@payez/next-mvp 4.0.1 → 4.0.3

package/dist/api-handlers/admin/vibe-data.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * Admin Vibe Data API Handler
+ *
+ * Provides admin-level access to Vibe data using service account credentials.
+ * Bypasses user-level filtering to allow admins to view all records.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createGetCollectionsHandler = createGetCollectionsHandler;
+exports.createGetTablesHandler = createGetTablesHandler;
+exports.createGetTableDataHandler = createGetTableDataHandler;
+exports.createGetRecordHandler = createGetRecordHandler;
+exports.createUpdateRecordHandler = createUpdateRecordHandler;
+exports.createDeleteRecordHandler = createDeleteRecordHandler;
+exports.createQueryHandler = createQueryHandler;
+const server_1 = require("next/server");
+const auth_1 = require("../../server/auth");
+const startup_init_1 = require("../../lib/startup-init");
+const roles_1 = require("../../lib/roles");
+/**
+ * Check if the current user has admin role
+ */
+async function checkAdminRole(request) {
+    const session = await (0, auth_1.getSession)(request);
+    if (!session?.user) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: { code: 'UNAUTHORIZED', message: 'Please sign in' } }, { status: 401 }),
+        };
+    }
+    const userRoles = session.user?.roles || [];
+    const hasAdminRole = roles_1.ADMIN_ROLES.some(role => userRoles.includes(role));
+    if (!hasAdminRole) {
+        return {
+            isAdmin: false,
+            error: server_1.NextResponse.json({ success: false, error: { code: 'FORBIDDEN', message: 'Admin access required' } }, { status: 403 }),
+        };
+    }
+    return { isAdmin: true };
+}
+/**
+ * Make a service account request to Vibe (admin mode - no user filtering)
+ */
+async function vibeServiceRequest(endpoint, options) {
+    const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+    const clientId = process.env.VIBE_CLIENT_ID;
+    const signingKey = process.env.VIBE_HMAC_KEY;
+    if (!idpUrl || !clientId || !signingKey) {
+        console.error('[Admin Vibe] Missing config:', { idpUrl: !!idpUrl, clientId: !!clientId, signingKey: !!signingKey });
+        return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
+    }
+    const timestamp = Math.floor(Date.now() / 1000);
+    const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
+    // Generate HMAC signature
+    const crypto = await Promise.resolve().then(() => __importStar(require('crypto')));
+    const signature = crypto
+        .createHmac('sha256', Buffer.from(signingKey, 'base64'))
+        .update(stringToSign)
+        .digest('base64');
+    const proxyUrl = `${idpUrl}/api/vibe/proxy`;
+    // Get the client slug from startup config for multi-client admin support
+    const idpConfig = (0, startup_init_1.getStartupIDPConfig)();
+    const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
+    try {
+        const res = await fetch(proxyUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Vibe-Client-Id': clientId,
+                'X-Vibe-Timestamp': String(timestamp),
+                'X-Vibe-Signature': signature,
+                // For multi-client admins: specify which client context to use
+                ...(idpClientId && { 'X-Client-Id': idpClientId }),
+            },
+            body: JSON.stringify({
+                endpoint,
+                method: options.method,
+                data: options.body ?? null,
+            }),
+            cache: 'no-store',
+        });
+        if (res.status === 204) {
+            return { ok: true, status: 204, data: null };
+        }
+        if (!res.ok) {
+            const errorText = await res.text();
+            console.error(`[Admin Vibe] Request failed: ${options.method} ${endpoint} - ${res.status}`, errorText);
+            return { ok: false, status: res.status, data: null, error: errorText };
+        }
+        const body = await res.json();
+        return { ok: true, status: res.status, data: body };
+    }
+    catch (error) {
+        console.error(`[Admin Vibe] Request exception: ${options.method} ${endpoint}`, error);
+        return { ok: false, status: 0, data: null, error: String(error) };
+    }
+}
+/**
+ * GET /api/admin/vibe/collections
+ * List all Vibe collections
+ */
+function createGetCollectionsHandler(config) {
+    return async function GET(request) {
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const result = await vibeServiceRequest('/v1/collections', { method: 'GET' });
