@innvoid/getmarket-sdk 0.2.7 → 0.2.8

package/dist/index.d.cts

@@ -4,40 +4,33 @@ export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMP
 import { R as RequestContext } from './parse-C4vk-fmH.cjs';
 export { g as getRequestContextFromHeaders } from './parse-C4vk-fmH.cjs';
 export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.cjs';
-import { a as AuthMiddlewareOptions } from './types-CRECQuHp.cjs';
-export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-CRECQuHp.cjs';
-import { Response, NextFunction } from 'express';
+import { a as AuthMiddlewareOptions } from './types-Cc_McZgD.cjs';
+export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-Cc_McZgD.cjs';
 import { JwtPayload } from 'jsonwebtoken';
+import * as express from 'express';
+import { Response, NextFunction } from 'express';
 export { InternalBulkRefsOptions, ServiceClientEnv, createBulkRefsClient, createFisClient, createMdClient, createMediaClient, createMkpClient, createPayClient, createPlatformClient, createResClient, readServiceEnv } from './clients/index.cjs';
 export { BulkRefsResponse, BulkUidsRequest } from '@innvoid/getmarket-contracts';
 import 'axios';
 
+declare function getBearerToken(req: any): string | null;
+declare function normalizeUid(v: any): string | null;
 /**
- * ✅ Middleware estándar:
- * - Solo Authorization: Bearer
- * - Solo RS256
- * - Cero legacy
- * - Hidrata vía hook (OBLIGATORIO)
- */
-declare function createAuthMiddleware$1(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-
-/**
- * ✅ Keys viven en getmarket-stack:
- * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+ * ✅ Keys centralizadas:
+ * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub
  * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
  */
 declare function readRs256PublicKey(): string;
 declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+declare function extractEmployeeUid(decoded: any): string | null;
+declare function extractCustomerUid(decoded: any): string | null;
+
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
 
-type Subject = "employee" | "customer";
-declare function createAuthMiddleware(opts: {
-    subject: Subject;
-    allowFirebaseIdToken?: boolean;
-}): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+declare const authEmployeeRequired: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authCustomerRequired: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authEmployeeAllowFirebase: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authCustomerAllowFirebase: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
 
 type InternalHttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
 type InternalHttpClientOptions = {
@@ -95,4 +88,4 @@ declare function newUidV4(): string;
 /** Validación para inputs que vengan de DB/requests durante migración. */
 declare function isUid(value: string): boolean;
 
-export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, authCustomerAllowFirebase, authCustomerRequired, authEmployeeAllowFirebase, authEmployeeRequired, buildInternalHeaders, createAuthMiddleware$1 as createAuthMiddleware, createAuthMiddleware as createAuthMiddlewareLegacySimple, createInternalHttpClient, isUid, newUid, newUidV4, readRs256PublicKey, verifyBackendJwtRS256 };
+export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, authCustomerAllowFirebase, authCustomerRequired, authEmployeeAllowFirebase, authEmployeeRequired, buildInternalHeaders, createAuthMiddleware, createInternalHttpClient, extractCustomerUid, extractEmployeeUid, getBearerToken, isUid, newUid, newUidV4, normalizeUid, readRs256PublicKey, verifyBackendJwtRS256 };

package/dist/index.d.ts

@@ -4,40 +4,33 @@ export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMP
 import { R as RequestContext } from './parse-C4vk-fmH.js';
 export { g as getRequestContextFromHeaders } from './parse-C4vk-fmH.js';
 export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.js';
-import { a as AuthMiddlewareOptions } from './types-CRECQuHp.js';
-export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-CRECQuHp.js';
-import { Response, NextFunction } from 'express';
+import { a as AuthMiddlewareOptions } from './types-Cc_McZgD.js';
+export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-Cc_McZgD.js';
 import { JwtPayload } from 'jsonwebtoken';
+import * as express from 'express';
+import { Response, NextFunction } from 'express';
 export { InternalBulkRefsOptions, ServiceClientEnv, createBulkRefsClient, createFisClient, createMdClient, createMediaClient, createMkpClient, createPayClient, createPlatformClient, createResClient, readServiceEnv } from './clients/index.js';
 export { BulkRefsResponse, BulkUidsRequest } from '@innvoid/getmarket-contracts';
 import 'axios';
 
