@axova/shared 1.0.0

package/src/middleware/storeOwnership.ts

@@ -0,0 +1,199 @@
+import { eq } from "drizzle-orm";
+import type { FastifyReply, FastifyRequest } from "fastify";
+import { db } from "../lib/db";
+import { stores } from "../schemas/store/store-schema";
+import {
+	createServiceAuthenticator,
+	getServiceAuthConfigFromEnv,
+} from "./serviceAuth";
+
+export interface StoreOwnerMiddlewareOptions {
+	requireActive?: boolean;
+	allowParameterStoreId?: boolean;
+	storeIdParamName?: string;
+	allowAdminOverride?: boolean;
+	overrideRoles?: string[];
+	overridePermissions?: string[];
+}
+
+/**
+ * Factory that returns a middleware ensuring the current user owns the target store.
+ * - Uses shared store validation under the hood for existence/active checks
+ * - Supports optional admin/permission overrides (e.g. SUPER_ADMIN or * permissions)
+ */
+export function requireStoreOwner(options: StoreOwnerMiddlewareOptions = {}) {
+	const {
+		requireActive = true,
+		allowParameterStoreId = true,
+		storeIdParamName = "storeId",
+		allowAdminOverride = true,
+		overrideRoles = ["SUPER_ADMIN"],
+		overridePermissions = ["*", "store:read:all", "store:write:all"],
+	} = options;
+
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		const user = (request as any).user as
+			| {
+					userId: string;
+					role?: string;
+					permissions?: string[];
+			  }
+			| undefined;
+
+		// Extract storeId from params/query/body/user.context
+		let storeId: string | undefined;
+		const params = (request.params || {}) as Record<string, any>;
+		const query = (request.query || {}) as Record<string, any>;
+		const body = (request.body || {}) as Record<string, any>;
+		if (allowParameterStoreId && typeof params[storeIdParamName] === "string") {
+			storeId = params[storeIdParamName] as string;
+		}
+		if (!storeId && typeof query.storeId === "string")
+			storeId = query.storeId as string;
+		if (!storeId && typeof body.storeId === "string")
+			storeId = body.storeId as string;
+		if (!storeId && typeof (request as any).user?.storeId === "string") {
+			storeId = (request as any).user?.storeId as string;
+		}
+
+		if (!storeId) {
+			return reply.status(400).send({
+				error: "Store ID Required",
+				message: `Store ID must be provided in URL (:${storeIdParamName}), query, or body`,
+				code: "STORE_ID_MISSING",
+			});
+		}
+
+		// Admin/permission overrides
+		const hasRoleOverride = !!user?.role && overrideRoles.includes(user.role);
+		const hasPermissionOverride = !!user?.permissions?.some((p) =>
+			overridePermissions.includes(p),
+		);
+		if (allowAdminOverride && (hasRoleOverride || hasPermissionOverride)) {
+			// Optionally attach minimal store info by fetching; if it fails, still allow
+			await attachStoreInfoIfPossible(request, storeId);
+			return;
+		}
+
+		// Fetch store details from Store Service internal route
+		try {
+			const store = await fetchStoreById(storeId);
+
+			if (!store) {
+				return reply.status(404).send({
+					error: "Store Not Found",
+					message: `Store with ID ${storeId} does not exist`,
+					code: "STORE_NOT_FOUND",
+				});
+			}
+
+			// requireActive check
+			if (requireActive && store.isActive === false) {
+				return reply.status(403).send({
+					error: "Store Inactive",
+					message: `Store ${storeId} is currently inactive`,
+					code: "STORE_INACTIVE",
+				});
+			}
+
+			// Ownership check
+			if (!user?.userId || store.userId !== user.userId) {
+				return reply.status(403).send({
+					error: "Store Access Denied",
+					message: "You do not have permission to access this store",
+					code: "STORE_ACCESS_DENIED",
+				});
+			}
+
+			// Attach store info to request for downstream handlers
+			(request as any).storeInfo = {
+				storeId: store.id,
+				storeName: store.storeName,
+				isActive: !!store.isActive,
+				userId: store.userId,
+			};
+		} catch (error) {
+			console.error("Store ownership validation error:", error);
+			return reply.status(500).send({
+				error: "Internal Server Error",
