package/dist/pages/admin-roles/index.d.ts +0 -8
package/dist/pages/admin-roles/index.js +0 -15
package/dist/pages/admin-roles/modals.d.ts +0 -72
package/dist/pages/admin-roles/modals.js +0 -154
package/dist/pages/client-admin/ClientSiteAdminPage.d.ts +0 -79
package/dist/pages/client-admin/ClientSiteAdminPage.js +0 -177
package/dist/pages/client-admin/index.d.ts +0 -32
package/dist/pages/client-admin/index.js +0 -37
package/dist/pages/coming-soon/page.d.ts +0 -8
package/dist/pages/coming-soon/page.js +0 -28
package/dist/pages/login/page.d.ts +0 -22
package/dist/pages/login/page.js +0 -239
package/dist/pages/profile/EnhancedProfilePage.d.ts +0 -13
package/dist/pages/profile/EnhancedProfilePage.js +0 -150
package/dist/pages/profile/index.d.ts +0 -8
package/dist/pages/profile/index.js +0 -16
package/dist/pages/profile/page.d.ts +0 -19
package/dist/pages/profile/page.js +0 -47
package/dist/pages/profile/profile-patch.d.ts +0 -1
package/dist/pages/profile/profile-patch.js +0 -281
package/dist/pages/recovery/page.d.ts +0 -1
package/dist/pages/recovery/page.js +0 -142
package/dist/pages/roles/MyRolesPage.d.ts +0 -24
package/dist/pages/roles/MyRolesPage.js +0 -71
package/dist/pages/roles/components.d.ts +0 -63
package/dist/pages/roles/components.js +0 -108
package/dist/pages/roles/index.d.ts +0 -8
package/dist/pages/roles/index.js +0 -19
package/dist/pages/security/EnhancedSecurityPage.d.ts +0 -14
package/dist/pages/security/EnhancedSecurityPage.js +0 -248
package/dist/pages/security/index.d.ts +0 -8
package/dist/pages/security/index.js +0 -16
package/dist/pages/security/page.d.ts +0 -21
package/dist/pages/security/page.js +0 -212
package/dist/pages/security/security-patch.d.ts +0 -1
package/dist/pages/security/security-patch.js +0 -302
package/dist/pages/settings/EnhancedSettingsPage.d.ts +0 -46
package/dist/pages/settings/EnhancedSettingsPage.js +0 -231
package/dist/pages/settings/index.d.ts +0 -8
package/dist/pages/settings/index.js +0 -16
package/dist/pages/settings/page.d.ts +0 -7
package/dist/pages/settings/page.js +0 -26
package/dist/pages/showcase/ShowcasePage.d.ts +0 -13
package/dist/pages/showcase/ShowcasePage.js +0 -140
package/dist/pages/showcase/index.d.ts +0 -12
package/dist/pages/showcase/index.js +0 -17
package/dist/pages/test-env/EmergencyLogoutPage.d.ts +0 -14
package/dist/pages/test-env/EmergencyLogoutPage.js +0 -98
package/dist/pages/test-env/JwtInspectPage.d.ts +0 -14
package/dist/pages/test-env/JwtInspectPage.js +0 -114
package/dist/pages/test-env/RefreshTokenPage.d.ts +0 -15
package/dist/pages/test-env/RefreshTokenPage.js +0 -91
package/dist/pages/test-env/TestEnvPage.d.ts +0 -13
package/dist/pages/test-env/TestEnvPage.js +0 -49
package/dist/pages/test-env/index.d.ts +0 -24
package/dist/pages/test-env/index.js +0 -32
package/dist/pages/verify-code/page.d.ts +0 -30
package/dist/pages/verify-code/page.js +0 -408
package/dist/routes/account/index.d.ts +0 -28
package/dist/routes/account/index.js +0 -71
package/dist/routes/account/masked-info.d.ts +0 -33
package/dist/routes/account/masked-info.js +0 -39
package/dist/routes/account/send-code.d.ts +0 -37
package/dist/routes/account/send-code.js +0 -42
package/dist/routes/account/update-phone.d.ts +0 -13
package/dist/routes/account/update-phone.js +0 -17
package/dist/routes/account/verify-email.d.ts +0 -38
package/dist/routes/account/verify-email.js +0 -43
