@payez/next-mvp 4.0.1 → 4.0.3

package/dist/api/auth-handler.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Enhanced Auth Handler with Coordinated Token Refresh
+ *
+ * Provides a middleware wrapper that automatically handles token lifecycle:
+ * - Checks token expiry before each request
+ * - Automatically refreshes expired or near-expired tokens
+ * - Uses Redis locks for coordinated refresh (prevents race conditions)
+ * - Retries requests on 401 responses with fresh tokens
+ *
+ * Pattern ported from website-membership simple-api-handler.ts
+ *
+ * @version 2.1.0
+ * @since auth-ready-v2
+ */
+import { NextRequest, NextResponse } from 'next/server';
+export interface AuthContext {
+    token: any;
+    accessToken: string;
+    userId: string;
+    sessionToken: string;
+    refreshToken?: string;
+}
+export interface AuthHandlerOptions {
+    /** Whether authentication is required for this route (default: true) */
+    requireAuth?: boolean;
+    /** Automatically refresh expired or near-expired tokens (default: true) */
+    autoRefresh?: boolean;
+    /** Buffer time in seconds before token expiry to trigger refresh (default: 300 = 5 minutes) */
+    refreshBuffer?: number;
+    /** Retry request on 401 response after refreshing token (default: true) */
+    retryOn401?: boolean;
+    /** Maximum number of retry attempts on 401 (default: 1) */
+    maxRetries?: number;
+    /** NextAuth secret for JWT decoding */
+    nextAuthSecret?: string;
+    /** IDP base URL for refresh requests */
+    idpBaseUrl?: string;
+    /** OAuth client ID */
+    clientId?: string;
+}
+export type HandlerFunction = (req: NextRequest, context: any, auth: AuthContext) => Promise<NextResponse | Response>;
+/**
+ * Creates an auth-aware handler with automatic token refresh
+ *
+ * @example
+ * ```typescript
+ * import { createAuthHandler } from '@payez/next-mvp/api';
+ *
+ * const handler = createAuthHandler({ requireAuth: true });
+ *
+ * export const GET = handler.handle(async (req, context, auth) => {
+ *   // auth.accessToken is guaranteed to be fresh
+ *   const response = await fetch('https://api.example.com/data', {
+ *     headers: { 'Authorization': `Bearer ${auth.accessToken}` }
+ *   });
+ *   return NextResponse.json(await response.json());
+ * });
+ * ```
+ */
+export declare function createAuthHandler(options?: AuthHandlerOptions): {
+    handle: (handler: HandlerFunction) => (req: NextRequest, context?: any) => Promise<Response>;
+};
+/**
+ * Default export for convenience
+ */
+export default createAuthHandler;

