@culturefy/shared 1.0.39 → 1.0.40

package/build/cjs/constants/app.js

@@ -0,0 +1,45 @@
+"use strict";
+
+exports.__esModule = true;
+exports.APP_MAP = void 0;
+const APP_MAP = exports.APP_MAP = {
+  '3238hxa2': {
+    appId: "3238hxa2",
+    name: "superadmin",
+    clientId: "cfy-superadmin-web",
+    domains: {
+      local: ["localhost:5173", "127.0.0.1:5173"],
+      dev: ["accounts.dev.culturefy.app"],
+      staging: ["accounts.staging.culturefy.app"],
+      prod: ["accounts.culturefy.app"]
+    },
+    auth: {
+      realm: "superadmin",
+      clientId: "cfy-superadmin-web"
+    },
+    exclude: {
+      prod: [] // e.g. add "app.culturefy.app" to prevent misrouting
+    },
+    cookie: {
+      prefix: "__Secure-auth",
+      domain: {
+        local: null,
+        // host-bound in local
+        dev: ".culturefy.dev",
+        // adjust to your dev root
+        staging: ".culturefy.staging",
+        // adjust to your staging root
+        prod: ".culturefy.app"
+      },
+      path: "/",
+      sameSite: "None",
+      secure: true,
+      httpOnly: true,
+      maxAgeSec: {
+        sid: 15 * 60,
+        rt: 30 * 24 * 60 * 60
+      } // 15m / 30d
+    }
+  }
+};
+//# sourceMappingURL=app.js.map

package/build/cjs/constants/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","names":["APP_MAP","exports","appId","name","clientId","domains","local","dev","staging","prod","auth","realm","exclude","cookie","prefix","domain","path","sameSite","secure","httpOnly","maxAgeSec","sid","rt"],"sources":["../../../src/constants/app.ts"],"sourcesContent":["import { IAppId, IDomainMappings } from \"../types/app\";\n\nexport const APP_MAP: Record<IAppId, IDomainMappings> = {\n  '3238hxa2': {\n      appId: \"3238hxa2\",\n      name: \"superadmin\",\n      clientId: \"cfy-superadmin-web\",\n      domains: {\n          local: [\"localhost:5173\", \"127.0.0.1:5173\"],\n          dev: [\"accounts.dev.culturefy.app\"],\n          staging: [\"accounts.staging.culturefy.app\"],\n          prod: [\"accounts.culturefy.app\"]\n      },\n\n      auth: {\n          realm: \"superadmin\",\n          clientId: \"cfy-superadmin-web\",\n      },\n\n      exclude: {\n          prod: [] // e.g. add \"app.culturefy.app\" to prevent misrouting\n      },\n      cookie: {\n          prefix: \"__Secure-auth\",\n          domain: {\n              local: null, // host-bound in local\n              dev: \".culturefy.dev\", // adjust to your dev root\n              staging: \".culturefy.staging\", // adjust to your staging root\n              prod: \".culturefy.app\"\n          },\n          path: \"/\",\n          sameSite: \"None\",\n          secure: true,\n          httpOnly: true,\n          maxAgeSec: { sid: 15 * 60, rt: 30 * 24 * 60 * 60 } // 15m / 30d\n      }\n\n  },\n\n};\n"],"mappings":";;;;AAEO,MAAMA,OAAwC,GAAAC,OAAA,CAAAD,OAAA,GAAG;EACtD,UAAU,EAAE;IACRE,KAAK,EAAE,UAAU;IACjBC,IAAI,EAAE,YAAY;IAClBC,QAAQ,EAAE,oBAAoB;IAC9BC,OAAO,EAAE;MACLC,KAAK,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;MAC3CC,GAAG,EAAE,CAAC,4BAA4B,CAAC;MACnCC,OAAO,EAAE,CAAC,gCAAgC,CAAC;MAC3CC,IAAI,EAAE,CAAC,wBAAwB;IACnC,CAAC;IAEDC,IAAI,EAAE;MACFC,KAAK,EAAE,YAAY;MACnBP,QAAQ,EAAE;IACd,CAAC;IAEDQ,OAAO,EAAE;MACLH,IAAI,EAAE,EAAE,CAAC;IACb,CAAC;IACDI,MAAM,EAAE;MACJC,MAAM,EAAE,eAAe;MACvBC,MAAM,EAAE;QACJT,KAAK,EAAE,IAAI;QAAE;QACbC,GAAG,EAAE,gBAAgB;QAAE;QACvBC,OAAO,EAAE,oBAAoB;QAAE;QAC/BC,IAAI,EAAE;MACV,CAAC;MACDO,IAAI,EAAE,GAAG;MACTC,QAAQ,EAAE,MAAM;MAChBC,MAAM,EAAE,IAAI;MACZC,QAAQ,EAAE,IAAI;MACdC,SAAS,EAAE;QAAEC,GAAG,EAAE,EAAE,GAAG,EAAE;QAAEC,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;MAAG,CAAC,CAAC;IACvD;EAEJ;AAEF,CAAC","ignoreList":[]}

package/build/cjs/constants/index.js

@@ -0,0 +1,10 @@
+"use strict";
+
+exports.__esModule = true;
+var _app = require("./app");
+Object.keys(_app).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _app[key]) return;
+  exports[key] = _app[key];
+});
+//# sourceMappingURL=index.js.map

package/build/cjs/constants/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":["_app","require","Object","keys","forEach","key","exports"],"sources":["../../../src/constants/index.ts"],"sourcesContent":["export * from './app';"],"mappings":";;;AAAA,IAAAA,IAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,IAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,IAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,IAAA,CAAAK,GAAA;AAAA","ignoreList":[]}

package/build/cjs/index.js

@@ -25,4 +25,10 @@ Object.keys(_middlewares).forEach(function (key) {
   if (key in exports && exports[key] === _middlewares[key]) return;
   exports[key] = _middlewares[key];
 });
+var _constants = require("./constants");
+Object.keys(_constants).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _constants[key]) return;
+  exports[key] = _constants[key];
+});
 //# sourceMappingURL=index.js.map

package/build/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["_types","require","Object","keys","forEach","key","exports","_enums","_utils","_middlewares"],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';\nexport * from './middlewares';"],"mappings":";;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,MAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,MAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,MAAA,CAAAK,GAAA;AAAA;AACA,IAAAE,MAAA,GAAAN,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAI,MAAA,EAAAH,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAE,MAAA,CAAAF,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAE,MAAA,CAAAF,GAAA;AAAA;AACA,IAAAG,MAAA,GAAAP,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAK,MAAA,EAAAJ,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAG,MAAA,CAAAH,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAG,MAAA,CAAAH,GAAA;AAAA;AACA,IAAAI,YAAA,GAAAR,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAM,YAAA,EAAAL,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAI,YAAA,CAAAJ,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAI,YAAA,CAAAJ,GAAA;AAAA","ignoreList":[]}
+{"version":3,"file":"index.js","names":["_types","require","Object","keys","forEach","key","exports","_enums","_utils","_middlewares","_constants"],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';\nexport * from './middlewares';\nexport * from './constants';\n"],"mappings":";;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,MAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,MAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,MAAA,CAAAK,GAAA;AAAA;AACA,IAAAE,MAAA,GAAAN,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAI,MAAA,EAAAH,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAE,MAAA,CAAAF,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAE,MAAA,CAAAF,GAAA;AAAA;AACA,IAAAG,MAAA,GAAAP,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAK,MAAA,EAAAJ,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAG,MAAA,CAAAH,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAG,MAAA,CAAAH,GAAA;AAAA;AACA,IAAAI,YAAA,GAAAR,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAM,YAAA,EAAAL,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAI,YAAA,CAAAJ,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAI,YAAA,CAAAJ,GAAA;AAAA;AACA,IAAAK,UAAA,GAAAT,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAO,UAAA,EAAAN,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAK,UAAA,CAAAL,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAK,UAAA,CAAAL,GAAA;AAAA","ignoreList":[]}

