@adaptic/backend-legacy 0.0.70 → 0.0.72

package/config/tracing.cjs

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initTracing = initTracing;
+exports.shutdownTracing = shutdownTracing;
+const sdk_node_1 = require("@opentelemetry/sdk-node");
+const exporter_trace_otlp_http_1 = require("@opentelemetry/exporter-trace-otlp-http");
+const instrumentation_http_1 = require("@opentelemetry/instrumentation-http");
+const instrumentation_express_1 = require("@opentelemetry/instrumentation-express");
+const instrumentation_graphql_1 = require("@opentelemetry/instrumentation-graphql");
+const resources_1 = require("@opentelemetry/resources");
+const semantic_conventions_1 = require("@opentelemetry/semantic-conventions");
+const sdk_trace_node_1 = require("@opentelemetry/sdk-trace-node");
+const logger_1 = require("../utils/logger.cjs");
+const SERVICE_NAME = 'backend-legacy';
+/**
+ * Reads the package version for trace resource attributes.
+ * Falls back to 'unknown' if the version cannot be determined.
+ */
+function getPackageVersion() {
+    try {
+        const pkg = require('../../package.json.cjs');
+        return pkg.version || 'unknown';
+    }
+    catch (_a) {
+        return 'unknown';
+    }
+}
+/**
+ * Resolves the OTLP endpoint from environment variables.
+ * Defaults to http://localhost:4318/v1/traces (standard OTLP HTTP endpoint).
+ */
+function getOtlpEndpoint() {
+    return (process.env.OTEL_EXPORTER_OTLP_ENDPOINT || 'http://localhost:4318/v1/traces');
+}
+/**
+ * Determines if tracing is enabled.
+ * Disabled by default in development; enabled in production and staging.
+ * Can be explicitly controlled via OTEL_TRACING_ENABLED env var.
+ */
+function isTracingEnabled() {
+    const explicitSetting = process.env.OTEL_TRACING_ENABLED;
+    if (explicitSetting !== undefined) {
+        return explicitSetting === 'true' || explicitSetting === '1';
+    }
+    const env = process.env.NODE_ENV || 'development';
+    return env === 'production' || env === 'staging';
+}
+let sdk = null;
+/**
+ * Initializes OpenTelemetry tracing for the backend-legacy service.
+ *
+ * Configures:
+ * - HTTP instrumentation for incoming/outgoing HTTP requests
+ * - Express instrumentation for route-level spans
+ * - GraphQL instrumentation for resolver-level spans
+ * - OTLP HTTP exporter for sending traces to a collector (e.g., Jaeger, Grafana Tempo)
+ *
+ * Environment variables:
+ * - OTEL_TRACING_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ * - OTEL_EXPORTER_OTLP_ENDPOINT: Collector endpoint (default: http://localhost:4318/v1/traces)
+ * - OTEL_SERVICE_NAME: Override service name (default: 'backend-legacy')
+ *
+ * Call this function before any other imports that need instrumentation (e.g., before Express/Apollo setup).
+ */
+function initTracing() {
+    if (!isTracingEnabled()) {
+        logger_1.logger.info('OpenTelemetry tracing is disabled', {
+            reason: 'OTEL_TRACING_ENABLED not set or environment is development',
+        });
+        return;
+    }
+    const endpoint = getOtlpEndpoint();
+    const serviceName = process.env.OTEL_SERVICE_NAME || SERVICE_NAME;
+    const serviceVersion = getPackageVersion();
+    const traceExporter = new exporter_trace_otlp_http_1.OTLPTraceExporter({
+        url: endpoint,
+    });
+    const resource = (0, resources_1.resourceFromAttributes)({
+        [semantic_conventions_1.ATTR_SERVICE_NAME]: serviceName,
+        [semantic_conventions_1.ATTR_SERVICE_VERSION]: serviceVersion,
+        'deployment.environment': process.env.NODE_ENV || 'development',
+    });
+    sdk = new sdk_node_1.NodeSDK({
+        resource,
+        spanProcessors: [new sdk_trace_node_1.BatchSpanProcessor(traceExporter)],
+        instrumentations: [
+            new instrumentation_http_1.HttpInstrumentation({
+                ignoreIncomingRequestHook: (req) => {
+                    // Skip health check endpoints to reduce trace noise
+                    return req.url === '/health' || req.url === '/metrics';
+                },
+            }),
+            new instrumentation_express_1.ExpressInstrumentation(),
+            new instrumentation_graphql_1.GraphQLInstrumentation({
+                mergeItems: true,
+                allowValues: true,
+                depth: 5,
+            }),
+        ],
+    });
+    sdk.start();
+    logger_1.logger.info('OpenTelemetry tracing initialized', {
+        endpoint,
+        serviceName,
+        serviceVersion,
+    });
+}
+/**
+ * Gracefully shuts down the OpenTelemetry SDK.
+ * Should be called during application shutdown (SIGTERM/SIGINT handlers).
+ * Flushes any pending spans before shutting down.
+ */
+async function shutdownTracing() {
+    if (sdk) {
+        try {
+            await sdk.shutdown();
+            logger_1.logger.info('OpenTelemetry tracing shut down successfully');
+        }
+        catch (shutdownError) {
+            logger_1.logger.error('Error shutting down OpenTelemetry tracing', {
+                error: shutdownError instanceof Error
+                    ? shutdownError.message
+                    : String(shutdownError),
+            });
+        }
+    }
+}
+//# sourceMappingURL=tracing.js.map

