@payez/next-mvp 4.0.1 → 4.0.2

package/dist/api-handlers/admin/audit.js

@@ -0,0 +1,213 @@
+"use strict";
+/**
+ * Admin Audit Logs API Handler
+ *
+ * Provides admin-level access to audit logs using service account credentials.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuditHandler = createAuditHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const startup_init_1 = require("../../lib/startup-init");
+const roles_1 = require("../../lib/roles");
+async function checkAdminRole(request) {
+    const session = await (0, auth_1.getSession)(request);
+    if (!session?.user) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
+        };
+    }
+    const userRoles = session.user?.roles || [];
+    const hasAdminRole = roles_1.ADMIN_ROLES.some(role => userRoles.includes(role));
+    if (!hasAdminRole) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
+        };
+    }
+    return { isAdmin: true };
+}
+async function vibeServiceRequest(endpoint, options) {
+    const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+    const clientId = process.env.VIBE_CLIENT_ID;
+    const signingKey = process.env.VIBE_HMAC_KEY;
+    if (!idpUrl || !clientId || !signingKey) {
+        return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
+    }
+    const timestamp = Math.floor(Date.now() / 1000);
+    const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
+    const crypto = await Promise.resolve().then(() => __importStar(require('crypto')));
+    const signature = crypto
+        .createHmac('sha256', Buffer.from(signingKey, 'base64'))
+        .update(stringToSign)
+        .digest('base64');
+    const proxyUrl = `${idpUrl}/api/vibe/proxy`;
+    // Get the client slug from startup config for multi-client admin support
+    const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
+    try {
+        const res = await fetch(proxyUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Vibe-Client-Id': clientId,
+                'X-Vibe-Timestamp': String(timestamp),
+                'X-Vibe-Signature': signature,
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
+            },
+            body: JSON.stringify({
+                endpoint,
+                method: options.method,
+                data: options.body ?? null,
+            }),
+            cache: 'no-store',
+        });
+        if (res.status === 204)
+            return { ok: true, status: 204, data: null };
+        if (!res.ok) {
+            const errorText = await res.text();
+            return { ok: false, status: res.status, data: null, error: errorText };
+        }
+        const body = await res.json();
+        return { ok: true, status: res.status, data: body };
+    }
+    catch (error) {
+        return { ok: false, status: 0, data: null, error: String(error) };
+    }
+}
+/**
+ * GET /api/admin/audit - List audit logs
+ * POST /api/admin/audit - Stats
+ */
+function createAuditHandler(config) {
+    return {
+        async GET(request) {
+            const adminCheck = await checkAdminRole(request);
+            if (adminCheck.error)
+                return adminCheck.error;
+            const { searchParams } = new URL(request.url);
+            const action = searchParams.get('action');
+            const userId = searchParams.get('userId');
+            const startDate = searchParams.get('startDate');
+            const endDate = searchParams.get('endDate');
+            const page = parseInt(searchParams.get('page') || '1');
+            const pageSize = parseInt(searchParams.get('pageSize') || '50');
+            const queryBody = {
+                page,
+                pageSize,
+                orderBy: 'created_at',
+                orderDirection: 'desc',
+            };
+            const conditions = [];
+            if (action) {
+                conditions.push({ field: 'action', operator: 'eq', value: action });
+            }
+            if (userId) {
+                conditions.push({ field: 'user_id', operator: 'eq', value: userId });
+            }
+            if (startDate) {
+                conditions.push({ field: 'created_at', operator: 'gte', value: startDate });
+            }
+            if (endDate) {
+                conditions.push({ field: 'created_at', operator: 'lte', value: endDate });
+            }
+            if (conditions.length === 1) {
+                queryBody.filter = conditions[0];
+            }
+            else if (conditions.length > 1) {
+                queryBody.filter = { operator: 'and', conditions };
+            }
+            const result = await vibeServiceRequest('/v1/collections/vibe_app/tables/audit_logs/query', { method: 'POST', body: queryBody });
+            if (!result.ok) {
+                return server_1.NextResponse.json({ error: result.error }, { status: result.status || 500 });
+            }
+            const rawLogs = result.data?.data || result.data?.documents || [];
+            const logs = rawLogs.map((log) => ({
+                id: log.id || log.document_id,
+                user_id: log.user_id || log.idp_user_id,
+                email: log.email,
+                action: log.action,
+                resource_type: log.resource_type,
+                resource_id: log.resource_id,
+                details: log.details,
+                ip_address: log.ip_address,
+                user_agent: log.user_agent,
+                created_at: log.created_at,
+            }));
+            return server_1.NextResponse.json({
+                logs,
+                meta: result.data?.meta || { total: logs.length, page, pageSize },
+            });
+        },
+        async POST(request) {
+            const adminCheck = await checkAdminRole(request);
+            if (adminCheck.error)
+                return adminCheck.error;
+            const body = await request.json();
+            const { action } = body;
+            if (action === 'stats') {
+                const result = await vibeServiceRequest('/v1/collections/vibe_app/tables/audit_logs/query', { method: 'POST', body: { page: 1, pageSize: 10000 } });
+                if (!result.ok) {
+                    return server_1.NextResponse.json({ error: result.error }, { status: result.status || 500 });
+                }
+                const logs = result.data?.data || result.data?.documents || [];
+                const now = new Date();
+                const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+                const oneWeekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+                const stats = {
+                    total: logs.length,
+                    today: logs.filter((l) => new Date(l.created_at) > oneDayAgo).length,
+                    thisWeek: logs.filter((l) => new Date(l.created_at) > oneWeekAgo).length,
+                    uniqueUsers: new Set(logs.map((l) => l.user_id || l.idp_user_id)).size,
+                    byAction: {},
+                    byResourceType: {},
+                };
+                logs.forEach((l) => {
+                    const act = l.action || 'unknown';
+                    stats.byAction[act] = (stats.byAction[act] || 0) + 1;
+                    const rt = l.resource_type || 'unknown';
+                    stats.byResourceType[rt] = (stats.byResourceType[rt] || 0) + 1;
+                });
+                return server_1.NextResponse.json({ stats });
+            }
+            return server_1.NextResponse.json({ error: 'Invalid action' }, { status: 400 });
+        },
+    };
+}

