@innvoid/getmarket-sdk 0.1.5 → 0.1.8

package/dist/index.cjs

@@ -37,19 +37,29 @@ __export(src_exports, {
   HEADER_INTERNAL_API_KEY: () => HEADER_INTERNAL_API_KEY,
   HEADER_REQUEST_ID: () => HEADER_REQUEST_ID,
   InternalHttp: () => InternalHttp,
-  REQUEST_ID_HEADER: () => REQUEST_ID_HEADER,
-  REQUEST_ID_HEADER_ALT: () => REQUEST_ID_HEADER_ALT,
-  RESPONSE_REQUEST_ID_HEADER: () => RESPONSE_REQUEST_ID_HEADER,
   TwoLevelCache: () => TwoLevelCache,
   UpstreamError: () => UpstreamError,
+  authCustomerAllowFirebase: () => authCustomerAllowFirebase,
+  authCustomerRequired: () => authCustomerRequired,
+  authEmployeeAllowFirebase: () => authEmployeeAllowFirebase,
+  authEmployeeRequired: () => authEmployeeRequired,
   closeCache: () => closeCache,
   createAuthMiddleware: () => createAuthMiddleware,
+  createAuthMiddlewareLegacySimple: () => createAuthMiddleware2,
   createHttpClient: () => createHttpClient,
   getOrSet: () => getOrSet,
   getRequestContextFromHeaders: () => getRequestContextFromHeaders,
   getTwoLevelCache: () => getTwoLevelCache,
+  internalAuth: () => internalAuth,
   mapAxiosToUpstreamError: () => mapAxiosToUpstreamError,
+  parseHeaders: () => parseHeaders,
   readRs256PublicKey: () => readRs256PublicKey,
+  requestId: () => requestId,
+  requireAnyPermission: () => requireAnyPermission,
+  requireAuthContext: () => requireAuthContext,
+  requirePermissions: () => requirePermissions,
+  requireRoles: () => requireRoles,
+  requireRolesOrAnyPermission: () => requireRolesOrAnyPermission,
   sendError: () => sendError,
   sendOk: () => sendOk,
   verifyBackendJwtRS256: () => verifyBackendJwtRS256,
@@ -381,21 +391,30 @@ function mapAxiosToUpstreamError(err, svc) {
 var import_axios = __toESM(require("axios"), 1);
 
 // src/middlewares/requestId.ts
+var import_crypto = require("crypto");
 var REQUEST_ID_HEADER = "x-request-id";
 var REQUEST_ID_HEADER_ALT = "x-requestid";
 var RESPONSE_REQUEST_ID_HEADER = "X-Request-Id";
+function requestId(req, res, next) {
+  const headerId = req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT];
+  const id = headerId?.trim() || (0, import_crypto.randomUUID)();
+  req.requestId = id;
+  res.locals.requestId = id;
+  res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);
+  next();
+}
 
 // src/core/http.ts
-function withRequestId(headers, requestId) {
-  const h = headers && typeof headers === "object" ? { ...headers } : {};
-  const rid = (requestId || "").trim();
-  if (rid) h[REQUEST_ID_HEADER] = rid;
-  return h;
+function withRequestId(headers, requestId2) {
+  const h2 = headers && typeof headers === "object" ? { ...headers } : {};
+  const rid = (requestId2 || "").trim();
+  if (rid) h2[REQUEST_ID_HEADER] = rid;
+  return h2;
 }
-function withRequestIdConfig(config = {}, requestId) {
+function withRequestIdConfig(config = {}, requestId2) {
   return {
     ...config,
-    headers: withRequestId(config.headers, requestId)
+    headers: withRequestId(config.headers, requestId2)
   };
 }
 function createHttpClient(opts) {
@@ -519,20 +538,36 @@ var HEADER_INTERNAL_API_KEY = "x-internal-api-key";
 var HEADER_AUTHORIZATION = "authorization";
 
 // src/headers/parse.ts
-function asString(v) {
+function normalizeHeaderValue(v) {
   if (typeof v !== "string") return null;
   const s = v.trim();
-  return s ? s : null;
+  if (!s) return null;
+  if (s.startsWith("{") || s.startsWith("[") || s.includes('"')) return null;
+  if (s.length < 6) return null;
+  return s;
+}
+function h(headers, key) {
+  return headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];
 }
 function getRequestContextFromHeaders(headers) {
   return {
-    requestId: asString(headers[HEADER_REQUEST_ID]) ?? null,
-    company_uid: asString(headers[HEADER_COMPANY_UID]) ?? null,
-    branch_uid: asString(headers[HEADER_BRANCH_UID]) ?? null,
-    employee_uid: asString(headers[HEADER_EMPLOYEE_UID]) ?? null
+    requestId: normalizeHeaderValue(h(headers, HEADER_REQUEST_ID)) ?? null,
+    company_uid: normalizeHeaderValue(h(headers, HEADER_COMPANY_UID)) ?? null,
+    branch_uid: normalizeHeaderValue(h(headers, HEADER_BRANCH_UID)) ?? null,
+    employee_uid: normalizeHeaderValue(h(headers, HEADER_EMPLOYEE_UID)) ?? null
   };
 }
 
