npm - @innvoid/getmarket-sdk - Versions diffs - 0.1.3 → 0.1.4 - Mend

@innvoid/getmarket-sdk 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/auth/index.cjs +181 -0
package/dist/auth/index.cjs.map +1 -0
package/dist/auth/index.d.cts +3 -0
package/dist/auth/index.d.ts +3 -0
package/dist/auth/index.js +12 -0
package/dist/auth/index.js.map +1 -0
package/dist/cache/index.js +1 -0
package/dist/chunk-PZ5AY32C.js +10 -0
package/dist/chunk-PZ5AY32C.js.map +1 -0
package/dist/chunk-W23UYULS.js +156 -0
package/dist/chunk-W23UYULS.js.map +1 -0
package/dist/{chunk-HTHX24NK.js → chunk-Y2JJLHAY.js} +45 -2
package/dist/chunk-Y2JJLHAY.js.map +1 -0
package/dist/core/index.js +1 -0
package/dist/headers/index.js +1 -0
package/dist/index-WbfzvmOt.d.cts +87 -0
package/dist/index-WbfzvmOt.d.ts +87 -0
package/dist/index.cjs +199 -0
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +3 -1
package/dist/index.d.ts +3 -1
package/dist/index.js +18 -1
package/dist/middlewares/index.cjs +46 -0
package/dist/middlewares/index.cjs.map +1 -1
package/dist/middlewares/index.d.cts +16 -1
package/dist/middlewares/index.d.ts +16 -1
package/dist/middlewares/index.js +8 -1
package/package.json +12 -1
package/dist/chunk-HTHX24NK.js.map +0 -1

