@innvoid/getmarket-sdk 0.1.2 → 0.1.4

package/dist/index-WbfzvmOt.d.cts

@@ -0,0 +1,87 @@
+import { Request, Response, NextFunction } from 'express';
+import { JwtPayload } from 'jsonwebtoken';
+
+type AuthSubject = "employee" | "customer";
+type TokenType = "backend";
+type AuthSession = {
+    jti?: string;
+    device_id?: string;
+    expires_at?: number;
+};
+type AuthContext = {
+    tokenType: TokenType;
+    subject: AuthSubject;
+    employee?: any;
+    customer?: any;
+    company_uid?: string;
+    branch_uid?: string;
+    companies?: any[];
+    company?: any;
+    branch?: any;
+    roles?: string[];
+    permissions?: string[];
+    denied_permissions?: string[];
+    session?: AuthSession;
+    firebase?: any;
+};
+type HydrateInput = {
+    decoded: any;
+    req: Request;
+    subject: AuthSubject;
+    company_uid: string | null;
+    branch_uid: string | null;
+};
+type HydrateResult = Partial<Pick<AuthContext, "employee" | "customer" | "companies" | "company" | "branch" | "roles" | "permissions" | "denied_permissions">>;
+type Hydrator = (input: HydrateInput) => Promise<HydrateResult> | HydrateResult;
+type AuthMiddlewareOptions = {
+    subject: AuthSubject;
+    /**
+     * ✅ Si true, exige que el sujeto (employee/customer) exista tras hydrate.
+     * Default: true
+     */
+    requireSubject?: boolean;
+    /**
+     * Si true, permite fallback a Firebase idToken.
+     * Default: false
+     */
+    allowFirebaseIdToken?: boolean;
+    /**
+     * ✅ OBLIGATORIO para evitar "legacy" o acoplamientos:
+     * el micro decide cómo hidratar (DB local / AuthClient / etc).
+     */
+    hydrate: Hydrator;
+};
+
+/**
+ * ✅ Keys viven en getmarket-stack:
+ * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+ * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
+ */
+declare function readRs256PublicKey(): string;
+declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+
+/**
+ * ✅ Middleware estándar:
+ * - Solo Authorization: Bearer
+ * - Solo RS256
+ * - Cero legacy
+ * - Hidrata vía hook (OBLIGATORIO) para que cada micro no replique lógica
+ */
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+
+type index_AuthContext = AuthContext;
+type index_AuthMiddlewareOptions = AuthMiddlewareOptions;
+type index_AuthSession = AuthSession;
+type index_AuthSubject = AuthSubject;
+type index_HydrateInput = HydrateInput;
+type index_HydrateResult = HydrateResult;
+type index_Hydrator = Hydrator;
+type index_TokenType = TokenType;
+declare const index_createAuthMiddleware: typeof createAuthMiddleware;
+declare const index_readRs256PublicKey: typeof readRs256PublicKey;
+declare const index_verifyBackendJwtRS256: typeof verifyBackendJwtRS256;
+declare namespace index {
+  export { type index_AuthContext as AuthContext, type index_AuthMiddlewareOptions as AuthMiddlewareOptions, type index_AuthSession as AuthSession, type index_AuthSubject as AuthSubject, type index_HydrateInput as HydrateInput, type index_HydrateResult as HydrateResult, type index_Hydrator as Hydrator, type index_TokenType as TokenType, index_createAuthMiddleware as createAuthMiddleware, index_readRs256PublicKey as readRs256PublicKey, index_verifyBackendJwtRS256 as verifyBackendJwtRS256 };
+}
+
+export { type AuthContext as A, type HydrateInput as H, type TokenType as T, type AuthMiddlewareOptions as a, type AuthSession as b, type AuthSubject as c, type HydrateResult as d, type Hydrator as e, createAuthMiddleware as f, index as i, readRs256PublicKey as r, verifyBackendJwtRS256 as v };