+declare function getBearerToken(req: any): string | null;
+declare function normalizeUid(v: any): string | null;
 /**
- * ✅ Middleware estándar:
- * - Solo Authorization: Bearer
- * - Solo RS256
- * - Cero legacy
- * - Hidrata vía hook (OBLIGATORIO)
- */
-declare function createAuthMiddleware$1(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-
-/**
- * ✅ Keys viven en getmarket-stack:
- * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+ * ✅ Keys centralizadas:
+ * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub
  * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
  */
 declare function readRs256PublicKey(): string;
 declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+declare function extractEmployeeUid(decoded: any): string | null;
+declare function extractCustomerUid(decoded: any): string | null;
+
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
 
-type Subject = "employee" | "customer";
-declare function createAuthMiddleware(opts: {
-    subject: Subject;
-    allowFirebaseIdToken?: boolean;
-}): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+declare const authEmployeeRequired: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authCustomerRequired: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authEmployeeAllowFirebase: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
+declare const authCustomerAllowFirebase: (req: any, res: express.Response, next: express.NextFunction) => Promise<void | express.Response<any, Record<string, any>>>;
 
 type InternalHttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
 type InternalHttpClientOptions = {
@@ -95,4 +88,4 @@ declare function newUidV4(): string;
 /** Validación para inputs que vengan de DB/requests durante migración. */
 declare function isUid(value: string): boolean;
 
-export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, authCustomerAllowFirebase, authCustomerRequired, authEmployeeAllowFirebase, authEmployeeRequired, buildInternalHeaders, createAuthMiddleware$1 as createAuthMiddleware, createAuthMiddleware as createAuthMiddlewareLegacySimple, createInternalHttpClient, isUid, newUid, newUidV4, readRs256PublicKey, verifyBackendJwtRS256 };
+export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, authCustomerAllowFirebase, authCustomerRequired, authEmployeeAllowFirebase, authEmployeeRequired, buildInternalHeaders, createAuthMiddleware, createInternalHttpClient, extractCustomerUid, extractEmployeeUid, getBearerToken, isUid, newUid, newUidV4, normalizeUid, readRs256PublicKey, verifyBackendJwtRS256 };

package/dist/index.js

@@ -9,8 +9,11 @@ import {
   authEmployeeAllowFirebase,
   authEmployeeRequired,
   createAuthMiddleware,
-  createAuthMiddleware2,
+  extractCustomerUid,
+  extractEmployeeUid,
+  getBearerToken,
   internalAuth,
+  normalizeUid,
   parseHeaders,
   readRs256PublicKey,
   requestId,
@@ -22,7 +25,7 @@ import {
   sendError,
   sendOk,
   verifyBackendJwtRS256
-} from "./chunk-WM2QICZQ.js";
+} from "./chunk-DT3AM34L.js";
 import {
   InternalHttpError,
   buildInternalHeaders,
@@ -94,7 +97,6 @@ export {
   buildInternalHeaders,
   closeCache,
   createAuthMiddleware,
-  createAuthMiddleware2 as createAuthMiddlewareLegacySimple,
   createBulkRefsClient,
   createFisClient,
   createHttpClient,
@@ -105,6 +107,9 @@ export {
   createPayClient,
   createPlatformClient,
   createResClient,
+  extractCustomerUid,
+  extractEmployeeUid,
+  getBearerToken,
   getOrSet,
   getRequestContextFromHeaders,
   getTwoLevelCache,
@@ -113,6 +118,7 @@ export {
   mapAxiosToUpstreamError,
   newUid,
   newUidV4,
+  normalizeUid,
   parseHeaders,
   readRs256PublicKey,
   readServiceEnv,