package/build/cjs/middlewares/verify-middleware.js

@@ -0,0 +1,202 @@
+"use strict";
+
+exports.__esModule = true;
+exports.verifyMw = void 0;
+var _utils = require("../utils");
+var _constants = require("../constants");
+var _jwtDecode = require("jwt-decode");
+var _cookies = require("../utils/cookies");
+const apiURL = process.env.REFRESH_SESSION_URL || '';
+const parseCookieHeader = header => {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const [k, ...rest] = part.trim().split("=");
+    if (!k) continue;
+    out[k] = decodeURIComponent(rest.join("=") || "");
+  }
+  return out;
+};
+const verifyMw = async (req, ctx, next) => {
+  var _APP_MAP$appId, _p, _ref, _ref$state, _p$cfy_tid, _p$sub, _ref2, _p$cfy_bid, _ref3, _p$email, _p$name, _ref4, _p$resource_access$ex, _p$resource_access, _p$realm_access;
+  const appId = req.headers.get("app-id");
+  if (!appId || !(_constants.APP_MAP != null && (_APP_MAP$appId = _constants.APP_MAP[appId]) != null && _APP_MAP$appId.clientId)) {
+    return (0, _utils.sendResponse)(400, {
+      status: "bad_request",
+      reason: "invalid_app"
+    });
+  }
+  const expectedClientId = _constants.APP_MAP[appId].clientId;
+
+  // cookies
+  const cookies = parseCookieHeader(req.headers.get("cookie"));
+  const at = cookies[`__Secure-session-v1.${appId}.at`];
+  const rt = cookies[`__Secure-session-v1.${appId}.rt`];
+  if (!at && !rt) {
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "no_tokens"
+    });
+  }
+
+  // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)
+  let p;
+  try {
+    p = (0, _jwtDecode.jwtDecode)(at);
+  } catch {
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "invalid_token"
+    });
+  }
+  if (!((_p = p) != null && _p.sid)) {
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "user_not_found"
+    });
+  }
+  const now = Math.floor(Date.now() / 1000);
+  // if (typeof p.exp === "number" && p.exp <= now) {
+  if (typeof p.exp === "number" && p.exp >= now) {
+    // Delegate to refresh helper; it will handle setting cookies/state or returning an error
+    return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);
+  }
+
+  // audience checks
+  const audOk = Array.isArray(p.aud) && p.aud.includes(expectedClientId) || typeof p.aud === "string" && (p.aud === expectedClientId || p.aud === "account") || p.azp === expectedClientId;
+  if (!audOk) {
+    return (0, _utils.sendResponse)(403, {
+      status: "forbidden",
+      reason: "audience_mismatch"
+    });
+  }
+  (0, _cookies.setCookieKV)(ctx, 'ew', 'rre');
+
+  // pass data downstream
+  (_ref$state = (_ref = ctx).state) != null ? _ref$state : _ref.state = {};
+  const tenantId = (_p$cfy_tid = p.cfy_tid) != null ? _p$cfy_tid : p.iss ? new URL(p.iss).pathname.split("/").pop() : null;
+  ctx.state.auth = {
+    appId,
+    userId: (_p$sub = p.sub) != null ? _p$sub : null,
+    businessId: (_ref2 = (_p$cfy_bid = p.cfy_bid) != null ? _p$cfy_bid : tenantId) != null ? _ref2 : null,
+    tenantId,
+    email: (_ref3 = (_p$email = p.email) != null ? _p$email : p.preferred_username) != null ? _ref3 : null,
+    name: (_p$name = p.name) != null ? _p$name : undefined,
+    roles: (_ref4 = (_p$resource_access$ex = (_p$resource_access = p.resource_access) == null || (_p$resource_access = _p$resource_access[expectedClientId]) == null ? void 0 : _p$resource_access.roles) != null ? _p$resource_access$ex : (_p$realm_access = p.realm_access) == null ? void 0 : _p$realm_access.roles) != null ? _ref4 : [],
+    exp: p.exp
+  };
+  return next();
+};
+exports.verifyMw = verifyMw;
+async function getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next) {
+  var _APP_MAP$appId$auth;
+  // Attempt server-side refresh using RT
+  if (!rt) {
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "expired_no_rt"
+    });
+  }
+
+  // Resolve realm for refresh
+  let realmId = (_APP_MAP$appId$auth = _constants.APP_MAP[appId].auth) == null ? void 0 : _APP_MAP$appId$auth.realm;
+  if (!realmId) {
+    try {
+      const issRealm = p != null && p.iss ? new URL(p.iss).pathname.split("/").pop() : undefined;
+      realmId = (p == null ? void 0 : p.cfy_tid) || issRealm || undefined;
+    } catch {
+      realmId = undefined;
+    }
+  }
+  if (!realmId) {
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "cannot_resolve_realm"
+    });
+  }
+  ctx.info("refreshing token payload ----------------------", {
+    realmId,
+    expectedClientId,
+    rt
+  });
+
+  // Call auth service to refresh
+  try {
+    var _ref5, _ref5$state, _p2$cfy_tid, _p2$sub, _ref6, _p2$cfy_bid, _ref7, _p2$email, _p2$name, _ref8, _p2$resource_access$e, _p2$resource_access, _p2$realm_access;
+    const resp = await fetch(apiURL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        realmId,
+        clientId: expectedClientId,
+        refresh_token: rt
+      })
+    });
+    if (!resp.ok) {
+      const text = await resp.text();
+      ctx.warn == null || ctx.warn(`refresh call failed: ${resp.status} ${text}`);
+      return (0, _utils.sendResponse)(401, {
+        status: "unauthenticated",
+        reason: "refresh_failed"
+      });
+    }
+    const payload = await resp.json();
+    const data = (payload == null ? void 0 : payload.data) || {};
+    const newAT = data.access_token;
+    const newRT = data.refresh_token;
+    if (!newAT || !newRT) {
+      return (0, _utils.sendResponse)(401, {
+        status: "unauthenticated",
+        reason: "invalid_refresh_response"
+      });
+    }
+
+    // Set refreshed cookies for client session
+    (0, _cookies.setCookieKV)(ctx, `__Secure-session-v1.${appId}.at`, newAT);
+    (0, _cookies.setCookieKV)(ctx, `__Secure-session-v1.${appId}.rt`, newRT);
+
+    // Decode new AT and proceed
+    let p2;
+    try {
+      p2 = (0, _jwtDecode.jwtDecode)(newAT);
+    } catch {
+      return (0, _utils.sendResponse)(401, {
+        status: "unauthenticated",
+        reason: "invalid_new_token"
+      });
+    }
+    const audOk2 = Array.isArray(p2.aud) && p2.aud.includes(expectedClientId) || typeof p2.aud === "string" && (p2.aud === expectedClientId || p2.aud === "account") || p2.azp === expectedClientId;
+    if (!audOk2) {
+      return (0, _utils.sendResponse)(403, {
+        status: "forbidden",
+        reason: "audience_mismatch"
+      });
+    }
+
+    // Update downstream auth state with refreshed token
+    (_ref5$state = (_ref5 = ctx).state) != null ? _ref5$state : _ref5.state = {};
+    const tenantId2 = (_p2$cfy_tid = p2.cfy_tid) != null ? _p2$cfy_tid : p2.iss ? new URL(p2.iss).pathname.split("/").pop() : null;
+    ctx.state.auth = {
+      appId,
+      userId: (_p2$sub = p2.sub) != null ? _p2$sub : null,
+      businessId: (_ref6 = (_p2$cfy_bid = p2.cfy_bid) != null ? _p2$cfy_bid : tenantId2) != null ? _ref6 : null,
+      tenantId: tenantId2,
+      email: (_ref7 = (_p2$email = p2.email) != null ? _p2$email : p2.preferred_username) != null ? _ref7 : null,
+      name: (_p2$name = p2.name) != null ? _p2$name : undefined,
+      roles: (_ref8 = (_p2$resource_access$e = (_p2$resource_access = p2.resource_access) == null || (_p2$resource_access = _p2$resource_access[expectedClientId]) == null ? void 0 : _p2$resource_access.roles) != null ? _p2$resource_access$e : (_p2$realm_access = p2.realm_access) == null ? void 0 : _p2$realm_access.roles) != null ? _ref8 : [],
+      exp: p2.exp
+    };
+
+    // Continue pipeline after refresh
+    return next();
+  } catch (e) {
+    ctx.error == null || ctx.error("refresh exception", e);
+    return (0, _utils.sendResponse)(401, {
+      status: "unauthenticated",
+      reason: "refresh_exception"
+    });
+  }
+}
+//# sourceMappingURL=verify-middleware.js.map

