@innvoid/getmarket-sdk 0.1.6 → 0.1.9

package/dist/chunk-WKL4L67F.js

@@ -0,0 +1,616 @@
+import {
+  HEADER_INTERNAL_API_KEY,
+  getRequestContextFromHeaders
+} from "./chunk-P2U3MT2E.js";
+
+// src/middlewares/parseHeaders.ts
+function parseHeaders(req, _res, next) {
+  req.context = getRequestContextFromHeaders(req.headers);
+  next();
+}
+
+// src/middlewares/internalAuth.ts
+import fs from "fs";
+import crypto from "crypto";
+
+// src/middlewares/respond.ts
+function sendOk(_req, res, data, statusCode = 200) {
+  return res.status(statusCode).json({ ok: true, data, requestId: res.locals?.requestId ?? null });
+}
+function sendError(_req, res, statusCode, code, message, details) {
+  return res.status(statusCode).json({
+    ok: false,
+    error: { code, message, ...details !== void 0 ? { details } : {} },
+    requestId: res.locals?.requestId ?? null
+  });
+}
+
+// src/middlewares/internalAuth.ts
+function readSecretFile(path) {
+  if (!path) return null;
+  try {
+    const v = fs.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function splitKeys(v) {
+  if (!v) return [];
+  return v.split(",").map((s) => s.trim()).filter(Boolean);
+}
+function getExpectedKeys() {
+  const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);
+  const envKey = (process.env.INTERNAL_API_KEY || "").trim();
+  const raw = fileKey || envKey;
+  return splitKeys(raw);
+}
+function extractToken(req) {
+  const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || "").trim();
+  return apiKey || null;
+}
+function safeEquals(a, b) {
+  const aa = Buffer.from(a);
+  const bb = Buffer.from(b);
+  if (aa.length !== bb.length) return false;
+  return crypto.timingSafeEqual(aa, bb);
+}
+function internalAuth(req, res, next) {
+  const token = extractToken(req);
+  if (!token) {
+    return sendError(req, res, 401, "UNAUTHORIZED", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);
+  }
+  const expectedKeys = getExpectedKeys();
+  if (expectedKeys.length === 0) {
+    return sendError(
+      req,
+      res,
+      500,
+      "MISCONFIGURED_INTERNAL_AUTH",
+      "Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)"
+    );
+  }
+  const ok = expectedKeys.some((k) => safeEquals(token, k));
+  if (!ok) {
+    return sendError(req, res, 403, "FORBIDDEN", "Invalid internal api key");
+  }
+  return next();
+}
+
+// src/middlewares/authorization.ts
+function getAuth(req) {
+  return req.auth ?? {};
+}
+function normalizeCode(v) {
+  if (!v) return null;
+  if (typeof v === "string") return v;
+  if (typeof v === "object") return v.code || v.name || null;
+  return null;
+}
+function rolesSet(auth) {
+  const out = /* @__PURE__ */ new Set();
+  for (const r of auth.roles || []) {
+    const c = normalizeCode(r);
+    if (c) out.add(c);
+  }
+  return out;
+}
+function permsSet(list) {
+  const out = /* @__PURE__ */ new Set();
+  for (const p of list || []) {
+    const c = normalizeCode(p);
+    if (c) out.add(c);
+  }
+  return out;
+}
+function requireAuthContext() {
+  return (req, res, next) => {
+    if (!req.auth) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
+    return next();
+  };
+}
+function isSysAdmin(auth, sysAdminRole) {
+  const have = rolesSet(auth);
+  return have.has(sysAdminRole);
+}
+function requirePermissions(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const missing = perms.filter((p) => !allow.has(p));
+    if (missing.length) {
+      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", {
+        missing,
+        mode: "ALL"
+      });
+    }
+    return next();
+  };
+}
+function requireAnyPermission(perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const ok = perms.some((p) => allow.has(p));
+    if (!ok) {
+      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
+        required: perms,
+        mode: "ANY"
+      });
+    }
+    return next();
+  };
+}
+function requireRoles(roles, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const have = rolesSet(auth);
+    if (!roles.some((r) => have.has(r))) {
+      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+        required: roles,
+        mode: "ANY"
+      });
+    }
+    return next();
+  };
+}
+function requireRolesOrAnyPermission(roles, perms, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return (req, res, next) => {
+    const auth = getAuth(req);
+    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
+    const haveRoles = rolesSet(auth);
+    const allow = permsSet(auth.permissions);
+    const deny = permsSet(auth.denied_permissions);
+    for (const p of perms) {
+      if (deny.has(p)) {
+        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+          denied: p
+        });
+      }
+    }
+    const okRole = roles.some((r) => haveRoles.has(r));
+    const okPerm = perms.some((p) => allow.has(p));
+    if (!okRole && !okPerm) {
+      return sendError(req, res, 403, "FORBIDDEN", "Access denied", {
+        roles,
+        permissions: perms,
+        mode: "ROLES_OR_PERMS_ANY"
+      });
+    }
+    return next();
+  };
+}
+
+// src/auth/jwt.ts
+import fs2 from "fs";
+import jwt from "jsonwebtoken";
+function readFileIfExists(path) {
+  if (!path) return null;
+  try {
+    const v = fs2.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
+function readRs256PublicKey() {
+  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+  if (fromFile) return fromFile;
+  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  if (fromEnv) return fromEnv;
+  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+}
+function verifyBackendJwtRS256(raw) {
+  const publicKey = readRs256PublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return jwt.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+
+// src/auth/middleware.ts
+function getBearerToken(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function createAuthMiddleware(opts) {
+  const { subject, allowFirebaseIdToken = false, requireSubject = true, hydrate } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    const headerCtx = req.context || {};
+    const company_uid = normalizeUid(headerCtx.company_uid);
+    const branch_uid = normalizeUid(headerCtx.branch_uid);
+    try {
+      const decoded = verifyBackendJwtRS256(token);
+      const baseCtx = {
+        tokenType: "backend",
+        subject,
+        company_uid: company_uid ?? void 0,
