@classytic/arc 1.1.0 → 2.1.3

package/dist/scope/index.d.mts

@@ -0,0 +1,21 @@
+import { a as AUTHENTICATED_SCOPE, c as getOrgId, d as hasOrgAccess, f as isAuthenticated, i as elevationPlugin, l as getOrgRoles, m as isMember, n as ElevationOptions, o as PUBLIC_SCOPE, p as isElevated, r as _default, s as RequestScope, t as ElevationEvent, u as getTeamId } from "../elevation-DGo5shaX.mjs";
+import { FastifyReply, FastifyRequest } from "fastify";
+
+//#region src/scope/resolveOrgFromHeader.d.ts
+interface ResolveOrgFromHeaderOptions {
+  /** Header name (default: 'x-organization-id') */
+  header?: string;
+  /** Resolve user's membership in the org. Return roles or null if not a member. */
+  resolveMembership: (userId: string, orgId: string) => Promise<{
+    roles: string[];
+  } | null>;
+}
+/**
+ * Create a preHandler hook that resolves org scope from a header.
+ * Must run AFTER authentication so `request.user` is populated.
+ * If the header is present and user is a member, sets `request.scope` to `member`.
+ * If the header is absent, scope stays as-is (typically `authenticated`).
+ */
+declare function resolveOrgFromHeader(options: ResolveOrgFromHeaderOptions): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+//#endregion
+export { AUTHENTICATED_SCOPE, type ElevationEvent, type ElevationOptions, PUBLIC_SCOPE, type RequestScope, type ResolveOrgFromHeaderOptions, _default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/scope/index.mjs

@@ -0,0 +1,65 @@
+import { a as getTeamId, c as isElevated, i as getOrgRoles, l as isMember, n as PUBLIC_SCOPE, o as hasOrgAccess, r as getOrgId, s as isAuthenticated, t as AUTHENTICATED_SCOPE } from "../types-Beqn1Un7.mjs";
+import { n as elevation_default, t as elevationPlugin } from "../elevation-DSTbVvYj.mjs";
+
+//#region src/scope/resolveOrgFromHeader.ts
+/**
+* Create a preHandler hook that resolves org scope from a header.
+* Must run AFTER authentication so `request.user` is populated.
+* If the header is present and user is a member, sets `request.scope` to `member`.
+* If the header is absent, scope stays as-is (typically `authenticated`).
+*/
+function resolveOrgFromHeader(options) {
+	const { header = "x-organization-id", resolveMembership } = options;
+	return async (request, reply) => {
+		const orgId = request.headers[header];
+		if (!orgId) return;
+		const scope = request.scope;
+		if (!scope || scope.kind === "public") {
+			reply.code(401).send({
+				success: false,
+				error: "Unauthorized",
+				message: "Authentication required for organization access",
+				code: "ORG_AUTH_REQUIRED"
+			});
+			return;
+		}
+		if (scope.kind === "elevated") return;
+		const user = request.user;
+		if (!user) {
+			reply.code(401).send({
+				success: false,
+				error: "Unauthorized",
+				message: "Authentication required for organization access",
+				code: "ORG_AUTH_REQUIRED"
+			});
+			return;
+		}
+		const userId = String(user.id ?? user._id ?? "");
+		if (!userId) {
+			reply.code(401).send({
+				success: false,
+				error: "Unauthorized",
+				message: "User identity required for organization access"
+			});
+			return;
+		}
+		const membership = await resolveMembership(userId, orgId);
+		if (!membership) {
+			reply.code(403).send({
+				success: false,
+				error: "Forbidden",
+				message: "Not a member of this organization",
+				code: "ORG_ACCESS_DENIED"
+			});
+			return;
+		}
+		request.scope = {
+			kind: "member",
+			organizationId: orgId,
+			orgRoles: membership.roles
+		};
+	};
+}
+
+//#endregion
+export { AUTHENTICATED_SCOPE, PUBLIC_SCOPE, elevation_default as elevationPlugin, elevationPlugin as elevationPluginFn, getOrgId, getOrgRoles, getTeamId, hasOrgAccess, isAuthenticated, isElevated, isMember, resolveOrgFromHeader };

