@payez/next-mvp 4.0.47 → 4.0.49

package/dist/api-handlers/admin/stats.js

@@ -128,14 +128,16 @@ function createStatsHandler(config) {
             if (adminCheck.error)
                 return adminCheck.error;
             try {
-                // Fetch from 3 sources in parallel
-                const [usersResult, sessionCount, auditResult] = await Promise.allSettled([
-                    // 1. Users + tier breakdown via HMAC proxy (Vibe collection query)
+                // Fetch from 4 sources in parallel
+                const [usersResult, tierDistributionResult, sessionCount, auditResult] = await Promise.allSettled([
+                    // 1. Users count via HMAC proxy (Vibe collection query)
                     vibeServiceRequest('/v1/collections/vibe_app/tables/users/query', {
                         method: 'POST',
                         body: { page: 1, pageSize: 500, orderBy: 'created_at', orderDirection: 'desc' },
                     }),
-                    // 2. Active sessions from Redis
+                    // 2. Tier distribution from analytics endpoint (uses purchases table)
+                    vibeServiceRequest('/v1/analytics/tier-distribution?includeTrend=false', { method: 'GET' }),
+                    // 3. Active sessions from Redis
                     (async () => {
                         const redis = (0, redis_1.getRedis)();
                         const sessionPrefix = getSessionPrefix();
@@ -148,12 +150,11 @@ function createStatsHandler(config) {
                         } while (cursor !== '0');
                         return sessionKeys.length;
                     })(),
-                    // 3. Recent audit activity via HMAC proxy
+                    // 4. Recent audit activity via HMAC proxy
                     vibeServiceRequest('/v1/audit?pageSize=10&sortDir=desc', { method: 'GET' }),
                 ]);
                 // Parse users — deduplicate by user_id
                 let totalUsers = 0;
-                let tierBreakdown = {};
                 if (usersResult.status === 'fulfilled' && usersResult.value.ok && usersResult.value.data) {
                     const data = usersResult.value.data;
                     const rawUsers = data.data || data.documents || data.users || [];
@@ -166,17 +167,26 @@ function createStatsHandler(config) {
                             userMap.set(uid, u);
                         }
                     }
-                    const uniqueUsers = Array.from(userMap.values());
-                    totalUsers = uniqueUsers.length;
-                    // Build tier breakdown from deduplicated users (unless API provides one)
-                    tierBreakdown = data.tierBreakdown || data.tiers || {};
-                    if (Object.keys(tierBreakdown).length === 0) {
-                        for (const user of uniqueUsers) {
-                            const tier = user.tier || 'free';
-                            tierBreakdown[tier] = (tierBreakdown[tier] || 0) + 1;
+                    totalUsers = userMap.size;
+                }
+                // Parse tier distribution from analytics endpoint (uses purchases table)
+                let tierBreakdown = {};
+                if (tierDistributionResult.status === 'fulfilled' && tierDistributionResult.value.ok && tierDistributionResult.value.data) {
+                    const data = tierDistributionResult.value.data;
+                    // Handle response shape: { distribution: [{ tierKey, userCount }, ...] }
+                    const distribution = data.distribution || data.data || data.tiers || [];
+                    if (Array.isArray(distribution)) {
+                        for (const item of distribution) {
+                            const tierKey = item.tierKey || item.tier || item.name || 'free';
+                            const count = item.userCount || item.count || item.users || 0;
+                            tierBreakdown[tierKey] = (tierBreakdown[tierKey] || 0) + count;
                         }
                     }
                 }
+                // Fallback: if no tier data from analytics, show all as free
+                if (Object.keys(tierBreakdown).length === 0) {
+                    tierBreakdown = { free: totalUsers };
+                }
                 // Parse active sessions count
                 let activeSessions = 0;
                 if (sessionCount.status === 'fulfilled') {

package/dist/server/auth.d.ts

@@ -5,6 +5,16 @@
  * getAuthInstance(); use getSession(req) for the request-scoped session.
  */
 import 'server-only';
+import { type SessionData } from '../lib/session-store';
+export type IdpTokenResult = {
+    success: true;
+    accessToken: string;
+    sessionData: SessionData;
+} | {
+    success: false;
+    error: 'NO_SESSION' | 'NO_TOKEN';
+    terminal: true;
+};
 /**
  * Get the initialized Better Auth instance (singleton).
