@payez/next-mvp 4.0.6 → 4.0.8

package/dist/auth/better-auth.d.ts

@@ -33,11 +33,15 @@ export declare function createBetterAuthInstance(idpConfig: IDPClientConfig): im
     secret: string;
     socialProviders: Record<string, BetterAuthSocialProvider>;
     trustedOrigins: string[];
+    secondaryStorage: {
+        get: (key: string) => Promise<string | null>;
+        set: (key: string, value: string, ttl?: number) => Promise<void>;
+        delete: (key: string) => Promise<void>;
+    };
     session: {
         cookieCache: {
             enabled: true;
             maxAge: number;
-            refreshCache: true;
         };
     };
     advanced: {
@@ -66,6 +70,13 @@ export declare function createBetterAuthInstance(idpConfig: IDPClientConfig): im
  * Better Auth is always enabled (NextAuth removed in 4.0).
  */
 export declare function isBetterAuthEnabled(): boolean;
+/**
+ * Get Better Auth Next.js route handlers (GET, POST).
+ * Initializes Better Auth from IDP config on first call, caches the instance.
+ */
+declare let cachedInstance: any;
+export { cachedInstance as __betterAuthInstance };
+export declare function getBetterAuthInstance(): Promise<any>;
 /**
  * Get flag-gated auth handler for Next.js route.
  *

package/dist/auth/better-auth.js

@@ -10,9 +10,11 @@
  * @see BETTER-AUTH-MIGRATION-SPEC.md
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.__betterAuthInstance = void 0;
 exports.buildBetterAuthProviders = buildBetterAuthProviders;
 exports.createBetterAuthInstance = createBetterAuthInstance;
 exports.isBetterAuthEnabled = isBetterAuthEnabled;
+exports.getBetterAuthInstance = getBetterAuthInstance;
 exports.getBetterAuthHandler = getBetterAuthHandler;
 require("server-only");
 const better_auth_1 = require("better-auth");
@@ -20,6 +22,7 @@ const next_js_1 = require("better-auth/next-js");
 const next_js_2 = require("better-auth/next-js");
 const idp_client_config_1 = require("../lib/idp-client-config");
 const app_slug_1 = require("../lib/app-slug");
+const redis_1 = require("../lib/redis");
 /**
  * Build Better Auth social providers from IDP config.
  */
@@ -61,13 +64,39 @@ function createBetterAuthInstance(idpConfig) {
             'http://localhost:3400',
             'http://localhost:3600',
         ],
-        // No database — stateless mode. Better Auth defaults to JWE cookie cache.
-        // Session cookie cache with refreshCache for DB-less setup.
+        // Redis-backed session storage via secondaryStorage
+        secondaryStorage: {
+            get: async (key) => {
+                try {
+                    return await (0, redis_1.getRedis)().get(`ba:${appSlug}:${key}`);
+                }
+                catch {
+                    return null;
+                }
+            },
+            set: async (key, value, ttl) => {
+                try {
+                    const redis = (0, redis_1.getRedis)();
+                    if (ttl) {
+                        await redis.setex(`ba:${appSlug}:${key}`, ttl, value);
+                    }
+                    else {
+                        await redis.setex(`ba:${appSlug}:${key}`, 7 * 24 * 60 * 60, value);
+                    }
+                }
+                catch { /* Redis unavailable — cookie cache still works */ }
+            },
+            delete: async (key) => {
+                try {
+                    await (0, redis_1.getRedis)().del(`ba:${appSlug}:${key}`);
+                }
+                catch { /* ignore */ }
+            },
+        },
         session: {
             cookieCache: {
                 enabled: true,
                 maxAge: 300,
-                refreshCache: true,
             },
         },
         // Cookie prefix must match slim-middleware expectations ({slug}.session-token)
@@ -96,6 +125,7 @@ function isBetterAuthEnabled() {
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 let cachedInstance = null;
+exports.__betterAuthInstance = cachedInstance;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 let initPromise = null;
 async function getBetterAuthInstance() {
@@ -104,7 +134,7 @@ async function getBetterAuthInstance() {
     if (!initPromise) {
         initPromise = (0, idp_client_config_1.getIDPClientConfig)().then(config => {
             const instance = createBetterAuthInstance(config);
-            cachedInstance = instance;
+            exports.__betterAuthInstance = cachedInstance = instance;
             console.log('[BETTER_AUTH] Instance created for', config.clientSlug || config.clientId);
             return instance;
         });

