@payez/next-mvp 4.0.46 → 4.0.47

package/src/lib/startup-init.ts

@@ -4,8 +4,8 @@
  * This module ensures that critical initialization tasks are completed
  * before the application serves requests.
  *
- * Now uses unified IDP client config for:
- * - NEXTAUTH_SECRET
+ * Uses unified IDP client config for:
+ * - BETTER_AUTH_SECRET (the Better Auth signing secret)
  * - OAuth provider configuration
  * - Auth settings (2FA, session timeouts, etc.)
  */
@@ -75,7 +75,7 @@ export function logStartupStatus(): void {
     console.log('║            🚀 PayEz Next MVP - Starting Up                    ║');
     console.log('║                                                              ║');
     console.log('║  Async initialization in progress...                         ║');
-    console.log('║  - Resolving NEXTAUTH_SECRET from IDP                       ║');
+    console.log('║  - Resolving BETTER_AUTH_SECRET from IDP                     ║');
     console.log('║  - Verifying environment configuration                       ║');
     console.log('║                                                              ║');
     console.log('║  Check logs below for detailed initialization status:        ║');
@@ -117,16 +117,21 @@ async function performInitialization(): Promise<void> {
       console.log('[STARTUP] Client config loaded successfully');
       console.log('[STARTUP]    - Client ID:', config.clientId);
       console.log('[STARTUP]    - Client Slug:', config.clientSlug);
-      console.log('[STARTUP]    - Secret length:', config.nextAuthSecret?.length || 0, 'chars');
+      console.log('[STARTUP]    - Secret length:', config.authSecret?.length || 0, 'chars');
       console.log('[STARTUP]    - OAuth Providers:', config.oauthProviders?.filter(p => p.enabled).map(p => p.provider).join(', ') || 'none');
       console.log('[STARTUP]    - Require 2FA:', config.authSettings?.require2FA);
       console.log('[STARTUP]    - Cache TTL:', config.configCacheTtlSeconds, 'seconds');
       console.log('[STARTUP]    - Base Client URL:', config.baseClientUrl || '(not set)');
 
-      // Set NEXTAUTH_SECRET from IDP response if not already set
-      if (config.nextAuthSecret && !process.env.NEXTAUTH_SECRET) {
-        process.env.NEXTAUTH_SECRET = config.nextAuthSecret;
-        console.log('[STARTUP] Set NEXTAUTH_SECRET from IDP config');
+      // Set BETTER_AUTH_SECRET from IDP response if not already set.
+      // Also mirror to legacy NEXTAUTH_SECRET during the rename transition
+      // so any consumer code still reading the old name keeps working.
+      if (config.authSecret && !process.env.BETTER_AUTH_SECRET) {
+        process.env.BETTER_AUTH_SECRET = config.authSecret;
+        console.log('[STARTUP] Set BETTER_AUTH_SECRET from IDP config');
+      }
+      if (config.authSecret && !process.env.NEXTAUTH_SECRET) {
+        process.env.NEXTAUTH_SECRET = config.authSecret;
       }
     } catch (error) {
       const errorMsg = error instanceof Error ? error.message : String(error);
@@ -136,16 +141,16 @@ async function performInitialization(): Promise<void> {
       console.error('[STARTUP] No fallback available for auth secret resolution');
     }
 
-    // Step 2: Verify NEXTAUTH_SECRET is available - FAIL FAST if not
-    console.log('[STARTUP] Step 2/2: Verifying NEXTAUTH_SECRET...');
+    // Step 2: Verify BETTER_AUTH_SECRET is available - FAIL FAST if not
+    console.log('[STARTUP] Step 2/2: Verifying BETTER_AUTH_SECRET...');
 
-    const secret = process.env.NEXTAUTH_SECRET;
+    const secret = process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET;
     if (!secret || secret.trim() === '') {
       console.error('');
       console.error('╔══════════════════════════════════════════════════════════════╗');
-      console.error('║   ❌ FATAL: NEXTAUTH_SECRET NOT AVAILABLE                     ║');
+      console.error('║   ❌ FATAL: BETTER_AUTH_SECRET NOT AVAILABLE                  ║');
       console.error('║                                                              ║');
-      console.error('║   The app cannot start without a valid NEXTAUTH_SECRET.      ║');
+      console.error('║   The app cannot start without a valid auth signing secret.  ║');
       console.error('║   This should be fetched from IDP at startup.                ║');
       console.error('║                                                              ║');
       console.error('║   Possible causes:                                           ║');
@@ -155,10 +160,10 @@ async function performInitialization(): Promise<void> {
       console.error('║   • Network connectivity issue                               ║');
       console.error('╚══════════════════════════════════════════════════════════════╝');
       console.error('');
-      throw new Error('FATAL: NEXTAUTH_SECRET not available - cannot start without valid secret from IDP');
+      throw new Error('FATAL: BETTER_AUTH_SECRET not available - cannot start without valid secret from IDP');
     }
 