package/dist/api-handlers/admin/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Admin API Handlers
+ *
+ * Provides admin-level API handlers for Vibe data access.
+ * These handlers use service account credentials to bypass user filtering.
+ *
+ * Usage:
+ * ------
+ * // In your app's API route (e.g., app/api/admin/vibe/data/[collection]/[table]/route.ts)
+ * import { createGetTableDataHandler } from '@payez/next-mvp/api-handlers/admin';
+ *
+ * export const GET = createGetTableDataHandler({ ... });
+ */
+export { createGetCollectionsHandler, createGetTablesHandler, createGetTableDataHandler, createGetRecordHandler, createUpdateRecordHandler, createDeleteRecordHandler, createQueryHandler, type AdminVibeHandlerConfig, } from './vibe-data';
+export { createSessionsHandler, type AdminSessionsHandlerConfig, } from './sessions';
+export { createUsersHandler, type AdminUsersHandlerConfig, } from './users';
+export { createAuditHandler, type AdminAuditHandlerConfig, } from './audit';
+export { createAnalyticsHandler, type AdminAnalyticsHandlerConfig, } from './analytics';
+export { createSiteLogsHandler, createSiteLogsStatsHandler, createSiteLogsDrainHandler, createSiteLogsQueueHandler, type SiteLogsHandlerConfig, } from './site-logs';
+export { createRedisSessionsHandler, createRedisSessionRevokeHandler, type RedisSessionsHandlerConfig, } from './redis-sessions';
+export { createStatsHandler, type AdminStatsHandlerConfig, } from './stats';