+        branch_uid: branch_uid ?? void 0,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      Object.assign(baseCtx, hydrated);
+      if (requireSubject) {
+        if (subject === "employee" && !baseCtx.employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not resolved by hydrator"
+          });
+        }
+        if (subject === "customer" && !baseCtx.customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not resolved by hydrator"
+          });
+        }
+      }
+      req.auth = baseCtx;
+      return next();
+    } catch {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const { default: admin2 } = await import("firebase-admin");
+        const firebaseDecoded = await admin2.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: company_uid ?? void 0,
+          branch_uid: branch_uid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+
+// src/auth/authentication.ts
+import admin from "firebase-admin";
+import jwt2 from "jsonwebtoken";
+import fs3 from "fs";
+function getBearerToken2(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function readPublicKey() {
+  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
+  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
+  if (publicKeyPath) {
+    const v = fs3.readFileSync(publicKeyPath, "utf8").trim();
+    if (v) return v;
+  }
+  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
+  if (envKey) return envKey;
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
+}
+function verifyBackendJwtRS2562(raw) {
+  const publicKey = readPublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return jwt2.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+function normalizeUid2(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function deriveCompanyBranch(decoded, companyUid, branchUid) {
+  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
+  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
+  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
+  return { companiesFromToken, company, branch };
+}
+function createAuthMiddleware2(opts) {
+  const { subject, allowFirebaseIdToken = false } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken2(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    try {
+      const decoded = verifyBackendJwtRS2562(token);
+      const headerCtx = req.context || {};
+      const companyUid = normalizeUid2(headerCtx.company_uid);
+      const branchUid = normalizeUid2(headerCtx.branch_uid);
+      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
+      const ctx = {
+        tokenType: "backend",
+        subject,
+        company_uid: companyUid ?? void 0,
+        branch_uid: branchUid ?? void 0,
+        companies: companiesFromToken,
+        company,
+        branch,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      if (subject === "employee") {
+        const employee = decoded?.employee ?? decoded?.user ?? null;
+        if (!employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not found in token"
+          });
+        }
+        ctx.employee = employee;
+      } else {
+        const customer = decoded?.customer ?? null;
+        if (!customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not found in token"
+          });
+        }
+        ctx.customer = customer;
+      }
+      req.auth = ctx;
+      return next();
+    } catch {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        const headerCtx = req.context || {};
+        const companyUid = normalizeUid2(headerCtx.company_uid);
+        const branchUid = normalizeUid2(headerCtx.branch_uid);
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: companyUid ?? void 0,
+          branch_uid: branchUid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+var authEmployeeRequired = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: false });
+var authCustomerRequired = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: false });
+var authEmployeeAllowFirebase = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: true });
+var authCustomerAllowFirebase = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: true });
+
+// src/middlewares/guards.ts
+function normalizeRole(r) {
+  if (!r) return null;
+  if (typeof r === "string") return r;
+  return r.code || r.name || null;
+}
+function normalizePerm(p) {
+  if (!p) return null;
+  if (typeof p === "string") return p;
+  return p.code || p.name || null;
+}
+function isSysAdmin2(roles) {
+  if (!Array.isArray(roles)) return false;
+  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
+}
+function getAuth2(req) {
+  return req.auth ?? {};
+}
+function permissionSets(auth) {
+  const allow = new Set(
+    (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  const deny = new Set(
+    (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  return { allow, deny };
+}
+function allowSysAdminOrAnyPermission(...perms) {
+  const required = (perms ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const ok = required.some((p) => allow.has(p));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
+          required
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrPermissionsAll(...perms) {
+  const required = (perms ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const missing = required.filter((p) => !allow.has(p));
+      if (missing.length) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
+          required,
+          missing
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRoles(...roles) {
+  const required = (roles ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const have = new Set(
+        (auth.roles ?? []).map(normalizeRole).filter(Boolean)
+      );
+      const ok = required.some((r) => have.has(r));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+          required
+        });
+      }
+      return next();
+    }
+  ];
+}
+
+export {
+  parseHeaders,
+  sendOk,
+  sendError,
+  internalAuth,
+  requireAuthContext,
+  requirePermissions,
+  requireAnyPermission,
+  requireRoles,
+  requireRolesOrAnyPermission,
+  readRs256PublicKey,
+  verifyBackendJwtRS256,
+  createAuthMiddleware,
+  createAuthMiddleware2,
+  authEmployeeRequired,
+  authCustomerRequired,
+  authEmployeeAllowFirebase,
+  authCustomerAllowFirebase,
+  allowSysAdminOrAnyPermission,
+  allowSysAdminOrPermissionsAll,
+  allowSysAdminOrRoles
+};
+//# sourceMappingURL=chunk-WKL4L67F.js.map