package/config/tracing.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Initializes OpenTelemetry tracing for the backend-legacy service.
+ *
+ * Configures:
+ * - HTTP instrumentation for incoming/outgoing HTTP requests
+ * - Express instrumentation for route-level spans
+ * - GraphQL instrumentation for resolver-level spans
+ * - OTLP HTTP exporter for sending traces to a collector (e.g., Jaeger, Grafana Tempo)
+ *
+ * Environment variables:
+ * - OTEL_TRACING_ENABLED: Explicit on/off ('true'/'false'). Defaults to on in production/staging.
+ * - OTEL_EXPORTER_OTLP_ENDPOINT: Collector endpoint (default: http://localhost:4318/v1/traces)
+ * - OTEL_SERVICE_NAME: Override service name (default: 'backend-legacy')
+ *
+ * Call this function before any other imports that need instrumentation (e.g., before Express/Apollo setup).
+ */
+export declare function initTracing(): void;
+/**
+ * Gracefully shuts down the OpenTelemetry SDK.
+ * Should be called during application shutdown (SIGTERM/SIGINT handlers).
+ * Flushes any pending spans before shutting down.
+ */
+export declare function shutdownTracing(): Promise<void>;
+//# sourceMappingURL=tracing.d.ts.map

package/config/tracing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../src/config/tracing.ts"],"names":[],"mappings":"AAsDA;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAgDlC;AAED;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAcrD"}

