@payez/next-mvp 4.0.46 → 4.0.49

package/src/api/auth-handler.ts

@@ -50,9 +50,6 @@ export interface AuthHandlerOptions {
   /** Maximum number of retry attempts on 401 (default: 1) */
   maxRetries?: number;
 
-  /** NextAuth secret for JWT decoding */
-  nextAuthSecret?: string;
-
   /** IDP base URL for refresh requests */
   idpBaseUrl?: string;
 
@@ -99,7 +96,6 @@ export function createAuthHandler(options: AuthHandlerOptions = {}) {
     refreshBuffer = 60, // 60 seconds - matches website-membership proven threshold
     retryOn401 = true,
     maxRetries = 1,
-    nextAuthSecret = process.env.NEXTAUTH_SECRET,
     idpBaseUrl = process.env.IDP_URL,
     clientId = process.env.CLIENT_ID || process.env.NEXT_PUBLIC_IDP_CLIENT_ID
   } = options;

package/src/api-handlers/admin/stats.ts

@@ -1,238 +1,249 @@
-/**
- * Admin Stats API Handler
- *
- * Aggregates dashboard statistics from users, Redis sessions, and audit logs.
- * Uses service account HMAC auth for Vibe API requests.
- *
- * @version 1.0
- * @requires Admin role (vibe_app_admin or payez_admin)
- */
-
-import { NextRequest, NextResponse } from 'next/server';
-import { getSession } from '../../server/auth';
-import { getStartupIDPConfig } from '../../lib/startup-init';
-import { getRedis } from '../../lib/redis';
-import { ADMIN_ROLES } from '../../lib/roles';
-
-interface VibeRequestOptions {
-  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
-  body?: unknown;
-}
-
-async function checkAdminRole(request: NextRequest): Promise<{ isAdmin: boolean; error?: NextResponse }> {
-  const session = await getSession(request) as any;
-
-  if (!session?.user) {
-    return {
-      isAdmin: false,
-      error: NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
-    };
-  }
-
-  const userRoles = (session.user?.roles as string[]) || [];
-  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
-
-  if (!hasAdminRole) {
-    return {
-      isAdmin: false,
-      error: NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
-    };
-  }
-
-  return { isAdmin: true };
-}
-
-async function vibeServiceRequest<T = unknown>(
-  endpoint: string,
-  options: VibeRequestOptions
-): Promise<{ ok: boolean; status: number; data: T | null; error?: string }> {
-  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
-  const clientId = process.env.VIBE_CLIENT_ID;
-  const signingKey = process.env.VIBE_HMAC_KEY;
-
-  if (!idpUrl || !clientId || !signingKey) {
-    return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
-  }
-
-  const timestamp = Math.floor(Date.now() / 1000);
-  const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
-
-  const crypto = await import('crypto');
-  const signature = crypto
-    .createHmac('sha256', Buffer.from(signingKey, 'base64'))
-    .update(stringToSign)
-    .digest('base64');
-
-  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-
-  const idpConfig = getStartupIDPConfig();
-  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
-
-  try {
-    const res = await fetch(proxyUrl, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'X-Vibe-Client-Id': clientId,
-        'X-Vibe-Timestamp': String(timestamp),
-        'X-Vibe-Signature': signature,
-        ...(idpClientId && { 'X-Client-Id': idpClientId }),
-      },
-      body: JSON.stringify({
-        endpoint,
-        method: options.method,
-        data: options.body ?? null,
-      }),
-      cache: 'no-store',
-    });
-
-    if (res.status === 204) return { ok: true, status: 204, data: null };
-    if (!res.ok) {
-      const errorText = await res.text();
-      return { ok: false, status: res.status, data: null, error: errorText };
-    }
-
-    const body = await res.json();
-    return { ok: true, status: res.status, data: body };
-  } catch (error) {
-    return { ok: false, status: 0, data: null, error: String(error) };
-  }
-}
-
-export interface AdminStatsHandlerConfig {
-  appSlug?: string;
-}
-
-/**
- * GET /api/admin/stats - Dashboard statistics
- * Aggregates users + tier breakdown, active Redis sessions, and recent audit activity.
- */
-export function createStatsHandler(config: AdminStatsHandlerConfig) {
-  const getSessionPrefix = () => {
-    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
-    return `${appSlug}:sess:`;
-  };
-
-  return {
-    async GET(_request: NextRequest) {
-      const adminCheck = await checkAdminRole(_request);
-      if (adminCheck.error) return adminCheck.error;
-
-      try {
-        // Fetch from 3 sources in parallel
