@helpio/common 1.0.4 → 1.0.6

package/build/index.d.ts

@@ -8,6 +8,7 @@ export * from "./types/auth";
 export * from "./middlewares/current-user";
 export * from "./middlewares/error-handler";
 export * from "./middlewares/require-auth";
+export * from "./middlewares/require-role";
 export * from "./middlewares/validate-request";
 export * from "./events/consumer";
 export * from "./events/producer";

package/build/index.js

@@ -21,6 +21,7 @@ __exportStar(require("./types/auth"), exports);
 __exportStar(require("./middlewares/current-user"), exports);
 __exportStar(require("./middlewares/error-handler"), exports);
 __exportStar(require("./middlewares/require-auth"), exports);
+__exportStar(require("./middlewares/require-role"), exports);
 __exportStar(require("./middlewares/validate-request"), exports);
 __exportStar(require("./events/consumer"), exports);
 __exportStar(require("./events/producer"), exports);

package/build/middlewares/current-user.js

@@ -5,14 +5,35 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.currentUser = void 0;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const getJwtSecret = () => {
+    return process.env.JWT_SECRET || process.env.JWT_KEY;
+};
+const extractAccessToken = (req) => {
+    var _a, _b;
+    const authHeader = req.headers.authorization;
+    const bearer = typeof authHeader === "string" && authHeader.startsWith("Bearer ")
+        ? authHeader.substring(7)
+        : undefined;
+    const cookieToken = (_a = req.cookies) === null || _a === void 0 ? void 0 : _a.accessToken;
+    const legacySessionToken = (_b = req.session) === null || _b === void 0 ? void 0 : _b.jwt;
+    const token = bearer || cookieToken || legacySessionToken;
+    return typeof token === "string" && token.trim() ? token.trim() : undefined;
+};
+const attachPayload = (req, payload) => {
+    req.currentUser = payload;
+    req.userId = payload.userId || payload.id;
+    req.sessionId = payload.sessionId;
+};
 const currentUser = (req, res, next) => {
-    var _a;
-    if (!((_a = req.session) === null || _a === void 0 ? void 0 : _a.jwt)) {
+    const token = extractAccessToken(req);
+    if (!token)
+        return next();
+    const secret = getJwtSecret();
+    if (!secret)
         return next();
-    }
     try {
-        const payload = jsonwebtoken_1.default.verify(req.session.jwt, process.env.JWT_KEY);
-        req.currentUser = payload;
+        const payload = jsonwebtoken_1.default.verify(token, secret);
+        attachPayload(req, payload);
     }
     catch (err) { }
     next();