package/dist/server/auth.d.ts

@@ -16,11 +16,15 @@ export declare function getAuthInstance(): Promise<import("better-auth/types").A
     secret: string;
     socialProviders: Record<string, import("../auth/better-auth").BetterAuthSocialProvider>;
     trustedOrigins: string[];
+    secondaryStorage: {
+        get: (key: string) => Promise<string | null>;
+        set: (key: string, value: string, ttl?: number) => Promise<void>;
+        delete: (key: string) => Promise<void>;
+    };
     session: {
         cookieCache: {
             enabled: true;
             maxAge: number;
-            refreshCache: true;
         };
     };
     advanced: {

package/dist/server/decode-session.d.ts

@@ -1,10 +1,8 @@
 /**
  * Server-Side Session Decoder
  *
- * Reads the JWT session cookie, decodes it with jose, and fetches the
- * full session from Redis. Used by authGuard (layouts) and withAuth (API routes).
- *
- * Zero HTTP self-fetches. Direct Redis reads only.
+ * Uses Better Auth's server-side session API to get the current session.
+ * Falls back to legacy JWT + Redis path if Better Auth session not found.
  */
 import 'server-only';
 import { type JWTPayload } from 'jose';
@@ -17,8 +15,8 @@ export interface DecodedSession {
     };
 }
 /**
- * Decode the session from cookies and Redis.
- * Returns null if no valid session exists.
+ * Decode the session from cookies.
+ * Tries Better Auth first, falls back to legacy JWT + Redis.
  *
  * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
  *                       If omitted, uses next/headers cookies() for server components.

