@axova/shared 1.0.0

package/dist/lib/authOrganization.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthOrganization = void 0;
+const errorHandler_1 = require("../utils/errorHandler");
+/**
+ * Creates an organization using the auth service
+ * @param organizationData Organization data to create
+ * @param headers Authentication headers to forward
+ * @returns Promise resolving to created organization data
+ */
+const createAuthOrganization = async (organizationData, headers) => {
+    try {
+        console.log("Creating organization:", {
+            name: organizationData.name,
+            slug: organizationData.slug,
+            userId: organizationData.userId,
+            hasHeaders: !!headers,
+        });
+        // Prepare payload matching auth service expectations
+        const payload = {
+            name: organizationData.name,
+            slug: organizationData.slug,
+            ...(organizationData.logo && { logo: organizationData.logo }),
+            ...(organizationData.metadata && { metadata: organizationData.metadata }),
+        };
+        // Make direct HTTP request to auth service
+        const authBaseUrl = process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000";
+        const url = `${authBaseUrl}/api/auth/organization/create`;
+        const fetchOptions = {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                ...headers,
+            },
+            body: JSON.stringify(payload),
+        };
+        console.log("Sending request to auth service:", url);
+        const response = await fetch(url, fetchOptions);
+        console.log("Auth service response:", {
+            status: response.status,
+            statusText: response.statusText,
+            ok: response.ok,
+            headers: Object.fromEntries(response.headers.entries()),
+        });
+        // Check HTTP response status
+        if (!response.ok) {
+            const errorText = await response.text();
+            console.error("Auth service HTTP error:", {
+                status: response.status,
+                statusText: response.statusText,
+                body: errorText,
+            });
+            throw new errorHandler_1.APIError(`Auth service error: ${response.status} ${response.statusText}`, response.status, { code: "AUTH_HTTP_ERROR", response: errorText });
+        }
+        // Parse JSON response
+        let responseData;
+        try {
+            responseData = await response.json();
+        }
+        catch (parseError) {
+            console.error("Failed to parse auth service response:", parseError);
+            throw new errorHandler_1.APIError("Invalid response format from auth service", 500, {
+                code: "JSON_PARSE_ERROR",
+                originalError: parseError,
+            });
+        }
+        // Auth service returns organization data directly
+        // Check if response has the required organization fields
+        if (responseData.id && responseData.name) {
+            console.log("Organization created successfully:", {
+                id: responseData.id,
+                name: responseData.name,
+                slug: responseData.slug,
+            });
+        }
+        else {
+            console.error("Invalid organization response:", responseData);
+            throw new errorHandler_1.APIError("Invalid organization data format from auth service", 500, { code: "INVALID_ORGANIZATION_DATA", response: responseData });
+        }
+        // Return structured organization data (responseData contains the org data directly)
+        return {
+            id: responseData.id,
+            name: responseData.name,
+            slug: responseData.slug,
+            logo: responseData.logo || undefined,
+            metadata: responseData.metadata,
+            createdAt: new Date(responseData.createdAt),
+            updatedAt: undefined,
+        };
+    }
+    catch (error) {
+        console.error("Organization creation failed:", {
+            message: error.message,
+            status: error.status || error.statusCode,
+            code: error.code,
+        });
+        // Handle different error types
+        if (error instanceof errorHandler_1.APIError) {
+            throw error;
+        }
+        if (error.message && error.message.includes("JSON")) {
+            throw new errorHandler_1.APIError("Invalid response format from auth service", 500, {
+                code: "JSON_PARSE_ERROR",
+                originalError: error.message,
+            });
+        }
+        throw new errorHandler_1.APIError(error.message || "Failed to create organization", error.status || error.statusCode || 500, { code: "ORGANIZATION_CREATION_FAILED", originalError: error });
+    }
+};
+exports.createAuthOrganization = createAuthOrganization;