+				message: "Failed to validate store ownership",
+				code: "STORE_OWNERSHIP_VALIDATION_ERROR",
+			});
+		}
+	};
+}
+
+// Fetches store by ID from the Store Service internal endpoint
+async function fetchStoreById(storeId: string): Promise<{
+	id: string;
+	storeName: string;
+	isActive?: boolean;
+	userId: string;
+} | null> {
+	const baseUrl = process.env.STORE_SERVICE_URL || "http://localhost:3001";
+	const url = `${baseUrl}/internal/stores/${encodeURIComponent(storeId)}`;
+
+	let token: string | undefined;
+	try {
+		const cfg = getServiceAuthConfigFromEnv();
+		token = createServiceAuthenticator(cfg).generateServiceToken(
+			process.env.SERVICE_NAME || "inventory-core-service",
+			["store:read"],
+		);
+	} catch {
+		// Development fallback tokens accepted by store service
+		const isDev = process.env.NODE_ENV !== "production";
+		if (isDev) token = "inventory-dev-access";
+	}
+
+	const headers: Record<string, string> = {
+		"Content-Type": "application/json",
+	};
+	if (token) headers["x-service-token"] = token;
+
+	try {
+		const res = await fetch(url, { method: "GET", headers });
+		if (res.ok) {
+			const data = (await res.json()) as any;
+			const store = data?.store || data?.data?.store || null;
+			if (store) return store;
+		}
+	} catch {
+		// ignore network error and try DB fallback when possible
+	}
+	// DB fallback (primarily for in-process store-service)
+	try {
+		const result = await db
+			.select({
+				id: stores.id,
+				storeName: stores.storeName,
+				isActive: stores.isActive,
+				userId: stores.userId,
+			})
+			.from(stores)
+			.where(eq(stores.id, storeId))
+			.limit(1);
+		return result[0] || null;
+	} catch {
+		return null;
+	}
+}
+
+async function attachStoreInfoIfPossible(
+	request: FastifyRequest,
+	storeId: string,
+) {
+	try {
+		const store = await fetchStoreById(storeId);
+		if (store) {
+			(request as any).storeInfo = {
+				storeId: store.id,
+				storeName: store.storeName,
+				isActive: !!store.isActive,
+				userId: store.userId,
+			};
+		}
+	} catch {
+		// ignore
+	}
+}

package/src/middleware/storeValidationMiddleware.ts

@@ -0,0 +1,247 @@
+import { eq } from "drizzle-orm";
+import { FastifyReply, FastifyRequest } from "fastify";
+import { db } from "../lib/db";
+import { stores } from "../schemas/store/store-schema";
+
+// Store cache to reduce database calls
+const storeCache = new Map<
+	string,
+	{
+		isValid: boolean;
+		timestamp: number;
+		storeData?: {
+			id: string;
+			storeName: string;
+			isActive: boolean;
+			userId: string;
+		};
+	}
+>();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+export interface StoreValidationOptions {
+	requireActive?: boolean;
+	allowParameterStoreId?: boolean;
+	storeIdParamName?: string;
+	requireOwnership?: boolean;
+}
+
+// Extended request interface to include store information
+declare module "fastify" {
+	interface FastifyRequest {
+		user?: {
+			userId: string;
+			storeId: string;
+			role: string;
+			permissions: string[];
+			iat?: number;
+			exp?: number;
+		};
+		session?: unknown;
+		storeInfo?: {
+			storeId: string;
+			storeName: string;
+			isActive: boolean;
+			userId: string;
+		};
+	}
+}
+
+/**
+ * Middleware to validate store existence and status
+ */
+export const validateStoreMiddleware = (
+	options: StoreValidationOptions = {},
+) => {
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		try {
+			const {
+				requireActive = true,
+				allowParameterStoreId = true,
+				storeIdParamName = "storeId",
+				requireOwnership = false,
+			} = options;
+
+			// Extract store ID from various sources
+			let storeId: string | undefined;
+
+			// 1. Try from authenticated user context
+			if (request.user?.storeId) {
+				storeId = request.user.storeId;
+			}
+
+			// 2. Try from URL parameters if allowed
+			if (!storeId && allowParameterStoreId) {
+				const params = request.params as Record<string, string>;
+				storeId = params[storeIdParamName];
+			}
+
+			// 3. Try from query parameters
+			if (!storeId) {
