@axova/shared 1.0.2 → 1.1.0

package/src/middleware/userAuth.ts

@@ -1,248 +1,248 @@
-import { createAuthMiddleware } from "better-middleware";
-import type { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
-import fp from "fastify-plugin";
-
-// Standardized user context aligned with existing request augmentation in this package
-export interface SharedUserContext {
-	userId: string;
-	storeId: string;
-	role: string;
-	permissions: string[];
-	organizationId?: string;
-	activeOrganizationId?: string;
-	iat?: number;
-	exp?: number;
-}
-
-// Optional role → permission mapping (used for helpers)
-export const DEFAULT_ROLE_PERMISSIONS: Record<string, string[]> = {
-	SUPER_ADMIN: ["*"],
-	STORE_ADMIN: [
-		"store:read",
-		"store:write",
-		"store:delete",
-		"orders:read",
-		"orders:write",
-		"products:read",
-		"products:write",
-	],
-	STORE_MANAGER: [
-		"store:read",
-		"store:write",
-		"orders:read",
-		"orders:write",
-		"products:read",
-		"products:write",
-	],
-	STORE_EMPLOYEE: ["store:read", "orders:read", "products:read"],
-	USER: ["store:read"],
-};
-
-// Core adapter of better-middleware to Fastify
-function createFastifyAuthHandler() {
-	const auth = createAuthMiddleware<FastifyRequest>({
-		baseURL: process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000",
-		cache: { enabled: true, ttl: 300, max: 1000 },
-		onError: async () => ({
-			status: 401,
-			body: {
-				success: false,
-				error: "Authentication required",
-				code: "UNAUTHORIZED",
-			},
-		}),
-		logger: {
-			info: (m, d) =>
-				process.env.NODE_ENV === "development"
-					? console.log(`[Auth] ${m}`, d)
-					: undefined,
-			error: (m, d) => console.error(`[Auth] ${m}`, d),
-			debug: (m, d) =>
-				process.env.NODE_ENV === "development"
-					? console.debug(`[Auth] ${m}`, d)
-					: undefined,
-		},
-		framework: {
-			getHeaders: (request: any) => {
-				const headers: Record<string, string> = {};
-				Object.entries(request.headers || {}).forEach(([k, v]) => {
-					if (typeof v === "string") headers[k] = v;
-					else if (Array.isArray(v)) headers[k] = v.join(", ");
-				});
-				const hasCookie = (headers["cookie"] || "").includes(
-					"better-auth.session_token=",
-				);
-				const bearer = headers["authorization"]?.startsWith("Bearer ")
-					? headers["authorization"].substring(7)
-					: undefined;
-				if (!hasCookie && bearer) {
-					headers["cookie"] =
-						`${headers["cookie"] ? headers["cookie"] + "; " : ""}better-auth.session_token=${bearer}`;
-				}
-				return headers;
-			},
-			getCookies: (request: any) => {
-				const cookies = request.cookies || {};
-				if (
-					!cookies["better-auth.session_token"] &&
-					request.headers.authorization?.startsWith("Bearer ")
-				) {
-					cookies["better-auth.session_token"] =
-						request.headers.authorization.substring(7);
-				}
-				return cookies;
-			},
-			setContext: (request: any, key: "user" | "session", value: any) => {
-				if (key === "user" && value) {
-					const u = value as any;
-					request.user = {
-						userId: u.id,
-						storeId: u.activeOrganizationId || u.organizationId || "",
-						role: u.role || "USER",
-						permissions: DEFAULT_ROLE_PERMISSIONS[u.role || "USER"] || [],
-						organizationId: u.organizationId,
-						activeOrganizationId: u.activeOrganizationId,
-						iat: u.iat,
-						exp: u.exp,
-					} satisfies SharedUserContext;
-				} else if (key === "session" && value) {
-					const s = value as any;
-					if (request.user && !request.user.storeId)
-						request.user.storeId =
-							s.activeOrganizationId || request.user.storeId;
-				}
-			},
-			createResponse: (_request: any, body: unknown, status: number) => ({
-				status,
-				body,
-			}),
-		},
-	});
-	return auth;