package/dist/auth/index.cjs ADDED Viewed

@@ -0,0 +1,181 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  createAuthMiddleware: () => createAuthMiddleware,
+  readRs256PublicKey: () => readRs256PublicKey,
+  verifyBackendJwtRS256: () => verifyBackendJwtRS256
+});
+module.exports = __toCommonJS(auth_exports);
+// src/auth/jwt.ts
+var import_fs = __toESM(require("fs"), 1);
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+function readFileIfExists(path) {
+  if (!path) return null;
+  try {
+    const v = import_fs.default.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function readRs256PublicKey() {
+  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+  if (fromFile) return fromFile;
+  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  if (fromEnv) return fromEnv;
+  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+}
+function verifyBackendJwtRS256(raw) {
+  const publicKey = readRs256PublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return import_jsonwebtoken.default.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+// src/auth/middleware.ts
+function getBearerToken(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function createAuthMiddleware(opts) {
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    const headerCtx = req.context || {};
+    const company_uid = normalizeUid(headerCtx.company_uid);
+    const branch_uid = normalizeUid(headerCtx.branch_uid);
+    try {
+      const decoded = verifyBackendJwtRS256(token);
+      const baseCtx = {
+        tokenType: "backend",
+        subject,
+        company_uid: company_uid ?? void 0,
+        branch_uid: branch_uid ?? void 0,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      Object.assign(baseCtx, hydrated);
+      if (requireSubject) {
+        if (subject === "employee" && !baseCtx.employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not resolved by hydrator"
+          });
+        }
+        if (subject === "customer" && !baseCtx.customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not resolved by hydrator"
+          });
+        }
+      }
+      req.auth = baseCtx;
+      return next();
+    } catch (errJwt) {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: company_uid ?? void 0,
+          branch_uid: branch_uid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthMiddleware,
+  readRs256PublicKey,
+  verifyBackendJwtRS256
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/auth/index.ts","../../src/auth/jwt.ts","../../src/auth/middleware.ts"],"sourcesContent":["export * from \"./types\";\nexport * from \"./jwt\";\nexport * from \"./middleware\";\n","import fs from \"fs\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\n\nfunction readFileIfExists(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\n/**\n * ✅ Keys viven en getmarket-stack:\n * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)\n * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY\n */\nexport function readRs256PublicKey(): string {\n const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);\n if (fromFile) return fromFile;\n\n const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || \"\")\n .replace(/\\\\n/g, \"\\n\")\n .trim();\n\n if (fromEnv) return fromEnv;\n\n throw new Error(\"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\");\n}\n\nexport function verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readRs256PublicKey();\n\n const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || \"getmarket.api\";\n const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || \"getmarket-auth\";\n\n // ✅ SOLO RS256\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n","import type {NextFunction, Response} from \"express\";\nimport {verifyBackendJwtRS256} from \"./jwt\";\nimport type {AuthContext, AuthMiddlewareOptions} from \"./types\";\n\nfunction getBearerToken(req: any): string | null {\n const auth = String(req.headers?.authorization || \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nfunction normalizeUid(v: any): string | null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\n/**\n * ✅ Middleware estándar:\n * - Solo Authorization: Bearer\n * - Solo RS256\n * - Cero legacy\n * - Hidrata vía hook (OBLIGATORIO) para que cada micro no replique lógica\n */\nexport function createAuthMiddleware(opts: AuthMiddlewareOptions) {\n const {\n subject,\n allowFirebaseIdToken = false,\n requireSubject = true,\n hydrate,\n } = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n // Contexto desde parseHeaders (SDK) -> req.context\n const headerCtx = (req as any).context || {};\n const company_uid = normalizeUid(headerCtx.company_uid);\n const branch_uid = normalizeUid(headerCtx.branch_uid);\n\n // 1) RS256 backend JWT\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const baseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n // ✅ hydrate obligatorio (cero legacy)\n const hydrated = await hydrate({decoded, req, subject, company_uid, branch_uid});\n Object.assign(baseCtx, hydrated);\n\n if (requireSubject) {\n if (subject === \"employee\" && !baseCtx.employee) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_NOT_FOUND\",\n message: \"Employee not resolved by hydrator\",\n });\n }\n if (subject === \"customer\" && !baseCtx.customer) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_NOT_FOUND\",\n message: \"Customer not resolved by hydrator\",\n });\n }\n }\n\n req.auth = baseCtx;\n return next();\n } catch (errJwt) {\n // 2) Firebase opcional (si está habilitado explícitamente)\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n // Import dinámico (pero firebase-admin está en deps del SDK)\n const {default: admin} = await import(\"firebase-admin\");\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n req.auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n };\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,gBAAe;AACf,0BAA8B;AAE9B,SAAS,iBAAiB,MAA8B;AACpD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,UAAAA,QAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAOO,SAAS,qBAA6B;AACzC,QAAM,WAAW,iBAAiB,QAAQ,IAAI,mBAAmB;AACjE,MAAI,SAAU,QAAO;AAErB,QAAM,UAAU,OAAO,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB,EAAE,EAC1F,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,MAAI,QAAS,QAAO;AAEpB,QAAM,IAAI,MAAM,4FAA4F;AAChH;AAEO,SAAS,sBAAsB,KAAyB;AAC3D,QAAM,YAAY,mBAAmB;AAErC,QAAM,WAAW,QAAQ,IAAI,gBAAgB,QAAQ,IAAI,qBAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI,cAAc,QAAQ,IAAI,mBAAmB;AAGxE,SAAO,oBAAAC,QAAI,OAAO,KAAK,WAAW;AAAA,IAC9B,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACJ,CAAC;AACL;;;ACvCA,SAAS,eAAe,KAAyB;AAC7C,QAAM,OAAO,OAAO,IAAI,SAAS,iBAAiB,EAAE;AACpD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAClC;AAEA,SAAS,aAAa,GAAuB;AACzC,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AAC1B;AASO,SAAS,qBAAqB,MAA6B;AAC9D,QAAM;AAAA,IACF;AAAA,IACA,uBAAuB;AAAA,IACvB,iBAAiB;AAAA,IACjB;AAAA,EACJ,IAAI;AAEJ,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC1D,UAAM,QAAQ,eAAe,GAAG;AAChC,QAAI,CAAC,OAAO;AACR,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACxB,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACb,CAAC;AAAA,IACL;AAGA,UAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,cAAc,aAAa,UAAU,WAAW;AACtD,UAAM,aAAa,aAAa,UAAU,UAAU;AAGpD,QAAI;AACA,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,UAAuB;AAAA,QACzB,WAAW;AAAA,QACX;AAAA,QACA,aAAa,eAAe;AAAA,QAC5B,YAAY,cAAc;AAAA,QAC1B,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,QAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IAAI,QAAQ,qBAAqB,CAAC;AAAA,QAC/F,SAAS;AAAA,UACL,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACzB;AAAA,MACJ;AAGA,YAAM,WAAW,MAAM,QAAQ,EAAC,SAAS,KAAK,SAAS,aAAa,WAAU,CAAC;AAC/E,aAAO,OAAO,SAAS,QAAQ;AAE/B,UAAI,gBAAgB;AAChB,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAAA,MACJ;AAEA,UAAI,OAAO;AACX,aAAO,KAAK;AAAA,IAChB,SAAS,QAAQ;AAEb,UAAI,CAAC,sBAAsB;AACvB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAEA,UAAI;AAEA,cAAM,EAAC,SAAS,MAAK,IAAI,MAAM,OAAO,gBAAgB;AACtD,cAAM,kBAAkB,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACnE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAEA,YAAI,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,eAAe;AAAA,UAC5B,YAAY,cAAc;AAAA,UAC1B,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACzB;AAEA,eAAO,KAAK;AAAA,MAChB,QAAQ;AACJ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ;AACJ;","names":["fs","jwt"]}

