@globaltracking/auth-middleware 2.0.0

package/dist/nestjs/middleware/trusted-headers.middleware.js

@@ -0,0 +1,42 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GtTrustedHeadersMiddleware = void 0;
+const common_1 = require("@nestjs/common");
+const extract_user_1 = require("../../extract-user");
+const errors_1 = require("../../errors");
+/**
+ * NestJS middleware that wraps the core extractUser() function.
+ * Sets req.user and req.tenantId from the configured strategy chain.
+ *
+ * Register in your module's configure():
+ * ```
+ * consumer.apply(GtTrustedHeadersMiddleware).forRoutes('*');
+ * ```
+ */
+let GtTrustedHeadersMiddleware = class GtTrustedHeadersMiddleware {
+    use(req, _res, next) {
+        try {
+            req.user = (0, extract_user_1.extractUser)(req);
+            req.tenantId = req.user.orgId;
+            next();
+        }
+        catch (err) {
+            if (err instanceof errors_1.UnauthorizedError) {
+                next(err);
+                return;
+            }
+            next(err);
+        }
+    }
+};
+exports.GtTrustedHeadersMiddleware = GtTrustedHeadersMiddleware;
+exports.GtTrustedHeadersMiddleware = GtTrustedHeadersMiddleware = __decorate([
+    (0, common_1.Injectable)()
+], GtTrustedHeadersMiddleware);
+//# sourceMappingURL=trusted-headers.middleware.js.map

package/dist/nestjs/middleware/trusted-headers.middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-headers.middleware.js","sourceRoot":"","sources":["../../../src/nestjs/middleware/trusted-headers.middleware.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA4D;AAE5D,qDAAiD;AACjD,yCAAiD;AAEjD;;;;;;;;GAQG;AAEI,IAAM,0BAA0B,GAAhC,MAAM,0BAA0B;IACrC,GAAG,CAAC,GAAY,EAAE,IAAc,EAAE,IAAkB;QAClD,IAAI,CAAC;YACH,GAAG,CAAC,IAAI,GAAG,IAAA,0BAAW,EAAC,GAAG,CAAC,CAAC;YAC5B,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;YAC9B,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,0BAAiB,EAAE,CAAC;gBACrC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACV,OAAO;YACT,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC;CACF,CAAA;AAdY,gEAA0B;qCAA1B,0BAA0B;IADtC,IAAA,mBAAU,GAAE;GACA,0BAA0B,CActC"}

package/dist/nestjs.d.ts

@@ -0,0 +1,2 @@
+export * from './nestjs/index';
+//# sourceMappingURL=nestjs.d.ts.map

package/dist/nestjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nestjs.d.ts","sourceRoot":"","sources":["../src/nestjs.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC"}

package/dist/nestjs.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./nestjs/index"), exports);
+//# sourceMappingURL=nestjs.js.map

package/dist/nestjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nestjs.js","sourceRoot":"","sources":["../src/nestjs.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B"}

package/dist/strategies/gateway-header.strategy.d.ts

@@ -0,0 +1,13 @@
+import { Request } from 'express';
+import { AuthUser } from '../types';
+import { AuthExtractionStrategy } from './strategy.interface';
+/**
+ * Extracts user from GCP API Gateway's base64-encoded JSON header.
+ * The gateway has already verified the JWT — we just parse the claims.
+ */
+export declare class GatewayHeaderStrategy implements AuthExtractionStrategy {
+    readonly name = "gateway-header";
+    canHandle(req: Request): boolean;
+    extract(req: Request): AuthUser;
+}
+//# sourceMappingURL=gateway-header.strategy.d.ts.map

package/dist/strategies/gateway-header.strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-header.strategy.d.ts","sourceRoot":"","sources":["../../src/strategies/gateway-header.strategy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,QAAQ,EAAc,MAAM,UAAU,CAAC;AAEhD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D;;;GAGG;AACH,qBAAa,qBAAsB,YAAW,sBAAsB;IAClE,QAAQ,CAAC,IAAI,oBAAoB;IAEjC,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO;IAKhC,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ;CAiChC"}