package/dist/routes/account/verify-sms.d.ts +0 -38
package/dist/routes/account/verify-sms.js +0 -43
package/dist/routes/auth/index.d.ts +0 -19
package/dist/routes/auth/index.js +0 -64
package/dist/routes/auth/logout.d.ts +0 -31
package/dist/routes/auth/logout.js +0 -113
package/dist/routes/auth/nextauth.d.ts +0 -19
package/dist/routes/auth/nextauth.js +0 -72
package/dist/routes/auth/refresh.d.ts +0 -30
package/dist/routes/auth/refresh.js +0 -51
package/dist/routes/auth/session.d.ts +0 -43
package/dist/routes/auth/session.js +0 -179
package/dist/routes/auth/settings.d.ts +0 -25
package/dist/routes/auth/settings.js +0 -55
package/dist/routes/auth/viability.d.ts +0 -52
package/dist/routes/auth/viability.js +0 -201
package/dist/routes/index.d.ts +0 -12
package/dist/routes/index.js +0 -54
package/dist/routes/session/index.d.ts +0 -6
package/dist/routes/session/index.js +0 -10
package/dist/routes/session/refresh-viability.d.ts +0 -16
package/dist/routes/session/refresh-viability.js +0 -20
package/dist/server/auth-guard.d.ts +0 -46
package/dist/server/auth-guard.js +0 -128
package/dist/server/decode-session.d.ts +0 -30
package/dist/server/decode-session.js +0 -78
package/dist/server/slim-middleware.d.ts +0 -23
package/dist/server/slim-middleware.js +0 -89
package/dist/server/with-auth.d.ts +0 -33
package/dist/server/with-auth.js +0 -59
package/dist/services/signalrActivityService.d.ts +0 -44
package/dist/services/signalrActivityService.js +0 -257
package/dist/stores/authStore.d.ts +0 -154
package/dist/stores/authStore.js +0 -1531
package/dist/theme/ThemeProvider.d.ts +0 -14
package/dist/theme/ThemeProvider.js +0 -28
package/dist/theme/default.d.ts +0 -8
package/dist/theme/default.js +0 -33
package/dist/theme/index.d.ts +0 -15
package/dist/theme/index.js +0 -25
package/dist/theme/types.d.ts +0 -56
package/dist/theme/types.js +0 -8
package/dist/theme/useTheme.d.ts +0 -60
package/dist/theme/useTheme.js +0 -63
package/dist/theme/utils.d.ts +0 -13
package/dist/theme/utils.js +0 -39
package/dist/types/api.d.ts +0 -134
package/dist/types/api.js +0 -44
package/dist/types/auth.d.ts +0 -19
package/dist/types/auth.js +0 -2
package/dist/types/logging.d.ts +0 -42
package/dist/types/logging.js +0 -2
package/dist/types/recovery.d.ts +0 -48
package/dist/types/recovery.js +0 -2
package/dist/types/security.d.ts +0 -1
package/dist/types/security.js +0 -2
package/dist/utils/api.d.ts +0 -85
package/dist/utils/api.js +0 -287
package/dist/utils/circuitBreaker.d.ts +0 -43
package/dist/utils/circuitBreaker.js +0 -91
package/dist/utils/error-message.d.ts +0 -1
package/dist/utils/error-message.js +0 -103
package/dist/utils/layout/reservedSpace.d.ts +0 -59
package/dist/utils/layout/reservedSpace.js +0 -102
package/dist/utils/logout.d.ts +0 -14
package/dist/utils/logout.js +0 -32
package/dist/vibe/client.d.ts +0 -261
package/dist/vibe/client.js +0 -445
package/dist/vibe/enterprise-auth.d.ts +0 -106
package/dist/vibe/enterprise-auth.js +0 -173
package/dist/vibe/errors.d.ts +0 -83
package/dist/vibe/errors.js +0 -146
package/dist/vibe/generic.d.ts +0 -234
package/dist/vibe/generic.js +0 -369
package/dist/vibe/hooks/index.d.ts +0 -169
package/dist/vibe/hooks/index.js +0 -252
package/dist/vibe/index.d.ts +0 -25
package/dist/vibe/index.js +0 -72
package/dist/vibe/sessions.d.ts +0 -161
package/dist/vibe/sessions.js +0 -391
