@axova/shared 1.0.2 → 1.1.0

package/src/middleware/storeOwnership.ts

@@ -1,181 +1,199 @@
-import type { FastifyReply, FastifyRequest } from "fastify";
-import {
-	createServiceAuthenticator,
-	getServiceAuthConfigFromEnv,
-} from "./serviceAuth";
-
-export interface StoreOwnerMiddlewareOptions {
-	requireActive?: boolean;
-	allowParameterStoreId?: boolean;
-	storeIdParamName?: string;
-	allowAdminOverride?: boolean;
-	overrideRoles?: string[];
-	overridePermissions?: string[];
-}
-
-/**
- * Factory that returns a middleware ensuring the current user owns the target store.
- * - Uses shared store validation under the hood for existence/active checks
- * - Supports optional admin/permission overrides (e.g. SUPER_ADMIN or * permissions)
- */
-export function requireStoreOwner(options: StoreOwnerMiddlewareOptions = {}) {
-	const {
-		requireActive = true,
-		allowParameterStoreId = true,
-		storeIdParamName = "storeId",
-		allowAdminOverride = true,
-		overrideRoles = ["SUPER_ADMIN"],
-		overridePermissions = ["*", "store:read:all", "store:write:all"],
-	} = options;
-
-	return async (request: FastifyRequest, reply: FastifyReply) => {
-		const user = (request as any).user as
-			| {
-					userId: string;
-					role?: string;
-					permissions?: string[];
-			  }
-			| undefined;
-
-		// Extract storeId from params/query/body/user.context
-		let storeId: string | undefined;
-		const params = (request.params || {}) as Record<string, any>;
-		const query = (request.query || {}) as Record<string, any>;
-		const body = (request.body || {}) as Record<string, any>;
-		if (allowParameterStoreId && typeof params[storeIdParamName] === "string") {
-			storeId = params[storeIdParamName] as string;
-		}
-		if (!storeId && typeof query.storeId === "string")
-			storeId = query.storeId as string;
-		if (!storeId && typeof body.storeId === "string")
-			storeId = body.storeId as string;
-		if (!storeId && typeof (request as any).user?.storeId === "string") {
-			storeId = (request as any).user?.storeId as string;
-		}
-
-		if (!storeId) {
-			return reply.status(400).send({
-				error: "Store ID Required",
-				message: `Store ID must be provided in URL (:${storeIdParamName}), query, or body`,
-				code: "STORE_ID_MISSING",
-			});
-		}
-
-		// Admin/permission overrides
-		const hasRoleOverride = !!user?.role && overrideRoles.includes(user.role);
-		const hasPermissionOverride = !!user?.permissions?.some((p) =>
-			overridePermissions.includes(p),
-		);
-		if (allowAdminOverride && (hasRoleOverride || hasPermissionOverride)) {
-			// Optionally attach minimal store info by fetching; if it fails, still allow
-			await attachStoreInfoIfPossible(request, storeId);
-			return;
-		}
-
-		// Fetch store details from Store Service internal route
-		try {
-			const store = await fetchStoreById(storeId);
-
-			if (!store) {
-				return reply.status(404).send({
-					error: "Store Not Found",
-					message: `Store with ID ${storeId} does not exist`,
-					code: "STORE_NOT_FOUND",
-				});
-			}
-
-			// requireActive check
-			if (requireActive && store.isActive === false) {
-				return reply.status(403).send({
-					error: "Store Inactive",
-					message: `Store ${storeId} is currently inactive`,
-					code: "STORE_INACTIVE",
-				});
-			}
-
-			// Ownership check
-			if (!user?.userId || store.userId !== user.userId) {
-				return reply.status(403).send({
-					error: "Store Access Denied",
-					message: "You do not have permission to access this store",
-					code: "STORE_ACCESS_DENIED",
-				});
-			}
-
-			// Attach store info to request for downstream handlers
-			(request as any).storeInfo = {
-				storeId: store.id,
-				storeName: store.storeName,
-				isActive: !!store.isActive,
-				userId: store.userId,
-			};
-		} catch (error) {
-			console.error("Store ownership validation error:", error);
-			return reply.status(500).send({