package/dist/strategies/gateway-header.strategy.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayHeaderStrategy = void 0;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+/**
+ * Extracts user from GCP API Gateway's base64-encoded JSON header.
+ * The gateway has already verified the JWT — we just parse the claims.
+ */
+class GatewayHeaderStrategy {
+    constructor() {
+        this.name = 'gateway-header';
+    }
+    canHandle(req) {
+        const config = (0, config_1.getConfig)();
+        return !!req.headers[config.gatewayHeaderName];
+    }
+    extract(req) {
+        const config = (0, config_1.getConfig)();
+        const headerValue = req.headers[config.gatewayHeaderName];
+        let decoded;
+        try {
+            decoded = Buffer.from(headerValue, 'base64').toString('utf-8');
+        }
+        catch {
+            throw new errors_1.UnauthorizedError('Invalid gateway header encoding');
+        }
+        let payload;
+        try {
+            payload = JSON.parse(decoded);
+        }
+        catch {
+            throw new errors_1.UnauthorizedError('Invalid gateway header JSON');
+        }
+        if (!payload.sub) {
+            throw new errors_1.UnauthorizedError('Token missing required claim: sub');
+        }
+        return {
+            userId: payload.sub,
+            email: payload.email || '',
+            role: payload.role || '',
+            orgId: payload.org_id || '',
+            tenantId: payload.tenant_id || payload.org_id || '',
+            permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
+            requestId: req.headers['x-request-id'] || '',
+            authSource: 'gateway-header',
+        };
+    }
+}
+exports.GatewayHeaderStrategy = GatewayHeaderStrategy;
+//# sourceMappingURL=gateway-header.strategy.js.map

package/dist/strategies/gateway-header.strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-header.strategy.js","sourceRoot":"","sources":["../../src/strategies/gateway-header.strategy.ts"],"names":[],"mappings":";;;AACA,sCAAsC;AAEtC,sCAA8C;AAG9C;;;GAGG;AACH,MAAa,qBAAqB;IAAlC;QACW,SAAI,GAAG,gBAAgB,CAAC;IAwCnC,CAAC;IAtCC,SAAS,CAAC,GAAY;QACpB,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,OAAO,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,CAAC,GAAY;QAClB,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAW,CAAC;QAEpE,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,0BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,0BAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,0BAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QAED,OAAO;YACL,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,EAAE;YACxB,KAAK,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;YAC3B,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,MAAM,IAAI,EAAE;YACnD,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE;YAC1E,SAAS,EAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAY,IAAI,EAAE;YACxD,UAAU,EAAE,gBAAgB;SAC7B,CAAC;IACJ,CAAC;CACF;AAzCD,sDAyCC"}

package/dist/strategies/index.d.ts

@@ -0,0 +1,5 @@
+export { AuthExtractionStrategy } from './strategy.interface';
+export { GatewayHeaderStrategy } from './gateway-header.strategy';
+export { TrustedHeadersStrategy } from './trusted-headers.strategy';
+export { JwtStrategy } from './jwt.strategy';
+//# sourceMappingURL=index.d.ts.map

package/dist/strategies/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/strategies/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/strategies/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtStrategy = exports.TrustedHeadersStrategy = exports.GatewayHeaderStrategy = void 0;
+var gateway_header_strategy_1 = require("./gateway-header.strategy");
+Object.defineProperty(exports, "GatewayHeaderStrategy", { enumerable: true, get: function () { return gateway_header_strategy_1.GatewayHeaderStrategy; } });
+var trusted_headers_strategy_1 = require("./trusted-headers.strategy");
+Object.defineProperty(exports, "TrustedHeadersStrategy", { enumerable: true, get: function () { return trusted_headers_strategy_1.TrustedHeadersStrategy; } });
+var jwt_strategy_1 = require("./jwt.strategy");
+Object.defineProperty(exports, "JwtStrategy", { enumerable: true, get: function () { return jwt_strategy_1.JwtStrategy; } });
+//# sourceMappingURL=index.js.map

package/dist/strategies/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/strategies/index.ts"],"names":[],"mappings":";;;AACA,qEAAkE;AAAzD,gIAAA,qBAAqB,OAAA;AAC9B,uEAAoE;AAA3D,kIAAA,sBAAsB,OAAA;AAC/B,+CAA6C;AAApC,2GAAA,WAAW,OAAA"}