-    console.log('[STARTUP] NEXTAUTH_SECRET verified (' + secret.length + ' chars)');
+    console.log('[STARTUP] BETTER_AUTH_SECRET verified (' + secret.length + ' chars)');
 
     // Step 3: Validate cookie name consistency
     // This catches bugs where getJwtCookieName() returns a different name than
@@ -192,9 +197,9 @@ async function performInitialization(): Promise<void> {
 
     console.error(`
 ╔══════════════════════════════════════════════════════════════╗
-║   ❌ FATAL: NEXTAUTH_SECRET NOT AVAILABLE                     ║
+║   ❌ FATAL: BETTER_AUTH_SECRET NOT AVAILABLE                  ║
 ║                                                              ║
-║   The app cannot start without a valid NEXTAUTH_SECRET.      ║
+║   The app cannot start without a valid auth signing secret.  ║
 ║   This should be fetched from IDP at startup.                ║
 ║                                                              ║
 ${connectionLine}║   Possible causes:                                           ║
@@ -225,7 +230,7 @@ export function getStartupIDPConfig(): IDPClientConfig | null {
 }
 
 /**
- * Check if initialization failed (NEXTAUTH_SECRET couldn't be retrieved)
+ * Check if initialization failed (auth signing secret couldn't be retrieved)
  */
 export function isInitializationFailed(): boolean {
   return initializationFailed;

package/src/lib/test-aware-get-token.ts

@@ -6,11 +6,11 @@ import { getSessionCookieName } from './app-slug';
 export async function getTokenTestAware(req: NextRequest): Promise<any> {
   if (process.env.TEST_MODE === 'true') {
     try {
-      let secret = process.env.NEXTAUTH_SECRET;
+      let secret = process.env.BETTER_AUTH_SECRET || process.env.NEXTAUTH_SECRET;
       if (!secret || secret.trim() === '') {
         const { getIDPClientConfig } = await import('./idp-client-config');
         const idpConfig = await getIDPClientConfig();
-        secret = idpConfig.nextAuthSecret as string;
+        secret = idpConfig.authSecret;
       }
       // Use app-slug prefixed cookie name
       const cookieName = getSessionCookieName();
@@ -37,54 +37,5 @@ export async function getTokenTestAware(req: NextRequest): Promise<any> {
     };
   }
 
-  // Fallback for legacy NextAuth-based sites: try next-auth/jwt with the
-  // app-slug-prefixed cookie name. Uses runtime require so consumers without
-  // next-auth installed are unaffected.
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-eval
-    const dynamicRequire = eval('require') as NodeRequire;
-    let nextAuthJwt: any = null;
-    try {
-      nextAuthJwt = dynamicRequire('next-auth/jwt');
-    } catch {
-      return null; // next-auth not installed → BA-only consumer
-    }
-    if (!nextAuthJwt?.getToken) return null;
-
-    const { resolveNextAuthSecret } = await import('./nextauth-secret');
-    const secret = await resolveNextAuthSecret();
-    if (!secret) return null;
-
-    const cookieName = getSessionCookieName();
-    let nextAuthToken = await nextAuthJwt.getToken({
-      req,
-      secret,
-      cookieName,
-      secureCookie: false,
-    });
-    if (nextAuthToken) {
-      logger.debug('[GET_TOKEN] Resolved via NextAuth JWT (cookieName=' + cookieName + ')');
-      return nextAuthToken;
-    }
-
-    // Try secure cookie variant for production
-    const { getSecureSessionCookieName } = await import('./app-slug');
-    const secureCookieName = getSecureSessionCookieName();
-    nextAuthToken = await nextAuthJwt.getToken({
-      req,
-      secret,
-      cookieName: secureCookieName,
-      secureCookie: true,
-    });
-    if (nextAuthToken) {
-      logger.debug('[GET_TOKEN] Resolved via NextAuth JWT (secure cookie)');
-      return nextAuthToken;
-    }
-  } catch (error) {
-    logger.debug('[GET_TOKEN] NextAuth fallback error', {
-      error: error instanceof Error ? error.message : String(error),
-    });
-  }
-
   return null;
 }

