@payez/next-mvp 4.0.0 → 4.0.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -47,11 +47,6 @@
       "require": "./dist/types/auth.js",
       "default": "./dist/types/auth.js"
     },
-    "./auth/auth-options": {
-      "types": "./dist/auth/auth-options.d.ts",
-      "require": "./dist/auth/auth-options.js",
-      "default": "./dist/auth/auth-options.js"
-    },
     "./auth/better-auth": {
       "types": "./dist/auth/better-auth.d.ts",
       "require": "./dist/auth/better-auth.js",
@@ -152,11 +147,6 @@
       "require": "./dist/lib/jwt-decode.js",
       "default": "./dist/lib/jwt-decode.js"
     },
-    "./lib/nextauth-secret": {
-      "types": "./dist/lib/nextauth-secret.d.ts",
-      "require": "./dist/lib/nextauth-secret.js",
-      "default": "./dist/lib/nextauth-secret.js"
-    },
     "./lib/api-handler": {
       "types": "./dist/lib/api-handler.d.ts",
       "require": "./dist/lib/api-handler.js",
@@ -232,11 +222,6 @@
       "require": "./dist/lib/jwt-decode.js",
       "default": "./lib/jwt-decode.js"
     },
-    "./dist/lib/nextauth-secret": {
-      "types": "./lib/nextauth-secret.d.ts",
-      "require": "./dist/lib/nextauth-secret.js",
-      "default": "./lib/nextauth-secret.js"
-    },
     "./dist/lib/token-expiry": {
       "types": "./lib/token-expiry.d.ts",
       "require": "./dist/lib/token-expiry.js",
@@ -837,6 +822,11 @@
       "require": "./dist/pages/coming-soon/page.js",
       "default": "./dist/pages/coming-soon/page.js"
     },
+    "./server/auth": {
+      "types": "./dist/server/auth.d.ts",
+      "require": "./dist/server/auth.js",
+      "default": "./dist/server/auth.js"
+    },
     "./server/auth-guard": {
       "types": "./dist/server/auth-guard.d.ts",
       "require": "./dist/server/auth-guard.js",

package/dist/api/auth-handler.d.ts

@@ -1,66 +0,0 @@
-/**
- * Enhanced Auth Handler with Coordinated Token Refresh
- *
- * Provides a middleware wrapper that automatically handles token lifecycle:
- * - Checks token expiry before each request
- * - Automatically refreshes expired or near-expired tokens
- * - Uses Redis locks for coordinated refresh (prevents race conditions)
- * - Retries requests on 401 responses with fresh tokens
- *
- * Pattern ported from website-membership simple-api-handler.ts
- *
- * @version 2.1.0
- * @since auth-ready-v2
- */
-import { NextRequest, NextResponse } from 'next/server';
-export interface AuthContext {
-    token: any;
-    accessToken: string;
-    userId: string;
-    sessionToken: string;
-    refreshToken?: string;
-}
-export interface AuthHandlerOptions {
-    /** Whether authentication is required for this route (default: true) */
-    requireAuth?: boolean;
-    /** Automatically refresh expired or near-expired tokens (default: true) */
-    autoRefresh?: boolean;
-    /** Buffer time in seconds before token expiry to trigger refresh (default: 300 = 5 minutes) */
-    refreshBuffer?: number;
-    /** Retry request on 401 response after refreshing token (default: true) */
-    retryOn401?: boolean;
-    /** Maximum number of retry attempts on 401 (default: 1) */
-    maxRetries?: number;
-    /** NextAuth secret for JWT decoding */
-    nextAuthSecret?: string;
-    /** IDP base URL for refresh requests */
-    idpBaseUrl?: string;
-    /** OAuth client ID */
-    clientId?: string;
-}
-export type HandlerFunction = (req: NextRequest, context: any, auth: AuthContext) => Promise<NextResponse | Response>;
-/**
- * Creates an auth-aware handler with automatic token refresh
- *
- * @example
- * ```typescript
- * import { createAuthHandler } from '@payez/next-mvp/api';
- *
- * const handler = createAuthHandler({ requireAuth: true });
- *
- * export const GET = handler.handle(async (req, context, auth) => {
- *   // auth.accessToken is guaranteed to be fresh
- *   const response = await fetch('https://api.example.com/data', {
- *     headers: { 'Authorization': `Bearer ${auth.accessToken}` }
- *   });
- *   return NextResponse.json(await response.json());
- * });
- * ```
- */
-export declare function createAuthHandler(options?: AuthHandlerOptions): {
-    handle: (handler: HandlerFunction) => (req: NextRequest, context?: any) => Promise<Response>;
-};
-/**
- * Default export for convenience
- */
-export default createAuthHandler;