package/dist/strategies/jwt.strategy.d.ts

@@ -0,0 +1,13 @@
+import { Request } from 'express';
+import { AuthUser } from '../types';
+import { AuthExtractionStrategy } from './strategy.interface';
+/**
+ * Extracts user by verifying an RS256 JWT from the Authorization: Bearer header.
+ * Used in local dev or non-gateway environments.
+ */
+export declare class JwtStrategy implements AuthExtractionStrategy {
+    readonly name = "jwt";
+    canHandle(req: Request): boolean;
+    extract(req: Request): AuthUser;
+}
+//# sourceMappingURL=jwt.strategy.d.ts.map

package/dist/strategies/jwt.strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.strategy.d.ts","sourceRoot":"","sources":["../../src/strategies/jwt.strategy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,QAAQ,EAAc,MAAM,UAAU,CAAC;AAEhD,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D;;;GAGG;AACH,qBAAa,WAAY,YAAW,sBAAsB;IACxD,QAAQ,CAAC,IAAI,SAAS;IAEtB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO;IAIhC,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ;CA8ChC"}

package/dist/strategies/jwt.strategy.js

@@ -0,0 +1,94 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtStrategy = void 0;
+const jwt = __importStar(require("jsonwebtoken"));
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+/**
+ * Extracts user by verifying an RS256 JWT from the Authorization: Bearer header.
+ * Used in local dev or non-gateway environments.
+ */
+class JwtStrategy {
+    constructor() {
+        this.name = 'jwt';
+    }
+    canHandle(req) {
+        return !!req.headers.authorization;
+    }
+    extract(req) {
+        const config = (0, config_1.getConfig)();
+        const authHeader = req.headers.authorization;
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0] !== 'Bearer') {
+            throw new errors_1.UnauthorizedError('Invalid Authorization header format — expected "Bearer <token>"');
+        }
+        const token = parts[1];
+        if (!config.publicKey) {
+            throw new errors_1.UnauthorizedError('JWT verification not configured — no public key available');
+        }
+        let decoded;
+        try {
+            decoded = jwt.verify(token, config.publicKey, {
+                algorithms: ['RS256'],
+                issuer: config.jwtIssuer || undefined,
+            });
+        }
+        catch (err) {
+            if (err instanceof jwt.TokenExpiredError) {
+                throw new errors_1.UnauthorizedError('Token has expired');
+            }
+            if (err instanceof jwt.JsonWebTokenError) {
+                throw new errors_1.UnauthorizedError(`Invalid token: ${err.message}`);
+            }
+            throw new errors_1.UnauthorizedError('Token verification failed');
+        }
+        if (!decoded.sub) {
+            throw new errors_1.UnauthorizedError('Token missing required claim: sub');
+        }
+        return {
+            userId: decoded.sub,
+            email: decoded.email || '',
+            role: decoded.role || '',
+            orgId: decoded.org_id || '',
+            tenantId: decoded.tenant_id || decoded.org_id || '',
+            permissions: Array.isArray(decoded.permissions) ? decoded.permissions : [],
+            requestId: req.headers['x-request-id'] || '',
+            authSource: 'jwt',
+        };
+    }
+}
+exports.JwtStrategy = JwtStrategy;
+//# sourceMappingURL=jwt.strategy.js.map

package/dist/strategies/jwt.strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.strategy.js","sourceRoot":"","sources":["../../src/strategies/jwt.strategy.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,kDAAoC;AAEpC,sCAAsC;AAEtC,sCAA8C;AAG9C;;;GAGG;AACH,MAAa,WAAW;IAAxB;QACW,SAAI,GAAG,KAAK,CAAC;IAoDxB,CAAC;IAlDC,SAAS,CAAC,GAAY;QACpB,OAAO,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IACrC,CAAC;IAED,OAAO,CAAC,GAAY;QAClB,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAc,CAAC;QAE9C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,0BAAiB,CAAC,iEAAiE,CAAC,CAAC;QACjG,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,0BAAiB,CAAC,2DAA2D,CAAC,CAAC;QAC3F,CAAC;QAED,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE;gBAC5C,UAAU,EAAE,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,MAAM,CAAC,SAAS,IAAI,SAAS;aACtC,CAAe,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;gBACzC,MAAM,IAAI,0BAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;YACD,IAAI,GAAG,YAAY,GAAG,CAAC,iBAAiB,EAAE,CAAC;gBACzC,MAAM,IAAI,0BAAiB,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/D,CAAC;YACD,MAAM,IAAI,0BAAiB,CAAC,2BAA2B,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,0BAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QAED,OAAO;YACL,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,EAAE;YACxB,KAAK,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;YAC3B,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,MAAM,IAAI,EAAE;YACnD,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE;YAC1E,SAAS,EAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAY,IAAI,EAAE;YACxD,UAAU,EAAE,KAAK;SAClB,CAAC;IACJ,CAAC;CACF;AArDD,kCAqDC"}

