@innvoid/getmarket-sdk 0.2.7 → 0.2.8

package/dist/index.cjs

@@ -52,7 +52,6 @@ __export(src_exports, {
   buildInternalHeaders: () => buildInternalHeaders,
   closeCache: () => closeCache,
   createAuthMiddleware: () => createAuthMiddleware,
-  createAuthMiddlewareLegacySimple: () => createAuthMiddleware2,
   createBulkRefsClient: () => createBulkRefsClient,
   createFisClient: () => createFisClient,
   createHttpClient: () => createHttpClient,
@@ -63,6 +62,9 @@ __export(src_exports, {
   createPayClient: () => createPayClient,
   createPlatformClient: () => createPlatformClient,
   createResClient: () => createResClient,
+  extractCustomerUid: () => extractCustomerUid,
+  extractEmployeeUid: () => extractEmployeeUid,
+  getBearerToken: () => getBearerToken,
   getOrSet: () => getOrSet,
   getRequestContextFromHeaders: () => getRequestContextFromHeaders,
   getTwoLevelCache: () => getTwoLevelCache,
@@ -71,6 +73,7 @@ __export(src_exports, {
   mapAxiosToUpstreamError: () => mapAxiosToUpstreamError,
   newUid: () => newUid,
   newUidV4: () => newUidV4,
+  normalizeUid: () => normalizeUid,
   parseHeaders: () => parseHeaders,
   readRs256PublicKey: () => readRs256PublicKey,
   readServiceEnv: () => readServiceEnv,
@@ -792,12 +795,26 @@ function readFileIfExists(path) {
     return null;
   }
 }
+function getBearerToken(req) {
+  const auth = String(req?.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
 function readRs256PublicKey() {
   const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
   if (fromFile) return fromFile;
-  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  const fromEnv = String(
+    process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
+  ).replace(/\\n/g, "\n").trim();
   if (fromEnv) return fromEnv;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
 }
 function verifyBackendJwtRS256(raw) {
   const publicKey = readRs256PublicKey();
@@ -809,20 +826,31 @@ function verifyBackendJwtRS256(raw) {
     issuer
   });
 }
-
-// src/auth/middleware.ts
-function getBearerToken(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
+function extractEmployeeUid(decoded) {
+  const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
+  if (direct) return direct;
+  const sub = normalizeUid(decoded?.sub);
+  if (!sub) return null;
+  const match = /^emp:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
 }
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
+function extractCustomerUid(decoded) {
+  const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
+  if (direct) return direct;
+  const sub = normalizeUid(decoded?.sub);
+  if (!sub) return null;
+  const match = /^cus:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
 }
+
+// src/auth/middleware.ts
 function createAuthMiddleware(opts) {
-  const { subject, allowFirebaseIdToken = false, requireSubject = true, hydrate } = opts;
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
   return async (req, res, next) => {
     const token = getBearerToken(req);
     if (!token) {
@@ -851,8 +879,33 @@ function createAuthMiddleware(opts) {
           expires_at: decoded?.exp
         }
       };
-      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      if (subject === "employee") {
+        baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
+      } else {
+        baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
+      }
+      const hydrated = await hydrate({
+        decoded,
+        req,
+        subject,
+        company_uid,
+        branch_uid
+      });
       Object.assign(baseCtx, hydrated);
+      if (subject === "employee" && !baseCtx.employee_uid) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_EMPLOYEE_UID_MISSING",
+          message: "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
+        });
+      }
+      if (subject === "customer" && !baseCtx.customer_uid) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_CUSTOMER_UID_MISSING",
+          message: "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
+        });
+      }
       if (requireSubject) {
         if (subject === "employee" && !baseCtx.employee) {
           return res.status(401).json({
@@ -880,8 +933,8 @@ function createAuthMiddleware(opts) {
         });
       }
       try {
-        const { default: admin2 } = await import("firebase-admin");
-        const firebaseDecoded = await admin2.auth().verifyIdToken(token);
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
         if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
           return res.status(401).json({
             ok: false,
@@ -913,169 +966,112 @@ function createAuthMiddleware(opts) {
 }
 