-}
-
-// Pre-handler that runs authentication; emits response when not authorized
-export const AuthPreHandler = async (
-	request: FastifyRequest,
-	reply: FastifyReply,
-) => {
-	const auth = createFastifyAuthHandler();
-	const result = await auth(request, request, async () => {});
-	if (result) {
-		reply.code(result.status).send(result.body);
-	}
-};
-
-// Fastify plugin for easy registration
-export const fastifyUserAuthPlugin: FastifyPluginAsync = fp(
-	async (fastify: any) => {
-		fastify.addHook("preHandler", AuthPreHandler as any);
-	},
-);
-
-// ---------- Helper utilities ----------
-export function getAuthTokenFromRequest(
-	request: FastifyRequest,
-): string | undefined {
-	const cookies = (request as any).cookies || {};
-	const tokenFromCookie = cookies["better-auth.session_token"] as
-		| string
-		| undefined;
-	if (tokenFromCookie) return tokenFromCookie;
-	const cookieHeader = request.headers.cookie;
-	if (cookieHeader) {
-		const match = cookieHeader.match(/better-auth\.session_token=([^;]+)/);
-		if (match) return match[1];
-	}
-	const authHeader = request.headers.authorization;
-	if (authHeader?.startsWith("Bearer ")) return authHeader.substring(7);
-	return undefined;
-}
-
-export function getAuthHeadersFromRequest(
-	request: FastifyRequest,
-): Record<string, string> {
-	const headers: Record<string, string> = {
-		"Content-Type": "application/json",
-	};
-	const token = getAuthTokenFromRequest(request);
-	if (token) {
-		headers["Cookie"] = `better-auth.session_token=${token}`;
-		headers["Authorization"] = `Bearer ${token}`;
-	}
-	return headers;
-}
-
-export function getUserDataFromRequest(request: FastifyRequest): {
-	userId: string;
-	organizationId?: string;
-	role?: string;
-	permissions?: string[];
-} | null {
-	const user = (request as any).user as SharedUserContext | undefined;
-	if (user) {
-		return {
-			userId: user.userId,
-			organizationId: user.storeId || user.organizationId,
-			role: user.role,
-			permissions: user.permissions,
-		};
-	}
-
-	const userIdFromHeader = request.headers["x-user-id"] as string | undefined;
-	const storeIdFromHeader = request.headers["x-store-id"] as string | undefined;
-	const roleFromHeader = request.headers["x-user-role"] as string | undefined;
-	if (userIdFromHeader) {
-		return {
-			userId: userIdFromHeader,
-			organizationId: storeIdFromHeader,
-			role: roleFromHeader || "USER",
-			permissions: DEFAULT_ROLE_PERMISSIONS[roleFromHeader || "USER"] || [],
-		};
-	}
-	return null;
-}
-
-export function getUserIdFromRequest(request: FastifyRequest): string | null {
-	return getUserDataFromRequest(request)?.userId || null;
-}
-
-export function hasPermission(
-	request: FastifyRequest,
-	permission: string,
-): boolean {
-	const user = (request as any).user as SharedUserContext | undefined;
-	const perms = user?.permissions || [];
-	return perms.includes("*") || perms.includes(permission);
-}
-
-export function hasRole(request: FastifyRequest, role: string): boolean {
-	const user = (request as any).user as SharedUserContext | undefined;
-	return (user?.role || "").toUpperCase() === role.toUpperCase();
-}
-
-export function requirePermission(permission: string) {
-	return async (request: FastifyRequest, reply: FastifyReply) => {
-		if (!hasPermission(request, permission)) {
-			reply.code(403).send({
-				success: false,
-				error: "Insufficient permissions",
-				message: `Required permission: ${permission}`,
-				code: "FORBIDDEN",
-			});
-		}
-	};
-}
-
-export function requireRole(role: string) {
-	return async (request: FastifyRequest, reply: FastifyReply) => {
-		if (!hasRole(request, role)) {
-			reply.code(403).send({
-				success: false,
-				error: "Insufficient role",
-				message: `Required role: ${role}`,