package/dist/api/auth-handler.js

@@ -1,397 +0,0 @@
-"use strict";
-/**
- * Enhanced Auth Handler with Coordinated Token Refresh
- *
- * Provides a middleware wrapper that automatically handles token lifecycle:
- * - Checks token expiry before each request
- * - Automatically refreshes expired or near-expired tokens
- * - Uses Redis locks for coordinated refresh (prevents race conditions)
- * - Retries requests on 401 responses with fresh tokens
- *
- * Pattern ported from website-membership simple-api-handler.ts
- *
- * @version 2.1.0
- * @since auth-ready-v2
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createAuthHandler = createAuthHandler;
-const server_1 = require("next/server");
-const auth_1 = require("../server/auth");
-const nanoid_1 = require("nanoid");
-const session_store_1 = require("../lib/session-store");
-/**
- * Creates an auth-aware handler with automatic token refresh
- *
- * @example
- * ```typescript
- * import { createAuthHandler } from '@payez/next-mvp/api';
- *
- * const handler = createAuthHandler({ requireAuth: true });
- *
- * export const GET = handler.handle(async (req, context, auth) => {
- *   // auth.accessToken is guaranteed to be fresh
- *   const response = await fetch('https://api.example.com/data', {
- *     headers: { 'Authorization': `Bearer ${auth.accessToken}` }
- *   });
- *   return NextResponse.json(await response.json());
- * });
- * ```
- */
-function createAuthHandler(options = {}) {
-    const { requireAuth = true, autoRefresh = true, refreshBuffer = 60, // 60 seconds - matches website-membership proven threshold
-    retryOn401 = true, maxRetries = 1, nextAuthSecret = process.env.NEXTAUTH_SECRET, idpBaseUrl = process.env.IDP_URL, clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID } = options;
-    /**
-     * Performs coordinated token refresh with Redis locking
-     * This prevents multiple concurrent requests from all trying to refresh simultaneously
-     */
-    async function performCoordinatedRefresh(sessionToken, requestId) {
-        // Check if refresh is already in progress
-        const existingLock = await (0, session_store_1.checkRefreshLock)(sessionToken);
-        if (existingLock) {
-            console.info('[AUTH_HANDLER] Refresh already in progress, waiting...', {
-                requestId,
-                lockOwner: existingLock.acquiredBy,
-                lockAge: Date.now() - existingLock.acquiredAt
-            });
-            // Wait for the refresh to complete
-            const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
-            if (waitResult.success) {
-                // Get the fresh token from session
-                const freshSession = await (0, session_store_1.getSession)(sessionToken);
-                if (freshSession?.accessToken) {
-                    return {
-                        success: true,
-                        accessToken: freshSession.accessToken,
-                        refreshToken: freshSession.refreshToken,
-                        expiresIn: freshSession.accessTokenExpires
-                            ? Math.floor((freshSession.accessTokenExpires - Date.now()) / 1000)
-                            : undefined
-                    };
-                }
-            }
-            return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
-        }
-        // Try to acquire the refresh lock
-        const lockAcquired = await (0, session_store_1.acquireRefreshLock)(sessionToken, requestId, 5000);
-        if (!lockAcquired) {
-            // Another request grabbed the lock, wait for it
-            console.info('[AUTH_HANDLER] Failed to acquire lock, waiting for other request', { requestId });
-            const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
-            if (waitResult.success) {
-                const freshSession = await (0, session_store_1.getSession)(sessionToken);
-                if (freshSession?.accessToken) {
-                    return {
-                        success: true,
-                        accessToken: freshSession.accessToken,
-                        refreshToken: freshSession.refreshToken
-                    };
-                }
-            }
-            return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
-        }
-        try {
-            // Double-check if tokens are still stale after acquiring lock
-            const latestSession = await (0, session_store_1.getSession)(sessionToken);
-            if (latestSession && !tokenNeedsRefresh(latestSession, refreshBuffer)) {
-                console.info('[AUTH_HANDLER] Tokens already fresh after acquiring lock, skipping refresh', { requestId });
-                return {
-                    success: true,
-                    accessToken: latestSession.accessToken,
-                    refreshToken: latestSession.refreshToken
-                };
-            }
-            // Actually perform the refresh
-            return await executeRefresh(sessionToken, latestSession);