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/common/ids.ts"],"sourcesContent":["// packages/sdk/src/common/ids.ts\nimport {v7 as uuidv7, v4 as uuidv4, validate as uuidValidate, version as uuidVersion} from \"uuid\";\n\n/**\n * UID canónico GetMarket.\n * - Por defecto genera UUIDv7 (time-ordered).\n * - Durante transición, aceptamos v4 y v7 como válidos.\n */\nexport function newUid(): string {\n  return uuidv7();\n}\n\n/** Útil si necesitas generar v4 puntualmente (idealmente no usarlo). */\nexport function newUidV4(): string {\n  return uuidv4();\n}\n\n/** Validación para inputs que vengan de DB/requests durante migración. */\nexport function isUid(value: string): boolean {\n  return uuidValidate(value) && (uuidVersion(value) === 7 || uuidVersion(value) === 4);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,SAAQ,MAAM,QAAQ,MAAM,QAAQ,YAAY,cAAc,WAAW,mBAAkB;AAOpF,SAAS,SAAiB;AAC/B,SAAO,OAAO;AAChB;AAGO,SAAS,WAAmB;AACjC,SAAO,OAAO;AAChB;AAGO,SAAS,MAAM,OAAwB;AAC5C,SAAO,aAAa,KAAK,MAAM,YAAY,KAAK,MAAM,KAAK,YAAY,KAAK,MAAM;AACpF;","names":[]}
+{"version":3,"sources":["../src/common/ids.ts"],"sourcesContent":["// packages/sdk/src/common/ids.ts\nimport {v7 as uuidv7, v4 as uuidv4, validate as uuidValidate, version as uuidVersion} from \"uuid\";\n\n/**\n * UID canónico GetMarket.\n * - Por defecto genera UUIDv7 (time-ordered).\n * - Durante transición, aceptamos v4 y v7 como válidos.\n */\nexport function newUid(): string {\n  return uuidv7();\n}\n\n/** Útil si necesitas generar v4 puntualmente (idealmente no usarlo). */\nexport function newUidV4(): string {\n  return uuidv4();\n}\n\n/** Validación para inputs que vengan de DB/requests durante migración. */\nexport function isUid(value: string): boolean {\n  return uuidValidate(value) && (uuidVersion(value) === 7 || uuidVersion(value) === 4);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,SAAQ,MAAM,QAAQ,MAAM,QAAQ,YAAY,cAAc,WAAW,mBAAkB;AAOpF,SAAS,SAAiB;AAC/B,SAAO,OAAO;AAChB;AAGO,SAAS,WAAmB;AACjC,SAAO,OAAO;AAChB;AAGO,SAAS,MAAM,OAAwB;AAC5C,SAAO,aAAa,KAAK,MAAM,YAAY,KAAK,MAAM,KAAK,YAAY,KAAK,MAAM;AACpF;","names":[]}