-				error: "Internal Server Error",
-				message: "Failed to validate store ownership",
-				code: "STORE_OWNERSHIP_VALIDATION_ERROR",
-			});
-		}
-	};
-}
-
-// Fetches store by ID from the Store Service internal endpoint
-async function fetchStoreById(storeId: string): Promise<{
-	id: string;
-	storeName: string;
-	isActive?: boolean;
-	userId: string;
-} | null> {
-	const baseUrl = process.env.STORE_SERVICE_URL || "http://localhost:3001";
-	const url = `${baseUrl}/internal/stores/${encodeURIComponent(storeId)}`;
-
-	let token: string | undefined;
-	try {
-		const cfg = getServiceAuthConfigFromEnv();
-		token = createServiceAuthenticator(cfg).generateServiceToken(
-			process.env.SERVICE_NAME || "inventory-core-service",
-			["store:read"],
-		);
-	} catch {
-		// Development fallback tokens accepted by store service
-		const isDev = process.env.NODE_ENV !== "production";
-		if (isDev) token = "inventory-dev-access";
-	}
-
-	const headers: Record<string, string> = {
-		"Content-Type": "application/json",
-	};
-	if (token) headers["x-service-token"] = token;
-
-	try {
-		const res = await fetch(url, { method: "GET", headers });
-		if (res.ok) {
-			const data = (await res.json()) as any;
-			const store = data?.store || data?.data?.store || null;
-			if (store) return store;
-		}
-	} catch (error) {
-		console.error('Failed to fetch store from store service:', error);
-	}
-	return null;
-}
-
-async function attachStoreInfoIfPossible(
-	request: FastifyRequest,
-	storeId: string,
-) {
-	try {
-		const store = await fetchStoreById(storeId);
-		if (store) {
-			(request as any).storeInfo = {
-				storeId: store.id,
-				storeName: store.storeName,
-				isActive: !!store.isActive,
-				userId: store.userId,
-			};
-		}
-	} catch {
-		// ignore
-	}
-}
+import { eq } from "drizzle-orm";
+import type { FastifyReply, FastifyRequest } from "fastify";
+import { db } from "../lib/db";
+import { stores } from "../schemas/store/store-schema";
+import {
+	createServiceAuthenticator,
+	getServiceAuthConfigFromEnv,
+} from "./serviceAuth";
+
+export interface StoreOwnerMiddlewareOptions {
+	requireActive?: boolean;
+	allowParameterStoreId?: boolean;
+	storeIdParamName?: string;
+	allowAdminOverride?: boolean;
+	overrideRoles?: string[];
+	overridePermissions?: string[];
+}
+
+/**
+ * Factory that returns a middleware ensuring the current user owns the target store.
+ * - Uses shared store validation under the hood for existence/active checks
+ * - Supports optional admin/permission overrides (e.g. SUPER_ADMIN or * permissions)
+ */
+export function requireStoreOwner(options: StoreOwnerMiddlewareOptions = {}) {
+	const {
+		requireActive = true,
+		allowParameterStoreId = true,
+		storeIdParamName = "storeId",
+		allowAdminOverride = true,
+		overrideRoles = ["SUPER_ADMIN"],
+		overridePermissions = ["*", "store:read:all", "store:write:all"],
+	} = options;
+
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		const user = (request as any).user as
+			| {
+					userId: string;
+					role?: string;
+					permissions?: string[];
+			  }
+			| undefined;
+
+		// Extract storeId from params/query/body/user.context
+		let storeId: string | undefined;
+		const params = (request.params || {}) as Record<string, any>;
+		const query = (request.query || {}) as Record<string, any>;
+		const body = (request.body || {}) as Record<string, any>;
+		if (allowParameterStoreId && typeof params[storeIdParamName] === "string") {
+			storeId = params[storeIdParamName] as string;
+		}
+		if (!storeId && typeof query.storeId === "string")
+			storeId = query.storeId as string;
+		if (!storeId && typeof body.storeId === "string")
+			storeId = body.storeId as string;
+		if (!storeId && typeof (request as any).user?.storeId === "string") {
+			storeId = (request as any).user?.storeId as string;
+		}
+
+		if (!storeId) {
+			return reply.status(400).send({