package/dist/index-WbfzvmOt.d.ts

@@ -0,0 +1,87 @@
+import { Request, Response, NextFunction } from 'express';
+import { JwtPayload } from 'jsonwebtoken';
+
+type AuthSubject = "employee" | "customer";
+type TokenType = "backend";
+type AuthSession = {
+    jti?: string;
+    device_id?: string;
+    expires_at?: number;
+};
+type AuthContext = {
+    tokenType: TokenType;
+    subject: AuthSubject;
+    employee?: any;
+    customer?: any;
+    company_uid?: string;
+    branch_uid?: string;
+    companies?: any[];
+    company?: any;
+    branch?: any;
+    roles?: string[];
+    permissions?: string[];
+    denied_permissions?: string[];
+    session?: AuthSession;
+    firebase?: any;
+};
+type HydrateInput = {
+    decoded: any;
+    req: Request;
+    subject: AuthSubject;
+    company_uid: string | null;
+    branch_uid: string | null;
+};
+type HydrateResult = Partial<Pick<AuthContext, "employee" | "customer" | "companies" | "company" | "branch" | "roles" | "permissions" | "denied_permissions">>;
+type Hydrator = (input: HydrateInput) => Promise<HydrateResult> | HydrateResult;
+type AuthMiddlewareOptions = {
+    subject: AuthSubject;
+    /**
+     * ✅ Si true, exige que el sujeto (employee/customer) exista tras hydrate.
+     * Default: true
+     */
+    requireSubject?: boolean;
+    /**
+     * Si true, permite fallback a Firebase idToken.
+     * Default: false
+     */
+    allowFirebaseIdToken?: boolean;
+    /**
+     * ✅ OBLIGATORIO para evitar "legacy" o acoplamientos:
+     * el micro decide cómo hidratar (DB local / AuthClient / etc).
+     */
+    hydrate: Hydrator;
+};
+
+/**
+ * ✅ Keys viven en getmarket-stack:
+ * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+ * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
+ */
+declare function readRs256PublicKey(): string;
+declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+
+/**
+ * ✅ Middleware estándar:
+ * - Solo Authorization: Bearer
+ * - Solo RS256
+ * - Cero legacy
+ * - Hidrata vía hook (OBLIGATORIO) para que cada micro no replique lógica
+ */
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+
+type index_AuthContext = AuthContext;
+type index_AuthMiddlewareOptions = AuthMiddlewareOptions;
+type index_AuthSession = AuthSession;
+type index_AuthSubject = AuthSubject;
+type index_HydrateInput = HydrateInput;
+type index_HydrateResult = HydrateResult;
+type index_Hydrator = Hydrator;
+type index_TokenType = TokenType;
+declare const index_createAuthMiddleware: typeof createAuthMiddleware;
+declare const index_readRs256PublicKey: typeof readRs256PublicKey;
+declare const index_verifyBackendJwtRS256: typeof verifyBackendJwtRS256;
+declare namespace index {
+  export { type index_AuthContext as AuthContext, type index_AuthMiddlewareOptions as AuthMiddlewareOptions, type index_AuthSession as AuthSession, type index_AuthSubject as AuthSubject, type index_HydrateInput as HydrateInput, type index_HydrateResult as HydrateResult, type index_Hydrator as Hydrator, type index_TokenType as TokenType, index_createAuthMiddleware as createAuthMiddleware, index_readRs256PublicKey as readRs256PublicKey, index_verifyBackendJwtRS256 as verifyBackendJwtRS256 };
+}
+
+export { type AuthContext as A, type HydrateInput as H, type TokenType as T, type AuthMiddlewareOptions as a, type AuthSession as b, type AuthSubject as c, type HydrateResult as d, type Hydrator as e, createAuthMiddleware as f, index as i, readRs256PublicKey as r, verifyBackendJwtRS256 as v };