package/config/tracing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.js","sourceRoot":"","sources":["../../src/config/tracing.ts"],"names":[],"mappings":";;AAsEA,kCAgDC;AAOD,0CAcC;AA3ID,sDAAkD;AAClD,sFAA4E;AAC5E,8EAA0E;AAC1E,oFAAgF;AAChF,oFAAgF;AAChF,wDAAkE;AAClE,8EAG6C;AAC7C,kEAAmE;AACnE,4CAAyC;AAEzC,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC;;;GAGG;AACH,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,OAAQ,GAAG,CAAC,OAAkB,IAAI,SAAS,CAAC;IAC9C,CAAC;IAAC,WAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe;IACtB,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,iCAAiC,CAC7E,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB;IACvB,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACzD,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,eAAe,KAAK,MAAM,IAAI,eAAe,KAAK,GAAG,CAAC;IAC/D,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;IAClD,OAAO,GAAG,KAAK,YAAY,IAAI,GAAG,KAAK,SAAS,CAAC;AACnD,CAAC;AAED,IAAI,GAAG,GAAmB,IAAI,CAAC;AAE/B;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,WAAW;IACzB,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC;QACxB,eAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;YAC/C,MAAM,EAAE,4DAA4D;SACrE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAC;IACnC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,YAAY,CAAC;IAClE,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;IAE3C,MAAM,aAAa,GAAG,IAAI,4CAAiB,CAAC;QAC1C,GAAG,EAAE,QAAQ;KACd,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAA,kCAAsB,EAAC;QACtC,CAAC,wCAAiB,CAAC,EAAE,WAAW;QAChC,CAAC,2CAAoB,CAAC,EAAE,cAAc;QACtC,wBAAwB,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa;KAChE,CAAC,CAAC;IAEH,GAAG,GAAG,IAAI,kBAAO,CAAC;QAChB,QAAQ;QACR,cAAc,EAAE,CAAC,IAAI,mCAAkB,CAAC,aAAa,CAAC,CAAC;QACvD,gBAAgB,EAAE;YAChB,IAAI,0CAAmB,CAAC;gBACtB,yBAAyB,EAAE,CAAC,GAAG,EAAE,EAAE;oBACjC,oDAAoD;oBACpD,OAAO,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,UAAU,CAAC;gBACzD,CAAC;aACF,CAAC;YACF,IAAI,gDAAsB,EAAE;YAC5B,IAAI,gDAAsB,CAAC;gBACzB,UAAU,EAAE,IAAI;gBAChB,WAAW,EAAE,IAAI;gBACjB,KAAK,EAAE,CAAC;aACT,CAAC;SACH;KACF,CAAC,CAAC;IAEH,GAAG,CAAC,KAAK,EAAE,CAAC;IAEZ,eAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;QAC/C,QAAQ;QACR,WAAW;QACX,cAAc;KACf,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,eAAe;IACnC,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,QAAQ,EAAE,CAAC;YACrB,eAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,aAAa,EAAE,CAAC;YACvB,eAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE;gBACxD,KAAK,EACH,aAAa,YAAY,KAAK;oBAC5B,CAAC,CAAC,aAAa,CAAC,OAAO;oBACvB,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC"}

