@axova/shared 1.0.0

package/dist/middleware/storeOwnership.js

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireStoreOwner = requireStoreOwner;
+const drizzle_orm_1 = require("drizzle-orm");
+const db_1 = require("../lib/db");
+const store_schema_1 = require("../schemas/store/store-schema");
+const serviceAuth_1 = require("./serviceAuth");
+/**
+ * Factory that returns a middleware ensuring the current user owns the target store.
+ * - Uses shared store validation under the hood for existence/active checks
+ * - Supports optional admin/permission overrides (e.g. SUPER_ADMIN or * permissions)
+ */
+function requireStoreOwner(options = {}) {
+    const { requireActive = true, allowParameterStoreId = true, storeIdParamName = "storeId", allowAdminOverride = true, overrideRoles = ["SUPER_ADMIN"], overridePermissions = ["*", "store:read:all", "store:write:all"], } = options;
+    return async (request, reply) => {
+        const user = request.user;
+        // Extract storeId from params/query/body/user.context
+        let storeId;
+        const params = (request.params || {});
+        const query = (request.query || {});
+        const body = (request.body || {});
+        if (allowParameterStoreId && typeof params[storeIdParamName] === "string") {
+            storeId = params[storeIdParamName];
+        }
+        if (!storeId && typeof query.storeId === "string")
+            storeId = query.storeId;
+        if (!storeId && typeof body.storeId === "string")
+            storeId = body.storeId;
+        if (!storeId && typeof request.user?.storeId === "string") {
+            storeId = request.user?.storeId;
+        }
+        if (!storeId) {
+            return reply.status(400).send({
+                error: "Store ID Required",
+                message: `Store ID must be provided in URL (:${storeIdParamName}), query, or body`,
+                code: "STORE_ID_MISSING",
+            });
+        }
+        // Admin/permission overrides
+        const hasRoleOverride = !!user?.role && overrideRoles.includes(user.role);
+        const hasPermissionOverride = !!user?.permissions?.some((p) => overridePermissions.includes(p));
+        if (allowAdminOverride && (hasRoleOverride || hasPermissionOverride)) {
+            // Optionally attach minimal store info by fetching; if it fails, still allow
+            await attachStoreInfoIfPossible(request, storeId);
+            return;
+        }
+        // Fetch store details from Store Service internal route
+        try {
+            const store = await fetchStoreById(storeId);
+            if (!store) {
+                return reply.status(404).send({
+                    error: "Store Not Found",
+                    message: `Store with ID ${storeId} does not exist`,
+                    code: "STORE_NOT_FOUND",
+                });
+            }
+            // requireActive check
+            if (requireActive && store.isActive === false) {
+                return reply.status(403).send({
+                    error: "Store Inactive",
+                    message: `Store ${storeId} is currently inactive`,
+                    code: "STORE_INACTIVE",
+                });
+            }
+            // Ownership check
+            if (!user?.userId || store.userId !== user.userId) {
+                return reply.status(403).send({
+                    error: "Store Access Denied",
+                    message: "You do not have permission to access this store",
+                    code: "STORE_ACCESS_DENIED",
+                });
+            }
+            // Attach store info to request for downstream handlers
+            request.storeInfo = {
+                storeId: store.id,
+                storeName: store.storeName,
+                isActive: !!store.isActive,
+                userId: store.userId,
+            };
+        }
+        catch (error) {
+            console.error("Store ownership validation error:", error);
+            return reply.status(500).send({
+                error: "Internal Server Error",
+                message: "Failed to validate store ownership",
+                code: "STORE_OWNERSHIP_VALIDATION_ERROR",
+            });
+        }
+    };
+}
+// Fetches store by ID from the Store Service internal endpoint
+async function fetchStoreById(storeId) {
+    const baseUrl = process.env.STORE_SERVICE_URL || "http://localhost:3001";
+    const url = `${baseUrl}/internal/stores/${encodeURIComponent(storeId)}`;
+    let token;
+    try {
+        const cfg = (0, serviceAuth_1.getServiceAuthConfigFromEnv)();
+        token = (0, serviceAuth_1.createServiceAuthenticator)(cfg).generateServiceToken(process.env.SERVICE_NAME || "inventory-core-service", ["store:read"]);
+    }
+    catch {
+        // Development fallback tokens accepted by store service
+        const isDev = process.env.NODE_ENV !== "production";
+        if (isDev)
+            token = "inventory-dev-access";
+    }
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    if (token)
+        headers["x-service-token"] = token;
+    try {
+        const res = await fetch(url, { method: "GET", headers });
+        if (res.ok) {
+            const data = (await res.json());
+            const store = data?.store || data?.data?.store || null;
+            if (store)
+                return store;
+        }
+    }
+    catch {
+        // ignore network error and try DB fallback when possible
+    }
+    // DB fallback (primarily for in-process store-service)
+    try {
+        const result = await db_1.db
+            .select({
+            id: store_schema_1.stores.id,
+            storeName: store_schema_1.stores.storeName,
+            isActive: store_schema_1.stores.isActive,
+            userId: store_schema_1.stores.userId,
+        })
+            .from(store_schema_1.stores)
+            .where((0, drizzle_orm_1.eq)(store_schema_1.stores.id, storeId))
+            .limit(1);
+        return result[0] || null;
+    }
+    catch {
+        return null;
+    }
+}
+async function attachStoreInfoIfPossible(request, storeId) {
+    try {
+        const store = await fetchStoreById(storeId);
+        if (store) {
+            request.storeInfo = {
+                storeId: store.id,
+                storeName: store.storeName,
+                isActive: !!store.isActive,
+                userId: store.userId,
+            };
+        }
+    }
+    catch {
+        // ignore
+    }
+}