package/dist/server/decode-session.js

@@ -2,11 +2,42 @@
 /**
  * Server-Side Session Decoder
  *
- * Reads the JWT session cookie, decodes it with jose, and fetches the
- * full session from Redis. Used by authGuard (layouts) and withAuth (API routes).
- *
- * Zero HTTP self-fetches. Direct Redis reads only.
+ * Uses Better Auth's server-side session API to get the current session.
+ * Falls back to legacy JWT + Redis path if Better Auth session not found.
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.decodeSession = decodeSession;
 require("server-only");
@@ -17,17 +48,100 @@ const idp_client_config_1 = require("../lib/idp-client-config");
 const app_slug_1 = require("../lib/app-slug");
 const startup_init_1 = require("../lib/startup-init");
 /**
- * Decode the session from cookies and Redis.
- * Returns null if no valid session exists.
+ * Try Better Auth's server-side session API.
+ * Returns a DecodedSession if Better Auth has an active session, null otherwise.
+ */
+async function tryBetterAuthSession(requestCookies) {
+    try {
+        const { getBetterAuthHandler } = await Promise.resolve().then(() => __importStar(require('../auth/better-auth')));
+        // getBetterAuthHandler initializes the instance; we need the raw instance
+        const { default: getBetterAuthInstanceFn } = await Promise.resolve().then(() => __importStar(require('../auth/better-auth'))).then(m => ({ default: m.getBetterAuthInstance || null }))
+            .catch(() => ({ default: null }));
+        // Access the cached instance via the module's internal getter
+        let auth = null;
+        try {
+            // Force handler init which caches the instance, then use the API
+            await getBetterAuthHandler();
+            // The instance is cached in the module — re-import to access it
+            const mod = await Promise.resolve().then(() => __importStar(require('../auth/better-auth')));
+            auth = mod.__betterAuthInstance;
+        }
+        catch {
+            return null;
+        }
+        if (!auth?.api?.getSession) {
+            return null;
+        }
+        // Build headers from cookies for Better Auth to read
+        const cookieStore = requestCookies || (await (0, headers_1.cookies)());
+        const headerObj = new Headers();
+        // Collect all cookies into a Cookie header
+        if ('getAll' in cookieStore && typeof cookieStore.getAll === 'function') {
+            const allCookies = cookieStore.getAll();
+            const cookieStr = allCookies.map((c) => `${c.name}=${c.value}`).join('; ');
+            headerObj.set('cookie', cookieStr);
+        }
+        else {
+            // Fallback: read known cookie names
+            const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
+            const secureCookieName = (0, app_slug_1.getSecureSessionCookieName)();
+            const parts = [];
+            const sc = cookieStore.get(secureCookieName);
+            if (sc?.value)
+                parts.push(`${secureCookieName}=${sc.value}`);
+            const nc = cookieStore.get(sessionCookieName);
+            if (nc?.value)
+                parts.push(`${sessionCookieName}=${nc.value}`);
+            if (parts.length > 0)
+                headerObj.set('cookie', parts.join('; '));
+        }
+        const result = await auth.api.getSession({ headers: headerObj });
+        if (!result?.session || !result?.user) {
+            return null;
+        }
+        // Map Better Auth session to SessionData
+        const sessionData = {
+            userId: result.user.id || '',
+            email: result.user.email || '',
+            name: result.user.name || undefined,
+            roles: [],
+            idpAccessTokenExpires: result.session.expiresAt
+                ? new Date(result.session.expiresAt).getTime()
+                : Date.now() + 24 * 60 * 60 * 1000,
+            mfaVerified: true, // Social login doesn't require MFA
+            oauthProvider: 'google',
+        };
+        const jwtPayload = {
+            sub: result.user.id,
+            email: result.user.email,
+            name: result.user.name,
+            iat: Math.floor(Date.now() / 1000),
+            exp: sessionData.idpAccessTokenExpires / 1000,
+            sessionToken: result.session.token,
+        };
+        return { sessionData, jwtPayload };
+    }
+    catch (error) {
+        console.warn('[DECODE-SESSION] Better Auth session check failed:', error instanceof Error ? error.message : String(error));
+        return null;
+    }
+}
+/**
+ * Decode the session from cookies.
+ * Tries Better Auth first, falls back to legacy JWT + Redis.
  *
  * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
  *                       If omitted, uses next/headers cookies() for server components.
  */
 async function decodeSession(requestCookies) {
     try {
-        // Ensure startup initialization is complete (Redis, IDP config, etc.)
         await (0, startup_init_1.ensureInitialized)();
-        // Get the JWT cookie value
+        // Try Better Auth session first
+        const betterAuthSession = await tryBetterAuthSession(requestCookies);
+        if (betterAuthSession) {
+            return betterAuthSession;
+        }
+        // Fall back to legacy JWT + Redis path
         const cookieStore = requestCookies || (await (0, headers_1.cookies)());
         const sessionCookieName = (0, app_slug_1.getSessionCookieName)();
         const secureCookieName = (0, app_slug_1.getSecureSessionCookieName)();
@@ -36,14 +150,12 @@ async function decodeSession(requestCookies) {
         if (!cookieValue) {
             return null;
         }
-        // Get the NextAuth secret from IDP config
         const config = await (0, idp_client_config_1.getIDPClientConfig)();
         const secret = config.nextAuthSecret;
         if (!secret) {
             console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
             return null;
         }
-        // Decode the JWT (same pattern as test-aware-get-token.ts)
         const secretKey = new TextEncoder().encode(secret);
         let payload;
         try {
@@ -51,17 +163,14 @@ async function decodeSession(requestCookies) {
             payload = result.payload;
         }
         catch (jwtError) {
-            // JWT decode failed - cookie may be corrupted or secret rotated
             console.warn('[DECODE-SESSION] JWT verification failed:', jwtError instanceof Error ? jwtError.message : String(jwtError));
             return null;
         }
-        // Extract the Redis session ID from JWT payload
         const sessionToken = payload.sessionToken || payload.redisSessionId;
         if (!sessionToken) {
             console.warn('[DECODE-SESSION] JWT payload missing sessionToken/redisSessionId');
             return null;
         }
-        // Fetch session from Redis (direct, no HTTP)
         const sessionData = await (0, session_store_1.getSession)(sessionToken);
         if (!sessionData) {
             return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "4.0.6",
+  "version": "4.0.8",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/better-auth.ts