  */
@@ -54,6 +64,20 @@ export declare function getAuthInstance(): Promise<import("better-auth/types").A
  * Returns the session object or null if not authenticated.
  */
 export declare function getSession(request?: Request): Promise<any>;
+/**
+ * Get normalized session data for the current request.
+ *
+ * This prefers the app's Redis session because it carries the canonical
+ * IDP token, roles, and tenant-specific user identity used by app routes.
+ */
+export declare function getSessionData(request?: Request): Promise<SessionData | null>;
+/**
+ * Get the current request's IDP access token without triggering a refresh.
+ *
+ * Use this for routes that only need the currently-issued bearer token and
+ * should fail closed instead of performing token lifecycle work.
+ */
+export declare function getIdpToken(request?: Request): Promise<IdpTokenResult>;
 /**
  * Get the current session, throwing if not authenticated.
  * Use in API handlers that require auth.

package/dist/server/auth.js

@@ -5,48 +5,67 @@
  * All server-side auth flows go through the Better Auth instance returned by
  * getAuthInstance(); use getSession(req) for the request-scoped session.
  */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAuthInstance = getAuthInstance;
 exports.getSession = getSession;
+exports.getSessionData = getSessionData;
+exports.getIdpToken = getIdpToken;
 exports.requireSession = requireSession;
 require("server-only");
 const better_auth_1 = require("../auth/better-auth");
 const idp_client_config_1 = require("../lib/idp-client-config");
+const session_store_1 = require("../lib/session-store");
 let authInstance = null;
 let authInitPromise = null;
+function buildSessionDataFromAuthSession(session) {
+    const user = session?.user;
+    if (!user?.id && !user?.email) {
+        return null;
+    }
+    const expiresAt = session?.session?.expiresAt
+        ? new Date(session.session.expiresAt).getTime()
+        : Date.now() + 24 * 60 * 60 * 1000;
+    return {
+        userId: user.userId || user.id || '',
+        email: user.email || '',
+        name: user.name || undefined,
+        roles: Array.isArray(user.roles) ? user.roles : [],
+        idpAccessToken: user.idpAccessToken,
+        idpRefreshToken: user.idpRefreshToken,
+        idpAccessTokenExpires: user.idpAccessTokenExpires || expiresAt,
+        mfaVerified: user.mfaVerified ?? user.twoFactorSessionVerified ?? false,
+        oauthProvider: user.oauthProvider,
+        idpClientId: user.idpClientId,
+        merchantId: user.merchantId,
+    };
+}
+function attachSessionData(session, sessionData, sessionToken) {
+    if (!sessionData) {
+        return session;
+    }
+    const enrichedSessionData = {
+        ...sessionData,
+        ...(sessionToken ? { sessionToken } : {}),
+    };
+    session.sessionData = enrichedSessionData;
+    if (session?.user) {
+        const user = session.user;
+        user.userId = enrichedSessionData.userId || user.userId;
+        user.email = enrichedSessionData.email || user.email;
+        user.name = enrichedSessionData.name || user.name;
+        user.roles = enrichedSessionData.roles || user.roles || [];
+        user.idpAccessToken = enrichedSessionData.idpAccessToken;
+        user.idpRefreshToken = enrichedSessionData.idpRefreshToken;
+        user.idpAccessTokenExpires = enrichedSessionData.idpAccessTokenExpires;
+        user.mfaVerified = enrichedSessionData.mfaVerified;
+        user.twoFactorSessionVerified =
+            enrichedSessionData.mfaVerified ?? user.twoFactorSessionVerified;
+        user.oauthProvider = enrichedSessionData.oauthProvider || user.oauthProvider;
+        user.idpClientId = enrichedSessionData.idpClientId || user.idpClientId;
+        user.merchantId = enrichedSessionData.merchantId || user.merchantId;
+    }
+    return session;
+}
 /**
  * Get the initialized Better Auth instance (singleton).