+				const query = request.query as Record<string, string>;
+				storeId = query.storeId;
+			}
+
+			// 4. Try from request body
+			if (!storeId && request.body && typeof request.body === "object") {
+				const body = request.body as Record<string, unknown>;
+				if (typeof body.storeId === "string") {
+					storeId = body.storeId;
+				}
+			}
+
+			if (!storeId) {
+				return reply.status(400).send({
+					error: "Store ID Required",
+					message:
+						"Store ID must be provided in URL, query parameters, or request body",
+					code: "STORE_ID_MISSING",
+				});
+			}
+
+			// Check cache first
+			const cached = storeCache.get(storeId);
+			if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+				if (!cached.isValid) {
+					return reply.status(404).send({
+						error: "Store Not Found",
+						message: `Store with ID ${storeId} does not exist`,
+						code: "STORE_NOT_FOUND",
+					});
+				}
+
+				// Use cached store data if available
+				if (cached.storeData) {
+					const storeData = cached.storeData;
+
+					// Check if store is active when required
+					if (requireActive && !storeData.isActive) {
+						return reply.status(403).send({
+							error: "Store Inactive",
+							message: `Store ${storeId} is currently inactive`,
+							code: "STORE_INACTIVE",
+						});
+					}
+
+					// Check ownership when required
+					if (requireOwnership && request.user?.userId !== storeData.userId) {
+						return reply.status(403).send({
+							error: "Store Access Denied",
+							message: "You do not have permission to access this store",
+							code: "STORE_ACCESS_DENIED",
+						});
+					}
+
+					// Attach store information to request
+					request.storeInfo = {
+						storeId: storeData.id,
+						storeName: storeData.storeName,
+						isActive: storeData.isActive,
+						userId: storeData.userId,
+					};
+					return; // Successfully validated using cache
+				}
+			}
+
+			// Validate store exists and get details from database
+			const store = await db
+				.select({
+					id: stores.id,
+					storeName: stores.storeName,
+					isActive: stores.isActive,
+					userId: stores.userId,
+				})
+				.from(stores)
+				.where(eq(stores.id, storeId))
+				.limit(1);
+
+			if (store.length === 0) {
+				// Cache negative result
+				storeCache.set(storeId, { isValid: false, timestamp: Date.now() });
+
+				return reply.status(404).send({
+					error: "Store Not Found",
+					message: `Store with ID ${storeId} does not exist`,
+					code: "STORE_NOT_FOUND",
+				});
+			}
+
+			const storeData = store[0];
+
+			// Check if store is active when required
+			if (requireActive && !storeData.isActive) {
+				return reply.status(403).send({
+					error: "Store Inactive",
+					message: `Store ${storeId} is currently inactive`,
+					code: "STORE_INACTIVE",
+				});
+			}
+
+			// Check ownership when required
+			if (requireOwnership && request.user?.userId !== storeData.userId) {
+				return reply.status(403).send({
+					error: "Store Access Denied",
+					message: "You do not have permission to access this store",
+					code: "STORE_ACCESS_DENIED",
+				});
+			}
+
+			// Cache positive result with store data
+			storeCache.set(storeId, {
+				isValid: true,
+				timestamp: Date.now(),
+				storeData: {
+					id: storeData.id,
+					storeName: storeData.storeName,
+					isActive: storeData.isActive,
+					userId: storeData.userId,
+				},
+			});
+
+			// Attach store information to request
+			request.storeInfo = {
+				storeId: storeData.id,
+				storeName: storeData.storeName,
+				isActive: storeData.isActive,
+				userId: storeData.userId,
+			};
+
+			// Continue to next handler - explicitly return to proceed
+		} catch (error) {
+			console.error("Store validation error:", error);
+			return reply.status(500).send({
+				error: "Internal Server Error",
+				message: "Failed to validate store",
+				code: "STORE_VALIDATION_ERROR",
+			});
+		}
+	};
+};
+
+/**
+ * Helper to clear store cache entry
+ */