package/dist/middleware/storeValidationMiddleware.d.ts

@@ -0,0 +1,44 @@
+import { FastifyReply, FastifyRequest } from "fastify";
+export interface StoreValidationOptions {
+    requireActive?: boolean;
+    allowParameterStoreId?: boolean;
+    storeIdParamName?: string;
+    requireOwnership?: boolean;
+}
+declare module "fastify" {
+    interface FastifyRequest {
+        user?: {
+            userId: string;
+            storeId: string;
+            role: string;
+            permissions: string[];
+            iat?: number;
+            exp?: number;
+        };
+        session?: unknown;
+        storeInfo?: {
+            storeId: string;
+            storeName: string;
+            isActive: boolean;
+            userId: string;
+        };
+    }
+}
+/**
+ * Middleware to validate store existence and status
+ */
+export declare const validateStoreMiddleware: (options?: StoreValidationOptions) => (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;
+/**
+ * Helper to clear store cache entry
+ */
+export declare const clearStoreCache: (storeId: string) => void;
+/**
+ * Helper to clear all store cache
+ */
+export declare const clearAllStoreCache: () => void;
+/**
+ * Simplified middleware for common use cases
+ */
+export declare const requireValidStore: (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;
+export declare const requireOwnedStore: (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;
+export declare const requireAnyStore: (request: FastifyRequest, reply: FastifyReply) => Promise<undefined>;