  */
@@ -75,31 +94,66 @@ async function getSession(request) {
         const session = await auth.api.getSession({ headers: request.headers });
         if (!session?.session?.token || !session?.user)
             return session;
-        // Enrich with IDP tokens from Redis (stored by post-login hook)
+        const sessionToken = session.session.token;
+        let sessionData = null;
+        // Prefer the app's normalized Redis session. Fall back to Better Auth's
+        // secondary storage record, then finally to whatever Better Auth already
+        // put on the request session object.
         try {
-            const { getRedis } = await Promise.resolve().then(() => __importStar(require('../lib/redis')));
-            const { getAppSlug } = await Promise.resolve().then(() => __importStar(require('../lib/app-slug')));
-            const baKey = `ba:${getAppSlug()}:${session.session.token}`;
-            const baRaw = await getRedis().get(baKey);
-            if (baRaw) {
-                const baData = JSON.parse(baRaw);
-                if (baData.idpTokens) {
-                    const u = session.user;
-                    u.roles = baData.idpTokens.roles || [];
-                    u.userId = baData.idpTokens.userId;
-                    u.idpAccessToken = baData.idpTokens.idpAccessToken;
-                    u.idpRefreshToken = baData.idpTokens.idpRefreshToken;
-                    u.idpAccessTokenExpires = baData.idpTokens.idpAccessTokenExpires;
-                }
+            sessionData = await (0, session_store_1.getSession)(sessionToken);
+            if (!sessionData) {
+                sessionData = await (0, session_store_1.getBetterAuthSession)(sessionToken);
             }
         }
         catch { /* Redis unavailable */ }
-        return session;
+        if (!sessionData) {
+            sessionData = buildSessionDataFromAuthSession(session);
+        }
+        return attachSessionData(session, sessionData, sessionToken);
     }
     catch {
         return null;
     }
 }
+/**
+ * Get normalized session data for the current request.
+ *
+ * This prefers the app's Redis session because it carries the canonical
+ * IDP token, roles, and tenant-specific user identity used by app routes.
+ */
+async function getSessionData(request) {
+    const session = await getSession(request);
+    const sessionData = session?.sessionData ||
+        buildSessionDataFromAuthSession(session);
+    if (!sessionData) {
+        return null;
+    }
+    const sessionToken = session?.session?.token;
+    return sessionToken
+        ? { ...sessionData, sessionToken }
+        : sessionData;
+}
+/**
+ * Get the current request's IDP access token without triggering a refresh.
+ *
+ * Use this for routes that only need the currently-issued bearer token and
+ * should fail closed instead of performing token lifecycle work.
+ */
+async function getIdpToken(request) {
+    const sessionData = await getSessionData(request);
+    if (!sessionData) {
+        return { success: false, error: 'NO_SESSION', terminal: true };
+    }
+    const accessToken = sessionData.idpAccessToken || sessionData.accessToken;
+    if (!accessToken) {
+        return { success: false, error: 'NO_TOKEN', terminal: true };
+    }
+    return {
+        success: true,
+        accessToken,
+        sessionData,
+    };
+}
 /**
  * Get the current session, throwing if not authenticated.
  * Use in API handlers that require auth.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.47",
+  "version": "4.0.49",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/api-handlers/admin/stats.ts

@@ -1,238 +1,249 @@
-/**
- * Admin Stats API Handler
- *
- * Aggregates dashboard statistics from users, Redis sessions, and audit logs.
- * Uses service account HMAC auth for Vibe API requests.
- *
- * @version 1.0
- * @requires Admin role (vibe_app_admin or payez_admin)
- */
-
-import { NextRequest, NextResponse } from 'next/server';
-import { getSession } from '../../server/auth';
-import { getStartupIDPConfig } from '../../lib/startup-init';
-import { getRedis } from '../../lib/redis';
-import { ADMIN_ROLES } from '../../lib/roles';
-
-interface VibeRequestOptions {
-  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
-  body?: unknown;
-}
-
-async function checkAdminRole(request: NextRequest): Promise<{ isAdmin: boolean; error?: NextResponse }> {
-  const session = await getSession(request) as any;
-
-  if (!session?.user) {
-    return {
-      isAdmin: false,
-      error: NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
-    };
-  }
-
-  const userRoles = (session.user?.roles as string[]) || [];
-  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
-
-  if (!hasAdminRole) {
-    return {
-      isAdmin: false,
-      error: NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
-    };
-  }
-
-  return { isAdmin: true };
-}
-
-async function vibeServiceRequest<T = unknown>(
-  endpoint: string,
-  options: VibeRequestOptions
-): Promise<{ ok: boolean; status: number; data: T | null; error?: string }> {
-  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
