@intranefr/superbackend 1.4.3

package/src/routes/adminUploadNamespaces.routes.js

@@ -0,0 +1,13 @@
+const express = require('express');
+const router = express.Router();
+const { basicAuth } = require('../middleware/auth');
+const adminUploadNamespacesController = require('../controllers/adminUploadNamespaces.controller');
+
+router.get('/', basicAuth, adminUploadNamespacesController.listNamespaces);
+router.get('/summary', basicAuth, adminUploadNamespacesController.getNamespacesSummary);
+router.get('/:key', basicAuth, adminUploadNamespacesController.getNamespace);
+router.post('/', basicAuth, adminUploadNamespacesController.createNamespace);
+router.put('/:key', basicAuth, adminUploadNamespacesController.updateNamespace);
+router.delete('/:key', basicAuth, adminUploadNamespacesController.deleteNamespace);
+
+module.exports = router;

package/src/routes/assets.routes.js

@@ -0,0 +1,21 @@
+const express = require('express');
+const router = express.Router();
+const multer = require('multer');
+const { authenticate } = require('../middleware/auth');
+const assetsController = require('../controllers/assets.controller');
+const { auditMiddleware } = require('../services/auditLogger');
+
+const upload = multer({
+  storage: multer.memoryStorage(),
+  limits: {
+    fileSize: parseInt(process.env.MULTER_FILE_SIZE_LIMIT || '1073741824', 10)
+  }
+});
+
+router.post('/upload', authenticate, auditMiddleware('user.asset.upload', { entityType: 'Asset' }), upload.single('file'), assetsController.upload);
+router.get('/', authenticate, assetsController.list);
+router.get('/:id', authenticate, assetsController.get);
+router.get('/:id/download', authenticate, assetsController.download);
+router.delete('/:id', authenticate, auditMiddleware('user.asset.delete', { entityType: 'Asset', getEntityId: (req) => req.params.id }), assetsController.delete);
+
+module.exports = router;

package/src/routes/auth.routes.js

@@ -0,0 +1,12 @@
+const express = require('express');
+const router = express.Router();
+const authController = require('../controllers/auth.controller');
+const { authenticate } = require('../middleware/auth');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.post('/register', auditMiddleware('public.auth.register', { entityType: 'User' }), authController.register);
+router.post('/login', auditMiddleware('public.auth.login', { entityType: 'User' }), authController.login);
+router.post('/refresh-token', auditMiddleware('public.auth.refresh', { entityType: 'User' }), authController.refresh);
+router.get('/me', authenticate, authController.me);
+
+module.exports = router;

package/src/routes/billing.routes.js

@@ -0,0 +1,11 @@
+const express = require('express');
+const router = express.Router();
+const billingController = require('../controllers/billing.controller');
+const { authenticate } = require('../middleware/auth');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.post('/create-checkout-session', authenticate, auditMiddleware('user.billing.checkout_session.create', { entityType: 'StripeCheckoutSession' }), billingController.createCheckoutSession);
+router.post('/create-portal-session', authenticate, auditMiddleware('user.billing.portal_session.create', { entityType: 'StripePortalSession' }), billingController.createPortalSession);
+router.post('/reconcile-subscription', authenticate, auditMiddleware('user.billing.subscription.reconcile', { entityType: 'Subscription' }), billingController.reconcileSubscription);
+
+module.exports = router;

package/src/routes/errorTracking.routes.js

@@ -0,0 +1,31 @@
+const express = require('express');
+const path = require('path');
+const fs = require('fs');
+
+const router = express.Router();
+
+router.get('/browser-sdk', (req, res) => {
+  const filePath = path.join(
+    __dirname,
+    '..',
+    '..',
+    'sdk',
+    'error-tracking',
+    'browser',
+    'dist',
+    'embed.iife.js',
+  );
+
+  fs.readFile(filePath, 'utf8', (err, contents) => {
+    if (err) {
+      res.status(404).type('text/plain').send('Browser SDK not found');
+      return;
+    }
+
+    res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+    res.setHeader('Cache-Control', 'no-cache');
+    res.send(contents);
+  });
+});
+
+module.exports = router;