+export const clearStoreCache = (storeId: string) => {
+	storeCache.delete(storeId);
+};
+
+/**
+ * Helper to clear all store cache
+ */
+export const clearAllStoreCache = () => {
+	storeCache.clear();
+};
+
+/**
+ * Simplified middleware for common use cases
+ */
+export const requireValidStore = validateStoreMiddleware({
+	requireActive: true,
+});
+export const requireOwnedStore = validateStoreMiddleware({
+	requireActive: true,
+	requireOwnership: true,
+});
+export const requireAnyStore = validateStoreMiddleware({
+	requireActive: false,
+});

package/src/middleware/userAuth.ts

@@ -0,0 +1,248 @@
+import { createAuthMiddleware } from "better-middleware";
+import type { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+import fp from "fastify-plugin";
+
+// Standardized user context aligned with existing request augmentation in this package
+export interface SharedUserContext {
+	userId: string;
+	storeId: string;
+	role: string;
+	permissions: string[];
+	organizationId?: string;
+	activeOrganizationId?: string;
+	iat?: number;
+	exp?: number;
+}
+
+// Optional role → permission mapping (used for helpers)
+export const DEFAULT_ROLE_PERMISSIONS: Record<string, string[]> = {
+	SUPER_ADMIN: ["*"],
+	STORE_ADMIN: [
+		"store:read",
+		"store:write",
+		"store:delete",
+		"orders:read",
+		"orders:write",
+		"products:read",
+		"products:write",
+	],
+	STORE_MANAGER: [
+		"store:read",
+		"store:write",
+		"orders:read",
+		"orders:write",
+		"products:read",
+		"products:write",
+	],
+	STORE_EMPLOYEE: ["store:read", "orders:read", "products:read"],
+	USER: ["store:read"],
+};
+
+// Core adapter of better-middleware to Fastify
+function createFastifyAuthHandler() {
+	const auth = createAuthMiddleware<FastifyRequest>({
+		baseURL: process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000",
+		cache: { enabled: true, ttl: 300, max: 1000 },
+		onError: async () => ({
+			status: 401,
+			body: {
+				success: false,
+				error: "Authentication required",
+				code: "UNAUTHORIZED",
+			},
+		}),
+		logger: {
+			info: (m, d) =>
+				process.env.NODE_ENV === "development"
+					? console.log(`[Auth] ${m}`, d)
+					: undefined,
+			error: (m, d) => console.error(`[Auth] ${m}`, d),
+			debug: (m, d) =>
+				process.env.NODE_ENV === "development"
+					? console.debug(`[Auth] ${m}`, d)
+					: undefined,
+		},
+		framework: {
+			getHeaders: (request: any) => {
+				const headers: Record<string, string> = {};
+				Object.entries(request.headers || {}).forEach(([k, v]) => {
+					if (typeof v === "string") headers[k] = v;
+					else if (Array.isArray(v)) headers[k] = v.join(", ");
+				});
+				const hasCookie = (headers["cookie"] || "").includes(
+					"better-auth.session_token=",
+				);
+				const bearer = headers["authorization"]?.startsWith("Bearer ")
+					? headers["authorization"].substring(7)
+					: undefined;
+				if (!hasCookie && bearer) {
+					headers["cookie"] =
+						`${headers["cookie"] ? headers["cookie"] + "; " : ""}better-auth.session_token=${bearer}`;
+				}
+				return headers;
+			},
+			getCookies: (request: any) => {
+				const cookies = request.cookies || {};
+				if (
+					!cookies["better-auth.session_token"] &&
+					request.headers.authorization?.startsWith("Bearer ")
+				) {
+					cookies["better-auth.session_token"] =
+						request.headers.authorization.substring(7);
+				}
+				return cookies;
+			},
+			setContext: (request: any, key: "user" | "session", value: any) => {
+				if (key === "user" && value) {
+					const u = value as any;
+					request.user = {
+						userId: u.id,
+						storeId: u.activeOrganizationId || u.organizationId || "",
+						role: u.role || "USER",
+						permissions: DEFAULT_ROLE_PERMISSIONS[u.role || "USER"] || [],
+						organizationId: u.organizationId,
+						activeOrganizationId: u.activeOrganizationId,
+						iat: u.iat,
+						exp: u.exp,
+					} satisfies SharedUserContext;
+				} else if (key === "session" && value) {
+					const s = value as any;
+					if (request.user && !request.user.storeId)
