npm - @innvoid/getmarket-sdk - Versions diffs - 0.1.8 → 0.1.9 - Mend

@innvoid/getmarket-sdk 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/chunk-WKL4L67F.js +616 -0
package/dist/chunk-WKL4L67F.js.map +1 -0
package/dist/index.cjs +108 -0
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +16 -281
package/dist/index.js.map +1 -1
package/dist/middlewares/index.cjs +258 -0
package/dist/middlewares/index.cjs.map +1 -1
package/dist/middlewares/index.d.cts +19 -2
package/dist/middlewares/index.d.ts +19 -2
package/dist/middlewares/index.js +7 -1
package/package.json +1 -1
package/dist/chunk-JXOLNJ7J.js +0 -224
package/dist/chunk-JXOLNJ7J.js.map +0 -1

package/dist/index.d.cts CHANGED Viewed

@@ -1,7 +1,7 @@
 export { CacheProvider, TwoLevelCache, TwoLevelCacheOptions, closeCache, getOrSet, getTwoLevelCache } from './cache/index.cjs';
 export { AnyHeaders, ClientErrorCode, HttpClientOpts, InternalHttp, UpstreamError, createHttpClient, mapAxiosToUpstreamError, withRequestId, withRequestIdConfig } from './core/index.cjs';
 export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID, RequestContext, getRequestContextFromHeaders } from './headers/index.cjs';
-export { internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.cjs';
+export { allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.cjs';
 import { a as AuthMiddlewareOptions } from './types-CRECQuHp.cjs';
 export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-CRECQuHp.cjs';
 import { Response, NextFunction } from 'express';

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 export { CacheProvider, TwoLevelCache, TwoLevelCacheOptions, closeCache, getOrSet, getTwoLevelCache } from './cache/index.js';
 export { AnyHeaders, ClientErrorCode, HttpClientOpts, InternalHttp, UpstreamError, createHttpClient, mapAxiosToUpstreamError, withRequestId, withRequestIdConfig } from './core/index.js';
 export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMPLOYEE_UID, HEADER_INTERNAL_API_KEY, HEADER_REQUEST_ID, RequestContext, getRequestContextFromHeaders } from './headers/index.js';
-export { internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.js';
+export { allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.js';
 import { a as AuthMiddlewareOptions } from './types-CRECQuHp.js';
 export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-CRECQuHp.js';
 import { Response, NextFunction } from 'express';

package/dist/index.js CHANGED Viewed

@@ -13,16 +13,27 @@ import {
   withRequestIdConfig
 } from "./chunk-OSYBK5AN.js";
 import {
+  allowSysAdminOrAnyPermission,
+  allowSysAdminOrPermissionsAll,
+  allowSysAdminOrRoles,
+  authCustomerAllowFirebase,
+  authCustomerRequired,
+  authEmployeeAllowFirebase,
+  authEmployeeRequired,
+  createAuthMiddleware,
+  createAuthMiddleware2,
   internalAuth,
   parseHeaders,
+  readRs256PublicKey,
   requireAnyPermission,
   requireAuthContext,
   requirePermissions,
   requireRoles,
   requireRolesOrAnyPermission,
   sendError,
-  sendOk
-} from "./chunk-JXOLNJ7J.js";
+  sendOk,
+  verifyBackendJwtRS256
+} from "./chunk-WKL4L67F.js";
 import {
   requestId
 } from "./chunk-KJ64O2EG.js";
@@ -35,285 +46,6 @@ import {
   HEADER_REQUEST_ID,
   getRequestContextFromHeaders
 } from "./chunk-P2U3MT2E.js";
-// src/auth/jwt.ts
-import fs from "fs";
-import jwt from "jsonwebtoken";
-function readFileIfExists(path) {
-  if (!path) return null;
-  try {
-    const v = fs.readFileSync(path, "utf8").trim();
-    return v.length ? v : null;
-  } catch {
-    return null;
-  }
-}
-function readRs256PublicKey() {
-  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
-  if (fromFile) return fromFile;
-  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
-  if (fromEnv) return fromEnv;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
-}
-function verifyBackendJwtRS256(raw) {
-  const publicKey = readRs256PublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return jwt.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-// src/auth/middleware.ts
-function getBearerToken(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function createAuthMiddleware(opts) {
-  const { subject, allowFirebaseIdToken = false, requireSubject = true, hydrate } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    const headerCtx = req.context || {};
-    const company_uid = normalizeUid(headerCtx.company_uid);