package/build/cjs/middlewares/verify-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-middleware.js","names":["_utils","require","_constants","_jwtDecode","_cookies","apiURL","process","env","REFRESH_SESSION_URL","parseCookieHeader","header","out","part","split","k","rest","trim","decodeURIComponent","join","verifyMw","req","ctx","next","_APP_MAP$appId","_p","_ref","_ref$state","_p$cfy_tid","_p$sub","_ref2","_p$cfy_bid","_ref3","_p$email","_p$name","_ref4","_p$resource_access$ex","_p$resource_access","_p$realm_access","appId","headers","get","APP_MAP","clientId","sendResponse","status","reason","expectedClientId","cookies","at","rt","p","jwtDecode","sid","now","Math","floor","Date","exp","getNewRefreshToken","audOk","Array","isArray","aud","includes","azp","setCookieKV","state","tenantId","cfy_tid","iss","URL","pathname","pop","auth","userId","sub","businessId","cfy_bid","email","preferred_username","name","undefined","roles","resource_access","realm_access","exports","_APP_MAP$appId$auth","realmId","realm","issRealm","info","_ref5","_ref5$state","_p2$cfy_tid","_p2$sub","_ref6","_p2$cfy_bid","_ref7","_p2$email","_p2$name","_ref8","_p2$resource_access$e","_p2$resource_access","_p2$realm_access","resp","fetch","method","body","JSON","stringify","refresh_token","ok","text","warn","payload","json","data","newAT","access_token","newRT","p2","audOk2","tenantId2","e","error"],"sources":["../../../src/middlewares/verify-middleware.ts"],"sourcesContent":["import { HttpResponseInit } from \"@azure/functions\";\nimport { HttpRequest } from \"@azure/functions\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { sendResponse } from \"../utils\";\nimport { IMiddleware } from \"../types/middleware\";\nimport { IAppId } from \"../types/app\";\nimport { APP_MAP } from \"../constants\";\nimport { jwtDecode } from \"jwt-decode\";\nimport { setCookieKV } from \"../utils/cookies\";\n\nconst apiURL = process.env.REFRESH_SESSION_URL || ''\n\nconst parseCookieHeader = (header: string | null | undefined) => {\n  const out: Record<string, string> = {};\n  if (!header) return out;\n  for (const part of header.split(\";\")) {\n    const [k, ...rest] = part.trim().split(\"=\");\n    if (!k) continue;\n    out[k] = decodeURIComponent(rest.join(\"=\") || \"\");\n  }\n  return out;\n};\n\nexport const verifyMw: IMiddleware = async (\n  req: HttpRequest,\n  ctx: InvocationContext,\n  next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> => {\n  const appId = req.headers.get(\"app-id\") as IAppId | undefined;\n\n  if (!appId || !APP_MAP?.[appId]?.clientId) {\n    return sendResponse(400, { status: \"bad_request\", reason: \"invalid_app\" });\n  }\n  \n  const expectedClientId = APP_MAP[appId].clientId;\n\n  // cookies\n  const cookies = parseCookieHeader(req.headers.get(\"cookie\"));\n  const at = cookies[`__Secure-session-v1.${appId}.at`];\n  const rt = cookies[`__Secure-session-v1.${appId}.rt`];\n\n  if (!at && !rt) {\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"no_tokens\" });\n  }\n\n  // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)\n  let p: any;\n  try {\n    p = jwtDecode(at);\n  } catch {\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_token\" });\n  }\n\n  if (!p?.sid) {\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"user_not_found\" });\n  }\n\n  const now = Math.floor(Date.now() / 1000);\n  // if (typeof p.exp === \"number\" && p.exp <= now) {\n  if (typeof p.exp === \"number\" && p.exp >= now) {\n    // Delegate to refresh helper; it will handle setting cookies/state or returning an error\n    return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);\n  }\n\n  // audience checks\n  const audOk =\n    (Array.isArray(p.aud) && p.aud.includes(expectedClientId)) ||\n    (typeof p.aud === \"string\" && (p.aud === expectedClientId || p.aud === \"account\")) ||\n    p.azp === expectedClientId;\n\n  if (!audOk) {\n    return sendResponse(403, { status: \"forbidden\", reason: \"audience_mismatch\" });\n  }\n\n\n  setCookieKV(ctx, 'ew','rre');\n\n  // pass data downstream\n  (ctx as any).state ??= {};\n  const tenantId = p.cfy_tid ?? (p.iss ? new URL(p.iss).pathname.split(\"/\").pop() : null);\n\n  (ctx as any).state.auth = {\n    appId,\n    userId: p.sub ?? null,\n    businessId: p.cfy_bid ?? tenantId ?? null,\n    tenantId,\n    email: p.email ?? p.preferred_username ?? null,\n    name: p.name ?? undefined,\n    roles: p.resource_access?.[expectedClientId]?.roles ?? p.realm_access?.roles ?? [],\n    exp: p.exp,\n  };\n\n  return next();\n};\n\n\n\nasync function getNewRefreshToken(\n  req: HttpRequest,\n  ctx: InvocationContext,\n  appId: IAppId,\n  expectedClientId: string,\n  rt: string | undefined,\n  p: any,\n  next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> {\n  // Attempt server-side refresh using RT\n  if (!rt) {\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"expired_no_rt\" });\n  }\n\n  // Resolve realm for refresh\n  let realmId: string | undefined = APP_MAP[appId].auth?.realm;\n  if (!realmId) {\n    try {\n      const issRealm = p?.iss ? new URL(p.iss).pathname.split(\"/\").pop() : undefined;\n      realmId = (p as any)?.cfy_tid || issRealm || undefined;\n    } catch {\n      realmId = undefined;\n    }\n  }\n\n  if (!realmId) {\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"cannot_resolve_realm\" });\n  }\n\n  ctx.info(\"refreshing token payload ----------------------\", {\n    realmId,\n    expectedClientId,\n    rt\n  });\n\n\n  // Call auth service to refresh\n  try {\n    const resp = await fetch(apiURL, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      body: JSON.stringify({ \n        realmId, \n        clientId: expectedClientId, \n        refresh_token: rt\n      })\n    });\n\n    if (!resp.ok) {\n      const text = await resp.text();\n      ctx.warn?.