package/dist/lib/db.d.ts

@@ -0,0 +1,6 @@
+import { Pool } from "pg";
+declare const pool: Pool;
+export declare const db: import("drizzle-orm/node-postgres").NodePgDatabase<Record<string, never>> & {
+    $client: Pool;
+};
+export { pool };

package/dist/lib/db.js

@@ -0,0 +1,88 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pool = exports.db = void 0;
+const dotenv = __importStar(require("dotenv"));
+const node_postgres_1 = require("drizzle-orm/node-postgres");
+const pg_1 = require("pg");
+// Load environment variables from .env file
+dotenv.config();
+// Configure PostgreSQL connection
+const connectionString = process.env.DATABASE_URL;
+if (!connectionString) {
+    throw new Error("DATABASE_URL environment variable is not set");
+}
+// Configure PostgreSQL to handle timestamps and dates properly
+const pool = new pg_1.Pool({
+    connectionString,
+    ssl: process.env.NODE_ENV === "production"
+        ? { rejectUnauthorized: false }
+        : false,
+    // Connection pool configuration to prevent "Connection is closed" errors
+    max: 20, // Maximum number of clients in the pool
+    min: 2, // Minimum number of clients in the pool
+    idleTimeoutMillis: 30000, // Close idle clients after 30 seconds
+    connectionTimeoutMillis: 10000, // Wait 10 seconds for a connection
+    // Keep connections alive
+    keepAlive: true,
+    keepAliveInitialDelayMillis: 10000,
+    // Add parsing configuration for timestamps
+    types: {
+        getTypeParser: (typeId, _format) => {
+            // Handle dates and timestamps to ensure they're properly converted to JavaScript Date objects
+            if (typeId === 1082 ||
+                typeId === 1083 ||
+                typeId === 1114 ||
+                typeId === 1184) {
+                return (val) => (val === null ? null : new Date(val));
+            }
+            return undefined;
+        },
+    },
+});
+exports.pool = pool;
+// Add error handler to the pool
+pool.on("error", (err) => {
+    console.error("❌ Unexpected database pool error:", err);
+});
+pool.on("connect", () => {
+    if (process.env.NODE_ENV === "development") {
+        console.log("✅ Database pool connection established");
+    }
+});
+// Create a Drizzle ORM instance
+exports.db = (0, node_postgres_1.drizzle)(pool, {
+    logger: process.env.NODE_ENV === "development",
+});

package/dist/middleware/serviceAuth.d.ts

@@ -0,0 +1,60 @@
+import type { FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+export declare const ServiceClaimsSchema: z.ZodObject<{
+    service: z.ZodString;
+    permissions: z.ZodArray<z.ZodString, "many">;
+    iat: z.ZodNumber;
+    exp: z.ZodNumber;
+    iss: z.ZodLiteral<"axova-platform">;
+}, "strip", z.ZodTypeAny, {
+    service: string;
+    permissions: string[];
+    iat: number;
+    exp: number;
+    iss: "axova-platform";
+}, {
+    service: string;
+    permissions: string[];
+    iat: number;
+    exp: number;
+    iss: "axova-platform";
+}>;
+export type ServiceClaims = z.infer<typeof ServiceClaimsSchema>;
+export interface ServiceAuthConfig {
+    internalSecret: string;
+    tokenExpiry?: string;
+    requiredPermissions?: string[];
+}
+export interface AuthenticatedRequest extends FastifyRequest {
+    serviceClaims?: ServiceClaims;
+    isServiceAuthenticated?: boolean;
+}
+export declare class ServiceAuthenticator {
+    private secret;
+    private tokenExpiry;
+    constructor(config: ServiceAuthConfig);
+    generateServiceToken(service: string, permissions?: string[]): string;
+    verifyServiceToken(token: string): ServiceClaims;
+    serviceAuthMiddleware(requiredPermissions?: string[]): (request: AuthenticatedRequest, reply: FastifyReply) => Promise<undefined>;
+    generateHMACSignature(payload: string, timestamp: string): string;
+    hmacAuthMiddleware(): (request: AuthenticatedRequest, reply: FastifyReply) => Promise<undefined>;
+}
+export declare function createServiceAuthenticator(config: ServiceAuthConfig): ServiceAuthenticator;
+export declare function getServiceAuthenticator(): ServiceAuthenticator;
+export declare function getServiceAuthConfigFromEnv(): ServiceAuthConfig;
+export declare const SERVICE_PERMISSIONS: {
+    readonly STORE_READ: "store:read";
+    readonly STORE_WRITE: "store:write";
+    readonly STORE_DELETE: "store:delete";
+    readonly COMPLIANCE_READ: "compliance:read";
+    readonly COMPLIANCE_WRITE: "compliance:write";
+    readonly COMPLIANCE_BAN: "compliance:ban";
+    readonly COMPLIANCE_APPEAL: "compliance:appeal";
+    readonly NOTIFICATION_SEND: "notification:send";
+    readonly NOTIFICATION_READ: "notification:read";
+    readonly AUDIT_READ: "audit:read";
+    readonly AUDIT_WRITE: "audit:write";
+    readonly ADMIN_OVERRIDE: "admin:override";
+    readonly ADMIN_REVIEW: "admin:review";
+    readonly AI_MODERATE: "ai:moderate";
+};

