@innvoid/getmarket-sdk 0.1.4 → 0.1.6

package/dist/headers/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/headers/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts"],"sourcesContent":["export * from \"./constants\";\nexport * from \"./parse\";\n","export const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","import {\n    HEADER_BRANCH_UID,\n    HEADER_COMPANY_UID,\n    HEADER_EMPLOYEE_UID,\n    HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n    requestId?: string | null;\n\n    company_uid?: string | null;\n    branch_uid?: string | null;\n    employee_uid?: string | null;\n};\n\nfunction asString(v: unknown): string | null {\n    if (typeof v !== \"string\") return null;\n    const s = v.trim();\n    return s ? s : null;\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional)\n * - x-request-id: string (opcional)\n *\n * 🚫 No JSON, no _id, no objetos.\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n    return {\n        requestId: asString(headers[HEADER_REQUEST_ID]) ?? null,\n        company_uid: asString(headers[HEADER_COMPANY_UID]) ?? null,\n        branch_uid: asString(headers[HEADER_BRANCH_UID]) ?? null,\n        employee_uid: asString(headers[HEADER_EMPLOYEE_UID]) ?? null,\n    };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;AAChC,IAAM,uBAAuB;;;ACQpC,SAAS,SAAS,GAA2B;AACzC,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,SAAO,IAAI,IAAI;AACnB;AAWO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,SAAS,QAAQ,iBAAiB,CAAC,KAAK;AAAA,IACnD,aAAa,SAAS,QAAQ,kBAAkB,CAAC,KAAK;AAAA,IACtD,YAAY,SAAS,QAAQ,iBAAiB,CAAC,KAAK;AAAA,IACpD,cAAc,SAAS,QAAQ,mBAAmB,CAAC,KAAK;AAAA,EAC5D;AACJ;","names":[]}
+{"version":3,"sources":["../../src/headers/index.ts","../../src/headers/constants.ts","../../src/headers/parse.ts"],"sourcesContent":["export * from \"./constants\";\nexport * from \"./parse\";\n","export const HEADER_REQUEST_ID = \"x-request-id\";\n\nexport const HEADER_COMPANY_UID = \"x-company\";\nexport const HEADER_BRANCH_UID = \"x-branch\";\nexport const HEADER_EMPLOYEE_UID = \"x-employee-uid\";\n\nexport const HEADER_INTERNAL_API_KEY = \"x-internal-api-key\";\nexport const HEADER_AUTHORIZATION = \"authorization\";\n","import {\n    HEADER_BRANCH_UID,\n    HEADER_COMPANY_UID,\n    HEADER_EMPLOYEE_UID,\n    HEADER_REQUEST_ID,\n} from \"./constants\";\n\nexport type RequestContext = {\n    requestId?: string | null;\n    company_uid?: string | null;\n    branch_uid?: string | null;\n    employee_uid?: string | null;\n};\n\nfunction normalizeHeaderValue(v: unknown): string | null {\n    if (typeof v !== \"string\") return null;\n    const s = v.trim();\n    if (!s) return null;\n\n    // ✅ NO-LEGACY: bloquea JSON en headers\n    if (s.startsWith(\"{\") || s.startsWith(\"[\") || s.includes('\"')) return null;\n\n    // Evitar valores demasiado cortos (basura)\n    if (s.length < 6) return null;\n\n    return s;\n}\n\n/**\n * Lee header aunque venga en mayúsculas/minúsculas (Express suele bajar a lower-case).\n */\nfunction h(headers: Record<string, any>, key: string): unknown {\n    return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];\n}\n\n/**\n * ✅ NO-LEGACY:\n * - x-company: <UID>\n * - x-branch: <UID>\n * - x-employee-uid: <UID> (opcional; NO reemplaza JWT)\n * - x-request-id: string (opcional)\n */\nexport function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext {\n    return {\n        requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,\n        company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,\n        branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,\n        employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null,\n    };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAO,IAAM,oBAAoB;AAE1B,IAAM,qBAAqB;AAC3B,IAAM,oBAAoB;AAC1B,IAAM,sBAAsB;AAE5B,IAAM,0BAA0B;AAChC,IAAM,uBAAuB;;;ACOpC,SAAS,qBAAqB,GAA2B;AACrD,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,IAAI,EAAE,KAAK;AACjB,MAAI,CAAC,EAAG,QAAO;AAGf,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,EAAG,QAAO;AAGtE,MAAI,EAAE,SAAS,EAAG,QAAO;AAEzB,SAAO;AACX;AAKA,SAAS,EAAE,SAA8B,KAAsB;AAC3D,SAAO,QAAQ,GAAG,KAAK,QAAQ,IAAI,YAAY,CAAC,KAAK,QAAQ,IAAI,YAAY,CAAC;AAClF;AASO,SAAS,6BAA6B,SAA8C;AACvF,SAAO;AAAA,IACH,WAAW,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IAClE,aAAa,qBAAqB,EAAE,SAAS,kBAAkB,CAAC,KAAK;AAAA,IACrE,YAAY,qBAAqB,EAAE,SAAS,iBAAiB,CAAC,KAAK;AAAA,IACnE,cAAc,qBAAqB,EAAE,SAAS,mBAAmB,CAAC,KAAK;AAAA,EAC3E;AACJ;","names":[]}