package/dist/middleware/storeValidationMiddleware.js

@@ -0,0 +1,180 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireAnyStore = exports.requireOwnedStore = exports.requireValidStore = exports.clearAllStoreCache = exports.clearStoreCache = exports.validateStoreMiddleware = void 0;
+const drizzle_orm_1 = require("drizzle-orm");
+const db_1 = require("../lib/db");
+const store_schema_1 = require("../schemas/store/store-schema");
+// Store cache to reduce database calls
+const storeCache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+/**
+ * Middleware to validate store existence and status
+ */
+const validateStoreMiddleware = (options = {}) => {
+    return async (request, reply) => {
+        try {
+            const { requireActive = true, allowParameterStoreId = true, storeIdParamName = "storeId", requireOwnership = false, } = options;
+            // Extract store ID from various sources
+            let storeId;
+            // 1. Try from authenticated user context
+            if (request.user?.storeId) {
+                storeId = request.user.storeId;
+            }
+            // 2. Try from URL parameters if allowed
+            if (!storeId && allowParameterStoreId) {
+                const params = request.params;
+                storeId = params[storeIdParamName];
+            }
+            // 3. Try from query parameters
+            if (!storeId) {
+                const query = request.query;
+                storeId = query.storeId;
+            }
+            // 4. Try from request body
+            if (!storeId && request.body && typeof request.body === "object") {
+                const body = request.body;
+                if (typeof body.storeId === "string") {
+                    storeId = body.storeId;
+                }
+            }
+            if (!storeId) {
+                return reply.status(400).send({
+                    error: "Store ID Required",
+                    message: "Store ID must be provided in URL, query parameters, or request body",
+                    code: "STORE_ID_MISSING",
+                });
+            }
+            // Check cache first
+            const cached = storeCache.get(storeId);
+            if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+                if (!cached.isValid) {
+                    return reply.status(404).send({
+                        error: "Store Not Found",
+                        message: `Store with ID ${storeId} does not exist`,
+                        code: "STORE_NOT_FOUND",
+                    });
+                }
+                // Use cached store data if available
+                if (cached.storeData) {
+                    const storeData = cached.storeData;
+                    // Check if store is active when required
+                    if (requireActive && !storeData.isActive) {
+                        return reply.status(403).send({
+                            error: "Store Inactive",
+                            message: `Store ${storeId} is currently inactive`,
+                            code: "STORE_INACTIVE",
+                        });
+                    }
+                    // Check ownership when required
+                    if (requireOwnership && request.user?.userId !== storeData.userId) {
+                        return reply.status(403).send({
+                            error: "Store Access Denied",
+                            message: "You do not have permission to access this store",
+                            code: "STORE_ACCESS_DENIED",
+                        });
+                    }
+                    // Attach store information to request
+                    request.storeInfo = {
+                        storeId: storeData.id,
+                        storeName: storeData.storeName,
+                        isActive: storeData.isActive,
+                        userId: storeData.userId,
+                    };
+                    return; // Successfully validated using cache
+                }
+            }
+            // Validate store exists and get details from database
+            const store = await db_1.db
+                .select({
+                id: store_schema_1.stores.id,
+                storeName: store_schema_1.stores.storeName,
+                isActive: store_schema_1.stores.isActive,
+                userId: store_schema_1.stores.userId,
+            })
+                .from(store_schema_1.stores)
+                .where((0, drizzle_orm_1.eq)(store_schema_1.stores.id, storeId))
+                .limit(1);
+            if (store.length === 0) {
+                // Cache negative result
+                storeCache.set(storeId, { isValid: false, timestamp: Date.now() });
+                return reply.status(404).send({
+                    error: "Store Not Found",
+                    message: `Store with ID ${storeId} does not exist`,
+                    code: "STORE_NOT_FOUND",
+                });
+            }
+            const storeData = store[0];
+            // Check if store is active when required
+            if (requireActive && !storeData.isActive) {
+                return reply.status(403).send({
+                    error: "Store Inactive",
+                    message: `Store ${storeId} is currently inactive`,
+                    code: "STORE_INACTIVE",
+                });
+            }
+            // Check ownership when required
+            if (requireOwnership && request.user?.userId !== storeData.userId) {
+                return reply.status(403).send({
+                    error: "Store Access Denied",
+                    message: "You do not have permission to access this store",
+                    code: "STORE_ACCESS_DENIED",
+                });
+            }
+            // Cache positive result with store data
+            storeCache.set(storeId, {
+                isValid: true,
+                timestamp: Date.now(),
+                storeData: {
+                    id: storeData.id,
+                    storeName: storeData.storeName,
+                    isActive: storeData.isActive,
+                    userId: storeData.userId,
+                },
+            });
+            // Attach store information to request
+            request.storeInfo = {
+                storeId: storeData.id,
+                storeName: storeData.storeName,
+                isActive: storeData.isActive,
+                userId: storeData.userId,
+            };
+            // Continue to next handler - explicitly return to proceed
+        }
+        catch (error) {
+            console.error("Store validation error:", error);
+            return reply.status(500).send({
+                error: "Internal Server Error",
+                message: "Failed to validate store",
+                code: "STORE_VALIDATION_ERROR",
+            });
+        }
+    };
+};
+exports.validateStoreMiddleware = validateStoreMiddleware;
+/**
+ * Helper to clear store cache entry
+ */
+const clearStoreCache = (storeId) => {
+    storeCache.delete(storeId);
+};
+exports.clearStoreCache = clearStoreCache;
+/**
+ * Helper to clear all store cache
+ */
+const clearAllStoreCache = () => {
+    storeCache.clear();
+};
+exports.clearAllStoreCache = clearAllStoreCache;
+/**
+ * Simplified middleware for common use cases
+ */
+exports.requireValidStore = (0, exports.validateStoreMiddleware)({
+    requireActive: true,
+});
+exports.requireOwnedStore = (0, exports.validateStoreMiddleware)({
+    requireActive: true,
+    requireOwnership: true,
+});
+exports.requireAnyStore = (0, exports.validateStoreMiddleware)({
+    requireActive: false,
+});

