npm - @payez/next-mvp - Versions diffs - 4.0.0 → 4.0.2 - Mend

@payez/next-mvp 4.0.0 → 4.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/dist/api-handlers/account/change-password.js +110 -110
package/dist/api-handlers/admin/analytics.d.ts +19 -19
package/dist/api-handlers/admin/analytics.js +378 -378
package/dist/api-handlers/admin/audit.d.ts +19 -19
package/dist/api-handlers/admin/audit.js +213 -213
package/dist/api-handlers/admin/index.d.ts +21 -21
package/dist/api-handlers/admin/index.js +42 -42
package/dist/api-handlers/admin/redis-sessions.d.ts +35 -35
package/dist/api-handlers/admin/redis-sessions.js +203 -203
package/dist/api-handlers/admin/sessions.d.ts +20 -20
package/dist/api-handlers/admin/sessions.js +283 -283
package/dist/api-handlers/admin/site-logs.d.ts +45 -45
package/dist/api-handlers/admin/site-logs.js +317 -317
package/dist/api-handlers/admin/stats.d.ts +20 -20
package/dist/api-handlers/admin/stats.js +239 -239
package/dist/api-handlers/admin/users.d.ts +19 -19
package/dist/api-handlers/admin/users.js +221 -221
package/dist/api-handlers/admin/vibe-data.d.ts +79 -79
package/dist/api-handlers/admin/vibe-data.js +267 -267
package/dist/api-handlers/auth/refresh.js +633 -633
package/dist/api-handlers/auth/signout.js +186 -186
package/dist/api-handlers/auth/verify-code.d.ts +43 -43
package/dist/api-handlers/auth/verify-code.js +90 -90
package/dist/api-handlers/session/viability.js +114 -114
package/dist/api-handlers/test/force-expire.js +59 -59
package/dist/auth/auth-decision.js +182 -182
package/dist/auth/utils/token-utils.d.ts +83 -83
package/dist/auth/utils/token-utils.js +218 -218
package/dist/client/AuthContext.js +115 -115
package/dist/client/better-auth-client.d.ts +1020 -1020
package/dist/components/SessionSync.js +121 -121
package/dist/components/account/MobileNavDrawer.js +64 -64
package/dist/components/account/UserAvatarMenu.js +91 -91
package/dist/components/admin/VibeAdminLayout.js +71 -71
package/dist/hooks/useAuthSettings.js +93 -93
package/dist/hooks/useAvailableProviders.d.ts +43 -43
package/dist/hooks/useAvailableProviders.js +112 -112
package/dist/lib/app-slug.d.ts +95 -95
package/dist/lib/app-slug.js +172 -172
package/dist/lib/test-aware-get-token.js +86 -86
package/dist/lib/token-lifecycle.d.ts +78 -78
package/dist/lib/token-lifecycle.js +360 -360
package/dist/pages/admin-login/page.js +73 -73
package/dist/pages/client-admin/ClientSiteAdminPage.js +179 -179
package/dist/pages/login/page.js +202 -202
package/dist/pages/showcase/ShowcasePage.js +142 -142
package/dist/pages/test-env/EmergencyLogoutPage.js +99 -99
package/dist/pages/test-env/JwtInspectPage.js +116 -116
package/dist/pages/test-env/TestEnvPage.js +51 -51
package/dist/pages/verify-code/page.js +412 -412
package/dist/routes/auth/logout.d.ts +31 -31
package/dist/routes/auth/logout.js +98 -98
package/dist/routes/auth/session.js +157 -157
package/dist/routes/auth/viability.js +190 -190
package/package.json +6 -16
package/dist/auth/auth-options.d.ts +0 -57
package/dist/auth/auth-options.js +0 -213
package/dist/auth/callbacks/index.d.ts +0 -6
package/dist/auth/callbacks/index.js +0 -12
package/dist/auth/callbacks/jwt.d.ts +0 -45
package/dist/auth/callbacks/jwt.js +0 -305
package/dist/auth/callbacks/session.d.ts +0 -60
package/dist/auth/callbacks/session.js +0 -170
package/dist/auth/callbacks/signin.d.ts +0 -23
package/dist/auth/callbacks/signin.js +0 -44
package/dist/auth/events/index.d.ts +0 -4
package/dist/auth/events/index.js +0 -8
package/dist/auth/events/signout.d.ts +0 -17
package/dist/auth/events/signout.js +0 -32
package/dist/auth/providers/credentials.d.ts +0 -32
package/dist/auth/providers/credentials.js +0 -223
package/dist/auth/providers/index.d.ts +0 -5
package/dist/auth/providers/index.js +0 -21
package/dist/auth/providers/oauth.d.ts +0 -26
package/dist/auth/providers/oauth.js +0 -105
package/dist/lib/nextauth-secret.d.ts +0 -10
package/dist/lib/nextauth-secret.js +0 -100
package/dist/pages/profile/profile-patch.d.ts +0 -1
package/dist/pages/profile/profile-patch.js +0 -281
package/dist/pages/security/security-patch.d.ts +0 -1
package/dist/pages/security/security-patch.js +0 -302

package/dist/api-handlers/session/viability.js CHANGED Viewed

@@ -1,114 +1,114 @@
-"use strict";
-/**
- * Session Viability Check API Handler for `@payez/next-mvp`
- *
- * This API route is called by the middleware to securely check if a session is valid.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.GET = GET;
-const server_1 = require("next/server");
-const session_store_1 = require("../../lib/session-store");
-const auth_1 = require("../../server/auth");
-const startup_init_1 = require("../../lib/startup-init");
-const idp_client_config_1 = require("../../lib/idp-client-config");
-async function GET(req) {
-    try {
-        // Ensure initialization is complete
-        if (!process.env.NEXTAUTH_SECRET) {
-            try {
-                await (0, startup_init_1.ensureInitialized)();
-            }
-            catch (error) {
-                // Initialization failed - return 503
-                console.error('[API Viability] Initialization failed - returning 503');
-                return server_1.NextResponse.json({
-                    error: 'Service Unavailable',
-                    message: 'Authentication service is not properly configured',
-                    code: 'AUTH_NOT_INITIALIZED'
-                }, { status: 503 });
-            }
-        }