package/dist/headers/index.d.cts

@@ -1,3 +1,5 @@
+export { R as RequestContext, g as getRequestContextFromHeaders } from '../parse-C4vk-fmH.cjs';
+
 declare const HEADER_REQUEST_ID = "x-request-id";
 declare const HEADER_COMPANY_UID = "x-company";
 declare const HEADER_BRANCH_UID = "x-branch";
@@ -5,21 +7,4 @@ declare const HEADER_EMPLOYEE_UID = "x-employee-uid";
 declare const HEADER_INTERNAL_API_KEY = "x-internal-api-key";
 declare const HEADER_AUTHORIZATION = "authorization";
 
-type RequestContext = {
-    requestId?: string | null;
-    company_uid?: string | null;
-    branch_uid?: string | null;
-    employee_uid?: string | null;
-};
-/**
- * ✅ NO-LEGACY:
- * - x-company: <UID>
- * - x-branch: <UID>
- * - x-employee-uid: <UID> (opcional)
- * - x-request-id: string (opcional)
- *
- * 🚫 No JSON, no _id, no objetos.
- */
-declare function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext;
-
-export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID, type RequestContext, getRequestContextFromHeaders };
+export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID };

package/dist/headers/index.d.ts

@@ -1,3 +1,5 @@
+export { R as RequestContext, g as getRequestContextFromHeaders } from '../parse-C4vk-fmH.js';
+
 declare const HEADER_REQUEST_ID = "x-request-id";
 declare const HEADER_COMPANY_UID = "x-company";
 declare const HEADER_BRANCH_UID = "x-branch";
@@ -5,21 +7,4 @@ declare const HEADER_EMPLOYEE_UID = "x-employee-uid";
 declare const HEADER_INTERNAL_API_KEY = "x-internal-api-key";
 declare const HEADER_AUTHORIZATION = "authorization";
 
-type RequestContext = {
-    requestId?: string | null;
-    company_uid?: string | null;
-    branch_uid?: string | null;
-    employee_uid?: string | null;
-};
-/**
- * ✅ NO-LEGACY:
- * - x-company: <UID>
- * - x-branch: <UID>
- * - x-employee-uid: <UID> (opcional)
- * - x-request-id: string (opcional)
- *
- * 🚫 No JSON, no _id, no objetos.
- */
-declare function getRequestContextFromHeaders(headers: Record<string, any>): RequestContext;
-
-export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID, type RequestContext, getRequestContextFromHeaders };
+export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID };

package/dist/headers/index.js

@@ -6,8 +6,7 @@ import {
   HEADER_INTERNAL_API_KEY,
   HEADER_REQUEST_ID,
   getRequestContextFromHeaders
-} from "../chunk-65HACONF.js";
-import "../chunk-PZ5AY32C.js";
+} from "../chunk-P2U3MT2E.js";
 export {
   HEADER_AUTHORIZATION,
   HEADER_BRANCH_UID,