package/dist/sessionManager-D_iEHjQl.d.mts

@@ -0,0 +1,186 @@
+import { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+
+//#region src/auth/sessionManager.d.ts
+/**
+ * Session data stored in the session store.
+ */
+interface SessionData {
+  /** User ID associated with this session */
+  userId: string;
+  /** Timestamp (ms since epoch) when session was created */
+  createdAt: number;
+  /** Timestamp (ms since epoch) when session was last refreshed */
+  updatedAt: number;
+  /** Timestamp (ms since epoch) when session expires */
+  expiresAt: number;
+  /** Optional metadata attached to the session */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Session store interface.
+ * Implement this for custom storage backends (Redis, database, etc.).
+ */
+interface SessionStore {
+  /** Retrieve a session by ID. Returns null if not found or expired. */
+  get(sessionId: string): Promise<SessionData | null>;
+  /** Create or update a session. */
+  set(sessionId: string, data: SessionData): Promise<void>;
+  /** Delete a single session. */
+  delete(sessionId: string): Promise<void>;
+  /** Delete all sessions for a user. */
+  deleteAll(userId: string): Promise<void>;
+  /** Delete all sessions for a user except the specified one. */
+  deleteAllExcept(userId: string, currentSessionId: string): Promise<void>;
+}
+/**
+ * Cookie configuration options.
+ */
+interface SessionCookieOptions {
+  /** Send cookie only over HTTPS (default: true in production) */
+  secure?: boolean;
+  /** Prevent client-side JavaScript access (default: true) */
+  httpOnly?: boolean;
+  /** SameSite attribute (default: 'lax') */
+  sameSite?: 'strict' | 'lax' | 'none';
+  /** Cookie path (default: '/') */
+  path?: string;
+  /** Cookie domain */
+  domain?: string;
+}
+/**
+ * Options for creating a session manager.
+ */
+interface SessionManagerOptions {
+  /** Session store implementation */
+  store: SessionStore;
+  /** Secret for signing session cookies (min 32 characters) */
+  secret: string;
+  /** Session max age in seconds (default: 604800 = 7 days) */
+  maxAge?: number;
+  /** Minimum interval between session updates in seconds (default: 86400 = 24h) */
+  updateAge?: number;
+  /** Time in seconds after which a session is no longer "fresh" (default: 600 = 10 min) */
+  freshAge?: number;
+  /** Cookie name (default: 'arc.session') */
+  cookieName?: string;
+  /** Cookie options */
+  cookie?: SessionCookieOptions;
+}
+/**
+ * Return type from createSessionManager.
+ */
+interface SessionManagerResult {
+  /** Fastify plugin that adds session middleware */
+  plugin: FastifyPluginAsync;
+  /** PreHandler that rejects requests without a fresh session */
+  requireFresh: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+}
+declare module 'fastify' {
+  interface FastifyInstance {
+    /** Authenticate middleware — validates session and sets request.user */
+    authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    /** Session management helpers */
+    sessionManager: {
+      /** Create a new session for a user */createSession: (userId: string, metadata?: Record<string, unknown>) => Promise<{
+        sessionId: string;
+        cookie: string;
+      }>; /** Revoke a specific session */
+      revokeSession: (sessionId: string) => Promise<void>; /** Revoke all sessions for a user */
+      revokeAllSessions: (userId: string) => Promise<void>; /** Revoke all sessions except the current one */