-        }
-        finally {
-            // Always release the lock
-            await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId);
-        }
-    }
-    /**
-     * Wait for an in-progress refresh to complete
-     */
-    async function waitForRefreshCompletion(sessionToken, requestId, maxWaitMs) {
-        const startTime = Date.now();
-        const pollInterval = 100;
-        while (Date.now() - startTime < maxWaitMs) {
-            const lockExists = await (0, session_store_1.checkRefreshLock)(sessionToken);
-            if (!lockExists) {
-                // Lock released, check if tokens are fresh
-                const session = await (0, session_store_1.getSession)(sessionToken);
-                if (session?.accessToken && !tokenNeedsRefresh(session, refreshBuffer)) {
-                    return { success: true };
-                }
-                else {
-                    return { success: false, reason: 'Lock released but tokens not fresh' };
-                }
-            }
-            await new Promise(resolve => setTimeout(resolve, pollInterval));
-        }
-        return { success: false, reason: `Timeout waiting for refresh (${maxWaitMs}ms)` };
-    }
-    /**
-     * Check if token needs refresh based on expiry and buffer
-     */
-    function tokenNeedsRefresh(session, bufferSeconds) {
-        if (!session.accessToken)
-            return true;
-        const expires = session.accessTokenExpires || 0;
-        const bufferMs = bufferSeconds * 1000;
-        const timeUntilExpiry = expires - Date.now();
-        return timeUntilExpiry <= bufferMs;
-    }
-    /**
-     * Execute the actual token refresh against IDP
-     */
-    async function executeRefresh(sessionToken, currentSession) {
-        try {
-            if (!idpBaseUrl || !clientId) {
-                console.error('[AUTH_HANDLER] Missing IDP configuration for refresh');
-                return { success: false, error: 'Missing IDP configuration' };
-            }
-            if (!currentSession) {
-                console.error('[AUTH_HANDLER] No session found for refresh');
-                return { success: false, error: 'No session found' };
-            }
-            if (!currentSession.refreshToken) {
-                console.error('[AUTH_HANDLER] No refresh token available');
-                return { success: false, error: 'No refresh token' };
-            }
-            // Extract authentication methods from session
-            const authMethods = currentSession.authMethods ||
-                (currentSession.token?.amr ? JSON.parse(currentSession.token.amr) : ['pwd', 'mfa']);
-            const authLevel = String(currentSession.authenticationLevel || currentSession.token?.acr || '2');
-            const twoFactorMethod = currentSession.twoFactorMethod || 'authenticator';
-            // Build refresh request body
-            const refreshRequestBody = {
-                refresh_token: currentSession.refreshToken,
-                amr: authMethods,
-                acr: authLevel
-            };
-            if (currentSession.twoFactorComplete) {
-                refreshRequestBody.two_factor_verified = true;
-            }
-            if (twoFactorMethod) {
-                refreshRequestBody.two_factor_method = twoFactorMethod;
-            }
-            if (currentSession.mfaCompletedAt) {
-                refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
-            }
-            console.info('[AUTH_HANDLER] Executing refresh against IDP', {
-                sessionToken: sessionToken.substring(0, 8) + '...',
-                hasRefreshToken: true
-            });
-            const response = await fetch(`${idpBaseUrl}/api/ExternalAuth/refresh`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'X-Client-Id': clientId,
-                },
-                body: JSON.stringify(refreshRequestBody),
-            });
-            if (!response.ok) {
-                const errorText = await response.text().catch(() => 'Unknown error');
-                console.error('[AUTH_HANDLER] Refresh failed:', response.status, errorText);
-                return { success: false, error: `Refresh failed: ${response.status}` };
-            }
-            const data = await response.json();
-            if (data.success === false) {
-                return { success: false, error: data.error?.message || data.message || 'Refresh failed' };
-            }
-            const tokenData = data.data || data;
-            if (!tokenData.access_token) {
-                console.error('[AUTH_HANDLER] No access token in refresh response');
-                return { success: false, error: 'No access token received' };
-            }
-            // Update session with new tokens
-            const updatedSession = {
-                ...currentSession,
-                accessToken: tokenData.access_token,
-                refreshToken: tokenData.refresh_token || currentSession.refreshToken,