-  const clientId = process.env.VIBE_CLIENT_ID;
-  const signingKey = process.env.VIBE_HMAC_KEY;
-
-  if (!idpUrl || !clientId || !signingKey) {
-    return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
-  }
-
-  const timestamp = Math.floor(Date.now() / 1000);
-  const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
-
-  const crypto = await import('crypto');
-  const signature = crypto
-    .createHmac('sha256', Buffer.from(signingKey, 'base64'))
-    .update(stringToSign)
-    .digest('base64');
-
-  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
-
-  const idpConfig = getStartupIDPConfig();
-  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
-
-  try {
-    const res = await fetch(proxyUrl, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'X-Vibe-Client-Id': clientId,
-        'X-Vibe-Timestamp': String(timestamp),
-        'X-Vibe-Signature': signature,
-        ...(idpClientId && { 'X-Client-Id': idpClientId }),
-      },
-      body: JSON.stringify({
-        endpoint,
-        method: options.method,
-        data: options.body ?? null,
-      }),
-      cache: 'no-store',
-    });
-
-    if (res.status === 204) return { ok: true, status: 204, data: null };
-    if (!res.ok) {
-      const errorText = await res.text();
-      return { ok: false, status: res.status, data: null, error: errorText };
-    }
-
-    const body = await res.json();
-    return { ok: true, status: res.status, data: body };
-  } catch (error) {
-    return { ok: false, status: 0, data: null, error: String(error) };
-  }
-}
-
-export interface AdminStatsHandlerConfig {
-  appSlug?: string;
-}
-
-/**
- * GET /api/admin/stats - Dashboard statistics
- * Aggregates users + tier breakdown, active Redis sessions, and recent audit activity.
- */
-export function createStatsHandler(config: AdminStatsHandlerConfig) {
-  const getSessionPrefix = () => {
-    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
-    return `${appSlug}:sess:`;
-  };
-
-  return {
-    async GET(_request: NextRequest) {
-      const adminCheck = await checkAdminRole(_request);
-      if (adminCheck.error) return adminCheck.error;
-
-      try {
-        // Fetch from 3 sources in parallel
-        const [usersResult, sessionCount, auditResult] = await Promise.allSettled([
-          // 1. Users + tier breakdown via HMAC proxy (Vibe collection query)
-          vibeServiceRequest<any>('/v1/collections/vibe_app/tables/users/query', {
-            method: 'POST',
-            body: { page: 1, pageSize: 500, orderBy: 'created_at', orderDirection: 'desc' },
-          }),
-
-          // 2. Active sessions from Redis
-          (async () => {
-            const redis = getRedis();
-            const sessionPrefix = getSessionPrefix();
-            const sessionKeys: string[] = [];
-            let cursor = '0';
-            do {
-              const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
-              cursor = newCursor;
-              sessionKeys.push(...keys.filter((k: string) => !k.includes(':ver:')));
-            } while (cursor !== '0');
-            return sessionKeys.length;
-          })(),
-
-          // 3. Recent audit activity via HMAC proxy
-          vibeServiceRequest<any>('/v1/audit?pageSize=10&sortDir=desc', { method: 'GET' }),
-        ]);
-
-        // Parse users — deduplicate by user_id
-        let totalUsers = 0;
-        let tierBreakdown: Record<string, number> = {};
-        if (usersResult.status === 'fulfilled' && usersResult.value.ok && usersResult.value.data) {
-          const data = usersResult.value.data;
-          const rawUsers = data.data || data.documents || data.users || [];
-
-          // Deduplicate by user_id (keeps latest document_id)
-          const userMap = new Map();
-          for (const u of rawUsers) {
-            const uid = u.user_id || u.id || u.document_id;
-            const existing = userMap.get(uid);
-            if (!existing || (u.document_id || '') > (existing.document_id || '')) {
-              userMap.set(uid, u);
-            }
-          }
-          const uniqueUsers = Array.from(userMap.values());
-          totalUsers = uniqueUsers.length;
-
-          // Build tier breakdown from deduplicated users (unless API provides one)
-          tierBreakdown = data.tierBreakdown || data.tiers || {};
-          if (Object.keys(tierBreakdown).length === 0) {
-            for (const user of uniqueUsers) {
-              const tier = user.tier || 'free';
-              tierBreakdown[tier] = (tierBreakdown[tier] || 0) + 1;
-            }
-          }
-        }
-
-        // Parse active sessions count
-        let activeSessions = 0;
-        if (sessionCount.status === 'fulfilled') {
-          activeSessions = sessionCount.value;
-        }
-
-        // Parse audit events for recent activity
-        let recentActivity: any[] = [];
-        if (auditResult.status === 'fulfilled' && auditResult.value.ok && auditResult.value.data) {
-          const data = auditResult.value.data;
-
-          // Handle multiple possible response shapes
-          let events: any[] = [];