package/dist/vibe/types.d.ts +0 -353
package/dist/vibe/types.js +0 -315
package/src/auth/auth-options.ts +0 -237
package/src/auth/callbacks/index.ts +0 -7
package/src/auth/callbacks/jwt.ts +0 -382
package/src/auth/callbacks/session.ts +0 -243
package/src/auth/callbacks/signin.ts +0 -56
package/src/auth/events/index.ts +0 -5
package/src/auth/events/signout.ts +0 -33
package/src/auth/providers/credentials.ts +0 -256
package/src/auth/providers/index.ts +0 -6
package/src/auth/providers/oauth.ts +0 -114
package/src/lib/nextauth-secret.ts +0 -121
package/src/types/next-auth.d.ts +0 -15

package/src/auth/auth-options.ts DELETED Viewed

@@ -1,237 +0,0 @@
-/**
- * NextAuth Configuration (Refactored)
- *
- * This is the composition layer that wires together all auth modules.
- * Individual logic lives in dedicated modules:
- * - providers/ - Credentials and OAuth provider builders
- * - callbacks/ - JWT, session, signIn callbacks
- * - events/ - SignOut event handler
- * - utils/ - Token utilities, IDP client
- * - types/ - Type definitions
- *
- * CARGO CULT PATTERNS REMOVED:
- * ============================
- * The original auth-options.ts (1186 lines) had several anti-patterns that
- * added complexity without benefit:
- *
- * 1. CALLBACK CONCURRENCY PROTECTION (removed)
- *    - shouldExecuteCallback() / markCallbackComplete()
- *    - A debouncing mechanism that tried to prevent callbacks from running
- *      too frequently. NextAuth already handles this properly.
- *    - Added complexity, caused race condition bugs, and leaked memory
- *      (Map entries never cleaned up).
- *
- * 2. SESSION RESTORATION (removed)
- *    - attemptSessionRestoration()
- *    - Tried to restore sessions by calling refresh endpoint from JWT callback.
- *    - Created circular dependencies and made debugging impossible.
- *    - Clean approach: Session missing = user re-authenticates. Simple.
- *
- * 3. VARIABLE NAME SOUP (normalized in Phase 3)
- *    - accessToken vs idpAccessToken vs oauthAccessToken
- *    - twoFactorComplete vs mfaVerified vs requiresTwoFactor
- *    - sessionToken vs redisSessionId
- *    - Now: Clear prefixes (idp*, oauth*, mfa*) with documented meanings.
- *
- * 4. INLINE EVERYTHING (modularized in Phase 2)
- *    - All logic was in one giant file with no separation of concerns.
- *    - Now: Each module has one job and can be tested independently.
- *
- * @version 2.0.0
- * @since auth-refactor-2026-01
- */
-import type { NextAuthOptions } from 'next-auth';
-import type { Provider } from 'next-auth/providers/index';
-import { encode as defaultEncode, decode as defaultDecode } from 'next-auth/jwt';
-import { getIDPClientConfig, type IDPClientConfig } from '../lib/idp-client-config';
-import {
-  getSessionCookieName,
-  getSecureSessionCookieName,
-  getCsrfCookieName,
-  getSecureCsrfCookieName,
-  getCallbackUrlCookieName,
-} from '../lib/app-slug';
-// Module imports
-import { createCredentialsProvider, buildOAuthProviders } from './providers';
-import { jwtCallback, sessionCallback, signInCallback } from './callbacks';
-import { handleSignOut } from './events';
-// ============================================================================
-// ENVIRONMENT HELPERS
-// ============================================================================
-/**
- * Get AUTH_ISSUER_URL for JWT issuer claim.