package/dist/auth/index.d.cts ADDED Viewed

@@ -0,0 +1,3 @@
+export { A as AuthContext, a as AuthMiddlewareOptions, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType, f as createAuthMiddleware, r as readRs256PublicKey, v as verifyBackendJwtRS256 } from '../index-WbfzvmOt.cjs';
+import 'express';
+import 'jsonwebtoken';

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export { A as AuthContext, a as AuthMiddlewareOptions, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType, f as createAuthMiddleware, r as readRs256PublicKey, v as verifyBackendJwtRS256 } from '../index-WbfzvmOt.js';
+import 'express';
+import 'jsonwebtoken';

package/dist/auth/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+import {
+  createAuthMiddleware,
+  readRs256PublicKey,
+  verifyBackendJwtRS256
+} from "../chunk-W23UYULS.js";
+import "../chunk-PZ5AY32C.js";
+export {
+  createAuthMiddleware,
+  readRs256PublicKey,
+  verifyBackendJwtRS256
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/cache/index.js CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   getOrSet,
   getTwoLevelCache
 } from "../chunk-IYFWQDHD.js";
+import "../chunk-PZ5AY32C.js";
 export {
   TwoLevelCache,
   closeCache,

package/dist/chunk-PZ5AY32C.js ADDED Viewed

@@ -0,0 +1,10 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+export {
+  __export
+};
+//# sourceMappingURL=chunk-PZ5AY32C.js.map

package/dist/chunk-PZ5AY32C.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-W23UYULS.js ADDED Viewed

@@ -0,0 +1,156 @@
+import {
+  __export
+} from "./chunk-PZ5AY32C.js";
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  createAuthMiddleware: () => createAuthMiddleware,
+  readRs256PublicKey: () => readRs256PublicKey,
+  verifyBackendJwtRS256: () => verifyBackendJwtRS256
+});
+// src/auth/jwt.ts
+import fs from "fs";
+import jwt from "jsonwebtoken";
+function readFileIfExists(path) {
+  if (!path) return null;
+  try {
+    const v = fs.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function readRs256PublicKey() {
+  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+  if (fromFile) return fromFile;
+  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  if (fromEnv) return fromEnv;
+  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+}
+function verifyBackendJwtRS256(raw) {
+  const publicKey = readRs256PublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return jwt.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+// src/auth/middleware.ts
+function getBearerToken(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function createAuthMiddleware(opts) {
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    const headerCtx = req.context || {};
+    const company_uid = normalizeUid(headerCtx.company_uid);
+    const branch_uid = normalizeUid(headerCtx.branch_uid);
+    try {
+      const decoded = verifyBackendJwtRS256(token);
+      const baseCtx = {
+        tokenType: "backend",
+        subject,
+        company_uid: company_uid ?? void 0,
+        branch_uid: branch_uid ?? void 0,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      Object.assign(baseCtx, hydrated);
+      if (requireSubject) {
+        if (subject === "employee" && !baseCtx.employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not resolved by hydrator"
+          });
+        }
+        if (subject === "customer" && !baseCtx.customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not resolved by hydrator"
+          });
+        }
+      }
+      req.auth = baseCtx;
+      return next();
+    } catch (errJwt) {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: company_uid ?? void 0,
+          branch_uid: branch_uid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+export {
+  readRs256PublicKey,
+  verifyBackendJwtRS256,
+  createAuthMiddleware,
+  auth_exports
+};
+//# sourceMappingURL=chunk-W23UYULS.js.map