+      revokeOtherSessions: (userId: string, currentSessionId: string) => Promise<void>; /** Refresh a session (reset updatedAt, extend expiry if needed) */
+      refreshSession: (sessionId: string) => Promise<SessionData | null>;
+    };
+  }
+  interface FastifyRequest {
+    /** Current session data (set by session plugin) */
+    session?: SessionData & {
+      id: string;
+    };
+  }
+}
+interface MemorySessionStoreOptions {
+  /** Cleanup interval in milliseconds (default: 60000 = 1 min) */
+  cleanupIntervalMs?: number;
+}
+/**
+ * In-memory session store for development and single-instance deployments.
+ * NOT suitable for multi-instance/clustered deployments — use Redis or similar.
+ */
+declare class MemorySessionStore implements SessionStore {
+  private sessions;
+  /** Reverse index: userId -> Set<sessionId> for efficient bulk operations */
+  private userIndex;
+  private cleanupInterval;
+  constructor(options?: MemorySessionStoreOptions);
+  get(sessionId: string): Promise<SessionData | null>;
+  set(sessionId: string, data: SessionData): Promise<void>;
+  delete(sessionId: string): Promise<void>;
+  deleteAll(userId: string): Promise<void>;
+  deleteAllExcept(userId: string, currentSessionId: string): Promise<void>;
+  /**
+   * Close the store and clean up resources.
+   */
+  close(): void;
+  /**
+   * Get current stats (for debugging/monitoring).
+   */
+  getStats(): {
+    sessions: number;
+    users: number;
+  };
+  /**
+   * Remove expired sessions.
+   */
+  private cleanup;
+}
+/**
+ * Create a session manager for Arc.
+ *
+ * Returns a Fastify plugin and a `requireFresh` preHandler.
+ *
+ * The plugin:
+ * - Parses session cookie on each request
+ * - Validates session against the store
+ * - Sets `request.user` and `request.session` from session data
+ * - Refreshes session token if older than `updateAge`
+ * - Provides `fastify.authenticate` decorator
+ * - Provides `fastify.sessionManager` decorator for session CRUD
+ *
+ * @example
+ * ```typescript
+ * import { createSessionManager, MemorySessionStore } from '@classytic/arc/auth';
+ *
+ * const sessions = createSessionManager({
+ *   store: new MemorySessionStore(),
+ *   secret: process.env.SESSION_SECRET!,
+ *   maxAge: 7 * 24 * 60 * 60,
+ *   updateAge: 24 * 60 * 60,
+ *   freshAge: 10 * 60,
+ * });
+ *
+ * await fastify.register(sessions.plugin);
+ *
+ * // Login route
+ * fastify.post('/login', async (request, reply) => {
+ *   const user = await authenticateUser(request.body);
+ *   const { cookie } = await fastify.sessionManager.createSession(user.id);
+ *   reply.header('Set-Cookie', cookie);
+ *   return { success: true, user };
+ * });
+ *
+ * // Protected route
+ * fastify.get('/me', {
+ *   preHandler: [fastify.authenticate],
+ * }, async (request) => {
+ *   return { user: request.user };
+ * });
+ *
+ * // Sensitive route (requires fresh session)
+ * fastify.post('/change-password', {
+ *   preHandler: [fastify.authenticate, sessions.requireFresh],
+ * }, handler);
+ * ```
+ */
+declare function createSessionManager(options: SessionManagerOptions): SessionManagerResult;
+//#endregion
+export { SessionManagerOptions as a, createSessionManager as c, SessionData as i, MemorySessionStoreOptions as n, SessionManagerResult as o, SessionCookieOptions as r, SessionStore as s, MemorySessionStore as t };