- * Required for SSO across apps.
- */
-function getAuthIssuerUrl(): string {
-  const url = process.env.AUTH_ISSUER_URL;
-  if (!url) {
-    throw new Error('AUTH_ISSUER_URL environment variable is REQUIRED');
-  }
-  return url;
-}
-// ============================================================================
-// BASE AUTH OPTIONS
-// ============================================================================
-/**
- * Base NextAuth configuration.
- * Use getAuthOptions() for dynamic provider loading from IDP.
- */
-export const authOptions: NextAuthOptions = {
-  // Session uses JWT strategy - JWT contains only redisSessionId
-  session: {
-    strategy: 'jwt',
-    maxAge: 30 * 24 * 60 * 60, // 30 days default, overridden by IDP config
-  },
-  // Custom JWT handling for SSO issuer
-  jwt: {
-    encode: async (params) => {
-      try {
-        const issuer = getAuthIssuerUrl();
-        console.log('[JWT_ENCODE] Encoding token:', {
-          hasToken: !!params.token,
-          hasSecret: !!params.secret,
-          secretLength: params.secret?.length || 0,
-          issuer,
-          tokenKeys: params.token ? Object.keys(params.token) : [],
-        });
-        const encoded = await defaultEncode({
-          ...params,
-          secret: params.secret,
-          token: {
-            ...params.token,
-            iss: issuer,
-          },
-        });
-        console.log('[JWT_ENCODE] Success, encoded length:', encoded?.length || 0);
-        return encoded;
-      } catch (error) {
-        console.error('[JWT_ENCODE] FAILED:', error);
-        throw error;
-      }
-    },
-    decode: async (params) => {
-      const decoded = await defaultDecode(params);
-      if (decoded?.iss && decoded.iss !== getAuthIssuerUrl()) {
-        console.error('[JWT] Invalid issuer. Expected:', getAuthIssuerUrl(), 'Got:', decoded.iss);
-        return null; // Hard enforcement - reject mismatched issuers
-      }
-      return decoded;
-    },
-  },
-  // Cookie configuration for multi-app support
-  // In production, use __Secure- prefixed cookie names for enhanced security
-  cookies: {
-    sessionToken: {
-      name: process.env.NODE_ENV === 'production' ? getSecureSessionCookieName() : getSessionCookieName(),
-      options: {
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        secure: process.env.NODE_ENV === 'production',
-      },
-    },
-    csrfToken: {
-      name: process.env.NODE_ENV === 'production' ? getSecureCsrfCookieName() : getCsrfCookieName(),
-      options: {
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        secure: process.env.NODE_ENV === 'production',
-      },
-    },
-    callbackUrl: {
-      name: getCallbackUrlCookieName(),
-      options: {
-        sameSite: 'lax',
-        path: '/',
-        secure: process.env.NODE_ENV === 'production',
-      },
-    },
-  },
-  // Providers - credentials only in base, OAuth added dynamically
-  providers: [createCredentialsProvider()],
-  // Callbacks wired to modular implementations
-  callbacks: {
-    jwt: jwtCallback,
-    session: sessionCallback as any, // Type cast needed for NextAuth compatibility
-    signIn: signInCallback,
-  },
-  // Events
-  events: {
-    signOut: handleSignOut,
-  },
-  // Custom pages
-  pages: {
-    signIn: '/account-auth/login',
-    error: '/account-auth/login',
-  },
-  debug: false,
-};
-// ============================================================================
-// DYNAMIC AUTH OPTIONS (WITH IDP OAUTH PROVIDERS)
-// ============================================================================
-let cachedAuthOptions: NextAuthOptions | null = null;
-let authOptionsPromise: Promise<NextAuthOptions> | null = null;
-/**
- * Get auth options with dynamically loaded OAuth providers from IDP.
