@innvoid/getmarket-sdk 0.2.8 → 0.2.9

package/dist/chunk-DT3AM34L.js

@@ -1,662 +0,0 @@
-import {
-  HEADER_INTERNAL_API_KEY,
-  getRequestContextFromHeaders
-} from "./chunk-KXXIMSON.js";
-
-// src/middlewares/parseHeaders.ts
-function parseHeaders(req, _res, next) {
-  req.context = getRequestContextFromHeaders(req.headers);
-  next();
-}
-
-// src/middlewares/requestId.ts
-import { randomUUID, randomBytes } from "crypto";
-var REQUEST_ID_HEADER = "x-request-id";
-var REQUEST_ID_HEADER_ALT = "x-requestid";
-var RESPONSE_REQUEST_ID_HEADER = "X-Request-Id";
-function requestId(req, res, next) {
-  const headerId = req.headers[REQUEST_ID_HEADER] || req.headers[REQUEST_ID_HEADER_ALT];
-  const id = headerId?.trim() || randomUUID();
-  req.requestId = id;
-  res.locals.requestId = id;
-  res.setHeader(RESPONSE_REQUEST_ID_HEADER, id);
-  next();
-}
-
-// src/middlewares/internalAuth.ts
-import fs from "fs";
-import crypto from "crypto";
-
-// src/middlewares/respond.ts
-function sendOk(_req, res, data, statusCode = 200) {
-  return res.status(statusCode).json({ ok: true, data, requestId: res.locals?.requestId ?? null });
-}
-function sendError(_req, res, statusCode, code, message, details) {
-  return res.status(statusCode).json({
-    ok: false,
-    error: { code, message, ...details !== void 0 ? { details } : {} },
-    requestId: res.locals?.requestId ?? null
-  });
-}
-
-// src/middlewares/internalAuth.ts
-function readSecretFile(path) {
-  if (!path) return null;
-  try {
-    const v = fs.readFileSync(path, "utf8").trim();
-    return v.length ? v : null;
-  } catch {
-    return null;
-  }
-}
-function splitKeys(v) {
-  if (!v) return [];
-  return v.split(",").map((s) => s.trim()).filter(Boolean);
-}
-function getExpectedKeys() {
-  const fileKey = readSecretFile(process.env.INTERNAL_API_KEY_FILE);
-  const envKey = (process.env.INTERNAL_API_KEY || "").trim();
-  const raw = fileKey || envKey;
-  return splitKeys(raw);
-}
-function extractToken(req) {
-  const apiKey = (req.header(HEADER_INTERNAL_API_KEY) || "").trim();
-  return apiKey || null;
-}
-function safeEquals(a, b) {
-  const aa = Buffer.from(a);
-  const bb = Buffer.from(b);
-  if (aa.length !== bb.length) return false;
-  return crypto.timingSafeEqual(aa, bb);
-}
-function internalAuth(req, res, next) {
-  const token = extractToken(req);
-  if (!token) {
-    return sendError(req, res, 401, "UNAUTHORIZED", `Missing internal api key (${HEADER_INTERNAL_API_KEY})`);
-  }
-  const expectedKeys = getExpectedKeys();
-  if (expectedKeys.length === 0) {
-    return sendError(
-      req,
-      res,
-      500,
-      "MISCONFIGURED_INTERNAL_AUTH",
-      "Internal api key not configured (INTERNAL_API_KEY or INTERNAL_API_KEY_FILE)"
-    );
-  }
-  const ok = expectedKeys.some((k) => safeEquals(token, k));
-  if (!ok) {
-    return sendError(req, res, 403, "FORBIDDEN", "Invalid internal api key");
-  }
-  return next();
-}
-
-// src/middlewares/authorization.ts
-function getAuth(req) {
-  return req.auth ?? {};
-}
-function normalizeCode(v) {
-  if (!v) return null;
-  if (typeof v === "string") return v;
-  if (typeof v === "object") return v.code || v.name || null;
-  return null;
-}
-function rolesSet(auth) {
-  const out = /* @__PURE__ */ new Set();
-  for (const r of auth.roles || []) {
-    const c = normalizeCode(r);
-    if (c) out.add(c);
-  }
-  return out;
-}
-function permsSet(list) {
-  const out = /* @__PURE__ */ new Set();
-  for (const p of list || []) {
-    const c = normalizeCode(p);
-    if (c) out.add(c);
-  }
-  return out;
-}
-function requireAuthContext() {
-  return (req, res, next) => {
-    if (!req.auth) {
-      return sendError(req, res, 401, "UNAUTHORIZED", "Missing auth context");
-    }
