npm - @payez/next-mvp - Versions diffs - 4.0.10 → 4.0.11 - Mend

@payez/next-mvp 4.0.10 → 4.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/auth/better-auth.d.ts +7 -0
package/dist/auth/better-auth.js +74 -0
package/dist/lib/token-lifecycle.js +20 -21
package/dist/server/auth.d.ts +7 -0
package/package.json +1 -1
package/src/auth/better-auth.ts +81 -0
package/src/lib/token-lifecycle.ts +21 -21

package/dist/auth/better-auth.d.ts CHANGED Viewed

@@ -45,6 +45,13 @@ export declare function createBetterAuthInstance(idpConfig: IDPClientConfig): im
             refreshCache: false;
         };
     };
+    databaseHooks: {
+        session: {
+            create: {
+                after: (session: any) => Promise<void>;
+            };
+        };
+    };
     advanced: {
         cookiePrefix: string;
         cookies: {

package/dist/auth/better-auth.js CHANGED Viewed

@@ -100,6 +100,80 @@ function createBetterAuthInstance(idpConfig) {
                 refreshCache: false,
             },
         },
+        // After social login, exchange Google identity for IDP tokens and store in Redis
+        databaseHooks: {
+            session: {
+                create: {
+                    after: async (session) => {
+                        try {
+                            const userId = session.userId;
+                            const token = session.token;
+                            if (!userId || !token)
+                                return;
+                            // Look up user from Better Auth's memory/DB to get email
+                            // The user was just created/found by Better Auth during OAuth
+                            const baKey = `ba:${appSlug}:${token}`;
+                            const baRaw = await (0, redis_1.getRedis)().get(baKey).catch(() => null);
+                            const baData = baRaw ? JSON.parse(baRaw) : null;
+                            const email = baData?.user?.email;
+                            const name = baData?.user?.name;
+                            const image = baData?.user?.image;
+                            if (!email) {
+                                console.warn('[BETTER_AUTH] Session created but no email found for IDP token exchange');
+                                return;
+                            }
+                            // Call IDP oauth-callback to get IDP tokens
+                            const idpUrl = process.env.INTERNAL_IDP_URL || process.env.IDP_URL || '';
+                            if (!idpUrl) {
+                                console.warn('[BETTER_AUTH] No IDP URL configured, skipping token exchange');
+                                return;
+                            }
+                            const oauthRes = await fetch(`${idpUrl}/api/ExternalAuth/oauth-callback`, {
+                                method: 'POST',
+                                headers: { 'Content-Type': 'application/json' },
+                                body: JSON.stringify({
+                                    provider: 'google',
+                                    provider_account_id: userId,
+                                    email,
+                                    name,
+                                    image,
+                                    client_id: idpConfig.clientSlug || String(idpConfig.clientId),
+                                }),
+                            });
+                            if (!oauthRes.ok) {
+                                console.error('[BETTER_AUTH] IDP oauth-callback failed:', oauthRes.status, await oauthRes.text().catch(() => ''));
+                                return;
+                            }
+                            const idpData = await oauthRes.json();
+                            const result = idpData?.data?.result || idpData?.result || idpData;
+                            if (!result?.access_token) {
+                                console.warn('[BETTER_AUTH] IDP oauth-callback returned no access_token');
+                                return;
+                            }
+                            // Store IDP tokens in the BA Redis session
+                            if (baData) {
+                                baData.idpTokens = {
+                                    idpAccessToken: result.access_token,
+                                    idpRefreshToken: result.refresh_token,
+                                    idpAccessTokenExpires: result.expires_in
+                                        ? Date.now() + result.expires_in * 1000
+                                        : Date.now() + 15 * 60 * 1000,
+                                    userId: String(result.user?.id || result.id || userId),
+                                    email: result.user?.email || result.email || email,
+                                    name: result.user?.name || result.name || name,
+                                    roles: result.user?.roles || result.roles || [],
+                                };
+                                await (0, redis_1.getRedis)().setex(baKey, 7 * 24 * 60 * 60, JSON.stringify(baData));
+                                console.log('[BETTER_AUTH] IDP tokens stored in session for', email);
+                            }
+                        }
+                        catch (err) {
+                            console.error('[BETTER_AUTH] Post-login IDP exchange failed:', err instanceof Error ? err.message : String(err));
+                        }
+                    },
+                },
+            },
+        },
         // Cookie prefix must match slim-middleware expectations ({slug}.session-token)
         advanced: {
             cookiePrefix: appSlug,

