@innvoid/getmarket-sdk 0.2.7 → 0.2.9
- package/dist/chunk-HNOUEVHW.js +410 -0
- package/dist/chunk-HNOUEVHW.js.map +1 -0
- package/dist/express.d.cts +1 -1
- package/dist/express.d.ts +1 -1
- package/dist/index.cjs +282 -342
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +11 -24
- package/dist/index.d.ts +11 -24
- package/dist/index.js +196 -15
- package/dist/index.js.map +1 -1
- package/dist/middlewares/index.cjs +88 -204
- package/dist/middlewares/index.cjs.map +1 -1
- package/dist/middlewares/index.d.cts +34 -40
- package/dist/middlewares/index.d.ts +34 -40
- package/dist/middlewares/index.js +1 -1
- package/dist/{types-CRECQuHp.d.cts → types-Cc_McZgD.d.cts} +12 -10
- package/dist/{types-CRECQuHp.d.ts → types-Cc_McZgD.d.ts} +12 -10
- package/package.json +2 -2
- package/dist/chunk-WM2QICZQ.js +0 -666
- package/dist/chunk-WM2QICZQ.js.map +0 -1
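--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -4,40 +4,27 @@ export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMP
 import { R as RequestContext } from './parse-C4vk-fmH.cjs';
 export { g as getRequestContextFromHeaders } from './parse-C4vk-fmH.cjs';
 export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.cjs';
-import { a as AuthMiddlewareOptions } from './types-
-export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-
-import { Response, NextFunction } from 'express';
+import { a as AuthMiddlewareOptions } from './types-Cc_McZgD.cjs';
+export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-Cc_McZgD.cjs';
 import { JwtPayload } from 'jsonwebtoken';
+import { RequestHandler } from 'express';
 export { InternalBulkRefsOptions, ServiceClientEnv, createBulkRefsClient, createFisClient, createMdClient, createMediaClient, createMkpClient, createPayClient, createPlatformClient, createResClient, readServiceEnv } from './clients/index.cjs';
 export { BulkRefsResponse, BulkUidsRequest } from '@innvoid/getmarket-contracts';
 import 'axios';
 
+declare function getBearerToken(req: any): string | null;
+declare function normalizeUid(v: any): string | null;
 /**
-*
-* -
-* - Solo RS256
-* - Cero legacy
-* - Hidrata vía hook (OBLIGATORIO)
-*/
-declare function createAuthMiddleware$1(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-
-/**
-* ✅ Keys viven en getmarket-stack:
-* - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+* Keys centralizadas:
+* - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub
 * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
 */
 declare function readRs256PublicKey(): string;
 declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+declare function extractEmployeeUid(decoded: any): string | null;
+declare function extractCustomerUid(decoded: any): string | null;
 
-
-declare function createAuthMiddleware(opts: {
-subject: Subject;
-allowFirebaseIdToken?: boolean;
-}): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): RequestHandler;
 
 type InternalHttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
 type InternalHttpClientOptions = {
@@ -95,4 +82,4 @@ declare function newUidV4(): string;
 /** Validación para inputs que vengan de DB/requests durante migración. */
 declare function isUid(value: string): boolean;
 
-export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext,
+export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, buildInternalHeaders, createAuthMiddleware, createInternalHttpClient, extractCustomerUid, extractEmployeeUid, getBearerToken, isUid, newUid, newUidV4, normalizeUid, readRs256PublicKey, verifyBackendJwtRS256 };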
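Review bot: The new `declare function createAuthMiddleware(opts: AuthMiddlewareOptions): RequestHandler;` drops the doc comment that told callers the middleware is RS256-only and that the hydrate hook is mandatory, and `extractEmployeeUid`/`extractCustomerUid` are declared with `decoded: any` although `JwtPayload` is already imported in this file. I would restore a short TSDoc on `createAuthMiddleware` stating that `hydrate` is required and that with `allowFirebaseIdToken` a Firebase ID token yields a context with empty `roles`/`permissions` (that is what the `index.js` section on this page shows), and tighten the extractors to `(decoded: JwtPayload): string | null`. Note also that `authEmployeeRequired`, `authCustomerRequired`, `authEmployeeAllowFirebase` and `authCustomerAllowFirebase` leave the public surface in a 0.2.7→0.2.9 bump; that is a breaking change for consumers and should be called out in the changelog.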
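--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -4,40 +4,27 @@ export { HEADER_AUTHORIZATION, HEADER_BRANCH_UID, HEADER_COMPANY_UID, HEADER_EMP
 import { R as RequestContext } from './parse-C4vk-fmH.js';
 export { g as getRequestContextFromHeaders } from './parse-C4vk-fmH.js';
 export { allowAuthAdminOrPerm, allowSysAdminOrAnyPermission, allowSysAdminOrPermissionsAll, allowSysAdminOrRoles, allowSysAdminOrRolesOrAnyPermission, internalAuth, parseHeaders, requestId, requireAnyPermission, requireAuthContext, requirePermissions, requireRoles, requireRolesOrAnyPermission, sendError, sendOk } from './middlewares/index.js';
-import { a as AuthMiddlewareOptions } from './types-
-export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-
-import { Response, NextFunction } from 'express';
+import { a as AuthMiddlewareOptions } from './types-Cc_McZgD.js';
+export { A as AuthContext, b as AuthSession, c as AuthSubject, H as HydrateInput, d as HydrateResult, e as Hydrator, T as TokenType } from './types-Cc_McZgD.js';
 import { JwtPayload } from 'jsonwebtoken';
+import { RequestHandler } from 'express';
 export { InternalBulkRefsOptions, ServiceClientEnv, createBulkRefsClient, createFisClient, createMdClient, createMediaClient, createMkpClient, createPayClient, createPlatformClient, createResClient, readServiceEnv } from './clients/index.js';
 export { BulkRefsResponse, BulkUidsRequest } from '@innvoid/getmarket-contracts';
 import 'axios';
 
+declare function getBearerToken(req: any): string | null;
+declare function normalizeUid(v: any): string | null;
 /**
-*
-* -
-* - Solo RS256
-* - Cero legacy
-* - Hidrata vía hook (OBLIGATORIO)
-*/
-declare function createAuthMiddleware$1(opts: AuthMiddlewareOptions): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-
-/**
-* ✅ Keys viven en getmarket-stack:
-* - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub (recomendado)
+* Keys centralizadas:
+* - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub
 * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY
 */
 declare function readRs256PublicKey(): string;
 declare function verifyBackendJwtRS256(raw: string): JwtPayload;
+declare function extractEmployeeUid(decoded: any): string | null;
+declare function extractCustomerUid(decoded: any): string | null;
 
-
-declare function createAuthMiddleware(opts: {
-subject: Subject;
-allowFirebaseIdToken?: boolean;
-}): (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerRequired: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authEmployeeAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
-declare const authCustomerAllowFirebase: (req: any, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+declare function createAuthMiddleware(opts: AuthMiddlewareOptions): RequestHandler;
 
 type InternalHttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
 type InternalHttpClientOptions = {
@@ -95,4 +82,4 @@ declare function newUidV4(): string;
 /** Validación para inputs que vengan de DB/requests durante migración. */
 declare function isUid(value: string): boolean;
 
-export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext,
+export { AuthMiddlewareOptions, type InternalHttpClientOptions, InternalHttpError, type InternalHttpMethod, type InternalRequestOptions, RequestContext, buildInternalHeaders, createAuthMiddleware, createInternalHttpClient, extractCustomerUid, extractEmployeeUid, getBearerToken, isUid, newUid, newUidV4, normalizeUid, readRs256PublicKey, verifyBackendJwtRS256 };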
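Review bot: Same remark as for the `.d.cts` twin: the new `createAuthMiddleware(opts: AuthMiddlewareOptions): RequestHandler` declaration has no TSDoc, while the old one at least stated "Solo RS256 / Hidrata vía hook (OBLIGATORIO)". A one-paragraph comment saying that `hydrate` is required, that verification is RS256-only with `aud`/`iss` checked, and that `allowFirebaseIdToken` produces a context with empty `roles`/`permissions` would save consumers a trip into `index.js`. `extractEmployeeUid(decoded: any)` and `extractCustomerUid(decoded: any)` could be typed as `(decoded: JwtPayload): string | null` since `JwtPayload` is imported two lines above.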
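--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -4,15 +4,8 @@ import {
 allowSysAdminOrPermissionsAll,
 allowSysAdminOrRoles,
 allowSysAdminOrRolesOrAnyPermission,
-authCustomerAllowFirebase,
-authCustomerRequired,
-authEmployeeAllowFirebase,
-authEmployeeRequired,
-createAuthMiddleware,
-createAuthMiddleware2,
 internalAuth,
 parseHeaders,
-readRs256PublicKey,
 requestId,
 requireAnyPermission,
 requireAuthContext,
@@ -20,9 +13,8 @@ import {
 requireRoles,
 requireRolesOrAnyPermission,
 sendError,
-sendOk
-
-} from "./chunk-WM2QICZQ.js";
+sendOk
+} from "./chunk-HNOUEVHW.js";
 import {
 InternalHttpError,
 buildInternalHeaders,
@@ -60,6 +52,196 @@ import {
 getRequestContextFromHeaders
 } from "./chunk-KXXIMSON.js";
 
+// src/auth/jwt.ts
+import fs from "fs";
+import jwt from "jsonwebtoken";
+function readFileIfExists(path) {
+if (!path) return null;
+try {
+const v = fs.readFileSync(path, "utf8").trim();
+return v.length ? v : null;
+} catch {
+return null;
+}
+}
+function getBearerToken(req) {
+const auth = String(req?.headers?.authorization || "");
+if (!auth.startsWith("Bearer ")) return null;
+const token = auth.slice(7).trim();
+return token.length ? token : null;
+}
+function normalizeUid(v) {
+const s = String(v ?? "").trim();
+return s.length ? s : null;
+}
+function readRs256PublicKey() {
+const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
+if (fromFile) return fromFile;
+const fromEnv = String(
+process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
+).replace(/\\n/g, "\n").trim();
+if (fromEnv) return fromEnv;
+throw new Error(
+"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
+);
+}
+function verifyBackendJwtRS256(raw) {
+const publicKey = readRs256PublicKey();
+const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
+const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
+return jwt.verify(raw, publicKey, {
+algorithms: ["RS256"],
+audience,
+issuer
+});
+}
+function extractEmployeeUid(decoded) {
+const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
+if (direct) return direct;
+const sub = normalizeUid(decoded?.sub);
+if (!sub) return null;
+const match = /^emp:(.+)$/i.exec(sub);
+return match?.[1] ? normalizeUid(match[1]) : null;
+}
+function extractCustomerUid(decoded) {
+const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
+if (direct) return direct;
+const sub = normalizeUid(decoded?.sub);
+if (!sub) return null;
+const match = /^cus:(.+)$/i.exec(sub);
+return match?.[1] ? normalizeUid(match[1]) : null;
+}
+
+// src/auth/middleware.ts
+function sendAuthError(res, code, message, status = 401) {
+return res.status(status).json({
+ok: false,
+code,
+message
+});
+}
+function createAuthMiddleware(opts) {
+const {
+subject,
+allowFirebaseIdToken = false,
+requireSubject = true,
+hydrate
+} = opts;
+return async (req, res, next) => {
+const token = getBearerToken(req);
+if (!token) {
+return sendAuthError(
+res,
+"AUTH_MISSING_TOKEN",
+"Missing Authorization Bearer token"
+);
+}
+const headerCtx = req.context || {};
+const company_uid = normalizeUid(headerCtx.company_uid);
+const branch_uid = normalizeUid(headerCtx.branch_uid);
+try {
+const decoded = verifyBackendJwtRS256(token);
+const baseCtx = {
+tokenType: "backend",
+subject,
+company_uid: company_uid ?? void 0,
+branch_uid: branch_uid ?? void 0,
+roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
+permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
+denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
+session: {
+jti: decoded?.jti,
+device_id: decoded?.device_id,
+expires_at: decoded?.exp
+}
+};
+if (subject === "employee") {
+baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
+} else {
+baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
+}
+const hydrated = await hydrate({
+decoded,
+req,
+subject,
+company_uid,
+branch_uid
+});
+Object.assign(baseCtx, hydrated);
+if (subject === "employee" && !baseCtx.employee_uid) {
+return sendAuthError(
+res,
+"AUTH_EMPLOYEE_UID_MISSING",
+"employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
+);
+}
+if (subject === "customer" && !baseCtx.customer_uid) {
+return sendAuthError(
+res,
+"AUTH_CUSTOMER_UID_MISSING",
+"customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
+);
+}
+if (requireSubject) {
+if (subject === "employee" && !baseCtx.employee) {
+return sendAuthError(
+res,
+"AUTH_EMPLOYEE_NOT_FOUND",
+"Employee not resolved by hydrator"
+);
+}
+if (subject === "customer" && !baseCtx.customer) {
+return sendAuthError(
+res,
+"AUTH_CUSTOMER_NOT_FOUND",
+"Customer not resolved by hydrator"
+);
+}
+}
+req.auth = baseCtx;
+return next();
+} catch (backendErr) {
+if (!allowFirebaseIdToken) {
+return sendAuthError(
+res,
+"AUTH_INVALID_TOKEN",
+"Invalid or expired token"
+);
+}
+try {
+const { default: admin } = await import("firebase-admin");
+const firebaseDecoded = await admin.auth().verifyIdToken(token);
+if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
+return sendAuthError(
+res,
+"AUTH_EMAIL_NOT_VERIFIED",
+"Email not verified"
+);
+}
+const firebaseCtx = {
+tokenType: "backend",
+subject,
+firebase: firebaseDecoded,
+company_uid: company_uid ?? void 0,
+branch_uid: branch_uid ?? void 0,
+companies: [],
+roles: [],
+permissions: [],
+denied_permissions: []
+};
+req.auth = firebaseCtx;
+return next();
+} catch {
+return sendAuthError(
+res,
+"AUTH_INVALID_TOKEN",
+"Invalid or expired token"
+);
+}
+}
+};
+}
+
 // src/common/ids.ts
 import { v7 as uuidv7, v4 as uuidv4, validate as uuidValidate, version as uuidVersion } from "uuid";
 function newUid() {
@@ -87,14 +269,9 @@ export {
 allowSysAdminOrPermissionsAll,
 allowSysAdminOrRoles,
 allowSysAdminOrRolesOrAnyPermission,
-authCustomerAllowFirebase,
-authCustomerRequired,
-authEmployeeAllowFirebase,
-authEmployeeRequired,
 buildInternalHeaders,
 closeCache,
 createAuthMiddleware,
-createAuthMiddleware2 as createAuthMiddlewareLegacySimple,
 createBulkRefsClient,
 createFisClient,
 createHttpClient,
@@ -105,6 +282,9 @@ export {
 createPayClient,
 createPlatformClient,
 createResClient,
+extractCustomerUid,
+extractEmployeeUid,
+getBearerToken,
 getOrSet,
 getRequestContextFromHeaders,
 getTwoLevelCache,
@@ -113,6 +293,7 @@ export {
 mapAxiosToUpstreamError,
 newUid,
 newUidV4,
+normalizeUid,
 parseHeaders,
 readRs256PublicKey,
 readServiceEnv,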
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/common/ids.ts"],"sourcesContent":["// packages/sdk/src/common/ids.ts\nimport {v7 as uuidv7, v4 as uuidv4, validate as uuidValidate, version as uuidVersion} from \"uuid\";\n\n/**\n * UID canónico GetMarket.\n * - Por defecto genera UUIDv7 (time-ordered).\n * - Durante transición, aceptamos v4 y v7 como válidos.\n */\nexport function newUid(): string {\n return uuidv7();\n}\n\n/** Útil si necesitas generar v4 puntualmente (idealmente no usarlo). */\nexport function newUidV4(): string {\n return uuidv4();\n}\n\n/** Validación para inputs que vengan de DB/requests durante migración. */\nexport function isUid(value: string): boolean {\n return uuidValidate(value) && (uuidVersion(value) === 7 || uuidVersion(value) === 4);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,SAAQ,MAAM,QAAQ,MAAM,QAAQ,YAAY,cAAc,WAAW,mBAAkB;AAOpF,SAAS,SAAiB;AAC/B,SAAO,OAAO;AAChB;AAGO,SAAS,WAAmB;AACjC,SAAO,OAAO;AAChB;AAGO,SAAS,MAAM,OAAwB;AAC5C,SAAO,aAAa,KAAK,MAAM,YAAY,KAAK,MAAM,KAAK,YAAY,KAAK,MAAM;AACpF;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../src/auth/jwt.ts","../src/auth/middleware.ts","../src/common/ids.ts"],"sourcesContent":["import fs from \"fs\";\nimport jwt, {JwtPayload} from \"jsonwebtoken\";\n\nfunction readFileIfExists(path?: string): string | null {\n if (!path) return null;\n try {\n const v = fs.readFileSync(path, \"utf8\").trim();\n return v.length ? v : null;\n } catch {\n return null;\n }\n}\n\nexport function getBearerToken(req: any): string | null {\n const auth = String(req?.headers?.authorization || \"\");\n if (!auth.startsWith(\"Bearer \")) return null;\n\n const token = auth.slice(7).trim();\n return token.length ? token : null;\n}\n\nexport function normalizeUid(v: any): string | null {\n const s = String(v ?? \"\").trim();\n return s.length ? s : null;\n}\n\n/**\n * Keys centralizadas:\n * - JWT_PUBLIC_KEY_PATH=/run/secrets/jwtRS256.key.pub\n * - fallback env AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY\n */\nexport function readRs256PublicKey(): string {\n const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);\n if (fromFile) return fromFile;\n\n const fromEnv = String(\n process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || \"\"\n )\n .replace(/\\\\n/g, \"\\n\")\n .trim();\n\n if (fromEnv) return fromEnv;\n\n throw new Error(\n \"Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)\"\n );\n}\n\nexport function verifyBackendJwtRS256(raw: string): JwtPayload {\n const publicKey = readRs256PublicKey();\n\n const audience =\n process.env.JWT_AUDIENCE ||\n process.env.AUTH_JWT_AUDIENCE ||\n \"getmarket.api\";\n\n const issuer =\n process.env.JWT_ISSUER ||\n process.env.AUTH_JWT_ISSUER ||\n \"getmarket-auth\";\n\n return jwt.verify(raw, publicKey, {\n algorithms: [\"RS256\"],\n audience,\n issuer,\n }) as JwtPayload;\n}\n\nexport function extractEmployeeUid(decoded: any): string | null {\n const direct =\n normalizeUid(decoded?.employee_uid) ??\n normalizeUid(decoded?.employee?.uid);\n\n if 
(direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const match = /^emp:(.+)$/i.exec(sub);\n return match?.[1] ? normalizeUid(match[1]) : null;\n}\n\nexport function extractCustomerUid(decoded: any): string | null {\n const direct =\n normalizeUid(decoded?.customer_uid) ??\n normalizeUid(decoded?.customer?.uid);\n\n if (direct) return direct;\n\n const sub = normalizeUid(decoded?.sub);\n if (!sub) return null;\n\n const match = /^cus:(.+)$/i.exec(sub);\n return match?.[1] ? normalizeUid(match[1]) : null;\n}\n","import type {NextFunction, RequestHandler, Response} from \"express\";\nimport type {AuthContext, AuthMiddlewareOptions} from \"./types\";\nimport {\n extractCustomerUid,\n extractEmployeeUid,\n getBearerToken,\n normalizeUid,\n verifyBackendJwtRS256,\n} from \"./jwt\";\n\nfunction sendAuthError(\n res: Response,\n code: string,\n message: string,\n status = 401\n) {\n return res.status(status).json({\n ok: false,\n code,\n message,\n });\n}\n\nexport function createAuthMiddleware(opts: AuthMiddlewareOptions): RequestHandler {\n const {\n subject,\n allowFirebaseIdToken = false,\n requireSubject = true,\n hydrate,\n } = opts;\n\n return async (req: any, res: Response, next: NextFunction) => {\n const token = getBearerToken(req);\n\n if (!token) {\n return sendAuthError(\n res,\n \"AUTH_MISSING_TOKEN\",\n \"Missing Authorization Bearer token\"\n );\n }\n\n const headerCtx = req.context || {};\n const company_uid = normalizeUid(headerCtx.company_uid);\n const branch_uid = normalizeUid(headerCtx.branch_uid);\n\n try {\n const decoded: any = verifyBackendJwtRS256(token);\n\n const baseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n company_uid: company_uid ?? undefined,\n branch_uid: branch_uid ?? undefined,\n roles: Array.isArray(decoded?.roles) ? decoded.roles : [],\n permissions: Array.isArray(decoded?.permissions)\n ? 
decoded.permissions\n : [],\n denied_permissions: Array.isArray(decoded?.denied_permissions)\n ? decoded.denied_permissions\n : [],\n session: {\n jti: decoded?.jti,\n device_id: decoded?.device_id,\n expires_at: decoded?.exp,\n },\n };\n\n if (subject === \"employee\") {\n baseCtx.employee_uid = extractEmployeeUid(decoded) ?? undefined;\n } else {\n baseCtx.customer_uid = extractCustomerUid(decoded) ?? undefined;\n }\n\n const hydrated = await hydrate({\n decoded,\n req,\n subject,\n company_uid,\n branch_uid,\n });\n\n Object.assign(baseCtx, hydrated);\n\n if (subject === \"employee\" && !baseCtx.employee_uid) {\n return sendAuthError(\n res,\n \"AUTH_EMPLOYEE_UID_MISSING\",\n \"employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)\"\n );\n }\n\n if (subject === \"customer\" && !baseCtx.customer_uid) {\n return sendAuthError(\n res,\n \"AUTH_CUSTOMER_UID_MISSING\",\n \"customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)\"\n );\n }\n\n if (requireSubject) {\n if (subject === \"employee\" && !baseCtx.employee) {\n return sendAuthError(\n res,\n \"AUTH_EMPLOYEE_NOT_FOUND\",\n \"Employee not resolved by hydrator\"\n );\n }\n\n if (subject === \"customer\" && !baseCtx.customer) {\n return sendAuthError(\n res,\n \"AUTH_CUSTOMER_NOT_FOUND\",\n \"Customer not resolved by hydrator\"\n );\n }\n }\n\n req.auth = baseCtx;\n return next();\n } catch (backendErr) {\n if (!allowFirebaseIdToken) {\n return sendAuthError(\n res,\n \"AUTH_INVALID_TOKEN\",\n \"Invalid or expired token\"\n );\n }\n\n try {\n const {default: admin} = await import(\"firebase-admin\");\n const firebaseDecoded = await admin.auth().verifyIdToken(token);\n\n if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {\n return sendAuthError(\n res,\n \"AUTH_EMAIL_NOT_VERIFIED\",\n \"Email not verified\"\n );\n }\n\n const firebaseCtx: AuthContext = {\n tokenType: \"backend\",\n subject,\n firebase: firebaseDecoded,\n company_uid: company_uid 
?? undefined,\n branch_uid: branch_uid ?? undefined,\n companies: [],\n roles: [],\n permissions: [],\n denied_permissions: [],\n };\n\n req.auth = firebaseCtx;\n return next();\n } catch {\n return sendAuthError(\n res,\n \"AUTH_INVALID_TOKEN\",\n \"Invalid or expired token\"\n );\n }\n }\n };\n}\n","// packages/sdk/src/common/ids.ts\nimport {v7 as uuidv7, v4 as uuidv4, validate as uuidValidate, version as uuidVersion} from \"uuid\";\n\n/**\n * UID canónico GetMarket.\n * - Por defecto genera UUIDv7 (time-ordered).\n * - Durante transición, aceptamos v4 y v7 como válidos.\n */\nexport function newUid(): string {\n return uuidv7();\n}\n\n/** Útil si necesitas generar v4 puntualmente (idealmente no usarlo). */\nexport function newUidV4(): string {\n return uuidv4();\n}\n\n/** Validación para inputs que vengan de DB/requests durante migración. */\nexport function isUid(value: string): boolean {\n return uuidValidate(value) && (uuidVersion(value) === 7 || uuidVersion(value) === 4);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,QAAQ;AACf,OAAO,SAAuB;AAE9B,SAAS,iBAAiB,MAA8B;AACtD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI;AACF,UAAM,IAAI,GAAG,aAAa,MAAM,MAAM,EAAE,KAAK;AAC7C,WAAO,EAAE,SAAS,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,eAAe,KAAyB;AACtD,QAAM,OAAO,OAAO,KAAK,SAAS,iBAAiB,EAAE;AACrD,MAAI,CAAC,KAAK,WAAW,SAAS,EAAG,QAAO;AAExC,QAAM,QAAQ,KAAK,MAAM,CAAC,EAAE,KAAK;AACjC,SAAO,MAAM,SAAS,QAAQ;AAChC;AAEO,SAAS,aAAa,GAAuB;AAClD,QAAM,IAAI,OAAO,KAAK,EAAE,EAAE,KAAK;AAC/B,SAAO,EAAE,SAAS,IAAI;AACxB;AAOO,SAAS,qBAA6B;AAC3C,QAAM,WAAW,iBAAiB,QAAQ,IAAI,mBAAmB;AACjE,MAAI,SAAU,QAAO;AAErB,QAAM,UAAU;AAAA,IACd,QAAQ,IAAI,uBAAuB,QAAQ,IAAI,uBAAuB;AAAA,EACxE,EACG,QAAQ,QAAQ,IAAI,EACpB,KAAK;AAER,MAAI,QAAS,QAAO;AAEpB,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;AAEO,SAAS,sBAAsB,KAAyB;AAC7D,QAAM,YAAY,mBAAmB;AAErC,QAAM,WACJ,QAAQ,IAAI,gBACZ,QAAQ,IAAI,qBACZ;AAEF,QAAM,SACJ,QAAQ,IAAI,cACZ,QAAQ,IAAI,mBACZ;AAEF,SAAO,IAAI,OAAO,KAAK,WAAW;AAAA,IAChC,YAAY,CAAC,OAAO;AAAA,IACpB;AAAA,IAC
A;AAAA,EACF,CAAC;AACH;AAEO,SAAS,mBAAmB,SAA6B;AAC9D,QAAM,SACJ,aAAa,SAAS,YAAY,KAClC,aAAa,SAAS,UAAU,GAAG;AAErC,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,QAAQ,cAAc,KAAK,GAAG;AACpC,SAAO,QAAQ,CAAC,IAAI,aAAa,MAAM,CAAC,CAAC,IAAI;AAC/C;AAEO,SAAS,mBAAmB,SAA6B;AAC9D,QAAM,SACJ,aAAa,SAAS,YAAY,KAClC,aAAa,SAAS,UAAU,GAAG;AAErC,MAAI,OAAQ,QAAO;AAEnB,QAAM,MAAM,aAAa,SAAS,GAAG;AACrC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,QAAQ,cAAc,KAAK,GAAG;AACpC,SAAO,QAAQ,CAAC,IAAI,aAAa,MAAM,CAAC,CAAC,IAAI;AAC/C;;;ACpFA,SAAS,cACP,KACA,MACA,SACA,SAAS,KACT;AACA,SAAO,IAAI,OAAO,MAAM,EAAE,KAAK;AAAA,IAC7B,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEO,SAAS,qBAAqB,MAA6C;AAChF,QAAM;AAAA,IACJ;AAAA,IACA,uBAAuB;AAAA,IACvB,iBAAiB;AAAA,IACjB;AAAA,EACF,IAAI;AAEJ,SAAO,OAAO,KAAU,KAAe,SAAuB;AAC5D,UAAM,QAAQ,eAAe,GAAG;AAEhC,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,YAAY,IAAI,WAAW,CAAC;AAClC,UAAM,cAAc,aAAa,UAAU,WAAW;AACtD,UAAM,aAAa,aAAa,UAAU,UAAU;AAEpD,QAAI;AACF,YAAM,UAAe,sBAAsB,KAAK;AAEhD,YAAM,UAAuB;AAAA,QAC3B,WAAW;AAAA,QACX;AAAA,QACA,aAAa,eAAe;AAAA,QAC5B,YAAY,cAAc;AAAA,QAC1B,OAAO,MAAM,QAAQ,SAAS,KAAK,IAAI,QAAQ,QAAQ,CAAC;AAAA,QACxD,aAAa,MAAM,QAAQ,SAAS,WAAW,IAC3C,QAAQ,cACR,CAAC;AAAA,QACL,oBAAoB,MAAM,QAAQ,SAAS,kBAAkB,IACzD,QAAQ,qBACR,CAAC;AAAA,QACL,SAAS;AAAA,UACP,KAAK,SAAS;AAAA,UACd,WAAW,SAAS;AAAA,UACpB,YAAY,SAAS;AAAA,QACvB;AAAA,MACF;AAEA,UAAI,YAAY,YAAY;AAC1B,gBAAQ,eAAe,mBAAmB,OAAO,KAAK;AAAA,MACxD,OAAO;AACL,gBAAQ,eAAe,mBAAmB,OAAO,KAAK;AAAA,MACxD;AAEA,YAAM,WAAW,MAAM,QAAQ;AAAA,QAC7B;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAED,aAAO,OAAO,SAAS,QAAQ;AAE/B,UAAI,YAAY,cAAc,CAAC,QAAQ,cAAc;AACnD,eAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAEA,UAAI,YAAY,cAAc,CAAC,QAAQ,cAAc;AACnD,eAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAEA,UAAI,gBAAgB;AAClB,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC/C,iBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAEA,YAAI,YAAY,cAAc,CAAC,QAAQ,UAAU;AAC/C,iBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF
;AAAA,QACF;AAAA,MACF;AAEA,UAAI,OAAO;AACX,aAAO,KAAK;AAAA,IACd,SAAS,YAAY;AACnB,UAAI,CAAC,sBAAsB;AACzB,eAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAEA,UAAI;AACF,cAAM,EAAC,SAAS,MAAK,IAAI,MAAM,OAAO,gBAAgB;AACtD,cAAM,kBAAkB,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAE9D,YAAI,gBAAgB,SAAS,gBAAgB,mBAAmB,OAAO;AACrE,iBAAO;AAAA,YACL;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAEA,cAAM,cAA2B;AAAA,UAC/B,WAAW;AAAA,UACX;AAAA,UACA,UAAU;AAAA,UACV,aAAa,eAAe;AAAA,UAC5B,YAAY,cAAc;AAAA,UAC1B,WAAW,CAAC;AAAA,UACZ,OAAO,CAAC;AAAA,UACR,aAAa,CAAC;AAAA,UACd,oBAAoB,CAAC;AAAA,QACvB;AAEA,YAAI,OAAO;AACX,eAAO,KAAK;AAAA,MACd,QAAQ;AACN,eAAO;AAAA,UACL;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ACnKA,SAAQ,MAAM,QAAQ,MAAM,QAAQ,YAAY,cAAc,WAAW,mBAAkB;AAOpF,SAAS,SAAiB;AAC/B,SAAO,OAAO;AAChB;AAGO,SAAS,WAAmB;AACjC,SAAO,OAAO;AAChB;AAGO,SAAS,MAAM,OAAwB;AAC5C,SAAO,aAAa,KAAK,MAAM,YAAY,KAAK,MAAM,KAAK,YAAY,KAAK,MAAM;AACpF;","names":[]}
|