package/dist/index.cjs

@@ -40,7 +40,9 @@ __export(src_exports, {
   REQUEST_ID_HEADER: () => REQUEST_ID_HEADER,
   TwoLevelCache: () => TwoLevelCache,
   UpstreamError: () => UpstreamError,
+  auth: () => auth_exports,
   closeCache: () => closeCache,
+  createAuthMiddleware: () => createAuthMiddleware,
   createHttpClient: () => createHttpClient,
   getOrSet: () => getOrSet,
   getRequestContextFromHeaders: () => getRequestContextFromHeaders,
@@ -48,9 +50,14 @@ __export(src_exports, {
   internalAuth: () => internalAuth,
   mapAxiosToUpstreamError: () => mapAxiosToUpstreamError,
   parseHeaders: () => parseHeaders,
+  readRs256PublicKey: () => readRs256PublicKey,
   requestId: () => requestId,
+  requireAuthContext: () => requireAuthContext,
+  requirePermissions: () => requirePermissions,
+  requireRoles: () => requireRoles,
   sendError: () => sendError,
   sendOk: () => sendOk,
+  verifyBackendJwtRS256: () => verifyBackendJwtRS256,
   withRequestId: () => withRequestId,
   withRequestIdConfig: () => withRequestIdConfig
 });
@@ -617,6 +624,191 @@ function internalAuth(req, res, next) {
   }
   return next();
 }
+
+// src/middlewares/autorization.ts
+function getAuth(req) {
+  return req.auth ?? {};
+}
+function requireAuthContext() {
+  return (req, res, next) => {
+    if (!req.auth) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
+    return next();
+  };
+}
+function requirePermissions(...perms) {
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    const allow = new Set(auth.permissions ?? []);
+    const deny = new Set(auth.denied_permissions ?? []);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`);
+      }
+    }
+    const missing = perms.filter((p) => !allow.has(p));
+    if (missing.length) {
+      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", { missing });
+    }
+    return next();
+  };
+}
+function requireRoles(...roles) {
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    const have = new Set(auth.roles ?? []);
+    if (!roles.some((r) => have.has(r))) {
+      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required: roles });
+    }
+    return next();
+  };
+}
+
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  createAuthMiddleware: () => createAuthMiddleware,
+  readRs256PublicKey: () => readRs256PublicKey,
+  verifyBackendJwtRS256: () => verifyBackendJwtRS256
+});
+
+// src/auth/jwt.ts
+var import_fs2 = __toESM(require("fs"), 1);
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+function readFileIfExists(path) {
+  if (!path) return null;
+  try {
+    const v = import_fs2.default.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function readRs256PublicKey() {
+  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+  if (fromFile) return fromFile;
+  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  if (fromEnv) return fromEnv;
+  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+}
+function verifyBackendJwtRS256(raw) {
+  const publicKey = readRs256PublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return import_jsonwebtoken.default.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+
+// src/auth/middleware.ts
+function getBearerToken(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function createAuthMiddleware(opts) {
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    const headerCtx = req.context || {};
+    const company_uid = normalizeUid(headerCtx.company_uid);
+    const branch_uid = normalizeUid(headerCtx.branch_uid);
+    try {
+      const decoded = verifyBackendJwtRS256(token);
+      const baseCtx = {
+        tokenType: "backend",
+        subject,
+        company_uid: company_uid ?? void 0,
+        branch_uid: branch_uid ?? void 0,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      Object.assign(baseCtx, hydrated);
+      if (requireSubject) {
+        if (subject === "employee" && !baseCtx.employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not resolved by hydrator"
+          });
+        }
+        if (subject === "customer" && !baseCtx.customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not resolved by hydrator"
+          });
+        }
+      }
+      req.auth = baseCtx;
+      return next();
+    } catch (errJwt) {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: company_uid ?? void 0,
+          branch_uid: branch_uid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   HEADER_AUTHORIZATION,
@@ -629,7 +821,9 @@ function internalAuth(req, res, next) {
   REQUEST_ID_HEADER,
   TwoLevelCache,
   UpstreamError,
+  auth,
   closeCache,
+  createAuthMiddleware,
   createHttpClient,
   getOrSet,
   getRequestContextFromHeaders,
@@ -637,9 +831,14 @@ function internalAuth(req, res, next) {
   internalAuth,
   mapAxiosToUpstreamError,
   parseHeaders,
+  readRs256PublicKey,
   requestId,
+  requireAuthContext,
+  requirePermissions,
+  requireRoles,
   sendError,
   sendOk,
+  verifyBackendJwtRS256,
   withRequestId,
   withRequestIdConfig
 });