+				error: "Store ID Required",
+				message: `Store ID must be provided in URL (:${storeIdParamName}), query, or body`,
+				code: "STORE_ID_MISSING",
+			});
+		}
+
+		// Admin/permission overrides
+		const hasRoleOverride = !!user?.role && overrideRoles.includes(user.role);
+		const hasPermissionOverride = !!user?.permissions?.some((p) =>
+			overridePermissions.includes(p),
+		);
+		if (allowAdminOverride && (hasRoleOverride || hasPermissionOverride)) {
+			// Optionally attach minimal store info by fetching; if it fails, still allow
+			await attachStoreInfoIfPossible(request, storeId);
+			return;
+		}
+
+		// Fetch store details from Store Service internal route
+		try {
+			const store = await fetchStoreById(storeId);
+
+			if (!store) {
+				return reply.status(404).send({
+					error: "Store Not Found",
+					message: `Store with ID ${storeId} does not exist`,
+					code: "STORE_NOT_FOUND",
+				});
+			}
+
+			// requireActive check
+			if (requireActive && store.isActive === false) {
+				return reply.status(403).send({
+					error: "Store Inactive",
+					message: `Store ${storeId} is currently inactive`,
+					code: "STORE_INACTIVE",
+				});
+			}
+
+			// Ownership check
+			if (!user?.userId || store.userId !== user.userId) {
+				return reply.status(403).send({
+					error: "Store Access Denied",
+					message: "You do not have permission to access this store",
+					code: "STORE_ACCESS_DENIED",
+				});
+			}
+
+			// Attach store info to request for downstream handlers
+			(request as any).storeInfo = {
+				storeId: store.id,
+				storeName: store.storeName,
+				isActive: !!store.isActive,
+				userId: store.userId,
+			};
+		} catch (error) {
+			console.error("Store ownership validation error:", error);
+			return reply.status(500).send({
+				error: "Internal Server Error",
+				message: "Failed to validate store ownership",
+				code: "STORE_OWNERSHIP_VALIDATION_ERROR",
+			});
+		}
+	};
+}
+
+// Fetches store by ID from the Store Service internal endpoint
+async function fetchStoreById(storeId: string): Promise<{
+	id: string;
+	storeName: string;
+	isActive?: boolean;
+	userId: string;
+} | null> {
+	const baseUrl = process.env.STORE_SERVICE_URL || "http://localhost:3001";
+	const url = `${baseUrl}/internal/stores/${encodeURIComponent(storeId)}`;
+
+	let token: string | undefined;
+	try {
+		const cfg = getServiceAuthConfigFromEnv();
+		token = createServiceAuthenticator(cfg).generateServiceToken(
+			process.env.SERVICE_NAME || "inventory-core-service",
+			["store:read"],
+		);
+	} catch {
+		// Development fallback tokens accepted by store service
+		const isDev = process.env.NODE_ENV !== "production";
+		if (isDev) token = "inventory-dev-access";
+	}
+
+	const headers: Record<string, string> = {
+		"Content-Type": "application/json",
+	};
+	if (token) headers["x-service-token"] = token;
+
+	try {
+		const res = await fetch(url, { method: "GET", headers });
+		if (res.ok) {
+			const data = (await res.json()) as any;
+			const store = data?.store || data?.data?.store || null;
+			if (store) return store;
+		}
+	} catch {
+		// ignore network error and try DB fallback when possible
+	}
+	// DB fallback (primarily for in-process store-service)
+	try {
+		const result = await db
+			.select({
+				id: stores.id,
+				storeName: stores.storeName,
+				isActive: stores.isActive,
+				userId: stores.userId,
+			})
+			.from(stores)
+			.where(eq(stores.id, storeId))
+			.limit(1);
+		return result[0] || null;
+	} catch {
+		return null;
+	}
+}
+
+async function attachStoreInfoIfPossible(
+	request: FastifyRequest,
+	storeId: string,
+) {
+	try {
+		const store = await fetchStoreById(storeId);
+		if (store) {
+			(request as any).storeInfo = {
+				storeId: store.id,
+				storeName: store.storeName,
+				isActive: !!store.isActive,
+				userId: store.userId,
+			};
+		}
+	} catch {
+		// ignore
+	}
+}