package/src/routes/featureFlags.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const { authenticate } = require('../middleware/auth');
+const featureFlagsController = require('../controllers/featureFlags.controller');
+
+router.get('/public', featureFlagsController.getPublicFlags);
+router.get('/', authenticate, featureFlagsController.getEvaluatedFlags);
+
+module.exports = router;

package/src/routes/forms.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const formsController = require('../controllers/forms.controller');
+const asyncHandler = require('../utils/asyncHandler');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.post('/submit/:formId', auditMiddleware('public.form.submit', { entityType: 'FormSubmission' }), asyncHandler(formsController.submit));
+
+module.exports = router;

package/src/routes/formsAdmin.routes.js

@@ -0,0 +1,13 @@
+const express = require('express');
+const router = express.Router();
+const { basicAuth } = require('../middleware/auth');
+const formsController = require('../controllers/forms.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/', basicAuth, asyncHandler(formsController.adminList));
+router.delete('/:id', basicAuth, asyncHandler(formsController.deleteSubmission));
+router.get('/definitions', basicAuth, asyncHandler(formsController.getForms));
+router.post('/definitions', basicAuth, asyncHandler(formsController.saveForm));
+router.delete('/definitions/:id', basicAuth, asyncHandler(formsController.deleteForm));
+
+module.exports = router;

package/src/routes/globalSettings.routes.js

@@ -0,0 +1,18 @@
+const express = require('express');
+const router = express.Router();
+const { basicAuth } = require('../middleware/auth');
+const globalSettingsController = require('../controllers/globalSettings.controller');
+
+// Public route (no auth)
+router.get('/public', globalSettingsController.getPublicSettings);
+
+// Protected routes (Basic Auth)
+router.get('/', basicAuth, globalSettingsController.getAllSettings);
+// more specific path before :key catch-all
+router.get('/:key/reveal', basicAuth, globalSettingsController.revealSetting);
+router.get('/:key', basicAuth, globalSettingsController.getSetting);
+router.put('/:key', basicAuth, globalSettingsController.updateSetting);
+router.post('/', basicAuth, globalSettingsController.createSetting);
+router.delete('/:key', basicAuth, globalSettingsController.deleteSetting);
+
+module.exports = router;

package/src/routes/headless.routes.js

@@ -0,0 +1,15 @@
+const express = require('express');
+const router = express.Router();
+
+const headlessCrudController = require('../controllers/headlessCrud.controller');
+const { headlessApiTokenAuth, requireHeadlessPermission } = require('../middleware/headlessApiTokenAuth');
+
+router.use(headlessApiTokenAuth());
+
+router.get('/:modelCode', requireHeadlessPermission(), headlessCrudController.list);
+router.post('/:modelCode', requireHeadlessPermission(), headlessCrudController.create);
+router.get('/:modelCode/:id', requireHeadlessPermission(), headlessCrudController.get);
+router.put('/:modelCode/:id', requireHeadlessPermission(), headlessCrudController.update);
+router.delete('/:modelCode/:id', requireHeadlessPermission(), headlessCrudController.remove);
+
+module.exports = router;

package/src/routes/i18n.routes.js

@@ -0,0 +1,8 @@
+const express = require('express');
+const router = express.Router();
+
+const i18nController = require('../controllers/i18n.controller');
+
+router.get('/bundle', i18nController.getBundle);
+
+module.exports = router;

package/src/routes/invite.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const inviteController = require('../controllers/invite.controller');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.get('/info', inviteController.getInviteInfo);
+router.post('/accept', auditMiddleware('user.invite.accept', { entityType: 'Invite' }), inviteController.acceptInvite);
+
+module.exports = router;

package/src/routes/jsonConfigs.routes.js

@@ -0,0 +1,8 @@
+const express = require('express');
+const router = express.Router();
+
+const jsonConfigsController = require('../controllers/jsonConfigs.controller');
+
+router.get('/:slug', jsonConfigsController.getPublic);
+
+module.exports = router;