package/dist/strategies/strategy.interface.d.ts

@@ -0,0 +1,15 @@
+import { Request } from 'express';
+import { AuthUser } from '../types';
+/**
+ * Interface for auth extraction strategies.
+ * Each strategy knows how to detect and extract user context from a request.
+ */
+export interface AuthExtractionStrategy {
+    /** Strategy identifier matching AuthStrategy type */
+    readonly name: string;
+    /** Returns true if this strategy can handle the given request (i.e., the relevant headers exist) */
+    canHandle(req: Request): boolean;
+    /** Extract AuthUser from the request. Throws UnauthorizedError on invalid credentials. */
+    extract(req: Request): AuthUser;
+}
+//# sourceMappingURL=strategy.interface.d.ts.map

package/dist/strategies/strategy.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategy.interface.d.ts","sourceRoot":"","sources":["../../src/strategies/strategy.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEpC;;;GAGG;AACH,MAAM,WAAW,sBAAsB;IACrC,qDAAqD;IACrD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,oGAAoG;IACpG,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC;IAEjC,0FAA0F;IAC1F,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ,CAAC;CACjC"}

package/dist/strategies/strategy.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=strategy.interface.js.map

package/dist/strategies/strategy.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"strategy.interface.js","sourceRoot":"","sources":["../../src/strategies/strategy.interface.ts"],"names":[],"mappings":""}

package/dist/strategies/trusted-headers.strategy.d.ts

@@ -0,0 +1,16 @@
+import { Request } from 'express';
+import { AuthUser } from '../types';
+import { AuthExtractionStrategy } from './strategy.interface';
+/**
+ * Extracts user from trusted headers set by an API Gateway or reverse proxy.
+ * Headers: X-User-Id, X-Org-Id, X-User-Role, X-Request-Id, X-Gateway-Token.
+ *
+ * If `internalGatewayToken` is configured, the request must include a matching
+ * gateway token header to prove it came through the trusted gateway.
+ */
+export declare class TrustedHeadersStrategy implements AuthExtractionStrategy {
+    readonly name = "trusted-headers";
+    canHandle(req: Request): boolean;
+    extract(req: Request): AuthUser;
+}
+//# sourceMappingURL=trusted-headers.strategy.d.ts.map

package/dist/strategies/trusted-headers.strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-headers.strategy.d.ts","sourceRoot":"","sources":["../../src/strategies/trusted-headers.strategy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEpC,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAE9D;;;;;;GAMG;AACH,qBAAa,sBAAuB,YAAW,sBAAsB;IACnE,QAAQ,CAAC,IAAI,qBAAqB;IAElC,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO;IAMhC,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,QAAQ;CA8BhC"}

package/dist/strategies/trusted-headers.strategy.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TrustedHeadersStrategy = void 0;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+/**
+ * Extracts user from trusted headers set by an API Gateway or reverse proxy.
+ * Headers: X-User-Id, X-Org-Id, X-User-Role, X-Request-Id, X-Gateway-Token.
+ *
+ * If `internalGatewayToken` is configured, the request must include a matching
+ * gateway token header to prove it came through the trusted gateway.
+ */
+class TrustedHeadersStrategy {
+    constructor() {
+        this.name = 'trusted-headers';
+    }
+    canHandle(req) {
+        const config = (0, config_1.getConfig)();
+        const headerNames = config.trustedHeaderNames;
+        return !!req.headers[headerNames.userId];
+    }
+    extract(req) {
+        const config = (0, config_1.getConfig)();
+        const headerNames = config.trustedHeaderNames;
+        const userId = req.headers[headerNames.userId];
+        if (!userId) {
+            throw new errors_1.UnauthorizedError('Missing required trusted header: user ID');
+        }
+        // Validate gateway token if configured
+        if (config.internalGatewayToken) {
+            const gatewayToken = req.headers[headerNames.gatewayToken];
+            if (gatewayToken !== config.internalGatewayToken) {
+                throw new errors_1.UnauthorizedError('Invalid or missing gateway token');
+            }
+        }
+        const orgId = req.headers[headerNames.orgId] || '';
+        return {
+            userId,
+            email: '',
+            role: req.headers[headerNames.userRole] || '',
+            orgId,
+            tenantId: orgId,
+            permissions: [],
+            requestId: req.headers[headerNames.requestId] || '',
+            authSource: 'trusted-headers',
+        };
+    }
+}
+exports.TrustedHeadersStrategy = TrustedHeadersStrategy;
+//# sourceMappingURL=trusted-headers.strategy.js.map