+// src/middlewares/parseHeaders.ts
+function parseHeaders(req, _res, next) {
+  req.context = getRequestContextFromHeaders(req.headers);
+  next();
+}
+
+// src/middlewares/internalAuth.ts
+var import_fs = __toESM(require("fs"), 1);
+var import_crypto2 = __toESM(require("crypto"), 1);
+
 // src/middlewares/respond.ts
 function sendOk(_req, res, data, statusCode = 200) {
   return res.status(statusCode).json({ ok: true, data, requestId: res.locals?.requestId ?? null });
@@ -545,13 +580,198 @@ function sendError(_req, res, statusCode, code, message, details) {
   });
 }
 
+// src/middlewares/internalAuth.ts
+function readSecretFile(path) {
+  if (!path) return null;
+  try {
+    const v = import_fs.default.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function splitKeys(v) {
+  if (!v) return [];
+  return v.split(",").map((s) => s.trim()).filter(Boolean);
+}
+function getExpectedKeys() {
+  const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);
+  const envKey = (process.env.INTERNAL_API_KEY || "").trim();
+  const raw = fileKey || envKey;
+  return splitKeys(raw);
+}
+function extractToken(req) {
+  const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || "").trim();
+  return apiKey || null;
+}
+function safeEquals(a, b) {
+  const aa = Buffer.from(a);
+  const bb = Buffer.from(b);
+  if (aa.length !== bb.length) return false;
+  return import_crypto2.default.timingSafeEqual(aa, bb);
+}
+function internalAuth(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return sendError(req, res, 401, "UNAUTHORIZED", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);
+  }
+  const expectedKeys = getExpectedKeys();
+  if (expectedKeys.length === 0) {
+    return sendError(
+      req,
+      res,
+      500,
+      "MISCONFIGURED_INTERNAL_AUTH",
+      "Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)"
+    );
+  }
+  const ok = expectedKeys.some((k) => safeEquals(token, k));
+  if (!ok) {
+    return sendError(req, res, 403, "FORBIDDEN", "Invalid internal api key");
+  }
+  return next();
+}
+
+// src/middlewares/authorization.ts
+function getAuth(req) {
+  return req.auth ?? {};
+}
+function normalizeCode(v) {
+  if (!v) return null;
+  if (typeof v === "string") return v;
+  if (typeof v === "object") return v.code || v.name || null;
+  return null;
+}
+function rolesSet(auth) {
+  const out = /* @__PURE__ */ new Set();
+  for (const r of auth.roles || []) {
+    const c = normalizeCode(r);
+    if (c) out.add(c);
+  }
+  return out;
+}
+function permsSet(list) {
+  const out = /* @__PURE__ */ new Set();
+  for (const p of list || []) {
+    const c = normalizeCode(p);
+    if (c) out.add(c);
+  }
+  return out;
+}
+function requireAuthContext() {
+  return (req, res, next) => {
+    if (!req.auth) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
+    return next();
+  };
+}
+function isSysAdmin(auth, sysAdminRole) {
+  const have = rolesSet(auth);
+  return have.has(sysAdminRole);
+}
+function requirePermissions(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const missing = perms.filter((p) => !allow.has(p));
+    if (missing.length) {
+      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", {
+        missing,
+        mode: "ALL"
+      });
+    }
+    return next();
+  };
+}
+function requireAnyPermission(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const ok = perms.some((p) => allow.has(p));
+    if (!ok) {
+      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
+        required: perms,
+        mode: "ANY"
+      });
+    }
+    return next();
+  };
+}
+function requireRoles(roles, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const have = rolesSet(auth);
+    if (!roles.some((r) => have.has(r))) {
+      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+        required: roles,
+        mode: "ANY"
+      });
+    }
+    return next();
+  };
+}
+function requireRolesOrAnyPermission(roles, perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const haveRoles = rolesSet(auth);
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const okRole = roles.some((r) => haveRoles.has(r));
+    const okPerm = perms.some((p) => allow.has(p));
+    if (!okRole && !okPerm) {
+      return sendError(req, res, 403, "FORBIDDEN", "Access denied", {
+        roles,
+        permissions: perms,
+        mode: "ROLES_OR_PERMS_ANY"
+      });
+    }
+    return next();
+  };
+}
+
 // src/auth/jwt.ts
-var import_fs = __toESM(require("fs"), 1);
+var import_fs2 = __toESM(require("fs"), 1);
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
 function readFileIfExists(path) {
   if (!path) return null;
   try {
-    const v = import_fs.default.readFileSync(path, "utf8").trim();
+    const v = import_fs2.default.readFileSync(path, "utf8").trim();
     return v.length ? v : null;
   } catch {
     return null;
@@ -587,12 +807,7 @@ function normalizeUid(v) {
   return s.length ? s : null;
 }
 function createAuthMiddleware(opts) {
-  const {
-    subject,
-    allowFirebaseIdToken = false,
-    requireSubject = true,