package/src/routes/log.routes.js

@@ -0,0 +1,111 @@
+const express = require('express');
+const router = express.Router();
+const { logError, getConfig } = require('../services/errorLogger');
+const { verifyAccessToken } = require('../utils/jwt');
+
+const rateLimitStore = new Map();
+const CLEANUP_INTERVAL = 60000;
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, data] of rateLimitStore) {
+    if (now - data.windowStart > 60000) {
+      rateLimitStore.delete(key);
+    }
+  }
+}, CLEANUP_INTERVAL);
+
+async function checkRateLimit(ip, isAuthenticated) {
+  const config = await getConfig();
+  const limit = isAuthenticated ? config.errorRateLimitPerMinute : config.errorRateLimitAnonPerMinute;
+  const key = `${ip}:${isAuthenticated ? 'auth' : 'anon'}`;
+  const now = Date.now();
+
+  let data = rateLimitStore.get(key);
+  if (!data || now - data.windowStart > 60000) {
+    data = { windowStart: now, count: 0 };
+    rateLimitStore.set(key, data);
+  }
+
+  data.count++;
+
+  if (data.count > limit) {
+    return { allowed: false, remaining: 0, limit };
+  }
+
+  return { allowed: true, remaining: limit - data.count, limit };
+}
+
+function extractUserFromToken(req) {
+  try {
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) return null;
+    const token = authHeader.slice(7).trim();
+    if (!token) return null;
+    const decoded = verifyAccessToken(token);
+    return { userId: decoded.userId, role: decoded.role };
+  } catch (e) {
+    return null;
+  }
+}
+
+router.post('/error', async (req, res) => {
+  try {
+    const ip = req.ip || req.headers['x-forwarded-for']?.split(',')[0]?.trim() || 'unknown';
+    const user = extractUserFromToken(req);
+    const isAuthenticated = !!user;
+
+    const rateCheck = await checkRateLimit(ip, isAuthenticated);
+    res.setHeader('X-RateLimit-Limit', rateCheck.limit);
+    res.setHeader('X-RateLimit-Remaining', Math.max(0, rateCheck.remaining));
+
+    if (!rateCheck.allowed) {
+      return res.status(429).json({ error: 'Too many error reports. Please try again later.' });
+    }
+
+    const config = await getConfig();
+    if (!config.errorTrackingEnabled) {
+      return res.status(200).json({ ok: true, tracked: false });
+    }
+
+    const body = req.body || {};
+
+    const event = {
+      source: 'frontend',
+      severity: body.severity || 'error',
+      errorName: body.errorName || body.name || 'Error',
+      errorCode: body.errorCode || body.code,
+      message: String(body.message || '').slice(0, 2000),
+      stack: String(body.stack || '').slice(0, 5000),
+      actor: {
+        userId: user?.userId,
+        role: user?.role,
+        ip,
+        userAgent: req.headers['user-agent'],
+      },
+      request: {
+        method: body.request?.method,
+        path: body.request?.path || body.url,
+        statusCode: body.request?.statusCode || body.statusCode,
+        requestId: body.request?.requestId || req.headers['x-request-id'],
+      },
+      runtime: {
+        url: String(body.url || body.runtime?.url || '').slice(0, 500),
+        referrer: String(body.referrer || body.runtime?.referrer || '').slice(0, 500),
+        viewport: body.runtime?.viewport,
+        locale: body.runtime?.locale,
+        appVersion: body.runtime?.appVersion,
+      },
+      extra: body.extra,
+    };
+
+    await logError(event);
+
+    return res.status(200).json({ ok: true, tracked: true });
+  } catch (err) {
+    console.log('[LogRoutes] Error logging frontend error:', err.message);
+    return res.status(500).json({ error: 'Failed to log error' });
+  }
+});
+
+module.exports = router;

package/src/routes/metrics.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const metricsController = require('../controllers/metrics.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.post('/track', asyncHandler(metricsController.track));
+router.get('/impact', asyncHandler(metricsController.getImpact));
+
+module.exports = router;

