@innvoid/getmarket-sdk 0.2.8 → 0.2.9

package/dist/middlewares/index.cjs

@@ -168,6 +168,9 @@ function internalAuth(req, res, next) {
 function getAuth(req) {
   return req.auth ?? {};
 }
+function hasAuthContext(req) {
+  return !!req.auth;
+}
 function normalizeCode(v) {
   if (!v) return null;
   if (typeof v === "string") return v;
@@ -192,7 +195,7 @@ function permsSet(list) {
 }
 function requireAuthContext() {
   return (req, res, next) => {
-    if (!req.auth) {
+    if (!hasAuthContext(req)) {
       return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
     }
     return next();
@@ -206,6 +209,9 @@ function requirePermissions(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -231,6 +237,9 @@ function requireAnyPermission(perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const allow = permsSet(auth.permissions);
@@ -256,6 +265,9 @@ function requireRoles(roles, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const have = rolesSet(auth);
@@ -272,6 +284,9 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   const sysAdminBypass = options?.sysAdminBypass !== false;
   const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
   return (req, res, next) => {
+    if (!hasAuthContext(req)) {
+      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
+    }
     const auth = getAuth(req);
     if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
     const haveRoles = rolesSet(auth);
@@ -297,296 +312,6 @@ function requireRolesOrAnyPermission(roles, perms, options) {
   };
 }
 
