npm - @payez/next-mvp - Versions diffs - 4.0.34 → 4.0.36 - Mend

@payez/next-mvp 4.0.34 → 4.0.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/api/auth-handler.js +3 -0
package/dist/lib/api-handler.js +3 -1
package/dist/lib/nextauth-secret.d.ts +10 -0
package/dist/lib/nextauth-secret.js +100 -0
package/package.json +6 -1
package/src/api/auth-handler.ts +2 -0
package/src/lib/api-handler.ts +3 -1
package/src/lib/nextauth-secret.ts +121 -0

package/dist/api/auth-handler.js CHANGED Viewed

@@ -235,6 +235,9 @@ function createAuthHandler(options = {}) {
     function needsRefresh(auth) {
         if (!autoRefresh)
             return false;
+        // No refresh token = nothing to refresh with, skip entirely
+        if (!auth.refreshToken)
+            return false;
         // Check if we have token expiry information
         const token = auth.token;
         const expiresAt = token.accessTokenExpires || token.exp;

package/dist/lib/api-handler.js CHANGED Viewed

@@ -184,9 +184,11 @@ class ApiHandler {
             }
             catch { /* ignore */ }
             // Check if token needs refresh
+            // Skip entirely if there's no refresh token — nothing to refresh with
             const thresholdMs = 5 * 60 * 1000;
             const expires = sessionData.idpAccessTokenExpires || 0;
-            const needsRefresh = !accessToken || (expires - Date.now()) <= thresholdMs;
+            const hasRefreshToken = !!sessionData.idpRefreshToken;
+            const needsRefresh = hasRefreshToken && (!accessToken || (expires - Date.now()) <= thresholdMs);
             if (needsRefresh) {
                 const refreshResult = await this.handleCoordinatedRefresh(req, token, sessionData, ctx);
                 if (refreshResult.blocked) {

package/dist/lib/nextauth-secret.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import 'server-only';
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+export declare function resolveNextAuthSecret(): Promise<string>;

package/dist/lib/nextauth-secret.js ADDED Viewed

@@ -0,0 +1,100 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveNextAuthSecret = resolveNextAuthSecret;
+require("server-only");
+const secret_validation_1 = require("./secret-validation");
+const crypto_1 = require("crypto");
+let cachedSecret = null;
+let lastFetchedAt = 0;
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+async function resolveNextAuthSecret() {
+    // Check if already in environment
+    if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+        // Silent - already configured
+        return process.env.NEXTAUTH_SECRET;
+    }
+    // Check if cached and fresh (within 5 minutes)
+    if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
+        return cachedSecret;
+    }
+    // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
+    const base = process.env.IDP_URL;
+    if (!base)
+        throw new Error('IDP_URL environment variable is required');
+    const clientIdStr = process.env.CLIENT_ID;
+    if (!clientIdStr || clientIdStr.trim() === '')
+        throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
+    // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
+    const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
+    const signingPayload = {
+        issuer: clientIdStr,
+        subject: clientIdStr,
+        audience: 'urn:payez:externalauth:nextauthsecret',
+        expires_in: 60,
+    };
+    const signingResp = await fetch(signingUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify(signingPayload),
+        cache: 'no-store'
+    });
+    if (!signingResp.ok) {
+        const txt = await signingResp.text().catch(() => 'Unknown error');
+        throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
+    }
+    const signingBody = await signingResp.json().catch(() => ({}));
+    const client_assertion = (signingBody?.data?.client_assertion ??
+        signingBody?.data?.clientAssertion ??
+        signingBody?.client_assertion ??
+        signingBody?.clientAssertion ??
+        signingBody?.data?.ClientAssertion ??
+        signingBody?.ClientAssertion);
+    if (!client_assertion || typeof client_assertion !== 'string') {
+        throw new Error('IDP did not return a valid signed client assertion');
+    }
+    // Step 2: Use the signed assertion to fetch the NextAuth secret
+    const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
+    const proxyResp = await fetch(proxyUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify({ client_assertion }),
+        cache: 'no-store'
+    });
+    if (!proxyResp.ok) {
+        const txt = await proxyResp.text().catch(() => 'Unknown error');
+        throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
+    }
+    const proxyBody = await proxyResp.json().catch(() => ({}));
+    const secret = (proxyBody?.data?.secret ?? proxyBody?.secret);
+    const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration);
+    // Configuration is available but we don't log it verbosely
+    if (!secret || typeof secret !== 'string') {
+        throw new Error('Proxy did not return a valid NextAuth secret');
+    }
+    const validation = (0, secret_validation_1.validateNextAuthSecret)(secret);
+    if (!validation.valid) {
+        throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+    }
+    cachedSecret = secret;
+    lastFetchedAt = Date.now();
+    process.env.NEXTAUTH_SECRET = secret;
+    console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+    return secret;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.34",
+  "version": "4.0.36",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -107,6 +107,11 @@
       "require": "./dist/lib/auth.js",
       "default": "./dist/lib/auth.js"
     },
+    "./lib/nextauth-secret": {
+      "types": "./dist/lib/nextauth-secret.d.ts",
+      "require": "./dist/lib/nextauth-secret.js",
+      "default": "./dist/lib/nextauth-secret.js"
+    },
     "./lib/session-store": {
       "types": "./dist/lib/session-store.d.ts",
       "require": "./dist/lib/session-store.js",

