@axova/shared 1.0.0

package/src/lib/authOrganization.ts

@@ -0,0 +1,153 @@
+import { createId } from "@paralleldrive/cuid2";
+import { APIError } from "../utils/errorHandler";
+
+export interface AuthOrganizationCreateRequest {
+	name: string;
+	slug: string;
+	logo?: string;
+	metadata?: Record<string, unknown>;
+	userId?: string;
+	keepCurrentActiveOrganization?: boolean;
+}
+
+export interface AuthOrganizationResponse {
+	id: string;
+	name: string;
+	slug: string;
+	logo?: string;
+	metadata?: Record<string, unknown>;
+	createdAt: Date;
+	updatedAt?: Date;
+}
+
+/**
+ * Creates an organization using the auth service
+ * @param organizationData Organization data to create
+ * @param headers Authentication headers to forward
+ * @returns Promise resolving to created organization data
+ */
+export const createAuthOrganization = async (
+	organizationData: AuthOrganizationCreateRequest,
+	headers?: Record<string, string>,
+): Promise<AuthOrganizationResponse> => {
+	try {
+		console.log("Creating organization:", {
+			name: organizationData.name,
+			slug: organizationData.slug,
+			userId: organizationData.userId,
+			hasHeaders: !!headers,
+		});
+
+		// Prepare payload matching auth service expectations
+		const payload = {
+			name: organizationData.name,
+			slug: organizationData.slug,
+			...(organizationData.logo && { logo: organizationData.logo }),
+			...(organizationData.metadata && { metadata: organizationData.metadata }),
+		};
+
+		// Make direct HTTP request to auth service
+		const authBaseUrl =
+			process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000";
+		const url = `${authBaseUrl}/api/auth/organization/create`;
+
+		const fetchOptions: RequestInit = {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				...headers,
+			},
+			body: JSON.stringify(payload),
+		};
+
+		console.log("Sending request to auth service:", url);
+		const response = await fetch(url, fetchOptions);
+
+		console.log("Auth service response:", {
+			status: response.status,
+			statusText: response.statusText,
+			ok: response.ok,
+			headers: Object.fromEntries(response.headers.entries()),
+		});
+
+		// Check HTTP response status
+		if (!response.ok) {
+			const errorText = await response.text();
+			console.error("Auth service HTTP error:", {
+				status: response.status,
+				statusText: response.statusText,
+				body: errorText,
+			});
+
+			throw new APIError(
+				`Auth service error: ${response.status} ${response.statusText}`,
+				response.status,
+				{ code: "AUTH_HTTP_ERROR", response: errorText },
+			);
+		}
+
+		// Parse JSON response
+		let responseData: any;
+		try {
+			responseData = await response.json();
+		} catch (parseError) {
+			console.error("Failed to parse auth service response:", parseError);
+			throw new APIError("Invalid response format from auth service", 500, {
+				code: "JSON_PARSE_ERROR",
+				originalError: parseError,
+			});
+		}
+
+		// Auth service returns organization data directly
+		// Check if response has the required organization fields
+		if (responseData.id && responseData.name) {
+			console.log("Organization created successfully:", {
+				id: responseData.id,
+				name: responseData.name,
+				slug: responseData.slug,
+			});
+		} else {
+			console.error("Invalid organization response:", responseData);
+			throw new APIError(
+				"Invalid organization data format from auth service",
+				500,
+				{ code: "INVALID_ORGANIZATION_DATA", response: responseData },
+			);
+		}
+
+		// Return structured organization data (responseData contains the org data directly)
+		return {
+			id: responseData.id,
+			name: responseData.name,
+			slug: responseData.slug,
+			logo: responseData.logo || undefined,
+			metadata: responseData.metadata,
+			createdAt: new Date(responseData.createdAt),
+			updatedAt: undefined,
+		};
+	} catch (error: any) {
+		console.error("Organization creation failed:", {
+			message: error.message,
+			status: error.status || error.statusCode,
+			code: error.code,
+		});
+
+		// Handle different error types
