@payez/next-mvp 4.0.19 → 4.0.21

package/dist/api-handlers/session/viability.js

@@ -45,7 +45,15 @@ async function GET(req) {
         }
         const sessionToken = betterAuthSession?.session?.token;
         if (betterAuthSession && sessionToken) {
-            const sessionData = await (0, session_store_1.getSession)(sessionToken);
+            // Try legacy session store first, then Better Auth format
+            let sessionData = await (0, session_store_1.getSession)(sessionToken);
+            if (!sessionData) {
+                // Better Auth stores sessions with ba:{appSlug}:{token} prefix
+                sessionData = await (0, session_store_1.getBetterAuthSession)(sessionToken);
+                if (sessionData) {
+                    console.log('[VIABILITY] Found session in Better Auth store');
+                }
+            }
             if (sessionData) {
                 // The session exists in Redis
                 // Check if access token is expired (for middleware decision-making)

package/dist/auth/better-auth.js

@@ -160,6 +160,7 @@ function createBetterAuthInstance(idpConfig) {
                             }
                             // Store IDP tokens in the BA Redis session
                             if (baData) {
+                                const requiresTwoFactor = result.user?.requiresTwoFactor ?? result.requiresTwoFactor ?? false;
                                 baData.idpTokens = {
                                     idpAccessToken: result.access_token,
                                     idpRefreshToken: result.refresh_token,
@@ -170,6 +171,7 @@ function createBetterAuthInstance(idpConfig) {
                                     email: result.user?.email || result.email || email,
                                     name: result.user?.full_name || result.user?.name || result.name || name,
                                     roles: result.user?.roles || result.roles || [],
+                                    mfaVerified: !requiresTwoFactor,
                                 };
                                 await (0, redis_1.getRedis)().setex(baKey, 7 * 24 * 60 * 60, JSON.stringify(baData));
                                 console.log('[BETTER_AUTH] IDP tokens stored in session for', email);

package/dist/lib/session-store.d.ts

@@ -34,6 +34,15 @@ export declare function createSession(data: SessionData): Promise<string>;
  * @returns The session data, or null if not found.
  */
 export declare function getSession(sessionToken: string): Promise<SessionData | null>;
+/**
+ * Retrieves a Better Auth session from Redis.
+ * Better Auth uses key format: ba:{appSlug}:{token}
+ *
+ * @param sessionToken The session token to look up.
+ * @param appSlug The app slug (defaults to 'idealvibe_online' or extracted from env).
+ * @returns The session data, or null if not found.
+ */
+export declare function getBetterAuthSession(sessionToken: string, appSlug?: string): Promise<SessionData | null>;
 /**
  * Refresh session TTL without reading/writing data (sliding window expiry).
  */

