@innvoid/getmarket-sdk 0.2.7 → 0.2.9

package/dist/index.cjs

@@ -45,14 +45,9 @@ __export(src_exports, {
   allowSysAdminOrPermissionsAll: () => allowSysAdminOrPermissionsAll,
   allowSysAdminOrRoles: () => allowSysAdminOrRoles,
   allowSysAdminOrRolesOrAnyPermission: () => allowSysAdminOrRolesOrAnyPermission,
-  authCustomerAllowFirebase: () => authCustomerAllowFirebase,
-  authCustomerRequired: () => authCustomerRequired,
-  authEmployeeAllowFirebase: () => authEmployeeAllowFirebase,
-  authEmployeeRequired: () => authEmployeeRequired,
   buildInternalHeaders: () => buildInternalHeaders,
   closeCache: () => closeCache,
   createAuthMiddleware: () => createAuthMiddleware,
-  createAuthMiddlewareLegacySimple: () => createAuthMiddleware2,
   createBulkRefsClient: () => createBulkRefsClient,
   createFisClient: () => createFisClient,
   createHttpClient: () => createHttpClient,
@@ -63,6 +58,9 @@ __export(src_exports, {
   createPayClient: () => createPayClient,
   createPlatformClient: () => createPlatformClient,
   createResClient: () => createResClient,
+  extractCustomerUid: () => extractCustomerUid,
+  extractEmployeeUid: () => extractEmployeeUid,
+  getBearerToken: () => getBearerToken,
   getOrSet: () => getOrSet,
   getRequestContextFromHeaders: () => getRequestContextFromHeaders,
   getTwoLevelCache: () => getTwoLevelCache,
@@ -71,6 +69,7 @@ __export(src_exports, {
   mapAxiosToUpstreamError: () => mapAxiosToUpstreamError,
   newUid: () => newUid,
   newUidV4: () => newUidV4,
+  normalizeUid: () => normalizeUid,
   parseHeaders: () => parseHeaders,
   readRs256PublicKey: () => readRs256PublicKey,
   readServiceEnv: () => readServiceEnv,
@@ -651,6 +650,9 @@ function internalAuth(req, res, next) {
 function getAuth(req) {
   return req.auth ?? {};
 }
+function hasAuthContext(req) {
+  return !!req.auth;
+}
 function normalizeCode(v) {
   if (!v) return null;
   if (typeof v === "string") return v;
@@ -675,7 +677,7 @@ function permsSet(list) {
 }
 function requireAuthContext() {
   return (req, res, next) => {
-    if (!req.auth) {
+    if (!hasAuthContext(req)) {
       return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
     }
     return next();
@@ -689,6 +691,9 @@ function requirePermissions(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -714,6 +719,9 @@ function requireAnyPermission(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -739,6 +747,9 @@ function requireRoles(roles, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const have = rolesSet(auth);
@@ -755,6 +766,9 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const haveRoles = rolesSet(auth);
@@ -780,6 +794,157 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   };
 }
 
+// src/middlewares/guards.ts
+function normalizeRole(r) {
+  if (!r) return null;
+  if (typeof r === "string") return r;
+  return r.code || r.name || null;
+}
+function normalizePerm(p) {
+  if (!p) return null;
+  if (typeof p === "string") return p;
+  return p.code || p.name || null;
+}
+function getAuth2(req) {
+  return req.auth ?? {};
+}
+function roleSet(auth) {
+  return new Set(
+    (auth.roles ?? []).map(normalizeRole).filter(Boolean)
+  );
+}
+function permissionSets(auth) {
+  const allow = new Set(
+    (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  const deny = new Set(
+    (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  return { allow, deny };
+}
+function normalizeHandlers(auth) {
+  if (!auth) return [];
+  return Array.isArray(auth) ? auth : [auth];
+}
+function buildBaseChain(options) {
+  const chain = [];
+  if (options?.includeParseHeaders !== false) {
+    chain.push(parseHeaders);
+  }
+  chain.push(...normalizeHandlers(options?.auth));
+  return chain;
+}
+function hasSysAdmin(auth, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  if (!sysAdminBypass) return false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return roleSet(auth).has(sysAdminRole);
+}
+function allowSysAdminOrAnyPermission(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const ok = required.some((p) => allow.has(p));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
+          required,
+          mode: "ANY"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrPermissionsAll(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const missing = required.filter((p) => !allow.has(p));
+      if (missing.length) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
+          required,
+          missing,
+          mode: "ALL"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRoles(roles, options) {
+  const required = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const have = roleSet(auth);
+      const ok = required.some((r) => have.has(r));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+          required,