package/dist/api/auth-handler.js

@@ -0,0 +1,397 @@
+"use strict";
+/**
+ * Enhanced Auth Handler with Coordinated Token Refresh
+ *
+ * Provides a middleware wrapper that automatically handles token lifecycle:
+ * - Checks token expiry before each request
+ * - Automatically refreshes expired or near-expired tokens
+ * - Uses Redis locks for coordinated refresh (prevents race conditions)
+ * - Retries requests on 401 responses with fresh tokens
+ *
+ * Pattern ported from website-membership simple-api-handler.ts
+ *
+ * @version 2.1.0
+ * @since auth-ready-v2
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthHandler = createAuthHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../server/auth");
+const nanoid_1 = require("nanoid");
+const session_store_1 = require("../lib/session-store");
+/**
+ * Creates an auth-aware handler with automatic token refresh
+ *
+ * @example
+ * ```typescript
+ * import { createAuthHandler } from '@payez/next-mvp/api';
+ *
+ * const handler = createAuthHandler({ requireAuth: true });
+ *
+ * export const GET = handler.handle(async (req, context, auth) => {
+ *   // auth.accessToken is guaranteed to be fresh
+ *   const response = await fetch('https://api.example.com/data', {
+ *     headers: { 'Authorization': `Bearer ${auth.accessToken}` }
+ *   });
+ *   return NextResponse.json(await response.json());
+ * });
+ * ```
+ */
+function createAuthHandler(options = {}) {
+    const { requireAuth = true, autoRefresh = true, refreshBuffer = 60, // 60 seconds - matches website-membership proven threshold
+    retryOn401 = true, maxRetries = 1, nextAuthSecret = process.env.NEXTAUTH_SECRET, idpBaseUrl = process.env.IDP_URL, clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID } = options;
+    /**
+     * Performs coordinated token refresh with Redis locking
+     * This prevents multiple concurrent requests from all trying to refresh simultaneously
+     */
+    async function performCoordinatedRefresh(sessionToken, requestId) {
+        // Check if refresh is already in progress
+        const existingLock = await (0, session_store_1.checkRefreshLock)(sessionToken);
+        if (existingLock) {
+            console.info('[AUTH_HANDLER] Refresh already in progress, waiting...', {
+                requestId,
+                lockOwner: existingLock.acquiredBy,
+                lockAge: Date.now() - existingLock.acquiredAt
+            });
+            // Wait for the refresh to complete
+            const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
+            if (waitResult.success) {
+                // Get the fresh token from session
+                const freshSession = await (0, session_store_1.getSession)(sessionToken);
+                if (freshSession?.accessToken) {
+                    return {
+                        success: true,
+                        accessToken: freshSession.accessToken,
+                        refreshToken: freshSession.refreshToken,
+                        expiresIn: freshSession.accessTokenExpires
+                            ? Math.floor((freshSession.accessTokenExpires - Date.now()) / 1000)
+                            : undefined
+                    };
+                }
+            }
+            return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
+        }
+        // Try to acquire the refresh lock
+        const lockAcquired = await (0, session_store_1.acquireRefreshLock)(sessionToken, requestId, 5000);
+        if (!lockAcquired) {
+            // Another request grabbed the lock, wait for it
+            console.info('[AUTH_HANDLER] Failed to acquire lock, waiting for other request', { requestId });
+            const waitResult = await waitForRefreshCompletion(sessionToken, requestId, 10000);
+            if (waitResult.success) {
+                const freshSession = await (0, session_store_1.getSession)(sessionToken);
+                if (freshSession?.accessToken) {
+                    return {
+                        success: true,
+                        accessToken: freshSession.accessToken,
+                        refreshToken: freshSession.refreshToken
+                    };
+                }
+            }
+            return { success: false, error: waitResult.reason || 'Wait for refresh failed' };
+        }
+        try {
+            // Double-check if tokens are still stale after acquiring lock
+            const latestSession = await (0, session_store_1.getSession)(sessionToken);
+            if (latestSession && !tokenNeedsRefresh(latestSession, refreshBuffer)) {
+                console.info('[AUTH_HANDLER] Tokens already fresh after acquiring lock, skipping refresh', { requestId });
+                return {
+                    success: true,
+                    accessToken: latestSession.accessToken,
+                    refreshToken: latestSession.refreshToken
+                };
+            }
+            // Actually perform the refresh
+            return await executeRefresh(sessionToken, latestSession);