package/dist/middleware/serviceAuth.js

@@ -0,0 +1,272 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SERVICE_PERMISSIONS = exports.ServiceAuthenticator = exports.ServiceClaimsSchema = void 0;
+exports.createServiceAuthenticator = createServiceAuthenticator;
+exports.getServiceAuthenticator = getServiceAuthenticator;
+exports.getServiceAuthConfigFromEnv = getServiceAuthConfigFromEnv;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const zod_1 = require("zod");
+// Service claims schema
+exports.ServiceClaimsSchema = zod_1.z.object({
+    service: zod_1.z.string(),
+    permissions: zod_1.z.array(zod_1.z.string()),
+    iat: zod_1.z.number(),
+    exp: zod_1.z.number(),
+    iss: zod_1.z.literal("axova-platform"),
+});
+// Service authentication class
+class ServiceAuthenticator {
+    constructor(config) {
+        this.secret = config.internalSecret;
+        this.tokenExpiry = config.tokenExpiry || "1h";
+    }
+    // Generate service token
+    generateServiceToken(service, permissions = []) {
+        const payload = {
+            service,
+            permissions,
+            iss: "axova-platform",
+        };
+        return jsonwebtoken_1.default.sign(payload, this.secret, {
+            expiresIn: this.tokenExpiry,
+            algorithm: "HS256",
+        });
+    }
+    // Verify service token
+    verifyServiceToken(token) {
+        try {
+            const decoded = jsonwebtoken_1.default.verify(token, this.secret, {
+                algorithms: ["HS256"],
+                issuer: "axova-platform",
+            });
+            // Validate with Zod schema
+            return exports.ServiceClaimsSchema.parse(decoded);
+        }
+        catch (error) {
+            throw new Error(`Invalid service token: ${error instanceof Error ? error.message : "Unknown error"}`);
+        }
+    }
+    // Fastify middleware for service authentication
+    serviceAuthMiddleware(requiredPermissions = []) {
+        return async (request, reply) => {
+            try {
+                const authHeader = request.headers.authorization;
+                const serviceToken = request.headers["x-service-token"];
+                let token = null;
+                // Check for Bearer token in Authorization header
+                if (authHeader?.startsWith("Bearer ")) {
+                    token = authHeader.substring(7);
+                }
+                // Check for service token in custom header
+                else if (serviceToken) {
+                    token = serviceToken;
+                }
+                if (!token) {
+                    return reply.code(401).send({
+                        error: "Service authentication required",
+                        code: "MISSING_SERVICE_TOKEN",
+                    });
+                }
+                // DEVELOPMENT MODE: Accept simple constant tokens
+                const isDevelopment = process.env.NODE_ENV !== "production";
+                const developmentTokens = [
+                    "dev-compliance-token",
+                    "development-mode",
+                    "compliance-dev-access",
+                    "simple-dev-token",
+                    "inventory-dev-access",
+                    "product-dev-access",
+                    "oxa-dev-access",
+                ];
+                if (isDevelopment && developmentTokens.includes(token)) {
+                    // In development, validate against a proper development service registry
+                    // instead of using mock claims
+                    try {
+                        // TODO: Implement proper development service authentication
+                        // For now, only allow specific development services with limited permissions
+                        let servicePermissions = [];
+                        let serviceName = "unknown-service";
+                        // Grant permissions based on the specific development token
+                        switch (token) {
+                            case "inventory-dev-access":
+                                serviceName = "inventory-service-dev";
+                                servicePermissions = ["store:read", "store:write"];
+                                break;