package/dist/middlewares/index.cjs

@@ -297,29 +297,41 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   };
 }
 
-// src/auth/authentication.ts
-var import_firebase_admin = __toESM(require("firebase-admin"), 1);
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+// src/auth/jwt.ts
 var import_fs2 = __toESM(require("fs"), 1);
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+function readFileIfExists(path) {
+  if (!path) return null;
+  try {
+    const v = import_fs2.default.readFileSync(path, "utf8").trim();
+    return v.length ? v : null;
+  } catch {
+    return null;
+  }
+}
 function getBearerToken(req) {
-  const auth = String(req.headers?.authorization || "");
+  const auth = String(req?.headers?.authorization || "");
   if (!auth.startsWith("Bearer ")) return null;
   const token = auth.slice(7).trim();
   return token.length ? token : null;
 }
-function readPublicKey() {
-  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
-  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
-  if (publicKeyPath) {
-    const v = import_fs2.default.readFileSync(publicKeyPath, "utf8").trim();
-    if (v) return v;
-  }
-  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
-  if (envKey) return envKey;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
+function readRs256PublicKey() {
+  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+  if (fromFile) return fromFile;
+  const fromEnv = String(
+    process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
+  ).replace(/\\n/g, "\n").trim();
+  if (fromEnv) return fromEnv;
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
 }
 function verifyBackendJwtRS256(raw) {
-  const publicKey = readPublicKey();
+  const publicKey = readRs256PublicKey();
   const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
   const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
   return import_jsonwebtoken.default.verify(raw, publicKey, {
@@ -328,34 +340,31 @@ function verifyBackendJwtRS256(raw) {
     issuer
   });
 }
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return { companiesFromToken, company, branch };
-}
 function extractEmployeeUid(decoded) {
-  const direct = normalizeUid(decoded?.employee_uid);
+  const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
   if (direct) return direct;
   const sub = normalizeUid(decoded?.sub);
   if (!sub) return null;
-  const m = /^emp:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid(m[1]) : null;
+  const match = /^emp:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
 }
 function extractCustomerUid(decoded) {
-  const direct = normalizeUid(decoded?.customer_uid);
+  const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
   if (direct) return direct;
   const sub = normalizeUid(decoded?.sub);
   if (!sub) return null;
-  const m = /^cus:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid(m[1]) : null;
+  const match = /^cus:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
 }
+
+// src/auth/middleware.ts
 function createAuthMiddleware(opts) {
-  const { subject, allowFirebaseIdToken = false } = opts;
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
   return async (req, res, next) => {
     const token = getBearerToken(req);
     if (!token) {
@@ -365,20 +374,16 @@ function createAuthMiddleware(opts) {
         message: "Missing Authorization Bearer token"
       });
     }
+    const headerCtx = req.context || {};
+    const company_uid = normalizeUid(headerCtx.company_uid);
+    const branch_uid = normalizeUid(headerCtx.branch_uid);
     try {
       const decoded = verifyBackendJwtRS256(token);
-      const headerCtx = req.context || {};
-      const companyUid = normalizeUid(headerCtx.company_uid);
-      const branchUid = normalizeUid(headerCtx.branch_uid);
-      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
-      const ctx = {
+      const baseCtx = {
         tokenType: "backend",
         subject,
-        company_uid: companyUid ?? void 0,
-        branch_uid: branchUid ?? void 0,
-        companies: companiesFromToken,
-        company,
-        branch,
+        company_uid: company_uid ?? void 0,
+        branch_uid: branch_uid ?? void 0,
         roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
         permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
         denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
@@ -389,31 +394,49 @@ function createAuthMiddleware(opts) {
         }
       };
       if (subject === "employee") {
-        const employee_uid = extractEmployeeUid(decoded);
-        if (!employee_uid) {
+        baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
+      } else {
+        baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
+      }
+      const hydrated = await hydrate({
+        decoded,
+        req,
+        subject,
+        company_uid,
+        branch_uid
+      });
+      Object.assign(baseCtx, hydrated);
+      if (subject === "employee" && !baseCtx.employee_uid) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_EMPLOYEE_UID_MISSING",
+          message: "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
+        });
