@heliyos/heliyos-api-core 1.0.70 → 1.0.72

package/dist/authentication.d.ts

@@ -15,6 +15,7 @@ export interface IAuthResponseApiKey {
     policy: IAuthResponseApiKeyPolicy[] | undefined;
     userId: string;
     organizationId: string;
+    organizationBillingStatus?: string;
 }
 interface IAuthResponseApiKeyPolicy {
     resource: string;

package/dist/authentication.js

@@ -23,6 +23,37 @@ exports.authentication = void 0;
 const basic_auth_1 = __importDefault(require("basic-auth"));
 const customError_1 = require("./@types/globals/customError");
 const _1 = require(".");
+const BASIC_AUTH_ALLOWED_PATH_PREFIXES = [
+    "/v1/auth/",
+    "/v1/platform/billing/internal/",
+    "/v1/platform/usage/internal/log",
+];
+const canAccessWithBasicAuth = (path) => {
+    if (!path) {
+        return false;
+    }
+    return BASIC_AUTH_ALLOWED_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
+};
+const getCandidateSessionCookieNames = () => {
+    const explicitNodeEnv = String(process.env.NODE_ENV || "").trim();
+    const explicitPublicEnv = String(process.env.NEXT_PUBLIC_ENV || "").trim();
+    const names = new Set(["user_session"]);
+    [explicitNodeEnv, explicitPublicEnv, "production", "development", "local"]
+        .filter(Boolean)
+        .forEach((envName) => names.add(`${envName}_user_session`));
+    return Array.from(names);
+};
+const getUserSessionCookieFromRequest = (req) => {
+    const cookies = req.cookies || {};
+    const cookieNames = getCandidateSessionCookieNames();
+    for (const name of cookieNames) {
+        const value = cookies[name];
+        if (value) {
+            return value;
+        }
+    }
+    return undefined;
+};
 /**
  * Function to check internal and external authentication
  * @param req
@@ -36,7 +67,7 @@ const authentication = (req, res, next) => __awaiter(void 0, void 0, void 0, fun
         const container = {
             input: {
                 authentication_header: req.headers.authorization,
-                user_session_cookie: req.cookies.user_session,
+                user_session_cookie: getUserSessionCookieFromRequest(req),
                 ip: getIp(req),
                 auth_type: undefined,
             },
@@ -46,7 +77,10 @@ const authentication = (req, res, next) => __awaiter(void 0, void 0, void 0, fun
             },
         };
         //	Check for the type of authentication
-        checkAuthType(container, res);
+        const authTypeCheckResponse = checkAuthType(container, res);
+        if (authTypeCheckResponse) {
+            return;
+        }
         //	Based on type, do further authentication
         //	Either of BASIC / COOKIE / BEARER
         const authenticationResponse = yield authenticateRequest(container);
@@ -62,6 +96,16 @@ const authentication = (req, res, next) => __awaiter(void 0, void 0, void 0, fun
                 message: "User not authenticated, Invalid token",
             });
         }
+        if (container.output.isBasicAuth &&
+            !canAccessWithBasicAuth(req.path || req.originalUrl || "")) {
+            return res.status(403).json({
+                error: {
+                    status: 403,
+                    err_msg: "FORBIDDEN",
+                },
+                message: "Basic authentication is restricted to internal service endpoints.",
+            });
+        }
         //	Set logged in user data which can be used later on
         setLoggedInUser(container, req);
         //	Move to next chain
@@ -137,7 +181,15 @@ const isJwtToken = (token) => {
     try {
         if (token.indexOf(".") > -1) {
             const token_parts = token.split(".");
-            const token_detail_string = Buffer.from(token_parts[0], "base64");
+            if (!token_parts[0]) {
+                return false;
+            }
+            const normalizedHeader = token_parts[0]
+                .replace(/-/g, "+")
+                .replace(/_/g, "/");
+            const padding = (4 - (normalizedHeader.length % 4)) % 4;
+            const paddedHeader = normalizedHeader + "=".repeat(padding);
+            const token_detail_string = Buffer.from(paddedHeader, "base64");
             const token_detail = JSON.parse(token_detail_string.toString());
             if (token_detail.typ && token_detail.typ.toUpperCase() === "JWT") {
                 return true;
@@ -233,7 +285,7 @@ const setLoggedInUser = function (container, req) {
     //
     //	Handle Cookie and Bearer token
     const { output: { loggedInUser }, } = container;
-    const { token, userId, organizationId, role, userFullName } = loggedInUser;
+    const { token, userId, organizationId, role, userFullName, organizationBillingStatus } = loggedInUser;
     //	Modify req object with logged in user data
     req.loggedInUser = {
         token,
@@ -241,6 +293,7 @@ const setLoggedInUser = function (container, req) {
         organizationId,
         role,
         userFullName,
+        organizationBillingStatus,
         auth_type,
     };
     return undefined;
@@ -266,6 +319,7 @@ const callAuthApiServer = (token) => __awaiter(void 0, void 0, void 0, function*
                 organizationId: authResult.data.data.payload.organizationId,
                 role: authResult.data.data.payload.role,
                 userFullName: authResult.data.data.payload.userFullName,
+                organizationBillingStatus: authResult.data.data.payload.organizationBillingStatus,
             };
         }
         else {
@@ -273,7 +327,9 @@ const callAuthApiServer = (token) => __awaiter(void 0, void 0, void 0, function*
         }
     }
     catch (error) {
-        console.log(error);
+        _1.logger.error("Error while verifying bearer token with auth service", {
+            error: (error === null || error === void 0 ? void 0 : error.message) || error,
+        });
         throw error;
     }
 });
@@ -286,7 +342,7 @@ const verifyApiKey = (apiKey) => __awaiter(void 0, void 0, void 0, function* ()
     var _a, _b, _c, _d;
     try {
         //	Call api key service to verify api key
-        const apiRes = yield _1.axios.authServer.post(`/v2/auth/api_key/verify`, {
+        const apiRes = yield _1.axios.authServer.post(`/v1/auth/api_key/verify`, {
             apiKey,
         });
         if ((_b = (_a = apiRes.data) === null || _a === void 0 ? void 0 : _a.data) === null || _b === void 0 ? void 0 : _b.isValid) {
@@ -298,7 +354,9 @@ const verifyApiKey = (apiKey) => __awaiter(void 0, void 0, void 0, function* ()
         }
     }
     catch (err) {
-        console.log(err);
+        _1.logger.error("Error while verifying API key with auth service", {
+            error: (err === null || err === void 0 ? void 0 : err.message) || err,
+        });
         //	If verified api key not found then throw error
         const error = new customError_1.HttpError("Invalid api key.");
         error.status = "403";