-    const branch_uid = normalizeUid(headerCtx.branch_uid);
-    try {
-      const decoded = verifyBackendJwtRS256(token);
-      const baseCtx = {
-        tokenType: "backend",
-        subject,
-        company_uid: company_uid ?? void 0,
-        branch_uid: branch_uid ?? void 0,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
-      Object.assign(baseCtx, hydrated);
-      if (requireSubject) {
-        if (subject === "employee" && !baseCtx.employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not resolved by hydrator"
-          });
-        }
-        if (subject === "customer" && !baseCtx.customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not resolved by hydrator"
-          });
-        }
-      }
-      req.auth = baseCtx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const { default: admin2 } = await import("firebase-admin");
-        const firebaseDecoded = await admin2.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: company_uid ?? void 0,
-          branch_uid: branch_uid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
-  };
-}
-// src/auth/authentication.ts
-import admin from "firebase-admin";
-import jwt2 from "jsonwebtoken";
-import fs2 from "fs";
-function getBearerToken2(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function readPublicKey() {
-  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
-  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
-  if (publicKeyPath) {
-    const v = fs2.readFileSync(publicKeyPath, "utf8").trim();
-    if (v) return v;
-  }
-  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
-  if (envKey) return envKey;
-  throw new Error(
-    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
-  );
-}
-function verifyBackendJwtRS2562(raw) {
-  const publicKey = readPublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return jwt2.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-function normalizeUid2(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return { companiesFromToken, company, branch };
-}
-function createAuthMiddleware2(opts) {
-  const { subject, allowFirebaseIdToken = false } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken2(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    try {
-      const decoded = verifyBackendJwtRS2562(token);
-      const headerCtx = req.context || {};
-      const companyUid = normalizeUid2(headerCtx.company_uid);
-      const branchUid = normalizeUid2(headerCtx.branch_uid);
-      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
-      const ctx = {
-        tokenType: "backend",
-        subject,
-        company_uid: companyUid ?? void 0,
-        branch_uid: branchUid ?? void 0,
-        companies: companiesFromToken,
-        company,
-        branch,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      if (subject === "employee") {
-        const employee = decoded?.employee ?? decoded?.user ?? null;
-        if (!employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not found in token"
-          });
-        }
-        ctx.employee = employee;
-      } else {
-        const customer = decoded?.customer ?? null;
-        if (!customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not found in token"
-          });
-        }
-        ctx.customer = customer;
-      }
-      req.auth = ctx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const firebaseDecoded = await admin.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        const headerCtx = req.context || {};
-        const companyUid = normalizeUid2(headerCtx.company_uid);
-        const branchUid = normalizeUid2(headerCtx.branch_uid);
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: companyUid ?? void 0,
-          branch_uid: branchUid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
-  };
-}
-var authEmployeeRequired = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: false });
-var authCustomerRequired = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: false });
-var authEmployeeAllowFirebase = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: true });
-var authCustomerAllowFirebase = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: true });
 export {
   HEADER_AUTHORIZATION,
   HEADER_BRANCH_UID,
@@ -324,6 +56,9 @@ export {
   InternalHttp,
   TwoLevelCache,
   UpstreamError,
+  allowSysAdminOrAnyPermission,
+  allowSysAdminOrPermissionsAll,
+  allowSysAdminOrRoles,