-				code: "FORBIDDEN",
-			});
-		}
-	};
-}
+import { createAuthMiddleware } from "better-middleware";
+import type { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+import fp from "fastify-plugin";
+
+// Standardized user context aligned with existing request augmentation in this package
+export interface SharedUserContext {
+	userId: string;
+	storeId: string;
+	role: string;
+	permissions: string[];
+	organizationId?: string;
+	activeOrganizationId?: string;
+	iat?: number;
+	exp?: number;
+}
+
+// Optional role → permission mapping (used for helpers)
+export const DEFAULT_ROLE_PERMISSIONS: Record<string, string[]> = {
+	SUPER_ADMIN: ["*"],
+	STORE_ADMIN: [
+		"store:read",
+		"store:write",
+		"store:delete",
+		"orders:read",
+		"orders:write",
+		"products:read",
+		"products:write",
+	],
+	STORE_MANAGER: [
+		"store:read",
+		"store:write",
+		"orders:read",
+		"orders:write",
+		"products:read",
+		"products:write",
+	],
+	STORE_EMPLOYEE: ["store:read", "orders:read", "products:read"],
+	USER: ["store:read"],
+};
+
+// Core adapter of better-middleware to Fastify
+function createFastifyAuthHandler() {
+	const auth = createAuthMiddleware<FastifyRequest>({
+		baseURL: process.env.NEXT_PUBLIC_AUTH_URL || "http://localhost:4000",
+		cache: { enabled: true, ttl: 300, max: 1000 },
+		onError: async () => ({
+			status: 401,
+			body: {
+				success: false,
+				error: "Authentication required",
+				code: "UNAUTHORIZED",
+			},
+		}),
+		logger: {
+			info: (m, d) =>
+				process.env.NODE_ENV === "development"
+					? console.log(`[Auth] ${m}`, d)
+					: undefined,
+			error: (m, d) => console.error(`[Auth] ${m}`, d),
+			debug: (m, d) =>
+				process.env.NODE_ENV === "development"
+					? console.debug(`[Auth] ${m}`, d)
+					: undefined,
+		},
+		framework: {
+			getHeaders: (request: any) => {
+				const headers: Record<string, string> = {};
+				Object.entries(request.headers || {}).forEach(([k, v]) => {
+					if (typeof v === "string") headers[k] = v;
+					else if (Array.isArray(v)) headers[k] = v.join(", ");
+				});
+				const hasCookie = (headers["cookie"] || "").includes(
+					"better-auth.session_token=",
+				);
+				const bearer = headers["authorization"]?.startsWith("Bearer ")
+					? headers["authorization"].substring(7)
+					: undefined;
+				if (!hasCookie && bearer) {
+					headers["cookie"] =
+						`${headers["cookie"] ? headers["cookie"] + "; " : ""}better-auth.session_token=${bearer}`;
+				}
+				return headers;
+			},
+			getCookies: (request: any) => {
+				const cookies = request.cookies || {};
+				if (
+					!cookies["better-auth.session_token"] &&
+					request.headers.authorization?.startsWith("Bearer ")
+				) {
+					cookies["better-auth.session_token"] =
+						request.headers.authorization.substring(7);
+				}
+				return cookies;
+			},
+			setContext: (request: any, key: "user" | "session", value: any) => {
+				if (key === "user" && value) {
+					const u = value as any;
+					request.user = {
+						userId: u.id,
+						storeId: u.activeOrganizationId || u.organizationId || "",
+						role: u.role || "USER",
+						permissions: DEFAULT_ROLE_PERMISSIONS[u.role || "USER"] || [],
+						organizationId: u.organizationId,
+						activeOrganizationId: u.activeOrganizationId,
+						iat: u.iat,
+						exp: u.exp,
+					} satisfies SharedUserContext;
+				} else if (key === "session" && value) {
+					const s = value as any;
+					if (request.user && !request.user.storeId)
+						request.user.storeId =
+							s.activeOrganizationId || request.user.storeId;
+				}
+			},
+			createResponse: (_request: any, body: unknown, status: number) => ({
+				status,
+				body,
+			}),
+		},
+	});
+	return auth;
+}
+