+        }
+        finally {
+            // Always release the lock
+            await (0, session_store_1.releaseRefreshLock)(sessionToken, requestId);
+        }
+    }
+    /**
+     * Wait for an in-progress refresh to complete
+     */
+    async function waitForRefreshCompletion(sessionToken, requestId, maxWaitMs) {
+        const startTime = Date.now();
+        const pollInterval = 100;
+        while (Date.now() - startTime < maxWaitMs) {
+            const lockExists = await (0, session_store_1.checkRefreshLock)(sessionToken);
+            if (!lockExists) {
+                // Lock released, check if tokens are fresh
+                const session = await (0, session_store_1.getSession)(sessionToken);
+                if (session?.accessToken && !tokenNeedsRefresh(session, refreshBuffer)) {
+                    return { success: true };
+                }
+                else {
+                    return { success: false, reason: 'Lock released but tokens not fresh' };
+                }
+            }
+            await new Promise(resolve => setTimeout(resolve, pollInterval));
+        }
+        return { success: false, reason: `Timeout waiting for refresh (${maxWaitMs}ms)` };
+    }
+    /**
+     * Check if token needs refresh based on expiry and buffer
+     */
+    function tokenNeedsRefresh(session, bufferSeconds) {
+        if (!session.accessToken)
+            return true;
+        const expires = session.accessTokenExpires || 0;
+        const bufferMs = bufferSeconds * 1000;
+        const timeUntilExpiry = expires - Date.now();
+        return timeUntilExpiry <= bufferMs;
+    }
+    /**
+     * Execute the actual token refresh against IDP
+     */
+    async function executeRefresh(sessionToken, currentSession) {
+        try {
+            if (!idpBaseUrl || !clientId) {
+                console.error('[AUTH_HANDLER] Missing IDP configuration for refresh');
+                return { success: false, error: 'Missing IDP configuration' };
+            }
+            if (!currentSession) {
+                console.error('[AUTH_HANDLER] No session found for refresh');
+                return { success: false, error: 'No session found' };
+            }
+            if (!currentSession.refreshToken) {
+                console.error('[AUTH_HANDLER] No refresh token available');
+                return { success: false, error: 'No refresh token' };
+            }
+            // Extract authentication methods from session
+            const authMethods = currentSession.authMethods ||
+                (currentSession.token?.amr ? JSON.parse(currentSession.token.amr) : ['pwd', 'mfa']);
+            const authLevel = String(currentSession.authenticationLevel || currentSession.token?.acr || '2');
+            const twoFactorMethod = currentSession.twoFactorMethod || 'authenticator';
+            // Build refresh request body
+            const refreshRequestBody = {
+                refresh_token: currentSession.refreshToken,
+                amr: authMethods,
+                acr: authLevel
+            };
+            if (currentSession.twoFactorComplete) {
+                refreshRequestBody.two_factor_verified = true;
+            }
+            if (twoFactorMethod) {
+                refreshRequestBody.two_factor_method = twoFactorMethod;
+            }
+            if (currentSession.mfaCompletedAt) {
+                refreshRequestBody.two_factor_completed_at = new Date(currentSession.mfaCompletedAt).toISOString();
+            }
+            console.info('[AUTH_HANDLER] Executing refresh against IDP', {
+                sessionToken: sessionToken.substring(0, 8) + '...',
+                hasRefreshToken: true
+            });
+            const response = await fetch(`${idpBaseUrl}/api/ExternalAuth/refresh`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'X-Client-Id': clientId,
+                },
+                body: JSON.stringify(refreshRequestBody),
+            });
+            if (!response.ok) {
+                const errorText = await response.text().catch(() => 'Unknown error');
+                console.error('[AUTH_HANDLER] Refresh failed:', response.status, errorText);
+                return { success: false, error: `Refresh failed: ${response.status}` };
+            }
+            const data = await response.json();
+            if (data.success === false) {
+                return { success: false, error: data.error?.message || data.message || 'Refresh failed' };
+            }
+            const tokenData = data.data || data;
+            if (!tokenData.access_token) {
+                console.error('[AUTH_HANDLER] No access token in refresh response');
+                return { success: false, error: 'No access token received' };
+            }
+            // Update session with new tokens
+            const updatedSession = {
+                ...currentSession,
+                accessToken: tokenData.access_token,
+                refreshToken: tokenData.refresh_token || currentSession.refreshToken,