package/src/middleware/storeValidationMiddleware.ts

@@ -1,8 +1,7 @@
+import { eq } from "drizzle-orm";
 import { FastifyReply, FastifyRequest } from "fastify";
-import {
-	createServiceAuthenticator,
-	getServiceAuthConfigFromEnv,
-} from "./serviceAuth";
+import { db } from "../lib/db";
+import { stores } from "../schemas/store/store-schema";
 
 // Store cache to reduce database calls
 const storeCache = new Map<
@@ -144,10 +143,19 @@ export const validateStoreMiddleware = (
 				}
 			}
 
-			// Validate store exists and get details from store service API
-			const fetchedStore = await fetchStoreById(storeId);
-
-			if (!fetchedStore) {
+			// Validate store exists and get details from database
+			const store = await db
+				.select({
+					id: stores.id,
+					storeName: stores.storeName,
+					isActive: stores.isActive,
+					userId: stores.userId,
+				})
+				.from(stores)
+				.where(eq(stores.id, storeId))
+				.limit(1);
+
+			if (store.length === 0) {
 				// Cache negative result
 				storeCache.set(storeId, { isValid: false, timestamp: Date.now() });
 
@@ -158,7 +166,7 @@ export const validateStoreMiddleware = (
 				});
 			}
 
-			const storeData = fetchedStore;
+			const storeData = store[0];
 
 			// Check if store is active when required
 			if (requireActive && !storeData.isActive) {
@@ -237,44 +245,3 @@ export const requireOwnedStore = validateStoreMiddleware({
 export const requireAnyStore = validateStoreMiddleware({
 	requireActive: false,
 });
-
-// Helper function to fetch store from store service
-async function fetchStoreById(storeId: string): Promise<{
-	id: string;
-	storeName: string;
-	isActive: boolean;
-	userId: string;
-} | null> {
-	const baseUrl = process.env.STORE_SERVICE_URL || "http://localhost:3001";
-	const url = `${baseUrl}/internal/stores/${encodeURIComponent(storeId)}`;
-
-	let token: string | undefined;
-	try {
-		const cfg = getServiceAuthConfigFromEnv();
-		token = createServiceAuthenticator(cfg).generateServiceToken(
-			process.env.SERVICE_NAME || "shared-middleware",
-			["store:read"],
-		);
-	} catch {
-		// Development fallback tokens accepted by store service
-		const isDev = process.env.NODE_ENV !== "production";
-		if (isDev) token = "dev-access";
-	}
-
-	const headers: Record<string, string> = {
-		"Content-Type": "application/json",
-	};
-	if (token) headers["x-service-token"] = token;
-
-	try {
-		const res = await fetch(url, { method: "GET", headers });
-		if (res.ok) {
-			const data = (await res.json()) as any;
-			const store = data?.store || data?.data?.store || null;
-			if (store) return store;
-		}
-	} catch (error) {
-		console.error('Failed to fetch store from store service:', error);
-	}
-	return null;
-}