@heliyos/heliyos-api-core 1.0.71 → 1.0.72
- package/dist/authentication.d.ts +0 -1
- package/dist/authentication.js +3 -36
- package/dist/authorization.d.ts +9 -1
- package/dist/authorization.js +22 -1
- package/dist/static/authPolicyFile.d.ts +1 -0
- package/dist/static/authPolicyFile.js +4 -0
- package/dist/static/authPolicyFile.ts +8 -1
- package/package.json +1 -1
package/dist/authentication.d.ts
CHANGED
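--- a/package/dist/authentication.js
+++ b/package/dist/authentication.js
@@ -23,26 +23,11 @@ exports.authentication = void 0;
 const basic_auth_1 = __importDefault(require("basic-auth"));
 const customError_1 = require("./@types/globals/customError");
 const _1 = require(".");
-const INACTIVE_ORG_ALLOWED_PATH_PREFIXES = [
-"/v1/platform/billing/overview",
-"/v1/platform/billing/products",
-"/v1/platform/billing/payments",
-"/v1/platform/billing/portal-link",
-"/v1/platform/billing/portal",
-"/v1/platform/billing/customer-portal",
-"/v1/platform/billing/callback/",
-"/v1/auth/session/logout",
-];
 const BASIC_AUTH_ALLOWED_PATH_PREFIXES = [
+"/v1/auth/",
 "/v1/platform/billing/internal/",
 "/v1/platform/usage/internal/log",
 ];
-const canAccessWithInactiveOrganization = (path) => {
-if (!path) {
-return false;
-}
-return INACTIVE_ORG_ALLOWED_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
-};
 const canAccessWithBasicAuth = (path) => {
 if (!path) {
 return false;
@@ -121,24 +106,6 @@ const authentication = (req, res, next) => __awaiter(void 0, void 0, void 0, fun
 message: "Basic authentication is restricted to internal service endpoints.",
 });
 }
-const authUser = authenticationResponse;
-const hasOrganizationContext = Boolean(authUser === null || authUser === void 0 ? void 0 : authUser.organizationId);
-const organizationIsActive = authUser === null || authUser === void 0 ? void 0 : authUser.organizationIsActive;
-const shouldBlockInactiveOrganization = hasOrganizationContext &&
-organizationIsActive !== true &&
-!canAccessWithInactiveOrganization(req.path || req.originalUrl || "");
-if (shouldBlockInactiveOrganization) {
-return res.status(403).json({
-error: {
-status: 403,
-err_msg: "FORBIDDEN",
-},
-message: "Organization billing is inactive. Please renew your subscription to continue.",
-data: {
-organizationBillingStatus: authUser.organizationBillingStatus || "past_due",
-},
-});
-}
 // Set logged in user data which can be used later on
 setLoggedInUser(container, req);
 // Move to next chain
@@ -318,7 +285,7 @@ const setLoggedInUser = function (container, req) {
 //
 // Handle Cookie and Bearer token
 const { output: { loggedInUser }, } = container;
-const { token, userId, organizationId, role, userFullName } = loggedInUser;
+const { token, userId, organizationId, role, userFullName, organizationBillingStatus } = loggedInUser;
 // Modify req object with logged in user data
 req.loggedInUser = {
 token,
@@ -326,6 +293,7 @@ const setLoggedInUser = function (container, req) {
 organizationId,
 role,
 userFullName,
+organizationBillingStatus,
 auth_type,
 };
 return undefined;
@@ -351,7 +319,6 @@ const callAuthApiServer = (token) => __awaiter(void 0, void 0, void 0, function*
 organizationId: authResult.data.data.payload.organizationId,
 role: authResult.data.data.payload.role,
 userFullName: authResult.data.data.payload.userFullName,
-organizationIsActive: authResult.data.data.payload.organizationIsActive,
 organizationBillingStatus: authResult.data.data.payload.organizationBillingStatus,
 };
 }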
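Review bot: Adding `"/v1/auth/"` to BASIC_AUTH_ALLOWED_PATH_PREFIXES (new line 27) widens the set of paths that accept Basic credentials from two explicit `/internal/` prefixes to every route under `/v1/auth/`, while the rejection message on new line 106 still states that Basic authentication is restricted to internal service endpoints. If only a few auth routes need Basic credentials, listing them by full path keeps the allowlist narrow; otherwise the message should be corrected. Separately, this middleware no longer rejects inactive organizations at all, and the replacement gate in authorizeUser only fires when a caller passes `options.billingStatus` and only for `canceled`/`incomplete_expired`, so any route that does not call authorizeUser with that option, and any org in the former default state `past_due`, is now unrestricted — worth confirming that is intended. The bodies of `authentication`, `setLoggedInUser` and `callAuthApiServer` continue outside the hunks.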
|
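--- a/package/dist/authorization.d.ts
+++ b/package/dist/authorization.d.ts
@@ -1,12 +1,20 @@
 /**
-* Authorize the user with the resource action
+* Authorize the user with the resource action.
+* Also enforces billing gate: write actions (ADD/EDIT/DELETE/CREATE)
+* are blocked when the org's billingStatus is canceled or expired.
+* Read actions (VIEW_*) always pass through.
+*
 * @param organizationId
 * @param userId
 * @param resourceAction
+* @param options.allowInactive - bypass inactive org check in auth service
+* @param options.billingStatus - org billing status from session; used for write-gate
 * @returns
 */
 export declare const authorizeUser: <T = string, U = string>(organizationId: T, userId: U, resourceAction: string, options?: {
 allowInactive?: boolean;
+billingStatus?: string;
+userRole?: string;
 }) => Promise<{
 isAllowed: string;
 userRole: string;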
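--- a/package/dist/authorization.js
+++ b/package/dist/authorization.js
@@ -12,16 +12,37 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authorizeUser = void 0;
 const customError_1 = require("./@types/globals/customError");
 const axios_1 = require("./axios");
+const BILLING_BLOCKED_STATUSES = ["canceled", "incomplete_expired"];
 /**
-* Authorize the user with the resource action
+* Authorize the user with the resource action.
+* Also enforces billing gate: write actions (ADD/EDIT/DELETE/CREATE)
+* are blocked when the org's billingStatus is canceled or expired.
+* Read actions (VIEW_*) always pass through.
+*
 * @param organizationId
 * @param userId
 * @param resourceAction
+* @param options.allowInactive - bypass inactive org check in auth service
+* @param options.billingStatus - org billing status from session; used for write-gate
 * @returns
 */
 // eslint-disable-next-line import/prefer-default-export, @typescript-eslint/naming-convention
 const authorizeUser = (organizationId, userId, resourceAction, options) => __awaiter(void 0, void 0, void 0, function* () {
 try {
+// Platform admin roles bypass billing gate entirely
+const PLATFORM_ROLES = ["SUPER_ADMIN", "STAFF", "SUPPORT"];
+const isPlatformAdmin = PLATFORM_ROLES.includes(String((options === null || options === void 0 ? void 0 : options.userRole) || "").toUpperCase());
+// Billing gate: block write actions for orgs with canceled/expired billing
+// Platform admins (SUPER_ADMIN etc.) are exempt
+const isWriteAction = !resourceAction.startsWith("VIEW_");
+if (!isPlatformAdmin &&
+isWriteAction &&
+(options === null || options === void 0 ? void 0 : options.billingStatus) &&
+BILLING_BLOCKED_STATUSES.includes(options.billingStatus)) {
+const error = new customError_1.HttpError("Your subscription is inactive. Please renew to continue.");
+error.status = "403";
+throw error;
+}
 const authenticationResponse = yield axios_1.coreAxios.authServer.post(`/v1/auth/user/${userId}`, {
 resourceAction,
 organizationId,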
@@ -700,5 +700,9 @@ exports.authPolicy = {
|
|
|
700
700
|
],
|
|
701
701
|
},
|
|
702
702
|
};
|
|
703
|
+
// MEMBER is the canonical name (renamed from TEAM_MEMBER)
|
|
703
704
|
const memberRolePermissions = Array.from(new Set(exports.authPolicy.ROLES_PERMISSIONS.TEAM_MEMBER));
|
|
704
705
|
exports.authPolicy.ROLES_PERMISSIONS.MEMBER = memberRolePermissions;
|
|
706
|
+
// AGENCY has the same permissions as OWNER
|
|
707
|
+
const agencyRolePermissions = Array.from(new Set(exports.authPolicy.ROLES_PERMISSIONS.OWNER));
|
|
708
|
+
exports.authPolicy.ROLES_PERMISSIONS.AGENCY = agencyRolePermissions;
|
|
@@ -773,12 +773,18 @@ export const authPolicy: IAuthPolicy = {
|
|
|
773
773
|
},
|
|
774
774
|
};
|
|
775
775
|
|
|
776
|
+
// MEMBER is the canonical name (renamed from TEAM_MEMBER)
|
|
776
777
|
const memberRolePermissions = Array.from(
|
|
777
778
|
new Set(authPolicy.ROLES_PERMISSIONS.TEAM_MEMBER)
|
|
778
779
|
);
|
|
779
|
-
|
|
780
780
|
authPolicy.ROLES_PERMISSIONS.MEMBER = memberRolePermissions;
|
|
781
781
|
|
|
782
|
+
// AGENCY has the same permissions as OWNER
|
|
783
|
+
const agencyRolePermissions = Array.from(
|
|
784
|
+
new Set(authPolicy.ROLES_PERMISSIONS.OWNER)
|
|
785
|
+
);
|
|
786
|
+
authPolicy.ROLES_PERMISSIONS.AGENCY = agencyRolePermissions;
|
|
787
|
+
|
|
782
788
|
interface IAuthPolicy {
|
|
783
789
|
RESOURCES_ACTIONS: ResourcePolicyActionsType;
|
|
784
790
|
ROLES_PERMISSIONS: RolesPermissionsType;
|
|
@@ -786,6 +792,7 @@ interface IAuthPolicy {
|
|
|
786
792
|
|
|
787
793
|
export type RolesPermissionsType = {
|
|
788
794
|
MEMBER?: string[];
|
|
795
|
+
AGENCY?: string[];
|
|
789
796
|
TEAM_MEMBER: string[];
|
|
790
797
|
ADMIN: string[];
|
|
791
798
|
OWNER: string[];
|