package/dist/chunk-W23UYULS.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/auth/index.ts","../src/auth/jwt.ts","../src/auth/middleware.ts"],"sourcesContent":["export * from \"./types\";\nexport * from \"./jwt\";\nexport * from \"./middleware\";\n","import fs from \"fs\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\n\nfunction readFileIfExists(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\n/**\n * ✅ Keys viven en getmarket-stack:\n * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)\n * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY\n */\nexport function readRs256PublicKey(): string {\n const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);\n if (fromFile) return fromFile;\n\n const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || \"\")\n .replace(/\\\\n/g, \"\\n\")\n .trim();\n\n if (fromEnv) return fromEnv;\n\n throw new Error(\"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\");\n}\n\nexport function verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readRs256PublicKey();\n\n const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || \"getmarket.api\";\n const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || \"getmarket-auth\";\n\n // ✅ SOLO RS256\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n","import type {NextFunction, Response} from \"express\";\nimport {verifyBackendJwtRS256} from \"./jwt\";\nimport type {AuthContext, AuthMiddlewareOptions} from \"./types\";\n\nfunction getBearerToken(req: any): string | null {\n const auth = String(req.headers?.authorization || \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nfunction normalizeUid(v: any): string | null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\n/**\n * ✅ Middleware estándar:\n * - Solo Authorization: Bearer\n * - Solo RS256\n * - Cero legacy\n * - Hidrata vía hook (OBLIGATORIO) para que cada micro no replique lógica\n */\nexport function createAuthMiddleware(opts: AuthMiddlewareOptions) {\n const {\n subject,\n allowFirebaseIdToken = false,\n requireSubject = true,\n hydrate,\n } = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n // Contexto desde parseHeaders (SDK) -> req.context\n const headerCtx = (req as any).context || {};\n const company_uid = normalizeUid(headerCtx.company_uid);\n const branch_uid = normalizeUid(headerCtx.branch_uid);\n\n // 1) RS256 backend JWT\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const baseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n // ✅ hydrate obligatorio (cero legacy)\n const hydrated = await hydrate({decoded, req, subject, company_uid, branch_uid});\n Object.assign(baseCtx, hydrated);\n\n if (requireSubject) {\n if (subject === \"employee\" && !baseCtx.employee) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_NOT_FOUND\",\n message: \"Employee not resolved by hydrator\",\n });\n }\n if (subject === \"customer\" && !baseCtx.customer) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_NOT_FOUND\",\n message: \"Customer not resolved by hydrator\",\n });\n }\n }\n\n req.auth = baseCtx;\n return next();\n } catch (errJwt) {\n // 2) Firebase opcional (si está habilitado explícitamente)\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n // Import dinámico (pero firebase-admin está en deps del SDK)\n const {default: admin} = await import(\"firebase-admin\");\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n req.auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n };\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n"],"mappings":";;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,OAAO,QAAQ;AACf,OAAO,SAAuB;AAE9B,SAAS,iBAAiB,MAA8B;AACpD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,GAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAOO,SAAS,qBAA6B;AACzC,QAAM,WAAW,iBAAiB,QAAQ,IAAI,mBAAmB;AACjE,MAAI,SAAU,QAAO;AAErB,QAAM,UAAU,OAAO,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB,EAAE,EAC1F,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,MAAI,QAAS,QAAO;AAEpB,QAAM,IAAI,MAAM,4FAA4F;AAChH;AAEO,SAAS,sBAAsB,KAAyB;AAC3D,QAAM,YAAY,mBAAmB;AAErC,QAAM,WAAW,QAAQ,IAAI,gBAAgB,QAAQ,IAAI,qBAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI,cAAc,QAAQ,IAAI,mBAAmB;AAGxE,SAAO,IAAI,OAAO,KAAK,WAAW;AAAA,IAC9B,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACJ,CAAC;AACL;;;ACvCA,SAAS,eAAe,KAAyB;AAC7C,QAAM,OAAO,OAAO,IAAI,SAAS,iBAAiB,EAAE;AACpD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAClC;AAEA,SAAS,aAAa,GAAuB;AACzC,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AAC1B;AASO,SAAS,qBAAqB,MAA6B;AAC9D,QAAM;AAAA,IACF;AAAA,IACA,uBAAuB;AAAA,IACvB,iBAAiB;AAAA,IACjB;AAAA,EACJ,IAAI;AAEJ,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC1D,UAAM,QAAQ,eAAe,GAAG;AAChC,QAAI,CAAC,OAAO;AACR,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACxB,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACb,CAAC;AAAA,IACL;AAGA,UAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,cAAc,aAAa,UAAU,WAAW;AACtD,UAAM,aAAa,aAAa,UAAU,UAAU;AAGpD,QAAI;AACA,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,UAAuB;AAAA,QACzB,WAAW;AAAA,QACX;AAAA,QACA,aAAa,eAAe;AAAA,QAC5B,YAAY,cAAc;AAAA,QAC1B,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,QAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IAAI,QAAQ,qBAAqB,CAAC;AAAA,QAC/F,SAAS;AAAA,UACL,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACzB;AAAA,MACJ;AAGA,YAAM,WAAW,MAAM,QAAQ,EAAC,SAAS,KAAK,SAAS,aAAa,WAAU,CAAC;AAC/E,aAAO,OAAO,SAAS,QAAQ;AAE/B,UAAI,gBAAgB;AAChB,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAAA,MACJ;AAEA,UAAI,OAAO;AACX,aAAO,KAAK;AAAA,IAChB,SAAS,QAAQ;AAEb,UAAI,CAAC,sBAAsB;AACvB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAEA,UAAI;AAEA,cAAM,EAAC,SAAS,MAAK,IAAI,MAAM,OAAO,gBAAgB;AACtD,cAAM,kBAAkB,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACnE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAEA,YAAI,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,eAAe;AAAA,UAC5B,YAAY,cAAc;AAAA,UAC1B,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACzB;AAEA,eAAO,KAAK;AAAA,MAChB,QAAQ;AACJ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ;AACJ;","names":[]}