-          if (Array.isArray(data)) {
-            events = data;
-          } else if (Array.isArray(data.data)) {
-            events = data.data;
-          } else if (Array.isArray(data.entries)) {
-            events = data.entries;
-          } else if (Array.isArray(data.items)) {
-            events = data.items;
-          } else if (Array.isArray(data.documents)) {
-            events = data.documents;
-          } else if (data.success && Array.isArray(data.results)) {
-            events = data.results;
-          }
-
-          recentActivity = events.slice(0, 5).map((e: any) => ({
-            id: e.audit_log_id || e.id || e.document_id,
-            type: e.category || e.type || 'admin',
-            action: e.action || e.event || e.message || 'Unknown action',
-            actor: e.admin_email || e.actor || e.user || e.actor_email || 'System',
-            target: e.target_type ? `${e.target_type}:${e.target_id}` : (e.target || e.target_user),
-            details: e.description || e.details,
-            timestamp: e.created_at || e.timestamp || e.date,
-            success: e.is_success ?? e.success ?? true,
-          }));
-        }
-
-        // Calculate tier percentages
-        const tiers = Object.entries(tierBreakdown).map(([name, count]) => ({
-          name,
-          count: count as number,
-          pct: totalUsers > 0 ? Math.round(((count as number) / totalUsers) * 100) : 0,
-        }));
-
-        return NextResponse.json({
-          totalUsers,
-          activeSessions,
-          tiers,
-          recentActivity,
-        });
-      } catch (error: any) {
-        console.error('[admin/stats] Error:', error);
-        return NextResponse.json(
-          { error: error.message || 'Internal error' },
-          { status: 500 }
-        );
-      }
-    },
-  };
-}
+/**
+ * Admin Stats API Handler
+ *
+ * Aggregates dashboard statistics from users, Redis sessions, and audit logs.
+ * Uses service account HMAC auth for Vibe API requests.
+ *
+ * @version 1.0
+ * @requires Admin role (vibe_app_admin or payez_admin)
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getSession } from '../../server/auth';
+import { getStartupIDPConfig } from '../../lib/startup-init';
+import { getRedis } from '../../lib/redis';
+import { ADMIN_ROLES } from '../../lib/roles';
+
+interface VibeRequestOptions {
+  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
+  body?: unknown;
+}
+
+async function checkAdminRole(request: NextRequest): Promise<{ isAdmin: boolean; error?: NextResponse }> {
+  const session = await getSession(request) as any;
+
+  if (!session?.user) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Please sign in' }, { status: 401 }),
+    };
+  }
+
+  const userRoles = (session.user?.roles as string[]) || [];
+  const hasAdminRole = ADMIN_ROLES.some(role => userRoles.includes(role));
+
+  if (!hasAdminRole) {
+    return {
+      isAdmin: false,
+      error: NextResponse.json({ success: false, error: 'Admin access required' }, { status: 403 }),
+    };
+  }
+
+  return { isAdmin: true };
+}
+
+async function vibeServiceRequest<T = unknown>(
+  endpoint: string,
+  options: VibeRequestOptions
+): Promise<{ ok: boolean; status: number; data: T | null; error?: string }> {
+  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+  const clientId = process.env.VIBE_CLIENT_ID;
+  const signingKey = process.env.VIBE_HMAC_KEY;
+
+  if (!idpUrl || !clientId || !signingKey) {
+    return { ok: false, status: 500, data: null, error: 'Vibe not configured' };
+  }
+
+  const timestamp = Math.floor(Date.now() / 1000);
+  const stringToSign = `${timestamp}|${options.method}|${endpoint}`;
+
+  const crypto = await import('crypto');
+  const signature = crypto
+    .createHmac('sha256', Buffer.from(signingKey, 'base64'))
+    .update(stringToSign)
+    .digest('base64');
+
+  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
+
+  const idpConfig = getStartupIDPConfig();
+  const idpClientId = idpConfig?.clientSlug || idpConfig?.clientId;
+
+  try {
+    const res = await fetch(proxyUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Vibe-Client-Id': clientId,
+        'X-Vibe-Timestamp': String(timestamp),
+        'X-Vibe-Signature': signature,
+        ...(idpClientId && { 'X-Client-Id': idpClientId }),
+      },
+      body: JSON.stringify({
+        endpoint,
+        method: options.method,
+        data: options.body ?? null,
+      }),
+      cache: 'no-store',
+    });
+
+    if (res.status === 204) return { ok: true, status: 204, data: null };
+    if (!res.ok) {
+      const errorText = await res.text();
+      return { ok: false, status: res.status, data: null, error: errorText };
+    }
+
+    const body = await res.json();
+    return { ok: true, status: res.status, data: body };
+  } catch (error) {
+    return { ok: false, status: 0, data: null, error: String(error) };
+  }
+}
+
+export interface AdminStatsHandlerConfig {
+  appSlug?: string;
+}
+
+/**
+ * GET /api/admin/stats - Dashboard statistics
+ * Aggregates users + tier breakdown, active Redis sessions, and recent audit activity.