package/dist/strategies/trusted-headers.strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-headers.strategy.js","sourceRoot":"","sources":["../../src/strategies/trusted-headers.strategy.ts"],"names":[],"mappings":";;;AACA,sCAAsC;AAEtC,sCAA8C;AAG9C;;;;;;GAMG;AACH,MAAa,sBAAsB;IAAnC;QACW,SAAI,GAAG,iBAAiB,CAAC;IAsCpC,CAAC;IApCC,SAAS,CAAC,GAAY;QACpB,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAC9C,OAAO,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,CAAC,GAAY;QAClB,MAAM,MAAM,GAAG,IAAA,kBAAS,GAAE,CAAC;QAC3B,MAAM,WAAW,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAE9C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAuB,CAAC;QACrE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,0BAAiB,CAAC,0CAA0C,CAAC,CAAC;QAC1E,CAAC;QAED,uCAAuC;QACvC,IAAI,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAChC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,YAAY,CAAuB,CAAC;YACjF,IAAI,YAAY,KAAK,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBACjD,MAAM,IAAI,0BAAiB,CAAC,kCAAkC,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,CAAY,IAAI,EAAE,CAAC;QAE/D,OAAO;YACL,MAAM;YACN,KAAK,EAAE,EAAE;YACT,IAAI,EAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAY,IAAI,EAAE;YACzD,KAAK;YACL,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,EAAE;YACf,SAAS,EAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAY,IAAI,EAAE;YAC/D,UAAU,EAAE,iBAAiB;SAC9B,CAAC;IACJ,CAAC;CACF;AAvCD,wDAuCC"}

package/dist/types.d.ts

@@ -0,0 +1,78 @@
+export type AuthStrategy = 'gateway-header' | 'trusted-headers' | 'jwt';
+export type UserRole = 'system_admin' | 'org_admin' | 'user' | (string & {});
+export interface AuthUser {
+    userId: string;
+    email: string;
+    role: UserRole;
+    orgId: string;
+    tenantId: string;
+    permissions: string[];
+    requestId: string;
+    authSource: AuthStrategy;
+}
+/** Backward-compatible alias for services migrating from RequestUser */
+export type RequestUser = AuthUser;
+export interface TrustedHeaderNames {
+    userId?: string;
+    orgId?: string;
+    userRole?: string;
+    requestId?: string;
+    gatewayToken?: string;
+}
+export interface AuthConfig {
+    /** Header name for gateway-decoded user info. Default: 'x-apigateway-api-userinfo' */
+    gatewayHeaderName?: string;
+    /** Expected JWT issuer for fallback verification. Default: 'globaltracking-auth' */
+    jwtIssuer?: string;
+    /** RS256 public key PEM string for fallback JWT verification */
+    publicKey?: string;
+    /** Path to RS256 public key file (alternative to publicKey) */
+    publicKeyPath?: string;
+    /** @deprecated Use adminRoles instead. Kept for backward compat. */
+    superAdminRole?: string;
+    /** Ordered list of strategies to try. Default: ['gateway-header', 'jwt'] */
+    strategies?: AuthStrategy[];
+    /** Roles that bypass all permission checks. Default: ['system_admin', 'org_admin'] */
+    adminRoles?: string[];
+    /** Shared secret for InternalOnlyGuard. Also reads from env INTERNAL_GATEWAY_TOKEN */
+    internalGatewayToken?: string;
+    /** Header names for trusted-headers strategy */
+    trustedHeaderNames?: TrustedHeaderNames;
+    /** URL to gt-rbac-service for DB-based permission resolution */
+    rbacServiceUrl?: string;
+    /** Custom permission resolver function (used by RBAC service itself) */
+    permissionResolver?: (orgId: string, userId: string, resource: string, action: string) => Promise<boolean>;
+}
+export interface JwtPayload {
+    sub: string;
+    email: string;
+    role: string;
+    tenant_id: string;
+    org_id: string;
+    permissions: string[];
+    iss?: string;
+    exp?: number;
+    iat?: number;
+}
+/** Resolved config with all defaults applied */
+export interface ResolvedAuthConfig {
+    gatewayHeaderName: string;
+    jwtIssuer: string;
+    publicKey: string;
+    publicKeyPath: string;
+    strategies: AuthStrategy[];
+    adminRoles: string[];
+    internalGatewayToken: string;
+    trustedHeaderNames: Required<TrustedHeaderNames>;
+    rbacServiceUrl: string;
+    permissionResolver?: (orgId: string, userId: string, resource: string, action: string) => Promise<boolean>;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: AuthUser;
+            tenantId?: string;
+        }
+    }
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,gBAAgB,GAAG,iBAAiB,GAAG,KAAK,CAAC;AAExE,MAAM,MAAM,QAAQ,GAAG,cAAc,GAAG,WAAW,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE7E,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,QAAQ,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,YAAY,CAAC;CAC1B;AAED,wEAAwE;AACxE,MAAM,MAAM,WAAW,GAAG,QAAQ,CAAC;AAEnC,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,sFAAsF;IACtF,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oFAAoF;IACpF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,YAAY,EAAE,CAAC;IAC5B,sFAAsF;IACtF,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,sFAAsF;IACtF,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,gDAAgD;IAChD,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wEAAwE;IACxE,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAC5G;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,gDAAgD;AAChD,MAAM,WAAW,kBAAkB;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,YAAY,EAAE,CAAC;IAC3B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAAC;IACjD,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CAC5G;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,QAAQ,CAAC;YAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;SACnB;KACF;CACF"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/utils/helpers.d.ts