package/dist/authorization.d.ts

@@ -1,11 +1,21 @@
 /**
- * Authorize the user with the resource action
+ * Authorize the user with the resource action.
+ * Also enforces billing gate: write actions (ADD/EDIT/DELETE/CREATE)
+ * are blocked when the org's billingStatus is canceled or expired.
+ * Read actions (VIEW_*) always pass through.
+ *
  * @param organizationId
  * @param userId
  * @param resourceAction
+ * @param options.allowInactive - bypass inactive org check in auth service
+ * @param options.billingStatus - org billing status from session; used for write-gate
  * @returns
  */
-export declare const authorizeUser: <T = string, U = string>(organizationId: T, userId: U, resourceAction: string) => Promise<{
+export declare const authorizeUser: <T = string, U = string>(organizationId: T, userId: U, resourceAction: string, options?: {
+    allowInactive?: boolean;
+    billingStatus?: string;
+    userRole?: string;
+}) => Promise<{
     isAllowed: string;
     userRole: string;
 }>;

package/dist/authorization.js

@@ -12,25 +12,51 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authorizeUser = void 0;
 const customError_1 = require("./@types/globals/customError");
 const axios_1 = require("./axios");
+const BILLING_BLOCKED_STATUSES = ["canceled", "incomplete_expired"];
 /**
- * Authorize the user with the resource action
+ * Authorize the user with the resource action.
+ * Also enforces billing gate: write actions (ADD/EDIT/DELETE/CREATE)
+ * are blocked when the org's billingStatus is canceled or expired.
+ * Read actions (VIEW_*) always pass through.
+ *
  * @param organizationId
  * @param userId
  * @param resourceAction
+ * @param options.allowInactive - bypass inactive org check in auth service
+ * @param options.billingStatus - org billing status from session; used for write-gate
  * @returns
  */
 // eslint-disable-next-line import/prefer-default-export, @typescript-eslint/naming-convention
-const authorizeUser = (organizationId, userId, resourceAction) => __awaiter(void 0, void 0, void 0, function* () {
+const authorizeUser = (organizationId, userId, resourceAction, options) => __awaiter(void 0, void 0, void 0, function* () {
     try {
-        const authenticationResponse = yield axios_1.coreAxios.authServer.post(`v1/auth/user/${userId}`, { resourceAction, organizationId });
+        // Platform admin roles bypass billing gate entirely
+        const PLATFORM_ROLES = ["SUPER_ADMIN", "STAFF", "SUPPORT"];
+        const isPlatformAdmin = PLATFORM_ROLES.includes(String((options === null || options === void 0 ? void 0 : options.userRole) || "").toUpperCase());
+        // Billing gate: block write actions for orgs with canceled/expired billing
+        // Platform admins (SUPER_ADMIN etc.) are exempt
+        const isWriteAction = !resourceAction.startsWith("VIEW_");
+        if (!isPlatformAdmin &&
+            isWriteAction &&
+            (options === null || options === void 0 ? void 0 : options.billingStatus) &&
+            BILLING_BLOCKED_STATUSES.includes(options.billingStatus)) {
+            const error = new customError_1.HttpError("Your subscription is inactive. Please renew to continue.");
+            error.status = "403";
+            throw error;
+        }
+        const authenticationResponse = yield axios_1.coreAxios.authServer.post(`/v1/auth/user/${userId}`, {
+            resourceAction,
+            organizationId,
+            allowInactive: Boolean(options === null || options === void 0 ? void 0 : options.allowInactive),
+        });
         return authenticationResponse.data.data;
         // eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-member-access
     }
     catch (err) {
-        if ((err === null || err === void 0 ? void 0 : err.status) === 401) {
+        const status = String((err === null || err === void 0 ? void 0 : err.status) || "");
+        if (status === "401") {
             throw err;
         }
-        if ((err === null || err === void 0 ? void 0 : err.status) === 501) {
+        if (status === "403") {
             throw err;
         }
         const error = new customError_1.HttpError("Something went wrong with Authentication");