- * Uses caching to avoid rebuilding on every request.
- */
-export async function getAuthOptions(): Promise<NextAuthOptions> {
-  if (cachedAuthOptions) {
-    return cachedAuthOptions;
-  }
-  if (authOptionsPromise) {
-    return authOptionsPromise;
-  }
-  authOptionsPromise = buildDynamicAuthOptions();
-  cachedAuthOptions = await authOptionsPromise;
-  authOptionsPromise = null;
-  return cachedAuthOptions;
-}
-/**
- * Build auth options with dynamic OAuth providers from IDP.
- */
-async function buildDynamicAuthOptions(): Promise<NextAuthOptions> {
-  const idpConfig = await getIDPClientConfig();
-  const oauthProviders = buildOAuthProviders(idpConfig);
-  return {
-    ...authOptions,
-    secret: idpConfig.nextAuthSecret || process.env.NEXTAUTH_SECRET,
-    session: {
-      ...authOptions.session,
-      maxAge: idpConfig.authSettings?.rememberMeDays
-        ? idpConfig.authSettings.rememberMeDays * 24 * 60 * 60
-        : 30 * 24 * 60 * 60,
-    },
-    providers: [createCredentialsProvider(), ...oauthProviders],
-  };
-}
-/**
- * Clear cached auth options (when IDP config changes).
- */
-export function clearAuthOptionsCache(): void {
-  cachedAuthOptions = null;
-  authOptionsPromise = null;
-}

package/src/auth/callbacks/index.ts DELETED Viewed

@@ -1,7 +0,0 @@
-/**
- * Auth Callbacks - Public Exports
- */
-export { jwtCallback } from './jwt';
-export { sessionCallback } from './session';
-export { signInCallback } from './signin';

package/src/auth/callbacks/jwt.ts DELETED Viewed

@@ -1,382 +0,0 @@
-/**
- * JWT Callback
- *
- * Minimal token strategy - only store redisSessionId in JWT.
- * All session data lives in Redis, not in the browser cookie.
- *
- * HANDLES:
- * - Initial sign-in (credentials): Store redisSessionId from authorize()
- * - Initial sign-in (OAuth): Register with IDP, create session, store redisSessionId
- * - Subsequent requests: Validate session exists, return token
- *
- * @version 1.0.0
- * @since auth-refactor-2026-01
- */
-import type { JWT } from 'next-auth/jwt';
-import type { User, Account } from 'next-auth';
-import { createHmac } from 'crypto';
-import { createSession, getSession } from '../../lib/session-store';
-import { getIDPClientConfig } from '../../lib/idp-client-config';
-import { idpOAuthCallback } from '../utils/idp-client';
-import {
-  decodeIdpAccessToken,
-  extractAmrFromToken,
-  expClaimToMs,
-  extractKidFromToken,
-} from '../utils/token-utils';
-// NOTE: Using any for sessionData until Phase 3 normalizes types
-// ============================================================================
-// VIBE ROLE FETCHING
-// ============================================================================
-/**
- * Generate HMAC signature for Vibe API request.
- */
-function generateVibeSignature(
-  endpoint: string,
-  clientId: string,
-  timestamp: number
-): string {
-  const signingKey = process.env.VIBE_SIGNING_KEY;
-  if (!signingKey) {
-    return '';
-  }
-  const stringToSign = `${timestamp}|GET|${endpoint}|${clientId}`;
-  return createHmac('sha256', Buffer.from(signingKey, 'base64'))
-    .update(stringToSign)
-    .digest('base64');
-}
-/**
- * Fetch user's roles from Vibe API.
- * Returns empty array on failure (non-blocking).