+ */
+export function createStatsHandler(config: AdminStatsHandlerConfig) {
+  const getSessionPrefix = () => {
+    const appSlug = config.appSlug || process.env.APP_SLUG || process.env.CLIENT_ID || 'app';
+    return `${appSlug}:sess:`;
+  };
+
+  return {
+    async GET(_request: NextRequest) {
+      const adminCheck = await checkAdminRole(_request);
+      if (adminCheck.error) return adminCheck.error;
+
+      try {
+        // Fetch from 4 sources in parallel
+        const [usersResult, tierDistributionResult, sessionCount, auditResult] = await Promise.allSettled([
+          // 1. Users count via HMAC proxy (Vibe collection query)
+          vibeServiceRequest<any>('/v1/collections/vibe_app/tables/users/query', {
+            method: 'POST',
+            body: { page: 1, pageSize: 500, orderBy: 'created_at', orderDirection: 'desc' },
+          }),
+
+          // 2. Tier distribution from analytics endpoint (uses purchases table)
+          vibeServiceRequest<any>('/v1/analytics/tier-distribution?includeTrend=false', { method: 'GET' }),
+
+          // 3. Active sessions from Redis
+          (async () => {
+            const redis = getRedis();
+            const sessionPrefix = getSessionPrefix();
+            const sessionKeys: string[] = [];
+            let cursor = '0';
+            do {
+              const [newCursor, keys] = await redis.scan(cursor, 'MATCH', `${sessionPrefix}*`, 'COUNT', 100);
+              cursor = newCursor;
+              sessionKeys.push(...keys.filter((k: string) => !k.includes(':ver:')));
+            } while (cursor !== '0');
+            return sessionKeys.length;
+          })(),
+
+          // 4. Recent audit activity via HMAC proxy
+          vibeServiceRequest<any>('/v1/audit?pageSize=10&sortDir=desc', { method: 'GET' }),
+        ]);
+
+        // Parse users — deduplicate by user_id
+        let totalUsers = 0;
+        if (usersResult.status === 'fulfilled' && usersResult.value.ok && usersResult.value.data) {
+          const data = usersResult.value.data;
+          const rawUsers = data.data || data.documents || data.users || [];
+
+          // Deduplicate by user_id (keeps latest document_id)
+          const userMap = new Map();
+          for (const u of rawUsers) {
+            const uid = u.user_id || u.id || u.document_id;
+            const existing = userMap.get(uid);
+            if (!existing || (u.document_id || '') > (existing.document_id || '')) {
+              userMap.set(uid, u);
+            }
+          }
+          totalUsers = userMap.size;
+        }
+
+        // Parse tier distribution from analytics endpoint (uses purchases table)
+        let tierBreakdown: Record<string, number> = {};
+        if (tierDistributionResult.status === 'fulfilled' && tierDistributionResult.value.ok && tierDistributionResult.value.data) {
+          const data = tierDistributionResult.value.data;
+          // Handle response shape: { distribution: [{ tierKey, userCount }, ...] }
+          const distribution = data.distribution || data.data || data.tiers || [];
+          if (Array.isArray(distribution)) {
+            for (const item of distribution) {
+              const tierKey = item.tierKey || item.tier || item.name || 'free';
+              const count = item.userCount || item.count || item.users || 0;
+              tierBreakdown[tierKey] = (tierBreakdown[tierKey] || 0) + count;
+            }
+          }
+        }
+        // Fallback: if no tier data from analytics, show all as free
+        if (Object.keys(tierBreakdown).length === 0) {
+          tierBreakdown = { free: totalUsers };
+        }
+
+        // Parse active sessions count
+        let activeSessions = 0;
+        if (sessionCount.status === 'fulfilled') {
+          activeSessions = sessionCount.value;
+        }
+
+        // Parse audit events for recent activity
+        let recentActivity: any[] = [];
+        if (auditResult.status === 'fulfilled' && auditResult.value.ok && auditResult.value.data) {
+          const data = auditResult.value.data;
+
+          // Handle multiple possible response shapes
+          let events: any[] = [];
+          if (Array.isArray(data)) {
+            events = data;
+          } else if (Array.isArray(data.data)) {
+            events = data.data;
+          } else if (Array.isArray(data.entries)) {
+            events = data.entries;
+          } else if (Array.isArray(data.items)) {
