@epztickets/common 1.64.0 → 1.66.0

package/build/events/subjects.d.ts

@@ -28,6 +28,7 @@ export declare enum Subjects {
     UserDeleted = "events.user.deleted",
     UserDeletionRequested = "events.user.deletion-requested",
     UserDeletionRejected = "events.user.deletion-rejected",
+    UserEmailVerificationRequested = "events.user.email-verification-requested",
     ConnectDisconnectRequested = "events.user.connect-disconnect-requested",
     ConnectDisconnectApproved = "events.user.connect-disconnect-approved",
     ConnectDisconnectRejected = "events.user.connect-disconnect-rejected"

package/build/events/subjects.js

@@ -45,6 +45,12 @@ var Subjects;
     Subjects["UserDeleted"] = "events.user.deleted";
     Subjects["UserDeletionRequested"] = "events.user.deletion-requested";
     Subjects["UserDeletionRejected"] = "events.user.deletion-rejected";
+    // Auth publishes at signup (and on resend-verification) with the
+    // plaintext one-shot token + expiry. notifications-srv consumes
+    // and dispatches the verification email. The plaintext is in the
+    // event payload because the email is the ONE place it surfaces
+    // — auth's User row only has the SHA-256 hash.
+    Subjects["UserEmailVerificationRequested"] = "events.user.email-verification-requested";
     // Owner-initiated "stop hosting" lifecycle. Mirrors the deletion
     // request triplet — auth publishes Requested at submission, then
     // either Approved (which IS the disconnect) or Rejected after admin

package/build/events/user-email-verification-requested-event.d.ts

@@ -0,0 +1,12 @@
+import { Subjects } from "./subjects";
+export interface UserEmailVerificationRequestedEvent {
+    subject: Subjects.UserEmailVerificationRequested;
+    data: {
+        userId: string;
+        email: string;
+        /** Plaintext verification token to embed in the email link. */
+        token: string;
+        /** ISO timestamp of when the token expires (24h after issue). */
+        expiresAt: string;
+    };
+}

package/build/events/user-email-verification-requested-event.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/build/index.d.ts

@@ -11,6 +11,9 @@ export * from "./middlewares/require-auth";
 export * from "./middlewares/validate-request";
 export * from "./middlewares/require-owner";
 export * from "./middlewares/require-admin";
+export * from "./middlewares/request-id";
+export * from "./logging/logger";
+export * from "./logging/http-logger";
 export * from "./events/subjects";
 export * from "./events/types/order-status";
 export * from "./events/order-ticket-cancelled-event";
@@ -45,6 +48,7 @@ export * from "./events/user-updated-event";
 export * from "./events/user-deleted-event";
 export * from "./events/user-deletion-requested-event";
 export * from "./events/user-deletion-rejected-event";
+export * from "./events/user-email-verification-requested-event";
 export * from "./events/connect-disconnect-requested-event";
 export * from "./events/connect-disconnect-approved-event";
 export * from "./events/connect-disconnect-rejected-event";

package/build/index.js

@@ -29,6 +29,10 @@ __exportStar(require("./middlewares/require-auth"), exports);
 __exportStar(require("./middlewares/validate-request"), exports);
 __exportStar(require("./middlewares/require-owner"), exports);
 __exportStar(require("./middlewares/require-admin"), exports);
+__exportStar(require("./middlewares/request-id"), exports);
+// logging
+__exportStar(require("./logging/logger"), exports);
+__exportStar(require("./logging/http-logger"), exports);
 // events
 __exportStar(require("./events/subjects"), exports);
 __exportStar(require("./events/types/order-status"), exports);
@@ -64,6 +68,7 @@ __exportStar(require("./events/user-updated-event"), exports);
 __exportStar(require("./events/user-deleted-event"), exports);
 __exportStar(require("./events/user-deletion-requested-event"), exports);
 __exportStar(require("./events/user-deletion-rejected-event"), exports);
+__exportStar(require("./events/user-email-verification-requested-event"), exports);
 __exportStar(require("./events/connect-disconnect-requested-event"), exports);
 __exportStar(require("./events/connect-disconnect-approved-event"), exports);
 __exportStar(require("./events/connect-disconnect-rejected-event"), exports);

package/build/logging/http-logger.d.ts

@@ -0,0 +1,2 @@
+import { Logger } from "pino";
+export declare function createHttpLogger(logger: Logger): import("pino-http").HttpLogger<import("http").IncomingMessage, import("http").ServerResponse<import("http").IncomingMessage>, never>;