-        const [usersResult, sessionCount, auditResult] = await Promise.allSettled([
-          // 1. Users + tier breakdown via HMAC proxy (Vibe collection query)
-          vibeServiceRequest<any>('/v1/collections/vibe_app/tables/users/query', {
-            method: 'POST',
-            body: { page: 1, pageSize: 500, orderBy: 'created_at', orderDirection: 'desc' },
-          }),
-
-          // 2. Active sessions from Redis
-          (async () => {
-            const redis = getRedis();
-            const sessionPrefix = getSessionPrefix();
-            const sessionKeys: string[] = [];
-            let cursor = '0';
-            do {
-              const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
-              cursor = newCursor;
-              sessionKeys.push(...keys.filter((k: string) => !k.includes(':ver:')));
-            } while (cursor !== '0');
-            return sessionKeys.length;
-          })(),
-
-          // 3. Recent audit activity via HMAC proxy
-          vibeServiceRequest<any>('/v1/audit?pageSize=10&sortDir=desc', { method: 'GET' }),
-        ]);
-
-        // Parse users — deduplicate by user_id
-        let totalUsers = 0;
-        let tierBreakdown: Record<string, number> = {};
-        if (usersResult.status === 'fulfilled' && usersResult.value.ok && usersResult.value.data) {
-          const data = usersResult.value.data;
-          const rawUsers = data.data || data.documents || data.users || [];
-
-          // Deduplicate by user_id (keeps latest document_id)
-          const userMap = new Map();
-          for (const u of rawUsers) {
-            const uid = u.user_id || u.id || u.document_id;
-            const existing = userMap.get(uid);
-            if (!existing || (u.document_id || '') > (existing.document_id || '')) {
-              userMap.set(uid, u);
-            }
-          }
-          const uniqueUsers = Array.from(userMap.values());
-          totalUsers = uniqueUsers.length;
-
-          // Build tier breakdown from deduplicated users (unless API provides one)
-          tierBreakdown = data.tierBreakdown || data.tiers || {};
-          if (Object.keys(tierBreakdown).length === 0) {
-            for (const user of uniqueUsers) {
-              const tier = user.tier || 'free';
-              tierBreakdown[tier] = (tierBreakdown[tier] || 0) + 1;
-            }
-          }
-        }
-
-        // Parse active sessions count
-        let activeSessions = 0;
-        if (sessionCount.status === 'fulfilled') {
-          activeSessions = sessionCount.value;
-        }
-
-        // Parse audit events for recent activity
-        let recentActivity: any[] = [];
-        if (auditResult.status === 'fulfilled' && auditResult.value.ok && auditResult.value.data) {
-          const data = auditResult.value.data;
-
-          // Handle multiple possible response shapes
-          let events: any[] = [];
-          if (Array.isArray(data)) {
-            events = data;
-          } else if (Array.isArray(data.data)) {
-            events = data.data;
-          } else if (Array.isArray(data.entries)) {
-            events = data.entries;
-          } else if (Array.isArray(data.items)) {
-            events = data.items;
-          } else if (Array.isArray(data.documents)) {
-            events = data.documents;
-          } else if (data.success && Array.isArray(data.results)) {
-            events = data.results;
-          }
-
-          recentActivity = events.slice(0, 5).map((e: any) => ({
-            id: e.audit_log_id || e.id || e.document_id,
-            type: e.category || e.type || 'admin',
-            action: e.action || e.event || e.message || 'Unknown action',
-            actor: e.admin_email || e.actor || e.user || e.actor_email || 'System',
-            target: e.target_type ? `${e.target_type}:${e.target_id}` : (e.target || e.target_user),
-            details: e.description || e.details,
-            timestamp: e.created_at || e.timestamp || e.date,
-            success: e.is_success ?? e.success ?? true,
-          }));
-        }
-
-        // Calculate tier percentages
-        const tiers = Object.entries(tierBreakdown).map(([name, count]) => ({
-          name,
-          count: count as number,
-          pct: totalUsers > 0 ? Math.round(((count as number) / totalUsers) * 100) : 0,
-        }));
-
-        return NextResponse.json({
-          totalUsers,
-          activeSessions,
-          tiers,
-          recentActivity,
-        });
-      } catch (error: any) {
-        console.error('[admin/stats] Error:', error);
