@discover-cloud/shared 1.0.0

package/dist/middleware/require-auth.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequireAuthMiddleware = void 0;
+const errors_1 = require("../errors");
+class RequireAuthMiddleware {
+    constructor(verifier) {
+        this.verifier = verifier;
+        this.handle = async (req, _res, next) => {
+            const header = req.headers.authorization;
+            if (!header?.startsWith("Bearer ")) {
+                return next(new errors_1.UnauthorizedError("Missing Authorization header"));
+            }
+            const token = header.slice(7);
+            try {
+                // 1. Verify against Gateway Public Keys
+                const payload = await this.verifier.verifyAccessToken(token);
+                // 2. Store the raw payload (Access to .jti for logouts/suspensions)
+                req.internalAuth = payload;
+                // 3. Build AccessContext if it's a human user
+                if (payload.accountId && payload.accountRole) {
+                    req.accessContext = {
+                        accountId: payload.accountId,
+                        accountRole: payload.accountRole,
+                    };
+                }
+                next();
+            }
+            catch (err) {
+                next(new errors_1.UnauthorizedError("Unauthorized: Token validation failed"));
+            }
+        };
+    }
+}
+exports.RequireAuthMiddleware = RequireAuthMiddleware;

package/dist/middleware/validate.d.ts

@@ -0,0 +1,5 @@
+import { Request, Response, NextFunction } from "express";
+import { ZodType } from "zod";
+export declare class Validator {
+    static validate<T>(schema: ZodType<T>, source?: "body" | "params" | "query"): (req: Request, _res: Response, next: NextFunction) => void;
+}

package/dist/middleware/validate.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Validator = void 0;
+class Validator {
+    static validate(schema, source = "body") {
+        return (req, _res, next) => {
+            const result = schema.safeParse(req[source]);
+            if (!result.success) {
+                // Pass to GlobalErrorHandler
+                return next(result.error);
+            }
+            // Populate req.validated (defined in your shared .d.ts)
+            req.validated = result.data;
+            next();
+        };
+    }
+}
+exports.Validator = Validator;

package/dist/middleware/verify-internal-jwt.d.ts

@@ -0,0 +1,7 @@
+import { Request, Response, NextFunction } from "express";
+import { InternalJwtService } from "../internal";
+export declare class VerifyInternalJwtMiddleware {
+    private readonly internalJwt;
+    constructor(internalJwt: InternalJwtService);
+    handle: (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+}

package/dist/middleware/verify-internal-jwt.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerifyInternalJwtMiddleware = void 0;
+const errors_1 = require("../errors"); // Shared errors
+class VerifyInternalJwtMiddleware {
+    constructor(internalJwt) {
+        this.internalJwt = internalJwt;
+        this.handle = async (req, _res, next) => {
+            const raw = req.headers["x-internal-token"]; // Standardize header name
+            if (!raw || typeof raw !== "string") {
+                return next(new errors_1.UnauthorizedError("Missing internal token"));
+            }
+            try {
+                const payload = await this.internalJwt.verify(raw);
+                // Populate standardized internalAuth (from your shared .d.ts)
+                req.internalAuth = payload;
+                next();
+            }
+            catch (err) {
+                next(new errors_1.UnauthorizedError("Invalid internal token"));
+            }
+        };
+    }
+}
+exports.VerifyInternalJwtMiddleware = VerifyInternalJwtMiddleware;

package/dist/security/guard.d.ts

@@ -0,0 +1,10 @@
+import { AccountRole, GlobalPermission, OrganizationRole, OrgPermission } from "../enums";
+import { AccessContext } from "../types";
+export declare const globalRolePermissions: Record<AccountRole, readonly GlobalPermission[]>;
+export declare const orgRolePermissions: Record<OrganizationRole, readonly OrgPermission[]>;
+/**
+ * Updated isAllowed
+ * Since memberships are no longer in the JWT, this function
+ * primarily validates Global permissions.
+ */
+export declare const isAllowed: (ctx: AccessContext, permission: GlobalPermission | OrgPermission) => boolean;