package/dist/{chunk-HTHX24NK.js → chunk-Y2JJLHAY.js} RENAMED Viewed

@@ -96,11 +96,54 @@ function internalAuth(req, res, next) {
   return next();
 }
+// src/middlewares/autorization.ts
+function getAuth(req) {
+  return req.auth ?? {};
+}
+function requireAuthContext() {
+  return (req, res, next) => {
+    if (!req.auth) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
+    return next();
+  };
+}
+function requirePermissions(...perms) {
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    const allow = new Set(auth.permissions ?? []);
+    const deny = new Set(auth.denied_permissions ?? []);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`);
+      }
+    }
+    const missing = perms.filter((p) => !allow.has(p));
+    if (missing.length) {
+      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", { missing });
+    }
+    return next();
+  };
+}
+function requireRoles(...roles) {
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    const have = new Set(auth.roles ?? []);
+    if (!roles.some((r) => have.has(r))) {
+      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required: roles });
+    }
+    return next();
+  };
+}
 export {
   requestId,
   parseHeaders,
   sendOk,
   sendError,
-  internalAuth
+  internalAuth,
+  requireAuthContext,
+  requirePermissions,
+  requireRoles
 };
-//# sourceMappingURL=chunk-HTHX24NK.js.map
+//# sourceMappingURL=chunk-Y2JJLHAY.js.map