@@ -0,0 +1,14 @@
+import { AuthUser } from '../types';
+/**
+ * Check if a user has one of the specified roles.
+ */
+export declare function hasRole(user: AuthUser, ...roles: string[]): boolean;
+/**
+ * Check if a user has ALL of the specified permissions.
+ */
+export declare function hasPermission(user: AuthUser, ...permissions: string[]): boolean;
+/**
+ * Check if a user has AT LEAST ONE of the specified permissions.
+ */
+export declare function hasAnyPermission(user: AuthUser, ...permissions: string[]): boolean;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/utils/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEpC;;GAEG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAEnE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAG/E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAGlF"}

package/dist/utils/helpers.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasRole = hasRole;
+exports.hasPermission = hasPermission;
+exports.hasAnyPermission = hasAnyPermission;
+/**
+ * Check if a user has one of the specified roles.
+ */
+function hasRole(user, ...roles) {
+    return roles.includes(user.role);
+}
+/**
+ * Check if a user has ALL of the specified permissions.
+ */
+function hasPermission(user, ...permissions) {
+    const userPerms = new Set(user.permissions);
+    return permissions.every((p) => userPerms.has(p));
+}
+/**
+ * Check if a user has AT LEAST ONE of the specified permissions.
+ */
+function hasAnyPermission(user, ...permissions) {
+    const userPerms = new Set(user.permissions);
+    return permissions.some((p) => userPerms.has(p));
+}
+//# sourceMappingURL=helpers.js.map

package/dist/utils/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":";;AAKA,0BAEC;AAKD,sCAGC;AAKD,4CAGC;AArBD;;GAEG;AACH,SAAgB,OAAO,CAAC,IAAc,EAAE,GAAG,KAAe;IACxD,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAAC,IAAc,EAAE,GAAG,WAAqB;IACpE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5C,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,IAAc,EAAE,GAAG,WAAqB;IACvE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5C,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC"}

package/dist/utils/jwt.d.ts

@@ -0,0 +1,12 @@
+import { AuthUser } from '../types';
+/**
+ * Verify a JWT token using the configured RS256 public key.
+ * @deprecated Use JwtStrategy directly via extractUser(). Kept for backward compat.
+ */
+export declare function verifyToken(token: string): AuthUser;
+/**
+ * Decode a base64-encoded JSON gateway header into AuthUser.
+ * @deprecated Use GatewayHeaderStrategy directly via extractUser(). Kept for backward compat.
+ */
+export declare function decodeGatewayHeader(base64Value: string): AuthUser;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/utils/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/utils/jwt.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAc,MAAM,UAAU,CAAC;AAGhD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CA2BnD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,QAAQ,CAkBjE"}