package/src/routes/notificationAdmin.routes.js

@@ -0,0 +1,15 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const notificationAdminController = require('../controllers/notificationAdmin.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/stats', basicAuth, asyncHandler(notificationAdminController.getNotificationStats));
+router.get('/', basicAuth, asyncHandler(notificationAdminController.listNotifications));
+router.post('/send', basicAuth, asyncHandler(notificationAdminController.sendNotification));
+router.post('/broadcast', basicAuth, asyncHandler(notificationAdminController.broadcastNotification));
+router.delete('/:id', basicAuth, asyncHandler(notificationAdminController.deleteNotification));
+router.post('/:id/retry-email', basicAuth, asyncHandler(notificationAdminController.retryEmailNotification));
+
+module.exports = router;

package/src/routes/notifications.routes.js

@@ -0,0 +1,12 @@
+const express = require('express');
+const router = express.Router();
+const { authenticate } = require('../middleware/auth');
+const notificationsController = require('../controllers/notifications.controller');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.get('/notifications', authenticate, notificationsController.getNotifications);
+router.put('/notifications/:id/read', authenticate, auditMiddleware('user.notification.read', { entityType: 'Notification', getEntityId: (req) => req.params.id }), notificationsController.markNotificationAsRead);
+router.get('/activity-log', authenticate, notificationsController.getActivityLog);
+router.post('/activity-log', authenticate, auditMiddleware('user.activity_log.create', { entityType: 'ActivityLog' }), notificationsController.createActivityLog);
+
+module.exports = router;

package/src/routes/org.routes.js

@@ -0,0 +1,31 @@
+const express = require('express');
+const router = express.Router();
+const { authenticate } = require('../middleware/auth');
+const { loadOrgContext, requireOrgMember, requireOrgRoleAtLeast, requireOrgRole } = require('../middleware/org');
+const orgController = require('../controllers/org.controller');
+const inviteController = require('../controllers/invite.controller');
+const { auditMiddleware } = require('../services/auditLogger');
+
+router.get('/public', orgController.listPublicOrgs);
+
+router.get('/', authenticate, auditMiddleware('user.org.list', { entityType: 'Org' }), orgController.listOrgs);
+router.post('/', authenticate, auditMiddleware('user.org.create', { entityType: 'Org' }), orgController.createOrg);
+
+router.get('/:orgId/public', orgController.getOrgPublic);
+
+router.get('/:orgId', authenticate, loadOrgContext, requireOrgMember, auditMiddleware('user.org.get', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.getOrg);
+router.put('/:orgId', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.update', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.updateOrg);
+router.delete('/:orgId', authenticate, loadOrgContext, requireOrgRole('owner'), auditMiddleware('user.org.delete', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.deleteOrg);
+
+router.post('/:orgId/join', authenticate, loadOrgContext, auditMiddleware('user.org.join', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.joinOrg);
+
+router.get('/:orgId/members', authenticate, loadOrgContext, requireOrgMember, auditMiddleware('user.org.members.list', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.listMembers);
+router.post('/:orgId/members', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.member.add', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.addMember);
+router.put('/:orgId/members/:userId/role', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.member.role.update', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.updateMemberRole);
+router.delete('/:orgId/members/:userId', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.member.remove', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), orgController.removeMember);
+
+router.get('/:orgId/invites', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.invites.list', { entityType: 'Org', getEntityId: (req) => req.params.orgId }), inviteController.listInvites);
+router.post('/:orgId/invites', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.invite.create', { entityType: 'OrgInvite', getEntityId: (req) => req.params.inviteId || req.params.orgId }), inviteController.createInvite);
+router.delete('/:orgId/invites/:inviteId', authenticate, loadOrgContext, requireOrgRoleAtLeast('admin'), auditMiddleware('user.org.invite.revoke', { entityType: 'OrgInvite', getEntityId: (req) => req.params.inviteId }), inviteController.revokeInvite);
+
+module.exports = router;