package/dist/chunk-Y2JJLHAY.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/middlewares/requestId.ts","../src/middlewares/parseHeaders.ts","../src/middlewares/internalAuth.ts","../src/middlewares/respond.ts","../src/middlewares/autorization.ts"],"sourcesContent":["// middlewares/requestId.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {randomUUID, randomBytes} from \"crypto\";\n\nexport const REQUEST_ID_HEADER = \"x-request-id\";\nexport const REQUEST_ID_HEADER_ALT = \"x-requestid\";\nexport const RESPONSE_REQUEST_ID_HEADER = \"X-Request-Id\";\n\n// Si quieres IDs más cortos (opcional). Por defecto usamos UUID.\nfunction nanoidLike(len = 21) {\n return randomBytes(16).toString(\"base64url\").slice(0, len);\n}\n\nexport default function requestId(req: Request, res: Response, next: NextFunction) {\n const headerId = (req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT]) as\n | string\n | undefined;\n\n // ✅ estándar único: usa UUID (o cambia a nanoidLike() si prefieres corto)\n const id = headerId?.trim() || randomUUID();\n\n // ✅ estándar único (no legacy)\n (req as any).requestId = id;\n res.locals.requestId = id;\n\n // ✅ respuesta\n res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport {getRequestContextFromHeaders} from \"../headers\";\n\n/**\n * ✅ NO-LEGACY:\n * - solo setea UIDs\n * - no crea objetos company/branch\n * - no copia provider\n */\nexport default function parseHeaders(req: Request, _res: Response, next: NextFunction) {\n const context = getRequestContextFromHeaders(req.headers as any);\n\n (req as any).context = context;\n\n const auth: any = (req as any).auth ?? ((req as any).auth = {});\n if (context.company_uid) auth.company_uid = context.company_uid;\n if (context.branch_uid) auth.branch_uid = context.branch_uid;\n if (context.employee_uid) auth.employee_uid = context.employee_uid;\n\n next();\n}\n","import type {Request, Response, NextFunction} from \"express\";\nimport fs from \"fs\";\nimport crypto from \"crypto\";\nimport {sendError} from \"./respond\";\nimport {HEADER_INTERNAL_API_KEY} from \"../headers\";\n\nfunction readSecretFile(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\nfunction splitKeys(v?: string | null): string[] {\n if (!v) return [];\n return v.split(\",\").map((s) => s.trim()).filter(Boolean);\n}\n\nfunction getExpectedKeys(): string[] {\n const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);\n const envKey = (process.env.INTERNAL_API_KEY || \"\").trim();\n const raw = fileKey || envKey;\n return splitKeys(raw);\n}\n\nfunction extractToken(req: Request): string | null {\n const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || \"\").trim();\n return apiKey || null;\n}\n\nfunction safeEquals(a: string, b: string): boolean {\n const aa = Buffer.from(a);\n const bb = Buffer.from(b);\n if (aa.length !== bb.length) return false;\n return crypto.timingSafeEqual(aa, bb);\n}\n\nexport default function internalAuth(req: Request, res: Response, next: NextFunction) {\n const token = extractToken(req);\n\n if (!token) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);\n }\n\n const expectedKeys = getExpectedKeys();\n if (expectedKeys.length === 0) {\n return sendError(\n req,\n res,\n 500,\n \"MISCONFIGURED_INTERNAL_AUTH\",\n \"Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)\"\n );\n }\n\n const ok = expectedKeys.some((k) => safeEquals(token, k));\n if (!ok) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Invalid internal api key\");\n }\n\n return next();\n}\n","import type {Request, Response} from \"express\";\n\nexport function sendOk<T>(_req: Request, res: Response, data: T, statusCode = 200) {\n return res.status(statusCode).json({ok: true, data, requestId: res.locals?.requestId ?? null});\n}\n\nexport function sendError(\n _req: Request,\n res: Response,\n statusCode: number,\n code: string,\n message: string,\n details?: any\n) {\n return res.status(statusCode).json({\n ok: false,\n error: {code, message, ...(details !== undefined ? {details} : {})},\n requestId: res.locals?.requestId ?? null,\n });\n}\n","// packages/sdk/src/middlewares/authorization.ts\nimport type {Request, Response, NextFunction} from \"express\";\nimport {sendError} from \"./respond\";\n\ntype AuthShape = {\n roles?: string[];\n permissions?: string[];\n denied_permissions?: string[];\n};\n\nfunction getAuth(req: Request): AuthShape {\n return ((req as any).auth ?? {}) as AuthShape;\n}\n\n/**\n * 401 si no existe req.auth (contexto auth).\n * Útil para proteger rutas internas donde SIEMPRE debe existir auth.