package/build/logging/http-logger.js

@@ -0,0 +1,80 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createHttpLogger = createHttpLogger;
+const pino_http_1 = __importDefault(require("pino-http"));
+// Per-request access-log middleware. Builds on pino-http with the
+// conventions we want across services:
+//
+//   - Uses req.id (set by the requestId middleware) as the
+//     per-request log correlation id. Echoes it as `req.id` on
+//     every line.
+//   - Includes the route, method, status, response time (ms), and
+//     authenticated user id when present.
+//   - Demotes 4xx-but-expected statuses (401/403/404) from "warn"
+//     to "info" — they're routine and shouldn't fire log-volume
+//     alerts. Genuine 5xx stays "error".
+//   - Silences health-check noise. The k8s liveness/readiness
+//     probes hit /healthz + /readyz once per second per pod, which
+//     is a 7000x amplifier on log volume if we don't filter them.
+//
+// Mount this AFTER the requestId middleware and BEFORE the routes
+// so every route handler can call req.log.info(...) with the per-
+// request child logger already attached.
+function createHttpLogger(logger) {
+    return (0, pino_http_1.default)({
+        logger,
+        // Reuse the id set by the requestId middleware. pino-http would
+        // otherwise generate its own (different) id, which defeats the
+        // whole correlation-with-the-X-Request-Id-header idea.
+        genReqId: (req) => { var _a; return (_a = req.id) !== null && _a !== void 0 ? _a : "no-id"; },
+        // Per-line log level. 5xx → error, 4xx → warn EXCEPT for the
+        // expected auth-related statuses which we keep at info to avoid
+        // alert fatigue.
+        customLogLevel: (_req, res, err) => {
+            if (err || res.statusCode >= 500)
+                return "error";
+            if (res.statusCode === 401 ||
+                res.statusCode === 403 ||
+                res.statusCode === 404) {
+                return "info";
+            }
+            if (res.statusCode >= 400)
+                return "warn";
+            return "info";
+        },
+        // Trim the access-log shape — pino-http's default dumps the
+        // entire req object which is verbose and noisy in dashboards.
+        serializers: {
+            req: (req) => {
+                var _a, _b;
+                return ({
+                    id: req.id,
+                    method: req.method,
+                    url: req.url,
+                    // userId comes from common's currentUser middleware. Helpful
+                    // for "show me all failures by user X" queries. Optional —
+                    // anonymous requests don't have one.
+                    userId: (_b = (_a = req.raw) === null || _a === void 0 ? void 0 : _a.currentUser) === null || _b === void 0 ? void 0 : _b.id,
+                });
+            },
+            res: (res) => ({ statusCode: res.statusCode }),
+        },
+        // Mute k8s probe traffic. These hit ~1/sec per pod and would
+        // otherwise dominate the log volume.
+        autoLogging: {
+            ignore: (req) => {
+                var _a;
+                const url = (_a = req.url) !== null && _a !== void 0 ? _a : "";
+                return url === "/healthz" || url === "/readyz";
+            },
+        },
+        // Per-request log message. Keep it short and consistent across
+        // services so a dashboard filtering on `msg: "request"` catches
+        // everything.
+        customSuccessMessage: () => "request",
+        customErrorMessage: () => "request",
+    });
+}

package/build/logging/logger.d.ts

@@ -0,0 +1,8 @@
+import pino from "pino";
+export interface LoggerOptions {
+    /** Service name — emitted on every line as `service` for filtering. */
+    service: string;
+    /** Override the global level (defaults to LOG_LEVEL env or "info"). */
+    level?: pino.Level;
+}
+export declare function createLogger(serviceOrOpts: string | LoggerOptions): pino.Logger;

package/build/logging/logger.js

@@ -0,0 +1,52 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLogger = createLogger;
+const pino_1 = __importDefault(require("pino"));
+const isTest = process.env.NODE_ENV === "test";
+const isProd = process.env.NODE_ENV === "production";
+function createLogger(serviceOrOpts) {
+    var _a, _b;
+    const opts = typeof serviceOrOpts === "string"
+        ? { service: serviceOrOpts }
+        : serviceOrOpts;
+    const level = (_a = opts.level) !== null && _a !== void 0 ? _a : (isTest ? "silent" : (_b = process.env.LOG_LEVEL) !== null && _b !== void 0 ? _b : "info");
+    return (0, pino_1.default)({
+        name: opts.service,
+        level,
+        // Dev convenience: pretty-print colored lines instead of raw JSON.
+        // Production gets the raw JSON which is what log aggregators want.
+        transport: !isProd && !isTest
+            ? {
+                target: "pino-pretty",
+                options: {
+                    colorize: true,
+                    translateTime: "SYS:HH:MM:ss.l",
+                    ignore: "pid,hostname",
+                },
+            }
+            : undefined,
+        // Standardize the field names across services. Without these,
+        // some pino versions emit "time" while others emit "timestamp",
+        // making cross-service correlation harder.
+        timestamp: pino_1.default.stdTimeFunctions.isoTime,
+        formatters: {
+            level: (label) => ({ level: label }),
+        },
+        // Strip these standard fields from PII when they ride along on
+        // logged error objects. Add more as we discover them.
+        redact: {
+            paths: [
+                "req.headers.authorization",
+                "req.headers.cookie",
+                "*.password",
+                "*.token",
+                "*.refreshToken",
+                "*.jwt",
+            ],
+            remove: true,
+        },
+    });
+}