+                            case "product-dev-access":
+                                serviceName = "product-service-dev";
+                                servicePermissions = ["store:read", "store:write"];
+                                break;
+                            case "compliance-dev-access":
+                                serviceName = "compliance-service-dev";
+                                servicePermissions = ["compliance:read", "compliance:write"];
+                                break;
+                            case "oxa-dev-access":
+                                serviceName = "oxa-service-dev";
+                                servicePermissions = ["store:read", "ai:moderate"];
+                                break;
+                            default:
+                                throw new Error("Unknown development token");
+                        }
+                        const devClaims = {
+                            service: serviceName,
+                            permissions: servicePermissions,
+                            iss: "axova-platform",
+                            iat: Math.floor(Date.now() / 1000),
+                            exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24, // 24 hours
+                        };
+                        request.serviceClaims = devClaims;
+                        request.isServiceAuthenticated = true;
+                        console.log(`🔧 Development mode: Service authenticated with token "${token}"`);
+                        return; // Skip JWT verification in development
+                    }
+                    catch (error) {
+                        return reply.code(401).send({
+                            error: "Invalid development token",
+                            code: "INVALID_DEVELOPMENT_TOKEN",
+                            message: error instanceof Error ? error.message : "Unknown error",
+                        });
+                    }
+                }
+                // Verify the token
+                const claims = this.verifyServiceToken(token);
+                // Check required permissions
+                if (requiredPermissions.length > 0) {
+                    const hasPermissions = requiredPermissions.every((perm) => claims.permissions.includes(perm));
+                    if (!hasPermissions) {
+                        return reply.code(403).send({
+                            error: "Insufficient permissions",
+                            code: "INSUFFICIENT_PERMISSIONS",
+                            required: requiredPermissions,
+                            granted: claims.permissions,
+                        });
+                    }
+                }
+                // Attach claims to request
+                request.serviceClaims = claims;
+                request.isServiceAuthenticated = true;
+                console.log(`Service authenticated: ${claims.service}`);
+            }
+            catch (error) {
+                return reply.code(401).send({
+                    error: "Invalid service token",
+                    code: "INVALID_SERVICE_TOKEN",
+                    message: error instanceof Error ? error.message : "Unknown error",
+                });
+            }
+        };
+    }
+    // Alternative HMAC-based authentication
+    generateHMACSignature(payload, timestamp) {
+        const crypto = require("node:crypto");
+        const message = `${timestamp}.${payload}`;
+        return crypto
+            .createHmac("sha256", this.secret)
+            .update(message)
+            .digest("hex");
+    }
+    // HMAC middleware
+    hmacAuthMiddleware() {
+        return async (request, reply) => {
+            try {
+                const signature = request.headers["x-signature"];
+                const timestamp = request.headers["x-timestamp"];
+                const service = request.headers["x-service"];
+                if (!signature || !timestamp || !service) {
+                    return reply.code(401).send({
+                        error: "HMAC authentication headers missing",
+                        code: "MISSING_HMAC_HEADERS",
+                    });
+                }
+                // Check timestamp (prevent replay attacks)