-                accessTokenExpires: tokenData.expires_in
-                    ? Date.now() + (tokenData.expires_in * 1000)
-                    : Date.now() + (3600 * 1000),
-            };
-            await (0, session_store_1.updateSession)(sessionToken, updatedSession);
-            console.info('[AUTH_HANDLER] Token refresh successful', {
-                newExpiry: new Date(updatedSession.accessTokenExpires).toISOString()
-            });
-            return {
-                success: true,
-                accessToken: tokenData.access_token,
-                refreshToken: tokenData.refresh_token,
-                expiresIn: tokenData.expires_in,
-            };
-        }
-        catch (error) {
-            console.error('[AUTH_HANDLER] Refresh exception:', error);
-            return { success: false, error: error instanceof Error ? error.message : 'Refresh failed' };
-        }
-    }
-    /**
-     * Checks if auth context token needs refresh based on expiry and buffer
-     */
-    function needsRefresh(auth) {
-        if (!autoRefresh)
-            return false;
-        // Check if we have token expiry information
-        const token = auth.token;
-        const expiresAt = token.accessTokenExpires || token.exp;
-        if (!expiresAt) {
-            // No expiry info, can't determine if refresh needed
-            return false;
-        }
-        const now = Math.floor(Date.now() / 1000);
-        const expiryTime = typeof expiresAt === 'number' && expiresAt > 1000000000000
-            ? Math.floor(expiresAt / 1000) // Convert milliseconds to seconds
-            : expiresAt;
-        // Check if token expires within the buffer period
-        return (expiryTime - now) <= refreshBuffer;
-    }
-    /**
-     * Generate a unique request ID for coordinated refresh
-     */
-    function generateRequestId() {
-        return (0, nanoid_1.nanoid)();
-    }
-    /**
-     * Main handler wrapper
-     */
-    return {
-        handle: (handler) => {
-            return async (req, context = {}) => {
-                // Extract session from Better Auth
-                const betterAuthSession = await (0, auth_1.getSession)(req);
-                const token = betterAuthSession ? { ...betterAuthSession.user, ...betterAuthSession.session } : null;
-                // Check if auth is required
-                if (requireAuth && !betterAuthSession) {
-                    return server_1.NextResponse.json({ error: 'Authentication required', code: 'UNAUTHORIZED' }, { status: 401 });
-                }
-                // If no session and auth not required, call handler without auth context
-                if (!betterAuthSession) {
-                    return handler(req, context, null);
-                }
-                // Validate client_slug (token confusion attack prevention)
-                // SECURITY: Fail closed - require configuration to be explicitly set
-                const expectedClientSlug = process.env.NEXT_PUBLIC_EXPECTED_CLIENT_SLUG;
-                if (!expectedClientSlug) {
-                    console.error('[AUTH_HANDLER] SECURITY MISCONFIGURATION: NEXT_PUBLIC_EXPECTED_CLIENT_SLUG not set');
-                    return server_1.NextResponse.json({
-                        error: 'Server configuration error',
-                        code: 'SECURITY_CONFIGURATION_MISSING'
-                    }, { status: 500 });
-                }
-                // Extract client_slug from token (normalize property name)
-                const tokenClientSlug = token.client_slug || token.clientSlug;
-                // SECURITY: Require client_slug claim in all tokens (no backward compat)
-                if (!tokenClientSlug) {
-                    console.warn('[AUTH_HANDLER] Token missing required client_slug claim');
-                    return server_1.NextResponse.json({
-                        error: 'Token missing required claim',
-                        code: 'TOKEN_MISSING_CLIENT_SLUG'
-                    }, { status: 401 });
-                }
-                // SECURITY: Case-insensitive comparison to avoid casing attacks
-                if (tokenClientSlug.toLowerCase() !== expectedClientSlug.toLowerCase()) {
-                    // Log without exposing sensitive details
-                    console.warn('[AUTH_HANDLER] Token client mismatch detected');
-                    return server_1.NextResponse.json({
-                        error: 'Token issued for different client',
-                        code: 'TOKEN_CLIENT_MISMATCH'
-                    }, { status: 401 });
-                }
-                // Build initial auth context
-                let authContext = {
-                    token,
-                    accessToken: token.accessToken || '',
-                    userId: betterAuthSession.user?.id || token.userId || '',
-                    sessionToken: betterAuthSession.session?.token || '',
-                    refreshToken: token.refreshToken,
-                };