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'FETCH_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}
+/**
+ * GET /api/admin/vibe/collections/[collection]/tables
+ * List tables in a collection
+ */
+function createGetTablesHandler(config) {
+    return async function GET(request, { params }) {
+        const { collection } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const result = await vibeServiceRequest(`/v1/collections/${collection}/tables`, { method: 'GET' });
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'FETCH_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}
+/**
+ * GET /api/admin/vibe/data/[collection]/[table]
+ * Fetch all records from a table (admin - no user filtering)
+ */
+function createGetTableDataHandler(config) {
+    return async function GET(request, { params }) {
+        const { collection, table } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const searchParams = request.nextUrl.searchParams.toString();
+        const queryString = searchParams ? `?${searchParams}` : '';
+        const endpoint = `/v1/collections/${collection}/tables/${table}${queryString}`;
+        const result = await vibeServiceRequest(endpoint, { method: 'GET' });
+        if (result.status === 204) {
+            return server_1.NextResponse.json({ data: [], meta: { total: 0, limit: 50, offset: 0 } });
+        }
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'FETCH_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}
+/**
+ * GET /api/admin/vibe/data/[collection]/[table]/[id]
+ * Fetch single record (admin access)
+ */
+function createGetRecordHandler(config) {
+    return async function GET(request, { params }) {
+        const { collection, table, id } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const endpoint = `/v1/collections/${collection}/tables/${table}/${id}`;
+        const result = await vibeServiceRequest(endpoint, { method: 'GET' });
+        if (!result.ok) {
+            const status = result.status === 404 ? 404 : result.status || 500;
+            return server_1.NextResponse.json({ success: false, error: { code: result.status === 404 ? 'NOT_FOUND' : 'FETCH_ERROR', message: result.error } }, { status });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}
+/**
+ * PUT /api/admin/vibe/data/[collection]/[table]/[id]
+ * Update record (admin access)
+ */
+function createUpdateRecordHandler(config) {
+    return async function PUT(request, { params }) {
+        const { collection, table, id } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const body = await request.json();
+        const endpoint = `/v1/collections/${collection}/tables/${table}/${id}`;
+        const result = await vibeServiceRequest(endpoint, { method: 'PUT', body });
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'UPDATE_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}
+/**
+ * DELETE /api/admin/vibe/data/[collection]/[table]/[id]
+ * Delete record (admin access)
+ */
+function createDeleteRecordHandler(config) {
+    return async function DELETE(request, { params }) {
+        const { collection, table, id } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const endpoint = `/v1/collections/${collection}/tables/${table}/${id}`;
+        const result = await vibeServiceRequest(endpoint, { method: 'DELETE' });
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'DELETE_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return new server_1.NextResponse(null, { status: 204 });
+    };
+}
+/**
+ * POST /api/admin/vibe/data/[collection]/[table]/query
+ * Query records with filters (admin access)
+ */
+function createQueryHandler(config) {
+    return async function POST(request, { params }) {
+        const { collection, table } = await params;
+        const adminCheck = await checkAdminRole(request);
+        if (adminCheck.error)
+            return adminCheck.error;
+        const body = await request.json();
+        const endpoint = `/v1/collections/${collection}/tables/${table}/query`;
+        const result = await vibeServiceRequest(endpoint, { method: 'POST', body });
+        if (result.status === 204) {
+            return server_1.NextResponse.json({ data: [], meta: { total: 0, page: 1, pageSize: 20 } });
+        }
+        if (!result.ok) {
+            return server_1.NextResponse.json({ success: false, error: { code: 'QUERY_ERROR', message: result.error } }, { status: result.status || 500 });
+        }
+        return server_1.NextResponse.json(result.data);
+    };
+}