package/middleware/audit-logger.cjs

@@ -0,0 +1,223 @@
+"use strict";
+/**
+ * Audit Logging Middleware
+ *
+ * Captures all GraphQL mutations and records an append-only audit trail.
+ * Each audit log entry includes: user ID (from JWT context), timestamp,
+ * operation type, model name, record ID, and changed fields.
+ *
+ * This middleware is implemented as an Apollo Server plugin that intercepts
+ * mutation operations and logs them to the AuditLog table.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuditLogPlugin = createAuditLogPlugin;
+exports.parseMutationOperation = parseMutationOperation;
+exports.extractUserId = extractUserId;
+exports.extractRecordId = extractRecordId;
+exports.extractChangedFields = extractChangedFields;
+const logger_1 = require("../utils/logger.cjs");
+/** List of models that are excluded from audit logging (e.g., the audit log itself) */
+const EXCLUDED_MODELS = new Set([
+    'AuditLog',
+    'Session',
+    'VerificationToken',
+    'Authenticator',
+]);
+/**
+ * Extracts the model name and operation type from a GraphQL mutation operation name.
+ * TypeGraphQL-Prisma generates mutations with names like:
+ *   createOneUser, updateOneUser, deleteOneUser,
+ *   createManyUser, updateManyUser, deleteManyUser,
+ *   upsertOneUser
+ *
+ * @param operationName - The name of the GraphQL field being executed
+ * @returns Parsed mutation data or null if not a recognized mutation pattern
+ */
+function parseMutationOperation(operationName) {
+    const createPattern = /^(createOne|createMany|upsertOne)(\w+)$/;
+    const updatePattern = /^(updateOne|updateMany|upsertOne)(\w+)$/;
+    const deletePattern = /^(deleteOne|deleteMany)(\w+)$/;
+    let match = createPattern.exec(operationName);
+    if (match) {
+        return {
+            operationType: 'CREATE',
+            modelName: match[2],
+            operationName,
+        };
+    }
+    match = updatePattern.exec(operationName);
+    if (match) {
+        return {
+            operationType: 'UPDATE',
+            modelName: match[2],
+            operationName,
+        };
+    }
+    match = deletePattern.exec(operationName);
+    if (match) {
+        return {
+            operationType: 'DELETE',
+            modelName: match[2],
+            operationName,
+        };
+    }
+    return null;
+}
+/**
+ * Extracts the user ID from the context user object.
+ * Handles both JWT-decoded objects and raw string tokens.
+ *
+ * @param user - The user object from GraphQL context
+ * @returns The user ID string or null
+ */
+function extractUserId(user) {
+    if (!user)
+        return null;
+    if (typeof user === 'string')
+        return user;
+    return user.sub || user.id || null;
+}
+/**
+ * Extracts the record ID from the mutation result data.
+ * Looks for 'id' field in the top-level result object.
+ *
+ * @param data - The result data from the mutation
+ * @returns The record ID as a string, or 'unknown'
+ */
+function extractRecordId(data) {
+    if (!data)
+        return 'unknown';
+    // The result is typically nested under the mutation name
+    const values = Object.values(data);
+    if (values.length === 0)
+        return 'unknown';
+    const result = values[0];
+    if (result &&
+        typeof result === 'object' &&
+        'id' in result) {
+        return String(result.id);
+    }
+    return 'unknown';
+}
+/**
+ * Extracts changed fields from the mutation variables.
+ * For create operations, captures all input data.
+ * For update operations, captures the data being set.
+ * For delete operations, captures the where clause.
+ *
+ * @param operationType - The type of mutation operation
+ * @param variables - The GraphQL variables passed to the mutation
+ * @returns A JSON-serializable object representing the changed fields
+ */
+function extractChangedFields(operationType, variables) {
+    if (!variables)
+        return {};
+    switch (operationType) {
+        case 'CREATE':
+            return { input: variables.data || variables };
+        case 'UPDATE':
+            return {
+                where: variables.where || {},
+                data: variables.data || {},
+            };
+        case 'DELETE':
+            return { where: variables.where || {} };
+        default:
+            return variables;
+    }
+}
+/**
+ * Creates an Apollo Server plugin that logs all mutations to the AuditLog table.
+ *
+ * The plugin intercepts the willSendResponse lifecycle event to capture
+ * mutation results after they have been processed by the resolvers.
+ * Only successful mutations are logged (errors are not audited here).
+ *
+ * @returns An Apollo Server plugin instance
+ */
+function createAuditLogPlugin() {
+    return {
+        async requestDidStart(_requestContext) {
+            return {
+                async willSendResponse(requestContext) {
+                    var _a, _b, _c, _d;
+                    const { contextValue, response, request, document } = requestContext;
+                    // Only audit mutations
+                    if (!document)
+                        return;
+                    const definitions = document.definitions;
+                    const operationDef = definitions.find((def) => def.kind === 'OperationDefinition' && def.operation === 'mutation');
+                    if (!operationDef || operationDef.kind !== 'OperationDefinition')
+                        return;
+                    // Skip if there were errors (we only audit successful mutations)
+                    if (response.body.kind === 'single' &&
+                        ((_a = response.body.singleResult.errors) === null || _a === void 0 ? void 0 : _a.length)) {
+                        return;
+                    }
+                    const prisma = contextValue.prisma;
+                    if (!prisma) {
+                        logger_1.logger.warn('Audit logger: Prisma client not available in context');
+                        return;
+                    }
+                    // Extract mutation field names from the selection set
+                    const selections = operationDef.selectionSet.selections;
+                    for (const selection of selections) {
+                        if (selection.kind !== 'Field')
+                            continue;
+                        const fieldName = selection.name.value;
+                        const auditData = parseMutationOperation(fieldName);
+                        if (!auditData)
+                            continue;
+                        if (EXCLUDED_MODELS.has(auditData.modelName))
+                            continue;
+                        const userId = extractUserId(contextValue.user);
+                        const variables = request.variables;
+                        const changedFields = extractChangedFields(auditData.operationType, variables);
+                        // Extract record ID from response data
+                        let recordId = 'unknown';
+                        if (response.body.kind === 'single' &&
+                            response.body.singleResult.data) {
+                            recordId = extractRecordId(response.body.singleResult.data);
+                        }
+                        // Extract IP address from request context
+                        const ipAddress = ((_b = contextValue.req) === null || _b === void 0 ? void 0 : _b.ip) ||
+                            ((_d = (_c = contextValue.req) === null || _c === void 0 ? void 0 : _c.headers) === null || _d === void 0 ? void 0 : _d['x-forwarded-for']) ||
+                            null;
+                        try {
+                            const prismaRecord = prisma;
+                            if (prismaRecord.auditLog) {
+                                const auditLogDelegate = prismaRecord.auditLog;
+                                await auditLogDelegate.create({
+                                    data: {
+                                        userId,
+                                        operationType: auditData.operationType,
+                                        modelName: auditData.modelName,
+                                        recordId,
+                                        changedFields,
+                                        operationName: auditData.operationName,
+                                        ipAddress,
+                                        metadata: {
+                                            graphqlOperationName: request.operationName || null,
+                                        },
+                                    },
+                                });
+                            }
+                            else {
+                                logger_1.logger.warn('Audit logger: AuditLog model not available on Prisma client');
+                            }
+                        }
+                        catch (error) {
+                            // Audit logging failures should never break the main request
+                            logger_1.logger.error('Audit logger: Failed to write audit log entry', {
+                                error: error instanceof Error ? error.message : String(error),
+                                modelName: auditData.modelName,
+                                operationType: auditData.operationType,
+                            });
+                        }
+                    }
+                },
+            };
+        },
+    };
+}
+//# sourceMappingURL=audit-logger.js.map