+      }
+      if (subject === "customer" && !baseCtx.customer_uid) {
+        return res.status(401).json({
+          ok: false,
+          code: "AUTH_CUSTOMER_UID_MISSING",
+          message: "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
+        });
+      }
+      if (requireSubject) {
+        if (subject === "employee" && !baseCtx.employee) {
           return res.status(401).json({
             ok: false,
-            code: "AUTH_EMPLOYEE_UID_MISSING",
-            message: "employee_uid missing in token (expected employee_uid or sub=emp:<uid>)"
+            code: "AUTH_EMPLOYEE_NOT_FOUND",
+            message: "Employee not resolved by hydrator"
           });
         }
-        ctx.employee_uid = employee_uid;
-        const embedded = decoded?.employee ?? decoded?.user ?? null;
-        ctx.employee = embedded && typeof embedded === "object" ? embedded : { uid: employee_uid, email: decoded?.email ?? null };
-      } else {
-        const customer_uid = extractCustomerUid(decoded);
-        if (!customer_uid) {
+        if (subject === "customer" && !baseCtx.customer) {
           return res.status(401).json({
             ok: false,
-            code: "AUTH_CUSTOMER_UID_MISSING",
-            message: "customer_uid missing in token (expected customer_uid or sub=cus:<uid>)"
+            code: "AUTH_CUSTOMER_NOT_FOUND",
+            message: "Customer not resolved by hydrator"
           });
         }
-        ctx.customer_uid = customer_uid;
-        const embedded = decoded?.customer ?? null;
-        ctx.customer = embedded && typeof embedded === "object" ? embedded : { uid: customer_uid };
       }
-      req.auth = ctx;
+      req.auth = baseCtx;
       return next();
     } catch {
       if (!allowFirebaseIdToken) {
@@ -424,7 +447,8 @@ function createAuthMiddleware(opts) {
         });
       }
       try {
-        const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
         if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
           return res.status(401).json({
             ok: false,
@@ -432,15 +456,12 @@ function createAuthMiddleware(opts) {
             message: "Email not verified"
           });
         }
-        const headerCtx = req.context || {};
-        const companyUid = normalizeUid(headerCtx.company_uid);
-        const branchUid = normalizeUid(headerCtx.branch_uid);
         req.auth = {
           tokenType: "backend",
           subject,
           firebase: firebaseDecoded,
-          company_uid: companyUid ?? void 0,
-          branch_uid: branchUid ?? void 0,
+          company_uid: company_uid ?? void 0,
+          branch_uid: branch_uid ?? void 0,
           companies: [],
           roles: [],
           permissions: [],
@@ -457,10 +478,114 @@ function createAuthMiddleware(opts) {
     }
   };
 }
-var authEmployeeRequired = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: false });
-var authCustomerRequired = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: false });
-var authEmployeeAllowFirebase = createAuthMiddleware({ subject: "employee", allowFirebaseIdToken: true });
-var authCustomerAllowFirebase = createAuthMiddleware({ subject: "customer", allowFirebaseIdToken: true });
+
+// src/auth/authentication.ts
+function deriveCompanyBranch(decoded, companyUid, branchUid) {
+  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
+  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
+  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
+  return {
+    companiesFromToken,
+    company,
+    branch
+  };
+}
+var authEmployeeRequired = createAuthMiddleware({
+  subject: "employee",
+  allowFirebaseIdToken: false,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
+    return {
+      employee_uid: employee_uid ?? void 0,
+      employee,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authCustomerRequired = createAuthMiddleware({
+  subject: "customer",
+  allowFirebaseIdToken: false,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
+    return {
+      customer_uid: customer_uid ?? void 0,
+      customer,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authEmployeeAllowFirebase = createAuthMiddleware({
+  subject: "employee",
+  allowFirebaseIdToken: true,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
+    return {
+      employee_uid: employee_uid ?? void 0,
+      employee,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
+var authCustomerAllowFirebase = createAuthMiddleware({
+  subject: "customer",
+  allowFirebaseIdToken: true,
+  requireSubject: false,
+  hydrate: async ({ decoded, company_uid, branch_uid }) => {
+    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
+    const { companiesFromToken, company, branch } = deriveCompanyBranch(
+      decoded,
+      company_uid,
+      branch_uid
+    );
+    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
+    return {
+      customer_uid: customer_uid ?? void 0,
+      customer,
+      companies: companiesFromToken,
+      company,
+      branch,
+      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
+    };
+  }
+});
 
 // src/middlewares/guards.ts
 function normalizeRole(r) {