-                // Check if token needs refresh
-                if (needsRefresh(authContext) && authContext.refreshToken) {
-                    const requestId = generateRequestId();
-                    console.info('[AUTH_HANDLER] Token near expiry, initiating coordinated refresh', {
-                        requestId,
-                        sessionToken: authContext.sessionToken.substring(0, 8) + '...'
-                    });
-                    const refreshResult = await performCoordinatedRefresh(authContext.sessionToken, requestId);
-                    if (refreshResult.success && refreshResult.accessToken) {
-                        // Update auth context with fresh token
-                        authContext.accessToken = refreshResult.accessToken;
-                        if (refreshResult.refreshToken) {
-                            authContext.refreshToken = refreshResult.refreshToken;
-                        }
-                        // Update token object for future checks
-                        authContext.token.accessToken = refreshResult.accessToken;
-                        if (refreshResult.expiresIn) {
-                            authContext.token.accessTokenExpires = Date.now() + (refreshResult.expiresIn * 1000);
-                        }
-                        console.info('[AUTH_HANDLER] Coordinated refresh successful', { requestId });
-                    }
-                    else {
-                        console.warn('[AUTH_HANDLER] Failed to refresh token:', refreshResult.error);
-                        // Continue with potentially expired token - handler may still succeed
-                    }
-                }
-                // Attach auth context to request for downstream use (following existing pattern)
-                // IMPORTANT: Set this ONCE before the retry loop to avoid overwriting with stale data
-                req.__authContext = {
-                    accessToken: authContext.accessToken,
-                    userId: authContext.userId,
-                    sessionToken: authContext.sessionToken,
-                };
-                // Call the actual handler
-                let response;
-                let retryCount = 0;
-                while (retryCount <= maxRetries) {
-                    try {
-                        response = await handler(req, context, authContext);
-                        // Check if we got a 401 and should retry
-                        if (response.status === 401 &&
-                            retryOn401 &&
-                            retryCount < maxRetries &&
-                            authContext.refreshToken) {
-                            const retryRequestId = generateRequestId();
-                            console.info('[AUTH_HANDLER] Got 401, attempting coordinated refresh and retry', { retryRequestId });
-                            const refreshResult = await performCoordinatedRefresh(authContext.sessionToken, retryRequestId);
-                            if (refreshResult.success && refreshResult.accessToken) {
-                                console.info('[AUTH_HANDLER] Refresh succeeded, updating tokens', { retryRequestId });
-                                // Update auth context with fresh token
-                                authContext.accessToken = refreshResult.accessToken;
-                                if (refreshResult.refreshToken) {
-                                    authContext.refreshToken = refreshResult.refreshToken;
-                                }
-                                // Update request context
-                                req.__authContext.accessToken = refreshResult.accessToken;
-                                console.info('[AUTH_HANDLER] Updated req.__authContext with new token, retrying request', { retryRequestId });
-                                retryCount++;
-                                continue; // Retry the request
-                            }
-                            else {
-                                console.warn('[AUTH_HANDLER] Refresh failed on 401 retry:', refreshResult.error);
-                                break; // Don't retry if refresh failed
-                            }
-                        }
-                        // Success or non-401 error - return response
-                        break;
-                    }
-                    catch (error) {
-                        // Handler threw an error
-                        console.error('[AUTH_HANDLER] Handler error:', error);
-                        return server_1.NextResponse.json({
-                            error: 'Internal server error',
-                            details: error instanceof Error ? error.message : 'Unknown error'
-                        }, { status: 500 });
-                    }
-                }
-                return response;
-            };
-        }
-    };
-}
-/**
- * Default export for convenience
- */
-exports.default = createAuthHandler;