package/middleware/audit-logger.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Audit Logging Middleware
+ *
+ * Captures all GraphQL mutations and records an append-only audit trail.
+ * Each audit log entry includes: user ID (from JWT context), timestamp,
+ * operation type, model name, record ID, and changed fields.
+ *
+ * This middleware is implemented as an Apollo Server plugin that intercepts
+ * mutation operations and logs them to the AuditLog table.
+ */
+import type { ApolloServerPlugin } from '@apollo/server';
+import type { PrismaClient } from '@prisma/client';
+/** Represents the user object decoded from JWT context */
+interface AuditUser {
+    sub?: string;
+    id?: string;
+    name?: string;
+    role?: string;
+    provider?: string;
+}
+/** Context shape expected by the audit logger plugin */
+interface AuditContext {
+    prisma: PrismaClient;
+    user?: AuditUser | string | null;
+    req?: {
+        ip?: string;
+        headers?: Record<string, string | string[] | undefined>;
+    };
+}
+/** Fields extracted from a GraphQL mutation for audit logging */
+interface MutationAuditData {
+    operationType: 'CREATE' | 'UPDATE' | 'DELETE';
+    modelName: string;
+    operationName: string;
+}
+/**
+ * Extracts the model name and operation type from a GraphQL mutation operation name.
+ * TypeGraphQL-Prisma generates mutations with names like:
+ *   createOneUser, updateOneUser, deleteOneUser,
+ *   createManyUser, updateManyUser, deleteManyUser,
+ *   upsertOneUser
+ *
+ * @param operationName - The name of the GraphQL field being executed
+ * @returns Parsed mutation data or null if not a recognized mutation pattern
+ */
+declare function parseMutationOperation(operationName: string): MutationAuditData | null;
+/**
+ * Extracts the user ID from the context user object.
+ * Handles both JWT-decoded objects and raw string tokens.
+ *
+ * @param user - The user object from GraphQL context
+ * @returns The user ID string or null
+ */
+declare function extractUserId(user: AuditUser | string | null | undefined): string | null;
+/**
+ * Extracts the record ID from the mutation result data.
+ * Looks for 'id' field in the top-level result object.
+ *
+ * @param data - The result data from the mutation
+ * @returns The record ID as a string, or 'unknown'
+ */
+declare function extractRecordId(data: Record<string, unknown> | null | undefined): string;
+/**
+ * Extracts changed fields from the mutation variables.
+ * For create operations, captures all input data.
+ * For update operations, captures the data being set.
+ * For delete operations, captures the where clause.
+ *
+ * @param operationType - The type of mutation operation
+ * @param variables - The GraphQL variables passed to the mutation
+ * @returns A JSON-serializable object representing the changed fields
+ */
+declare function extractChangedFields(operationType: 'CREATE' | 'UPDATE' | 'DELETE', variables: Record<string, unknown> | null | undefined): Record<string, unknown>;
+/**
+ * Creates an Apollo Server plugin that logs all mutations to the AuditLog table.
+ *
+ * The plugin intercepts the willSendResponse lifecycle event to capture
+ * mutation results after they have been processed by the resolvers.
+ * Only successful mutations are logged (errors are not audited here).
+ *
+ * @returns An Apollo Server plugin instance
+ */
+export declare function createAuditLogPlugin(): ApolloServerPlugin<AuditContext>;
+export { parseMutationOperation, extractUserId, extractRecordId, extractChangedFields, };
+//# sourceMappingURL=audit-logger.d.ts.map