-        // Double-check after initialization attempt
-        if ((0, startup_init_1.isInitializationFailed)()) {
-            console.error('[API Viability] Initialization failed - returning 503');
-            return server_1.NextResponse.json({
-                error: 'Service Unavailable',
-                message: 'Authentication service is not properly configured',
-                code: 'AUTH_NOT_INITIALIZED'
-            }, { status: 503 });
-        }
-        // Get session from Better Auth
-        const betterAuthSession = await (0, auth_1.getSession)(req);
-        // Debug logging
-        if (!betterAuthSession) {
-            console.warn('[VIABILITY] getSession returned null');
-        }
-        const sessionToken = betterAuthSession?.session?.token;
-        if (betterAuthSession && sessionToken) {
-            const sessionData = await (0, session_store_1.getSession)(sessionToken);
-            if (sessionData) {
-                // The session exists in Redis
-                // Check if access token is expired (for middleware decision-making)
-                const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
-                const accessTokenExpired = accessTokenExpires < Date.now();
-                // Get requires2FA from cached client config (not session)
-                // This is a client-wide setting from the broker handshake
-                let requires2FA = true; // Default to true for security
-                try {
-                    const cachedConfig = await (0, idp_client_config_1.getIDPClientConfig)();
-                    requires2FA = cachedConfig.authSettings?.require2FA ?? true;
-                }
-                catch (e) {
-                    console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
-                }
-                // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
-                // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
-                // has passed, we must treat 2FA as incomplete to force re-verification.
-                const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
-                const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
-                // Check both field names for compatibility (mfaVerified is the normalized name)
-                const sessionMfaComplete = sessionData.mfaVerified ?? sessionData.twoFactorComplete ?? false;
-                const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
-                console.log('[VIABILITY] Session 2FA check:', {
-                    sessionToken: sessionToken.substring(0, 8) + '...',
-                    mfaVerified: sessionData.mfaVerified,
-                    twoFactorComplete: sessionData.twoFactorComplete,
-                    sessionMfaComplete,
-                    mfaExpired,
-                    effectiveTwoFactorComplete,
-                });
-                if (mfaExpired && sessionMfaComplete) {
-                    console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
-                        mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
-                        now: new Date().toISOString(),
-                        hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
-                    });
-                }
-                const response = {
-                    authenticated: true,
-                    sessionToken, // Include token for middleware tracking
-                    // 2FA fields - critical for middleware redirect logic
-                    requires2FA, // From cached client config (client-wide setting)
-                    twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
-                    // Token status for refresh decisions
-                    accessTokenExpired,
-                    hasRefreshToken: !!sessionData.idpRefreshToken
-                };
-                return server_1.NextResponse.json(response);
-            }
-            // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
-            // Return sessionToken so middleware can detect this and clear the stale cookie
-            console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
-            return server_1.NextResponse.json({
-                authenticated: false,
-                sessionToken // Include token to enable stale cookie detection
-            });
-        }
-        // If there's no token at all, it's not authenticated
-        return server_1.NextResponse.json({ authenticated: false });
-    }
-    catch (error) {
-        console.error('[API Viability] Error checking session viability:', error);
-        return server_1.NextResponse.json({ authenticated: false }, { status: 500 });
-    }
-}
+"use strict";
+/**
+ * Session Viability Check API Handler for `@payez/next-mvp`
+ *
+ * This API route is called by the middleware to securely check if a session is valid.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const session_store_1 = require("../../lib/session-store");
+const auth_1 = require("../../server/auth");
+const startup_init_1 = require("../../lib/startup-init");
+const idp_client_config_1 = require("../../lib/idp-client-config");
+async function GET(req) {
+    try {
+        // Ensure initialization is complete
+        if (!process.env.NEXTAUTH_SECRET) {
+            try {
+                await (0, startup_init_1.ensureInitialized)();
+            }
+            catch (error) {
+                // Initialization failed - return 503