   authCustomerAllowFirebase,
   authCustomerRequired,
   authEmployeeAllowFirebase,

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/auth/jwt.ts","../src/auth/middleware.ts","../src/auth/authentication.ts"],"sourcesContent":["import fs from \"fs\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\n\nfunction readFileIfExists(path?: string): string \| null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\n/*\n ✅ Keys viven en getmarket-stack:\n * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)\n * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY\n /\nexport function readRs256PublicKey(): string {\n const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);\n if (fromFile) return fromFile;\n\n const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY \|\| process.env.AUTH_RSA_PUBLIC_KEY \|\| \"\")\n .replace(/\\\\n/g, \"\\n\")\n .trim();\n\n if (fromEnv) return fromEnv;\n\n throw new Error(\"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\");\n}\n\nexport function verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readRs256PublicKey();\n\n const audience = process.env.JWT_AUDIENCE \|\| process.env.AUTH_JWT_AUDIENCE \|\| \"getmarket.api\";\n const issuer = process.env.JWT_ISSUER \|\| process.env.AUTH_JWT_ISSUER \|\| \"getmarket-auth\";\n\n // ✅ SOLO RS256\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n","import type {NextFunction, Response} from \"express\";\nimport {verifyBackendJwtRS256} from \"./jwt\";\nimport type {AuthContext, AuthMiddlewareOptions} from \"./types\";\n\nfunction getBearerToken(req: any): string \| null {\n const auth = String(req.headers?.authorization \|\| \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nfunction normalizeUid(v: any): string \| null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\n/\n ✅ Middleware estándar:\n * - Solo Authorization: Bearer\n * - Solo RS256\n * - Cero legacy\n * - Hidrata vía hook (OBLIGATORIO)\n /\nexport function createAuthMiddleware(opts: AuthMiddlewareOptions) {\n const {subject, allowFirebaseIdToken = false, requireSubject = true, hydrate} = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n // Contexto desde parseHeaders (SDK) -> req.context\n const headerCtx = (req as any).context \|\| {};\n const company_uid = normalizeUid(headerCtx.company_uid);\n const branch_uid = normalizeUid(headerCtx.branch_uid);\n\n // 1) RS256 backend JWT\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const baseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n // ✅ hydrate obligatorio\n const hydrated = await hydrate({decoded, req, subject, company_uid, branch_uid});\n Object.assign(baseCtx, hydrated);\n\n if (requireSubject) {\n if (subject === \"employee\" && !baseCtx.employee) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_NOT_FOUND\",\n message: \"Employee not resolved by hydrator\",\n });\n }\n if (subject === \"customer\" && !baseCtx.customer) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_NOT_FOUND\",\n message: \"Customer not resolved by hydrator\",\n });\n }\n }\n\n (req as any).auth = baseCtx;\n return next();\n } catch {\n // 2) Firebase opcional\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n const {default: admin} = await import(\"firebase-admin\");\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n (req as any).auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n } satisfies AuthContext;\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n","// packages/sdk/src/auth/authentication.ts\nimport type {NextFunction, Response} from \"express\";\nimport admin from \"firebase-admin\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\nimport fs from \"fs\";\n\ntype Subject = \"employee\" \| \"customer\";\ntype TokenType = \"backend\";\n\nexport interface AuthContext {\n tokenType: TokenType;\n subject: Subject;\n\n employee?: any;\n customer?: any;\n\n company_uid?: string;\n branch_uid?: string;\n\n company?: any;\n branch?: any;\n companies?: any[];\n\n roles?: string[];\n permissions?: string[];\n denied_permissions?: string[];\n\n session?: { jti?: string; device_id?: string; expires_at?: number };\n firebase?: admin.auth.DecodedIdToken;\n}\n\n/\n ✅ ÚNICO estándar:\n * - Authorization: Bearer <token>\n */\nfunction getBearerToken(req: any): string \| null {\n const auth = String(req.headers?.authorization \|\| \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nfunction readPublicKey(): string {\n const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;\n const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY \|\| process.env.AUTH_RSA_PUBLIC_KEY \|\| \"\";\n\n if (publicKeyPath) {\n const v = fs.readFileSync(publicKeyPath, \"utf8\").trim();\n if (v) return v;\n }\n\n const envKey = publicKeyEnv.replace(/\\\\n/g, \"\\n\").trim();\n if (envKey) return envKey;\n\n throw new Error(\n \"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\"\n );\n}\n\nfunction verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readPublicKey();\n const audience = process.env.JWT_AUDIENCE \|\| process.env.AUTH_JWT_AUDIENCE \|\| \"getmarket.api\";\n const issuer = process.env.JWT_ISSUER \|\| process.env.AUTH_JWT_ISSUER \|\| \"getmarket-auth\";\n\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n\nfunction normalizeUid(v: any): string \| null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\nfunction deriveCompanyBranch(decoded: any, companyUid: string \| null, branchUid: string \| null) {\n const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];\n\n const company =\n decoded?.company ??\n (companyUid ? companiesFromToken.find((c: any) => c?.uid === companyUid) : null) ??\n null;\n\n const branch =\n decoded?.branch ??\n (branchUid && company?.branches ? (company.branches \|\| []).find((b: any) => b?.uid === branchUid) : null) ??\n null;\n\n return {companiesFromToken, company, branch};\n}\n\nexport function createAuthMiddleware(opts: { subject: Subject; allowFirebaseIdToken?: boolean }) {\n const {subject, allowFirebaseIdToken = false} = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n if (!token) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_MISSING_TOKEN\",\n message: \"Missing Authorization Bearer token\",\n });\n }\n\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const headerCtx = (req as any).context \|\| {};\n const companyUid = normalizeUid(headerCtx.company_uid);\n const branchUid = normalizeUid(headerCtx.branch_uid);\n\n const {companiesFromToken, company, branch} = deriveCompanyBranch(decoded, companyUid, branchUid);\n\n const ctx: AuthContext = {\n tokenType: \"backend\",\n subject,\n\n company_uid: companyUid ?? undefined,\n branch_uid: branchUid ?? undefined,\n\n companies: companiesFromToken,\n company,\n branch,\n\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],\n\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n if (subject === \"employee\") {\n const employee = decoded?.employee ?? decoded?.user ?? null;\n if (!employee) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMPLOYEE_NOT_FOUND\",\n message: \"Employee not found in token\",\n });\n }\n ctx.employee = employee;\n } else {\n const customer = decoded?.customer ?? null;\n if (!customer) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_CUSTOMER_NOT_FOUND\",\n message: \"Customer not found in token\",\n });\n }\n ctx.customer = customer;\n }\n\n req.auth = ctx; // runtime OK\n return next();\n } catch {\n if (!allowFirebaseIdToken) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n\n try {\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_EMAIL_NOT_VERIFIED\",\n message: \"Email not verified\",\n });\n }\n\n const headerCtx = (req as any).context \|\| {};\n const companyUid = normalizeUid(headerCtx.company_uid);\n const branchUid = normalizeUid(headerCtx.branch_uid);\n\n req.auth = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: companyUid ?? undefined,\n branch_uid: branchUid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n };\n\n return next();\n } catch {\n return res.status(401).json({\n ok: false,\n code: \"AUTH_INVALID_TOKEN\",\n message: \"Invalid or expired token\",\n });\n }\n }\n };\n}\n\nexport const authEmployeeRequired = createAuthMiddleware({subject: \"employee\", allowFirebaseIdToken: false});\nexport const authCustomerRequired = createAuthMiddleware({subject: \"customer\", allowFirebaseIdToken: false});\nexport const authEmployeeAllowFirebase = createAuthMiddleware({subject: \"employee\", allowFirebaseIdToken: true});\nexport const authCustomerAllowFirebase = createAuthMiddleware({subject: \"customer\", allowFirebaseIdToken: true});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,QAAQ;AACf,OAAO,SAAuB;AAE9B,SAAS,iBAAiB,MAA8B;AACpD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACA,UAAM,IAAI,GAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EAC1B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAOO,SAAS,qBAA6B;AACzC,QAAM,WAAW,iBAAiB,QAAQ,IAAI,mBAAmB;AACjE,MAAI,SAAU,QAAO;AAErB,QAAM,UAAU,OAAO,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB,EAAE,EAC1F,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAEV,MAAI,QAAS,QAAO;AAEpB,QAAM,IAAI,MAAM,4FAA4F;AAChH;AAEO,SAAS,sBAAsB,KAAyB;AAC3D,QAAM,YAAY,mBAAmB;AAErC,QAAM,WAAW,QAAQ,IAAI,gBAAgB,QAAQ,IAAI,qBAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI,cAAc,QAAQ,IAAI,mBAAmB;AAGxE,SAAO,IAAI,OAAO,KAAK,WAAW;AAAA,IAC9B,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACJ,CAAC;AACL;;;ACvCA,SAAS,eAAe,KAAyB;AAC7C,QAAM,OAAO,OAAO,IAAI,SAAS,iBAAiB,EAAE;AACpD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAClC;AAEA,SAAS,aAAa,GAAuB;AACzC,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AAC1B;AASO,SAAS,qBAAqB,MAA6B;AAC9D,QAAM,EAAC,SAAS,uBAAuB,OAAO,iBAAiB,MAAM,QAAO,IAAI;AAEhF,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC1D,UAAM,QAAQ,eAAe,GAAG;AAChC,QAAI,CAAC,OAAO;AACR,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACxB,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACb,CAAC;AAAA,IACL;AAGA,UAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,cAAc,aAAa,UAAU,WAAW;AACtD,UAAM,aAAa,aAAa,UAAU,UAAU;AAGpD,QAAI;AACA,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,UAAuB;AAAA,QACzB,WAAW;AAAA,QACX;AAAA,QACA,aAAa,eAAe;AAAA,QAC5B,YAAY,cAAc;AAAA,QAC1B,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,QAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IAAI,QAAQ,qBAAqB,CAAC;AAAA,QAC/F,SAAS;AAAA,UACL,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACzB;AAAA,MACJ;AAGA,YAAM,WAAW,MAAM,QAAQ,EAAC,SAAS,KAAK,SAAS,aAAa,WAAU,CAAC;AAC/E,aAAO,OAAO,SAAS,QAAQ;AAE/B,UAAI,gBAAgB;AAChB,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC7C,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAAA,MACJ;AAEA,MAAC,IAAY,OAAO;AACpB,aAAO,KAAK;AAAA,IAChB,QAAQ;AAEJ,UAAI,CAAC,sBAAsB;AACvB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAEA,UAAI;AACA,cAAM,EAAC,SAASA,OAAK,IAAI,MAAM,OAAO,gBAAgB;AACtD,cAAM,kBAAkB,MAAMA,OAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACnE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAEA,QAAC,IAAY,OAAO;AAAA,UAChB,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,eAAe;AAAA,UAC5B,YAAY,cAAc;AAAA,UAC1B,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACzB;AAEA,eAAO,KAAK;AAAA,MAChB,QAAQ;AACJ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ;AACJ;;;AC7HA,OAAO,WAAW;AAClB,OAAOC,UAAuB;AAC9B,OAAOC,SAAQ;AA+Bf,SAASC,gBAAe,KAAyB;AAC7C,QAAM,OAAO,OAAO,IAAI,SAAS,iBAAiB,EAAE;AACpD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AACxC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAClC;AAEA,SAAS,gBAAwB;AAC7B,QAAM,gBAAgB,QAAQ,IAAI;AAClC,QAAM,eAAe,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB;AAE3F,MAAI,eAAe;AACf,UAAM,IAAID,IAAG,aAAa,eAAe,MAAM,EAAE,KAAK;AACtD,QAAI,EAAG,QAAO;AAAA,EAClB;AAEA,QAAM,SAAS,aAAa,QAAQ,QAAQ,IAAI,EAAE,KAAK;AACvD,MAAI,OAAQ,QAAO;AAEnB,QAAM,IAAI;AAAA,IACN;AAAA,EACJ;AACJ;AAEA,SAASE,uBAAsB,KAAyB;AACpD,QAAM,YAAY,cAAc;AAChC,QAAM,WAAW,QAAQ,IAAI,gBAAgB,QAAQ,IAAI,qBAAqB;AAC9E,QAAM,SAAS,QAAQ,IAAI,cAAc,QAAQ,IAAI,mBAAmB;AAExE,SAAOH,KAAI,OAAO,KAAK,WAAW;AAAA,IAC9B,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,EACJ,CAAC;AACL;AAEA,SAASI,cAAa,GAAuB;AACzC,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AAC1B;AAEA,SAAS,oBAAoB,SAAc,YAA2B,WAA0B;AAC5F,QAAM,qBAAqB,MAAM,QAAQ,SAAS,SAAS,IAAI,QAAQ,YAAY,CAAC;AAEpF,QAAM,UACF,SAAS,YACR,aAAa,mBAAmB,KAAK,CAAC,MAAW,GAAG,QAAQ,UAAU,IAAI,SAC3E;AAEJ,QAAM,SACF,SAAS,WACR,aAAa,SAAS,YAAY,QAAQ,YAAY,CAAC,GAAG,KAAK,CAAC,MAAW,GAAG,QAAQ,SAAS,IAAI,SACpG;AAEJ,SAAO,EAAC,oBAAoB,SAAS,OAAM;AAC/C;AAEO,SAASC,sBAAqB,MAA4D;AAC7F,QAAM,EAAC,SAAS,uBAAuB,MAAK,IAAI;AAEhD,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC1D,UAAM,QAAQH,gBAAe,GAAG;AAChC,QAAI,CAAC,OAAO;AACR,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACxB,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,SAAS;AAAA,MACb,CAAC;AAAA,IACL;AAEA,QAAI;AACA,YAAM,UAAeC,uBAAsB,KAAK;AAEhD,YAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,YAAM,aAAaC,cAAa,UAAU,WAAW;AACrD,YAAM,YAAYA,cAAa,UAAU,UAAU;AAEnD,YAAM,EAAC,oBAAoB,SAAS,OAAM,IAAI,oBAAoB,SAAS,YAAY,SAAS;AAEhG,YAAM,MAAmB;AAAA,QACrB,WAAW;AAAA,QACX;AAAA,QAEA,aAAa,cAAc;AAAA,QAC3B,YAAY,aAAa;AAAA,QAEzB,WAAW;AAAA,QACX;AAAA,QACA;AAAA,QAEA,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAAI,QAAQ,cAAc,CAAC;AAAA,QAC1E,