package/dist/index.cjs

@@ -37,10 +37,8 @@ __export(src_exports, {
   HEADER_INTERNAL_API_KEY: () => HEADER_INTERNAL_API_KEY,
   HEADER_REQUEST_ID: () => HEADER_REQUEST_ID,
   InternalHttp: () => InternalHttp,
-  REQUEST_ID_HEADER: () => REQUEST_ID_HEADER,
   TwoLevelCache: () => TwoLevelCache,
   UpstreamError: () => UpstreamError,
-  auth: () => auth_exports,
   closeCache: () => closeCache,
   createAuthMiddleware: () => createAuthMiddleware,
   createHttpClient: () => createHttpClient,
@@ -52,9 +50,11 @@ __export(src_exports, {
   parseHeaders: () => parseHeaders,
   readRs256PublicKey: () => readRs256PublicKey,
   requestId: () => requestId,
+  requireAnyPermission: () => requireAnyPermission,
   requireAuthContext: () => requireAuthContext,
   requirePermissions: () => requirePermissions,
   requireRoles: () => requireRoles,
+  requireRolesOrAnyPermission: () => requireRolesOrAnyPermission,
   sendError: () => sendError,
   sendOk: () => sendOk,
   verifyBackendJwtRS256: () => verifyBackendJwtRS256,
@@ -384,12 +384,27 @@ function mapAxiosToUpstreamError(err, svc) {
 
 // src/core/http.ts
 var import_axios = __toESM(require("axios"), 1);
+
+// src/middlewares/requestId.ts
+var import_crypto = require("crypto");
 var REQUEST_ID_HEADER = "x-request-id";
+var REQUEST_ID_HEADER_ALT = "x-requestid";
+var RESPONSE_REQUEST_ID_HEADER = "X-Request-Id";
+function requestId(req, res, next) {
+  const headerId = req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT];
+  const id = headerId?.trim() || (0, import_crypto.randomUUID)();
+  req.requestId = id;
+  res.locals.requestId = id;
+  res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);
+  next();
+}
+
+// src/core/http.ts
 function withRequestId(headers, requestId2) {
-  const h = headers && typeof headers === "object" ? { ...headers } : {};
+  const h2 = headers && typeof headers === "object" ? { ...headers } : {};
   const rid = (requestId2 || "").trim();
-  if (rid) h[REQUEST_ID_HEADER] = rid;
-  return h;
+  if (rid) h2[REQUEST_ID_HEADER] = rid;
+  return h2;
 }
 function withRequestIdConfig(config = {}, requestId2) {
   return {
@@ -518,42 +533,29 @@ var HEADER_INTERNAL_API_KEY = "x-internal-api-key";
 var HEADER_AUTHORIZATION = "authorization";
 
 // src/headers/parse.ts
-function asString(v) {
+function normalizeHeaderValue(v) {
   if (typeof v !== "string") return null;
   const s = v.trim();
-  return s ? s : null;
+  if (!s) return null;
+  if (s.startsWith("{") || s.startsWith("[") || s.includes('"')) return null;
+  if (s.length < 6) return null;
+  return s;
+}
+function h(headers, key) {
+  return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];
 }
 function getRequestContextFromHeaders(headers) {
   return {
-    requestId: asString(headers[HEADER_REQUEST_ID]) ?? null,
-    company_uid: asString(headers[HEADER_COMPANY_UID]) ?? null,
-    branch_uid: asString(headers[HEADER_BRANCH_UID]) ?? null,
-    employee_uid: asString(headers[HEADER_EMPLOYEE_UID]) ?? null
+    requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,
+    company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,
+    branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,
+    employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null
   };
 }
 
-// src/middlewares/requestId.ts
-var import_crypto = require("crypto");
-var REQUEST_ID_HEADER2 = "x-request-id";
-var REQUEST_ID_HEADER_ALT = "x-requestid";
-var RESPONSE_REQUEST_ID_HEADER = "X-Request-Id";
-function requestId(req, res, next) {
-  const headerId = req.headers[REQUEST_ID_HEADER2] || req.headers[REQUEST_ID_HEADER_ALT];
-  const id = headerId?.trim() || (0, import_crypto.randomUUID)();
-  req.requestId = id;
-  res.locals.requestId = id;
-  res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);
-  next();
-}
-
 // src/middlewares/parseHeaders.ts
 function parseHeaders(req, _res, next) {
-  const context = getRequestContextFromHeaders(req.headers);
-  req.context = context;
-  const auth = req.auth ?? (req.auth = {});
-  if (context.company_uid) auth.company_uid = context.company_uid;
-  if (context.branch_uid) auth.branch_uid = context.branch_uid;
-  if (context.employee_uid) auth.employee_uid = context.employee_uid;
+  req.context = getRequestContextFromHeaders(req.headers);
   next();
 }
 