-        return NextResponse.json(
-          { error: error.message || 'Internal error' },
-          { status: 500 }
-        );
-      }
-    },
-  };
-}
+/**
+ * Admin Stats API Handler
+ *
+ * Aggregates dashboard statistics from users, Redis sessions, and audit logs.
+ * Uses service account HMAC auth for Vibe API requests.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getSession } from '../../server/auth';
+import { getStartupIDPConfig } from '../../lib/startup-init';
+import { getRedis } from '../../lib/redis';
+import { ADMIN_ROLES } from '../../lib/roles';
+
+interface VibeRequestOptions {
+  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
+  body?: unknown;
+}
+
+async function checkAdminRole(request: NextRequest): Promise<{ isAdmin: boolean; error?: NextResponse }> {
+  const session = await getSession(request) as any;
+
+  if (!session?.user) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
+    };
+  }
+
+  const userRoles = (session.user?.roles as string[]) || [];
+  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
+
+  if (!hasAdminRole) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
+    };
+  }
+
+  return { isAdmin: true };
+}
+
+async function vibeServiceRequest<T = unknown>(
+  endpoint: string,
+  options: VibeRequestOptions
+): Promise<{ ok: boolean; status: number; data: T | null; error?: string }> {
+  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+  const clientId = process.env.VIBE_CLIENT_ID;
+  const signingKey = process.env.VIBE_HMAC_KEY;
+
+  if (!idpUrl || !clientId || !signingKey) {
+    return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
+  }
+
+  const timestamp = Math.floor(Date.now() / 1000);
+  const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
+
+  const crypto = await import('crypto');
+  const signature = crypto
+    .createHmac('sha256', Buffer.from(signingKey, 'base64'))
+    .update(stringToSign)
+    .digest('base64');
+
+  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
+
+  const idpConfig = getStartupIDPConfig();
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
+
+  try {
+    const res = await fetch(proxyUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Vibe-Client-Id': clientId,
+        'X-Vibe-Timestamp': String(timestamp),
+        'X-Vibe-Signature': signature,
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
+      },
+      body: JSON.stringify({
+        endpoint,
+        method: options.method,
+        data: options.body ?? null,
+      }),
+      cache: 'no-store',
+    });
+
+    if (res.status === 204) return { ok: true, status: 204, data: null };
+    if (!res.ok) {
+      const errorText = await res.text();
+      return { ok: false, status: res.status, data: null, error: errorText };
+    }
+
+    const body = await res.json();
+    return { ok: true, status: res.status, data: body };
+  } catch (error) {
+    return { ok: false, status: 0, data: null, error: String(error) };
+  }
+}
+
+export interface AdminStatsHandlerConfig {
+  appSlug?: string;
+}
+
+/**
+ * GET /api/admin/stats - Dashboard statistics
+ * Aggregates users + tier breakdown, active Redis sessions, and recent audit activity.
+ */
+export function createStatsHandler(config: AdminStatsHandlerConfig) {
+  const getSessionPrefix = () => {
+    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+    return `${appSlug}:sess:`;
+  };
+
+  return {
+    async GET(_request: NextRequest) {
+      const adminCheck = await checkAdminRole(_request);
+      if (adminCheck.error) return adminCheck.error;
+
+      try {
+        // Fetch from 4 sources in parallel
+        const [usersResult, tierDistributionResult, sessionCount, auditResult] = await Promise.allSettled([
+          // 1. Users count via HMAC proxy (Vibe collection query)
+          vibeServiceRequest<any>('/v1/collections/vibe_app/tables/users/query', {
+            method: 'POST',
+            body: { page: 1, pageSize: 500, orderBy: 'created_at', orderDirection: 'desc' },
+          }),
+
+          // 2. Tier distribution from analytics endpoint (uses purchases table)
+          vibeServiceRequest<any>('/v1/analytics/tier-distribution?includeTrend=false', { method: 'GET' }),
+
+          // 3. Active sessions from Redis
+          (async () => {
+            const redis = getRedis();
+            const sessionPrefix = getSessionPrefix();
+            const sessionKeys: string[] = [];
+            let cursor = '0';
+            do {
+              const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+              cursor = newCursor;