package/src/routes/account/masked-info.ts

@@ -28,7 +28,7 @@ export { POST } from '../../api-handlers/account/masked-info';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Masked email addresses

package/src/routes/account/send-code.ts

@@ -31,7 +31,7 @@ export { POST } from '../../api-handlers/account/send-code';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Success status

package/src/routes/account/verify-email.ts

@@ -30,7 +30,7 @@ export { POST } from '../../api-handlers/account/verify-email';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/src/routes/account/verify-sms.ts

@@ -30,7 +30,7 @@ export { POST } from '../../api-handlers/account/verify-sms';
  * Environment variables used:
  * - IDP_URL or NEXT_PUBLIC_IDP_URL (default: http://localhost:32785)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
+ * - BETTER_AUTH_SECRET (required — fetched from IDP at startup)
  *
  * Returns:
  * - Upgraded access token with MFA claim

package/src/routes/auth/refresh.ts

@@ -15,11 +15,9 @@
  */
 
 import { createRefreshHandler } from '../../api-handlers/auth/refresh';
-import { getIDPClientConfig } from '../../lib/idp-client-config';
 
-// Configuration is read at runtime from IDP config (cached)
-async function getConfig() {
-  const idpConfig = await getIDPClientConfig();
+// Configuration is read at runtime from environment.
+function getConfig() {
   const idpBaseUrl = process.env.IDP_URL;
   if (!idpBaseUrl) {
     throw new Error('[IDP_URL] FATAL: IDP_URL environment variable is REQUIRED.');
@@ -27,7 +25,6 @@ async function getConfig() {
   return {
     idpBaseUrl,
     clientId: process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID || '',
-    nextAuthSecret: idpConfig.nextAuthSecret || '',
     refreshEndpoint: process.env.REFRESH_ENDPOINT || '/api/ExternalAuth/refresh',
   };
 }
@@ -38,7 +35,6 @@ async function getConfig() {
  * Environment variables used:
  * - IDP_URL (REQUIRED)
  * - CLIENT_ID or NEXT_PUBLIC_IDP_CLIENT_ID (required)
- * - NEXTAUTH_SECRET (required)
  * - REFRESH_ENDPOINT (default: /api/ExternalAuth/refresh)
  */
 let _handler: ReturnType<typeof createRefreshHandler> | null = null;
@@ -47,8 +43,7 @@ import { NextRequest } from 'next/server';
 
 export async function POST(req: NextRequest) {
   if (!_handler) {
-    const config = await getConfig();
-    _handler = createRefreshHandler(config);
+    _handler = createRefreshHandler(getConfig());
   }
   return _handler(req);
 }

package/src/server/auth.ts

@@ -1,11 +1,8 @@
 /**
- * Server-side auth utilities for Better Auth (v4.0)
+ * Server-side auth utilities for Better Auth.
  *
- * Replaces:
- * - getToken() from next-auth/jwt
- * - getServerSession() from next-auth
- *
- * All server-side auth flows go through the Better Auth instance.
+ * All server-side auth flows go through the Better Auth instance returned by
+ * getAuthInstance(); use getSession(req) for the request-scoped session.
  */
 
 import 'server-only';

package/src/server/decode-session.ts

@@ -152,9 +152,9 @@ export async function decodeSession(
     }
 
     const config = await getIDPClientConfig();
-    const secret = config.nextAuthSecret;
+    const secret = config.authSecret;
     if (!secret) {
-      console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
+      console.error('[DECODE-SESSION] No authSecret available from IDP config');
       return null;
     }
 

package/dist/lib/nextauth-secret.d.ts

@@ -1,10 +0,0 @@
-import 'server-only';
-/**
- * Resolve the NextAuth secret (server-only).
- *
- * Priority:
- * 1) Use process.env.NEXTAUTH_SECRET if present (allows overrides/production)
- * 2) Fetch from IDP broker endpoint - IDP handles all Key Vault/signing
- * 3) Cache result in-memory and set process.env.NEXTAUTH_SECRET for subsequent calls
- */
-export declare function resolveNextAuthSecret(): Promise<string>;