+// Pre-handler that runs authentication; emits response when not authorized
+export const AuthPreHandler = async (
+	request: FastifyRequest,
+	reply: FastifyReply,
+) => {
+	const auth = createFastifyAuthHandler();
+	const result = await auth(request, request, async () => {});
+	if (result) {
+		reply.code(result.status).send(result.body);
+	}
+};
+
+// Fastify plugin for easy registration
+export const fastifyUserAuthPlugin: FastifyPluginAsync = fp(
+	async (fastify: any) => {
+		fastify.addHook("preHandler", AuthPreHandler as any);
+	},
+);
+
+// ---------- Helper utilities ----------
+export function getAuthTokenFromRequest(
+	request: FastifyRequest,
+): string | undefined {
+	const cookies = (request as any).cookies || {};
+	const tokenFromCookie = cookies["better-auth.session_token"] as
+		| string
+		| undefined;
+	if (tokenFromCookie) return tokenFromCookie;
+	const cookieHeader = request.headers.cookie;
+	if (cookieHeader) {
+		const match = cookieHeader.match(/better-auth\.session_token=([^;]+)/);
+		if (match) return match[1];
+	}
+	const authHeader = request.headers.authorization;
+	if (authHeader?.startsWith("Bearer ")) return authHeader.substring(7);
+	return undefined;
+}
+
+export function getAuthHeadersFromRequest(
+	request: FastifyRequest,
+): Record<string, string> {
+	const headers: Record<string, string> = {
+		"Content-Type": "application/json",
+	};
+	const token = getAuthTokenFromRequest(request);
+	if (token) {
+		headers["Cookie"] = `better-auth.session_token=${token}`;
+		headers["Authorization"] = `Bearer ${token}`;
+	}
+	return headers;
+}
+
+export function getUserDataFromRequest(request: FastifyRequest): {
+	userId: string;
+	organizationId?: string;
+	role?: string;
+	permissions?: string[];
+} | null {
+	const user = (request as any).user as SharedUserContext | undefined;
+	if (user) {
+		return {
+			userId: user.userId,
+			organizationId: user.storeId || user.organizationId,
+			role: user.role,
+			permissions: user.permissions,
+		};
+	}
+
+	const userIdFromHeader = request.headers["x-user-id"] as string | undefined;
+	const storeIdFromHeader = request.headers["x-store-id"] as string | undefined;
+	const roleFromHeader = request.headers["x-user-role"] as string | undefined;
+	if (userIdFromHeader) {
+		return {
+			userId: userIdFromHeader,
+			organizationId: storeIdFromHeader,
+			role: roleFromHeader || "USER",
+			permissions: DEFAULT_ROLE_PERMISSIONS[roleFromHeader || "USER"] || [],
+		};
+	}
+	return null;
+}
+
+export function getUserIdFromRequest(request: FastifyRequest): string | null {
+	return getUserDataFromRequest(request)?.userId || null;
+}
+
+export function hasPermission(
+	request: FastifyRequest,
+	permission: string,
+): boolean {
+	const user = (request as any).user as SharedUserContext | undefined;
+	const perms = user?.permissions || [];
+	return perms.includes("*") || perms.includes(permission);
+}
+
+export function hasRole(request: FastifyRequest, role: string): boolean {
+	const user = (request as any).user as SharedUserContext | undefined;
+	return (user?.role || "").toUpperCase() === role.toUpperCase();
+}
+
+export function requirePermission(permission: string) {
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		if (!hasPermission(request, permission)) {
+			reply.code(403).send({
+				success: false,
+				error: "Insufficient permissions",
+				message: `Required permission: ${permission}`,
+				code: "FORBIDDEN",
+			});
+		}
+	};
+}
+
+export function requireRole(role: string) {
+	return async (request: FastifyRequest, reply: FastifyReply) => {
+		if (!hasRole(request, role)) {
+			reply.code(403).send({
+				success: false,
+				error: "Insufficient role",
+				message: `Required role: ${role}`,
+				code: "FORBIDDEN",
+			});
+		}
+	};
+}