+              sessionKeys.push(...keys.filter((k: string) => !k.includes(':ver:')));
+            } while (cursor !== '0');
+            return sessionKeys.length;
+          })(),
+
+          // 4. Recent audit activity via HMAC proxy
+          vibeServiceRequest<any>('/v1/audit?pageSize=10&sortDir=desc', { method: 'GET' }),
+        ]);
+
+        // Parse users — deduplicate by user_id
+        let totalUsers = 0;
+        if (usersResult.status === 'fulfilled' && usersResult.value.ok && usersResult.value.data) {
+          const data = usersResult.value.data;
+          const rawUsers = data.data || data.documents || data.users || [];
+
+          // Deduplicate by user_id (keeps latest document_id)
+          const userMap = new Map();
+          for (const u of rawUsers) {
+            const uid = u.user_id || u.id || u.document_id;
+            const existing = userMap.get(uid);
+            if (!existing || (u.document_id || '') > (existing.document_id || '')) {
+              userMap.set(uid, u);
+            }
+          }
+          totalUsers = userMap.size;
+        }
+
+        // Parse tier distribution from analytics endpoint (uses purchases table)
+        let tierBreakdown: Record<string, number> = {};
+        if (tierDistributionResult.status === 'fulfilled' && tierDistributionResult.value.ok && tierDistributionResult.value.data) {
+          const data = tierDistributionResult.value.data;
+          // Handle response shape: { distribution: [{ tierKey, userCount }, ...] }
+          const distribution = data.distribution || data.data || data.tiers || [];
+          if (Array.isArray(distribution)) {
+            for (const item of distribution) {
+              const tierKey = item.tierKey || item.tier || item.name || 'free';
+              const count = item.userCount || item.count || item.users || 0;
+              tierBreakdown[tierKey] = (tierBreakdown[tierKey] || 0) + count;
+            }
+          }
+        }
+        // Fallback: if no tier data from analytics, show all as free
+        if (Object.keys(tierBreakdown).length === 0) {
+          tierBreakdown = { free: totalUsers };
+        }
+
+        // Parse active sessions count
+        let activeSessions = 0;
+        if (sessionCount.status === 'fulfilled') {
+          activeSessions = sessionCount.value;
+        }
+
+        // Parse audit events for recent activity
+        let recentActivity: any[] = [];
+        if (auditResult.status === 'fulfilled' && auditResult.value.ok && auditResult.value.data) {
+          const data = auditResult.value.data;
+
+          // Handle multiple possible response shapes
+          let events: any[] = [];
+          if (Array.isArray(data)) {
+            events = data;
+          } else if (Array.isArray(data.data)) {
+            events = data.data;
+          } else if (Array.isArray(data.entries)) {
+            events = data.entries;
+          } else if (Array.isArray(data.items)) {
+            events = data.items;
+          } else if (Array.isArray(data.documents)) {
+            events = data.documents;
+          } else if (data.success && Array.isArray(data.results)) {
+            events = data.results;
+          }
+
+          recentActivity = events.slice(0, 5).map((e: any) => ({
+            id: e.audit_log_id || e.id || e.document_id,
+            type: e.category || e.type || 'admin',
+            action: e.action || e.event || e.message || 'Unknown action',
+            actor: e.admin_email || e.actor || e.user || e.actor_email || 'System',
+            target: e.target_type ? `${e.target_type}:${e.target_id}` : (e.target || e.target_user),
+            details: e.description || e.details,
+            timestamp: e.created_at || e.timestamp || e.date,
+            success: e.is_success ?? e.success ?? true,
+          }));
+        }
+
+        // Calculate tier percentages
+        const tiers = Object.entries(tierBreakdown).map(([name, count]) => ({
+          name,
+          count: count as number,
+          pct: totalUsers > 0 ? Math.round(((count as number) / totalUsers) * 100) : 0,
+        }));
+
+        return NextResponse.json({
+          totalUsers,
+          activeSessions,
+          tiers,
+          recentActivity,
+        });
+      } catch (error: any) {
+        console.error('[admin/stats] Error:', error);
+        return NextResponse.json(
+          { error: error.message || 'Internal error' },
+          { status: 500 }
+        );
+      }
+    },
+  };
+}