+          mode: "ANY"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRolesOrAnyPermission(roles, permissions, options) {
+  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
+  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      const haveRoles = roleSet(auth);
+      for (const p of requiredPerms) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const okRole = requiredRoles.some((r) => haveRoles.has(r));
+      if (okRole) return next();
+      const okPerm = requiredPerms.some((p) => allow.has(p));
+      if (okPerm) return next();
+      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
+        roles: requiredRoles,
+        permissions: requiredPerms,
+        mode: "ROLES_OR_ANY_PERMISSION"
+      });
+    }
+  ];
+}
+function allowAuthAdminOrPerm(permission, options) {
+  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission], options);
+}
+
 // src/auth/jwt.ts
 var import_fs2 = __toESM(require("fs"), 1);
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
@@ -792,12 +957,26 @@ function readFileIfExists(path) {
     return null;
   }
 }
+function getBearerToken(req) {
+  const auth = String(req?.headers?.authorization || "");
+  if (!auth.startsWith("Bearer ")) return null;
+  const token = auth.slice(7).trim();
+  return token.length ? token : null;
+}
+function normalizeUid(v) {
+  const s = String(v ?? "").trim();
+  return s.length ? s : null;
+}
 function readRs256PublicKey() {
   const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
   if (fromFile) return fromFile;
-  const fromEnv = String(process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "").replace(/\\n/g, "\n").trim();
+  const fromEnv = String(
+    process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
+  ).replace(/\\n/g, "\n").trim();
   if (fromEnv) return fromEnv;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
+  throw new Error(
+    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+  );
 }
 function verifyBackendJwtRS256(raw) {
   const publicKey = readRs256PublicKey();
@@ -809,28 +988,46 @@ function verifyBackendJwtRS256(raw) {
     issuer
   });
 }
+function extractEmployeeUid(decoded) {
+  const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
+  if (direct) return direct;
+  const sub = normalizeUid(decoded?.sub);
+  if (!sub) return null;
+  const match = /^emp:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
+}
+function extractCustomerUid(decoded) {
+  const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
+  if (direct) return direct;
+  const sub = normalizeUid(decoded?.sub);
+  if (!sub) return null;
+  const match = /^cus:(.+)$/i.exec(sub);
+  return match?.[1] ? normalizeUid(match[1]) : null;
+}
 
 // src/auth/middleware.ts
-function getBearerToken(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
+function sendAuthError(res, code, message, status = 401) {
+  return res.status(status).json({
+    ok: false,
+    code,
+    message
+  });
 }
 function createAuthMiddleware(opts) {
-  const { subject, allowFirebaseIdToken = false, requireSubject = true, hydrate } = opts;
+  const {
+    subject,
+    allowFirebaseIdToken = false,
+    requireSubject = true,
+    hydrate
+  } = opts;
   return async (req, res, next) => {
     const token = getBearerToken(req);
     if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
+      return sendAuthError(
+        res,
+        "AUTH_MISSING_TOKEN",
+        "Missing Authorization Bearer token"
+      );
     }
     const headerCtx = req.context || {};
     const company_uid = normalizeUid(headerCtx.company_uid);
@@ -851,45 +1048,70 @@ function createAuthMiddleware(opts) {
           expires_at: decoded?.exp
         }
       };
-      const hydrated = await hydrate({ decoded, req, subject, company_uid, branch_uid });
+      if (subject === "employee") {
+        baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
+      } else {
+        baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
+      }
+      const hydrated = await hydrate({
+        decoded,
+        req,
+        subject,
+        company_uid,
+        branch_uid
+      });
       Object.assign(baseCtx, hydrated);
+      if (subject === "employee" && !baseCtx.employee_uid) {
+        return sendAuthError(
+          res,
+          "AUTH_EMPLOYEE_UID_MISSING",
+          "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
+        );
+      }
+      if (subject === "customer" && !baseCtx.customer_uid) {
+        return sendAuthError(
+          res,
+          "AUTH_CUSTOMER_UID_MISSING",
+          "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
+        );
+      }
       if (requireSubject) {
         if (subject === "employee" && !baseCtx.employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not resolved by hydrator"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_EMPLOYEE_NOT_FOUND",
