@payez/next-mvp 4.0.0 → 4.0.2

package/dist/api-handlers/auth/signout.js

@@ -1,186 +1,186 @@
-"use strict";
-/**
- * Authentication Signout API Handler
- *
- * Handles user session termination and cookie cleanup.
- * This handler is designed to be imported and used by Next.js applications
- * using the @payez/next-mvp package.
- *
- * @version 2.0
- * @requires No authentication (public endpoint)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-exports.createSignoutHandler = createSignoutHandler;
-const server_1 = require("next/server");
-const headers_1 = require("next/headers");
-const session_store_1 = require("../../lib/session-store");
-const auth_1 = require("../../server/auth");
-const app_slug_1 = require("../../lib/app-slug");
-// JWT decode helper - simple base64 decode without verification
-function jwtDecode(token) {
-    try {
-        const parts = token.split('.');
-        if (parts.length !== 3)
-            return null;
-        const payload = parts[1];
-        const decoded = Buffer.from(payload, 'base64').toString('utf-8');
-        return JSON.parse(decoded);
-    }
-    catch (e) {
-        return null;
-    }
-}
-// Add protection headers to all responses
-function addSecurityHeaders(response) {
-    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
-    response.headers.set('X-Frame-Options', 'DENY');
-    response.headers.set('X-Content-Type-Options', 'nosniff');
-    response.headers.set('X-XSS-Protection', '1; mode=block');
-    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
-    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
-    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
-    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
-    response.headers.set('Pragma', 'no-cache');
-    response.headers.set('Expires', '0');
-    return response;
-}
-/**
- * Creates a signout handler for Next.js API routes
- *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/signout/route.ts
- * import { createSignoutHandler } from '@payez/next-mvp/api-handlers/auth/signout';
- *
- * export const POST = createSignoutHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
- * ```
- */
-function createSignoutHandler(config) {
-    const { nextAuthSecret } = config;
-    return async function POST(req) {
-        const cookieStore = await (0, headers_1.cookies)();
-        // Get app-slug prefixed cookie names
-        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
-        const secureSessionCookieName = (0, app_slug_1.getSecureSessionCookieName)();
-        // Handle chunked session tokens (for large JWTs)
-        let sessionToken;
-        const sessionTokenCookie = cookieStore.get(sessionCookieName);
-        if (sessionTokenCookie?.value) {
-            // Single cookie case
-            sessionToken = sessionTokenCookie.value;
-        }
-        else {
-            // Chunked cookie case - reconstruct from parts
-            const chunkCookies = cookieStore.getAll()
-                .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`))
-                .sort((a, b) => {
-                const aIndex = parseInt(a.name.split('.').pop() || '0');
-                const bIndex = parseInt(b.name.split('.').pop() || '0');
-                return aIndex - bIndex;
-            });
-            if (chunkCookies.length > 0) {
-                sessionToken = chunkCookies.map(cookie => cookie.value).join('');
-            }
-        }
-        // Get chunk cookies for cleanup count
-        const chunkCookies = cookieStore.getAll()
-            .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`));
-        // Decode NextAuth JWT to extract the Redis session UUID before deletion
-        let redisSessionToken = null;
-        // First attempt: Better Auth getSession
-        try {
-            const betterAuthSession = await (0, auth_1.getSession)(req);
-            redisSessionToken = betterAuthSession?.session?.token || null;
-        }
-        catch (e) {
-            console.warn('[SIGNOUT] getSession() failed to extract session token (will try manual decode)');
-        }
-        // Second attempt: manual decode of the session cookie JWT (no verification)
-        if (!redisSessionToken && (sessionToken || cookieStore.getAll().some(c => c.name.startsWith(`${sessionCookieName}.`)))) {
-            try {
-                // Reconstruct raw JWT from chunked cookies if necessary
-                let rawJwt = null;
-                const direct = cookieStore.get(sessionCookieName);
-                if (direct?.value) {
-                    rawJwt = direct.value;
-                }
-                else {
-                    const chunks = cookieStore.getAll()
-                        .filter(c => c.name.startsWith(`${sessionCookieName}.`))
-                        .sort((a, b) => {
-                        const ai = parseInt(a.name.split('.').pop() || '0');
-                        const bi = parseInt(b.name.split('.').pop() || '0');
-                        return ai - bi;
-                    })
-                        .map(c => c.value);
-                    if (chunks.length > 0)
-                        rawJwt = chunks.join('');
-                }
-                if (rawJwt) {
-                    const decoded = jwtDecode(rawJwt);
-                    if (decoded && typeof decoded === 'object' && typeof decoded.sessionToken === 'string') {
-                        redisSessionToken = decoded.sessionToken;
-                    }
-                }
-            }
-            catch (e) {
-                console.warn('[SIGNOUT] Manual JWT decode failed to extract session token');
-            }
-        }
-        // Delete Redis session if UUID was extracted
-        if (redisSessionToken) {
-            try {
-                await (0, session_store_1.deleteSession)(redisSessionToken);
-                console.info('[SIGNOUT] Redis session cleanup successful', {
-                    sessionToken: redisSessionToken.substring(0, 8) + '...'