@@ -16,6 +16,7 @@ import { toNextJsHandler } from 'better-auth/next-js';
 import type { IDPClientConfig } from '../lib/idp-client-config';
 import { getIDPClientConfig } from '../lib/idp-client-config';
 import { getAppSlug } from '../lib/app-slug';
+import { getRedis } from '../lib/redis';
 
 /**
  * Better Auth social provider config shape.
@@ -76,13 +77,34 @@ export function createBetterAuthInstance(idpConfig: IDPClientConfig) {
       'http://localhost:3600',
     ],
 
-    // No database — stateless mode. Better Auth defaults to JWE cookie cache.
-    // Session cookie cache with refreshCache for DB-less setup.
+    // Redis-backed session storage via secondaryStorage
+    secondaryStorage: {
+      get: async (key: string) => {
+        try {
+          return await getRedis().get(`ba:${appSlug}:${key}`);
+        } catch { return null; }
+      },
+      set: async (key: string, value: string, ttl?: number) => {
+        try {
+          const redis = getRedis();
+          if (ttl) {
+            await redis.setex(`ba:${appSlug}:${key}`, ttl, value);
+          } else {
+            await redis.setex(`ba:${appSlug}:${key}`, 7 * 24 * 60 * 60, value);
+          }
+        } catch { /* Redis unavailable — cookie cache still works */ }
+      },
+      delete: async (key: string) => {
+        try {
+          await getRedis().del(`ba:${appSlug}:${key}`);
+        } catch { /* ignore */ }
+      },
+    },
+
     session: {
       cookieCache: {
         enabled: true,
         maxAge: 300,
-        refreshCache: true,
       },
     },
 
@@ -118,7 +140,11 @@ let cachedInstance: any = null;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 let initPromise: Promise<any> | null = null;
 
-async function getBetterAuthInstance() {
+// Expose for server-side session access (decode-session.ts)
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export { cachedInstance as __betterAuthInstance };
+
+export async function getBetterAuthInstance() {
   if (cachedInstance) return cachedInstance;
 