package/build/middlewares/require-auth.js

@@ -6,42 +6,47 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.optionalAuth = exports.requireAuth = void 0;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const not_authorized_error_1 = require("../errors/not-authorized-error");
-const JWT_SECRET = process.env.JWT_SECRET || "your-secret-key-change-in-production";
+const getJwtSecret = () => {
+    const secret = process.env.JWT_SECRET || process.env.JWT_KEY;
+    if (!secret) {
+        throw new Error("JWT_SECRET must be defined");
+    }
+    return secret;
+};
+const extractAccessToken = (req) => {
+    var _a, _b;
+    const authHeader = req.headers.authorization;
+    const bearer = typeof authHeader === "string" && authHeader.startsWith("Bearer ")
+        ? authHeader.substring(7)
+        : undefined;
+    const cookieToken = (_a = req.cookies) === null || _a === void 0 ? void 0 : _a.accessToken;
+    const legacySessionToken = (_b = req.session) === null || _b === void 0 ? void 0 : _b.jwt;
+    const token = bearer || cookieToken || legacySessionToken;
+    return typeof token === "string" && token.trim() ? token.trim() : undefined;
+};
+const attachPayload = (req, payload) => {
+    req.currentUser = payload;
+    req.userId = payload.userId || payload.id;
+    req.sessionId = payload.sessionId;
+};
 /**
  * Middleware: Require authentication
  * Verifies JWT access token and attaches user payload to request
  * Works across all microservices
  */
 const requireAuth = (req, res, next) => {
-    var _a;
     try {
-        // Extract token from Authorization header or cookies
-        const authHeader = req.headers.authorization;
-        const token = (authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith("Bearer "))
-            ? authHeader.substring(7)
-            : (_a = req.cookies) === null || _a === void 0 ? void 0 : _a.accessToken;
+        const token = extractAccessToken(req);
         // Check if token exists
         if (!token) {
-            console.log("[requireAuth] No token provided");
             throw new not_authorized_error_1.NotAuthorizedError();
         }
         // Verify token
-        const payload = jsonwebtoken_1.default.verify(token, JWT_SECRET);
-        console.log("[requireAuth] Token verified successfully:", {
-            userId: payload.userId,
-            id: payload.id,
-            email: payload.email,
-            hasAccountNumber: !!payload.accountNumber
-        });
-        // Attach user payload to request
-        req.currentUser = payload;
-        // Support both legacy 'id' and new 'userId' formats
-        req.userId = payload.userId || payload.id;
-        req.sessionId = payload.sessionId;
+        const payload = jsonwebtoken_1.default.verify(token, getJwtSecret());
+        attachPayload(req, payload);
         next();
     }
     catch (err) {
-        console.error("[requireAuth] Error:", err.message, err.name);
         if (err.name === "TokenExpiredError") {
             return res.status(401).json({
                 error: "TOKEN_EXPIRED",
@@ -67,20 +72,13 @@ exports.requireAuth = requireAuth;
  * Loads user if token is present, but doesn't require it
  */
 const optionalAuth = (req, res, next) => {
-    var _a;
     try {
-        const authHeader = req.headers.authorization;
-        const token = (authHeader === null || authHeader === void 0 ? void 0 : authHeader.startsWith("Bearer "))
-            ? authHeader.substring(7)
-            : (_a = req.cookies) === null || _a === void 0 ? void 0 : _a.accessToken;
+        const token = extractAccessToken(req);
         if (!token) {
             return next();
         }
-        const payload = jsonwebtoken_1.default.verify(token, JWT_SECRET);
-        req.currentUser = payload;
-        // Support both legacy 'id' and new 'userId' formats
-        req.userId = payload.userId || payload.id;
-        req.sessionId = payload.sessionId;
+        const payload = jsonwebtoken_1.default.verify(token, getJwtSecret());
+        attachPayload(req, payload);
         next();
     }
     catch (error) {

package/build/middlewares/require-role.d.ts

@@ -0,0 +1,6 @@
+import type { Request, Response, NextFunction } from "express";
+export declare const requireAnyRole: (allowedRoles: string[]) => (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+export declare const requireWorker: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+export declare const requireEmployer: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+export declare const requireOwner: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+export declare const requireEmployerOrOwner: (req: Request, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;

package/build/middlewares/require-role.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireEmployerOrOwner = exports.requireOwner = exports.requireEmployer = exports.requireWorker = exports.requireAnyRole = void 0;
+const normalizeRole = (value) => {
+    if (typeof value !== "string")
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed ? trimmed.toLowerCase() : undefined;
+};
+const getRoleCandidates = (req) => {
+    const currentUser = req.currentUser;
+    if (!currentUser)
+        return [];
+    const directRole = normalizeRole(currentUser.role);
+    const rolesArray = Array.isArray(currentUser.roles)
+        ? currentUser.roles.map(normalizeRole).filter(Boolean)
+        : [];
+    const activeMode = normalizeRole(currentUser.activeMode);
+    return [directRole, activeMode, ...rolesArray].filter(Boolean);
+};
+const requireAnyRole = (allowedRoles) => {
+    const allowed = allowedRoles.map((r) => r.toLowerCase());
+    return (req, res, next) => {
+        const candidates = getRoleCandidates(req);
+        if (candidates.some((r) => allowed.includes(r))) {
+            return next();
+        }
+        return res.status(403).send({
+            error: "FORBIDDEN",
+            message: `Required role: ${allowedRoles.join(" | ")}`,
+        });
+    };
+};
+exports.requireAnyRole = requireAnyRole;
+exports.requireWorker = (0, exports.requireAnyRole)(["worker"]);
+exports.requireEmployer = (0, exports.requireAnyRole)(["employer"]);
+// Owner/admin access varies across deployments, so we accept a few common values.
+exports.requireOwner = (0, exports.requireAnyRole)(["owner", "admin", "super_admin"]);
+exports.requireEmployerOrOwner = (0, exports.requireAnyRole)([
+    "employer",
+    "owner",
+    "admin",
+    "super_admin",
+]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@helpio/common",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "common library for Helpio ",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",