@@ -625,10 +627,32 @@ function internalAuth(req, res, next) {
   return next();
 }
 
-// src/middlewares/autorization.ts
+// src/middlewares/authorization.ts
 function getAuth(req) {
   return req.auth ?? {};
 }
+function normalizeCode(v) {
+  if (!v) return null;
+  if (typeof v === "string") return v;
+  if (typeof v === "object") return v.code || v.name || null;
+  return null;
+}
+function rolesSet(auth) {
+  const out = /* @__PURE__ */ new Set();
+  for (const r of auth.roles || []) {
+    const c = normalizeCode(r);
+    if (c) out.add(c);
+  }
+  return out;
+}
+function permsSet(list) {
+  const out = /* @__PURE__ */ new Set();
+  for (const p of list || []) {
+    const c = normalizeCode(p);
+    if (c) out.add(c);
+  }
+  return out;
+}
 function requireAuthContext() {
   return (req, res, next) => {
     if (!req.auth) {
@@ -637,41 +661,104 @@ function requireAuthContext() {
     return next();
   };
 }
-function requirePermissions(...perms) {
+function isSysAdmin(auth, sysAdminRole) {
+  const have = rolesSet(auth);
+  return have.has(sysAdminRole);
+}
+function requirePermissions(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
     const auth = getAuth(req);
-    const allow = new Set(auth.permissions ?? []);
-    const deny = new Set(auth.denied_permissions ?? []);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
     for (const p of perms) {
       if (deny.has(p)) {
-        return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`);
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
       }
     }
     const missing = perms.filter((p) => !allow.has(p));
     if (missing.length) {
-      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", { missing });
+      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", {
+        missing,
+        mode: "ALL"
+      });
+    }
+    return next();
+  };
+}
+function requireAnyPermission(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const ok = perms.some((p) => allow.has(p));
+    if (!ok) {
+      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
+        required: perms,
+        mode: "ANY"
+      });
     }
     return next();
   };
 }
-function requireRoles(...roles) {
+function requireRoles(roles, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
     const auth = getAuth(req);
-    const have = new Set(auth.roles ?? []);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const have = rolesSet(auth);
     if (!roles.some((r) => have.has(r))) {
-      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required: roles });
+      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+        required: roles,
+        mode: "ANY"
+      });
+    }
+    return next();
+  };
+}
+function requireRolesOrAnyPermission(roles, perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const haveRoles = rolesSet(auth);
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const okRole = roles.some((r) => haveRoles.has(r));
+    const okPerm = perms.some((p) => allow.has(p));
+    if (!okRole && !okPerm) {
+      return sendError(req, res, 403, "FORBIDDEN", "Access denied", {
+        roles,
+        permissions: perms,
+        mode: "ROLES_OR_PERMS_ANY"
+      });
     }
     return next();
   };
 }
-
-// src/auth/index.ts
-var auth_exports = {};
-__export(auth_exports, {
-  createAuthMiddleware: () => createAuthMiddleware,
-  readRs256PublicKey: () => readRs256PublicKey,
-  verifyBackendJwtRS256: () => verifyBackendJwtRS256
-});
 
 // src/auth/jwt.ts
 var import_fs2 = __toESM(require("fs"), 1);
@@ -769,7 +856,7 @@ function createAuthMiddleware(opts) {
       }
       req.auth = baseCtx;
       return next();
-    } catch (errJwt) {
+    } catch {
       if (!allowFirebaseIdToken) {
         return res.status(401).json({
           ok: false,
@@ -818,10 +905,8 @@ function createAuthMiddleware(opts) {
   HEADER_INTERNAL_API_KEY,
   HEADER_REQUEST_ID,
   InternalHttp,
-  REQUEST_ID_HEADER,
   TwoLevelCache,
   UpstreamError,
-  auth,
   closeCache,
   createAuthMiddleware,
   createHttpClient,
@@ -833,9 +918,11 @@ function createAuthMiddleware(opts) {
   parseHeaders,
   readRs256PublicKey,
   requestId,
+  requireAnyPermission,
   requireAuthContext,
   requirePermissions,
   requireRoles,
+  requireRolesOrAnyPermission,
   sendError,
   sendOk,
   verifyBackendJwtRS256,