+                const now = Date.now();
+                const requestTime = Number.parseInt(timestamp);
+                const timeDiff = Math.abs(now - requestTime);
+                // Allow 5 minutes tolerance
+                if (timeDiff > 300000) {
+                    return reply.code(401).send({
+                        error: "Request timestamp too old",
+                        code: "TIMESTAMP_EXPIRED",
+                    });
+                }
+                // Get request body as string
+                const body = JSON.stringify(request.body || {});
+                const expectedSignature = this.generateHMACSignature(body, timestamp);
+                if (signature !== expectedSignature) {
+                    return reply.code(401).send({
+                        error: "Invalid HMAC signature",
+                        code: "INVALID_HMAC_SIGNATURE",
+                    });
+                }
+                // Set service info on request
+                request.serviceClaims = {
+                    service,
+                    permissions: [], // HMAC doesn't include permissions by default
+                    iat: requestTime,
+                    exp: requestTime + 300000, // 5 minutes
+                    iss: "axova-platform",
+                };
+                request.isServiceAuthenticated = true;
+                console.log(`Service authenticated via HMAC: ${service}`);
+            }
+            catch (error) {
+                return reply.code(401).send({
+                    error: "HMAC authentication failed",
+                    code: "HMAC_AUTH_FAILED",
+                    message: error instanceof Error ? error.message : "Unknown error",
+                });
+            }
+        };
+    }
+}
+exports.ServiceAuthenticator = ServiceAuthenticator;
+// Singleton factory
+let serviceAuthInstance = null;
+function createServiceAuthenticator(config) {
+    if (!serviceAuthInstance) {
+        serviceAuthInstance = new ServiceAuthenticator(config);
+    }
+    return serviceAuthInstance;
+}
+function getServiceAuthenticator() {
+    if (!serviceAuthInstance) {
+        throw new Error("Service authenticator not created. Call createServiceAuthenticator() first.");
+    }
+    return serviceAuthInstance;
+}
+// Utility to get auth config from environment
+function getServiceAuthConfigFromEnv() {
+    const internalSecret = process.env.INTERNAL_SECRET;
+    if (!internalSecret) {
+        throw new Error("INTERNAL_SECRET environment variable is required");
+    }
+    return {
+        internalSecret,
+        tokenExpiry: process.env.SERVICE_TOKEN_EXPIRY || "1h",
+    };
+}
+// Common service permissions
+exports.SERVICE_PERMISSIONS = {
+    // Store service permissions
+    STORE_READ: "store:read",
+    STORE_WRITE: "store:write",
+    STORE_DELETE: "store:delete",
+    // Compliance service permissions
+    COMPLIANCE_READ: "compliance:read",
+    COMPLIANCE_WRITE: "compliance:write",
+    COMPLIANCE_BAN: "compliance:ban",
+    COMPLIANCE_APPEAL: "compliance:appeal",
+    // Notification service permissions
+    NOTIFICATION_SEND: "notification:send",
+    NOTIFICATION_READ: "notification:read",
+    // Audit service permissions
+    AUDIT_READ: "audit:read",
+    AUDIT_WRITE: "audit:write",
+    // Admin service permissions
+    ADMIN_OVERRIDE: "admin:override",
+    ADMIN_REVIEW: "admin:review",
+    // AI moderation permissions
+    AI_MODERATE: "ai:moderate",
+};

package/dist/middleware/storeOwnership.d.ts

@@ -0,0 +1,15 @@
+import type { FastifyReply, FastifyRequest } from "fastify";
+export interface StoreOwnerMiddlewareOptions {
+    requireActive?: boolean;
+    allowParameterStoreId?: boolean;
+    storeIdParamName?: string;
+    allowAdminOverride?: boolean;
+    overrideRoles?: string[];
+    overridePermissions?: string[];
+}
+/**
+ * Factory that returns a middleware ensuring the current user owns the target store.
+ * - Uses shared store validation under the hood for existence/active checks
+ * - Supports optional admin/permission overrides (e.g. SUPER_ADMIN or * permissions)
+ */
+export declare function requireStoreOwner(options?: StoreOwnerMiddlewareOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;