package/src/api/auth-handler.ts CHANGED Viewed

@@ -337,6 +337,8 @@ export function createAuthHandler(options: AuthHandlerOptions = {}) {
    */
   function needsRefresh(auth: AuthContext): boolean {
     if (!autoRefresh) return false;
+    // No refresh token = nothing to refresh with, skip entirely
+    if (!auth.refreshToken) return false;
     // Check if we have token expiry information
     const token = auth.token as any;

package/src/lib/api-handler.ts CHANGED Viewed

@@ -279,9 +279,11 @@ export class ApiHandler {
       } catch { /* ignore */ }
       // Check if token needs refresh
+      // Skip entirely if there's no refresh token — nothing to refresh with
       const thresholdMs = 5 * 60 * 1000;
       const expires = sessionData.idpAccessTokenExpires || 0;
-      const needsRefresh = !accessToken || (expires - Date.now()) <= thresholdMs;
+      const hasRefreshToken = !!sessionData.idpRefreshToken;
+      const needsRefresh = hasRefreshToken && (!accessToken || (expires - Date.now()) <= thresholdMs);
       if (needsRefresh) {
         const refreshResult = await this.handleCoordinatedRefresh(req, token, sessionData, ctx);

package/src/lib/nextauth-secret.ts ADDED Viewed

@@ -0,0 +1,121 @@
+import 'server-only';
+import { validateNextAuthSecret } from './secret-validation';
+import { randomUUID } from 'crypto';
+let cachedSecret: string | null = null;
+let lastFetchedAt = 0;
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+export async function resolveNextAuthSecret(): Promise<string> {
+  // Check if already in environment
+  if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+    // Silent - already configured
+    return process.env.NEXTAUTH_SECRET;
+  }
+  // Check if cached and fresh (within 5 minutes)
+  if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
+    return cachedSecret;
+  }
+  // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
+  const base = process.env.IDP_URL;
+  if (!base) throw new Error('IDP_URL environment variable is required');
+  const clientIdStr = process.env.CLIENT_ID;
+  if (!clientIdStr || clientIdStr.trim() === '') throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
+  // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
+  const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
+  const signingPayload = {
+    issuer: clientIdStr,
+    subject: clientIdStr,
+    audience: 'urn:payez:externalauth:nextauthsecret',
+    expires_in: 60,
+  };
+  const signingResp = await fetch(signingUrl.toString(), {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+      'X-Client-Id': clientIdStr,
+      'X-Correlation-Id': randomUUID().replace(/-/g, ''),
+    },
+    body: JSON.stringify(signingPayload),
+    cache: 'no-store'
+  } as RequestInit);
+  if (!signingResp.ok) {
+    const txt = await signingResp.text().catch(() => 'Unknown error');
+    throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
+  }
+  const signingBody: any = await signingResp.json().catch(() => ({}));
+  const client_assertion = (
+    signingBody?.data?.client_assertion ??
+    signingBody?.data?.clientAssertion ??
+    signingBody?.client_assertion ??
+    signingBody?.clientAssertion ??
+    signingBody?.data?.ClientAssertion ??
+    signingBody?.ClientAssertion
+  ) as string | undefined;
+  if (!client_assertion || typeof client_assertion !== 'string') {
+    throw new Error('IDP did not return a valid signed client assertion');
+  }
+  // Step 2: Use the signed assertion to fetch the NextAuth secret
+  const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
+  const proxyResp = await fetch(proxyUrl.toString(), {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+      'X-Client-Id': clientIdStr,
+      'X-Correlation-Id': randomUUID().replace(/-/g, ''),
+    },
+    body: JSON.stringify({ client_assertion }),
+    cache: 'no-store'
+  } as RequestInit);
+  if (!proxyResp.ok) {
+    const txt = await proxyResp.text().catch(() => 'Unknown error');
+    throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
+  }
+  const proxyBody: any = await proxyResp.json().catch(() => ({}));
+  const secret = (proxyBody?.data?.secret ?? proxyBody?.secret) as string | undefined;
+  const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration) as any | undefined;
+  // Configuration is available but we don't log it verbosely
+  if (!secret || typeof secret !== 'string') {
+    throw new Error('Proxy did not return a valid NextAuth secret');
+  }
+  const validation = validateNextAuthSecret(secret);
+  if (!validation.valid) {
+    throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+  }
+  cachedSecret = secret;
+  lastFetchedAt = Date.now();
+  process.env.NEXTAUTH_SECRET = secret;
+  console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+  return secret;
+}