package/dist/api-handlers/anon/preferences.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Anonymous Session Preferences API Handler
+ *
+ * GET /api/anon/preferences - Get current preferences
+ * POST /api/anon/preferences - Update preferences
+ *
+ * Sets a cookie to track anonymous visitors and stores preferences in Redis.
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { AnonSessionPreferences } from '../../lib/anon-session';
+/**
+ * GET handler - retrieves anonymous session preferences
+ */
+export declare function GET(request: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    data: {
+        id: string;
+        preferences: AnonSessionPreferences;
+        metrics: import("../../lib/anon-session").AnonSessionMetrics;
+    };
+}> | NextResponse<{
+    success: boolean;
+    error: string;
+}>>;
+/**
+ * POST handler - updates anonymous session preferences
+ */
+export declare function POST(request: NextRequest): Promise<NextResponse<{
+    success: boolean;
+    error: string;
+}> | NextResponse<{
+    success: boolean;
+    data: {
+        id: string;
+        preferences: AnonSessionPreferences;
+    };
+}>>;

package/dist/api-handlers/anon/preferences.js

@@ -0,0 +1,96 @@
+"use strict";
+/**
+ * Anonymous Session Preferences API Handler
+ *
+ * GET /api/anon/preferences - Get current preferences
+ * POST /api/anon/preferences - Update preferences
+ *
+ * Sets a cookie to track anonymous visitors and stores preferences in Redis.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+exports.POST = POST;
+const server_1 = require("next/server");
+const headers_1 = require("next/headers");
+const anon_session_1 = require("../../lib/anon-session");
+const COOKIE_MAX_AGE = 90 * 24 * 60 * 60; // 90 days in seconds
+/**
+ * GET handler - retrieves anonymous session preferences
+ */
+async function GET(request) {
+    try {
+        const cookieStore = await (0, headers_1.cookies)();
+        let anonId = cookieStore.get(anon_session_1.ANON_COOKIE_NAME)?.value;
+        // Get or create session
+        const session = await (0, anon_session_1.getOrCreateAnonSession)(anonId);
+        // Build response
+        const response = server_1.NextResponse.json({
+            success: true,
+            data: {
+                id: session.id,
+                preferences: session.preferences,
+                metrics: session.metrics,
+            },
+        });
+        // Set cookie if it's a new session
+        if (!anonId || anonId !== session.id) {
+            response.cookies.set(anon_session_1.ANON_COOKIE_NAME, session.id, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === 'production',
+                sameSite: 'lax',
+                maxAge: COOKIE_MAX_AGE,
+                path: '/',
+            });
+        }
+        return response;
+    }
+    catch (error) {
+        console.error('[ANON-PREFERENCES] GET error:', error);
+        return server_1.NextResponse.json({ success: false, error: 'Failed to get preferences' }, { status: 500 });
+    }
+}
+/**
+ * POST handler - updates anonymous session preferences
+ */
+async function POST(request) {
+    try {
+        const cookieStore = await (0, headers_1.cookies)();
+        let anonId = cookieStore.get(anon_session_1.ANON_COOKIE_NAME)?.value;
+        // Get or create session first
+        const session = await (0, anon_session_1.getOrCreateAnonSession)(anonId);
+        anonId = session.id;
+        // Parse body for preferences to update
+        const body = await request.json();
+        const preferences = body.preferences || body;
+        // Validate preferences
+        if (typeof preferences !== 'object') {
+            return server_1.NextResponse.json({ success: false, error: 'Invalid preferences format' }, { status: 400 });
+        }
+        // Update preferences
+        const updatedSession = await (0, anon_session_1.updateAnonPreferences)(anonId, preferences);
+        if (!updatedSession) {
+            return server_1.NextResponse.json({ success: false, error: 'Session not found' }, { status: 404 });
+        }
+        // Build response
+        const response = server_1.NextResponse.json({
+            success: true,
+            data: {
+                id: updatedSession.id,
+                preferences: updatedSession.preferences,
+            },
+        });
+        // Ensure cookie is set
+        response.cookies.set(anon_session_1.ANON_COOKIE_NAME, anonId, {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === 'production',
+            sameSite: 'lax',
+            maxAge: COOKIE_MAX_AGE,
+            path: '/',
+        });
+        return response;
+    }
+    catch (error) {
+        console.error('[ANON-PREFERENCES] POST error:', error);
+        return server_1.NextResponse.json({ success: false, error: 'Failed to update preferences' }, { status: 500 });
+    }
+}

package/dist/api-handlers/auth/jwks.d.ts

@@ -0,0 +1,2 @@
+import { NextRequest, NextResponse } from 'next/server';
+export declare function GET(_req: NextRequest): Promise<NextResponse<any>>;