-                });
-            }
-            catch (sessionError) {
-                // Log error but don't fail the signout process
-                console.error('[SIGNOUT] Redis session cleanup failed', { error: sessionError });
-            }
-        }
-        else {
-            console.warn('[SIGNOUT] No Redis session token (UUID) extracted from cookie; skipping Redis deletion');
-        }
-        // Build response
-        const responseData = {
-            success: true,
-            message: sessionToken ? 'Session deleted successfully' : 'No active session found',
-            sessionDeleted: !!sessionToken,
-            chunkCookiesDeleted: chunkCookies.length
-        };
-        const response = server_1.NextResponse.json(responseData);
-        // Always clear cookies, regardless of success/failure (using app-slug prefixed names)
-        try {
-            response.cookies.delete(sessionCookieName);
-            response.cookies.delete(secureSessionCookieName);
-            response.cookies.delete((0, app_slug_1.getCsrfCookieName)());
-            response.cookies.delete((0, app_slug_1.getSecureCsrfCookieName)());
-            response.cookies.delete((0, app_slug_1.getCallbackUrlCookieName)());
-            response.cookies.delete(`__Secure-${(0, app_slug_1.getCallbackUrlCookieName)()}`);
-            response.cookies.delete('twoFactorSessionVerified');
-            // Delete chunked session cookies
-            chunkCookies.forEach(cookie => {
-                response.cookies.delete(cookie.name);
-            });
-        }
-        catch (cookieError) {
-            console.error('[SIGNOUT] Cookie cleanup failed:', cookieError);
-        }
-        return addSecurityHeaders(response);
-    };
-}
-/**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
- */
-exports.POST = createSignoutHandler({
-    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
-});
+"use strict";
+/**
+ * Authentication Signout API Handler
+ *
+ * Handles user session termination and cookie cleanup.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createSignoutHandler = createSignoutHandler;
+const server_1 = require("next/server");
+const headers_1 = require("next/headers");
+const session_store_1 = require("../../lib/session-store");
+const auth_1 = require("../../server/auth");
+const app_slug_1 = require("../../lib/app-slug");
+// JWT decode helper - simple base64 decode without verification
+function jwtDecode(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const payload = parts[1];
+        const decoded = Buffer.from(payload, 'base64').toString('utf-8');
+        return JSON.parse(decoded);
+    }
+    catch (e) {
+        return null;
+    }
+}
+// Add protection headers to all responses
+function addSecurityHeaders(response) {
+    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
+    response.headers.set('X-Frame-Options', 'DENY');
+    response.headers.set('X-Content-Type-Options', 'nosniff');
+    response.headers.set('X-XSS-Protection', '1; mode=block');
+    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
+    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    response.headers.set('Pragma', 'no-cache');
+    response.headers.set('Expires', '0');
+    return response;
+}
+/**
+ * Creates a signout handler for Next.js API routes
+ *
+ * @param config Configuration for NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/signout/route.ts
+ * import { createSignoutHandler } from '@payez/next-mvp/api-handlers/auth/signout';
+ *
+ * export const POST = createSignoutHandler({
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
+ * });
+ * ```
+ */
+function createSignoutHandler(config) {
+    const { nextAuthSecret } = config;
+    return async function POST(req) {
+        const cookieStore = await (0, headers_1.cookies)();
+        // Get app-slug prefixed cookie names
+        const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
+        const secureSessionCookieName = (0, app_slug_1.getSecureSessionCookieName)();
+        // Handle chunked session tokens (for large JWTs)
+        let sessionToken;
+        const sessionTokenCookie = cookieStore.get(sessionCookieName);
+        if (sessionTokenCookie?.value) {
+            // Single cookie case
+            sessionToken = sessionTokenCookie.value;
+        }
+        else {
+            // Chunked cookie case - reconstruct from parts
+            const chunkCookies = cookieStore.getAll()
+                .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`))
+                .sort((a, b) => {
+                const aIndex = parseInt(a.name.split('.').pop() || '0');
+                const bIndex = parseInt(b.name.split('.').pop() || '0');
+                return aIndex - bIndex;
+            });
+            if (chunkCookies.length > 0) {