 // src/auth/authentication.ts
-var import_firebase_admin = __toESM(require("firebase-admin"), 1);
-var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
-var import_fs3 = __toESM(require("fs"), 1);
-function getBearerToken2(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function readPublicKey() {
-  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
-  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
-  if (publicKeyPath) {
-    const v = import_fs3.default.readFileSync(publicKeyPath, "utf8").trim();
-    if (v) return v;
-  }
-  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
-  if (envKey) return envKey;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
-}
-function verifyBackendJwtRS2562(raw) {
-  const publicKey = readPublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return import_jsonwebtoken2.default.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-function normalizeUid2(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
 function deriveCompanyBranch(decoded, companyUid, branchUid) {
   const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
   const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
   const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return { companiesFromToken, company, branch };
-}
-function extractEmployeeUid(decoded) {
-  const direct = normalizeUid2(decoded?.employee_uid);
-  if (direct) return direct;
-  const sub = normalizeUid2(decoded?.sub);
-  if (!sub) return null;
-  const m = /^emp:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid2(m[1]) : null;
-}
-function extractCustomerUid(decoded) {
-  const direct = normalizeUid2(decoded?.customer_uid);
-  if (direct) return direct;
-  const sub = normalizeUid2(decoded?.sub);
-  if (!sub) return null;
-  const m = /^cus:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid2(m[1]) : null;
-}
-function createAuthMiddleware2(opts) {
-  const { subject, allowFirebaseIdToken = false } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken2(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    try {
-      const decoded = verifyBackendJwtRS2562(token);
-      const headerCtx = req.context || {};
-      const companyUid = normalizeUid2(headerCtx.company_uid);
-      const branchUid = normalizeUid2(headerCtx.branch_uid);
-      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
-      const ctx = {
-        tokenType: "backend",
-        subject,
-        company_uid: companyUid ?? void 0,
-        branch_uid: branchUid ?? void 0,
-        companies: companiesFromToken,
-        company,
-        branch,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      if (subject === "employee") {
-        const employee_uid = extractEmployeeUid(decoded);
-        if (!employee_uid) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_UID_MISSING",
-            message: "employee_uid missing in token (expected employee_uid or sub=emp:<uid>)"
-          });
-        }
-        ctx.employee_uid = employee_uid;
-        const embedded = decoded?.employee ?? decoded?.user ?? null;
-        ctx.employee = embedded && typeof embedded === "object" ? embedded : { uid: employee_uid, email: decoded?.email ?? null };
-      } else {
-        const customer_uid = extractCustomerUid(decoded);
-        if (!customer_uid) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_UID_MISSING",
-            message: "customer_uid missing in token (expected customer_uid or sub=cus:<uid>)"
-          });
-        }
-        ctx.customer_uid = customer_uid;
-        const embedded = decoded?.customer ?? null;
-        ctx.customer = embedded && typeof embedded === "object" ? embedded : { uid: customer_uid };
-      }
-      req.auth = ctx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        const headerCtx = req.context || {};
-        const companyUid = normalizeUid2(headerCtx.company_uid);
-        const branchUid = normalizeUid2(headerCtx.branch_uid);
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: companyUid ?? void 0,
-          branch_uid: branchUid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
+  return {
+    companiesFromToken,
+    company,
+    branch
   };
 }
-var authEmployeeRequired = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: false });
-var authCustomerRequired = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: false });
-var authEmployeeAllowFirebase = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: true });
-var authCustomerAllowFirebase = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: true });
+var authEmployeeRequired = createAuthMiddleware({
+  subject: "employee",
+  allowFirebaseIdToken: false,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
+    return {
+      employee_uid: employee_uid ?? void 0,
+      employee,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authCustomerRequired = createAuthMiddleware({
+  subject: "customer",
+  allowFirebaseIdToken: false,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
+    return {
+      customer_uid: customer_uid ?? void 0,
+      customer,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authEmployeeAllowFirebase = createAuthMiddleware({
+  subject: "employee",
+  allowFirebaseIdToken: true,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
+    return {
+      employee_uid: employee_uid ?? void 0,
+      employee,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authCustomerAllowFirebase = createAuthMiddleware({
+  subject: "customer",
+  allowFirebaseIdToken: true,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
+    return {
+      customer_uid: customer_uid ?? void 0,
+      customer,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
 
 // src/middlewares/guards.ts
 function normalizeRole(r) {
@@ -1195,7 +1191,7 @@ function allowAuthAdminOrPerm(permission) {
 }
 
 // src/internalHttpClient.ts
-var import_fs4 = __toESM(require("fs"), 1);
+var import_fs3 = __toESM(require("fs"), 1);
 var InternalHttpError = class extends Error {
   status;
   code;
@@ -1210,7 +1206,7 @@ var InternalHttpError = class extends Error {
 function readSecretFile2(path) {
   if (!path) return null;
   try {
-    const v = import_fs4.default.readFileSync(path, "utf8").trim();
+    const v = import_fs3.default.readFileSync(path, "utf8").trim();
     return v.length ? v : null;
   } catch {
     return null;
@@ -1901,7 +1897,6 @@ function isUid(value) {
   buildInternalHeaders,
   closeCache,
   createAuthMiddleware,
-  createAuthMiddlewareLegacySimple,
   createBulkRefsClient,
   createFisClient,
   createHttpClient,
@@ -1912,6 +1907,9 @@ function isUid(value) {
   createPayClient,
   createPlatformClient,
   createResClient,
+  extractCustomerUid,
+  extractEmployeeUid,
+  getBearerToken,
   getOrSet,
   getRequestContextFromHeaders,
   getTwoLevelCache,
@@ -1920,6 +1918,7 @@ function isUid(value) {
   mapAxiosToUpstreamError,
   newUid,
   newUidV4,
+  normalizeUid,
   parseHeaders,
   readRs256PublicKey,
   readServiceEnv,