(`refresh call failed: ${resp.status} ${text}`);\n      return sendResponse(401, { status: \"unauthenticated\", reason: \"refresh_failed\" });\n    }\n\n\n    const payload = await resp.json();\n    const data = payload?.data || {};\n    const newAT = data.access_token as string | undefined;\n    const newRT = data.refresh_token as string | undefined;\n    if (!newAT || !newRT) {\n      return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_refresh_response\" });\n    }\n\n    // Set refreshed cookies for client session\n    setCookieKV(ctx, `__Secure-session-v1.${appId}.at`, newAT);\n    setCookieKV(ctx, `__Secure-session-v1.${appId}.rt`, newRT);\n\n    // Decode new AT and proceed\n    let p2: any;\n    try { p2 = jwtDecode(newAT); } catch { return sendResponse(401, { status: \"unauthenticated\", reason: \"invalid_new_token\" }); }\n\n    const audOk2 =\n      (Array.isArray(p2.aud) && p2.aud.includes(expectedClientId)) ||\n      (typeof p2.aud === \"string\" && (p2.aud === expectedClientId || p2.aud === \"account\")) ||\n      p2.azp === expectedClientId;\n    if (!audOk2) {\n      return sendResponse(403, { status: \"forbidden\", reason: \"audience_mismatch\" });\n    }\n\n    // Update downstream auth state with refreshed token\n    (ctx as any).state ??= {};\n    const tenantId2 = p2.cfy_tid ?? (p2.iss ? new URL(p2.iss).pathname.split(\"/\").pop() : null);\n    (ctx as any).state.auth = {\n      appId,\n      userId: p2.sub ?? null,\n      businessId: p2.cfy_bid ?? tenantId2 ?? null,\n      tenantId: tenantId2,\n      email: p2.email ?? p2.preferred_username ?? null,\n      name: p2.name ?? undefined,\n      roles: p2.resource_access?.[expectedClientId]?.roles ?? p2.realm_access?.roles ?? [],\n      exp: p2.exp,\n    };\n\n    // Continue pipeline after refresh\n    return next();\n  } catch (e) {\n    ctx.error?.(\"refresh exception\", e as any);\n    return sendResponse(401, { status: \"unauthenticated\", reason: \"refresh_exception\" });\n  }\n}"],"mappings":";;;;AAGA,IAAAA,MAAA,GAAAC,OAAA;AAGA,IAAAC,UAAA,GAAAD,OAAA;AACA,IAAAE,UAAA,GAAAF,OAAA;AACA,IAAAG,QAAA,GAAAH,OAAA;AAEA,MAAMI,MAAM,GAAGC,OAAO,CAACC,GAAG,CAACC,mBAAmB,IAAI,EAAE;AAEpD,MAAMC,iBAAiB,GAAIC,MAAiC,IAAK;EAC/D,MAAMC,GAA2B,GAAG,CAAC,CAAC;EACtC,IAAI,CAACD,MAAM,EAAE,OAAOC,GAAG;EACvB,KAAK,MAAMC,IAAI,IAAIF,MAAM,CAACG,KAAK,CAAC,GAAG,CAAC,EAAE;IACpC,MAAM,CAACC,CAAC,EAAE,GAAGC,IAAI,CAAC,GAAGH,IAAI,CAACI,IAAI,CAAC,CAAC,CAACH,KAAK,CAAC,GAAG,CAAC;IAC3C,IAAI,CAACC,CAAC,EAAE;IACRH,GAAG,CAACG,CAAC,CAAC,GAAGG,kBAAkB,CAACF,IAAI,CAACG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;EACnD;EACA,OAAOP,GAAG;AACZ,CAAC;AAEM,MAAMQ,QAAqB,GAAG,MAAAA,CACnCC,GAAgB,EAChBC,GAAsB,EACtBC,IAAqC,KACP;EAAA,IAAAC,cAAA,EAAAC,EAAA,EAAAC,IAAA,EAAAC,UAAA,EAAAC,UAAA,EAAAC,MAAA,EAAAC,KAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,QAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,kBAAA,EAAAC,eAAA;EAC9B,MAAMC,KAAK,GAAGlB,GAAG,CAACmB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAuB;EAE7D,IAAI,CAACF,KAAK,IAAI,EAACG,kBAAO,aAAAlB,cAAA,GAAPkB,kBAAO,CAAGH,KAAK,CAAC,aAAhBf,cAAA,CAAkBmB,QAAQ,GAAE;IACzC,OAAO,IAAAC,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,aAAa;MAAEC,MAAM,EAAE;IAAc,CAAC,CAAC;EAC5E;EAEA,MAAMC,gBAAgB,GAAGL,kBAAO,CAACH,KAAK,CAAC,CAACI,QAAQ;;EAEhD;EACA,MAAMK,OAAO,GAAGtC,iBAAiB,CAACW,GAAG,CAACmB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,CAAC;EAC5D,MAAMQ,EAAE,GAAGD,OAAO,CAAC,uBAAuBT,KAAK,KAAK,CAAC;EACrD,MAAMW,EAAE,GAAGF,OAAO,CAAC,uBAAuBT,KAAK,KAAK,CAAC;EAErD,IAAI,CAACU,EAAE,IAAI,CAACC,EAAE,EAAE;IACd,OAAO,IAAAN,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAY,CAAC,CAAC;EAC9E;;EAEA;EACA,IAAIK,CAAM;EACV,IAAI;IACFA,CAAC,GAAG,IAAAC,oBAAS,EAACH,EAAE,CAAC;EACnB,CAAC,CAAC,MAAM;IACN,OAAO,IAAAL,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAgB,CAAC,CAAC;EAClF;EAEA,IAAI,GAAArB,EAAA,GAAC0B,CAAC,aAAD1B,EAAA,CAAG4B,GAAG,GAAE;IACX,OAAO,IAAAT,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAiB,CAAC,CAAC;EACnF;EAEA,MAAMQ,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC;EACA,IAAI,OAAOH,CAAC,CAACO,GAAG,KAAK,QAAQ,IAAIP,CAAC,CAACO,GAAG,IAAIJ,GAAG,EAAE;IAC7C;IACA,OAAO,MAAMK,kBAAkB,CAACtC,GAAG,EAAEC,GAAG,EAAEiB,KAAK,EAAEQ,gBAAgB,EAAEG,EAAE,EAAEC,CAAC,EAAE5B,IAAI,CAAC;EACjF;;EAEA;EACA,MAAMqC,KAAK,GACRC,KAAK,CAACC,OAAO,CAACX,CAAC,CAACY,GAAG,CAAC,IAAIZ,CAAC,CAACY,GAAG,CAACC,QAAQ,CAACjB,gBAAgB,CAAC,IACxD,OAAOI,CAAC,CAACY,GAAG,KAAK,QAAQ,KAAKZ,CAAC,CAACY,GAAG,KAAKhB,gBAAgB,IAAII,CAAC,CAACY,GAAG,KAAK,SAAS,CAAE,IAClFZ,CAAC,CAACc,GAAG,KAAKlB,gBAAgB;EAE5B,IAAI,CAACa,KAAK,EAAE;IACV,OAAO,IAAAhB,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,WAAW;MAAEC,MAAM,EAAE;IAAoB,CAAC,CAAC;EAChF;EAGA,IAAAoB,oBAAW,EAAC5C,GAAG,EAAE,IAAI,EAAC,KAAK,CAAC;;EAE5B;EACA,CAAAK,UAAA,IAAAD,IAAA,GAACJ,GAAG,EAAS6C,KAAK,YAAAxC,UAAA,GAAlBD,IAAA,CAAayC,KAAK,GAAK,CAAC,CAAC;EACzB,MAAMC,QAAQ,IAAAxC,UAAA,GAAGuB,CAAC,CAACkB,OAAO,YAAAzC,UAAA,GAAKuB,CAAC,CAACmB,GAAG,GAAG,IAAIC,GAAG,CAACpB,CAAC,CAACmB,GAAG,CAAC,CAACE,QAAQ,CAAC1D,KAAK,CAAC,GAAG,CAAC,CAAC2D,GAAG,CAAC,CAAC,GAAG,IAAK;EAEtFnD,GAAG,CAAS6C,KAAK,CAACO,IAAI,GAAG;IACxBnC,KAAK;IACLoC,MAAM,GAAA9C,MAAA,GAAEsB,CAAC,CAACyB,GAAG,YAAA/C,MAAA,GAAI,IAAI;IACrBgD,UAAU,GAAA/C,KAAA,IAAAC,UAAA,GAAEoB,CAAC,CAAC2B,OAAO,YAAA/C,UAAA,GAAIqC,QAAQ,YAAAtC,KAAA,GAAI,IAAI;IACzCsC,QAAQ;IACRW,KAAK,GAAA/C,KAAA,IAAAC,QAAA,GAAEkB,CAAC,CAAC4B,KAAK,YAAA9C,QAAA,GAAIkB,CAAC,CAAC6B,kBAAkB,YAAAhD,KAAA,GAAI,IAAI;IAC9CiD,IAAI,GAAA/C,OAAA,GAAEiB,CAAC,CAAC8B,IAAI,YAAA/C,OAAA,GAAIgD,SAAS;IACzBC,KAAK,GAAAhD,KAAA,IAAAC,qBAAA,IAAAC,kBAAA,GAAEc,CAAC,CAACiC,eAAe,cAAA/C,kBAAA,GAAjBA,kBAAA,CAAoBU,gBAAgB,CAAC,qBAArCV,kBAAA,CAAuC8C,KAAK,YAAA/C,qBAAA,IAAAE,eAAA,GAAIa,CAAC,CAACkC,YAAY,qBAAd/C,eAAA,CAAgB6C,KAAK,YAAAhD,KAAA,GAAI,EAAE;IAClFuB,GAAG,EAAEP,CAAC,CAACO;EACT,CAAC;EAED,OAAOnC,IAAI,CAAC,CAAC;AACf,CAAC;AAAC+D,OAAA,CAAAlE,QAAA,GAAAA,QAAA;AAIF,eAAeuC,kBAAkBA,CAC/BtC,GAAgB,EAChBC,GAAsB,EACtBiB,KAAa,EACbQ,gBAAwB,EACxBG,EAAsB,EACtBC,CAAM,EACN5B,IAAqC,EACV;EAAA,IAAAgE,mBAAA;EAC3B;EACA,IAAI,CAACrC,EAAE,EAAE;IACP,OAAO,IAAAN,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAgB,CAAC,CAAC;EAClF;;EAEA;EACA,IAAI0C,OAA2B,IAAAD,mBAAA,GAAG7C,kBAAO,CAACH,KAAK,CAAC,CAACmC,IAAI,qBAAnBa,mBAAA,CAAqBE,KAAK;EAC5D,IAAI,CAACD,OAAO,EAAE;IACZ,IAAI;MACF,MAAME,QAAQ,GAAGvC,CAAC,YAADA,CAAC,CAAEmB,GAAG,GAAG,IAAIC,GAAG,CAACpB,CAAC,CAACmB,GAAG,CAAC,CAACE,QAAQ,CAAC1D,KAAK,CAAC,GAAG,CAAC,CAAC2D,GAAG,CAAC,CAAC,GAAGS,SAAS;MAC9EM,OAAO,GAAG,CAACrC,CAAC,oBAADA,CAAC,CAAUkB,OAAO,KAAIqB,QAAQ,IAAIR,SAAS;IACxD,CAAC,CAAC,MAAM;MACNM,OAAO,GAAGN,SAAS;IACrB;EACF;EAEA,IAAI,CAACM,OAAO,EAAE;IACZ,OAAO,IAAA5C,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAuB,CAAC,CAAC;EACzF;EAEAxB,GAAG,CAACqE,IAAI,CAAC,iDAAiD,EAAE;IAC1DH,OAAO;IACPzC,gBAAgB;IAChBG;EACF,CAAC,CAAC;;EAGF;EACA,IAAI;IAAA,IAAA0C,KAAA,EAAAC,WAAA,EAAAC,WAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,SAAA,EAAAC,QAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,mBAAA,EAAAC,gBAAA;IACF,MAAMC,IAAI,GAAG,MAAMC,KAAK,CAACpG,MAAM,EAAE;MAC/BqG,MAAM,EAAE,MAAM;MACdnE,OAAO,EAAE;QAAE,cAAc,EAAE;MAAmB,CAAC;MAC/CoE,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QACnBtB,OAAO;QACP7C,QAAQ,EAAEI,gBAAgB;QAC1BgE,aAAa,EAAE7D;MACjB,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,CAACuD,IAAI,CAACO,EAAE,EAAE;MACZ,MAAMC,IAAI,GAAG,MAAMR,IAAI,CAACQ,IAAI,CAAC,CAAC;MAC9B3F,GAAG,CAAC4F,IAAI,YAAR5F,GAAG,CAAC4F,IAAI,CAAG,wBAAwBT,IAAI,CAAC5D,MAAM,IAAIoE,IAAI,EAAE,CAAC;MACzD,OAAO,IAAArE,mBAAY,EAAC,GAAG,EAAE;QAAEC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAAiB,CAAC,CAAC;IACnF;IAGA,MAAMqE,OAAO,GAAG,MAAMV,IAAI,CAACW,IAAI,CAAC,CAAC;IACjC,MAAMC,IAAI,GAAG,CAAAF,OAAO,oBAAPA,OAAO,CAAEE,IAAI,KAAI,CAAC,CAAC;IAChC,MAAMC,KAAK,GAAGD,IAAI,CAACE,YAAkC;IACrD,MAAMC,KAAK,GAAGH,IAAI,CAACN,aAAmC;IACtD,IAAI,CAACO,KAAK,IAAI,CAACE,KAAK,EAAE;MACpB,OAAO,IAAA5E,mBAAY,EAAC,GAAG,EAAE;QAAEC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAA2B,CAAC,CAAC;IAC7F;;IAEA;IACA,IAAAoB,oBAAW,EAAC5C,GAAG,EAAE,uBAAuBiB,KAAK,KAAK,EAAE+E,KAAK,CAAC;IAC1D,IAAApD,oBAAW,EAAC5C,GAAG,EAAE,uBAAuBiB,KAAK,KAAK,EAAEiF,KAAK,CAAC;;IAE1D;IACA,IAAIC,EAAO;IACX,IAAI;MAAEA,EAAE,GAAG,IAAArE,oBAAS,EAACkE,KAAK,CAAC;IAAE,CAAC,CAAC,MAAM;MAAE,OAAO,IAAA1E,mBAAY,EAAC,GAAG,EAAE;QAAEC,MAAM,EAAE,iBAAiB;QAAEC,MAAM,EAAE;MAAoB,CAAC,CAAC;IAAE;IAE7H,MAAM4E,MAAM,GACT7D,KAAK,CAACC,OAAO,CAAC2D,EAAE,CAAC1D,GAAG,CAAC,IAAI0D,EAAE,CAAC1D,GAAG,CAACC,QAAQ,CAACjB,gBAAgB,CAAC,IAC1D,OAAO0E,EAAE,CAAC1D,GAAG,KAAK,QAAQ,KAAK0D,EAAE,CAAC1D,GAAG,KAAKhB,gBAAgB,IAAI0E,EAAE,CAAC1D,GAAG,KAAK,SAAS,CAAE,IACrF0D,EAAE,CAACxD,GAAG,KAAKlB,gBAAgB;IAC7B,IAAI,CAAC2E,MAAM,EAAE;MACX,OAAO,IAAA9E,mBAAY,EAAC,GAAG,EAAE;QAAEC,MAAM,EAAE,WAAW;QAAEC,MAAM,EAAE;MAAoB,CAAC,CAAC;IAChF;;IAEA;IACA,CAAA+C,WAAA,IAAAD,KAAA,GAACtE,GAAG,EAAS6C,KAAK,YAAA0B,WAAA,GAAlBD,KAAA,CAAazB,KAAK,GAAK,CAAC,CAAC;IACzB,MAAMwD,SAAS,IAAA7B,WAAA,GAAG2B,EAAE,CAACpD,OAAO,YAAAyB,WAAA,GAAK2B,EAAE,CAACnD,GAAG,GAAG,IAAIC,GAAG,CAACkD,EAAE,CAACnD,GAAG,CAAC,CAACE,QAAQ,CAAC1D,KAAK,CAAC,GAAG,CAAC,CAAC2D,GAAG,CAAC,CAAC,GAAG,IAAK;IAC1FnD,GAAG,CAAS6C,KAAK,CAACO,IAAI,GAAG;MACxBnC,KAAK;MACLoC,MAAM,GAAAoB,OAAA,GAAE0B,EAAE,CAAC7C,GAAG,YAAAmB,OAAA,GAAI,IAAI;MACtBlB,UAAU,GAAAmB,KAAA,IAAAC,WAAA,GAAEwB,EAAE,CAAC3C,OAAO,YAAAmB,WAAA,GAAI0B,SAAS,YAAA3B,KAAA,GAAI,IAAI;MAC3C5B,QAAQ,EAAEuD,SAAS;MACnB5C,KAAK,GAAAmB,KAAA,IAAAC,SAAA,GAAEsB,EAAE,CAAC1C,KAAK,YAAAoB,SAAA,GAAIsB,EAAE,CAACzC,kBAAkB,YAAAkB,KAAA,GAAI,IAAI;MAChDjB,IAAI,GAAAmB,QAAA,GAAEqB,EAAE,CAACxC,IAAI,YAAAmB,QAAA,GAAIlB,SAAS;MAC1BC,KAAK,GAAAkB,KAAA,IAAAC,qBAAA,IAAAC,mBAAA,GAAEkB,EAAE,CAACrC,eAAe,cAAAmB,mBAAA,GAAlBA,mBAAA,CAAqBxD,gBAAgB,CAAC,qBAAtCwD,mBAAA,CAAwCpB,KAAK,YAAAmB,qBAAA,IAAAE,gBAAA,GAAIiB,EAAE,CAACpC,YAAY,qBAAfmB,gBAAA,CAAiBrB,KAAK,YAAAkB,KAAA,GAAI,EAAE;MACpF3C,GAAG,EAAE+D,EAAE,CAAC/D;IACV,CAAC;;IAED;IACA,OAAOnC,IAAI,CAAC,CAAC;EACf,CAAC,CAAC,OAAOqG,CAAC,EAAE;IACVtG,GAAG,CAACuG,KAAK,YAATvG,GAAG,CAACuG,KAAK,CAAG,mBAAmB,EAAED,CAAQ,CAAC;IAC1C,OAAO,IAAAhF,mBAAY,EAAC,GAAG,EAAE;MAAEC,MAAM,EAAE,iBAAiB;MAAEC,MAAM,EAAE;IAAoB,CAAC,CAAC;EACtF;AACF","ignoreList":[]}

