npm - @payez/next-mvp - Versions diffs - 4.0.20 → 4.0.22 - Mend

@payez/next-mvp 4.0.20 → 4.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/api-handlers/session/viability.js +9 -1
package/dist/auth/better-auth.js +1 -1
package/dist/client/AuthContext.d.ts +1 -2
package/dist/client/AuthContext.js +2 -2
package/dist/client/better-auth-client.d.ts +8 -0
package/dist/client/better-auth-client.js +15 -0
package/dist/components/account/MobileNavDrawer.js +1 -1
package/dist/hooks/useAvailableProviders.d.ts +4 -5
package/dist/hooks/useAvailableProviders.js +7 -8
package/dist/hooks/usePublicAuthSettings.d.ts +4 -4
package/dist/hooks/usePublicAuthSettings.js +6 -6
package/dist/lib/idp-client-config.d.ts +4 -0
package/dist/lib/idp-client-config.js +14 -0
package/dist/lib/session-store.d.ts +9 -0
package/dist/lib/session-store.js +65 -21
package/dist/lib/startup-init.js +21 -19
package/dist/routes/auth/settings.d.ts +1 -1
package/dist/routes/auth/settings.js +2 -2
package/dist/server/auth.js +1 -1
package/package.json +1 -1
package/src/api-handlers/session/viability.ts +136 -128
package/src/auth/better-auth.ts +271 -271
package/src/client/AuthContext.tsx +3 -4
package/src/client/better-auth-client.ts +14 -0
package/src/components/account/MobileNavDrawer.tsx +2 -2
package/src/hooks/useAvailableProviders.ts +5 -7
package/src/hooks/usePublicAuthSettings.ts +6 -6
package/src/lib/idp-client-config.ts +539 -526
package/src/lib/session-store.ts +689 -645
package/src/lib/startup-init.ts +246 -243
package/src/routes/auth/settings.ts +3 -3
package/src/server/auth.ts +81 -81

