@fluyappgocore/commons-backend 1.0.214 → 1.0.215

package/build/middlewares/guestAuth.middleware.d.ts

@@ -39,12 +39,28 @@ export interface PortalClaims {
     branchUuid: string;
     /** Present iff scope === "ticket" */
     ticketUuid?: string;
+    /** Stable token id — used for revocation by jti, kept in claims so
+     *  the verify path can blacklist a single emission without nuking
+     *  every token ever issued for the same ticket. */
+    jti?: string;
     iat: number;
     exp: number;
 }
 export interface RequestWithPortal extends Request {
     portalAuth?: PortalClaims;
 }
+/**
+ * Revokes every ticket-scoped token currently in flight for one
+ * ticket. Use this when the customer reports a stolen cookie or
+ * when an admin manually closes a session. TTL of the revocation
+ * key matches the longest possible JWT lifetime so it cleans itself.
+ */
+export declare function revokeTicketTokens(ticketUuid: string, ttlSec?: number): Promise<void>;
+/**
+ * Revokes a specific token emission by its `jti`. Useful when only
+ * one device should be cut off, not the whole ticket session.
+ */
+export declare function revokeTokenByJti(jti: string, ttlSec?: number): Promise<void>;
 /** Issue a fresh guest token for a visitor who just landed on a branch URL. */
 export declare function issueGuestToken(input: {
     entityUuid: string;
@@ -53,11 +69,22 @@ export declare function issueGuestToken(input: {
     token: string;
     expiresAt: number;
 };
-/** Upgrade a guest into a ticket holder after POST /tickets succeeds. */
+/**
+ * Upgrade a guest into a ticket holder. Optional `ttlSec` lets the
+ * caller dial the lifetime per ticket phase:
+ *
+ *   - WAITING / CALLING / ATTENDING → 2h (default)
+ *   - FINISHED                       → 7d (NPS, share, print receipt)
+ *   - CANCELLED / ABANDONED          → 30 min (de-prioritised)
+ *
+ * Renewing on every poll keeps the cookie warm without forcing a
+ * "still here" re-auth dance.
+ */
 export declare function issueTicketToken(input: {
     entityUuid: string;
     branchUuid: string;
     ticketUuid: string;
+    ttlSec?: number;
 }): {
     token: string;
     expiresAt: number;
@@ -69,7 +96,7 @@ export declare function issueTicketToken(input: {
  * Rejects anything that isn't a portal-scoped token (aud !== "portal")
  * so a regular user/agent JWT can NEVER accidentally pass this gate.
  */
-export declare function verifyPortalToken(req: RequestWithPortal, _res: Response, next: NextFunction): void;
+export declare function verifyPortalToken(req: RequestWithPortal, _res: Response, next: NextFunction): Promise<void>;
 /**
  * Gate a route by scope.
  *

package/build/middlewares/guestAuth.middleware.js

@@ -18,17 +18,160 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireBranchMatch = exports.requireTicketMatch = exports.requireScope = exports.verifyPortalToken = exports.issueTicketToken = exports.issueGuestToken = void 0;
+exports.requireBranchMatch = exports.requireTicketMatch = exports.requireScope = exports.verifyPortalToken = exports.issueTicketToken = exports.issueGuestToken = exports.revokeTokenByJti = exports.revokeTicketTokens = void 0;
 var jwt = __importStar(require("jsonwebtoken"));
+var redis = __importStar(require("redis"));
 var exceptions_1 = require("../exceptions");
+var promisify = require("util").promisify;
 var SECRET = process.env.JWT_KEY || "";
 var GUEST_TTL_SEC = 30 * 60; // 30 minutes
 var TICKET_TTL_SEC = 2 * 60 * 60; // 2 hours
+// ─── Revocation backbone ────────────────────────────────────────────
+//
+// JWT is stateless by design — the only way to invalidate a still-fresh
+// token is to keep a server-side blacklist and check it on every verify.
+// We keep two key namespaces in Redis:
+//
+//   portal_revoked_jti:<jti>           → revoke a single token emission
+//   portal_revoked_ticket:<ticketUuid> → revoke ALL ticket-scoped tokens
+//                                         for a given ticket (admin "kill
+//                                         the session" action)
+//
+// The key value is irrelevant; presence == revoked. We TTL the keys so
+// we don't accumulate forever — once the token's exp is in the past
+// the JWT verify alone rejects it, blacklist becomes redundant.