package/dist/lib/session-store.js

@@ -15,6 +15,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateSessionToken = generateSessionToken;
 exports.createSession = createSession;
 exports.getSession = getSession;
+exports.getBetterAuthSession = getBetterAuthSession;
 exports.touchSession = touchSession;
 exports.getSessionWithVersion = getSessionWithVersion;
 exports.isAccessTokenFresh = isAccessTokenFresh;
@@ -42,6 +43,8 @@ const token_utils_1 = require("../auth/utils/token-utils");
 const getSessionKey = (token) => `${(0, app_slug_1.getSessionPrefix)()}${token}`;
 const getRefreshLockKey = (token) => `${(0, app_slug_1.getRefreshLockPrefix)()}${token}`;
 const getSessionVersionKey = (token) => `${(0, app_slug_1.getSessionPrefix)()}ver:${token}`;
+// Better Auth uses a different key format: ba:{appSlug}:{token}
+const getBetterAuthSessionKey = (token, appSlug) => `ba:${appSlug || 'app'}:${token}`;
 const REFRESH_LOCK_TTL = 60; // 60 seconds
 const SESSION_TTL = 3 * 24 * 60 * 60; // 3 days in seconds (matches refresh token lifetime)
 /**
@@ -96,6 +99,47 @@ async function getSession(sessionToken) {
         return null;
     }
 }
+/**
+ * Retrieves a Better Auth session from Redis.
+ * Better Auth uses key format: ba:{appSlug}:{token}
+ *
+ * @param sessionToken The session token to look up.
+ * @param appSlug The app slug (defaults to 'idealvibe_online' or extracted from env).
+ * @returns The session data, or null if not found.
+ */
+async function getBetterAuthSession(sessionToken, appSlug) {
+    if (!sessionToken) {
+        return null;
+    }
+    // Try to get appSlug from env if not provided
+    const slug = appSlug || process.env.CLIENT_ID || 'idealvibe_online';
+    const key = getBetterAuthSessionKey(sessionToken, slug);
+    const json = await redis_1.default.get(key);
+    if (!json) {
+        return null;
+    }
+    try {
+        const data = JSON.parse(json);
+        // Better Auth stores the session differently - extract user data
+        if (data.user) {
+            return {
+                userId: data.user.id || data.user.email,
+                email: data.user.email,
+                name: data.user.name,
+                idpAccessToken: data.idpTokens?.idpAccessToken,
+                idpRefreshToken: data.idpTokens?.idpRefreshToken,
+                idpAccessTokenExpires: data.idpTokens?.idpAccessTokenExpires,
+                mfaVerified: data.idpTokens?.mfaVerified ?? false,
+                roles: data.idpTokens?.roles || [],
+            };
+        }
+        return data;
+    }
+    catch {
+        console.error('[SESSION-STORE] Failed to parse Better Auth session data');
+        return null;
+    }
+}
 /**
  * Refresh session TTL without reading/writing data (sliding window expiry).
  */
@@ -438,27 +482,27 @@ async function releaseRefreshLock(sessionToken, requestId, lockVersion) {
     const lockKey = getRefreshLockKey(sessionToken);
     try {
         // Lua script for atomic lock validation and release
-        const luaScript = `
-      local lockKey = KEYS[1]
-      local expectedRequestId = ARGV[1]
-      local expectedVersion = ARGV[2]
-
-      local lockData = redis.call('GET', lockKey)
-      if not lockData then
-        return 0  -- Lock doesn't exist
-      end
-
-      local lockInfo = cjson.decode(lockData)
-      if lockInfo.acquiredBy == expectedRequestId then
-        if not expectedVersion or expectedVersion == '' or tostring(lockInfo.lockVersion) == expectedVersion then
-          redis.call('DEL', lockKey)
-          return 1  -- Successfully released
-        else
-          return -2  -- Version mismatch
-        end
-      else
-        return -1  -- Wrong owner
-      end
+        const luaScript = `
+      local lockKey = KEYS[1]
+      local expectedRequestId = ARGV[1]
+      local expectedVersion = ARGV[2]
+
+      local lockData = redis.call('GET', lockKey)
+      if not lockData then
+        return 0  -- Lock doesn't exist
+      end
+
+      local lockInfo = cjson.decode(lockData)
+      if lockInfo.acquiredBy == expectedRequestId then
+        if not expectedVersion or expectedVersion == '' or tostring(lockInfo.lockVersion) == expectedVersion then
+          redis.call('DEL', lockKey)
+          return 1  -- Successfully released
+        else
+          return -2  -- Version mismatch
+        end
+      else
+        return -1  -- Wrong owner
+      end
     `;
         const result = await redis_1.default.eval(luaScript, 1, lockKey, requestId, lockVersion ? lockVersion.toString() : '');
         if (result === 1) {

package/dist/server/decode-session.js

@@ -53,18 +53,10 @@ const startup_init_1 = require("../lib/startup-init");
  */
 async function tryBetterAuthSession(requestCookies) {
     try {
-        const { getBetterAuthHandler } = await Promise.resolve().then(() => __importStar(require('../auth/better-auth')));
-        // getBetterAuthHandler initializes the instance; we need the raw instance
-        const { default: getBetterAuthInstanceFn } = await Promise.resolve().then(() => __importStar(require('../auth/better-auth'))).then(m => ({ default: m.getBetterAuthInstance || null }))
-            .catch(() => ({ default: null }));
-        // Access the cached instance via the module's internal getter
+        const { getBetterAuthInstance } = await Promise.resolve().then(() => __importStar(require('../auth/better-auth')));
         let auth = null;
         try {
-            // Force handler init which caches the instance, then use the API
-            await getBetterAuthHandler();
-            // The instance is cached in the module — re-import to access it
-            const mod = await Promise.resolve().then(() => __importStar(require('../auth/better-auth')));
-            auth = mod.__betterAuthInstance;
+            auth = await getBetterAuthInstance();
         }
         catch {
             return null;
@@ -122,7 +114,7 @@ async function tryBetterAuthSession(requestCookies) {
             idpRefreshToken: idpTokens?.idpRefreshToken,
             idpAccessTokenExpires: idpTokens?.idpAccessTokenExpires
                 || (result.session.expiresAt ? new Date(result.session.expiresAt).getTime() : Date.now() + 24 * 60 * 60 * 1000),
-            mfaVerified: true,
+            mfaVerified: idpTokens?.mfaVerified ?? false,
             oauthProvider: 'google',
         };
         // Backwards compat: session.user.email works alongside session.email

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.19",
+  "version": "4.0.21",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/api-handlers/session/viability.ts