+		if (error instanceof APIError) {
+			throw error;
+		}
+
+		if (error.message && error.message.includes("JSON")) {
+			throw new APIError("Invalid response format from auth service", 500, {
+				code: "JSON_PARSE_ERROR",
+				originalError: error.message,
+			});
+		}
+
+		throw new APIError(
+			error.message || "Failed to create organization",
+			error.status || error.statusCode || 500,
+			{ code: "ORGANIZATION_CREATION_FAILED", originalError: error },
+		);
+	}
+};

package/src/lib/db.ts

@@ -0,0 +1,64 @@
+import * as dotenv from "dotenv";
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+
+// Load environment variables from .env file
+dotenv.config();
+
+// Configure PostgreSQL connection
+const connectionString = process.env.DATABASE_URL;
+
+if (!connectionString) {
+	throw new Error("DATABASE_URL environment variable is not set");
+}
+
+// Configure PostgreSQL to handle timestamps and dates properly
+const pool = new Pool({
+	connectionString,
+	ssl:
+		process.env.NODE_ENV === "production"
+			? { rejectUnauthorized: false }
+			: false,
+	// Connection pool configuration to prevent "Connection is closed" errors
+	max: 20, // Maximum number of clients in the pool
+	min: 2, // Minimum number of clients in the pool
+	idleTimeoutMillis: 30000, // Close idle clients after 30 seconds
+	connectionTimeoutMillis: 10000, // Wait 10 seconds for a connection
+	// Keep connections alive
+	keepAlive: true,
+	keepAliveInitialDelayMillis: 10000,
+	// Add parsing configuration for timestamps
+	types: {
+		getTypeParser: (typeId: number, _format?: string) => {
+			// Handle dates and timestamps to ensure they're properly converted to JavaScript Date objects
+			if (
+				typeId === 1082 ||
+				typeId === 1083 ||
+				typeId === 1114 ||
+				typeId === 1184
+			) {
+				return (val: string) => (val === null ? null : new Date(val));
+			}
+			return undefined;
+		},
+	},
+});
+
+// Add error handler to the pool
+pool.on("error", (err) => {
+	console.error("❌ Unexpected database pool error:", err);
+});
+
+pool.on("connect", () => {
+	if (process.env.NODE_ENV === "development") {
+		console.log("✅ Database pool connection established");
+	}
+});
+
+// Create a Drizzle ORM instance
+export const db = drizzle(pool, {
+	logger: process.env.NODE_ENV === "development",
+});
+
+// Exported for testing
+export { pool };

package/src/middleware/serviceAuth.ts

@@ -0,0 +1,328 @@
+import type { FastifyReply, FastifyRequest } from "fastify";
+import jwt from "jsonwebtoken";
+import { z } from "zod";
+
+// Service claims schema
+export const ServiceClaimsSchema = z.object({
+	service: z.string(),
+	permissions: z.array(z.string()),
+	iat: z.number(),
+	exp: z.number(),
+	iss: z.literal("axova-platform"),
+});
+
+export type ServiceClaims = z.infer<typeof ServiceClaimsSchema>;
+
+// Service authentication configuration
+export interface ServiceAuthConfig {
+	internalSecret: string;
+	tokenExpiry?: string; // Default: '1h'
+	requiredPermissions?: string[];
+}
+
+// Extended request interface
+export interface AuthenticatedRequest extends FastifyRequest {
+	serviceClaims?: ServiceClaims;
+	isServiceAuthenticated?: boolean;
+}
+
+// Service authentication class
+export class ServiceAuthenticator {
+	private secret: string;
+	private tokenExpiry: string;
+
+	constructor(config: ServiceAuthConfig) {
+		this.secret = config.internalSecret;
+		this.tokenExpiry = config.tokenExpiry || "1h";
+	}
+
+	// Generate service token
+	generateServiceToken(service: string, permissions: string[] = []): string {
+		const payload: Omit<ServiceClaims, "iat" | "exp"> = {
+			service,
+			permissions,
+			iss: "axova-platform",
+		};
+
+		return jwt.sign(payload, this.secret, {
+			expiresIn: this.tokenExpiry,
+			algorithm: "HS256",
+		} as jwt.SignOptions);
+	}
+
+	// Verify service token
+	verifyServiceToken(token: string): ServiceClaims {
+		try {
+			const decoded = jwt.verify(token, this.secret, {
+				algorithms: ["HS256"],
+				issuer: "axova-platform",
+			}) as ServiceClaims;
+
+			// Validate with Zod schema