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IAAI,QAAQ,qBAAqB,CAAC;AAAA,QAE/F,SAAS;AAAA,UACL,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACzB;AAAA,MACJ;AAEA,UAAI,YAAY,YAAY;AACxB,cAAM,WAAW,SAAS,YAAY,SAAS,QAAQ;AACvD,YAAI,CAAC,UAAU;AACX,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,WAAW;AAAA,MACnB,OAAO;AACH,cAAM,WAAW,SAAS,YAAY;AACtC,YAAI,CAAC,UAAU;AACX,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AACA,YAAI,WAAW;AAAA,MACnB;AAEA,UAAI,OAAO;AACX,aAAO,KAAK;AAAA,IAChB,QAAQ;AACJ,UAAI,CAAC,sBAAsB;AACvB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAEA,UAAI;AACA,cAAM,kBAAkB,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACnE,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACxB,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,UACb,CAAC;AAAA,QACL;AAEA,cAAM,YAAa,IAAY,WAAW,CAAC;AAC3C,cAAM,aAAaA,cAAa,UAAU,WAAW;AACrD,cAAM,YAAYA,cAAa,UAAU,UAAU;AAEnD,YAAI,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,cAAc;AAAA,UAC3B,YAAY,aAAa;AAAA,UACzB,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACzB;AAEA,eAAO,KAAK;AAAA,MAChB,QAAQ;AACJ,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UACxB,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,SAAS;AAAA,QACb,CAAC;AAAA,MACL;AAAA,IACJ;AAAA,EACJ;AACJ;AAEO,IAAM,uBAAuBC,sBAAqB,EAAC,SAAS,YAAY,sBAAsB,MAAK,CAAC;AACpG,IAAM,uBAAuBA,sBAAqB,EAAC,SAAS,YAAY,sBAAsB,MAAK,CAAC;AACpG,IAAM,4BAA4BA,sBAAqB,EAAC,SAAS,YAAY,sBAAsB,KAAI,CAAC;AACxG,IAAM,4BAA4BA,sBAAqB,EAAC,SAAS,YAAY,sBAAsB,KAAI,CAAC;","names":["admin","jwt","fs","getBearerToken","verifyBackendJwtRS256","normalizeUid","createAuthMiddleware"]}
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/middlewares/index.cjs CHANGED Viewed

@@ -30,6 +30,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/middlewares/index.ts
 var middlewares_exports = {};
 __export(middlewares_exports, {
+  allowSysAdminOrAnyPermission: () => allowSysAdminOrAnyPermission,
+  allowSysAdminOrPermissionsAll: () => allowSysAdminOrPermissionsAll,
+  allowSysAdminOrRoles: () => allowSysAdminOrRoles,
   internalAuth: () => internalAuth,
   parseHeaders: () => parseHeaders,
   requestId: () => requestId,
@@ -291,8 +294,263 @@ function requireRolesOrAnyPermission(roles, perms, options) {
     return next();
   };
 }
+// src/auth/jwt.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+// src/auth/authentication.ts
+var import_firebase_admin = __toESM(require("firebase-admin"), 1);
+var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
+var import_fs2 = __toESM(require("fs"), 1);
+function getBearerToken(req) {
+  const auth = String(req.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function readPublicKey() {
+  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
+  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
+  if (publicKeyPath) {
+    const v = import_fs2.default.readFileSync(publicKeyPath, "utf8").trim();
+    if (v) return v;
+  }
+  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
+  if (envKey) return envKey;
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
+}
+function verifyBackendJwtRS2562(raw) {
+  const publicKey = readPublicKey();
+  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+  return import_jsonwebtoken2.default.verify(raw, publicKey, {
+    algorithms: ["RS256"],
+    audience,
+    issuer
+  });
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function deriveCompanyBranch(decoded, companyUid, branchUid) {
+  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
+  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
+  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
+  return { companiesFromToken, company, branch };
+}
+function createAuthMiddleware(opts) {
+  const { subject, allowFirebaseIdToken = false } = opts;
+  return async (req, res, next) => {
+    const token = getBearerToken(req);
+    if (!token) {
+      return res.status(401).json({
+        ok: false,
+        code: "AUTH_MISSING_TOKEN",
+        message: "Missing Authorization Bearer token"
+      });
+    }
+    try {
+      const decoded = verifyBackendJwtRS2562(token);
+      const headerCtx = req.context || {};
+      const companyUid = normalizeUid(headerCtx.company_uid);
+      const branchUid = normalizeUid(headerCtx.branch_uid);
+      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
+      const ctx = {
+        tokenType: "backend",
+        subject,
+        company_uid: companyUid ?? void 0,