package/dist/middleware/userAuth.d.ts

@@ -0,0 +1,27 @@
+import type { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+export interface SharedUserContext {
+    userId: string;
+    storeId: string;
+    role: string;
+    permissions: string[];
+    organizationId?: string;
+    activeOrganizationId?: string;
+    iat?: number;
+    exp?: number;
+}
+export declare const DEFAULT_ROLE_PERMISSIONS: Record<string, string[]>;
+export declare const AuthPreHandler: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+export declare const fastifyUserAuthPlugin: FastifyPluginAsync;
+export declare function getAuthTokenFromRequest(request: FastifyRequest): string | undefined;
+export declare function getAuthHeadersFromRequest(request: FastifyRequest): Record<string, string>;
+export declare function getUserDataFromRequest(request: FastifyRequest): {
+    userId: string;
+    organizationId?: string;
+    role?: string;
+    permissions?: string[];
+} | null;
+export declare function getUserIdFromRequest(request: FastifyRequest): string | null;
+export declare function hasPermission(request: FastifyRequest, permission: string): boolean;
+export declare function hasRole(request: FastifyRequest, role: string): boolean;
+export declare function requirePermission(permission: string): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+export declare function requireRole(role: string): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;

package/dist/middleware/userAuth.js

@@ -0,0 +1,218 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fastifyUserAuthPlugin = exports.AuthPreHandler = exports.DEFAULT_ROLE_PERMISSIONS = void 0;
+exports.getAuthTokenFromRequest = getAuthTokenFromRequest;
+exports.getAuthHeadersFromRequest = getAuthHeadersFromRequest;
+exports.getUserDataFromRequest = getUserDataFromRequest;
+exports.getUserIdFromRequest = getUserIdFromRequest;
+exports.hasPermission = hasPermission;
+exports.hasRole = hasRole;
+exports.requirePermission = requirePermission;
+exports.requireRole = requireRole;
+const better_middleware_1 = require("better-middleware");
+const fastify_plugin_1 = __importDefault(require("fastify-plugin"));
+// Optional role → permission mapping (used for helpers)
+exports.DEFAULT_ROLE_PERMISSIONS = {
+    SUPER_ADMIN: ["*"],
+    STORE_ADMIN: [
+        "store:read",
+        "store:write",
+        "store:delete",
+        "orders:read",
+        "orders:write",
+        "products:read",
+        "products:write",
+    ],
+    STORE_MANAGER: [
+        "store:read",
+        "store:write",
+        "orders:read",
+        "orders:write",
+        "products:read",
+        "products:write",
+    ],
+    STORE_EMPLOYEE: ["store:read", "orders:read", "products:read"],
+    USER: ["store:read"],
+};
+// Core adapter of better-middleware to Fastify
+function createFastifyAuthHandler() {
+    const auth = (0, better_middleware_1.createAuthMiddleware)({
+        baseURL: process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000",
+        cache: { enabled: true, ttl: 300, max: 1000 },
+        onError: async () => ({
+            status: 401,
+            body: {
+                success: false,
+                error: "Authentication required",
+                code: "UNAUTHORIZED",
+            },
+        }),
+        logger: {
+            info: (m, d) => process.env.NODE_ENV === "development"
+                ? console.log(`[Auth] ${m}`, d)
+                : undefined,
+            error: (m, d) => console.error(`[Auth] ${m}`, d),
+            debug: (m, d) => process.env.NODE_ENV === "development"
+                ? console.debug(`[Auth] ${m}`, d)
+                : undefined,
+        },
+        framework: {
+            getHeaders: (request) => {
+                const headers = {};
+                Object.entries(request.headers || {}).forEach(([k, v]) => {
+                    if (typeof v === "string")
+                        headers[k] = v;
+                    else if (Array.isArray(v))
+                        headers[k] = v.join(", ");
+                });
+                const hasCookie = (headers["cookie"] || "").includes("better-auth.session_token=");
+                const bearer = headers["authorization"]?.startsWith("Bearer ")
+                    ? headers["authorization"].substring(7)
+                    : undefined;
+                if (!hasCookie && bearer) {
+                    headers["cookie"] =
+                        `${headers["cookie"] ? headers["cookie"] + "; " : ""}better-auth.session_token=${bearer}`;
+                }
+                return headers;
+            },
+            getCookies: (request) => {
+                const cookies = request.cookies || {};
+                if (!cookies["better-auth.session_token"] &&
+                    request.headers.authorization?.startsWith("Bearer ")) {