   if (!initPromise) {

package/src/server/decode-session.ts

@@ -1,91 +1,175 @@
-/**
- * Server-Side Session Decoder
- *
- * Reads the JWT session cookie, decodes it with jose, and fetches the
- * full session from Redis. Used by authGuard (layouts) and withAuth (API routes).
- *
- * Zero HTTP self-fetches. Direct Redis reads only.
- */
-
-import 'server-only';
-import { cookies } from 'next/headers';
-import { jwtVerify, type JWTPayload } from 'jose';
-import { getSession, type SessionData } from '../lib/session-store';
-import { getIDPClientConfig } from '../lib/idp-client-config';
-import { getSessionCookieName, getSecureSessionCookieName } from '../lib/app-slug';
-import { ensureInitialized } from '../lib/startup-init';
-
-export interface DecodedSession {
-  sessionData: SessionData;
-  jwtPayload: JWTPayload & { sessionToken?: string; redisSessionId?: string };
-}
-
-/**
- * Decode the session from cookies and Redis.
- * Returns null if no valid session exists.
- *
- * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
- *                       If omitted, uses next/headers cookies() for server components.
- */
-export async function decodeSession(
-  requestCookies?: { get: (name: string) => { value: string } | undefined }
-): Promise<DecodedSession | null> {
-  try {
-    // Ensure startup initialization is complete (Redis, IDP config, etc.)
-    await ensureInitialized();
-
-    // Get the JWT cookie value
-    const cookieStore = requestCookies || (await cookies());
-    const sessionCookieName = getSessionCookieName();
-    const secureCookieName = getSecureSessionCookieName();
-
-    const cookieValue =
-      cookieStore.get(secureCookieName)?.value ||
-      cookieStore.get(sessionCookieName)?.value;
-
-    if (!cookieValue) {
-      return null;
-    }
-
-    // Get the NextAuth secret from IDP config
-    const config = await getIDPClientConfig();
-    const secret = config.nextAuthSecret;
-    if (!secret) {
-      console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
-      return null;
-    }
-
-    // Decode the JWT (same pattern as test-aware-get-token.ts)
-    const secretKey = new TextEncoder().encode(secret);
-    let payload: JWTPayload;
-    try {
-      const result = await jwtVerify(cookieValue, secretKey);
-      payload = result.payload;
-    } catch (jwtError) {
-      // JWT decode failed - cookie may be corrupted or secret rotated
-      console.warn('[DECODE-SESSION] JWT verification failed:', jwtError instanceof Error ? jwtError.message : String(jwtError));
-      return null;
-    }
-
-    // Extract the Redis session ID from JWT payload
-    const sessionToken = (payload as any).sessionToken || (payload as any).redisSessionId;
-    if (!sessionToken) {
-      console.warn('[DECODE-SESSION] JWT payload missing sessionToken/redisSessionId');
-      return null;
-    }
-
-    // Fetch session from Redis (direct, no HTTP)
-    const sessionData = await getSession(sessionToken);
-    if (!sessionData) {
-      return null;
-    }
-
-    return {
-      sessionData,
-      jwtPayload: payload as DecodedSession['jwtPayload'],
-    };
-  } catch (error) {
-    console.error('[DECODE-SESSION] Error:', error instanceof Error ? error.message : String(error));
-    return null;
-  }
-}
+/**
+ * Server-Side Session Decoder
+ *
+ * Uses Better Auth's server-side session API to get the current session.
+ * Falls back to legacy JWT + Redis path if Better Auth session not found.
+ */
+
+import 'server-only';
+import { cookies } from 'next/headers';
+import { jwtVerify, type JWTPayload } from 'jose';
+import { getSession, type SessionData } from '../lib/session-store';
+import { getIDPClientConfig } from '../lib/idp-client-config';
+import { getSessionCookieName, getSecureSessionCookieName } from '../lib/app-slug';
+import { ensureInitialized } from '../lib/startup-init';
+
+export interface DecodedSession {
+  sessionData: SessionData;
+  jwtPayload: JWTPayload & { sessionToken?: string; redisSessionId?: string };
+}
+
+/**
+ * Try Better Auth's server-side session API.
+ * Returns a DecodedSession if Better Auth has an active session, null otherwise.
+ */
+async function tryBetterAuthSession(
+  requestCookies?: { get: (name: string) => { value: string } | undefined }
+): Promise<DecodedSession | null> {
+  try {
+    const { getBetterAuthHandler } = await import('../auth/better-auth');
+    // getBetterAuthHandler initializes the instance; we need the raw instance
+    const { default: getBetterAuthInstanceFn } = await import('../auth/better-auth')
+      .then(m => ({ default: (m as any).getBetterAuthInstance || null }))
+      .catch(() => ({ default: null }));
+
+    // Access the cached instance via the module's internal getter
+    let auth: any = null;
+    try {