package/middleware/audit-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../src/middleware/audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACV,kBAAkB,EAGnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGnD,0DAA0D;AAC1D,UAAU,SAAS;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wDAAwD;AACxD,UAAU,YAAY;IACpB,MAAM,EAAE,YAAY,CAAC;IACrB,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,IAAI,CAAC;IACjC,GAAG,CAAC,EAAE;QACJ,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACzD,CAAC;CACH;AAED,iEAAiE;AACjE,UAAU,iBAAiB;IACzB,aAAa,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAUD;;;;;;;;;GASG;AACH,iBAAS,sBAAsB,CAC7B,aAAa,EAAE,MAAM,GACpB,iBAAiB,GAAG,IAAI,CAiC1B;AAED;;;;;;GAMG;AACH,iBAAS,aAAa,CACpB,IAAI,EAAE,SAAS,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,MAAM,GAAG,IAAI,CAIf;AAED;;;;;;GAMG;AACH,iBAAS,eAAe,CACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GAAG,SAAS,GAC/C,MAAM,CAiBR;AAED;;;;;;;;;GASG;AACH,iBAAS,oBAAoB,CAC3B,aAAa,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,EAC7C,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GAAG,SAAS,GACpD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgBzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,kBAAkB,CAAC,YAAY,CAAC,CAoHvE;AAED,OAAO,EACL,sBAAsB,EACtB,aAAa,EACb,eAAe,EACf,oBAAoB,GACrB,CAAC"}