+//
+// Best-effort: if Redis is unreachable, we FAIL OPEN (allow the JWT)
+// instead of locking everyone out during an outage. The signed JWT
+// itself is still authentic. Trade-off documented for security audit.
+var RedisClient = null;
+var existsAsync = null;
+var setAsync = null;
+function getRedis() {
+    if (RedisClient)
+        return { existsAsync: existsAsync, setAsync: setAsync };
+    try {
+        RedisClient = redis.createClient({
+            host: process.env.REDIS_HOST || "redis",
+            port: Number(process.env.REDIS_PORT) || 6379,
+        });
+        RedisClient.on("error", function (e) {
+            // Silent — we fail open. Logging too loud across every microservice.
+            if (process.env.DEBUG_PORTAL_AUTH) {
+                console.warn("[portalAuth.redis]", e.message);
+            }
+        });
+        existsAsync = promisify(RedisClient.exists).bind(RedisClient);
+        setAsync = promisify(RedisClient.set).bind(RedisClient);
+    }
+    catch (_a) {
+        // Redis client init failed → leave nulls, fail open everywhere.
+    }
+    return { existsAsync: existsAsync, setAsync: setAsync };
+}
 function randomId() {
     return (Date.now().toString(36) +
         Math.random().toString(36).slice(2, 10));
 }
+/**
+ * Revokes every ticket-scoped token currently in flight for one
+ * ticket. Use this when the customer reports a stolen cookie or
+ * when an admin manually closes a session. TTL of the revocation
+ * key matches the longest possible JWT lifetime so it cleans itself.
+ */
+function revokeTicketTokens(ticketUuid, ttlSec) {
+    if (ttlSec === void 0) { ttlSec = 7 * 24 * 60 * 60; }
+    return __awaiter(this, void 0, void 0, function () {
+        var setAsync, _a;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0:
+                    setAsync = getRedis().setAsync;
+                    if (!setAsync || !ticketUuid)
+                        return [2 /*return*/];
+                    _b.label = 1;
+                case 1:
+                    _b.trys.push([1, 3, , 4]);
+                    return [4 /*yield*/, setAsync("portal_revoked_ticket:" + ticketUuid, "1", "EX", ttlSec)];
+                case 2:
+                    _b.sent();
+                    return [3 /*break*/, 4];
+                case 3:
+                    _a = _b.sent();
+                    return [3 /*break*/, 4];
+                case 4: return [2 /*return*/];
+            }
+        });
+    });
+}
+exports.revokeTicketTokens = revokeTicketTokens;
+/**
+ * Revokes a specific token emission by its `jti`. Useful when only
+ * one device should be cut off, not the whole ticket session.
+ */
+function revokeTokenByJti(jti, ttlSec) {
+    if (ttlSec === void 0) { ttlSec = 7 * 24 * 60 * 60; }
+    return __awaiter(this, void 0, void 0, function () {
+        var setAsync, _a;
+        return __generator(this, function (_b) {
+            switch (_b.label) {
+                case 0:
+                    setAsync = getRedis().setAsync;
+                    if (!setAsync || !jti)
+                        return [2 /*return*/];
+                    _b.label = 1;
+                case 1:
+                    _b.trys.push([1, 3, , 4]);
+                    return [4 /*yield*/, setAsync("portal_revoked_jti:" + jti, "1", "EX", ttlSec)];
+                case 2:
+                    _b.sent();
+                    return [3 /*break*/, 4];
+                case 3:
+                    _a = _b.sent();
+                    return [3 /*break*/, 4];
+                case 4: return [2 /*return*/];
+            }
+        });
+    });
+}
+exports.revokeTokenByJti = revokeTokenByJti;
 /** Issue a fresh guest token for a visitor who just landed on a branch URL. */
 function issueGuestToken(input) {
     var now = Math.floor(Date.now() / 1000);
@@ -39,6 +182,7 @@ function issueGuestToken(input) {
         scope: "guest",
         entityUuid: input.entityUuid,
         branchUuid: input.branchUuid,
+        jti: randomId(),
         iat: now,
         exp: exp,
     };
@@ -46,10 +190,21 @@ function issueGuestToken(input) {
     return { token: token, expiresAt: exp * 1000 };
 }
 exports.issueGuestToken = issueGuestToken;
-/** Upgrade a guest into a ticket holder after POST /tickets succeeds. */
+/**
+ * Upgrade a guest into a ticket holder. Optional `ttlSec` lets the
+ * caller dial the lifetime per ticket phase:
+ *
+ *   - WAITING / CALLING / ATTENDING → 2h (default)
+ *   - FINISHED                       → 7d (NPS, share, print receipt)
+ *   - CANCELLED / ABANDONED          → 30 min (de-prioritised)
+ *
+ * Renewing on every poll keeps the cookie warm without forcing a
+ * "still here" re-auth dance.