- * Uses HMAC signature for authentication when signing key is configured.
- */
-async function fetchVibeRoles(userId: string, clientId: string): Promise<string[]> {
-  const vibeApiUrl = process.env.VIBE_API_URL;
-  if (!vibeApiUrl) {
-    return [];
-  }
-  const endpoint = `/api/v1/users/${userId}/roles`;
-  const timestamp = Math.floor(Date.now() / 1000);
-  const signature = generateVibeSignature(endpoint, clientId, timestamp);
-  // Build headers with optional signature
-  const headers: Record<string, string> = {
-    'Accept': 'application/json',
-    'X-Client-Id': clientId,
-    'X-Vibe-Client-Id': clientId,
-  };
-  if (signature) {
-    headers['X-Vibe-Timestamp'] = String(timestamp);
-    headers['X-Vibe-Signature'] = signature;
-  }
-  try {
-    const response = await fetch(
-      `${vibeApiUrl}${endpoint}`,
-      {
-        method: 'GET',
-        headers,
-        // 2 second timeout
-        signal: AbortSignal.timeout(2000),
-      }
-    );
-    if (!response.ok) {
-      console.warn('[JWT_CALLBACK] Failed to fetch Vibe roles:', response.status);
-      return [];
-    }
-    const data = await response.json();
-    const roles = data.roles?.map((r: any) => r.role_name || r) || [];
-    console.log('[JWT_CALLBACK] Fetched Vibe roles:', roles);
-    return roles;
-  } catch (error) {
-    console.warn('[JWT_CALLBACK] Error fetching Vibe roles (continuing with IDP roles only):', error);
-    return [];
-  }
-}
-/**
- * Merge IDP roles with Vibe roles, deduplicating.
- */
-function mergeRoles(idpRoles: string[], vibeRoles: string[]): string[] {
-  return [...new Set([...idpRoles, ...vibeRoles])];
-}
-// ============================================================================
-// TYPES
-// ============================================================================
-interface JwtCallbackParams {
-  token: JWT;
-  user?: User | any;
-  account?: Account | null;
-  trigger?: 'signIn' | 'signUp' | 'update';
-}
-interface JwtCallbackResult extends JWT {
-  /** Redis session ID - the key to look up session data */
-  redisSessionId?: string;
-  /** User ID from IDP */
-  sub: string;
-  /** Error code if session validation failed */
-  error?: string;
-  /** Flag for OAuth users who need immediate 2FA redirect */
-  requiresTwoFactorRedirect?: boolean;
-}
-// ============================================================================
-// JWT CALLBACK
-// ============================================================================
-/**
- * JWT callback - builds the NextAuth JWT token.
- *
- * MINIMAL TOKEN STRATEGY:
- * - Only store redisSessionId (key to Redis session)
- * - All tokens and user data live in Redis
- * - Browser cookie stays small and secure
- *
- * @param params - JWT callback parameters from NextAuth
- * @returns JWT payload to store in browser cookie
- */
-export async function jwtCallback({
-  token,
-  user,
-  account,
-  trigger,
-}: JwtCallbackParams): Promise<JwtCallbackResult> {
-  console.log('[JWT_CALLBACK] Called with:', {
-    trigger,
-    hasAccount: !!account,
-    provider: account?.provider,
-    hasUser: !!user,
-    userEmail: user?.email,
-    existingRedisSessionId: token?.redisSessionId ? 'yes' : 'no',
-  });
-  // -------------------------------------------------------------------------
-  // OAuth Sign-In: Register with IDP and create session
-  // -------------------------------------------------------------------------
-  if (account && account.provider !== 'credentials') {
-    console.log('[JWT_CALLBACK] Handling OAuth sign-in for provider:', account.provider);
-    return handleOAuthSignIn(token, user, account);
-  }
-  // -------------------------------------------------------------------------
-  // Credentials Sign-In: Session already created in authorize()