package/build/cjs/types/app.js

@@ -0,0 +1,2 @@
+"use strict";
+//# sourceMappingURL=app.js.map

package/build/cjs/types/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","names":[],"sources":["../../../src/types/app.ts"],"sourcesContent":["export type IAppId = \"3238hxa2\";\n\nexport interface IDomainMappings {\n  domains: Record<string, string[]>;\n  clientId: string;\n  appId: string;\n  name: string;\n  exclude: Record<string, string[]>;\n  cookie: {\n      prefix: string;\n      domain: {\n          local: string | null;\n          dev: string;\n          staging: string;\n          prod: string;\n      };\n      path: string;\n      sameSite: string;\n      secure: boolean;\n      httpOnly: boolean;\n      maxAgeSec: { sid: number; rt: number };\n  };\n  auth?: {\n      realm: string;\n      clientId: string;\n  };\n}"],"mappings":"","ignoreList":[]}

package/build/cjs/utils/cookies.js

@@ -0,0 +1,28 @@
+"use strict";
+
+exports.__esModule = true;
+exports.setCookieKV = setCookieKV;
+function setCookieKV(ctx, key, value) {
+  var _ref, _ref$CTX_COOKIES_OBJ, _ref2, _ref2$CTX_COOKIES;
+  // Object-cookie bag (preferred)
+  const CTX_COOKIES_OBJ = Symbol.for("cfy.resCookies.obj");
+  // @ts-ignore
+  const objBag = (_ref$CTX_COOKIES_OBJ = (_ref = ctx)[CTX_COOKIES_OBJ]) != null ? _ref$CTX_COOKIES_OBJ : _ref[CTX_COOKIES_OBJ] = [];
+  objBag.push({
+    name: key,
+    value,
+    path: "/",
+    httpOnly: true,
+    secure: true,
+    // drop to false if testing on http://
+    sameSite: "None",
+    // use "Lax" for same-site
+    maxAge: 300 // seconds
+  });
+
+  // (Optional) Keep your string fallback too:
+  const CTX_COOKIES = Symbol.for("cfy.resCookies");
+  const strBag = (_ref2$CTX_COOKIES = (_ref2 = ctx)[CTX_COOKIES]) != null ? _ref2$CTX_COOKIES : _ref2[CTX_COOKIES] = [];
+  strBag.push(`${encodeURIComponent(key)}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=300`);
+}
+//# sourceMappingURL=cookies.js.map

package/build/cjs/utils/cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.js","names":["setCookieKV","ctx","key","value","_ref","_ref$CTX_COOKIES_OBJ","_ref2","_ref2$CTX_COOKIES","CTX_COOKIES_OBJ","Symbol","for","objBag","push","name","path","httpOnly","secure","sameSite","maxAge","CTX_COOKIES","strBag","encodeURIComponent"],"sources":["../../../src/utils/cookies.ts"],"sourcesContent":["import { InvocationContext } from \"@azure/functions\";\n\nexport function setCookieKV(ctx: InvocationContext, key: string, value: string): void {\n  // Object-cookie bag (preferred)\n  const CTX_COOKIES_OBJ = Symbol.for(\"cfy.resCookies.obj\");\n  // @ts-ignore\n  const objBag = ((ctx as any)[CTX_COOKIES_OBJ] ??= [] as HttpCookie[]);\n  objBag.push({\n      name: key,\n      value,\n      path: \"/\",\n      httpOnly: true,\n      secure: true,       // drop to false if testing on http://\n      sameSite: \"None\",   // use \"Lax\" for same-site\n      maxAge: 300,        // seconds\n  });\n\n  // (Optional) Keep your string fallback too:\n  const CTX_COOKIES = Symbol.for(\"cfy.resCookies\");\n  const strBag = ((ctx as any)[CTX_COOKIES] ??= [] as string[]);\n  strBag.push(\n      `${encodeURIComponent(key)}=${encodeURIComponent(value)}; Path=/; HttpOnly; SameSite=None; Secure; Max-Age=300`\n  );\n}"],"mappings":";;;;AAEO,SAASA,WAAWA,CAACC,GAAsB,EAAEC,GAAW,EAAEC,KAAa,EAAQ;EAAA,IAAAC,IAAA,EAAAC,oBAAA,EAAAC,KAAA,EAAAC,iBAAA;EACpF;EACA,MAAMC,eAAe,GAAGC,MAAM,CAACC,GAAG,CAAC,oBAAoB,CAAC;EACxD;EACA,MAAMC,MAAM,IAAAN,oBAAA,GAAI,CAAAD,IAAA,GAACH,GAAG,EAASO,eAAe,CAAC,YAAAH,oBAAA,GAA7BD,IAAA,CAAaI,eAAe,CAAC,GAAK,EAAmB;EACrEG,MAAM,CAACC,IAAI,CAAC;IACRC,IAAI,EAAEX,GAAG;IACTC,KAAK;IACLW,IAAI,EAAE,GAAG;IACTC,QAAQ,EAAE,IAAI;IACdC,MAAM,EAAE,IAAI;IAAQ;IACpBC,QAAQ,EAAE,MAAM;IAAI;IACpBC,MAAM,EAAE,GAAG,CAAS;EACxB,CAAC,CAAC;;EAEF;EACA,MAAMC,WAAW,GAAGV,MAAM,CAACC,GAAG,CAAC,gBAAgB,CAAC;EAChD,MAAMU,MAAM,IAAAb,iBAAA,GAAI,CAAAD,KAAA,GAACL,GAAG,EAASkB,WAAW,CAAC,YAAAZ,iBAAA,GAAzBD,KAAA,CAAaa,WAAW,CAAC,GAAK,EAAe;EAC7DC,MAAM,CAACR,IAAI,CACP,GAAGS,kBAAkB,CAACnB,GAAG,CAAC,IAAImB,kBAAkB,CAAClB,KAAK,CAAC,wDAC3D,CAAC;AACH","ignoreList":[]}