-    return next();
-  };
-}
-function isSysAdmin(auth, sysAdminRole) {
-  const have = rolesSet(auth);
-  return have.has(sysAdminRole);
-}
-function requirePermissions(perms, options) {
-  const sysAdminBypass = options?.sysAdminBypass !== false;
-  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
-  return (req, res, next) => {
-    const auth = getAuth(req);
-    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
-    const allow = permsSet(auth.permissions);
-    const deny = permsSet(auth.denied_permissions);
-    for (const p of perms) {
-      if (deny.has(p)) {
-        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
-          denied: p
-        });
-      }
-    }
-    const missing = perms.filter((p) => !allow.has(p));
-    if (missing.length) {
-      return sendError(req, res, 403, "FORBIDDEN", "Missing permissions", {
-        missing,
-        mode: "ALL"
-      });
-    }
-    return next();
-  };
-}
-function requireAnyPermission(perms, options) {
-  const sysAdminBypass = options?.sysAdminBypass !== false;
-  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
-  return (req, res, next) => {
-    const auth = getAuth(req);
-    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
-    const allow = permsSet(auth.permissions);
-    const deny = permsSet(auth.denied_permissions);
-    for (const p of perms) {
-      if (deny.has(p)) {
-        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
-          denied: p
-        });
-      }
-    }
-    const ok = perms.some((p) => allow.has(p));
-    if (!ok) {
-      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
-        required: perms,
-        mode: "ANY"
-      });
-    }
-    return next();
-  };
-}
-function requireRoles(roles, options) {
-  const sysAdminBypass = options?.sysAdminBypass !== false;
-  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
-  return (req, res, next) => {
-    const auth = getAuth(req);
-    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
-    const have = rolesSet(auth);
-    if (!roles.some((r) => have.has(r))) {
-      return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", {
-        required: roles,
-        mode: "ANY"
-      });
-    }
-    return next();
-  };
-}
-function requireRolesOrAnyPermission(roles, perms, options) {
-  const sysAdminBypass = options?.sysAdminBypass !== false;
-  const sysAdminRole = options?.sysAdminRole || "SYS_ADMIN";
-  return (req, res, next) => {
-    const auth = getAuth(req);
-    if (sysAdminBypass && isSysAdmin(auth, sysAdminRole)) return next();
-    const haveRoles = rolesSet(auth);
-    const allow = permsSet(auth.permissions);
-    const deny = permsSet(auth.denied_permissions);
-    for (const p of perms) {
-      if (deny.has(p)) {
-        return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, {
-          denied: p
-        });
-      }
-    }
-    const okRole = roles.some((r) => haveRoles.has(r));
-    const okPerm = perms.some((p) => allow.has(p));
-    if (!okRole && !okPerm) {
-      return sendError(req, res, 403, "FORBIDDEN", "Access denied", {
-        roles,
-        permissions: perms,
-        mode: "ROLES_OR_PERMS_ANY"
-      });
-    }
-    return next();
-  };
-}
-
-// src/auth/jwt.ts
-import fs2 from "fs";
-import jwt from "jsonwebtoken";
-function readFileIfExists(path) {
-  if (!path) return null;
-  try {
-    const v = fs2.readFileSync(path, "utf8").trim();
-    return v.length ? v : null;
-  } catch {
-    return null;
-  }
-}
-function getBearerToken(req) {
-  const auth = String(req?.headers?.authorization || "");
-  if (!auth.startsWith("Bearer ")) return null;
-  const token = auth.slice(7).trim();
-  return token.length ? token : null;
-}
-function normalizeUid(v) {