package/dist/api-handlers/admin/index.js

@@ -0,0 +1,42 @@
+"use strict";
+/**
+ * Admin API Handlers
+ *
+ * Provides admin-level API handlers for Vibe data access.
+ * These handlers use service account credentials to bypass user filtering.
+ *
+ * Usage:
+ * ------
+ * // In your app's API route (e.g., app/api/admin/vibe/data/[collection]/[table]/route.ts)
+ * import { createGetTableDataHandler } from '@payez/next-mvp/api-handlers/admin';
+ *
+ * export const GET = createGetTableDataHandler({ ... });
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createStatsHandler = exports.createRedisSessionRevokeHandler = exports.createRedisSessionsHandler = exports.createSiteLogsQueueHandler = exports.createSiteLogsDrainHandler = exports.createSiteLogsStatsHandler = exports.createSiteLogsHandler = exports.createAnalyticsHandler = exports.createAuditHandler = exports.createUsersHandler = exports.createSessionsHandler = exports.createQueryHandler = exports.createDeleteRecordHandler = exports.createUpdateRecordHandler = exports.createGetRecordHandler = exports.createGetTableDataHandler = exports.createGetTablesHandler = exports.createGetCollectionsHandler = void 0;
+var vibe_data_1 = require("./vibe-data");
+Object.defineProperty(exports, "createGetCollectionsHandler", { enumerable: true, get: function () { return vibe_data_1.createGetCollectionsHandler; } });
+Object.defineProperty(exports, "createGetTablesHandler", { enumerable: true, get: function () { return vibe_data_1.createGetTablesHandler; } });
+Object.defineProperty(exports, "createGetTableDataHandler", { enumerable: true, get: function () { return vibe_data_1.createGetTableDataHandler; } });
+Object.defineProperty(exports, "createGetRecordHandler", { enumerable: true, get: function () { return vibe_data_1.createGetRecordHandler; } });
+Object.defineProperty(exports, "createUpdateRecordHandler", { enumerable: true, get: function () { return vibe_data_1.createUpdateRecordHandler; } });
+Object.defineProperty(exports, "createDeleteRecordHandler", { enumerable: true, get: function () { return vibe_data_1.createDeleteRecordHandler; } });
+Object.defineProperty(exports, "createQueryHandler", { enumerable: true, get: function () { return vibe_data_1.createQueryHandler; } });
+var sessions_1 = require("./sessions");
+Object.defineProperty(exports, "createSessionsHandler", { enumerable: true, get: function () { return sessions_1.createSessionsHandler; } });
+var users_1 = require("./users");
+Object.defineProperty(exports, "createUsersHandler", { enumerable: true, get: function () { return users_1.createUsersHandler; } });
+var audit_1 = require("./audit");
+Object.defineProperty(exports, "createAuditHandler", { enumerable: true, get: function () { return audit_1.createAuditHandler; } });
+var analytics_1 = require("./analytics");
+Object.defineProperty(exports, "createAnalyticsHandler", { enumerable: true, get: function () { return analytics_1.createAnalyticsHandler; } });
+var site_logs_1 = require("./site-logs");
+Object.defineProperty(exports, "createSiteLogsHandler", { enumerable: true, get: function () { return site_logs_1.createSiteLogsHandler; } });
+Object.defineProperty(exports, "createSiteLogsStatsHandler", { enumerable: true, get: function () { return site_logs_1.createSiteLogsStatsHandler; } });
+Object.defineProperty(exports, "createSiteLogsDrainHandler", { enumerable: true, get: function () { return site_logs_1.createSiteLogsDrainHandler; } });
+Object.defineProperty(exports, "createSiteLogsQueueHandler", { enumerable: true, get: function () { return site_logs_1.createSiteLogsQueueHandler; } });
+var redis_sessions_1 = require("./redis-sessions");
+Object.defineProperty(exports, "createRedisSessionsHandler", { enumerable: true, get: function () { return redis_sessions_1.createRedisSessionsHandler; } });
+Object.defineProperty(exports, "createRedisSessionRevokeHandler", { enumerable: true, get: function () { return redis_sessions_1.createRedisSessionRevokeHandler; } });
+var stats_1 = require("./stats");
+Object.defineProperty(exports, "createStatsHandler", { enumerable: true, get: function () { return stats_1.createStatsHandler; } });