-  // -------------------------------------------------------------------------
-  if (user && (user as any).redisSessionId) {
-    // Credentials authorize() returns redisSessionId
-    const redisSessionId = (user as any).redisSessionId;
-    return {
-      ...token,
-      redisSessionId,
-            sub: user.id || token.sub || 'unknown',
-    };
-  }
-  // -------------------------------------------------------------------------
-  // Subsequent Requests: Validate session exists
-  // -------------------------------------------------------------------------
-  const redisSessionId = (user as any)?.redisSessionId || token?.redisSessionId || token?.redisSessionId;
-  if (!redisSessionId) {
-    return { ...token, error: 'NoSession', sub: token.sub || 'unknown' };
-  }
-  // Validate session still exists in Redis
-  try {
-    const sessionData = await getSession(redisSessionId as string);
-    if (!sessionData) {
-      // Session expired or deleted
-      return { ...token, error: 'SessionNotFound', sub: token.sub || 'unknown' };
-    }
-    // Check if refresh token has expired (session should be terminated)
-    if (sessionData.idpRefreshTokenExpires && Date.now() >= sessionData.idpRefreshTokenExpires) {
-      return { ...token, error: 'RefreshTokenExpired', sub: token.sub || 'unknown' };
-    }
-    // Check if MFA has expired (requires step-up authentication)
-    if (sessionData.mfaExpiresAt && Date.now() > sessionData.mfaExpiresAt) {
-      return {
-        ...token,
-        redisSessionId,
-                sub: sessionData.userId,
-        error: 'MfaExpired',
-      };
-    }
-  } catch (error) {
-    console.error('[JWT_CALLBACK] Session validation error:', error);
-    return { ...token, error: 'SessionError', sub: token.sub || 'unknown' };
-  }
-  // Session is valid - return minimal token
-  return {
-    ...token,
-    redisSessionId,
-        sub: token.sub || 'unknown',
-  };
-}
-// ============================================================================
-// OAUTH SIGN-IN HANDLER
-// ============================================================================
-/**
- * Handle OAuth sign-in by registering with IDP and creating session.
- */
-async function handleOAuthSignIn(
-  token: JWT,
-  user: User | any,
-  account: Account
-): Promise<JwtCallbackResult> {
-  console.log('[JWT_CALLBACK] handleOAuthSignIn starting for:', {
-    provider: account.provider,
-    email: user?.email,
-    providerAccountId: account.providerAccountId,
-  });
-  try {
-  // Call IDP to register/authenticate OAuth user
-  const idpResult = await idpOAuthCallback({
-    provider: account.provider,
-    providerAccountId: account.providerAccountId,
-    email: user?.email || '',
-    name: user?.name || '',
-    image: user?.image || '',
-    accessToken: account.access_token,
-    refreshToken: account.refresh_token,
-    expiresAt: account.expires_at,
-  });
-  // Build session data using normalized field names
-  let sessionData: any;
-  let mfaVerified = false;
-  if (idpResult.success && idpResult.data?.accessToken) {
-    // IDP integration succeeded - we have IDP tokens
-    const decoded = decodeIdpAccessToken(idpResult.data.accessToken);
-    const amrClaims = decoded ? extractAmrFromToken(decoded) : [];
-    const acrLevel = decoded?.acr || '1';
-    // Extract kid from JWT header (CRITICAL: different from client_id in payload)
-    const bearerKeyId = extractKidFromToken(idpResult.data.accessToken);
-    if (bearerKeyId) {
-      console.log('[JWT_CALLBACK] Extracted bearerKeyId (kid) from JWT header:', bearerKeyId);
-    } else {
-      console.warn('[JWT_CALLBACK] No kid found in JWT header');
-    }
-    // Check if MFA is required for this client
-    try {
-      const clientConfig = await getIDPClientConfig();