package/dist/api/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * @payez/next-mvp API Module Exports
- *
- * Provides enhanced API route handlers with automatic token management
- *
- * @version 2.0.0
- * @since auth-ready-v2
- */
-export { createAuthHandler, type AuthContext, type AuthHandlerOptions, type HandlerFunction } from './auth-handler';
-export { default } from './auth-handler';

package/dist/api/index.js

@@ -1,19 +0,0 @@
-"use strict";
-/**
- * @payez/next-mvp API Module Exports
- *
- * Provides enhanced API route handlers with automatic token management
- *
- * @version 2.0.0
- * @since auth-ready-v2
- */
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.default = exports.createAuthHandler = void 0;
-var auth_handler_1 = require("./auth-handler");
-Object.defineProperty(exports, "createAuthHandler", { enumerable: true, get: function () { return auth_handler_1.createAuthHandler; } });
-// Default export for convenience
-var auth_handler_2 = require("./auth-handler");
-Object.defineProperty(exports, "default", { enumerable: true, get: function () { return __importDefault(auth_handler_2).default; } });

package/dist/api-handlers/account/change-password.d.ts

@@ -1,9 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-export declare function POST(req: NextRequest): Promise<NextResponse<{
-    success: boolean;
-    message: string;
-}> | NextResponse<{
-    success: boolean;
-    message: any;
-    request_id: string;
-}>>;

package/dist/api-handlers/account/change-password.js

@@ -1,110 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = POST;
-const server_1 = require("next/server");
-const auth_1 = require("../../server/auth");
-const session_store_1 = require("../../lib/session-store");
-const nanoid_1 = require("nanoid");
-// ...
-async function POST(req) {
-    const requestId = (0, nanoid_1.nanoid)();
-    try {
-        // Get session from Better Auth
-        const betterAuthSession = await (0, auth_1.getSession)(req);
-        const sessionToken = betterAuthSession?.session?.token;
-        if (!betterAuthSession || typeof sessionToken !== 'string') {
-            return server_1.NextResponse.json({ success: false, message: 'Unauthorized' }, { status: 401 });
-        }
-        const sessionData = await (0, session_store_1.getSession)(sessionToken);
-        // NOTE: Field is idpAccessToken (not accessToken) per normalized naming convention
-        if (!sessionData?.idpAccessToken) {
-            return server_1.NextResponse.json({
-                success: false,
-                message: 'Authentication required - no access token available',
-                error_code: 'UNAUTHORIZED',
-                request_id: requestId,
-            }, { status: 401 });
-        }
-        const body = await req.json();
-        const { current_password, new_password, confirm_password } = body;
-        // Validate input
-        if (!current_password || !new_password || !confirm_password) {
-            return server_1.NextResponse.json({
-                success: false,
-                message: 'Current password, new password, and confirmation are required',
-                error_code: 'VALIDATION_ERROR',
-                request_id: requestId,
-            }, { status: 400 });
-        }
-        if (new_password !== confirm_password) {
-            return server_1.NextResponse.json({
-                success: false,
-                message: 'New password and confirmation do not match',
-                error_code: 'VALIDATION_ERROR',
-                request_id: requestId,
-            }, { status: 400 });
-        }
-        // Get IDP base URL from environment
-        const idpBaseUrl = process.env.IDP_URL;
-        if (!idpBaseUrl) {
-            console.error('[CHANGE_PASSWORD] IDP_URL not configured');
-            return server_1.NextResponse.json({
-                success: false,
-                message: 'Service configuration error',
-                error_code: 'CONFIGURATION_ERROR',
-                request_id: requestId,
-            }, { status: 500 });
-        }
-        // Proxy request to IDP
-        const idpUrl = `${idpBaseUrl}/api/Account/change-password`;
-        const idpResponse = await fetch(idpUrl, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${sessionData.idpAccessToken}`,
-                'x-request-id': requestId,
-            },
-            body: JSON.stringify({
-                current_password,
-                new_password,
-                confirm_password,
-            }),
-        });
-        const responseData = await idpResponse.json().catch(() => ({}));
-        if (!idpResponse.ok) {
-            // Extract error message from IDP response
-            let errorMessage = 'Failed to change password';
-            if (responseData.message) {
-                errorMessage = responseData.message;
-            }
-            else if (responseData.details?.value && Array.isArray(responseData.details.value) && responseData.details.value.length > 0) {
-                errorMessage = responseData.details.value[0].message || errorMessage;
-            }
-            else if (responseData.details?.message) {
-                errorMessage = responseData.details.message;
-            }
-            return server_1.NextResponse.json({
-                success: false,
-                message: errorMessage,
-                error_code: responseData.error_code || 'CHANGE_PASSWORD_FAILED',
-                request_id: requestId,
-                details: responseData.details,
-            }, { status: idpResponse.status });
-        }
-        return server_1.NextResponse.json({
-            success: true,
-            message: responseData.message || 'Password changed successfully',
-            request_id: requestId,
-        });
-    }
-    catch (error) {
-        console.error('[CHANGE_PASSWORD] Error:', error);
-        const requestId = req.headers.get('x-request-id') ?? crypto.randomUUID();
-        return server_1.NextResponse.json({
-            success: false,
-            message: error instanceof Error ? error.message : 'Failed to change password',
-            error_code: 'INTERNAL_ERROR',
-            request_id: requestId,
-        }, { status: 500 });
-    }
-}

package/dist/api-handlers/account/masked-info.d.ts

@@ -1,2 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-export declare function POST(req: NextRequest): Promise<NextResponse<any>>;