+                accessTokenExpires: tokenData.expires_in
+                    ? Date.now() + (tokenData.expires_in * 1000)
+                    : Date.now() + (3600 * 1000),
+            };
+            await (0, session_store_1.updateSession)(sessionToken, updatedSession);
+            console.info('[AUTH_HANDLER] Token refresh successful', {
+                newExpiry: new Date(updatedSession.accessTokenExpires).toISOString()
+            });
+            return {
+                success: true,
+                accessToken: tokenData.access_token,
+                refreshToken: tokenData.refresh_token,
+                expiresIn: tokenData.expires_in,
+            };
+        }
+        catch (error) {
+            console.error('[AUTH_HANDLER] Refresh exception:', error);
+            return { success: false, error: error instanceof Error ? error.message : 'Refresh failed' };
+        }
+    }
+    /**
+     * Checks if auth context token needs refresh based on expiry and buffer
+     */
+    function needsRefresh(auth) {
+        if (!autoRefresh)
+            return false;
+        // Check if we have token expiry information
+        const token = auth.token;
+        const expiresAt = token.accessTokenExpires || token.exp;
+        if (!expiresAt) {
+            // No expiry info, can't determine if refresh needed
+            return false;
+        }
+        const now = Math.floor(Date.now() / 1000);
+        const expiryTime = typeof expiresAt === 'number' && expiresAt > 1000000000000
+            ? Math.floor(expiresAt / 1000) // Convert milliseconds to seconds
+            : expiresAt;
+        // Check if token expires within the buffer period
+        return (expiryTime - now) <= refreshBuffer;
+    }
+    /**
+     * Generate a unique request ID for coordinated refresh
+     */
+    function generateRequestId() {
+        return (0, nanoid_1.nanoid)();
+    }
+    /**
+     * Main handler wrapper
+     */
+    return {
+        handle: (handler) => {
+            return async (req, context = {}) => {
+                // Extract session from Better Auth
+                const betterAuthSession = await (0, auth_1.getSession)(req);
+                const token = betterAuthSession ? { ...betterAuthSession.user, ...betterAuthSession.session } : null;
+                // Check if auth is required
+                if (requireAuth && !betterAuthSession) {
+                    return server_1.NextResponse.json({ error: 'Authentication required', code: 'UNAUTHORIZED' }, { status: 401 });
+                }
+                // If no session and auth not required, call handler without auth context
+                if (!betterAuthSession) {
+                    return handler(req, context, null);
+                }
+                // Validate client_slug (token confusion attack prevention)
+                // SECURITY: Fail closed - require configuration to be explicitly set
+                const expectedClientSlug = process.env.NEXT_PUBLIC_EXPECTED_CLIENT_SLUG;
+                if (!expectedClientSlug) {
+                    console.error('[AUTH_HANDLER] SECURITY MISCONFIGURATION: NEXT_PUBLIC_EXPECTED_CLIENT_SLUG not set');
+                    return server_1.NextResponse.json({
+                        error: 'Server configuration error',
+                        code: 'SECURITY_CONFIGURATION_MISSING'
+                    }, { status: 500 });
+                }
+                // Extract client_slug from token (normalize property name)
+                const tokenClientSlug = token.client_slug || token.clientSlug;
+                // SECURITY: Require client_slug claim in all tokens (no backward compat)
+                if (!tokenClientSlug) {
+                    console.warn('[AUTH_HANDLER] Token missing required client_slug claim');
+                    return server_1.NextResponse.json({
+                        error: 'Token missing required claim',
+                        code: 'TOKEN_MISSING_CLIENT_SLUG'
+                    }, { status: 401 });
+                }
+                // SECURITY: Case-insensitive comparison to avoid casing attacks
+                if (tokenClientSlug.toLowerCase() !== expectedClientSlug.toLowerCase()) {
+                    // Log without exposing sensitive details
+                    console.warn('[AUTH_HANDLER] Token client mismatch detected');
+                    return server_1.NextResponse.json({
+                        error: 'Token issued for different client',
+                        code: 'TOKEN_CLIENT_MISMATCH'
+                    }, { status: 401 });
+                }
+                // Build initial auth context
+                let authContext = {
+                    token,
+                    accessToken: token.accessToken || '',
+                    userId: betterAuthSession.user?.id || token.userId || '',
+                    sessionToken: betterAuthSession.session?.token || '',
+                    refreshToken: token.refreshToken,
+                };