package/src/api-handlers/session/viability.ts CHANGED Viewed

@@ -1,129 +1,137 @@
-/**
- * Session Viability Check API Handler for `@payez/next-mvp`
- *
- * This API route is called by the middleware to securely check if a session is valid.
- */
-import { NextRequest, NextResponse } from 'next/server';
-import { getSession as getRedisSession } from '../../lib/session-store';
-import { getSession } from '../../server/auth';
-import { isInitializationFailed, ensureInitialized } from '../../lib/startup-init';
-import { getIDPClientConfig } from '../../lib/idp-client-config';
-export async function GET(req: NextRequest) {
-  try {
-    // Ensure initialization is complete
-    if (!process.env.NEXTAUTH_SECRET) {
-      try {
-        await ensureInitialized();
-      } catch (error) {
-        // Initialization failed - return 503
-        console.error('[API Viability] Initialization failed - returning 503');
-        return NextResponse.json(
-          {
-            error: 'Service Unavailable',
-            message: 'Authentication service is not properly configured',
-            code: 'AUTH_NOT_INITIALIZED'
-          },
-          { status: 503 }
-        );
-      }
-    }
-    // Double-check after initialization attempt
-    if (isInitializationFailed()) {
-      console.error('[API Viability] Initialization failed - returning 503');
-      return NextResponse.json(
-        {
-          error: 'Service Unavailable',
-          message: 'Authentication service is not properly configured',
-          code: 'AUTH_NOT_INITIALIZED'
-        },
-        { status: 503 }
-      );
-    }
-    // Get session from Better Auth
-    const betterAuthSession = await getSession(req);
-    // Debug logging
-    if (!betterAuthSession) {
-      console.warn('[VIABILITY] getSession returned null');
-    }
-    const sessionToken = betterAuthSession?.session?.token as string | undefined;
-    if (betterAuthSession && sessionToken) {
-      const sessionData = await getRedisSession(sessionToken);
-      if (sessionData) {
-        // The session exists in Redis
-        // Check if access token is expired (for middleware decision-making)
-        const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
-        const accessTokenExpired = accessTokenExpires < Date.now();
-        // Get requires2FA from cached client config (not session)
-        // This is a client-wide setting from the broker handshake
-        let requires2FA = true; // Default to true for security
-        try {
-          const cachedConfig = await getIDPClientConfig();
-          requires2FA = cachedConfig.authSettings?.require2FA ?? true;
-        } catch (e) {
-          console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
-        }
-        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
-        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
-        // has passed, we must treat 2FA as incomplete to force re-verification.
-        const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
-        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
-        // Check both field names for compatibility (mfaVerified is the normalized name)
-        const sessionMfaComplete = sessionData.mfaVerified ?? (sessionData as any).twoFactorComplete ?? false;
-        const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
-        console.log('[VIABILITY] Session 2FA check:', {
-          sessionToken: sessionToken.substring(0, 8) + '...',
-          mfaVerified: sessionData.mfaVerified,
-          twoFactorComplete: (sessionData as any).twoFactorComplete,
-          sessionMfaComplete,
-          mfaExpired,
-          effectiveTwoFactorComplete,
-        });
-        if (mfaExpired && sessionMfaComplete) {
-          console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
-            mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
-            now: new Date().toISOString(),
-            hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
-          });
-        }
-        const response = {
-          authenticated: true,
-          sessionToken, // Include token for middleware tracking
-          // 2FA fields - critical for middleware redirect logic
-          requires2FA, // From cached client config (client-wide setting)
-          twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
-          // Token status for refresh decisions
-          accessTokenExpired,
-          hasRefreshToken: !!sessionData.idpRefreshToken
-        };
-        return NextResponse.json(response);
-      }
-      // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
-      // Return sessionToken so middleware can detect this and clear the stale cookie
-      console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
-      return NextResponse.json({
-        authenticated: false,
-        sessionToken // Include token to enable stale cookie detection
-      });
-    }
-    // If there's no token at all, it's not authenticated
-    return NextResponse.json({ authenticated: false });
-  } catch (error) {
-    console.error('[API Viability] Error checking session viability:', error);
-    return NextResponse.json({ authenticated: false }, { status: 500 });
-  }
+/**
+ * Session Viability Check API Handler for `@payez/next-mvp`
+ *
+ * This API route is called by the middleware to securely check if a session is valid.
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getSession as getRedisSession, getBetterAuthSession } from '../../lib/session-store';
+import { getSession } from '../../server/auth';
+import { isInitializationFailed, ensureInitialized } from '../../lib/startup-init';
+import { getIDPClientConfig } from '../../lib/idp-client-config';
+export async function GET(req: NextRequest) {
+  try {
+    // Ensure initialization is complete
+    if (!process.env.NEXTAUTH_SECRET) {
+      try {
+        await ensureInitialized();
+      } catch (error) {
+        // Initialization failed - return 503
+        console.error('[API Viability] Initialization failed - returning 503');
+        return NextResponse.json(
+          {
+            error: 'Service Unavailable',
+            message: 'Authentication service is not properly configured',
+            code: 'AUTH_NOT_INITIALIZED'
+          },
+          { status: 503 }
+        );
+      }
+    }
+    // Double-check after initialization attempt
+    if (isInitializationFailed()) {
+      console.error('[API Viability] Initialization failed - returning 503');
+      return NextResponse.json(
+        {
+          error: 'Service Unavailable',
+          message: 'Authentication service is not properly configured',
+          code: 'AUTH_NOT_INITIALIZED'
+        },
+        { status: 503 }
+      );
+    }
+    // Get session from Better Auth
+    const betterAuthSession = await getSession(req);
+    // Debug logging
+    if (!betterAuthSession) {
+      console.warn('[VIABILITY] getSession returned null');
+    }
+    const sessionToken = betterAuthSession?.session?.token as string | undefined;
+    if (betterAuthSession && sessionToken) {
+      // Try legacy session store first, then Better Auth format
+      let sessionData = await getRedisSession(sessionToken);
+      if (!sessionData) {
+        // Better Auth stores sessions with ba:{appSlug}:{token} prefix
+        sessionData = await getBetterAuthSession(sessionToken);
+        if (sessionData) {
+          console.log('[VIABILITY] Found session in Better Auth store');
+        }
+      }
+      if (sessionData) {
+        // The session exists in Redis
+        // Check if access token is expired (for middleware decision-making)
+        const accessTokenExpires = sessionData.idpAccessTokenExpires || 0;
+        const accessTokenExpired = accessTokenExpires < Date.now();
+        // Get requires2FA from cached client config (not session)
+        // This is a client-wide setting from the broker handshake
+        let requires2FA = true; // Default to true for security
+        try {
+          const cachedConfig = await getIDPClientConfig();
+          requires2FA = cachedConfig.authSettings?.require2FA ?? true;
+        } catch (e) {
+          console.warn('[API Viability] Could not get client config, defaulting requires2FA to true');
+        }
+        // CRITICAL: Check if MFA has expired (2FA TTL enforcement)
+        // The session may have mfaVerified=true from days ago, but if mfaExpiresAt
+        // has passed, we must treat 2FA as incomplete to force re-verification.
+        const mfaExpiresAt = sessionData.mfaExpiresAt || 0;
+        const mfaExpired = mfaExpiresAt > 0 && mfaExpiresAt < Date.now();
+        // Check both field names for compatibility (mfaVerified is the normalized name)
+        const sessionMfaComplete = sessionData.mfaVerified ?? (sessionData as any).twoFactorComplete ?? false;
+        const effectiveTwoFactorComplete = sessionMfaComplete && !mfaExpired;
+        console.log('[VIABILITY] Session 2FA check:', {
+          sessionToken: sessionToken.substring(0, 8) + '...',
+          mfaVerified: sessionData.mfaVerified,
+          twoFactorComplete: (sessionData as any).twoFactorComplete,
+          sessionMfaComplete,
+          mfaExpired,
+          effectiveTwoFactorComplete,
+        });
+        if (mfaExpired && sessionMfaComplete) {
+          console.warn('[API Viability] MFA expired - forcing 2FA re-verification', {
+            mfaExpiresAt: new Date(mfaExpiresAt).toISOString(),
+            now: new Date().toISOString(),
+            hoursExpiredAgo: ((Date.now() - mfaExpiresAt) / (1000 * 60 * 60)).toFixed(1)
+          });
+        }
+        const response = {
+          authenticated: true,
+          sessionToken, // Include token for middleware tracking
+          // 2FA fields - critical for middleware redirect logic
+          requires2FA, // From cached client config (client-wide setting)
+          twoFactorComplete: effectiveTwoFactorComplete, // From session, BUT respects MFA TTL
+          // Token status for refresh decisions
+          accessTokenExpired,
+          hasRefreshToken: !!sessionData.idpRefreshToken
+        };
+        return NextResponse.json(response);
+      }
+      // CRITICAL: Cookie exists but Redis session is missing (stale cookie state)
+      // Return sessionToken so middleware can detect this and clear the stale cookie
+      console.warn('[VIABILITY] Stale cookie detected - session not in Redis');
+      return NextResponse.json({
+        authenticated: false,
+        sessionToken // Include token to enable stale cookie detection
+      });
+    }
+    // If there's no token at all, it's not authenticated
+    return NextResponse.json({ authenticated: false });
+  } catch (error) {
+    console.error('[API Viability] Error checking session viability:', error);
+    return NextResponse.json({ authenticated: false }, { status: 500 });
+  }
 }