package/build/esm/constants/app.js

@@ -0,0 +1,41 @@
+export const APP_MAP = {
+  '3238hxa2': {
+    appId: "3238hxa2",
+    name: "superadmin",
+    clientId: "cfy-superadmin-web",
+    domains: {
+      local: ["localhost:5173", "127.0.0.1:5173"],
+      dev: ["accounts.dev.culturefy.app"],
+      staging: ["accounts.staging.culturefy.app"],
+      prod: ["accounts.culturefy.app"]
+    },
+    auth: {
+      realm: "superadmin",
+      clientId: "cfy-superadmin-web"
+    },
+    exclude: {
+      prod: [] // e.g. add "app.culturefy.app" to prevent misrouting
+    },
+    cookie: {
+      prefix: "__Secure-auth",
+      domain: {
+        local: null,
+        // host-bound in local
+        dev: ".culturefy.dev",
+        // adjust to your dev root
+        staging: ".culturefy.staging",
+        // adjust to your staging root
+        prod: ".culturefy.app"
+      },
+      path: "/",
+      sameSite: "None",
+      secure: true,
+      httpOnly: true,
+      maxAgeSec: {
+        sid: 15 * 60,
+        rt: 30 * 24 * 60 * 60
+      } // 15m / 30d
+    }
+  }
+};
+//# sourceMappingURL=app.js.map

package/build/esm/constants/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","names":["APP_MAP","appId","name","clientId","domains","local","dev","staging","prod","auth","realm","exclude","cookie","prefix","domain","path","sameSite","secure","httpOnly","maxAgeSec","sid","rt"],"sources":["../../../src/constants/app.ts"],"sourcesContent":["import { IAppId, IDomainMappings } from \"../types/app\";\n\nexport const APP_MAP: Record<IAppId, IDomainMappings> = {\n  '3238hxa2': {\n      appId: \"3238hxa2\",\n      name: \"superadmin\",\n      clientId: \"cfy-superadmin-web\",\n      domains: {\n          local: [\"localhost:5173\", \"127.0.0.1:5173\"],\n          dev: [\"accounts.dev.culturefy.app\"],\n          staging: [\"accounts.staging.culturefy.app\"],\n          prod: [\"accounts.culturefy.app\"]\n      },\n\n      auth: {\n          realm: \"superadmin\",\n          clientId: \"cfy-superadmin-web\",\n      },\n\n      exclude: {\n          prod: [] // e.g. add \"app.culturefy.app\" to prevent misrouting\n      },\n      cookie: {\n          prefix: \"__Secure-auth\",\n          domain: {\n              local: null, // host-bound in local\n              dev: \".culturefy.dev\", // adjust to your dev root\n              staging: \".culturefy.staging\", // adjust to your staging root\n              prod: \".culturefy.app\"\n          },\n          path: \"/\",\n          sameSite: \"None\",\n          secure: true,\n          httpOnly: true,\n          maxAgeSec: { sid: 15 * 60, rt: 30 * 24 * 60 * 60 } // 15m / 30d\n      }\n\n  },\n\n};\n"],"mappings":"AAEA,OAAO,MAAMA,OAAwC,GAAG;EACtD,UAAU,EAAE;IACRC,KAAK,EAAE,UAAU;IACjBC,IAAI,EAAE,YAAY;IAClBC,QAAQ,EAAE,oBAAoB;IAC9BC,OAAO,EAAE;MACLC,KAAK,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;MAC3CC,GAAG,EAAE,CAAC,4BAA4B,CAAC;MACnCC,OAAO,EAAE,CAAC,gCAAgC,CAAC;MAC3CC,IAAI,EAAE,CAAC,wBAAwB;IACnC,CAAC;IAEDC,IAAI,EAAE;MACFC,KAAK,EAAE,YAAY;MACnBP,QAAQ,EAAE;IACd,CAAC;IAEDQ,OAAO,EAAE;MACLH,IAAI,EAAE,EAAE,CAAC;IACb,CAAC;IACDI,MAAM,EAAE;MACJC,MAAM,EAAE,eAAe;MACvBC,MAAM,EAAE;QACJT,KAAK,EAAE,IAAI;QAAE;QACbC,GAAG,EAAE,gBAAgB;QAAE;QACvBC,OAAO,EAAE,oBAAoB;QAAE;QAC/BC,IAAI,EAAE;MACV,CAAC;MACDO,IAAI,EAAE,GAAG;MACTC,QAAQ,EAAE,MAAM;MAChBC,MAAM,EAAE,IAAI;MACZC,QAAQ,EAAE,IAAI;MACdC,SAAS,EAAE;QAAEC,GAAG,EAAE,EAAE,GAAG,EAAE;QAAEC,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG;MAAG,CAAC,CAAC;IACvD;EAEJ;AAEF,CAAC","ignoreList":[]}

package/build/esm/constants/index.js

@@ -0,0 +1,2 @@
+export * from './app';
+//# sourceMappingURL=index.js.map

package/build/esm/constants/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":[],"sources":["../../../src/constants/index.ts"],"sourcesContent":["export * from './app';"],"mappings":"AAAA,cAAc,OAAO","ignoreList":[]}

package/build/esm/index.js

@@ -2,4 +2,5 @@ export * from './types';
 export * from './enums';
 export * from './utils';
 export * from './middlewares';
+export * from './constants';
 //# sourceMappingURL=index.js.map

package/build/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';\nexport * from './middlewares';"],"mappings":"AAAA,cAAc,SAAS;AACvB,cAAc,SAAS;AACvB,cAAc,SAAS;AACvB,cAAc,eAAe","ignoreList":[]}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';\nexport * from './middlewares';\nexport * from './constants';\n"],"mappings":"AAAA,cAAc,SAAS;AACvB,cAAc,SAAS;AACvB,cAAc,SAAS;AACvB,cAAc,eAAe;AAC7B,cAAc,aAAa","ignoreList":[]}