+                    cookies["better-auth.session_token"] =
+                        request.headers.authorization.substring(7);
+                }
+                return cookies;
+            },
+            setContext: (request, key, value) => {
+                if (key === "user" && value) {
+                    const u = value;
+                    request.user = {
+                        userId: u.id,
+                        storeId: u.activeOrganizationId || u.organizationId || "",
+                        role: u.role || "USER",
+                        permissions: exports.DEFAULT_ROLE_PERMISSIONS[u.role || "USER"] || [],
+                        organizationId: u.organizationId,
+                        activeOrganizationId: u.activeOrganizationId,
+                        iat: u.iat,
+                        exp: u.exp,
+                    };
+                }
+                else if (key === "session" && value) {
+                    const s = value;
+                    if (request.user && !request.user.storeId)
+                        request.user.storeId =
+                            s.activeOrganizationId || request.user.storeId;
+                }
+            },
+            createResponse: (_request, body, status) => ({
+                status,
+                body,
+            }),
+        },
+    });
+    return auth;
+}
+// Pre-handler that runs authentication; emits response when not authorized
+const AuthPreHandler = async (request, reply) => {
+    const auth = createFastifyAuthHandler();
+    const result = await auth(request, request, async () => { });
+    if (result) {
+        reply.code(result.status).send(result.body);
+    }
+};
+exports.AuthPreHandler = AuthPreHandler;
+// Fastify plugin for easy registration
+exports.fastifyUserAuthPlugin = (0, fastify_plugin_1.default)(async (fastify) => {
+    fastify.addHook("preHandler", exports.AuthPreHandler);
+});
+// ---------- Helper utilities ----------
+function getAuthTokenFromRequest(request) {
+    const cookies = request.cookies || {};
+    const tokenFromCookie = cookies["better-auth.session_token"];
+    if (tokenFromCookie)
+        return tokenFromCookie;
+    const cookieHeader = request.headers.cookie;
+    if (cookieHeader) {
+        const match = cookieHeader.match(/better-auth\.session_token=([^;]+)/);
+        if (match)
+            return match[1];
+    }
+    const authHeader = request.headers.authorization;
+    if (authHeader?.startsWith("Bearer "))
+        return authHeader.substring(7);
+    return undefined;
+}
+function getAuthHeadersFromRequest(request) {
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    const token = getAuthTokenFromRequest(request);
+    if (token) {
+        headers["Cookie"] = `better-auth.session_token=${token}`;
+        headers["Authorization"] = `Bearer ${token}`;
+    }
+    return headers;
+}
+function getUserDataFromRequest(request) {
+    const user = request.user;
+    if (user) {
+        return {
+            userId: user.userId,
+            organizationId: user.storeId || user.organizationId,
+            role: user.role,
+            permissions: user.permissions,
+        };
+    }
+    const userIdFromHeader = request.headers["x-user-id"];
+    const storeIdFromHeader = request.headers["x-store-id"];
+    const roleFromHeader = request.headers["x-user-role"];
+    if (userIdFromHeader) {
+        return {
+            userId: userIdFromHeader,
+            organizationId: storeIdFromHeader,
+            role: roleFromHeader || "USER",
+            permissions: exports.DEFAULT_ROLE_PERMISSIONS[roleFromHeader || "USER"] || [],
+        };
+    }
+    return null;
+}
+function getUserIdFromRequest(request) {
+    return getUserDataFromRequest(request)?.userId || null;
+}
+function hasPermission(request, permission) {
+    const user = request.user;
+    const perms = user?.permissions || [];
+    return perms.includes("*") || perms.includes(permission);
+}
+function hasRole(request, role) {
+    const user = request.user;
+    return (user?.role || "").toUpperCase() === role.toUpperCase();
+}
+function requirePermission(permission) {
+    return async (request, reply) => {
+        if (!hasPermission(request, permission)) {
+            reply.code(403).send({
+                success: false,
+                error: "Insufficient permissions",
+                message: `Required permission: ${permission}`,
+                code: "FORBIDDEN",
+            });
+        }
+    };
+}
+function requireRole(role) {
+    return async (request, reply) => {
+        if (!hasRole(request, role)) {
+            reply.code(403).send({
+                success: false,
+                error: "Insufficient role",
+                message: `Required role: ${role}`,
+                code: "FORBIDDEN",
+            });
+        }
+    };
+}