\n */\nexport function requireAuthContext() {\n return (req: Request, res: Response, next: NextFunction) => {\n if (!(req as any).auth) {\n return sendError(req, res, 401, \"UNAUTHORIZED\", \"Missing auth context\");\n }\n return next();\n };\n}\n\n/**\n * Requiere TODOS los permisos indicados.\n * Regla: denied_permissions siempre gana sobre permissions.\n */\nexport function requirePermissions(...perms: string[]) {\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n\n const allow = new Set<string>(auth.permissions ?? []);\n const deny = new Set<string>(auth.denied_permissions ?? []);\n\n // deny gana siempre\n for (const p of perms) {\n if (deny.has(p)) {\n return sendError(req, res, 403, \"FORBIDDEN\", `Denied: ${p}`);\n }\n }\n\n const missing = perms.filter((p) => !allow.has(p));\n if (missing.length) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Missing permissions\", {missing});\n }\n\n return next();\n };\n}\n\n/**\n * Requiere al menos 1 de los roles indicados.\n */\nexport function requireRoles(...roles: string[]) {\n return (req: Request, res: Response, next: NextFunction) => {\n const auth = getAuth(req);\n const have = new Set<string>(auth.roles ?? []);\n\n if (!roles.some((r) => have.has(r))) {\n return sendError(req, res, 403, \"FORBIDDEN\", \"Role not allowed\", {required: roles});\n }\n\n return next();\n };\n}\n"],"mappings":";;;;;;AAEA,SAAQ,YAAY,mBAAkB;AAE/B,IAAM,oBAAoB;AAC1B,IAAM,wBAAwB;AAC9B,IAAM,6BAA6B;AAO3B,SAAR,UAA2B,KAAc,KAAe,MAAoB;AAC/E,QAAM,WAAY,IAAI,QAAQ,iBAAiB,KAAK,IAAI,QAAQ,qBAAqB;AAKrF,QAAM,KAAK,UAAU,KAAK,KAAK,WAAW;AAG1C,EAAC,IAAY,YAAY;AACzB,MAAI,OAAO,YAAY;AAGvB,MAAI,UAAU,4BAA4B,EAAE;AAE5C,OAAK;AACT;;;ACpBe,SAAR,aAA8B,KAAc,MAAgB,MAAoB;AACnF,QAAM,UAAU,6BAA6B,IAAI,OAAc;AAE/D,EAAC,IAAY,UAAU;AAEvB,QAAM,OAAa,IAAY,SAAU,IAAY,OAAO,CAAC;AAC7D,MAAI,QAAQ,YAAa,MAAK,cAAc,QAAQ;AACpD,MAAI,QAAQ,WAAY,MAAK,aAAa,QAAQ;AAClD,MAAI,QAAQ,aAAc,MAAK,eAAe,QAAQ;AAEtD,OAAK;AACT;;;ACnBA,OAAO,QAAQ;AACf,OAAO,YAAY;;;ACAZ,SAAS,OAAU,MAAe,KAAe,MAAS,aAAa,KAAK;AAC/E,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK,EAAC,IAAI,MAAM,MAAM,WAAW,IAAI,QAAQ,aAAa,KAAI,CAAC;AACjG;AAEO,SAAS,UACZ,MACA,KACA,YACA,MACA,SACA,SACF;AACE,SAAO,IAAI,OAAO,UAAU,EAAE,KAAK;AAAA,IAC/B,IAAI;AAAA,IACJ,OAAO,EAAC,MAAM,SAAS,GAAI,YAAY,SAAY,EAAC,QAAO,IAAI,CAAC,EAAE;AAAA,IAClE,WAAW,IAAI,QAAQ,aAAa;AAAA,EACxC,CAAC;AACL;;;ADbA,SAAS,eAAe,MAA8B;AAClD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,GAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,UAAU,GAA6B;AAC5C,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,SAAO,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAC3D;AAEA,SAAS,kBAA4B;AACjC,QAAM,UAAU,eAAe,QAAQ,IAAI,qBAAqB;AAChE,QAAM,UAAU,QAAQ,IAAI,oBAAoB,IAAI,KAAK;AACzD,QAAM,MAAM,WAAW;AACvB,SAAO,UAAU,GAAG;AACxB;AAEA,SAAS,aAAa,KAA6B;AAC/C,QAAM,UAAU,IAAI,OAAO,uBAAuB,KAAK,IAAI,KAAK;AAChE,SAAO,UAAU;AACrB;AAEA,SAAS,WAAW,GAAW,GAAoB;AAC/C,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,QAAM,KAAK,OAAO,KAAK,CAAC;AACxB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,SAAO,OAAO,gBAAgB,IAAI,EAAE;AACxC;AAEe,SAAR,aAA8B,KAAc,KAAe,MAAoB;AAClF,QAAM,QAAQ,aAAa,GAAG;AAE9B,MAAI,CAAC,OAAO;AACR,WAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,6BAA6B,uBAAuB,GAAG;AAAA,EAC3G;AAEA,QAAM,eAAe,gBAAgB;AACrC,MAAI,aAAa,WAAW,GAAG;AAC3B,WAAO;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,KAAK,aAAa,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,CAAC;AACxD,MAAI,CAAC,IAAI;AACL,WAAO,UAAU,KAAK,KAAK,KAAK,aAAa,0BAA0B;AAAA,EAC3E;AAEA,SAAO,KAAK;AAChB;;;AEtDA,SAAS,QAAQ,KAAyB;AACtC,SAAS,IAAY,QAAQ,CAAC;AAClC;AAMO,SAAS,qBAAqB;AACjC,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,QAAI,CAAE,IAAY,MAAM;AACpB,aAAO,UAAU,KAAK,KAAK,KAAK,gBAAgB,sBAAsB;AAAA,IAC1E;AACA,WAAO,KAAK;AAAA,EAChB;AACJ;AAMO,SAAS,sBAAsB,OAAiB;AACnD,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AAExB,UAAM,QAAQ,IAAI,IAAY,KAAK,eAAe,CAAC,CAAC;AACpD,UAAM,OAAO,IAAI,IAAY,KAAK,sBAAsB,CAAC,CAAC;AAG1D,eAAW,KAAK,OAAO;AACnB,UAAI,KAAK,IAAI,CAAC,GAAG;AACb,eAAO,UAAU,KAAK,KAAK,KAAK,aAAa,WAAW,CAAC,EAAE;AAAA,MAC/D;AAAA,IACJ;AAEA,UAAM,UAAU,MAAM,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC;AACjD,QAAI,QAAQ,QAAQ;AAChB,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,uBAAuB,EAAC,QAAO,CAAC;AAAA,IACjF;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;AAKO,SAAS,gBAAgB,OAAiB;AAC7C,SAAO,CAAC,KAAc,KAAe,SAAuB;AACxD,UAAM,OAAO,QAAQ,GAAG;AACxB,UAAM,OAAO,IAAI,IAAY,KAAK,SAAS,CAAC,CAAC;AAE7C,QAAI,CAAC,MAAM,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,GAAG;AACjC,aAAO,UAAU,KAAK,KAAK,KAAK,aAAa,oBAAoB,EAAC,UAAU,MAAK,CAAC;AAAA,IACtF;AAEA,WAAO,KAAK;AAAA,EAChB;AACJ;","names":[]}