package/dist/api-handlers/auth/jwks.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GET = GET;
+const server_1 = require("next/server");
+const env_1 = require("../../config/env");
+const logger_1 = require("../../config/logger");
+async function GET(_req) {
+    try {
+        const url = `${env_1.ENV_CONFIG.IDP_URL}${env_1.API_ENDPOINTS.externalAuth.jwks}`;
+        const res = await fetch(url, { headers: { 'Accept': 'application/json' } });
+        const bodyText = await res.text();
+        try {
+            const json = JSON.parse(bodyText);
+            return server_1.NextResponse.json(json, { status: res.status });
+        }
+        catch (e) {
+            logger_1.logger.error('[AUTH_JWKS] Upstream returned non-JSON', { status: res.status, bodyText: bodyText?.slice(0, 200) });
+            return server_1.NextResponse.json({ error: 'Invalid JWKS response' }, { status: 502 });
+        }
+    }
+    catch (error) {
+        return server_1.NextResponse.json({ error: 'Failed to fetch JWKS' }, { status: 502 });
+    }
+}

package/dist/api-handlers/auth/login.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Authentication Login API Handler
+ *
+ * Handles user authentication against the external IDP service.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+import { NextRequest, NextResponse } from 'next/server';
+interface LoginConfig {
+    idpBaseUrl: string;
+    clientId: string;
+    loginEndpoint?: string;
+    clientType?: string;
+}
+/**
+ * Creates a login handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/login/route.ts
+ * import { createLoginHandler } from '@payez/next-mvp/api-handlers/auth/login';
+ *
+ * export const POST = createLoginHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   loginEndpoint: '/api/ExternalAuth/login'
+ * });
+ * ```
+ */
+export declare function createLoginHandler(config: LoginConfig): (req: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID
+ */
+export declare const POST: (req: NextRequest) => Promise<NextResponse<unknown>>;
+export {};