+			return ServiceClaimsSchema.parse(decoded);
+		} catch (error) {
+			throw new Error(
+				`Invalid service token: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+
+	// Fastify middleware for service authentication
+	serviceAuthMiddleware(requiredPermissions: string[] = []) {
+		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
+			try {
+				const authHeader = request.headers.authorization;
+				const serviceToken = request.headers["x-service-token"] as string;
+
+				let token: string | null = null;
+
+				// Check for Bearer token in Authorization header
+				if (authHeader?.startsWith("Bearer ")) {
+					token = authHeader.substring(7);
+				}
+				// Check for service token in custom header
+				else if (serviceToken) {
+					token = serviceToken;
+				}
+
+				if (!token) {
+					return reply.code(401).send({
+						error: "Service authentication required",
+						code: "MISSING_SERVICE_TOKEN",
+					});
+				}
+
+				// DEVELOPMENT MODE: Accept simple constant tokens
+				const isDevelopment = process.env.NODE_ENV !== "production";
+				const developmentTokens = [
+					"dev-compliance-token",
+					"development-mode",
+					"compliance-dev-access",
+					"simple-dev-token",
+					"inventory-dev-access",
+					"product-dev-access",
+					"oxa-dev-access",
+				];
+
+				if (isDevelopment && developmentTokens.includes(token)) {
+					// In development, validate against a proper development service registry
+					// instead of using mock claims
+					try {
+						// TODO: Implement proper development service authentication
+						// For now, only allow specific development services with limited permissions
+						let servicePermissions: string[] = [];
+						let serviceName = "unknown-service";
+
+						// Grant permissions based on the specific development token
+						switch (token) {
+							case "inventory-dev-access":
+								serviceName = "inventory-service-dev";
+								servicePermissions = ["store:read", "store:write"];
+								break;
+							case "product-dev-access":
+								serviceName = "product-service-dev";
+								servicePermissions = ["store:read", "store:write"];
+								break;
+							case "compliance-dev-access":
+								serviceName = "compliance-service-dev";
+								servicePermissions = ["compliance:read", "compliance:write"];
+								break;
+							case "oxa-dev-access":
+								serviceName = "oxa-service-dev";
+								servicePermissions = ["store:read", "ai:moderate"];
+								break;
+							default:
+								throw new Error("Unknown development token");
+						}
+
+						const devClaims: ServiceClaims = {
+							service: serviceName,
+							permissions: servicePermissions,
+							iss: "axova-platform",
+							iat: Math.floor(Date.now() / 1000),
+							exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24, // 24 hours
+						};
+
+						request.serviceClaims = devClaims;
+						request.isServiceAuthenticated = true;
+						console.log(
+							`🔧 Development mode: Service authenticated with token "${token}"`,
+						);
+						return; // Skip JWT verification in development
+					} catch (error) {
+						return reply.code(401).send({
+							error: "Invalid development token",
+							code: "INVALID_DEVELOPMENT_TOKEN",
+							message: error instanceof Error ? error.message : "Unknown error",
+						});
+					}
+				}
+
+				// Verify the token
+				const claims = this.verifyServiceToken(token);
+
+				// Check required permissions
+				if (requiredPermissions.length > 0) {
+					const hasPermissions = requiredPermissions.every((perm) =>
+						claims.permissions.includes(perm),
+					);
+
+					if (!hasPermissions) {
+						return reply.code(403).send({
+							error: "Insufficient permissions",
+							code: "INSUFFICIENT_PERMISSIONS",
+							required: requiredPermissions,
+							granted: claims.permissions,
+						});
+					}
+				}
+
+				// Attach claims to request
+				request.serviceClaims = claims;
+				request.isServiceAuthenticated = true;
+
+				console.log(`Service authenticated: ${claims.service}`);
+			} catch (error) {