@@ -1,129 +1,137 @@
-/**
- * Session Viability Check API Handler for `@payez/next-mvp`
- *
- * This API route is called by the middleware to securely check if a session is valid.
- */
-
-import { NextRequest, NextResponse } from 'next/server';
-import { getSession as getRedisSession } from '../../lib/session-store';
-import { getSession } from '../../server/auth';
-import { isInitializationFailed, ensureInitialized } from '../../lib/startup-init';
-import { getIDPClientConfig } from '../../lib/idp-client-config';
-
-export async function GET(req: NextRequest) {
-  try {
-    // Ensure initialization is complete
-    if (!process.env.NEXTAUTH_SECRET) {
-      try {
-        await ensureInitialized();
-      } catch (error) {
-        // Initialization failed - return 503
-        console.error('[API Viability] Initialization failed - returning 503');
-        return NextResponse.json(
-          {
-            error: 'Service Unavailable',
-            message: 'Authentication service is not properly configured',
-            code: 'AUTH_NOT_INITIALIZED'
-          },
-          { status: 503 }
-        );
-      }
-    }
-
-    // Double-check after initialization attempt
-    if (isInitializationFailed()) {
-      console.error('[API Viability] Initialization failed - returning 503');
-      return NextResponse.json(
-        {
-          error: 'Service Unavailable',
-          message: 'Authentication service is not properly configured',
-          code: 'AUTH_NOT_INITIALIZED'
-        },
-        { status: 503 }
-      );
-    }
-
-    // Get session from Better Auth
-    const betterAuthSession = await getSession(req);
-
-    // Debug logging
-    if (!betterAuthSession) {
-      console.warn('[VIABILITY] getSession returned null');
-    }
-
-    const sessionToken = betterAuthSession?.session?.token as string | undefined;
-    if (betterAuthSession && sessionToken) {
-      const sessionData = await getRedisSession(sessionToken);
-      if (sessionData) {
-        // The session exists in Redis
-
-        // Check if access token is expired (for middleware decision-making)
-        const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
-        const accessTokenExpired = accessTokenExpires < Date.now();
-
-        // Get requires2FA from cached client config (not session)
-        // This is a client-wide setting from the broker handshake
-        let requires2FA = true; // Default to true for security
-        try {
-          const cachedConfig = await getIDPClientConfig();
-          requires2FA = cachedConfig.authSettings?.require2FA ?? true;
-        } catch (e) {
-          console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
-        }
-
-        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
-        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
-        // has passed, we must treat 2FA as incomplete to force re-verification.
-        const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
-        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
-        // Check both field names for compatibility (mfaVerified is the normalized name)
-        const sessionMfaComplete = sessionData.mfaVerified ?? (sessionData as any).twoFactorComplete ?? false;
-        const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
-
-        console.log('[VIABILITY] Session 2FA check:', {
-          sessionToken: sessionToken.substring(0, 8) + '...',
-          mfaVerified: sessionData.mfaVerified,
-          twoFactorComplete: (sessionData as any).twoFactorComplete,
-          sessionMfaComplete,
-          mfaExpired,
-          effectiveTwoFactorComplete,
-        });
-
-        if (mfaExpired && sessionMfaComplete) {
-          console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
-            mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
-            now: new Date().toISOString(),
-            hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
-          });
-        }
-
-        const response = {
-          authenticated: true,
-          sessionToken, // Include token for middleware tracking
-          // 2FA fields - critical for middleware redirect logic
-          requires2FA, // From cached client config (client-wide setting)
-          twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
-          // Token status for refresh decisions
-          accessTokenExpired,
-          hasRefreshToken: !!sessionData.idpRefreshToken
-        };
-        return NextResponse.json(response);
-      }
-
-      // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
-      // Return sessionToken so middleware can detect this and clear the stale cookie
-      console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
-      return NextResponse.json({
-        authenticated: false,
-        sessionToken // Include token to enable stale cookie detection
-      });
-    }
-
-    // If there's no token at all, it's not authenticated
-    return NextResponse.json({ authenticated: false });
-
-  } catch (error) {
-    console.error('[API Viability] Error checking session viability:', error);
-    return NextResponse.json({ authenticated: false }, { status: 500 });
-  }
+/**
+ * Session Viability Check API Handler for `@payez/next-mvp`
+ *
+ * This API route is called by the middleware to securely check if a session is valid.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getSession as getRedisSession, getBetterAuthSession } from '../../lib/session-store';
+import { getSession } from '../../server/auth';
+import { isInitializationFailed, ensureInitialized } from '../../lib/startup-init';
+import { getIDPClientConfig } from '../../lib/idp-client-config';
+
+export async function GET(req: NextRequest) {
+  try {
+    // Ensure initialization is complete
+    if (!process.env.NEXTAUTH_SECRET) {
+      try {