+            "Employee not resolved by hydrator"
+          );
         }
         if (subject === "customer" && !baseCtx.customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not resolved by hydrator"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_CUSTOMER_NOT_FOUND",
+            "Customer not resolved by hydrator"
+          );
         }
       }
       req.auth = baseCtx;
       return next();
-    } catch {
+    } catch (backendErr) {
       if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_INVALID_TOKEN",
+          "Invalid or expired token"
+        );
       }
       try {
-        const { default: admin2 } = await import("firebase-admin");
-        const firebaseDecoded = await admin2.auth().verifyIdToken(token);
+        const { default: admin } = await import("firebase-admin");
+        const firebaseDecoded = await admin.auth().verifyIdToken(token);
         if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_EMAIL_NOT_VERIFIED",
+            "Email not verified"
+          );
         }
-        req.auth = {
+        const firebaseCtx = {
           tokenType: "backend",
           subject,
           firebase: firebaseDecoded,
@@ -900,302 +1122,21 @@ function createAuthMiddleware(opts) {
           permissions: [],
           denied_permissions: []
         };
+        req.auth = firebaseCtx;
         return next();
       } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
-  };
-}
-
-// src/auth/authentication.ts
-var import_firebase_admin = __toESM(require("firebase-admin"), 1);
-var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
-var import_fs3 = __toESM(require("fs"), 1);
-function getBearerToken2(req) {
-  const auth = String(req.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function readPublicKey() {
-  const publicKeyPath = process.env.JWT_PUBLIC_KEY_PATH;
-  const publicKeyEnv = process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || "";
-  if (publicKeyPath) {
-    const v = import_fs3.default.readFileSync(publicKeyPath, "utf8").trim();
-    if (v) return v;
-  }
-  const envKey = publicKeyEnv.replace(/\\n/g, "\n").trim();
-  if (envKey) return envKey;
-  throw new Error("Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)");
-}
-function verifyBackendJwtRS2562(raw) {
-  const publicKey = readPublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return import_jsonwebtoken2.default.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-function normalizeUid2(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return { companiesFromToken, company, branch };
-}
-function extractEmployeeUid(decoded) {
-  const direct = normalizeUid2(decoded?.employee_uid);
-  if (direct) return direct;
-  const sub = normalizeUid2(decoded?.sub);
-  if (!sub) return null;
-  const m = /^emp:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid2(m[1]) : null;
-}
-function extractCustomerUid(decoded) {
-  const direct = normalizeUid2(decoded?.customer_uid);
-  if (direct) return direct;
-  const sub = normalizeUid2(decoded?.sub);
-  if (!sub) return null;
-  const m = /^cus:(.+)$/i.exec(sub);
-  return m?.[1] ? normalizeUid2(m[1]) : null;
-}
-function createAuthMiddleware2(opts) {
-  const { subject, allowFirebaseIdToken = false } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken2(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    try {
-      const decoded = verifyBackendJwtRS2562(token);
-      const headerCtx = req.context || {};
-      const companyUid = normalizeUid2(headerCtx.company_uid);
-      const branchUid = normalizeUid2(headerCtx.branch_uid);
-      const { companiesFromToken, company, branch } = deriveCompanyBranch(decoded, companyUid, branchUid);
-      const ctx = {
-        tokenType: "backend",
-        subject,
-        company_uid: companyUid ?? void 0,
-        branch_uid: branchUid ?? void 0,
-        companies: companiesFromToken,
-        company,
-        branch,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      if (subject === "employee") {
-        const employee_uid = extractEmployeeUid(decoded);
-        if (!employee_uid) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_UID_MISSING",
-            message: "employee_uid missing in token (expected employee_uid or sub=emp:<uid>)"
-          });
-        }
-        ctx.employee_uid = employee_uid;
-        const embedded = decoded?.employee ?? decoded?.user ?? null;
-        ctx.employee = embedded && typeof embedded === "object" ? embedded : { uid: employee_uid, email: decoded?.email ?? null };
-      } else {
-        const customer_uid = extractCustomerUid(decoded);
-        if (!customer_uid) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_UID_MISSING",
-            message: "customer_uid missing in token (expected customer_uid or sub=cus:<uid>)"
-          });
-        }