package/dist/core/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   withRequestId,
   withRequestIdConfig
 } from "../chunk-GG7EI74E.js";
+import "../chunk-PZ5AY32C.js";
 export {
   InternalHttp,
   REQUEST_ID_HEADER,

package/dist/headers/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   HEADER_REQUEST_ID,
   getRequestContextFromHeaders
 } from "../chunk-65HACONF.js";
+import "../chunk-PZ5AY32C.js";
 export {
   HEADER_AUTHORIZATION,
   HEADER_BRANCH_UID,

package/dist/index-WbfzvmOt.d.cts ADDED Viewed

@@ -0,0 +1,87 @@
+import { Request, Response, NextFunction } from 'express';
+import { JwtPayload } from 'jsonwebtoken';
+type AuthSubject = "employee" | "customer";
+type TokenType = "backend";
+type AuthSession = {
+    jti?: string;
+    device_id?: string;
+    expires_at?: number;
+};
+type AuthContext = {
+    tokenType: TokenType;
+    subject: AuthSubject;
+    employee?: any;
+    customer?: any;
+    company_uid?: string;
+    branch_uid?: string;
+    companies?: any[];
+    company?: any;
+    branch?: any;
+    roles?: string[];
+    permissions?: string[];
+    denied_permissions?: string[];
+    session?: AuthSession;
+    firebase?: any;
+};
+type HydrateInput = {
+    decoded: any;
+    req: Request;
+    subject: AuthSubject;
+    company_uid: string | null;
+    branch_uid: string | null;
+};
+type HydrateResult = Partial<Pick<AuthContext, "employee" | "customer" | "companies" | "company" | "branch" | "roles" | "permissions" | "denied_permissions">>;
+type Hydrator = (input: HydrateInput) => Promise<HydrateResult> | HydrateResult;
+type AuthMiddlewareOptions = {
+    subject: AuthSubject;
+    /**
+     * ✅ Si true, exige que el sujeto (employee/customer) exista tras hydrate.
+     * Default: true
+     */
+    requireSubject?: boolean;
+    /**
+     * Si true, permite fallback a Firebase idToken.
+     * Default: false
+     */
+    allowFirebaseIdToken?: boolean;
+    /**
+     * ✅ OBLIGATORIO para evitar "legacy" o acoplamientos:
+     * el micro decide cómo hidratar (DB local / AuthClient / etc).
+     */
+    hydrate: Hydrator;
+};
+/**
+ * ✅ Keys viven en getmarket-stack:
+ * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+ * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
+ */
+declare function readRs256PublicKey(): string;
+declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+/**
+ * ✅ Middleware estándar:
+ * - Solo Authorization: Bearer
+ * - Solo RS256
+ * - Cero legacy
+ * - Hidrata vía hook (OBLIGATORIO) para que cada micro no replique lógica
+ */
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+type index_AuthContext = AuthContext;
+type index_AuthMiddlewareOptions = AuthMiddlewareOptions;
+type index_AuthSession = AuthSession;
+type index_AuthSubject = AuthSubject;
+type index_HydrateInput = HydrateInput;
+type index_HydrateResult = HydrateResult;
+type index_Hydrator = Hydrator;
+type index_TokenType = TokenType;
+declare const index_createAuthMiddleware: typeof createAuthMiddleware;
+declare const index_readRs256PublicKey: typeof readRs256PublicKey;
+declare const index_verifyBackendJwtRS256: typeof verifyBackendJwtRS256;
+declare namespace index {
+  export { type index_AuthContext as AuthContext, type index_AuthMiddlewareOptions as AuthMiddlewareOptions, type index_AuthSession as AuthSession, type index_AuthSubject as AuthSubject, type index_HydrateInput as HydrateInput, type index_HydrateResult as HydrateResult, type index_Hydrator as Hydrator, type index_TokenType as TokenType, index_createAuthMiddleware as createAuthMiddleware, index_readRs256PublicKey as readRs256PublicKey, index_verifyBackendJwtRS256 as verifyBackendJwtRS256 };
+}
+export { type AuthContext as A, type HydrateInput as H, type TokenType as T, type AuthMiddlewareOptions as a, type AuthSession as b, type AuthSubject as c, type HydrateResult as d, type Hydrator as e, createAuthMiddleware as f, index as i, readRs256PublicKey as r, verifyBackendJwtRS256 as v };