-    hydrate
-  } = opts;
+  const { subject, allowFirebaseIdToken = false, requireSubject = true, hydrate } = opts;
   return async (req, res, next) => {
     const token = getBearerToken(req);
     if (!token) {
@@ -650,8 +865,8 @@ function createAuthMiddleware(opts) {
         });
       }
       try {
-        const { default: admin } = await import("firebase-admin");
-        const firebaseDecoded = await admin.auth().verifyIdToken(token);
+        const { default: admin2 } = await import("firebase-admin");
+        const firebaseDecoded = await admin2.auth().verifyIdToken(token);
         if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
           return res.status(401).json({
             ok: false,
@@ -681,6 +896,153 @@ function createAuthMiddleware(opts) {
     }
   };
 }
+
+// src/auth/authentication.ts
+var import_firebase_admin = __toESM(require("firebase-admin"), 1);
+var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
+var import_fs3 = __toESM(require("fs"), 1);
+function getBearerToken2(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function readPublicKey() {
+  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
+  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
+  if (publicKeyPath) {
+    const v = import_fs3.default.readFileSync(publicKeyPath, "utf8").trim();
+    if (v) return v;
+  }
+  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
+  if (envKey) return envKey;
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
+}
+function verifyBackendJwtRS2562(raw) {
+  const publicKey = readPublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return import_jsonwebtoken2.default.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+function normalizeUid2(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function deriveCompanyBranch(decoded, companyUid, branchUid) {
+  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
+  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
+  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
+  return { companiesFromToken, company, branch };
+}
+function createAuthMiddleware2(opts) {
+  const { subject, allowFirebaseIdToken = false } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken2(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    try {
+      const decoded = verifyBackendJwtRS2562(token);
+      const headerCtx = req.context || {};
+      const companyUid = normalizeUid2(headerCtx.company_uid);
+      const branchUid = normalizeUid2(headerCtx.branch_uid);
+      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
+      const ctx = {
+        tokenType: "backend",
+        subject,
+        company_uid: companyUid ?? void 0,
+        branch_uid: branchUid ?? void 0,
+        companies: companiesFromToken,
+        company,
+        branch,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      if (subject === "employee") {
+        const employee = decoded?.employee ?? decoded?.user ?? null;
+        if (!employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not found in token"
+          });
+        }
+        ctx.employee = employee;
+      } else {
+        const customer = decoded?.customer ?? null;
+        if (!customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not found in token"
+          });
+        }
+        ctx.customer = customer;
+      }
+      req.auth = ctx;
+      return next();
+    } catch {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        const headerCtx = req.context || {};
+        const companyUid = normalizeUid2(headerCtx.company_uid);
+        const branchUid = normalizeUid2(headerCtx.branch_uid);
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: companyUid ?? void 0,
+          branch_uid: branchUid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+var authEmployeeRequired = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: false });
+var authCustomerRequired = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: false });
+var authEmployeeAllowFirebase = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: true });
+var authCustomerAllowFirebase = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: true });
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   HEADER_AUTHORIZATION,
@@ -690,19 +1052,29 @@ function createAuthMiddleware(opts) {
   HEADER_INTERNAL_API_KEY,
   HEADER_REQUEST_ID,
   InternalHttp,
-  REQUEST_ID_HEADER,
-  REQUEST_ID_HEADER_ALT,
-  RESPONSE_REQUEST_ID_HEADER,
   TwoLevelCache,
   UpstreamError,
+  authCustomerAllowFirebase,
+  authCustomerRequired,
+  authEmployeeAllowFirebase,
+  authEmployeeRequired,
   closeCache,
   createAuthMiddleware,
+  createAuthMiddlewareLegacySimple,
   createHttpClient,
   getOrSet,
   getRequestContextFromHeaders,
   getTwoLevelCache,
+  internalAuth,
   mapAxiosToUpstreamError,
+  parseHeaders,
   readRs256PublicKey,
+  requestId,
+  requireAnyPermission,
+  requireAuthContext,
+  requirePermissions,
+  requireRoles,
+  requireRolesOrAnyPermission,
   sendError,
   sendOk,
   verifyBackendJwtRS256,