package/dist/sse-DkqQ1uxb.mjs

@@ -0,0 +1,123 @@
+import { t as __exportAll } from "./chunk-C7Uep-_p.mjs";
+import { n as PUBLIC_SCOPE, r as getOrgId } from "./types-Beqn1Un7.mjs";
+import { t as arcLog } from "./logger-ByrvQWZO.mjs";
+import fp from "fastify-plugin";
+
+//#region src/plugins/sse.ts
+/**
+* SSE Plugin (Server-Sent Events)
+*
+* Streams domain events to clients over HTTP using Server-Sent Events.
+* Requires the events plugin (`arc-events`) to be registered first.
+*
+* @example
+* import { ssePlugin } from '@classytic/arc/plugins';
+*
+* // Basic — stream all events at /events/stream
+* await fastify.register(ssePlugin);
+*
+* // Filtered + org-scoped
+* await fastify.register(ssePlugin, {
+*   path: '/api/events',
+*   patterns: ['order.*', 'product.*'],
+*   orgScoped: true,
+* });
+*/
+var sse_exports = /* @__PURE__ */ __exportAll({
+	default: () => sse_default,
+	ssePlugin: () => ssePlugin
+});
+const log = arcLog("sse");
+const ssePlugin = async (fastify, opts = {}) => {
+	const { path = "/events/stream", requireAuth = true, patterns = ["*"], heartbeat = 3e4, orgScoped = false, filter: customFilter } = opts;
+	if (!fastify.hasDecorator("events")) {
+		log.warn("Events plugin (arc-events) not registered. SSE plugin will not function. Register eventPlugin before ssePlugin.");
+		return;
+	}
+	const activeConnections = /* @__PURE__ */ new Set();
+	const routeOpts = {
+		method: "GET",
+		url: path,
+		schema: {
+			tags: ["Events"],
+			summary: "SSE event stream",
+			description: "Server-Sent Events stream for real-time domain events",
+			response: { 200: {
+				type: "string",
+				description: "text/event-stream"
+			} }
+		},
+		handler: async (request, reply) => {
+			reply.hijack();
+			reply.raw.writeHead(200, {
+				"content-type": "text/event-stream",
+				"cache-control": "no-cache",
+				connection: "keep-alive",
+				"x-accel-buffering": "no"
+			});
+			reply.raw.flushHeaders();
+			const unsubscribers = [];
+			const requestOrgId = getOrgId(request.scope ?? PUBLIC_SCOPE);
+			const dropOrgEvents = orgScoped && !requestOrgId;
+			for (const pattern of patterns) {
+				const unsub = await fastify.events.subscribe(pattern, async (event) => {
+					if (orgScoped) {
+						const eventOrgId = event.meta?.organizationId;
+						if (dropOrgEvents && eventOrgId) return;
+						if (requestOrgId && eventOrgId && eventOrgId !== requestOrgId) return;
+					}
+					if (customFilter && !customFilter(event, request)) return;
+					const data = JSON.stringify({
+						type: event.type,
+						payload: event.payload,
+						meta: {
+							id: event.meta.id,
+							timestamp: event.meta.timestamp
+						}
+					});
+					if (!reply.raw.write(`event: ${event.type}\ndata: ${data}\n\n`)) {
+						request.raw.destroy(/* @__PURE__ */ new Error("SSE connection terminated: slow client backpressure"));
+						cleanup();
+					}
+				});
+				unsubscribers.push(unsub);
+			}
+			const heartbeatTimer = setInterval(() => {
+				if (!reply.raw.write(": heartbeat\n\n")) {
+					request.raw.destroy(/* @__PURE__ */ new Error("SSE connection terminated: heartbeat backpressure"));
+					cleanup();
+				}
+			}, heartbeat);
+			const cleanup = () => {
+				clearInterval(heartbeatTimer);
+				for (const unsub of unsubscribers) unsub();
+				if (!reply.raw.writableEnded) reply.raw.end();
+				activeConnections.delete(cleanup);
+			};
+			activeConnections.add(cleanup);
+			request.raw.on("close", cleanup);
+		}
+	};
+	if (requireAuth) {
+		if (!fastify.hasDecorator("authenticate")) throw new Error("[arc-sse] requireAuth is true but fastify.authenticate is not registered. Register an auth plugin before SSE, or set requireAuth: false.");
+		routeOpts.preHandler = fastify.authenticate;
+	}
+	fastify.route(routeOpts);
+	fastify.addHook("onClose", async () => {
+		for (const cleanup of activeConnections) cleanup();
+		activeConnections.clear();
+	});
+	log.debug("Plugin registered", {
+		path,
+		patterns,
+		orgScoped
+	});
+};
+var sse_default = fp(ssePlugin, {
+	name: "arc-sse",
+	fastify: "5.x",
+	dependencies: ["arc-events"]
+});
+
+//#endregion
+export { sse_default as n, sse_exports as r, ssePlugin as t };