@payez/next-mvp 4.0.35 → 4.0.36

package/dist/lib/nextauth-secret.d.ts

@@ -0,0 +1,10 @@
+import 'server-only';
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+export declare function resolveNextAuthSecret(): Promise<string>;

package/dist/lib/nextauth-secret.js

@@ -0,0 +1,100 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveNextAuthSecret = resolveNextAuthSecret;
+require("server-only");
+const secret_validation_1 = require("./secret-validation");
+const crypto_1 = require("crypto");
+let cachedSecret = null;
+let lastFetchedAt = 0;
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+async function resolveNextAuthSecret() {
+    // Check if already in environment
+    if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+        // Silent - already configured
+        return process.env.NEXTAUTH_SECRET;
+    }
+    // Check if cached and fresh (within 5 minutes)
+    if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
+        return cachedSecret;
+    }
+    // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
+    const base = process.env.IDP_URL;
+    if (!base)
+        throw new Error('IDP_URL environment variable is required');
+    const clientIdStr = process.env.CLIENT_ID;
+    if (!clientIdStr || clientIdStr.trim() === '')
+        throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
+    // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
+    const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
+    const signingPayload = {
+        issuer: clientIdStr,
+        subject: clientIdStr,
+        audience: 'urn:payez:externalauth:nextauthsecret',
+        expires_in: 60,
+    };
+    const signingResp = await fetch(signingUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify(signingPayload),
+        cache: 'no-store'
+    });
+    if (!signingResp.ok) {
+        const txt = await signingResp.text().catch(() => 'Unknown error');
+        throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
+    }
+    const signingBody = await signingResp.json().catch(() => ({}));
+    const client_assertion = (signingBody?.data?.client_assertion ??
+        signingBody?.data?.clientAssertion ??
+        signingBody?.client_assertion ??
+        signingBody?.clientAssertion ??
+        signingBody?.data?.ClientAssertion ??
+        signingBody?.ClientAssertion);
+    if (!client_assertion || typeof client_assertion !== 'string') {
+        throw new Error('IDP did not return a valid signed client assertion');
+    }
+    // Step 2: Use the signed assertion to fetch the NextAuth secret
+    const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
+    const proxyResp = await fetch(proxyUrl.toString(), {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+            'X-Client-Id': clientIdStr,
+            'X-Correlation-Id': (0, crypto_1.randomUUID)().replace(/-/g, ''),
+        },
+        body: JSON.stringify({ client_assertion }),
+        cache: 'no-store'
+    });
+    if (!proxyResp.ok) {
+        const txt = await proxyResp.text().catch(() => 'Unknown error');
+        throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
+    }
+    const proxyBody = await proxyResp.json().catch(() => ({}));
+    const secret = (proxyBody?.data?.secret ?? proxyBody?.secret);
+    const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration);
+    // Configuration is available but we don't log it verbosely
+    if (!secret || typeof secret !== 'string') {
+        throw new Error('Proxy did not return a valid NextAuth secret');
+    }
+    const validation = (0, secret_validation_1.validateNextAuthSecret)(secret);
+    if (!validation.valid) {
+        throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+    }
+    cachedSecret = secret;
+    lastFetchedAt = Date.now();
+    process.env.NEXTAUTH_SECRET = secret;
+    console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+    return secret;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.35",
+  "version": "4.0.36",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -107,6 +107,11 @@
       "require": "./dist/lib/auth.js",
       "default": "./dist/lib/auth.js"
     },
+    "./lib/nextauth-secret": {
+      "types": "./dist/lib/nextauth-secret.d.ts",
+      "require": "./dist/lib/nextauth-secret.js",
+      "default": "./dist/lib/nextauth-secret.js"
+    },
     "./lib/session-store": {
       "types": "./dist/lib/session-store.d.ts",
       "require": "./dist/lib/session-store.js",