+            events = data.items;
+          } else if (Array.isArray(data.documents)) {
+            events = data.documents;
+          } else if (data.success && Array.isArray(data.results)) {
+            events = data.results;
+          }
+
+          recentActivity = events.slice(0, 5).map((e: any) => ({
+            id: e.audit_log_id || e.id || e.document_id,
+            type: e.category || e.type || 'admin',
+            action: e.action || e.event || e.message || 'Unknown action',
+            actor: e.admin_email || e.actor || e.user || e.actor_email || 'System',
+            target: e.target_type ? `${e.target_type}:${e.target_id}` : (e.target || e.target_user),
+            details: e.description || e.details,
+            timestamp: e.created_at || e.timestamp || e.date,
+            success: e.is_success ?? e.success ?? true,
+          }));
+        }
+
+        // Calculate tier percentages
+        const tiers = Object.entries(tierBreakdown).map(([name, count]) => ({
+          name,
+          count: count as number,
+          pct: totalUsers > 0 ? Math.round(((count as number) / totalUsers) * 100) : 0,
+        }));
+
+        return NextResponse.json({
+          totalUsers,
+          activeSessions,
+          tiers,
+          recentActivity,
+        });
+      } catch (error: any) {
+        console.error('[admin/stats] Error:', error);
+        return NextResponse.json(
+          { error: error.message || 'Internal error' },
+          { status: 500 }
+        );
+      }
+    },
+  };
+}

package/src/server/auth.ts

@@ -8,10 +8,76 @@
 import 'server-only';
 import { createBetterAuthInstance } from '../auth/better-auth';
 import { getIDPClientConfig } from '../lib/idp-client-config';
+import {
+  getSession as getRedisSession,
+  getBetterAuthSession as getBetterAuthRedisSession,
+  type SessionData,
+} from '../lib/session-store';
 
 let authInstance: ReturnType<typeof createBetterAuthInstance> | null = null;
 let authInitPromise: Promise<ReturnType<typeof createBetterAuthInstance>> | null = null;
 
+export type IdpTokenResult =
+  | { success: true; accessToken: string; sessionData: SessionData }
+  | { success: false; error: 'NO_SESSION' | 'NO_TOKEN'; terminal: true };
+
+function buildSessionDataFromAuthSession(session: any): SessionData | null {
+  const user = session?.user;
+  if (!user?.id && !user?.email) {
+    return null;
+  }
+
+  const expiresAt = session?.session?.expiresAt
+    ? new Date(session.session.expiresAt).getTime()
+    : Date.now() + 24 * 60 * 60 * 1000;
+
+  return {
+    userId: user.userId || user.id || '',
+    email: user.email || '',
+    name: user.name || undefined,
+    roles: Array.isArray(user.roles) ? user.roles : [],
+    idpAccessToken: user.idpAccessToken,
+    idpRefreshToken: user.idpRefreshToken,
+    idpAccessTokenExpires: user.idpAccessTokenExpires || expiresAt,
+    mfaVerified: user.mfaVerified ?? user.twoFactorSessionVerified ?? false,
+    oauthProvider: user.oauthProvider,
+    idpClientId: user.idpClientId,
+    merchantId: user.merchantId,
+  };
+}
+
+function attachSessionData(session: any, sessionData: SessionData | null, sessionToken?: string) {
+  if (!sessionData) {
+    return session;
+  }
+
+  const enrichedSessionData = {
+    ...sessionData,
+    ...(sessionToken ? { sessionToken } : {}),
+  };
+
+  (session as any).sessionData = enrichedSessionData;
+
+  if (session?.user) {
+    const user = session.user as any;
+    user.userId = enrichedSessionData.userId || user.userId;
+    user.email = enrichedSessionData.email || user.email;
+    user.name = enrichedSessionData.name || user.name;
+    user.roles = enrichedSessionData.roles || user.roles || [];
+    user.idpAccessToken = enrichedSessionData.idpAccessToken;
+    user.idpRefreshToken = enrichedSessionData.idpRefreshToken;
+    user.idpAccessTokenExpires = enrichedSessionData.idpAccessTokenExpires;
+    user.mfaVerified = enrichedSessionData.mfaVerified;
+    user.twoFactorSessionVerified =
+      enrichedSessionData.mfaVerified ?? user.twoFactorSessionVerified;
+    user.oauthProvider = enrichedSessionData.oauthProvider || user.oauthProvider;
+    user.idpClientId = enrichedSessionData.idpClientId || user.idpClientId;
+    user.merchantId = enrichedSessionData.merchantId || user.merchantId;
+  }
+
+  return session;
+}
+
 /**
  * Get the initialized Better Auth instance (singleton).