package/dist/security/guard.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAllowed = exports.orgRolePermissions = exports.globalRolePermissions = void 0;
+const enums_1 = require("../enums");
+exports.globalRolePermissions = {
+    [enums_1.AccountRole.SUPERADMIN]: Object.values(enums_1.GlobalPermission), // Superadmin gets everything
+    [enums_1.AccountRole.ADMIN]: [
+        enums_1.GlobalPermission.MANAGE_USERS,
+        enums_1.GlobalPermission.SUPPORT_ACTIONS,
+        enums_1.GlobalPermission.VIEW_SYSTEM_LOGS
+    ],
+    [enums_1.AccountRole.SUPPORT]: [enums_1.GlobalPermission.SUPPORT_ACTIONS],
+    [enums_1.AccountRole.MODERATOR]: [enums_1.GlobalPermission.MODERATE_CONTENT],
+    [enums_1.AccountRole.USER]: []
+};
+// We keep this here as a reference for local service lookups
+exports.orgRolePermissions = {
+    [enums_1.OrganizationRole.OWNER]: [enums_1.OrgPermission.MANAGE_ORG, enums_1.OrgPermission.MANAGE_MEMBERS],
+    [enums_1.OrganizationRole.ADMIN]: [enums_1.OrgPermission.MANAGE_MEMBERS],
+    [enums_1.OrganizationRole.EDITOR]: [],
+    [enums_1.OrganizationRole.VIEWER]: [],
+};
+const canPerformGlobalPermission = (role, permission) => {
+    return exports.globalRolePermissions[role]?.includes(permission) ?? false;
+};
+/**
+ * Updated isAllowed
+ * Since memberships are no longer in the JWT, this function
+ * primarily validates Global permissions.
+ */
+const isAllowed = (ctx, permission) => {
+    // 1. Check if it's a Global Permission (Handled via JWT role)
+    if (Object.values(enums_1.GlobalPermission).includes(permission)) {
+        return canPerformGlobalPermission(ctx.accountRole, permission);
+    }
+    // 2. Org Permissions are now handled by specific "Tenant Middleware"
+    // within the microservices because they require a DB check.
+    return false;
+};
+exports.isAllowed = isAllowed;

package/dist/security/index.d.ts

@@ -0,0 +1 @@
+export * from "./guard";

package/dist/security/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./guard"), exports);

package/dist/types/express.d.ts

@@ -0,0 +1,22 @@
+import "express-serve-static-core";
+import { JWTPayload } from "jose";
+import { AccountRole } from "../enums";
+export interface AccessContext {
+    accountId: string;
+    accountRole: AccountRole;
+}
+export interface InternalJwtPayload extends JWTPayload {
+    jti: string;
+    accountId?: string;
+    accountRole?: string;
+    isMachine?: boolean;
+}
+declare module "express-serve-static-core" {
+    interface Request {
+        id: string;
+        validated?: any;
+        accessContext?: AccessContext;
+        internalAuth?: InternalJwtPayload;
+    }
+}
+export {};

package/dist/types/express.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+require("express-serve-static-core");

package/dist/types/index.d.ts

@@ -0,0 +1 @@
+export * from "./express";

package/dist/types/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./express"), exports);

package/dist/utils/index.d.ts

@@ -0,0 +1 @@
+export * from "./response";

package/dist/utils/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./response"), exports);

package/dist/utils/response.d.ts

@@ -0,0 +1,3 @@
+import { Response } from "express";
+export declare const success: <T>(res: Response, data: T, statusCode?: number) => Response<any, Record<string, any>>;
+export declare const failure: (res: Response, message: string, statusCode?: number, details?: unknown) => Response<any, Record<string, any>>;

package/dist/utils/response.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.failure = exports.success = void 0;
+const success = (res, data, statusCode = 200) => {
+    const req = res.req;
+    const response = {
+        success: true,
+        data,
+        meta: {
+            requestId: req?.id ?? null,
+            timestamp: new Date().toISOString()
+        }
+    };
+    return res.status(statusCode).json(response);
+};
+exports.success = success;
+const failure = (res, message, statusCode = 400, details) => {
+    const req = res.req;
+    const response = {
+        success: false,
+        error: {
+            message,
+            details: details ?? null
+        },
+        meta: {
+            requestId: req?.id ?? null,
+            timestamp: new Date().toISOString()
+        }
+    };
+    return res.status(statusCode).json(response);
+};
+exports.failure = failure;

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@discover-cloud/shared",
+  "version": "1.0.0",
+  "private": false,
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "prepublishOnly": "npm run build"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "axios-retry": "^4.5.0",
+    "jose": "^6.1.3"
+  },
+  "peerDependencies": {
+    "axios": "^1.13.5",
+    "express": "^5.2.1",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.3.0",
+    "axios": "^1.13.5",
+    "express": "^5.2.1",
+    "typescript": "^5.9.3",
+    "zod": "^4.3.6"
+  }
+}