package/build/middlewares/current-user.js

@@ -5,15 +5,66 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.currentUser = void 0;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+// Look up the public key for a given `kid` (key id, from the JWT
+// header). Falls through to single-key JWT_PUBLIC_KEY if either no
+// kid is present (legacy token issued before rotation was wired)
+// or the keyed env var isn't set (still operating in single-key
+// mode pre-rotation).
+//
+// Two supported env layouts:
+//
+//   Single-key (legacy, default):
+//     JWT_PUBLIC_KEY=<pem>
+//
+//   Multi-key (during/after rotation):
+//     JWT_PUBLIC_KEYS={"kid-1":"<pem>","kid-2":"<pem>"}
+//     JWT_PUBLIC_KEY=<pem>                    (still accepted as fallback)
+//
+// JWT_PUBLIC_KEYS holds a JSON object mapping kid → PEM. The PEMs
+// have embedded newlines which is awkward in shell env vars; the
+// production convention is to base64-encode each PEM in the JSON
+// value and decode here. To keep this middleware compatible with
+// plain-text PEMs too (the common case in tests + dev), we accept
+// both: if a value contains "-----BEGIN" it's used as-is; otherwise
+// we base64-decode it.
+//
+// The JSON parse + decode runs ON EACH REQUEST today. That's fine
+// for current traffic; if it ever becomes hot, memoize at first use.
+function lookupPublicKey(kid) {
+    var _a;
+    const mapJson = process.env.JWT_PUBLIC_KEYS;
+    if (kid && mapJson) {
+        try {
+            const map = JSON.parse(mapJson);
+            const value = map[kid];
+            if (value) {
+                return value.includes("-----BEGIN")
+                    ? value
+                    : Buffer.from(value, "base64").toString("utf8");
+            }
+        }
+        catch (err) {
+            console.error("JWT_PUBLIC_KEYS is set but not valid JSON; falling back to JWT_PUBLIC_KEY", err);
+        }
+    }
+    return (_a = process.env.JWT_PUBLIC_KEY) !== null && _a !== void 0 ? _a : null;
+}
 const currentUser = (req, res, next) => {
     var _a;
     if (!((_a = req.session) === null || _a === void 0 ? void 0 : _a.jwt)) {
         return next();
     }
     try {
-        const publicKey = process.env.JWT_PUBLIC_KEY;
+        // Decode without verifying to read the `kid` header so we can
+        // pick the right public key. The actual signature check happens
+        // in the verify() call below — decode is just for routing.
+        const decoded = jsonwebtoken_1.default.decode(req.session.jwt, { complete: true });
+        const headerKid = decoded && typeof decoded !== "string"
+            ? decoded.header.kid
+            : undefined;
+        const publicKey = lookupPublicKey(headerKid);
         if (!publicKey) {
-            console.error("JWT_PUBLIC_KEY is not set");
+            console.error(`JWT verify: no public key configured (kid="${headerKid !== null && headerKid !== void 0 ? headerKid : "none"}")`);
             return next();
         }
         const payload = jsonwebtoken_1.default.verify(req.session.jwt, publicKey, {

package/build/middlewares/request-id.d.ts

@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from "express";
+declare global {
+    namespace Express {
+        interface Request {
+            /** Stable id for this request, set by requestId middleware. */
+            id?: string;
+        }
+    }
+}
+export declare const requestId: (req: Request, res: Response, next: NextFunction) => void;

package/build/middlewares/request-id.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestId = void 0;
+const crypto_1 = require("crypto");
+// Request-ID middleware.
+//
+// Accepts an `X-Request-Id` header from the caller (e.g. the
+// reservation-frontend's axiosClient, an upstream proxy, or another
+// service forwarding context). When absent, generates a fresh UUID.
+// Always echoes the chosen id back in the response header so the
+// client can record it for later support requests.
+//
+// Why this matters: without per-request ids, log lines from
+// concurrent requests interleave with no way to tell which "auth
+// failed" log goes with which "checkout 500'd" log. With ids, every
+// pino log line emitted during the request lifetime carries the
+// same id (via pino-http's auto-child-logger), and the response
+// header lets you grep one id across every service's logs to
+// reconstruct the full causal chain.
+//
+// Mount BEFORE pino-http so the request id is available when
+// pino-http creates the per-request child logger.
+const HEADER = "x-request-id";
+// Permissive — UUIDs, ULIDs, kubectl-style request IDs all fit. We
+// just want to reject obviously-malicious inputs that would mess
+// with our log files (newlines, control chars, absurd lengths).
+const ID_REGEX = /^[A-Za-z0-9._-]{1,128}$/;
+const requestId = (req, res, next) => {
+    const incoming = req.get(HEADER);
+    const id = incoming && ID_REGEX.test(incoming) ? incoming : (0, crypto_1.randomUUID)();
+    req.id = id;
+    res.setHeader("X-Request-Id", id);
+    next();
+};
+exports.requestId = requestId;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@epztickets/common",
-  "version": "1.64.0",
+  "version": "1.66.0",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "files": [
@@ -33,6 +33,8 @@
     "express": "^4.21.2",
     "express-validator": "^7.2.1",
     "jsonwebtoken": "^9.0.2",
-    "nats": "^2.29.3"
+    "nats": "^2.29.3",
+    "pino": "^9.5.0",
+    "pino-http": "^10.3.0"
   }
 }