package/src/api-handlers/auth/refresh.ts

@@ -4,7 +4,7 @@
  * ASK BEFORE EDITING - TESTED AND WORKING SYSTEM
  *
  * This handler manages the server-side refresh token cycle with:
- * - NextAuth JWT token extraction
+ * - Better Auth session extraction
  * - Session token fallback for internal calls
  * - PayEz IDP refresh token exchange
  * - Session state updates with new tokens
@@ -23,14 +23,13 @@ import { extractKidFromToken } from '../../auth/utils/token-utils';
 interface RefreshConfig {
   idpBaseUrl: string;
   clientId: string;
-  nextAuthSecret: string;
   refreshEndpoint?: string;
 }
 
 /**
  * Creates a refresh token handler for Next.js API routes
  *
- * @param config Configuration for IDP connection and NextAuth
+ * @param config IDP connection settings (Better Auth handles session crypto)
  * @returns Next.js POST handler function
  *
  * @example
@@ -41,13 +40,12 @@ interface RefreshConfig {
  * export const POST = createRefreshHandler({
  *   idpBaseUrl: process.env.IDP_URL!,
  *   clientId: process.env.CLIENT_ID!,
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!,
  *   refreshEndpoint: '/api/ExternalAuth/refresh'
  * });
  * ```
  */
 export function createRefreshHandler(config: RefreshConfig) {
-  const { idpBaseUrl, clientId, nextAuthSecret, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
+  const { idpBaseUrl, clientId, refreshEndpoint = '/api/ExternalAuth/refresh' } = config;
 
   return async function POST(req: NextRequest) {
     try {
@@ -674,12 +672,11 @@ export function createRefreshHandler(config: RefreshConfig) {
 }
 
 /**
- * Default export for backward compatibility
- * Requires environment variables: IDP_URL, CLIENT_ID, NEXTAUTH_SECRET
+ * Default POST export — drop-in for `app/api/auth/refresh/route.ts`.
+ * Requires environment variables: IDP_URL, CLIENT_ID
  */
 export const POST = createRefreshHandler({
   idpBaseUrl: process.env.IDP_URL!,
   clientId: process.env.CLIENT_ID || 'payez_default_client',
-  nextAuthSecret: process.env.NEXTAUTH_SECRET || '',
   refreshEndpoint: '/api/ExternalAuth/refresh'
 });

package/src/api-handlers/auth/signout.ts

@@ -57,29 +57,19 @@ interface SignoutResponse {
   chunkCookiesDeleted?: number;
 }
 
-interface SignoutConfig {
-  nextAuthSecret: string;
-}
-
 /**
- * Creates a signout handler for Next.js API routes
+ * Creates a signout handler for Next.js API routes.
  *
- * @param config Configuration for NextAuth
- * @returns Next.js POST handler function
+ * Better Auth resolves its session from cookies, so this handler takes no
+ * configuration. Use the default `POST` export below for typical usage.
  *
  * @example
  * ```typescript
  * // In your app's /app/api/auth/signout/route.ts
- * import { createSignoutHandler } from '@payez/next-mvp/api-handlers/auth/signout';
- *
- * export const POST = createSignoutHandler({
- *   nextAuthSecret: process.env.NEXTAUTH_SECRET!
- * });
+ * export { POST } from '@payez/next-mvp/api-handlers/auth/signout';
  * ```
  */
-export function createSignoutHandler(config: SignoutConfig) {
-  const { nextAuthSecret } = config;
-
+export function createSignoutHandler() {
   return async function POST(req: NextRequest) {
     const cookieStore = await cookies();
 
@@ -113,7 +103,8 @@ export function createSignoutHandler(config: SignoutConfig) {
     const chunkCookies = cookieStore.getAll()
       .filter(cookie => cookie.name.startsWith(`${sessionCookieName}.`));
 
-    // Decode NextAuth JWT to extract the Redis session UUID before deletion
+    // Decode the Better Auth session JWT to extract the Redis session UUID
+    // before deletion.
     let redisSessionToken: string | null = null;
 
     // First attempt: Better Auth getSession
@@ -203,9 +194,6 @@ export function createSignoutHandler(config: SignoutConfig) {
 }
 
 /**
- * Default export for backward compatibility
- * Requires environment variable: NEXTAUTH_SECRET
+ * Default POST export — drop-in for `app/api/auth/signout/route.ts`.
  */
-export const POST = createSignoutHandler({
-  nextAuthSecret: process.env.NEXTAUTH_SECRET || ''
-});
+export const POST = createSignoutHandler();