package/middleware/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/middleware/audit-logger.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AA8KH,oDAoHC;AAGC,wDAAsB;AACtB,sCAAa;AACb,0CAAe;AACf,oDAAoB;AAhStB,4CAAyC;AA4BzC,uFAAuF;AACvF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,UAAU;IACV,SAAS;IACT,mBAAmB;IACnB,eAAe;CAChB,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,SAAS,sBAAsB,CAC7B,aAAqB;IAErB,MAAM,aAAa,GAAG,yCAAyC,CAAC;IAChE,MAAM,aAAa,GAAG,yCAAyC,CAAC;IAChE,MAAM,aAAa,GAAG,+BAA+B,CAAC;IAEtD,IAAI,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,aAAa,EAAE,QAAQ;YACvB,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;YACnB,aAAa;SACd,CAAC;IACJ,CAAC;IAED,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,aAAa,EAAE,QAAQ;YACvB,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;YACnB,aAAa;SACd,CAAC;IACJ,CAAC;IAED,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,aAAa,EAAE,QAAQ;YACvB,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;YACnB,aAAa;SACd,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,SAAS,aAAa,CACpB,IAA2C;IAE3C,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,eAAe,CACtB,IAAgD;IAEhD,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,yDAAyD;IACzD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAE1C,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACzB,IACE,MAAM;QACN,OAAO,MAAM,KAAK,QAAQ;QAC1B,IAAI,IAAK,MAAkC,EAC3C,CAAC;QACD,OAAO,MAAM,CAAE,MAAkC,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,oBAAoB,CAC3B,aAA6C,EAC7C,SAAqD;IAErD,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAE1B,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,QAAQ;YACX,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QAChD,KAAK,QAAQ;YACX,OAAO;gBACL,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,EAAE;gBAC5B,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,EAAE;aAC3B,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QAC1C;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,oBAAoB;IAClC,OAAO;QACL,KAAK,CAAC,eAAe,CACnB,eAAoD;YAEpD,OAAO;gBACL,KAAK,CAAC,gBAAgB,CAAC,cAAc;;oBACnC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC;oBAErE,uBAAuB;oBACvB,IAAI,CAAC,QAAQ;wBAAE,OAAO;oBAEtB,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;oBACzC,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CACnC,CAAC,GAAG,EAAE,EAAE,CACN,GAAG,CAAC,IAAI,KAAK,qBAAqB,IAAI,GAAG,CAAC,SAAS,KAAK,UAAU,CACrE,CAAC;oBAEF,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,IAAI,KAAK,qBAAqB;wBAC9D,OAAO;oBAET,iEAAiE;oBACjE,IACE,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ;yBAC/B,MAAA,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,0CAAE,MAAM,CAAA,EACzC,CAAC;wBACD,OAAO;oBACT,CAAC;oBAED,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;oBACnC,IAAI,CAAC,MAAM,EAAE,CAAC;wBACZ,eAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;wBACpE,OAAO;oBACT,CAAC;oBAED,sDAAsD;oBACtD,MAAM,UAAU,GAAG,YAAY,CAAC,YAAY,CAAC,UAAU,CAAC;oBAExD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;wBACnC,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO;4BAAE,SAAS;wBAEzC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC;wBACvC,MAAM,SAAS,GAAG,sBAAsB,CAAC,SAAS,CAAC,CAAC;wBAEpD,IAAI,CAAC,SAAS;4BAAE,SAAS;wBACzB,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC;4BAAE,SAAS;wBAEvD,MAAM,MAAM,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;wBAChD,MAAM,SAAS,GAAG,OAAO,CAAC,SAGb,CAAC;wBACd,MAAM,aAAa,GAAG,oBAAoB,CACxC,SAAS,CAAC,aAAa,EACvB,SAAS,CACV,CAAC;wBAEF,uCAAuC;wBACvC,IAAI,QAAQ,GAAG,SAAS,CAAC;wBACzB,IACE,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,QAAQ;4BAC/B,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAC/B,CAAC;4BACD,QAAQ,GAAG,eAAe,CACxB,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,IAA+B,CAC3D,CAAC;wBACJ,CAAC;wBAED,0CAA0C;wBAC1C,MAAM,SAAS,GACb,CAAA,MAAA,YAAY,CAAC,GAAG,0CAAE,EAAE;6BACnB,MAAA,MAAA,YAAY,CAAC,GAAG,0CAAE,OAAO,0CAAG,iBAAiB,CAEhC,CAAA;4BACd,IAAI,CAAC;wBAEP,IAAI,CAAC;4BACH,MAAM,YAAY,GAAG,MAA4C,CAAC;4BAClE,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;gCAC1B,MAAM,gBAAgB,GAAG,YAAY,CAAC,QAIrC,CAAC;gCACF,MAAM,gBAAgB,CAAC,MAAM,CAAC;oCAC5B,IAAI,EAAE;wCACJ,MAAM;wCACN,aAAa,EAAE,SAAS,CAAC,aAAa;wCACtC,SAAS,EAAE,SAAS,CAAC,SAAS;wCAC9B,QAAQ;wCACR,aAAa;wCACb,aAAa,EAAE,SAAS,CAAC,aAAa;wCACtC,SAAS;wCACT,QAAQ,EAAE;4CACR,oBAAoB,EAAE,OAAO,CAAC,aAAa,IAAI,IAAI;yCACpD;qCACF;iCACF,CAAC,CAAC;4BACL,CAAC;iCAAM,CAAC;gCACN,eAAM,CAAC,IAAI,CACT,6DAA6D,CAC9D,CAAC;4BACJ,CAAC;wBACH,CAAC;wBAAC,OAAO,KAAK,EAAE,CAAC;4BACf,6DAA6D;4BAC7D,eAAM,CAAC,KAAK,CAAC,+CAA+C,EAAE;gCAC5D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gCAC7D,SAAS,EAAE,SAAS,CAAC,SAAS;gCAC9B,aAAa,EAAE,SAAS,CAAC,aAAa;6BACvC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/middleware/auth.cjs