+        await ensureInitialized();
+      } catch (error) {
+        // Initialization failed - return 503
+        console.error('[API Viability] Initialization failed - returning 503');
+        return NextResponse.json(
+          {
+            error: 'Service Unavailable',
+            message: 'Authentication service is not properly configured',
+            code: 'AUTH_NOT_INITIALIZED'
+          },
+          { status: 503 }
+        );
+      }
+    }
+
+    // Double-check after initialization attempt
+    if (isInitializationFailed()) {
+      console.error('[API Viability] Initialization failed - returning 503');
+      return NextResponse.json(
+        {
+          error: 'Service Unavailable',
+          message: 'Authentication service is not properly configured',
+          code: 'AUTH_NOT_INITIALIZED'
+        },
+        { status: 503 }
+      );
+    }
+
+    // Get session from Better Auth
+    const betterAuthSession = await getSession(req);
+
+    // Debug logging
+    if (!betterAuthSession) {
+      console.warn('[VIABILITY] getSession returned null');
+    }
+
+    const sessionToken = betterAuthSession?.session?.token as string | undefined;
+    if (betterAuthSession && sessionToken) {
+      // Try legacy session store first, then Better Auth format
+      let sessionData = await getRedisSession(sessionToken);
+      if (!sessionData) {
+        // Better Auth stores sessions with ba:{appSlug}:{token} prefix
+        sessionData = await getBetterAuthSession(sessionToken);
+        if (sessionData) {
+          console.log('[VIABILITY] Found session in Better Auth store');
+        }
+      }
+      if (sessionData) {
+        // The session exists in Redis
+
+        // Check if access token is expired (for middleware decision-making)
+        const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
+        const accessTokenExpired = accessTokenExpires < Date.now();
+
+        // Get requires2FA from cached client config (not session)
+        // This is a client-wide setting from the broker handshake
+        let requires2FA = true; // Default to true for security
+        try {
+          const cachedConfig = await getIDPClientConfig();
+          requires2FA = cachedConfig.authSettings?.require2FA ?? true;
+        } catch (e) {
+          console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
+        }
+
+        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
+        // has passed, we must treat 2FA as incomplete to force re-verification.
+        const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
+        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+        // Check both field names for compatibility (mfaVerified is the normalized name)
+        const sessionMfaComplete = sessionData.mfaVerified ?? (sessionData as any).twoFactorComplete ?? false;
+        const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
+
+        console.log('[VIABILITY] Session 2FA check:', {
+          sessionToken: sessionToken.substring(0, 8) + '...',
+          mfaVerified: sessionData.mfaVerified,
+          twoFactorComplete: (sessionData as any).twoFactorComplete,
+          sessionMfaComplete,
+          mfaExpired,
+          effectiveTwoFactorComplete,
+        });
+
+        if (mfaExpired && sessionMfaComplete) {
+          console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
+            mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
+            now: new Date().toISOString(),
+            hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
+          });
+        }
+
+        const response = {
+          authenticated: true,
+          sessionToken, // Include token for middleware tracking
+          // 2FA fields - critical for middleware redirect logic
+          requires2FA, // From cached client config (client-wide setting)
+          twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
+          // Token status for refresh decisions
+          accessTokenExpired,
+          hasRefreshToken: !!sessionData.idpRefreshToken
+        };
+        return NextResponse.json(response);
+      }
+
+      // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
+      // Return sessionToken so middleware can detect this and clear the stale cookie
+      console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
+      return NextResponse.json({
+        authenticated: false,
+        sessionToken // Include token to enable stale cookie detection
+      });
+    }
+
+    // If there's no token at all, it's not authenticated
+    return NextResponse.json({ authenticated: false });
+
+  } catch (error) {
+    console.error('[API Viability] Error checking session viability:', error);
+    return NextResponse.json({ authenticated: false }, { status: 500 });
+  }
 }

package/src/auth/better-auth.ts

@@ -172,6 +172,7 @@ export function createBetterAuthInstance(idpConfig: IDPClientConfig) {
 
               // Store IDP tokens in the BA Redis session
               if (baData) {
+                const requiresTwoFactor = result.user?.requiresTwoFactor ?? result.requiresTwoFactor ?? false;
                 baData.idpTokens = {
                   idpAccessToken: result.access_token,
                   idpRefreshToken: result.refresh_token,
@@ -182,6 +183,7 @@ export function createBetterAuthInstance(idpConfig: IDPClientConfig) {
                   email: result.user?.email || result.email || email,
                   name: result.user?.full_name || result.user?.name || result.name || name,
                   roles: result.user?.roles || result.roles || [],
+                  mfaVerified: !requiresTwoFactor,
                 };
                 await getRedis().setex(baKey, 7 * 24 * 60 * 60, JSON.stringify(baData));
                 console.log('[BETTER_AUTH] IDP tokens stored in session for', email);