-// src/auth/jwt.ts
-var import_fs2 = __toESM(require("fs"), 1);
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
-function readFileIfExists(path) {
-  if (!path) return null;
-  try {
-    const v = import_fs2.default.readFileSync(path, "utf8").trim();
-    return v.length ? v : null;
-  } catch {
-    return null;
-  }
-}
-function getBearerToken(req) {
-  const auth = String(req?.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function readRs256PublicKey() {
-  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
-  if (fromFile) return fromFile;
-  const fromEnv = String(
-    process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
-  ).replace(/\\n/g, "\n").trim();
-  if (fromEnv) return fromEnv;
-  throw new Error(
-    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
-  );
-}
-function verifyBackendJwtRS256(raw) {
-  const publicKey = readRs256PublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return import_jsonwebtoken.default.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-function extractEmployeeUid(decoded) {
-  const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
-  if (direct) return direct;
-  const sub = normalizeUid(decoded?.sub);
-  if (!sub) return null;
-  const match = /^emp:(.+)$/i.exec(sub);
-  return match?.[1] ? normalizeUid(match[1]) : null;
-}
-function extractCustomerUid(decoded) {
-  const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
-  if (direct) return direct;
-  const sub = normalizeUid(decoded?.sub);
-  if (!sub) return null;
-  const match = /^cus:(.+)$/i.exec(sub);
-  return match?.[1] ? normalizeUid(match[1]) : null;
-}
-
-// src/auth/middleware.ts
-function createAuthMiddleware(opts) {
-  const {
-    subject,
-    allowFirebaseIdToken = false,
-    requireSubject = true,
-    hydrate
-  } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    const headerCtx = req.context || {};
-    const company_uid = normalizeUid(headerCtx.company_uid);
-    const branch_uid = normalizeUid(headerCtx.branch_uid);
-    try {
-      const decoded = verifyBackendJwtRS256(token);
-      const baseCtx = {
-        tokenType: "backend",
-        subject,
-        company_uid: company_uid ?? void 0,
-        branch_uid: branch_uid ?? void 0,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      if (subject === "employee") {
-        baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
-      } else {
-        baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
-      }
-      const hydrated = await hydrate({
-        decoded,
-        req,
-        subject,
-        company_uid,
-        branch_uid
-      });
-      Object.assign(baseCtx, hydrated);
-      if (subject === "employee" && !baseCtx.employee_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_EMPLOYEE_UID_MISSING",
-          message: "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
-        });
-      }
-      if (subject === "customer" && !baseCtx.customer_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_CUSTOMER_UID_MISSING",
-          message: "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
-        });
-      }
-      if (requireSubject) {
-        if (subject === "employee" && !baseCtx.employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not resolved by hydrator"
-          });
-        }
-        if (subject === "customer" && !baseCtx.customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not resolved by hydrator"
-          });
-        }
-      }
-      req.auth = baseCtx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const { default: admin } = await import("firebase-admin");
-        const firebaseDecoded = await admin.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: company_uid ?? void 0,
-          branch_uid: branch_uid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
-  };
-}
-
-// src/auth/authentication.ts
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return {
-    companiesFromToken,
-    company,
-    branch
-  };
-}
-var authEmployeeRequired = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerRequired = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authEmployeeAllowFirebase = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerAllowFirebase = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-
 // src/middlewares/guards.ts
 function normalizeRole(r) {
   if (!r) return null;
@@ -598,100 +323,134 @@ function normalizePerm(p) {
   if (typeof p === "string") return p;
   return p.code || p.name || null;
 }
-function isSysAdmin2(roles) {
-  if (!Array.isArray(roles)) return false;
-  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
-}
 function getAuth2(req) {
   return req.auth ?? {};
 }
+function roleSet(auth) {
+  return new Set(
+    (auth.roles ?? []).map(normalizeRole).filter(Boolean)
+  );
+}
 function permissionSets(auth) {
-  const allow = new Set((auth.permissions ?? []).map(normalizePerm).filter(Boolean));
-  const deny = new Set((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean));
+  const allow = new Set(
+    (auth.permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
+  const deny = new Set(
+    (auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean)
+  );
   return { allow, deny };
 }
-function roleSet(auth) {
-  return new Set((auth.roles ?? []).map(normalizeRole).filter(Boolean));
+function normalizeHandlers(auth) {
+  if (!auth) return [];
+  return Array.isArray(auth) ? auth : [auth];
+}
+function buildBaseChain(options) {
+  const chain = [];
+  if (options?.includeParseHeaders !== false) {
+    chain.push(parseHeaders);
+  }
+  chain.push(...normalizeHandlers(options?.auth));
+  return chain;
+}
+function hasSysAdmin(auth, options) {
+  const sysAdminBypass = options?.sysAdminBypass !== false;
+  if (!sysAdminBypass) return false;
+  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
+  return roleSet(auth).has(sysAdminRole);
 }
-function allowSysAdminOrAnyPermission(...perms) {
-  const required = (perms ?? []).filter(Boolean);
+function allowSysAdminOrAnyPermission(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
   return [
-    parseHeaders,
-    authEmployeeRequired,
+    ...buildBaseChain(options),
     (req, res, next) => {
       const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
+      if (hasSysAdmin(auth, options)) return next();
       const { allow, deny } = permissionSets(auth);
       for (const p of required) {
         if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
         }
       }
       const ok = required.some((p) => allow.has(p));
       if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", { required });
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", {
+          required,
+          mode: "ANY"
+        });
       }
       return next();
     }
   ];
 }
-function allowSysAdminOrPermissionsAll(...perms) {
-  const required = (perms ?? []).filter(Boolean);
+function allowSysAdminOrPermissionsAll(perms, options) {
+  const required = (Array.isArray(perms) ? perms : [perms]).filter(Boolean);
   return [
-    parseHeaders,
-    authEmployeeRequired,
+    ...buildBaseChain(options),
     (req, res, next) => {
       const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
+      if (hasSysAdmin(auth, options)) return next();
       const { allow, deny } = permissionSets(auth);
       for (const p of required) {
         if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
         }
       }
       const missing = required.filter((p) => !allow.has(p));
       if (missing.length) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", { required, missing });
+        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", {
+          required,
+          missing,
+          mode: "ALL"
+        });
       }
       return next();
     }
   ];
 }
-function allowSysAdminOrRoles(...roles) {
-  const required = (roles ?? []).filter(Boolean);
+function allowSysAdminOrRoles(roles, options) {
+  const required = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
   return [
-    parseHeaders,
-    authEmployeeRequired,
+    ...buildBaseChain(options),
     (req, res, next) => {
       const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
+      if (hasSysAdmin(auth, options)) return next();
       const have = roleSet(auth);
       const ok = required.some((r) => have.has(r));
       if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required });
+        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
+          required,
+          mode: "ANY"
+        });
       }
       return next();
     }
   ];
 }
-function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
+function allowSysAdminOrRolesOrAnyPermission(roles, permissions, options) {
   const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
   const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
   return [
-    parseHeaders,
-    authEmployeeRequired,
+    ...buildBaseChain(options),
     (req, res, next) => {
       const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
+      if (hasSysAdmin(auth, options)) return next();
       const { allow, deny } = permissionSets(auth);
+      const haveRoles = roleSet(auth);
       for (const p of requiredPerms) {
         if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`, { permission: p });
+          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
+            denied: p
+          });
         }
       }
-      const haveRoles = roleSet(auth);
-      if (requiredRoles.some((r) => haveRoles.has(r))) return next();
-      if (requiredPerms.some((p) => allow.has(p))) return next();
+      const okRole = requiredRoles.some((r) => haveRoles.has(r));
+      if (okRole) return next();
+      const okPerm = requiredPerms.some((p) => allow.has(p));
+      if (okPerm) return next();
       return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
         roles: requiredRoles,
         permissions: requiredPerms,
@@ -700,8 +459,8 @@ function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
     }
   ];
 }
-function allowAuthAdminOrPerm(permission) {
-  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission]);
+function allowAuthAdminOrPerm(permission, options) {
+  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission], options);
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {