@innvoid/getmarket-sdk 0.2.8 → 0.2.9

package/dist/index.cjs

@@ -45,10 +45,6 @@ __export(src_exports, {
   allowSysAdminOrPermissionsAll: () => allowSysAdminOrPermissionsAll,
   allowSysAdminOrRoles: () => allowSysAdminOrRoles,
   allowSysAdminOrRolesOrAnyPermission: () => allowSysAdminOrRolesOrAnyPermission,
-  authCustomerAllowFirebase: () => authCustomerAllowFirebase,
-  authCustomerRequired: () => authCustomerRequired,
-  authEmployeeAllowFirebase: () => authEmployeeAllowFirebase,
-  authEmployeeRequired: () => authEmployeeRequired,
   buildInternalHeaders: () => buildInternalHeaders,
   closeCache: () => closeCache,
   createAuthMiddleware: () => createAuthMiddleware,
@@ -654,6 +650,9 @@ function internalAuth(req, res, next) {
 function getAuth(req) {
   return req.auth ?? {};
 }
+function hasAuthContext(req) {
+  return !!req.auth;
+}
 function normalizeCode(v) {
   if (!v) return null;
   if (typeof v === "string") return v;
@@ -678,7 +677,7 @@ function permsSet(list) {
 }
 function requireAuthContext() {
   return (req, res, next) => {
-    if (!req.auth) {
+    if (!hasAuthContext(req)) {
       return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
     }
     return next();
@@ -692,6 +691,9 @@ function requirePermissions(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -717,6 +719,9 @@ function requireAnyPermission(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -742,6 +747,9 @@ function requireRoles(roles, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const have = rolesSet(auth);
@@ -758,6 +766,9 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const haveRoles = rolesSet(auth);
@@ -783,6 +794,157 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   };
 }
 
+// src/middlewares/guards.ts
+function normalizeRole(r) {
+  if (!r) return null;
+  if (typeof r === "string") return r;
+  return r.code || r.name || null;
+}
+function normalizePerm(p) {
+  if (!p) return null;
+  if (typeof p === "string") return p;
+  return p.code || p.name || null;
+}
+function getAuth2(req) {
+  return req.auth ?? {};
+}
+function roleSet(auth) {
+  return new Set(
+    (auth.roles ?? []).map(normalizeRole).filter(Boolean)
+  );
+}
+function permissionSets(auth) {
+  const allow = new Set(
+    (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  const deny = new Set(
+    (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  return { allow, deny };
+}
+function normalizeHandlers(auth) {
+  if (!auth) return [];
+  return Array.isArray(auth) ? auth : [auth];
+}
+function buildBaseChain(options) {
+  const chain = [];
+  if (options?.includeParseHeaders !== false) {
+    chain.push(parseHeaders);
+  }
+  chain.push(...normalizeHandlers(options?.auth));
+  return chain;
+}
+function hasSysAdmin(auth, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  if (!sysAdminBypass) return false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return roleSet(auth).has(sysAdminRole);
+}
+function allowSysAdminOrAnyPermission(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const ok = required.some((p) => allow.has(p));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
+          required,
+          mode: "ANY"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrPermissionsAll(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      for (const p of required) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const missing = required.filter((p) => !allow.has(p));
+      if (missing.length) {
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
+          required,
+          missing,
+          mode: "ALL"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRoles(roles, options) {
+  const required = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const have = roleSet(auth);
+      const ok = required.some((r) => have.has(r));
+      if (!ok) {
+        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+          required,
+          mode: "ANY"
+        });
+      }
+      return next();
+    }
+  ];
+}
+function allowSysAdminOrRolesOrAnyPermission(roles, permissions, options) {
+  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
+  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
+  return [
+    ...buildBaseChain(options),
+    (req, res, next) => {
+      const auth = getAuth2(req);
+      if (hasSysAdmin(auth, options)) return next();
+      const { allow, deny } = permissionSets(auth);
+      const haveRoles = roleSet(auth);
+      for (const p of requiredPerms) {
+        if (deny.has(p)) {
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
+        }
+      }
+      const okRole = requiredRoles.some((r) => haveRoles.has(r));
+      if (okRole) return next();
+      const okPerm = requiredPerms.some((p) => allow.has(p));
+      if (okPerm) return next();
+      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
+        roles: requiredRoles,
+        permissions: requiredPerms,
+        mode: "ROLES_OR_ANY_PERMISSION"
+      });
+    }
+  ];
+}
+function allowAuthAdminOrPerm(permission, options) {
+  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission], options);
+}
+
 // src/auth/jwt.ts
 var import_fs2 = __toESM(require("fs"), 1);
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
@@ -844,6 +1006,13 @@ function extractCustomerUid(decoded) {
 }
 
 // src/auth/middleware.ts
+function sendAuthError(res, code, message, status = 401) {
+  return res.status(status).json({
+    ok: false,
+    code,
+    message
+  });
+}
 function createAuthMiddleware(opts) {
   const {
     subject,
@@ -854,11 +1023,11 @@ function createAuthMiddleware(opts) {
   return async (req, res, next) => {
     const token = getBearerToken(req);
     if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
+      return sendAuthError(
+        res,
+        "AUTH_MISSING_TOKEN",
+        "Missing Authorization Bearer token"
+      );
     }
     const headerCtx = req.context || {};
     const company_uid = normalizeUid(headerCtx.company_uid);
@@ -893,56 +1062,56 @@ function createAuthMiddleware(opts) {
       });
       Object.assign(baseCtx, hydrated);
       if (subject === "employee" && !baseCtx.employee_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_EMPLOYEE_UID_MISSING",
-          message: "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_EMPLOYEE_UID_MISSING",
+          "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
+        );
       }
       if (subject === "customer" && !baseCtx.customer_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_CUSTOMER_UID_MISSING",
-          message: "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_CUSTOMER_UID_MISSING",
+          "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
+        );
       }
       if (requireSubject) {
         if (subject === "employee" && !baseCtx.employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not resolved by hydrator"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_EMPLOYEE_NOT_FOUND",
+            "Employee not resolved by hydrator"
+          );
         }
         if (subject === "customer" && !baseCtx.customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not resolved by hydrator"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_CUSTOMER_NOT_FOUND",
+            "Customer not resolved by hydrator"
+          );
         }
       }
       req.auth = baseCtx;
       return next();
-    } catch {
+    } catch (backendErr) {
       if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_INVALID_TOKEN",
+          "Invalid or expired token"
+        );
       }
       try {
         const { default: admin } = await import("firebase-admin");
         const firebaseDecoded = await admin.auth().verifyIdToken(token);
         if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
+          return sendAuthError(
+            res,
+            "AUTH_EMAIL_NOT_VERIFIED",
+            "Email not verified"
+          );
         }
-        req.auth = {
+        const firebaseCtx = {
           tokenType: "backend",
           subject,
           firebase: firebaseDecoded,
@@ -953,243 +1122,19 @@ function createAuthMiddleware(opts) {
           permissions: [],
           denied_permissions: []
         };
+        req.auth = firebaseCtx;
         return next();
       } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
+        return sendAuthError(
+          res,
+          "AUTH_INVALID_TOKEN",
+          "Invalid or expired token"
+        );
       }
     }
   };
 }
 
-// src/auth/authentication.ts
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return {
-    companiesFromToken,
-    company,
-    branch
-  };
-}
-var authEmployeeRequired = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerRequired = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authEmployeeAllowFirebase = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerAllowFirebase = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-
-// src/middlewares/guards.ts
-function normalizeRole(r) {
-  if (!r) return null;
-  if (typeof r === "string") return r;
-  return r.code || r.name || null;
-}
-function normalizePerm(p) {
-  if (!p) return null;
-  if (typeof p === "string") return p;
-  return p.code || p.name || null;
-}
-function isSysAdmin2(roles) {
-  if (!Array.isArray(roles)) return false;
-  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
-}
-function getAuth2(req) {
-  return req.auth ?? {};
-}
-function permissionSets(auth) {
-  const allow = new Set((auth.permissions ?? []).map(normalizePerm).filter(Boolean));
-  const deny = new Set((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean));
-  return { allow, deny };
-}
-function roleSet(auth) {
-  return new Set((auth.roles ?? []).map(normalizeRole).filter(Boolean));
-}
-function allowSysAdminOrAnyPermission(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const ok = required.some((p) => allow.has(p));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrPermissionsAll(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const missing = required.filter((p) => !allow.has(p));
-      if (missing.length) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", { required, missing });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRoles(...roles) {
-  const required = (roles ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const have = roleSet(auth);
-      const ok = required.some((r) => have.has(r));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
-  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
-  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of requiredPerms) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`, { permission: p });
-        }
-      }
-      const haveRoles = roleSet(auth);
-      if (requiredRoles.some((r) => haveRoles.has(r))) return next();
-      if (requiredPerms.some((p) => allow.has(p))) return next();
-      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
-        roles: requiredRoles,
-        permissions: requiredPerms,
-        mode: "ROLES_OR_ANY_PERMISSION"
-      });
-    }
-  ];
-}
-function allowAuthAdminOrPerm(permission) {
-  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission]);
-}
-
 // src/internalHttpClient.ts
 var import_fs3 = __toESM(require("fs"), 1);
 var InternalHttpError = class extends Error {
@@ -1890,10 +1835,6 @@ function isUid(value) {
   allowSysAdminOrPermissionsAll,
   allowSysAdminOrRoles,
   allowSysAdminOrRolesOrAnyPermission,
-  authCustomerAllowFirebase,
-  authCustomerRequired,
-  authEmployeeAllowFirebase,
-  authEmployeeRequired,
   buildInternalHeaders,
   closeCache,
   createAuthMiddleware,