package/build/esm/middlewares/verify-middleware.js

@@ -0,0 +1,197 @@
+import { sendResponse } from "../utils";
+import { APP_MAP } from "../constants";
+import { jwtDecode } from "jwt-decode";
+import { setCookieKV } from "../utils/cookies";
+const apiURL = process.env.REFRESH_SESSION_URL || '';
+const parseCookieHeader = header => {
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const [k, ...rest] = part.trim().split("=");
+    if (!k) continue;
+    out[k] = decodeURIComponent(rest.join("=") || "");
+  }
+  return out;
+};
+export const verifyMw = async (req, ctx, next) => {
+  var _APP_MAP$appId, _p, _ref, _ref$state, _p$cfy_tid, _p$sub, _ref2, _p$cfy_bid, _ref3, _p$email, _p$name, _ref4, _p$resource_access$ex, _p$resource_access, _p$realm_access;
+  const appId = req.headers.get("app-id");
+  if (!appId || !(APP_MAP != null && (_APP_MAP$appId = APP_MAP[appId]) != null && _APP_MAP$appId.clientId)) {
+    return sendResponse(400, {
+      status: "bad_request",
+      reason: "invalid_app"
+    });
+  }
+  const expectedClientId = APP_MAP[appId].clientId;
+
+  // cookies
+  const cookies = parseCookieHeader(req.headers.get("cookie"));
+  const at = cookies[`__Secure-session-v1.${appId}.at`];
+  const rt = cookies[`__Secure-session-v1.${appId}.rt`];
+  if (!at && !rt) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "no_tokens"
+    });
+  }
+
+  // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)
+  let p;
+  try {
+    p = jwtDecode(at);
+  } catch (_unused) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "invalid_token"
+    });
+  }
+  if (!((_p = p) != null && _p.sid)) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "user_not_found"
+    });
+  }
+  const now = Math.floor(Date.now() / 1000);
+  // if (typeof p.exp === "number" && p.exp <= now) {
+  if (typeof p.exp === "number" && p.exp >= now) {
+    // Delegate to refresh helper; it will handle setting cookies/state or returning an error
+    return await getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next);
+  }
+
+  // audience checks
+  const audOk = Array.isArray(p.aud) && p.aud.includes(expectedClientId) || typeof p.aud === "string" && (p.aud === expectedClientId || p.aud === "account") || p.azp === expectedClientId;
+  if (!audOk) {
+    return sendResponse(403, {
+      status: "forbidden",
+      reason: "audience_mismatch"
+    });
+  }
+  setCookieKV(ctx, 'ew', 'rre');
+
+  // pass data downstream
+  (_ref$state = (_ref = ctx).state) != null ? _ref$state : _ref.state = {};
+  const tenantId = (_p$cfy_tid = p.cfy_tid) != null ? _p$cfy_tid : p.iss ? new URL(p.iss).pathname.split("/").pop() : null;
+  ctx.state.auth = {
+    appId,
+    userId: (_p$sub = p.sub) != null ? _p$sub : null,
+    businessId: (_ref2 = (_p$cfy_bid = p.cfy_bid) != null ? _p$cfy_bid : tenantId) != null ? _ref2 : null,
+    tenantId,
+    email: (_ref3 = (_p$email = p.email) != null ? _p$email : p.preferred_username) != null ? _ref3 : null,
+    name: (_p$name = p.name) != null ? _p$name : undefined,
+    roles: (_ref4 = (_p$resource_access$ex = (_p$resource_access = p.resource_access) == null || (_p$resource_access = _p$resource_access[expectedClientId]) == null ? void 0 : _p$resource_access.roles) != null ? _p$resource_access$ex : (_p$realm_access = p.realm_access) == null ? void 0 : _p$realm_access.roles) != null ? _ref4 : [],
+    exp: p.exp
+  };
+  return next();
+};
+async function getNewRefreshToken(req, ctx, appId, expectedClientId, rt, p, next) {
+  var _APP_MAP$appId$auth;
+  // Attempt server-side refresh using RT
+  if (!rt) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "expired_no_rt"
+    });
+  }
+
+  // Resolve realm for refresh
+  let realmId = (_APP_MAP$appId$auth = APP_MAP[appId].auth) == null ? void 0 : _APP_MAP$appId$auth.realm;
+  if (!realmId) {
+    try {
+      const issRealm = p != null && p.iss ? new URL(p.iss).pathname.split("/").pop() : undefined;
+      realmId = (p == null ? void 0 : p.cfy_tid) || issRealm || undefined;
+    } catch (_unused2) {
+      realmId = undefined;
+    }
+  }
+  if (!realmId) {
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "cannot_resolve_realm"
+    });
+  }
+  ctx.info("refreshing token payload ----------------------", {
+    realmId,
+    expectedClientId,
+    rt
+  });
+
+  // Call auth service to refresh
+  try {
+    var _ref5, _ref5$state, _p2$cfy_tid, _p2$sub, _ref6, _p2$cfy_bid, _ref7, _p2$email, _p2$name, _ref8, _p2$resource_access$e, _p2$resource_access, _p2$realm_access;
+    const resp = await fetch(apiURL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        realmId,
+        clientId: expectedClientId,
+        refresh_token: rt
+      })
+    });
+    if (!resp.ok) {
+      const text = await resp.text();
+      ctx.warn == null || ctx.warn(`refresh call failed: ${resp.status} ${text}`);
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "refresh_failed"
+      });
+    }
+    const payload = await resp.json();
+    const data = (payload == null ? void 0 : payload.data) || {};
+    const newAT = data.access_token;
+    const newRT = data.refresh_token;
+    if (!newAT || !newRT) {
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "invalid_refresh_response"
+      });
+    }
+
+    // Set refreshed cookies for client session
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.at`, newAT);
+    setCookieKV(ctx, `__Secure-session-v1.${appId}.rt`, newRT);
+
+    // Decode new AT and proceed
+    let p2;
+    try {
+      p2 = jwtDecode(newAT);
+    } catch (_unused3) {
+      return sendResponse(401, {
+        status: "unauthenticated",
+        reason: "invalid_new_token"
+      });
+    }
+    const audOk2 = Array.isArray(p2.aud) && p2.aud.includes(expectedClientId) || typeof p2.aud === "string" && (p2.aud === expectedClientId || p2.aud === "account") || p2.azp === expectedClientId;
+    if (!audOk2) {
+      return sendResponse(403, {
+        status: "forbidden",
+        reason: "audience_mismatch"
+      });
+    }
+
+    // Update downstream auth state with refreshed token
+    (_ref5$state = (_ref5 = ctx).state) != null ? _ref5$state : _ref5.state = {};
+    const tenantId2 = (_p2$cfy_tid = p2.cfy_tid) != null ? _p2$cfy_tid : p2.iss ? new URL(p2.iss).pathname.split("/").pop() : null;
+    ctx.state.auth = {
+      appId,
+      userId: (_p2$sub = p2.sub) != null ? _p2$sub : null,
+      businessId: (_ref6 = (_p2$cfy_bid = p2.cfy_bid) != null ? _p2$cfy_bid : tenantId2) != null ? _ref6 : null,
+      tenantId: tenantId2,
+      email: (_ref7 = (_p2$email = p2.email) != null ? _p2$email : p2.preferred_username) != null ? _ref7 : null,
+      name: (_p2$name = p2.name) != null ? _p2$name : undefined,
+      roles: (_ref8 = (_p2$resource_access$e = (_p2$resource_access = p2.resource_access) == null || (_p2$resource_access = _p2$resource_access[expectedClientId]) == null ? void 0 : _p2$resource_access.roles) != null ? _p2$resource_access$e : (_p2$realm_access = p2.realm_access) == null ? void 0 : _p2$realm_access.roles) != null ? _ref8 : [],
+      exp: p2.exp
+    };
+
+    // Continue pipeline after refresh
+    return next();
+  } catch (e) {
+    ctx.error == null || ctx.error("refresh exception", e);
+    return sendResponse(401, {
+      status: "unauthenticated",
+      reason: "refresh_exception"
+    });
+  }
+}
+//# sourceMappingURL=verify-middleware.js.map