+                // Check if token needs refresh
+                if (needsRefresh(authContext) && authContext.refreshToken) {
+                    const requestId = generateRequestId();
+                    console.info('[AUTH_HANDLER] Token near expiry, initiating coordinated refresh', {
+                        requestId,
+                        sessionToken: authContext.sessionToken.substring(0, 8) + '...'
+                    });
+                    const refreshResult = await performCoordinatedRefresh(authContext.sessionToken, requestId);
+                    if (refreshResult.success && refreshResult.accessToken) {
+                        // Update auth context with fresh token
+                        authContext.accessToken = refreshResult.accessToken;
+                        if (refreshResult.refreshToken) {
+                            authContext.refreshToken = refreshResult.refreshToken;
+                        }
+                        // Update token object for future checks
+                        authContext.token.accessToken = refreshResult.accessToken;
+                        if (refreshResult.expiresIn) {
+                            authContext.token.accessTokenExpires = Date.now() + (refreshResult.expiresIn * 1000);
+                        }
+                        console.info('[AUTH_HANDLER] Coordinated refresh successful', { requestId });
+                    }
+                    else {
+                        console.warn('[AUTH_HANDLER] Failed to refresh token:', refreshResult.error);
+                        // Continue with potentially expired token - handler may still succeed
+                    }
+                }
+                // Attach auth context to request for downstream use (following existing pattern)
+                // IMPORTANT: Set this ONCE before the retry loop to avoid overwriting with stale data
+                req.__authContext = {
+                    accessToken: authContext.accessToken,
+                    userId: authContext.userId,
+                    sessionToken: authContext.sessionToken,
+                };
+                // Call the actual handler
+                let response;
+                let retryCount = 0;
+                while (retryCount <= maxRetries) {
+                    try {
+                        response = await handler(req, context, authContext);
+                        // Check if we got a 401 and should retry
+                        if (response.status === 401 &&
+                            retryOn401 &&
+                            retryCount < maxRetries &&
+                            authContext.refreshToken) {
+                            const retryRequestId = generateRequestId();
+                            console.info('[AUTH_HANDLER] Got 401, attempting coordinated refresh and retry', { retryRequestId });
+                            const refreshResult = await performCoordinatedRefresh(authContext.sessionToken, retryRequestId);
+                            if (refreshResult.success && refreshResult.accessToken) {
+                                console.info('[AUTH_HANDLER] Refresh succeeded, updating tokens', { retryRequestId });
+                                // Update auth context with fresh token
+                                authContext.accessToken = refreshResult.accessToken;
+                                if (refreshResult.refreshToken) {
+                                    authContext.refreshToken = refreshResult.refreshToken;
+                                }
+                                // Update request context
+                                req.__authContext.accessToken = refreshResult.accessToken;
+                                console.info('[AUTH_HANDLER] Updated req.__authContext with new token, retrying request', { retryRequestId });
+                                retryCount++;
+                                continue; // Retry the request
+                            }
+                            else {
+                                console.warn('[AUTH_HANDLER] Refresh failed on 401 retry:', refreshResult.error);
+                                break; // Don't retry if refresh failed
+                            }
+                        }
+                        // Success or non-401 error - return response
+                        break;
+                    }
+                    catch (error) {
+                        // Handler threw an error
+                        console.error('[AUTH_HANDLER] Handler error:', error);
+                        return server_1.NextResponse.json({
+                            error: 'Internal server error',
+                            details: error instanceof Error ? error.message : 'Unknown error'
+                        }, { status: 500 });
+                    }
+                }
+                return response;
+            };
+        }
+    };
+}
+/**
+ * Default export for convenience
+ */
+exports.default = createAuthHandler;