+                sessionToken = chunkCookies.map(cookie => cookie.value).join('');
+            }
+        }
+        // Get chunk cookies for cleanup count
+        const chunkCookies = cookieStore.getAll()
+            .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`));
+        // Decode NextAuth JWT to extract the Redis session UUID before deletion
+        let redisSessionToken = null;
+        // First attempt: Better Auth getSession
+        try {
+            const betterAuthSession = await (0, auth_1.getSession)(req);
+            redisSessionToken = betterAuthSession?.session?.token || null;
+        }
+        catch (e) {
+            console.warn('[SIGNOUT] getSession() failed to extract session token (will try manual decode)');
+        }
+        // Second attempt: manual decode of the session cookie JWT (no verification)
+        if (!redisSessionToken && (sessionToken || cookieStore.getAll().some(c => c.name.startsWith(`${sessionCookieName}.`)))) {
+            try {
+                // Reconstruct raw JWT from chunked cookies if necessary
+                let rawJwt = null;
+                const direct = cookieStore.get(sessionCookieName);
+                if (direct?.value) {
+                    rawJwt = direct.value;
+                }
+                else {
+                    const chunks = cookieStore.getAll()
+                        .filter(c => c.name.startsWith(`${sessionCookieName}.`))
+                        .sort((a, b) => {
+                        const ai = parseInt(a.name.split('.').pop() || '0');
+                        const bi = parseInt(b.name.split('.').pop() || '0');
+                        return ai - bi;
+                    })
+                        .map(c => c.value);
+                    if (chunks.length > 0)
+                        rawJwt = chunks.join('');
+                }
+                if (rawJwt) {
+                    const decoded = jwtDecode(rawJwt);
+                    if (decoded && typeof decoded === 'object' && typeof decoded.sessionToken === 'string') {
+                        redisSessionToken = decoded.sessionToken;
+                    }
+                }
+            }
+            catch (e) {
+                console.warn('[SIGNOUT] Manual JWT decode failed to extract session token');
+            }
+        }
+        // Delete Redis session if UUID was extracted
+        if (redisSessionToken) {
+            try {
+                await (0, session_store_1.deleteSession)(redisSessionToken);
+                console.info('[SIGNOUT] Redis session cleanup successful', {
+                    sessionToken: redisSessionToken.substring(0, 8) + '...'
+                });
+            }
+            catch (sessionError) {
+                // Log error but don't fail the signout process
+                console.error('[SIGNOUT] Redis session cleanup failed', { error: sessionError });
+            }
+        }
+        else {
+            console.warn('[SIGNOUT] No Redis session token (UUID) extracted from cookie; skipping Redis deletion');
+        }
+        // Build response
+        const responseData = {
+            success: true,
+            message: sessionToken ? 'Session deleted successfully' : 'No active session found',
+            sessionDeleted: !!sessionToken,
+            chunkCookiesDeleted: chunkCookies.length
+        };
+        const response = server_1.NextResponse.json(responseData);
+        // Always clear cookies, regardless of success/failure (using app-slug prefixed names)
+        try {
+            response.cookies.delete(sessionCookieName);
+            response.cookies.delete(secureSessionCookieName);
+            response.cookies.delete((0, app_slug_1.getCsrfCookieName)());
+            response.cookies.delete((0, app_slug_1.getSecureCsrfCookieName)());
+            response.cookies.delete((0, app_slug_1.getCallbackUrlCookieName)());
+            response.cookies.delete(`__Secure-${(0, app_slug_1.getCallbackUrlCookieName)()}`);
+            response.cookies.delete('twoFactorSessionVerified');
+            // Delete chunked session cookies
+            chunkCookies.forEach(cookie => {
+                response.cookies.delete(cookie.name);
+            });
+        }
+        catch (cookieError) {
+            console.error('[SIGNOUT] Cookie cleanup failed:', cookieError);
+        }
+        return addSecurityHeaders(response);
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variable: NEXTAUTH_SECRET
+ */
+exports.POST = createSignoutHandler({
+    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
+});

package/dist/api-handlers/auth/verify-code.d.ts

@@ -1,43 +1,43 @@
-/**
- * Authentication Verify Code / Complete 2FA API Handler
- *
- * Handles 2FA verification and token updates after successful verification.