-  const s = String(v ?? "").trim();
-  return s.length ? s : null;
-}
-function readRs256PublicKey() {
-  const fromFile = readFileIfExists(process.env.JWT_PUBLIC_KEY_PATH);
-  if (fromFile) return fromFile;
-  const fromEnv = String(
-    process.env.AUTH_JWT_PUBLIC_KEY || process.env.AUTH_RSA_PUBLIC_KEY || ""
-  ).replace(/\\n/g, "\n").trim();
-  if (fromEnv) return fromEnv;
-  throw new Error(
-    "Missing RS256 public key (JWT_PUBLIC_KEY_PATH / AUTH_JWT_PUBLIC_KEY / AUTH_RSA_PUBLIC_KEY)"
-  );
-}
-function verifyBackendJwtRS256(raw) {
-  const publicKey = readRs256PublicKey();
-  const audience = process.env.JWT_AUDIENCE || process.env.AUTH_JWT_AUDIENCE || "getmarket.api";
-  const issuer = process.env.JWT_ISSUER || process.env.AUTH_JWT_ISSUER || "getmarket-auth";
-  return jwt.verify(raw, publicKey, {
-    algorithms: ["RS256"],
-    audience,
-    issuer
-  });
-}
-function extractEmployeeUid(decoded) {
-  const direct = normalizeUid(decoded?.employee_uid) ?? normalizeUid(decoded?.employee?.uid);
-  if (direct) return direct;
-  const sub = normalizeUid(decoded?.sub);
-  if (!sub) return null;
-  const match = /^emp:(.+)$/i.exec(sub);
-  return match?.[1] ? normalizeUid(match[1]) : null;
-}
-function extractCustomerUid(decoded) {
-  const direct = normalizeUid(decoded?.customer_uid) ?? normalizeUid(decoded?.customer?.uid);
-  if (direct) return direct;
-  const sub = normalizeUid(decoded?.sub);
-  if (!sub) return null;
-  const match = /^cus:(.+)$/i.exec(sub);
-  return match?.[1] ? normalizeUid(match[1]) : null;
-}
-
-// src/auth/middleware.ts
-function createAuthMiddleware(opts) {
-  const {
-    subject,
-    allowFirebaseIdToken = false,
-    requireSubject = true,
-    hydrate
-  } = opts;
-  return async (req, res, next) => {
-    const token = getBearerToken(req);
-    if (!token) {
-      return res.status(401).json({
-        ok: false,
-        code: "AUTH_MISSING_TOKEN",
-        message: "Missing Authorization Bearer token"
-      });
-    }
-    const headerCtx = req.context || {};
-    const company_uid = normalizeUid(headerCtx.company_uid);
-    const branch_uid = normalizeUid(headerCtx.branch_uid);
-    try {
-      const decoded = verifyBackendJwtRS256(token);
-      const baseCtx = {
-        tokenType: "backend",
-        subject,
-        company_uid: company_uid ?? void 0,
-        branch_uid: branch_uid ?? void 0,
-        roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-        permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-        denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : [],
-        session: {
-          jti: decoded?.jti,
-          device_id: decoded?.device_id,
-          expires_at: decoded?.exp
-        }
-      };
-      if (subject === "employee") {
-        baseCtx.employee_uid = extractEmployeeUid(decoded) ?? void 0;
-      } else {
-        baseCtx.customer_uid = extractCustomerUid(decoded) ?? void 0;
-      }
-      const hydrated = await hydrate({
-        decoded,
-        req,
-        subject,
-        company_uid,
-        branch_uid
-      });
-      Object.assign(baseCtx, hydrated);
-      if (subject === "employee" && !baseCtx.employee_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_EMPLOYEE_UID_MISSING",
-          message: "employee_uid missing in token/context (expected employee_uid or sub=emp:<uid>)"
-        });
-      }
-      if (subject === "customer" && !baseCtx.customer_uid) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_CUSTOMER_UID_MISSING",
-          message: "customer_uid missing in token/context (expected customer_uid or sub=cus:<uid>)"
-        });
-      }
-      if (requireSubject) {
-        if (subject === "employee" && !baseCtx.employee) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMPLOYEE_NOT_FOUND",