package/dist/api-handlers/admin/redis-sessions.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Admin Redis Sessions API Handler
+ *
+ * Provides admin-level access to active sessions stored in Redis.
+ * Reads directly from Redis {APP_SLUG}:sess:* pattern.
+ *
+ * Note: This is different from sessions.ts which queries Vibe login_sessions table.
+ * This handler shows real-time active sessions in Redis.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export interface RedisSessionsHandlerConfig {
+    appSlug?: string;
+}
+/**
+ * Create Redis sessions handler
+ * GET /api/admin/redis-sessions - List all active sessions from Redis
+ */
+export declare function createRedisSessionsHandler(config: RedisSessionsHandlerConfig): {
+    GET(request: NextRequest): Promise<NextResponse<unknown>>;
+    DELETE(request: NextRequest): Promise<NextResponse<unknown>>;
+};
+/**
+ * Create Redis session revoke handler for specific session
+ * POST /api/admin/redis-sessions/[sessionId]/revoke
+ */
+export declare function createRedisSessionRevokeHandler(config: RedisSessionsHandlerConfig): {
+    POST(request: NextRequest, { params }: {
+        params: {
+            sessionId: string;
+        };
+    }): Promise<NextResponse<unknown>>;
+};

package/dist/api-handlers/admin/redis-sessions.js

@@ -0,0 +1,203 @@
+"use strict";
+/**
+ * Admin Redis Sessions API Handler
+ *
+ * Provides admin-level access to active sessions stored in Redis.
+ * Reads directly from Redis {APP_SLUG}:sess:* pattern.
+ *
+ * Note: This is different from sessions.ts which queries Vibe login_sessions table.
+ * This handler shows real-time active sessions in Redis.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createRedisSessionsHandler = createRedisSessionsHandler;
+exports.createRedisSessionRevokeHandler = createRedisSessionRevokeHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const redis_1 = require("../../lib/redis");
+const roles_1 = require("../../lib/roles");
+/**
+ * Check if the current user has admin role
+ */
+async function checkAdminRole(request) {
+    const session = await (0, auth_1.getSession)(request);
+    if (!session?.user) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
+        };
+    }
+    const userRoles = session.user?.roles || [];
+    const hasAdminRole = roles_1.ADMIN_ROLES.some(role => userRoles.includes(role));
+    if (!hasAdminRole) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
+        };
+    }
+    return { isAdmin: true, userId: session.user?.id };
+}
+/**
+ * Create Redis sessions handler
+ * GET /api/admin/redis-sessions - List all active sessions from Redis
+ */
+function createRedisSessionsHandler(config) {
+    const getSessionPrefix = () => {
+        const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+        return `${appSlug}:sess:`;
+    };
+    return {
+        async GET(request) {
+            const adminCheck = await checkAdminRole(request);
+            if (adminCheck.error)
+                return adminCheck.error;
+            try {
+                const redis = (0, redis_1.getRedis)();
+                const sessionPrefix = getSessionPrefix();
+                // Scan Redis for all session keys (exclude version keys)
+                const sessionKeys = [];
+                let cursor = '0';
+                do {
+                    const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+                    cursor = newCursor;
+                    // Filter out version keys (ver:) - only want actual session keys
+                    sessionKeys.push(...keys.filter((k) => !k.includes(':ver:')));
+                } while (cursor !== '0');
+                // Fetch all session data
+                const sessions = [];
+                for (const key of sessionKeys) {
+                    const sessionJson = await redis.get(key);
+                    if (!sessionJson)
+                        continue;
+                    try {
+                        const sessionData = JSON.parse(sessionJson);
+                        const sessionToken = key.replace(sessionPrefix, '');
+                        sessions.push({
+                            id: sessionToken.substring(0, 16), // Truncated for display
+                            session_token: sessionToken.substring(0, 8) + '...', // Masked
+                            user_id: sessionData.userId,
+                            user_name: sessionData.name,
+                            user_email: sessionData.email,
+                            status: 'active', // Sessions in Redis are active
+                            created_at: sessionData.createdAt,
+                            mfa_verified: sessionData.mfaVerified || sessionData.twoFactorComplete || false,
+                            access_token_expires: sessionData.idpAccessTokenExpires
+                                ? new Date(sessionData.idpAccessTokenExpires).toISOString()
+                                : null,
+                        });
+                    }
+                    catch (parseError) {
+                        console.error('[admin/redis-sessions] Failed to parse session:', key, parseError);
+                    }
+                }
+                // Sort by most recent first (if created_at available)
+                sessions.sort((a, b) => {
+                    if (!a.created_at || !b.created_at)
+                        return 0;