package/dist/lib/token-lifecycle.js CHANGED Viewed

@@ -231,15 +231,16 @@ async function ensureFreshToken(request) {
                 const baRaw = await (0, redis_1.getRedis)().get(baKey);
                 if (baRaw) {
                     const baSession = JSON.parse(baRaw);
-                    // Map Better Auth session to SessionData
+                    const idpTokens = baSession.idpTokens;
                     sessionData = {
-                        userId: baSession.user?.id || betterAuthSession.user?.id || '',
-                        email: baSession.user?.email || betterAuthSession.user?.email || '',
-                        name: baSession.user?.name || betterAuthSession.user?.name,
-                        roles: [],
-                        idpAccessTokenExpires: baSession.session?.expiresAt
-                            ? new Date(baSession.session.expiresAt).getTime()
-                            : Date.now() + 24 * 60 * 60 * 1000,
+                        userId: idpTokens?.userId || baSession.user?.id || betterAuthSession.user?.id || '',
+                        email: idpTokens?.email || baSession.user?.email || betterAuthSession.user?.email || '',
+                        name: idpTokens?.name || baSession.user?.name || betterAuthSession.user?.name,
+                        roles: idpTokens?.roles || [],
+                        idpAccessToken: idpTokens?.idpAccessToken,
+                        idpRefreshToken: idpTokens?.idpRefreshToken,
+                        idpAccessTokenExpires: idpTokens?.idpAccessTokenExpires
+                            || (baSession.session?.expiresAt ? new Date(baSession.session.expiresAt).getTime() : Date.now() + 24 * 60 * 60 * 1000),
                         mfaVerified: true,
                         oauthProvider: 'google',
                     };
@@ -247,19 +248,17 @@ async function ensureFreshToken(request) {
             }
             catch { /* Redis unavailable */ }
         }
-        if (!sessionData) {
-            // Last resort: build from Better Auth in-memory session
-            if (betterAuthSession.user) {
-                sessionData = {
-                    userId: betterAuthSession.user.id || '',
-                    email: betterAuthSession.user.email || '',
-                    name: betterAuthSession.user.name,
-                    roles: [],
-                    idpAccessTokenExpires: Date.now() + 24 * 60 * 60 * 1000,
-                    mfaVerified: true,
-                    oauthProvider: 'google',
-                };
-            }
+        if (!sessionData && betterAuthSession.user) {
+            // Last resort: build from Better Auth in-memory session (no IDP tokens)
+            sessionData = {
+                userId: betterAuthSession.user.id || '',
+                email: betterAuthSession.user.email || '',
+                name: betterAuthSession.user.name,
+                roles: [],
+                idpAccessTokenExpires: Date.now() + 24 * 60 * 60 * 1000,
+                mfaVerified: true,
+                oauthProvider: 'google',
+            };
         }
         if (!sessionData) {
             return {

package/dist/server/auth.d.ts CHANGED Viewed

@@ -28,6 +28,13 @@ export declare function getAuthInstance(): Promise<import("better-auth/types").A
             refreshCache: false;
         };
     };
+    databaseHooks: {
+        session: {
+            create: {
+                after: (session: any) => Promise<void>;
+            };
+        };
+    };
     advanced: {
         cookiePrefix: string;
         cookies: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.10",
+  "version": "4.0.11",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/better-auth.ts CHANGED Viewed