package/src/lib/nextauth-secret.ts

@@ -0,0 +1,121 @@
+import 'server-only';
+import { validateNextAuthSecret } from './secret-validation';
+import { randomUUID } from 'crypto';
+
+let cachedSecret: string | null = null;
+let lastFetchedAt = 0;
+
+/**
+ * Resolve the NextAuth secret (server-only).
+ *
+ * Priority:
+ * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
+ * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
+ * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
+ */
+export async function resolveNextAuthSecret(): Promise<string> {
+  // Check if already in environment
+  if (process.env.NEXTAUTH_SECRET && process.env.NEXTAUTH_SECRET.trim() !== '') {
+    // Silent - already configured
+    return process.env.NEXTAUTH_SECRET;
+  }
+
+  // Check if cached and fresh (within 5 minutes)
+  if (cachedSecret && Date.now() - lastFetchedAt < 5 * 60 * 1000) {
+    return cachedSecret;
+  }
+
+  // Broker mode: fetch from IDP (IDP handles all Key Vault/signing)
+  const base = process.env.IDP_URL;
+  if (!base) throw new Error('IDP_URL environment variable is required');
+
+  const clientIdStr = process.env.CLIENT_ID;
+  if (!clientIdStr || clientIdStr.trim() === '') throw new Error('CLIENT_ID is required (e.g., "ideal_resume_website")');
+
+  // Step 1: Request IDP to sign a client assertion (IDP has the keys, not us)
+
+  const signingUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/sign-client-assertion`);
+
+  const signingPayload = {
+    issuer: clientIdStr,
+    subject: clientIdStr,
+    audience: 'urn:payez:externalauth:nextauthsecret',
+    expires_in: 60,
+  };
+
+  const signingResp = await fetch(signingUrl.toString(), {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+      'X-Client-Id': clientIdStr,
+      'X-Correlation-Id': randomUUID().replace(/-/g, ''),
+    },
+    body: JSON.stringify(signingPayload),
+    cache: 'no-store'
+  } as RequestInit);
+
+  if (!signingResp.ok) {
+    const txt = await signingResp.text().catch(() => 'Unknown error');
+    throw new Error(`Failed to sign client assertion: ${signingResp.status} ${signingResp.statusText} - ${txt}`);
+  }
+
+  const signingBody: any = await signingResp.json().catch(() => ({}));
+  const client_assertion = (
+    signingBody?.data?.client_assertion ??
+    signingBody?.data?.clientAssertion ??
+    signingBody?.client_assertion ??
+    signingBody?.clientAssertion ??
+    signingBody?.data?.ClientAssertion ??
+    signingBody?.ClientAssertion
+  ) as string | undefined;
+
+  if (!client_assertion || typeof client_assertion !== 'string') {
+    throw new Error('IDP did not return a valid signed client assertion');
+  }
+
+  // Step 2: Use the signed assertion to fetch the NextAuth secret
+
+  const proxyUrl = new URL(`${base.replace(/\/$/, '')}/api/ExternalAuth/next-auth/secret`);
+
+  const proxyResp = await fetch(proxyUrl.toString(), {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+      'X-Client-Id': clientIdStr,
+      'X-Correlation-Id': randomUUID().replace(/-/g, ''),
+    },
+    body: JSON.stringify({ client_assertion }),
+    cache: 'no-store'
+  } as RequestInit);
+
+  if (!proxyResp.ok) {
+    const txt = await proxyResp.text().catch(() => 'Unknown error');
+    throw new Error(`Proxy error: ${proxyResp.status} ${proxyResp.statusText} - ${txt}`);
+  }
+
+  const proxyBody: any = await proxyResp.json().catch(() => ({}));
+
+  const secret = (proxyBody?.data?.secret ?? proxyBody?.secret) as string | undefined;
+  const configuration = (proxyBody?.data?.configuration ?? proxyBody?.configuration) as any | undefined;
+
+  // Configuration is available but we don't log it verbosely
+
+  if (!secret || typeof secret !== 'string') {
+    throw new Error('Proxy did not return a valid NextAuth secret');
+  }
+
+  const validation = validateNextAuthSecret(secret);
+  if (!validation.valid) {
+    throw new Error(`Fetched NextAuth secret failed validation: ${validation.reason}`);
+  }
+
+  cachedSecret = secret;
+  lastFetchedAt = Date.now();
+  process.env.NEXTAUTH_SECRET = secret;
+
+  console.log('[NEXTAUTH-SECRET] Resolved from IDP (length:', secret.length + ')');
+
+  return secret;
+}