package/src/routes/orgAdmin.routes.js

@@ -0,0 +1,20 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const orgAdminController = require('../controllers/orgAdmin.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/', basicAuth, asyncHandler(orgAdminController.listOrgs));
+router.get('/:orgId', basicAuth, asyncHandler(orgAdminController.getOrg));
+
+router.get('/:orgId/members', basicAuth, asyncHandler(orgAdminController.listMembers));
+router.patch('/:orgId/members/:memberId', basicAuth, asyncHandler(orgAdminController.updateMember));
+router.delete('/:orgId/members/:memberId', basicAuth, asyncHandler(orgAdminController.removeMember));
+
+router.get('/:orgId/invites', basicAuth, asyncHandler(orgAdminController.listInvites));
+router.post('/:orgId/invites', basicAuth, asyncHandler(orgAdminController.createInvite));
+router.delete('/:orgId/invites/:inviteId', basicAuth, asyncHandler(orgAdminController.revokeInvite));
+router.post('/:orgId/invites/:inviteId/resend', basicAuth, asyncHandler(orgAdminController.resendInvite));
+
+module.exports = router;

package/src/routes/publicAssets.routes.js

@@ -0,0 +1,7 @@
+const express = require('express');
+const router = express.Router();
+const assetsController = require('../controllers/assets.controller');
+
+router.get('/*', assetsController.getPublicAsset);
+
+module.exports = router;

package/src/routes/stripeAdmin.routes.js

@@ -0,0 +1,20 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const stripeAdminController = require('../controllers/stripeAdmin.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/status', basicAuth, asyncHandler(stripeAdminController.getStripeStatus));
+router.get('/catalog', basicAuth, asyncHandler(stripeAdminController.listCatalog));
+router.get('/catalog/:id', basicAuth, asyncHandler(stripeAdminController.getCatalogItem));
+router.post('/catalog/upsert', basicAuth, asyncHandler(stripeAdminController.upsertCatalogItem));
+router.post('/catalog/import', basicAuth, asyncHandler(stripeAdminController.importStripePrice));
+router.post('/catalog/:id/deactivate', basicAuth, asyncHandler(stripeAdminController.deactivateCatalogItem));
+router.post('/catalog/:id/activate', basicAuth, asyncHandler(stripeAdminController.activateCatalogItem));
+router.delete('/catalog/:id', basicAuth, asyncHandler(stripeAdminController.deleteCatalogItem));
+router.get('/products', basicAuth, asyncHandler(stripeAdminController.listStripeProducts));
+router.get('/prices', basicAuth, asyncHandler(stripeAdminController.listStripePrices));
+router.post('/env/sync', basicAuth, asyncHandler(stripeAdminController.syncEnvFromCatalog));
+
+module.exports = router;

package/src/routes/user.routes.js

@@ -0,0 +1,22 @@
+const express = require('express');
+const router = express.Router();
+const { authenticate } = require('../middleware/auth');
+const userController = require('../controllers/user.controller');
+const { auditMiddleware } = require('../services/auditLogger');
+
+// Profile management
+router.put('/profile', authenticate, auditMiddleware('user.profile.update', { entityType: 'User' }), userController.updateProfile);
+
+// Password management
+router.put('/password', authenticate, auditMiddleware('user.password.change', { entityType: 'User' }), userController.changePassword);
+router.post('/password-reset-request', auditMiddleware('user.password_reset.request', { entityType: 'User' }), userController.requestPasswordReset);
+router.post('/password-reset-confirm', auditMiddleware('user.password_reset.confirm', { entityType: 'User' }), userController.confirmPasswordReset);
+
+// Account deletion
+router.delete('/account', authenticate, auditMiddleware('user.account.delete', { entityType: 'User' }), userController.deleteAccount);
+
+// Settings
+router.get('/settings', authenticate, auditMiddleware('user.settings.get', { entityType: 'User' }), userController.getSettings);
+router.put('/settings', authenticate, auditMiddleware('user.settings.update', { entityType: 'User' }), userController.updateSettings);
+
+module.exports = router;