-      const require2FA = clientConfig?.authSettings?.require2FA ?? true;
-      mfaVerified = !require2FA; // If MFA not required, mark as verified
-    } catch {
-      // Default to requiring MFA if config unavailable
-      mfaVerified = false;
-    }
-    sessionData = {
-      userId: idpResult.data.user?.userId?.toString() || account.providerAccountId,
-      email: idpResult.data.user?.email || user?.email || '',
-      name: idpResult.data.user?.fullName || user?.name || '',
-      roles: idpResult.data.user?.roles || [],
-      // IDP tokens (normalized names)
-      idpAccessToken: idpResult.data.accessToken,
-      idpRefreshToken: idpResult.data.refreshToken,
-      idpAccessTokenExpires: decoded?.exp ? expClaimToMs(decoded.exp) : Date.now() + 3600000,
-      decodedAccessToken: decoded || undefined,
-      // Bearer key ID from JWT header (NOT client_id from payload)
-      bearerKeyId,
-      // MFA state (normalized names)
-      mfaVerified,
-      authenticationMethods: amrClaims,
-      authenticationLevel: acrLevel,
-      // OAuth provider info (normalized names)
-      oauthProvider: account.provider,
-      oauthProviderToken: account.access_token,
-      oauthProviderRefreshToken: account.refresh_token,
-      // Multi-tenant info
-      idpClientId: decoded?.client_id,
-      merchantId: decoded?.merchant_id,
-    };
-  } else {
-    // IDP integration failed - create OAuth-only session
-    // This allows OAuth login to work even if IDP is unavailable
-    mfaVerified = true; // OAuth IS multi-factor (Google/Microsoft handle MFA)
-    sessionData = {
-      userId: account.providerAccountId,
-      email: user?.email || '',
-      name: user?.name || '',
-      roles: [],
-      mfaVerified: true, // OAuth IS multi-factor
-      oauthProvider: account.provider,
-      oauthProviderToken: account.access_token,
-      oauthProviderRefreshToken: account.refresh_token,
-      idpAccessTokenExpires: account.expires_at
-        ? account.expires_at * 1000
-        : Date.now() + 3600000,
-    };
-  }
-  // -------------------------------------------------------------------------
-  // ROLE MERGING: Fetch Vibe roles and merge with IDP roles
-  // -------------------------------------------------------------------------
-  const clientId = sessionData.idpClientId || process.env.IDP_CLIENT_ID || '';
-  if (clientId && sessionData.userId) {
-    const vibeRoles = await fetchVibeRoles(sessionData.userId, clientId);
-    // SECURITY: Filter out protected IDP-level role prefixes to prevent injection
-    const safeVibeRoles = vibeRoles.filter(r => !r.startsWith('payez_'));
-    const idpRoles = sessionData.roles || [];
-    sessionData.roles = mergeRoles(idpRoles, safeVibeRoles);
-    console.log('[JWT_CALLBACK] Merged roles:', {
-      idpRoles,
-      vibeRoles,
-      safeVibeRoles,
-      merged: sessionData.roles,
-    });
-  }
-  // Create Redis session
-  console.log('[JWT_CALLBACK] Creating Redis session for:', {
-    userId: sessionData.userId,
-    email: sessionData.email,
-    mfaVerified: sessionData.mfaVerified,
-    roles: sessionData.roles,
-  });
-  const redisSessionId = await createSession(sessionData);
-  console.log('[JWT_CALLBACK] Redis session created:', {
-    redisSessionId: redisSessionId ? redisSessionId.substring(0, 8) + '...' : 'NONE',
-  });
-  // Check if immediate MFA redirect is needed
-  const needsImmediateTwoFactor = !mfaVerified;
-  return {
-    ...token,
-    redisSessionId,
-        sub: sessionData.userId,
-    requiresTwoFactorRedirect: needsImmediateTwoFactor,
-  };
-  } catch (error) {
-    console.error('[JWT_CALLBACK] handleOAuthSignIn FAILED:', error);
-    return { ...token, error: 'OAuthSignInFailed', sub: token.sub || 'unknown' };
-  }
-}