@@ -109,6 +109,87 @@ export function createBetterAuthInstance(idpConfig: IDPClientConfig) {
       },
     },
+    // After social login, exchange Google identity for IDP tokens and store in Redis
+    databaseHooks: {
+      session: {
+        create: {
+          after: async (session: any) => {
+            try {
+              const userId = session.userId;
+              const token = session.token;
+              if (!userId || !token) return;
+              // Look up user from Better Auth's memory/DB to get email
+              // The user was just created/found by Better Auth during OAuth
+              const baKey = `ba:${appSlug}:${token}`;
+              const baRaw = await getRedis().get(baKey).catch(() => null);
+              const baData = baRaw ? JSON.parse(baRaw) : null;
+              const email = baData?.user?.email;
+              const name = baData?.user?.name;
+              const image = baData?.user?.image;
+              if (!email) {
+                console.warn('[BETTER_AUTH] Session created but no email found for IDP token exchange');
+                return;
+              }
+              // Call IDP oauth-callback to get IDP tokens
+              const idpUrl = process.env.INTERNAL_IDP_URL || process.env.IDP_URL || '';
+              if (!idpUrl) {
+                console.warn('[BETTER_AUTH] No IDP URL configured, skipping token exchange');
+                return;
+              }
+              const oauthRes = await fetch(`${idpUrl}/api/ExternalAuth/oauth-callback`, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                  provider: 'google',
+                  provider_account_id: userId,
+                  email,
+                  name,
+                  image,
+                  client_id: idpConfig.clientSlug || String(idpConfig.clientId),
+                }),
+              });
+              if (!oauthRes.ok) {
+                console.error('[BETTER_AUTH] IDP oauth-callback failed:', oauthRes.status, await oauthRes.text().catch(() => ''));
+                return;
+              }
+              const idpData = await oauthRes.json();
+              const result = idpData?.data?.result || idpData?.result || idpData;
+              if (!result?.access_token) {
+                console.warn('[BETTER_AUTH] IDP oauth-callback returned no access_token');
+                return;
+              }
+              // Store IDP tokens in the BA Redis session
+              if (baData) {
+                baData.idpTokens = {
+                  idpAccessToken: result.access_token,
+                  idpRefreshToken: result.refresh_token,
+                  idpAccessTokenExpires: result.expires_in
+                    ? Date.now() + result.expires_in * 1000
+                    : Date.now() + 15 * 60 * 1000,
+                  userId: String(result.user?.id || result.id || userId),
+                  email: result.user?.email || result.email || email,
+                  name: result.user?.name || result.name || name,
+                  roles: result.user?.roles || result.roles || [],
+                };
+                await getRedis().setex(baKey, 7 * 24 * 60 * 60, JSON.stringify(baData));
+                console.log('[BETTER_AUTH] IDP tokens stored in session for', email);
+              }
+            } catch (err) {
+              console.error('[BETTER_AUTH] Post-login IDP exchange failed:', err instanceof Error ? err.message : String(err));
+            }
+          },
+        },
+      },
+    },
     // Cookie prefix must match slim-middleware expectations ({slug}.session-token)
     advanced: {
       cookiePrefix: appSlug,

package/src/lib/token-lifecycle.ts CHANGED Viewed

@@ -294,15 +294,17 @@ export async function ensureFreshToken(
         const baRaw = await getRedis().get(baKey);
         if (baRaw) {
           const baSession = JSON.parse(baRaw);
-          // Map Better Auth session to SessionData
+          const idpTokens = baSession.idpTokens;
           sessionData = {
-            userId: baSession.user?.id || betterAuthSession.user?.id || '',
-            email: baSession.user?.email || betterAuthSession.user?.email || '',
-            name: baSession.user?.name || betterAuthSession.user?.name,
-            roles: [],
-            idpAccessTokenExpires: baSession.session?.expiresAt
-              ? new Date(baSession.session.expiresAt).getTime()
-              : Date.now() + 24 * 60 * 60 * 1000,
+            userId: idpTokens?.userId || baSession.user?.id || betterAuthSession.user?.id || '',
+            email: idpTokens?.email || baSession.user?.email || betterAuthSession.user?.email || '',
+            name: idpTokens?.name || baSession.user?.name || betterAuthSession.user?.name,
+            roles: idpTokens?.roles || [],
+            idpAccessToken: idpTokens?.idpAccessToken,
+            idpRefreshToken: idpTokens?.idpRefreshToken,
+            idpAccessTokenExpires: idpTokens?.idpAccessTokenExpires
+              || (baSession.session?.expiresAt ? new Date(baSession.session.expiresAt).getTime() : Date.now() + 24 * 60 * 60 * 1000),
             mfaVerified: true,
             oauthProvider: 'google',
           } as SessionData;
@@ -310,19 +312,17 @@ export async function ensureFreshToken(
       } catch { /* Redis unavailable */ }
     }
-    if (!sessionData) {
-      // Last resort: build from Better Auth in-memory session
-      if (betterAuthSession.user) {
-        sessionData = {
-          userId: betterAuthSession.user.id || '',
-          email: betterAuthSession.user.email || '',
-          name: betterAuthSession.user.name,
-          roles: [],
-          idpAccessTokenExpires: Date.now() + 24 * 60 * 60 * 1000,
-          mfaVerified: true,
-          oauthProvider: 'google',
-        } as SessionData;
-      }
+    if (!sessionData && betterAuthSession.user) {
+      // Last resort: build from Better Auth in-memory session (no IDP tokens)
+      sessionData = {
+        userId: betterAuthSession.user.id || '',
+        email: betterAuthSession.user.email || '',
+        name: betterAuthSession.user.name,
+        roles: [],
+        idpAccessTokenExpires: Date.now() + 24 * 60 * 60 * 1000,
+        mfaVerified: true,
+        oauthProvider: 'google',
+      } as SessionData;
     }
     if (!sessionData) {