+                console.error('[API Viability] Initialization failed - returning 503');
+                return server_1.NextResponse.json({
+                    error: 'Service Unavailable',
+                    message: 'Authentication service is not properly configured',
+                    code: 'AUTH_NOT_INITIALIZED'
+                }, { status: 503 });
+            }
+        }
+        // Double-check after initialization attempt
+        if ((0, startup_init_1.isInitializationFailed)()) {
+            console.error('[API Viability] Initialization failed - returning 503');
+            return server_1.NextResponse.json({
+                error: 'Service Unavailable',
+                message: 'Authentication service is not properly configured',
+                code: 'AUTH_NOT_INITIALIZED'
+            }, { status: 503 });
+        }
+        // Get session from Better Auth
+        const betterAuthSession = await (0, auth_1.getSession)(req);
+        // Debug logging
+        if (!betterAuthSession) {
+            console.warn('[VIABILITY] getSession returned null');
+        }
+        const sessionToken = betterAuthSession?.session?.token;
+        if (betterAuthSession && sessionToken) {
+            const sessionData = await (0, session_store_1.getSession)(sessionToken);
+            if (sessionData) {
+                // The session exists in Redis
+                // Check if access token is expired (for middleware decision-making)
+                const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
+                const accessTokenExpired = accessTokenExpires < Date.now();
+                // Get requires2FA from cached client config (not session)
+                // This is a client-wide setting from the broker handshake
+                let requires2FA = true; // Default to true for security
+                try {
+                    const cachedConfig = await (0, idp_client_config_1.getIDPClientConfig)();
+                    requires2FA = cachedConfig.authSettings?.require2FA ?? true;
+                }
+                catch (e) {
+                    console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
+                }
+                // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+                // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
+                // has passed, we must treat 2FA as incomplete to force re-verification.
+                const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
+                const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+                // Check both field names for compatibility (mfaVerified is the normalized name)
+                const sessionMfaComplete = sessionData.mfaVerified ?? sessionData.twoFactorComplete ?? false;
+                const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
+                console.log('[VIABILITY] Session 2FA check:', {
+                    sessionToken: sessionToken.substring(0, 8) + '...',
+                    mfaVerified: sessionData.mfaVerified,
+                    twoFactorComplete: sessionData.twoFactorComplete,
+                    sessionMfaComplete,
+                    mfaExpired,
+                    effectiveTwoFactorComplete,
+                });
+                if (mfaExpired && sessionMfaComplete) {
+                    console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
+                        mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
+                        now: new Date().toISOString(),
+                        hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
+                    });
+                }
+                const response = {
+                    authenticated: true,
+                    sessionToken, // Include token for middleware tracking
+                    // 2FA fields - critical for middleware redirect logic
+                    requires2FA, // From cached client config (client-wide setting)
+                    twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
+                    // Token status for refresh decisions
+                    accessTokenExpired,
+                    hasRefreshToken: !!sessionData.idpRefreshToken
+                };
+                return server_1.NextResponse.json(response);
+            }
+            // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
+            // Return sessionToken so middleware can detect this and clear the stale cookie
+            console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
+            return server_1.NextResponse.json({
+                authenticated: false,
+                sessionToken // Include token to enable stale cookie detection
+            });
+        }
+        // If there's no token at all, it's not authenticated
+        return server_1.NextResponse.json({ authenticated: false });
+    }
+    catch (error) {
+        console.error('[API Viability] Error checking session viability:', error);
+        return server_1.NextResponse.json({ authenticated: false }, { status: 500 });
+    }
+}

package/dist/api-handlers/test/force-expire.js CHANGED Viewed

@@ -1,59 +1,59 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.POST = void 0;
-const server_1 = require("next/server");
-const auth_1 = require("../../server/auth");
-const session_store_1 = require("../../lib/session-store");
-/**
- * Force-expire access token for testing refresh flow.