-            message: "Employee not resolved by hydrator"
-          });
-        }
-        if (subject === "customer" && !baseCtx.customer) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_CUSTOMER_NOT_FOUND",
-            message: "Customer not resolved by hydrator"
-          });
-        }
-      }
-      req.auth = baseCtx;
-      return next();
-    } catch {
-      if (!allowFirebaseIdToken) {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-      try {
-        const { default: admin } = await import("firebase-admin");
-        const firebaseDecoded = await admin.auth().verifyIdToken(token);
-        if (firebaseDecoded.email && firebaseDecoded.email_verified === false) {
-          return res.status(401).json({
-            ok: false,
-            code: "AUTH_EMAIL_NOT_VERIFIED",
-            message: "Email not verified"
-          });
-        }
-        req.auth = {
-          tokenType: "backend",
-          subject,
-          firebase: firebaseDecoded,
-          company_uid: company_uid ?? void 0,
-          branch_uid: branch_uid ?? void 0,
-          companies: [],
-          roles: [],
-          permissions: [],
-          denied_permissions: []
-        };
-        return next();
-      } catch {
-        return res.status(401).json({
-          ok: false,
-          code: "AUTH_INVALID_TOKEN",
-          message: "Invalid or expired token"
-        });
-      }
-    }
-  };
-}
-
-// src/auth/authentication.ts
-function deriveCompanyBranch(decoded, companyUid, branchUid) {
-  const companiesFromToken = Array.isArray(decoded?.companies) ? decoded.companies : [];
-  const company = decoded?.company ?? (companyUid ? companiesFromToken.find((c) => c?.uid === companyUid) : null) ?? null;
-  const branch = decoded?.branch ?? (branchUid && company?.branches ? (company.branches || []).find((b) => b?.uid === branchUid) : null) ?? null;
-  return {
-    companiesFromToken,
-    company,
-    branch
-  };
-}
-var authEmployeeRequired = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerRequired = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: false,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authEmployeeAllowFirebase = createAuthMiddleware({
-  subject: "employee",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const employee_uid = extractEmployeeUid(decoded) ?? normalizeUid(decoded?.employee?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const employee = decoded?.employee && typeof decoded.employee === "object" ? decoded.employee : employee_uid ? { uid: employee_uid, email: decoded?.email ?? null } : void 0;
-    return {
-      employee_uid: employee_uid ?? void 0,
-      employee,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-var authCustomerAllowFirebase = createAuthMiddleware({
-  subject: "customer",
-  allowFirebaseIdToken: true,
-  requireSubject: false,
-  hydrate: async ({ decoded, company_uid, branch_uid }) => {
-    const customer_uid = extractCustomerUid(decoded) ?? normalizeUid(decoded?.customer?.uid);
-    const { companiesFromToken, company, branch } = deriveCompanyBranch(
-      decoded,
-      company_uid,
-      branch_uid
-    );
-    const customer = decoded?.customer && typeof decoded.customer === "object" ? decoded.customer : customer_uid ? { uid: customer_uid } : void 0;
-    return {
-      customer_uid: customer_uid ?? void 0,
-      customer,
-      companies: companiesFromToken,
-      company,
-      branch,
-      roles: Array.isArray(decoded?.roles) ? decoded.roles : [],
-      permissions: Array.isArray(decoded?.permissions) ? decoded.permissions : [],
-      denied_permissions: Array.isArray(decoded?.denied_permissions) ? decoded.denied_permissions : []
-    };
-  }
-});