+      // Force handler init which caches the instance, then use the API
+      await getBetterAuthHandler();
+      // The instance is cached in the module — re-import to access it
+      const mod = await import('../auth/better-auth');
+      auth = (mod as any).__betterAuthInstance;
+    } catch {
+      return null;
+    }
+
+    if (!auth?.api?.getSession) {
+      return null;
+    }
+
+    // Build headers from cookies for Better Auth to read
+    const cookieStore = requestCookies || (await cookies());
+    const headerObj = new Headers();
+
+    // Collect all cookies into a Cookie header
+    if ('getAll' in cookieStore && typeof cookieStore.getAll === 'function') {
+      const allCookies = (cookieStore as any).getAll();
+      const cookieStr = allCookies.map((c: any) => `${c.name}=${c.value}`).join('; ');
+      headerObj.set('cookie', cookieStr);
+    } else {
+      // Fallback: read known cookie names
+      const sessionCookieName = getSessionCookieName();
+      const secureCookieName = getSecureSessionCookieName();
+      const parts: string[] = [];
+      const sc = cookieStore.get(secureCookieName);
+      if (sc?.value) parts.push(`${secureCookieName}=${sc.value}`);
+      const nc = cookieStore.get(sessionCookieName);
+      if (nc?.value) parts.push(`${sessionCookieName}=${nc.value}`);
+      if (parts.length > 0) headerObj.set('cookie', parts.join('; '));
+    }
+
+    const result = await auth.api.getSession({ headers: headerObj });
+
+    if (!result?.session || !result?.user) {
+      return null;
+    }
+
+    // Map Better Auth session to SessionData
+    const sessionData: SessionData = {
+      userId: result.user.id || '',
+      email: result.user.email || '',
+      name: result.user.name || undefined,
+      roles: [],
+      idpAccessTokenExpires: result.session.expiresAt
+        ? new Date(result.session.expiresAt).getTime()
+        : Date.now() + 24 * 60 * 60 * 1000,
+      mfaVerified: true, // Social login doesn't require MFA
+      oauthProvider: 'google',
+    };
+
+    const jwtPayload: DecodedSession['jwtPayload'] = {
+      sub: result.user.id,
+      email: result.user.email,
+      name: result.user.name,
+      iat: Math.floor(Date.now() / 1000),
+      exp: sessionData.idpAccessTokenExpires / 1000,
+      sessionToken: result.session.token,
+    };
+
+    return { sessionData, jwtPayload };
+  } catch (error) {
+    console.warn('[DECODE-SESSION] Better Auth session check failed:', error instanceof Error ? error.message : String(error));
+    return null;
+  }
+}
+
+/**
+ * Decode the session from cookies.
+ * Tries Better Auth first, falls back to legacy JWT + Redis.
+ *
+ * @param requestCookies Optional cookie getter for API route context (NextRequest.cookies).
+ *                       If omitted, uses next/headers cookies() for server components.
+ */
+export async function decodeSession(
+  requestCookies?: { get: (name: string) => { value: string } | undefined }
+): Promise<DecodedSession | null> {
+  try {
+    await ensureInitialized();
+
+    // Try Better Auth session first
+    const betterAuthSession = await tryBetterAuthSession(requestCookies);
+    if (betterAuthSession) {
+      return betterAuthSession;
+    }
+
+    // Fall back to legacy JWT + Redis path
+    const cookieStore = requestCookies || (await cookies());
+    const sessionCookieName = getSessionCookieName();
+    const secureCookieName = getSecureSessionCookieName();
+
+    const cookieValue =
+      cookieStore.get(secureCookieName)?.value ||
+      cookieStore.get(sessionCookieName)?.value;
+
+    if (!cookieValue) {
+      return null;
+    }
+
+    const config = await getIDPClientConfig();
+    const secret = config.nextAuthSecret;
+    if (!secret) {
+      console.error('[DECODE-SESSION] No nextAuthSecret available from IDP config');
+      return null;
+    }
+
+    const secretKey = new TextEncoder().encode(secret);
+    let payload: JWTPayload;
+    try {
+      const result = await jwtVerify(cookieValue, secretKey);
+      payload = result.payload;
+    } catch (jwtError) {
+      console.warn('[DECODE-SESSION] JWT verification failed:', jwtError instanceof Error ? jwtError.message : String(jwtError));
+      return null;
+    }
+
+    const sessionToken = (payload as any).sessionToken || (payload as any).redisSessionId;
+    if (!sessionToken) {
+      console.warn('[DECODE-SESSION] JWT payload missing sessionToken/redisSessionId');
+      return null;
+    }
+
+    const sessionData = await getSession(sessionToken);
+    if (!sessionData) {
+      return null;
+    }
+
+    return {
+      sessionData,
+      jwtPayload: payload as DecodedSession['jwtPayload'],
+    };
+  } catch (error) {
+    console.error('[DECODE-SESSION] Error:', error instanceof Error ? error.message : String(error));
+    return null;
+  }
+}