package/dist/api/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @payez/next-mvp API Module Exports
+ *
+ * Provides enhanced API route handlers with automatic token management
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+export { createAuthHandler, type AuthContext, type AuthHandlerOptions, type HandlerFunction } from './auth-handler';
+export { default } from './auth-handler';

package/dist/api/index.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * @payez/next-mvp API Module Exports
+ *
+ * Provides enhanced API route handlers with automatic token management
+ *
+ * @version 2.0.0
+ * @since auth-ready-v2
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = exports.createAuthHandler = void 0;
+var auth_handler_1 = require("./auth-handler");
+Object.defineProperty(exports, "createAuthHandler", { enumerable: true, get: function () { return auth_handler_1.createAuthHandler; } });
+// Default export for convenience
+var auth_handler_2 = require("./auth-handler");
+Object.defineProperty(exports, "default", { enumerable: true, get: function () { return __importDefault(auth_handler_2).default; } });

package/dist/api-handlers/account/change-password.d.ts

@@ -0,0 +1,9 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    message: string;
+}> | NextResponse<{
+    success: boolean;
+    message: any;
+    request_id: string;
+}>>;

package/dist/api-handlers/account/change-password.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const session_store_1 = require("../../lib/session-store");
+const nanoid_1 = require("nanoid");
+// ...
+async function POST(req) {
+    const requestId = (0, nanoid_1.nanoid)();
+    try {
+        // Get session from Better Auth
+        const betterAuthSession = await (0, auth_1.getSession)(req);
+        const sessionToken = betterAuthSession?.session?.token;
+        if (!betterAuthSession || typeof sessionToken !== 'string') {
+            return server_1.NextResponse.json({ success: false, message: 'Unauthorized' }, { status: 401 });
+        }
+        const sessionData = await (0, session_store_1.getSession)(sessionToken);
+        // NOTE: Field is idpAccessToken (not accessToken) per normalized naming convention
+        if (!sessionData?.idpAccessToken) {
+            return server_1.NextResponse.json({
+                success: false,
+                message: 'Authentication required - no access token available',
+                error_code: 'UNAUTHORIZED',
+                request_id: requestId,
+            }, { status: 401 });
+        }
+        const body = await req.json();
+        const { current_password, new_password, confirm_password } = body;
+        // Validate input
+        if (!current_password || !new_password || !confirm_password) {
+            return server_1.NextResponse.json({
+                success: false,
+                message: 'Current password, new password, and confirmation are required',
+                error_code: 'VALIDATION_ERROR',
+                request_id: requestId,
+            }, { status: 400 });
+        }
+        if (new_password !== confirm_password) {
+            return server_1.NextResponse.json({
+                success: false,
+                message: 'New password and confirmation do not match',
+                error_code: 'VALIDATION_ERROR',
+                request_id: requestId,
+            }, { status: 400 });
+        }
+        // Get IDP base URL from environment
+        const idpBaseUrl = process.env.IDP_URL;
+        if (!idpBaseUrl) {
+            console.error('[CHANGE_PASSWORD] IDP_URL not configured');
+            return server_1.NextResponse.json({
+                success: false,
+                message: 'Service configuration error',
+                error_code: 'CONFIGURATION_ERROR',
+                request_id: requestId,
+            }, { status: 500 });
+        }
+        // Proxy request to IDP
+        const idpUrl = `${idpBaseUrl}/api/Account/change-password`;
+        const idpResponse = await fetch(idpUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${sessionData.idpAccessToken}`,
+                'x-request-id': requestId,
+            },
+            body: JSON.stringify({
+                current_password,
+                new_password,
+                confirm_password,
+            }),
+        });
+        const responseData = await idpResponse.json().catch(() => ({}));
+        if (!idpResponse.ok) {
+            // Extract error message from IDP response
+            let errorMessage = 'Failed to change password';
+            if (responseData.message) {
+                errorMessage = responseData.message;
+            }
+            else if (responseData.details?.value && Array.isArray(responseData.details.value) && responseData.details.value.length > 0) {
+                errorMessage = responseData.details.value[0].message || errorMessage;
+            }
+            else if (responseData.details?.message) {
+                errorMessage = responseData.details.message;
+            }
+            return server_1.NextResponse.json({
+                success: false,
+                message: errorMessage,
+                error_code: responseData.error_code || 'CHANGE_PASSWORD_FAILED',
+                request_id: requestId,
+                details: responseData.details,
+            }, { status: idpResponse.status });
+        }
+        return server_1.NextResponse.json({
+            success: true,
+            message: responseData.message || 'Password changed successfully',
+            request_id: requestId,
+        });
+    }
+    catch (error) {
+        console.error('[CHANGE_PASSWORD] Error:', error);
+        const requestId = req.headers.get('x-request-id') ?? crypto.randomUUID();
+        return server_1.NextResponse.json({
+            success: false,
+            message: error instanceof Error ? error.message : 'Failed to change password',
+            error_code: 'INTERNAL_ERROR',
+            request_id: requestId,
+        }, { status: 500 });
+    }
+}

package/dist/api-handlers/account/masked-info.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function POST(req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/account/masked-info.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = POST;
+const server_1 = require("next/server");
+const idp_fetch_1 = require("../../lib/idp-fetch");
+const env_1 = require("../../config/env");
+// IDP masked-info is POST and uses capital 'A' in /api/Account
+async function POST(req) {
+    const url = `${env_1.ENV_CONFIG.IDP_URL}/api/Account/masked-info`;
+    // Forward request body if present; IDP often accepts empty object
+    let body = '{}';
+    try {
+        const raw = await req.text();
+        if (raw && raw.trim().length > 0)
+            body = raw;
+    }
+    catch { }
+    const result = await (0, idp_fetch_1.idpFetchJSON)(req, url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body
+    });
+    if (!result.ok) {
+        return server_1.NextResponse.json({
+            success: false,
+            message: 'Upstream error',
+            error: { code: 'UPSTREAM_SERVICE_ERROR', status: result.status, details: result.json },
+            meta: { attemptedRefresh: result.attemptedRefresh },
+        }, { status: result.status });
+    }
+    const bodyJson = result.json;
+    // Unwrap if IDP returns envelope { success, data }
+    if (bodyJson && typeof bodyJson === 'object' && 'success' in bodyJson && 'data' in bodyJson) {
+        if (bodyJson.success === true) {
+            return server_1.NextResponse.json(bodyJson.data, { status: 200 });
+        }
+        return server_1.NextResponse.json(bodyJson, { status: 200 });
+    }
+    // Passthrough otherwise
+    return server_1.NextResponse.json(bodyJson ?? {}, { status: 200 });
+}

package/dist/api-handlers/account/profile.d.ts

@@ -0,0 +1,3 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function GET(req: NextRequest): Promise<NextResponse<any>>;
+export declare function PUT(req: NextRequest): Promise<NextResponse<any>>;