+						request.user.storeId =
+							s.activeOrganizationId || request.user.storeId;
+				}
+			},
+			createResponse: (_request: any, body: unknown, status: number) => ({
+				status,
+				body,
+			}),
+		},
+	});
+	return auth;
+}
+
+// Pre-handler that runs authentication; emits response when not authorized
+export const AuthPreHandler = async (
+	request: FastifyRequest,
+	reply: FastifyReply,
+) => {
+	const auth = createFastifyAuthHandler();
+	const result = await auth(request, request, async () => {});
+	if (result) {
+		reply.code(result.status).send(result.body);
+	}
+};
+
+// Fastify plugin for easy registration
+export const fastifyUserAuthPlugin: FastifyPluginAsync = fp(
+	async (fastify: any) => {
+		fastify.addHook("preHandler", AuthPreHandler as any);
+	},
+);
+
+// ---------- Helper utilities ----------
+export function getAuthTokenFromRequest(
+	request: FastifyRequest,
+): string | undefined {
+	const cookies = (request as any).cookies || {};
+	const tokenFromCookie = cookies["better-auth.session_token"] as
+		| string
+		| undefined;
+	if (tokenFromCookie) return tokenFromCookie;
+	const cookieHeader = request.headers.cookie;
+	if (cookieHeader) {
+		const match = cookieHeader.match(/better-auth\.session_token=([^;]+)/);
+		if (match) return match[1];
+	}
+	const authHeader = request.headers.authorization;
+	if (authHeader?.startsWith("Bearer ")) return authHeader.substring(7);
+	return undefined;
+}
+
+export function getAuthHeadersFromRequest(
+	request: FastifyRequest,
+): Record<string, string> {
+	const headers: Record<string, string> = {
+		"Content-Type": "application/json",
+	};
+	const token = getAuthTokenFromRequest(request);
+	if (token) {
+		headers["Cookie"] = `better-auth.session_token=${token}`;
+		headers["Authorization"] = `Bearer ${token}`;
+	}
+	return headers;
+}
+
+export function getUserDataFromRequest(request: FastifyRequest): {
+	userId: string;
+	organizationId?: string;
+	role?: string;
+	permissions?: string[];
+} | null {
+	const user = (request as any).user as SharedUserContext | undefined;
+	if (user) {
+		return {
+			userId: user.userId,
+			organizationId: user.storeId || user.organizationId,
+			role: user.role,
+			permissions: user.permissions,
+		};
+	}
+
+	const userIdFromHeader = request.headers["x-user-id"] as string | undefined;
+	const storeIdFromHeader = request.headers["x-store-id"] as string | undefined;
+	const roleFromHeader = request.headers["x-user-role"] as string | undefined;
+	if (userIdFromHeader) {
+		return {
+			userId: userIdFromHeader,
+			organizationId: storeIdFromHeader,
+			role: roleFromHeader || "USER",
+			permissions: DEFAULT_ROLE_PERMISSIONS[roleFromHeader || "USER"] || [],
+		};
+	}
+	return null;
+}
+
+export function getUserIdFromRequest(request: FastifyRequest): string | null {
+	return getUserDataFromRequest(request)?.userId || null;
+}
+
+export function hasPermission(
+	request: FastifyRequest,
+	permission: string,
+): boolean {
+	const user = (request as any).user as SharedUserContext | undefined;
+	const perms = user?.permissions || [];
+	return perms.includes("*") || perms.includes(permission);
+}
+
+export function hasRole(request: FastifyRequest, role: string): boolean {
+	const user = (request as any).user as SharedUserContext | undefined;
+	return (user?.role || "").toUpperCase() === role.toUpperCase();
+}
+
+export function requirePermission(permission: string) {
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		if (!hasPermission(request, permission)) {
+			reply.code(403).send({
+				success: false,
+				error: "Insufficient permissions",
+				message: `Required permission: ${permission}`,
+				code: "FORBIDDEN",
+			});
+		}
+	};
+}
+
+export function requireRole(role: string) {
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		if (!hasRole(request, role)) {
+			reply.code(403).send({
+				success: false,
+				error: "Insufficient role",
+				message: `Required role: ${role}`,
+				code: "FORBIDDEN",
+			});
+		}
+	};
+}