package/dist/middleware.js

@@ -19,6 +19,7 @@ const serve_static_1 = __importDefault(require("serve-static"));
 const authentication_1 = require("./authentication");
 const allowedOrigin_1 = require("./allowedOrigin");
 const customError_1 = require("./@types/globals/customError");
+const logger_1 = require("./logger");
 const genericErrorMessage = "Something went wrong";
 const defaultErrorStatusCode = 500;
 const nonProductionEnvironments = new Set(["development", "local", "test"]);
@@ -189,19 +190,12 @@ const handle_errors = (error, _, res, __) => {
         description: sanitizeErrorDescription(description),
     };
     //  Log original error
-    console.error("=== Begin Error ===\n---\n" +
-        "Error: " +
-        message +
-        "\n" +
-        "Status: " +
-        status +
-        "\n" +
-        "Desc: " +
-        description +
-        "\n" +
-        "Stack: " +
-        stack +
-        "\n---\n=== End Error ===");
+    logger_1.logger.error("Unhandled middleware error", {
+        message,
+        status,
+        description,
+        stack,
+    });
     //	Provide stack track in env development and local
     if (!isProductionEnvironment()) {
         response.error = Object.assign({ stack }, error);

package/dist/static/authPolicyFile.d.ts

@@ -4,6 +4,8 @@ interface IAuthPolicy {
     ROLES_PERMISSIONS: RolesPermissionsType;
 }
 export type RolesPermissionsType = {
+    MEMBER?: string[];
+    AGENCY?: string[];
     TEAM_MEMBER: string[];
     ADMIN: string[];
     OWNER: string[];

package/dist/static/authPolicyFile.js

@@ -700,3 +700,9 @@ exports.authPolicy = {
         ],
     },
 };
+// MEMBER is the canonical name (renamed from TEAM_MEMBER)
+const memberRolePermissions = Array.from(new Set(exports.authPolicy.ROLES_PERMISSIONS.TEAM_MEMBER));
+exports.authPolicy.ROLES_PERMISSIONS.MEMBER = memberRolePermissions;
+// AGENCY has the same permissions as OWNER
+const agencyRolePermissions = Array.from(new Set(exports.authPolicy.ROLES_PERMISSIONS.OWNER));
+exports.authPolicy.ROLES_PERMISSIONS.AGENCY = agencyRolePermissions;

package/dist/static/authPolicyFile.ts

@@ -773,12 +773,26 @@ export const authPolicy: IAuthPolicy = {
   },
 };
 
+// MEMBER is the canonical name (renamed from TEAM_MEMBER)
+const memberRolePermissions = Array.from(
+  new Set(authPolicy.ROLES_PERMISSIONS.TEAM_MEMBER)
+);
+authPolicy.ROLES_PERMISSIONS.MEMBER = memberRolePermissions;
+
+// AGENCY has the same permissions as OWNER
+const agencyRolePermissions = Array.from(
+  new Set(authPolicy.ROLES_PERMISSIONS.OWNER)
+);
+authPolicy.ROLES_PERMISSIONS.AGENCY = agencyRolePermissions;
+
 interface IAuthPolicy {
   RESOURCES_ACTIONS: ResourcePolicyActionsType;
   ROLES_PERMISSIONS: RolesPermissionsType;
 }
 
 export type RolesPermissionsType = {
+  MEMBER?: string[];
+  AGENCY?: string[];
   TEAM_MEMBER: string[];
   ADMIN: string[];
   OWNER: string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@heliyos/heliyos-api-core",
-  "version": "1.0.70",
+  "version": "1.0.72",
   "description": "Heliyos's core api functions and middlewares. Its a private package hosted on npm.",
   "main": "./dist/index.js",
   "scripts": {