+				return reply.code(401).send({
+					error: "Invalid service token",
+					code: "INVALID_SERVICE_TOKEN",
+					message: error instanceof Error ? error.message : "Unknown error",
+				});
+			}
+		};
+	}
+
+	// Alternative HMAC-based authentication
+	generateHMACSignature(payload: string, timestamp: string): string {
+		const crypto = require("node:crypto");
+		const message = `${timestamp}.${payload}`;
+		return crypto
+			.createHmac("sha256", this.secret)
+			.update(message)
+			.digest("hex");
+	}
+
+	// HMAC middleware
+	hmacAuthMiddleware() {
+		return async (request: AuthenticatedRequest, reply: FastifyReply) => {
+			try {
+				const signature = request.headers["x-signature"] as string;
+				const timestamp = request.headers["x-timestamp"] as string;
+				const service = request.headers["x-service"] as string;
+
+				if (!signature || !timestamp || !service) {
+					return reply.code(401).send({
+						error: "HMAC authentication headers missing",
+						code: "MISSING_HMAC_HEADERS",
+					});
+				}
+
+				// Check timestamp (prevent replay attacks)
+				const now = Date.now();
+				const requestTime = Number.parseInt(timestamp);
+				const timeDiff = Math.abs(now - requestTime);
+
+				// Allow 5 minutes tolerance
+				if (timeDiff > 300000) {
+					return reply.code(401).send({
+						error: "Request timestamp too old",
+						code: "TIMESTAMP_EXPIRED",
+					});
+				}
+
+				// Get request body as string
+				const body = JSON.stringify(request.body || {});
+				const expectedSignature = this.generateHMACSignature(body, timestamp);
+
+				if (signature !== expectedSignature) {
+					return reply.code(401).send({
+						error: "Invalid HMAC signature",
+						code: "INVALID_HMAC_SIGNATURE",
+					});
+				}
+
+				// Set service info on request
+				request.serviceClaims = {
+					service,
+					permissions: [], // HMAC doesn't include permissions by default
+					iat: requestTime,
+					exp: requestTime + 300000, // 5 minutes
+					iss: "axova-platform",
+				};
+				request.isServiceAuthenticated = true;
+
+				console.log(`Service authenticated via HMAC: ${service}`);
+			} catch (error) {
+				return reply.code(401).send({
+					error: "HMAC authentication failed",
+					code: "HMAC_AUTH_FAILED",
+					message: error instanceof Error ? error.message : "Unknown error",
+				});
+			}
+		};
+	}
+}
+
+// Singleton factory
+let serviceAuthInstance: ServiceAuthenticator | null = null;
+
+export function createServiceAuthenticator(
+	config: ServiceAuthConfig,
+): ServiceAuthenticator {
+	if (!serviceAuthInstance) {
+		serviceAuthInstance = new ServiceAuthenticator(config);
+	}
+	return serviceAuthInstance;
+}
+
+export function getServiceAuthenticator(): ServiceAuthenticator {
+	if (!serviceAuthInstance) {
+		throw new Error(
+			"Service authenticator not created. Call createServiceAuthenticator() first.",
+		);
+	}
+	return serviceAuthInstance;
+}
+
+// Utility to get auth config from environment
+export function getServiceAuthConfigFromEnv(): ServiceAuthConfig {
+	const internalSecret = process.env.INTERNAL_SECRET;
+
+	if (!internalSecret) {
+		throw new Error("INTERNAL_SECRET environment variable is required");
+	}
+
+	return {
+		internalSecret,
+		tokenExpiry: process.env.SERVICE_TOKEN_EXPIRY || "1h",
+	};
+}
+
+// Common service permissions
+export const SERVICE_PERMISSIONS = {
+	// Store service permissions
+	STORE_READ: "store:read",
+	STORE_WRITE: "store:write",
+	STORE_DELETE: "store:delete",
+
+	// Compliance service permissions
+	COMPLIANCE_READ: "compliance:read",
+	COMPLIANCE_WRITE: "compliance:write",
+	COMPLIANCE_BAN: "compliance:ban",
+	COMPLIANCE_APPEAL: "compliance:appeal",
+
+	// Notification service permissions
+	NOTIFICATION_SEND: "notification:send",
+	NOTIFICATION_READ: "notification:read",
+
+	// Audit service permissions
+	AUDIT_READ: "audit:read",
+	AUDIT_WRITE: "audit:write",
+
+	// Admin service permissions
+	ADMIN_OVERRIDE: "admin:override",
+	ADMIN_REVIEW: "admin:review",
+
+	// AI moderation permissions
+	AI_MODERATE: "ai:moderate",
+} as const;