+ */
 function issueTicketToken(input) {
     var now = Math.floor(Date.now() / 1000);
-    var exp = now + TICKET_TTL_SEC;
+    var ttl = input.ttlSec && input.ttlSec > 0 ? input.ttlSec : TICKET_TTL_SEC;
+    var exp = now + ttl;
     var payload = {
         sub: "ticket:" + input.ticketUuid,
         aud: "portal",
@@ -57,6 +212,7 @@ function issueTicketToken(input) {
         entityUuid: input.entityUuid,
         branchUuid: input.branchUuid,
         ticketUuid: input.ticketUuid,
+        jti: randomId(),
         iat: now,
         exp: exp,
     };
@@ -73,26 +229,59 @@ exports.issueTicketToken = issueTicketToken;
  */
 function verifyPortalToken(req, _res, next) {
     var _a;
-    var auth = (_a = req.headers) === null || _a === void 0 ? void 0 : _a.authorization;
-    if (!auth || !auth.startsWith("Bearer ")) {
-        return next(new exceptions_1.HttpException(401, "Missing portal token"));
-    }
-    var token = auth.slice("Bearer ".length).trim();
-    try {
-        var decoded = jwt.verify(token, SECRET, {
-            algorithms: ["HS256"],
+    return __awaiter(this, void 0, void 0, function () {
+        var auth, token, decoded, existsAsync, checks, results, _b;
+        return __generator(this, function (_c) {
+            switch (_c.label) {
+                case 0:
+                    auth = (_a = req.headers) === null || _a === void 0 ? void 0 : _a.authorization;
+                    if (!auth || !auth.startsWith("Bearer ")) {
+                        return [2 /*return*/, next(new exceptions_1.HttpException(401, "Missing portal token"))];
+                    }
+                    token = auth.slice("Bearer ".length).trim();
+                    try {
+                        decoded = jwt.verify(token, SECRET, {
+                            algorithms: ["HS256"],
+                        });
+                    }
+                    catch (err) {
+                        return [2 /*return*/, next(new exceptions_1.HttpException(401, (err === null || err === void 0 ? void 0 : err.name) === "TokenExpiredError"
+                                ? "Portal token expired"
+                                : "Invalid portal token"))];
+                    }
+                    if (decoded.aud !== "portal") {
+                        return [2 /*return*/, next(new exceptions_1.HttpException(401, "Invalid token audience"))];
+                    }
+                    existsAsync = getRedis().existsAsync;
+                    if (!existsAsync) return [3 /*break*/, 5];
+                    _c.label = 1;
+                case 1:
+                    _c.trys.push([1, 4, , 5]);
+                    checks = [];
+                    if (decoded.jti) {
+                        checks.push(existsAsync("portal_revoked_jti:" + decoded.jti));
+                    }
+                    if (decoded.ticketUuid) {
+                        checks.push(existsAsync("portal_revoked_ticket:" + decoded.ticketUuid));
+                    }
+                    if (!(checks.length > 0)) return [3 /*break*/, 3];
+                    return [4 /*yield*/, Promise.all(checks)];
+                case 2:
+                    results = _c.sent();
+                    if (results.some(function (r) { return r === 1; })) {
+                        return [2 /*return*/, next(new exceptions_1.HttpException(401, "Portal token revoked"))];
+                    }
+                    _c.label = 3;
+                case 3: return [3 /*break*/, 5];
+                case 4:
+                    _b = _c.sent();
+                    return [3 /*break*/, 5];
+                case 5:
+                    req.portalAuth = decoded;
+                    return [2 /*return*/, next()];
+            }
         });
-        if (decoded.aud !== "portal") {
-            return next(new exceptions_1.HttpException(401, "Invalid token audience"));
-        }
-        req.portalAuth = decoded;
-        return next();
-    }
-    catch (err) {
-        return next(new exceptions_1.HttpException(401, (err === null || err === void 0 ? void 0 : err.name) === "TokenExpiredError"
-            ? "Portal token expired"
-            : "Invalid portal token"));
-    }
+    });
 }
 exports.verifyPortalToken = verifyPortalToken;
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fluyappgocore/commons-backend",
-  "version": "1.0.214",
+  "version": "1.0.215",
   "description": "",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",