- * This handler is designed to be imported and used by Next.js applications
- * using the @payez/next-mvp package.
- *
- * @version 2.0
- * @requires Authentication (authenticated endpoint)
- */
-import { NextRequest, NextResponse } from 'next/server';
-interface VerifyCodeConfig {
-    nextAuthSecret?: string;
-}
-/**
- * Creates a verify-code/complete-2FA handler for Next.js API routes
- *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/verify-code/route.ts
- * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
- *
- * export const POST = createVerifyCodeHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
- * ```
- */
-export declare function createVerifyCodeHandler(config: VerifyCodeConfig): (req: NextRequest) => Promise<NextResponse<{
-    success: boolean;
-    message: string;
-}>>;
-/**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
- */
-export declare const POST: (req: NextRequest) => Promise<NextResponse<{
-    success: boolean;
-    message: string;
-}>>;
-export {};
+/**
+ * Authentication Verify Code / Complete 2FA API Handler
+ *
+ * Handles 2FA verification and token updates after successful verification.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires Authentication (authenticated endpoint)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+interface VerifyCodeConfig {
+    nextAuthSecret?: string;
+}
+/**
+ * Creates a verify-code/complete-2FA handler for Next.js API routes
+ *
+ * @param config Configuration for NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/verify-code/route.ts
+ * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
+ *
+ * export const POST = createVerifyCodeHandler({
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
+ * });
+ * ```
+ */
+export declare function createVerifyCodeHandler(config: VerifyCodeConfig): (req: NextRequest) => Promise<NextResponse<{
+    success: boolean;
+    message: string;
+}>>;
+/**
+ * Default export for backward compatibility
+ * Requires environment variable: NEXTAUTH_SECRET
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<{
+    success: boolean;
+    message: string;
+}>>;
+export {};

package/dist/api-handlers/auth/verify-code.js

@@ -1,90 +1,90 @@
-"use strict";
-/**
- * Authentication Verify Code / Complete 2FA API Handler
- *
- * Handles 2FA verification and token updates after successful verification.
- * This handler is designed to be imported and used by Next.js applications
- * using the @payez/next-mvp package.
- *
- * @version 2.0
- * @requires Authentication (authenticated endpoint)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-exports.createVerifyCodeHandler = createVerifyCodeHandler;
-const server_1 = require("next/server");
-const auth_1 = require("../../server/auth");
-const session_store_1 = require("../../lib/session-store");
-/**
- * Creates a verify-code/complete-2FA handler for Next.js API routes
- *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
- *
- * @example
- * ```typescript
- * // In your app's /app/api/auth/verify-code/route.ts
- * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
- *
- * export const POST = createVerifyCodeHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
- * ```
- */
-function createVerifyCodeHandler(config) {
-    const { nextAuthSecret } = config;
-    return async function POST(req) {
-        try {
-            let body;
-            try {
-                body = await req.json();
-            }
-            catch (parseError) {
-                return server_1.NextResponse.json({ success: false, message: 'Invalid JSON format' }, { status: 400 });
-            }
-            const { accessToken, refreshToken, accessTokenExpires, refreshTokenExpires } = body;
-            // Get current session from Better Auth
-            const betterAuthSession = await (0, auth_1.getSession)(req);
-            const sessionToken = betterAuthSession?.session?.token;
-            if (!sessionToken) {
-                console.error('[VERIFY-CODE] No session token found', {
-                    hasSession: !!betterAuthSession,
-                });
-                return server_1.NextResponse.json({ success: false, message: 'No session found' }, { status: 401 });
-            }
-            console.info('[VERIFY-CODE] Updating session with new tokens after 2FA', {
-                sessionToken: sessionToken.substring(0, 8) + '...',
-                userId: betterAuthSession?.user?.id,
-                hasAccessToken: !!accessToken,
-                hasRefreshToken: !!refreshToken,
-                accessTokenLength: accessToken?.length,
-                refreshTokenLength: refreshToken?.length
-            });