+        branch_uid: branchUid ?? void 0,
+        companies: companiesFromToken,
+        company,
+        branch,
+        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+        session: {
+          jti: decoded?.jti,
+          device_id: decoded?.device_id,
+          expires_at: decoded?.exp
+        }
+      };
+      if (subject === "employee") {
+        const employee = decoded?.employee ?? decoded?.user ?? null;
+        if (!employee) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not found in token"
+          });
+        }
+        ctx.employee = employee;
+      } else {
+        const customer = decoded?.customer ?? null;
+        if (!customer) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not found in token"
+          });
+        }
+        ctx.customer = customer;
+      }
+      req.auth = ctx;
+      return next();
+    } catch {
+      if (!allowFirebaseIdToken) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+      try {
+        const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
+        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+          return res.status(401).json({
+            ok: false,
+            code: "AUTH_EMAIL_NOT_VERIFIED",
+            message: "Email not verified"
+          });
+        }
+        const headerCtx = req.context || {};
+        const companyUid = normalizeUid(headerCtx.company_uid);
+        const branchUid = normalizeUid(headerCtx.branch_uid);
+        req.auth = {
+          tokenType: "backend",
+          subject,
+          firebase: firebaseDecoded,
+          company_uid: companyUid ?? void 0,
+          branch_uid: branchUid ?? void 0,
+          companies: [],
+          roles: [],
+          permissions: [],
+          denied_permissions: []
+        };
+        return next();
+      } catch {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_INVALID_TOKEN",
+          message: "Invalid or expired token"
+        });
+      }
+    }
+  };
+}
+var authEmployeeRequired = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: false });
+var authCustomerRequired = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: false });
+var authEmployeeAllowFirebase = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: true });
+var authCustomerAllowFirebase = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: true });
+// src/middlewares/guards.ts
+function normalizeRole(r) {
+  if (!r) return null;
+  if (typeof r === "string") return r;
+  return r.code || r.name || null;
+}
+function normalizePerm(p) {
+  if (!p) return null;
+  if (typeof p === "string") return p;
+  return p.code || p.name || null;
+}
+function isSysAdmin2(roles) {
+  if (!Array.isArray(roles)) return false;
+  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
+}
+function getAuth2(req) {
+  return req.auth ?? {};
+}
+function permissionSets(auth) {
+  const allow = new Set(
+    (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  const deny = new Set(
+    (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  return { allow, deny };
+}
+function allowSysAdminOrAnyPermission(...perms) {
+  const required = (perms ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const ok = required.some((p) => allow.has(p));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
+          required
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrPermissionsAll(...perms) {
+  const required = (perms ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const missing = required.filter((p) => !allow.has(p));
+      if (missing.length) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
+          required,
+          missing
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRoles(...roles) {
+  const required = (roles ?? []).filter(Boolean);
+  return [
+    parseHeaders,
+    authEmployeeRequired,
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (isSysAdmin2(auth.roles)) return next();
+      const have = new Set(
+        (auth.roles ?? []).map(normalizeRole).filter(Boolean)
+      );
+      const ok = required.some((r) => have.has(r));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+          required
+        });
+      }
+      return next();
+    }
+  ];
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  allowSysAdminOrAnyPermission,
+  allowSysAdminOrPermissionsAll,
+  allowSysAdminOrRoles,
   internalAuth,
   parseHeaders,
   requestId,