+                    return new Date(b.created_at).getTime() - new Date(a.created_at).getTime();
+                });
+                // Calculate stats
+                const uniqueUsers = new Set(sessions.map(s => s.user_email).filter(Boolean)).size;
+                return server_1.NextResponse.json({
+                    sessions,
+                    total: sessions.length,
+                    stats: {
+                        total_active: sessions.length,
+                        total_revoked: 0, // Revoked sessions are deleted from Redis
+                        unique_users: uniqueUsers,
+                    },
+                    redis_prefix: sessionPrefix,
+                });
+            }
+            catch (error) {
+                console.error('[admin/redis-sessions] Error:', error);
+                return server_1.NextResponse.json({ error: error.message || 'Internal error' }, { status: 500 });
+            }
+        },
+        async DELETE(request) {
+            const adminCheck = await checkAdminRole(request);
+            if (adminCheck.error)
+                return adminCheck.error;
+            try {
+                const { searchParams } = new URL(request.url);
+                const sessionToken = searchParams.get('session_token');
+                if (!sessionToken) {
+                    return server_1.NextResponse.json({ error: 'session_token parameter required' }, { status: 400 });
+                }
+                const redis = (0, redis_1.getRedis)();
+                const sessionPrefix = getSessionPrefix();
+                const sessionKey = `${sessionPrefix}${sessionToken}`;
+                // Delete the session
+                const deleted = await redis.del(sessionKey);
+                if (deleted === 0) {
+                    return server_1.NextResponse.json({ error: 'Session not found or already deleted' }, { status: 404 });
+                }
+                return server_1.NextResponse.json({
+                    success: true,
+                    message: 'Session revoked',
+                    session_token: sessionToken.substring(0, 8) + '...',
+                });
+            }
+            catch (error) {
+                console.error('[admin/redis-sessions] DELETE Error:', error);
+                return server_1.NextResponse.json({ error: error.message || 'Internal error' }, { status: 500 });
+            }
+        },
+    };
+}
+/**
+ * Create Redis session revoke handler for specific session
+ * POST /api/admin/redis-sessions/[sessionId]/revoke
+ */
+function createRedisSessionRevokeHandler(config) {
+    const getSessionPrefix = () => {
+        const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+        return `${appSlug}:sess:`;
+    };
+    return {
+        async POST(request, { params }) {
+            const adminCheck = await checkAdminRole(request);
+            if (adminCheck.error)
+                return adminCheck.error;
+            try {
+                const sessionId = params.sessionId;
+                if (!sessionId) {
+                    return server_1.NextResponse.json({ error: 'Session ID required' }, { status: 400 });
+                }
+                const redis = (0, redis_1.getRedis)();
+                const sessionPrefix = getSessionPrefix();
+                // Find session key that starts with the sessionId
+                let targetKey = null;
+                let cursor = '0';
+                do {
+                    const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+                    cursor = newCursor;
+                    for (const key of keys) {
+                        const token = key.replace(sessionPrefix, '');
+                        if (token.startsWith(sessionId) || token.substring(0, 16) === sessionId) {
+                            targetKey = key;
+                            break;
+                        }
+                    }
+                    if (targetKey)
+                        break;
+                } while (cursor !== '0');
+                if (!targetKey) {
+                    return server_1.NextResponse.json({ error: 'Session not found' }, { status: 404 });
+                }
+                // Delete the session
+                await redis.del(targetKey);
+                return server_1.NextResponse.json({
+                    success: true,
+                    message: 'Session revoked',
+                });
+            }
+            catch (error) {
+                console.error('[admin/redis-sessions/revoke] Error:', error);
+                return server_1.NextResponse.json({ error: error.message || 'Internal error' }, { status: 500 });
+            }
+        },
+    };
+}

package/dist/api-handlers/admin/sessions.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Admin Sessions API Handler
+ *
+ * Provides admin-level access to login sessions using service account credentials.
+ * Used by SessionsTab component.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export interface AdminSessionsHandlerConfig {
+}
+/**
+ * GET /api/admin/sessions - List sessions
+ * POST /api/admin/sessions - Stats, revoke actions
+ */
+export declare function createSessionsHandler(config: AdminSessionsHandlerConfig): {
+    GET(request: NextRequest): Promise<NextResponse<unknown>>;
+    POST(request: NextRequest): Promise<NextResponse<unknown>>;
+};