  */
@@ -40,31 +106,75 @@ export async function getSession(request?: Request): Promise<any> {
     const session = await auth.api.getSession({ headers: request.headers });
     if (!session?.session?.token || !session?.user) return session;
 
-    // Enrich with IDP tokens from Redis (stored by post-login hook)
+    const sessionToken = session.session.token as string;
+    let sessionData: SessionData | null = null;
+
+    // Prefer the app's normalized Redis session. Fall back to Better Auth's
+    // secondary storage record, then finally to whatever Better Auth already
+    // put on the request session object.
     try {
-      const { getRedis } = await import('../lib/redis');
-      const { getAppSlug } = await import('../lib/app-slug');
-      const baKey = `ba:${getAppSlug()}:${session.session.token}`;
-      const baRaw = await getRedis().get(baKey);
-      if (baRaw) {
-        const baData = JSON.parse(baRaw);
-        if (baData.idpTokens) {
-          const u = session.user as any;
-          u.roles = baData.idpTokens.roles || [];
-          u.userId = baData.idpTokens.userId;
-          u.idpAccessToken = baData.idpTokens.idpAccessToken;
-          u.idpRefreshToken = baData.idpTokens.idpRefreshToken;
-          u.idpAccessTokenExpires = baData.idpTokens.idpAccessTokenExpires;
-        }
+      sessionData = await getRedisSession(sessionToken);
+      if (!sessionData) {
+        sessionData = await getBetterAuthRedisSession(sessionToken);
       }
     } catch { /* Redis unavailable */ }
 
-    return session;
+    if (!sessionData) {
+      sessionData = buildSessionDataFromAuthSession(session);
+    }
+
+    return attachSessionData(session, sessionData, sessionToken);
   } catch {
     return null;
   }
 }
 
+/**
+ * Get normalized session data for the current request.
+ *
+ * This prefers the app's Redis session because it carries the canonical
+ * IDP token, roles, and tenant-specific user identity used by app routes.
+ */
+export async function getSessionData(request?: Request): Promise<SessionData | null> {
+  const session = await getSession(request);
+  const sessionData =
+    ((session as any)?.sessionData as SessionData | undefined) ||
+    buildSessionDataFromAuthSession(session);
+
+  if (!sessionData) {
+    return null;
+  }
+
+  const sessionToken = session?.session?.token as string | undefined;
+  return sessionToken
+    ? { ...sessionData, sessionToken }
+    : sessionData;
+}
+
+/**
+ * Get the current request's IDP access token without triggering a refresh.
+ *
+ * Use this for routes that only need the currently-issued bearer token and
+ * should fail closed instead of performing token lifecycle work.
+ */
+export async function getIdpToken(request?: Request): Promise<IdpTokenResult> {
+  const sessionData = await getSessionData(request);
+  if (!sessionData) {
+    return { success: false, error: 'NO_SESSION', terminal: true };
+  }
+
+  const accessToken = sessionData.idpAccessToken || (sessionData as any).accessToken;
+  if (!accessToken) {
+    return { success: false, error: 'NO_TOKEN', terminal: true };
+  }
+
+  return {
+    success: true,
+    accessToken,
+    sessionData,
+  };
+}
+
 /**
  * Get the current session, throwing if not authenticated.
  * Use in API handlers that require auth.