- *
- * Sets the access token expiry to 2 minutes in the past,
- * which will trigger a refresh on the next API call.
- *
- * Usage in consuming app:
- * ```typescript
- * // app/api/test/force-expire/route.ts
- * export { POST } from '@payez/next-mvp/api-handlers/test/force-expire';
- * ```
- */
-const POST = async (req) => {
-    try {
-        const betterAuthSession = await (0, auth_1.getSession)(req);
-        let sessionToken = betterAuthSession?.session?.token;
-        if (!sessionToken) {
-            const headerSessionToken = req.headers.get('x-session-token') || req.headers.get('X-Session-Token');
-            if (headerSessionToken) {
-                sessionToken = headerSessionToken;
-            }
-            else {
-                console.warn('[TEST_EXPIRE] No session token or X-Session-Token header');
-                return server_1.NextResponse.json({ success: false, error: 'No session token' }, { status: 401 });
-            }
-        }
-        const session = await (0, session_store_1.getSession)(sessionToken);
-        if (!session) {
-            return server_1.NextResponse.json({ success: false, error: 'Session not found' }, { status: 404 });
-        }
-        const now = Date.now();
-        const forced = now - (2 * 60 * 1000); // two minutes ago
-        const prev = session.idpAccessTokenExpires || null;
-        await (0, session_store_1.updateSession)(sessionToken, { idpAccessTokenExpires: forced });
-        console.log('[TEST_EXPIRE] Forced access token expiry for session', {
-            sessionToken: sessionToken.substring(0, 8) + '...',
-            previous: prev ? new Date(prev).toISOString() : null,
-            newExpiry: new Date(forced).toISOString()
-        });
-        return server_1.NextResponse.json({
-            success: true,
-            previous: prev,
-            previousIso: prev ? new Date(prev).toISOString() : null,
-            newExpiry: forced,
-            newExpiryIso: new Date(forced).toISOString()
-        });
-    }
-    catch (e) {
-        console.error('[TEST_EXPIRE] Error:', e);
-        return server_1.NextResponse.json({ success: false, error: e instanceof Error ? e.message : String(e) }, { status: 500 });
-    }
-};
-exports.POST = POST;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const session_store_1 = require("../../lib/session-store");
+/**
+ * Force-expire access token for testing refresh flow.
+ *
+ * Sets the access token expiry to 2 minutes in the past,
+ * which will trigger a refresh on the next API call.
+ *
+ * Usage in consuming app:
+ * ```typescript
+ * // app/api/test/force-expire/route.ts
+ * export { POST } from '@payez/next-mvp/api-handlers/test/force-expire';
+ * ```
+ */
+const POST = async (req) => {
+    try {
+        const betterAuthSession = await (0, auth_1.getSession)(req);
+        let sessionToken = betterAuthSession?.session?.token;
+        if (!sessionToken) {
+            const headerSessionToken = req.headers.get('x-session-token') || req.headers.get('X-Session-Token');
+            if (headerSessionToken) {
+                sessionToken = headerSessionToken;
+            }
+            else {
+                console.warn('[TEST_EXPIRE] No session token or X-Session-Token header');
+                return server_1.NextResponse.json({ success: false, error: 'No session token' }, { status: 401 });
+            }
+        }
+        const session = await (0, session_store_1.getSession)(sessionToken);
+        if (!session) {
+            return server_1.NextResponse.json({ success: false, error: 'Session not found' }, { status: 404 });
+        }
+        const now = Date.now();
+        const forced = now - (2 * 60 * 1000); // two minutes ago
+        const prev = session.idpAccessTokenExpires || null;
+        await (0, session_store_1.updateSession)(sessionToken, { idpAccessTokenExpires: forced });
+        console.log('[TEST_EXPIRE] Forced access token expiry for session', {
+            sessionToken: sessionToken.substring(0, 8) + '...',
+            previous: prev ? new Date(prev).toISOString() : null,
+            newExpiry: new Date(forced).toISOString()
+        });
+        return server_1.NextResponse.json({
+            success: true,
+            previous: prev,
+            previousIso: prev ? new Date(prev).toISOString() : null,
+            newExpiry: forced,
+            newExpiryIso: new Date(forced).toISOString()
+        });
+    }
+    catch (e) {
+        console.error('[TEST_EXPIRE] Error:', e);
+        return server_1.NextResponse.json({ success: false, error: e instanceof Error ? e.message : String(e) }, { status: 500 });
+    }
+};
+exports.POST = POST;