-        ctx.customer_uid = customer_uid;
-        const embedded = decoded?.customer ?? null;
-        ctx.customer = embedded && typeof embedded === "object" ? embedded : { uid: customer_uid };
-      }
-      req.auth = ctx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const firebaseDecoded = await import_firebase_admin.default.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        const headerCtx = req.context || {};
-        const companyUid = normalizeUid2(headerCtx.company_uid);
-        const branchUid = normalizeUid2(headerCtx.branch_uid);
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: companyUid ?? void 0,
-          branch_uid: branchUid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_INVALID_TOKEN",
+          "Invalid or expired token"
+        );
       }
     }
   };
 }
-var authEmployeeRequired = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: false });
-var authCustomerRequired = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: false });
-var authEmployeeAllowFirebase = createAuthMiddleware2({ subject: "employee", allowFirebaseIdToken: true });
-var authCustomerAllowFirebase = createAuthMiddleware2({ subject: "customer", allowFirebaseIdToken: true });
-
-// src/middlewares/guards.ts
-function normalizeRole(r) {
-  if (!r) return null;
-  if (typeof r === "string") return r;
-  return r.code || r.name || null;
-}
-function normalizePerm(p) {
-  if (!p) return null;
-  if (typeof p === "string") return p;
-  return p.code || p.name || null;
-}
-function isSysAdmin2(roles) {
-  if (!Array.isArray(roles)) return false;
-  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
-}
-function getAuth2(req) {
-  return req.auth ?? {};
-}
-function permissionSets(auth) {
-  const allow = new Set((auth.permissions ?? []).map(normalizePerm).filter(Boolean));
-  const deny = new Set((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean));
-  return { allow, deny };
-}
-function roleSet(auth) {
-  return new Set((auth.roles ?? []).map(normalizeRole).filter(Boolean));
-}
-function allowSysAdminOrAnyPermission(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const ok = required.some((p) => allow.has(p));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrPermissionsAll(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const missing = required.filter((p) => !allow.has(p));
-      if (missing.length) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", { required, missing });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRoles(...roles) {
-  const required = (roles ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const have = roleSet(auth);
-      const ok = required.some((r) => have.has(r));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
-  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
-  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of requiredPerms) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`, { permission: p });
-        }
-      }
-      const haveRoles = roleSet(auth);
-      if (requiredRoles.some((r) => haveRoles.has(r))) return next();
-      if (requiredPerms.some((p) => allow.has(p))) return next();
-      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
-        roles: requiredRoles,
-        permissions: requiredPerms,
-        mode: "ROLES_OR_ANY_PERMISSION"
-      });
-    }
-  ];
-}
-function allowAuthAdminOrPerm(permission) {
-  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission]);
-}
 
 // src/internalHttpClient.ts
-var import_fs4 = __toESM(require("fs"), 1);
+var import_fs3 = __toESM(require("fs"), 1);
 var InternalHttpError = class extends Error {
   status;
   code;
@@ -1210,7 +1151,7 @@ var InternalHttpError = class extends Error {
 function readSecretFile2(path) {
   if (!path) return null;
   try {
-    const v = import_fs4.default.readFileSync(path, "utf8").trim();
+    const v = import_fs3.default.readFileSync(path, "utf8").trim();
     return v.length ? v : null;
   } catch {
     return null;
@@ -1894,14 +1835,9 @@ function isUid(value) {
   allowSysAdminOrPermissionsAll,
   allowSysAdminOrRoles,
   allowSysAdminOrRolesOrAnyPermission,
-  authCustomerAllowFirebase,
-  authCustomerRequired,
-  authEmployeeAllowFirebase,
-  authEmployeeRequired,
   buildInternalHeaders,
   closeCache,
   createAuthMiddleware,
-  createAuthMiddlewareLegacySimple,
   createBulkRefsClient,
   createFisClient,
   createHttpClient,
@@ -1912,6 +1848,9 @@ function isUid(value) {
   createPayClient,
   createPlatformClient,
   createResClient,
+  extractCustomerUid,
+  extractEmployeeUid,
+  getBearerToken,
   getOrSet,
   getRequestContextFromHeaders,
   getTwoLevelCache,
@@ -1920,6 +1859,7 @@ function isUid(value) {
   mapAxiosToUpstreamError,
   newUid,
   newUidV4,
+  normalizeUid,
   parseHeaders,
   readRs256PublicKey,
   readServiceEnv,