package/dist/api-handlers/auth/login.js

@@ -0,0 +1,178 @@
+"use strict";
+/**
+ * Authentication Login API Handler
+ *
+ * Handles user authentication against the external IDP service.
+ * This handler is designed to be imported and used by Next.js applications
+ * using the @payez/next-mvp package.
+ *
+ * @version 2.0
+ * @requires No authentication (public endpoint)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.POST = void 0;
+exports.createLoginHandler = createLoginHandler;
+const server_1 = require("next/server");
+// Add protection headers to all responses
+function addSecurityHeaders(response) {
+    // Content Security Policy - restrictive for auth endpoints
+    response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';");
+    // Prevent clickjacking
+    response.headers.set('X-Frame-Options', 'DENY');
+    // Prevent MIME type sniffing
+    response.headers.set('X-Content-Type-Options', 'nosniff');
+    // Enable XSS protection
+    response.headers.set('X-XSS-Protection', '1; mode=block');
+    // Strict transport security for HTTPS
+    response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+    // Referrer policy
+    response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    // Permissions policy
+    response.headers.set('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()');
+    // Cache control for sensitive auth endpoints
+    response.headers.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    response.headers.set('Pragma', 'no-cache');
+    response.headers.set('Expires', '0');
+    return response;
+}
+/**
+ * Creates a login handler for Next.js API routes
+ *
+ * @param config Configuration for IDP connection
+ * @returns Next.js POST handler function
+ *
+ * @example
+ * ```typescript
+ * // In your app's /app/api/auth/login/route.ts
+ * import { createLoginHandler } from '@payez/next-mvp/api-handlers/auth/login';
+ *
+ * export const POST = createLoginHandler({
+ *   idpBaseUrl: process.env.IDP_URL!,
+ *   clientId: process.env.CLIENT_ID!,
+ *   loginEndpoint: '/api/ExternalAuth/login'
+ * });
+ * ```
+ */
+function createLoginHandler(config) {
+    const { idpBaseUrl, clientId, loginEndpoint = '/api/ExternalAuth/login', clientType = 'partner' } = config;
+    return async function POST(req) {
+        let body;
+        try {
+            body = await req.json();
+        }
+        catch (parseError) {
+            return server_1.NextResponse.json({ error: 'Invalid JSON format' }, { status: 400 });
+        }
+        const { username_or_email, password, client_type, two_factor_code, two_factor_recovery_code } = body;
+        // Validate required fields
+        if (!username_or_email || typeof username_or_email !== 'string' || username_or_email.trim() === '') {
+            return server_1.NextResponse.json({ error: 'username_or_email is required' }, { status: 400 });
+        }
+        if (!password || typeof password !== 'string' || password.trim() === '') {
+            return server_1.NextResponse.json({ error: 'Password is required' }, { status: 400 });
+        }
+        const idpUrl = `${idpBaseUrl}${loginEndpoint}`;
+        const payload = {
+            username_or_email,
+            password,
+            client_id: clientId,
+            client_type: client_type || clientType // Use provided client_type or config default
+        };
+        // Add optional 2FA fields if provided
+        if (two_factor_code) {
+            payload.two_factor_code = two_factor_code;
+        }
+        if (two_factor_recovery_code) {
+            payload.two_factor_recovery_code = two_factor_recovery_code;
+        }
+        // Extract client headers for forwarding to IDP
+        const clientHeaders = {};
+        // Forward client IP if available
+        const clientIp = req.headers.get('x-forwarded-for') || req.headers.get('x-real-ip');
+        if (clientIp) {
+            clientHeaders['X-Forwarded-For'] = clientIp.split(',')[0].trim();
+        }
+        // Forward user agent if available
+        const userAgent = req.headers.get('user-agent');
+        if (userAgent) {
+            clientHeaders['User-Agent'] = userAgent;
+        }
+        const headers = {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            'Cookie': 'X-Device-Id=payez-PayEz-6c8201c35c1b44c9b2e823b36b95a718',
+            ...clientHeaders
+        };
+        try {
+            const backendResponse = await fetch(idpUrl, {
+                method: 'POST',
+                headers,
+                body: JSON.stringify(payload),
+            });
+            const rawText = await backendResponse.text();
+            let data;
+            try {
+                data = JSON.parse(rawText);
+            }
+            catch (jsonError) {
+                console.error('[LOGIN] IDP returned non-JSON response', {
+                    response: rawText,
+                    status: backendResponse.status
+                });
+                return server_1.NextResponse.json({ error: 'Invalid response from authentication service' }, { status: 502 });
+            }
+            if (!backendResponse.ok) {
+                // Handle rate limiting specifically
+                if (backendResponse.status === 429) {
+                    const retryAfter = backendResponse.headers.get('retry-after');
+                    const retryAfterSeconds = retryAfter ? parseInt(retryAfter) : 60;
+                    return addSecurityHeaders(server_1.NextResponse.json({
+                        success: false,
+                        error: 'RATE_LIMIT_EXCEEDED',
+                        message: 'Too many login attempts. Please try again later.',
+                        retryAfter: retryAfterSeconds
+                    }, { status: 429 }));
+                }
+                // Pass through error from IDP
+                console.error('[LOGIN] IDP service error', {
+                    status: backendResponse.status,
+                    error: data
+                });
+                return addSecurityHeaders(server_1.NextResponse.json(data, { status: backendResponse.status }));
+            }
+            if (!data.success) {
+                // IDP returned a canonical error envelope with HTTP 200
+                console.error('[LOGIN] IDP authentication failure', { error: data });
+                return addSecurityHeaders(server_1.NextResponse.json(data, { status: 200 }));
+            }
+            // Normalize response shape for NextAuth authorize()
+            const normalized = {
+                success: data?.success === true,
+                result: (data?.data && data?.data?.result) ? data.data.result : (data?.result ?? data),
+                // Preserve original payload for debugging/compatibility
+                original: data
+            };
+            return addSecurityHeaders(server_1.NextResponse.json(normalized));
+        }
+        catch (error) {
+            // Handle network and other errors
+            console.error('[LOGIN] FETCH FAILED:', {
+                error: error instanceof Error ? error.message : String(error),
+                idpUrl
+            });
+            if (error instanceof Error && error.message.includes('fetch')) {
+                return server_1.NextResponse.json({ error: 'Unable to connect to authentication service' }, { status: 503 });
+            }
+            return server_1.NextResponse.json({ error: 'An unexpected error occurred during login' }, { status: 500 });
+        }
+    };
+}
+/**
+ * Default export for backward compatibility
+ * Requires environment variables: IDP_URL, CLIENT_ID
+ */
+exports.POST = createLoginHandler({
+    idpBaseUrl: process.env.IDP_URL,
+    clientId: process.env.CLIENT_ID || 'payez_default_client',
+    loginEndpoint: '/api/ExternalAuth/login'
+});