-
-// src/middlewares/guards.ts
-function normalizeRole(r) {
-  if (!r) return null;
-  if (typeof r === "string") return r;
-  return r.code || r.name || null;
-}
-function normalizePerm(p) {
-  if (!p) return null;
-  if (typeof p === "string") return p;
-  return p.code || p.name || null;
-}
-function isSysAdmin2(roles) {
-  if (!Array.isArray(roles)) return false;
-  return roles.some((r) => normalizeRole(r) === "SYS_ADMIN");
-}
-function getAuth2(req) {
-  return req.auth ?? {};
-}
-function permissionSets(auth) {
-  const allow = new Set((auth.permissions ?? []).map(normalizePerm).filter(Boolean));
-  const deny = new Set((auth.denied_permissions ?? []).map(normalizePerm).filter(Boolean));
-  return { allow, deny };
-}
-function roleSet(auth) {
-  return new Set((auth.roles ?? []).map(normalizeRole).filter(Boolean));
-}
-function allowSysAdminOrAnyPermission(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const ok = required.some((p) => allow.has(p));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ANY)", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrPermissionsAll(...perms) {
-  const required = (perms ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of required) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied permission: ${p}`, { denied: p });
-        }
-      }
-      const missing = required.filter((p) => !allow.has(p));
-      if (missing.length) {
-        return sendError(req, res, 403, "FORBIDDEN", "Missing permissions (ALL)", { required, missing });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRoles(...roles) {
-  const required = (roles ?? []).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const have = roleSet(auth);
-      const ok = required.some((r) => have.has(r));
-      if (!ok) {
-        return sendError(req, res, 403, "FORBIDDEN", "Role not allowed", { required });
-      }
-      return next();
-    }
-  ];
-}
-function allowSysAdminOrRolesOrAnyPermission(roles, permissions) {
-  const requiredRoles = (Array.isArray(roles) ? roles : [roles]).filter(Boolean);
-  const requiredPerms = (Array.isArray(permissions) ? permissions : [permissions]).filter(Boolean);
-  return [
-    parseHeaders,
-    authEmployeeRequired,
-    (req, res, next) => {
-      const auth = getAuth2(req);
-      if (isSysAdmin2(auth.roles)) return next();
-      const { allow, deny } = permissionSets(auth);
-      for (const p of requiredPerms) {
-        if (deny.has(p)) {
-          return sendError(req, res, 403, "FORBIDDEN", `Denied: ${p}`, { permission: p });
-        }
-      }
-      const haveRoles = roleSet(auth);
-      if (requiredRoles.some((r) => haveRoles.has(r))) return next();
-      if (requiredPerms.some((p) => allow.has(p))) return next();
-      return sendError(req, res, 403, "FORBIDDEN", "Permission denied", {
-        roles: requiredRoles,
-        permissions: requiredPerms,
-        mode: "ROLES_OR_ANY_PERMISSION"
-      });
-    }
-  ];
-}
-function allowAuthAdminOrPerm(permission) {
-  return allowSysAdminOrRolesOrAnyPermission(["AUTH_ADMIN"], [permission]);
-}
-
-export {
-  parseHeaders,
-  requestId,
-  sendOk,
-  sendError,
-  internalAuth,
-  requireAuthContext,
-  requirePermissions,
-  requireAnyPermission,
-  requireRoles,
-  requireRolesOrAnyPermission,
-  getBearerToken,
-  normalizeUid,
-  readRs256PublicKey,
-  verifyBackendJwtRS256,
-  extractEmployeeUid,
-  extractCustomerUid,
-  createAuthMiddleware,
-  authEmployeeRequired,
-  authCustomerRequired,
-  authEmployeeAllowFirebase,
-  authCustomerAllowFirebase,
-  allowSysAdminOrAnyPermission,
-  allowSysAdminOrPermissionsAll,
-  allowSysAdminOrRoles,
-  allowSysAdminOrRolesOrAnyPermission,
-  allowAuthAdminOrPerm
-};
-//# sourceMappingURL=chunk-DT3AM34L.js.map