@@ -0,0 +1,44 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authMiddleware = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwtConfig_1 = require("../config/jwtConfig.cjs");
+const logger_1 = require("../utils/logger.cjs");
+const authMiddleware = (req, res, next) => {
+    const authHeader = req.header('Authorization') || '';
+    const token = authHeader.startsWith('Bearer ')
+        ? authHeader.replace('Bearer ', '')
+        : '';
+    if (!token) {
+        return res.status(401).send({ error: 'Unauthorized' });
+    }
+    // Handle Google OAuth tokens
+    if (token.startsWith('ya29.')) {
+        logger_1.logger.info('Detected Google OAuth token in middleware, skipping JWT verification');
+        req.user = { provider: 'google', token };
+        return next();
+    }
+    // Handle regular JWT tokens
+    try {
+        // Check for server-to-server auth token from environment
+        const serverAuthToken = process.env.SERVER_AUTH_TOKEN;
+        if (serverAuthToken && token === serverAuthToken) {
+            req.user = { sub: 'server', name: 'Server Auth', role: 'server' };
+        }
+        else {
+            const decoded = jsonwebtoken_1.default.verify(token, jwtConfig_1.jwtSecret);
+            req.user = decoded;
+        }
+        next();
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        logger_1.logger.warn(`[Auth] Middleware JWT verification failed: ${errorMessage}`);
+        res.status(401).send({ error: 'Unauthorized' });
+    }
+};
+exports.authMiddleware = authMiddleware;
+//# sourceMappingURL=auth.js.map

package/middleware/auth.d.ts

@@ -0,0 +1,6 @@
+import { Request, Response, NextFunction } from 'express';
+export interface AuthenticatedRequest extends Request {
+    user?: any;
+}
+export declare const authMiddleware: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+//# sourceMappingURL=auth.d.ts.map

package/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK1D,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,CAAC,EAAE,GAAG,CAAC;CACZ;AAED,eAAO,MAAM,cAAc,GACzB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,MAAM,YAAY,8CAqCnB,CAAC"}

package/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":";;;;;;AACA,gEAA+B;AAC/B,mDAAgD;AAChD,4CAAyC;AAMlC,MAAM,cAAc,GAAG,CAC5B,GAAyB,EACzB,GAAa,EACb,IAAkB,EAClB,EAAE;IACF,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5C,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;QACnC,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,eAAM,CAAC,IAAI,CACT,sEAAsE,CACvE,CAAC;QACF,GAAG,CAAC,IAAI,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QACzC,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,4BAA4B;IAC5B,IAAI,CAAC;QACH,yDAAyD;QACzD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACtD,IAAI,eAAe,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YACjD,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,qBAAS,CAAC,CAAC;YAC7C,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;QACrB,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAChB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QAC3D,eAAM,CAAC,IAAI,CAAC,8CAA8C,YAAY,EAAE,CAAC,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC;AAxCW,QAAA,cAAc,kBAwCzB"}