-            // Update tokens in Redis
-            await (0, session_store_1.updateTokens)(sessionToken, accessToken, refreshToken, accessTokenExpires, refreshTokenExpires);
-            // Mark 2FA as complete
-            await (0, session_store_1.mark2FAComplete)(sessionToken);
-            console.info('[VERIFY-CODE] 2FA completion successful', {
-                sessionToken: sessionToken.substring(0, 8) + '...',
-                userId: betterAuthSession?.user?.id
-            });
-            return server_1.NextResponse.json({
-                success: true,
-                message: '2FA verification complete'
-            });
-        }
-        catch (error) {
-            console.error('[VERIFY-CODE] Failed to complete 2FA', {
-                error: error instanceof Error ? error.message : String(error)
-            });
-            return server_1.NextResponse.json({ success: false, message: 'Failed to complete 2FA' }, { status: 500 });
-        }
-    };
-}
-/**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
- */
-exports.POST = createVerifyCodeHandler({
-    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
-});
+"use strict";
+/**
+ * Authentication Verify Code / Complete 2FA API Handler
+ *
+ * Handles 2FA verification and token updates after successful verification.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires Authentication (authenticated endpoint)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createVerifyCodeHandler = createVerifyCodeHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const session_store_1 = require("../../lib/session-store");
+/**
+ * Creates a verify-code/complete-2FA handler for Next.js API routes
+ *
+ * @param config Configuration for NextAuth
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/verify-code/route.ts
+ * import { createVerifyCodeHandler } from '@payez/next-mvp/api-handlers/auth/verify-code';
+ *
+ * export const POST = createVerifyCodeHandler({
+ *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
+ * });
+ * ```
+ */
+function createVerifyCodeHandler(config) {
+    const { nextAuthSecret } = config;
+    return async function POST(req) {
+        try {
+            let body;
+            try {
+                body = await req.json();
+            }
+            catch (parseError) {
+                return server_1.NextResponse.json({ success: false, message: 'Invalid JSON format' }, { status: 400 });
+            }
+            const { accessToken, refreshToken, accessTokenExpires, refreshTokenExpires } = body;
+            // Get current session from Better Auth
+            const betterAuthSession = await (0, auth_1.getSession)(req);
+            const sessionToken = betterAuthSession?.session?.token;
+            if (!sessionToken) {
+                console.error('[VERIFY-CODE] No session token found', {
+                    hasSession: !!betterAuthSession,
+                });
+                return server_1.NextResponse.json({ success: false, message: 'No session found' }, { status: 401 });
+            }
+            console.info('[VERIFY-CODE] Updating session with new tokens after 2FA', {
+                sessionToken: sessionToken.substring(0, 8) + '...',
+                userId: betterAuthSession?.user?.id,
+                hasAccessToken: !!accessToken,
+                hasRefreshToken: !!refreshToken,
+                accessTokenLength: accessToken?.length,
+                refreshTokenLength: refreshToken?.length
+            });
+            // Update tokens in Redis
+            await (0, session_store_1.updateTokens)(sessionToken, accessToken, refreshToken, accessTokenExpires, refreshTokenExpires);
+            // Mark 2FA as complete
+            await (0, session_store_1.mark2FAComplete)(sessionToken);
+            console.info('[VERIFY-CODE] 2FA completion successful', {
+                sessionToken: sessionToken.substring(0, 8) + '...',
+                userId: betterAuthSession?.user?.id
+            });
+            return server_1.NextResponse.json({
+                success: true,
+                message: '2FA verification complete'
+            });
+        }
+        catch (error) {
+            console.error('[VERIFY-CODE] Failed to complete 2FA', {
+                error: error instanceof Error ? error.message : String(error)
+            });
+            return server_1.NextResponse.json({ success: false, message: 'Failed to complete 2FA' }, { status: 500 });
+        }
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variable: NEXTAUTH_SECRET
+ */
+exports.POST = createVerifyCodeHandler({
+    nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
+});