package/src/routes/userAdmin.routes.js

@@ -0,0 +1,15 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const userAdminController = require('../controllers/userAdmin.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/stats', basicAuth, asyncHandler(userAdminController.getUserStats));
+router.get('/', basicAuth, asyncHandler(userAdminController.listUsers));
+router.get('/:id', basicAuth, asyncHandler(userAdminController.getUser));
+router.patch('/:id', basicAuth, asyncHandler(userAdminController.updateUser));
+router.post('/:id/disable', basicAuth, asyncHandler(userAdminController.disableUser));
+router.post('/:id/enable', basicAuth, asyncHandler(userAdminController.enableUser));
+
+module.exports = router;

package/src/routes/waitingList.routes.js

@@ -0,0 +1,13 @@
+const express = require('express');
+const router = express.Router();
+const waitingListController = require('../controllers/waitingList.controller');
+const asyncHandler = require('../utils/asyncHandler');
+const { auditMiddleware } = require('../services/auditLogger');
+
+// POST /api/waiting-list/subscribe - Subscribe to waiting list
+router.post('/subscribe', auditMiddleware('public.waiting_list.subscribe', { entityType: 'WaitingList' }), asyncHandler(waitingListController.subscribe));
+
+// GET /api/waiting-list/stats - Get waiting list statistics (public)
+router.get('/stats', asyncHandler(waitingListController.getStats));
+
+module.exports = router;

package/src/routes/waitingListAdmin.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const { basicAuth } = require('../middleware/auth');
+const waitingListController = require('../controllers/waitingList.controller');
+const asyncHandler = require('../utils/asyncHandler');
+
+router.get('/', basicAuth, asyncHandler(waitingListController.adminList));
+
+module.exports = router;

package/src/routes/webhook.routes.js

@@ -0,0 +1,32 @@
+const express = require('express');
+const router = express.Router();
+const webhookController = require('../controllers/webhook.controller');
+const authMiddleware = require('../middleware/auth');
+const orgMiddleware = require('../middleware/org');
+
+// Webhook routes support both User (JWT) and SuperAdmin (Basic Auth)
+router.use((req, res, next) => {
+  // If already authenticated via Basic Auth (SuperAdmin), skip JWT check
+  const authHeader = req.headers.authorization;
+  if (authHeader && authHeader.startsWith('Basic ')) {
+    return authMiddleware.basicAuth(req, res, next);
+  }
+  // Otherwise require JWT
+  authMiddleware.authenticate(req, res, next);
+});
+
+// Optional organization context: required for non-admins
+router.use((req, res, next) => {
+  const isBasicAuth = req.headers.authorization?.startsWith('Basic ');
+  if (isBasicAuth) return next();
+  orgMiddleware.loadOrgContext(req, res, next);
+});
+
+router.get('/', webhookController.getAll);
+router.post('/', webhookController.create);
+router.patch('/:id', webhookController.update);
+router.get('/:id/history', webhookController.getHistory);
+router.delete('/:id', webhookController.delete);
+router.post('/:id/test', webhookController.test);
+
+module.exports = router;

package/src/routes/workflowWebhook.routes.js

@@ -0,0 +1,54 @@
+const express = require('express');
+const router = express.Router();
+const Workflow = require('../models/Workflow');
+const workflowService = require('../services/workflow.service');
+
+// Public Webhook Entrypoint
+router.all('/:webhookId', async (req, res) => {
+  const workflow = await Workflow.findOne({
+    $or: [{ _id: req.params.webhookId }, { webhookSlug: req.params.webhookId }]
+  });
+
+  if (!workflow) return res.status(404).json({ error: 'Workflow not found' });
+  
+  // Method Restriction
+  if (workflow.entrypoint?.allowedMethods?.length > 0 && !workflow.entrypoint.allowedMethods.includes(req.method)) {
+    return res.status(405).json({ error: `Method ${req.method} not allowed` });
+  }
+
+  // Auth Checks
+  if (workflow.entrypoint?.auth?.type === 'header') {
+    const val = req.headers[workflow.entrypoint.auth.headerName?.toLowerCase()];
+    if (val !== workflow.entrypoint.auth.headerValue) return res.status(401).json({ error: 'Unauthorized' });
+  } else if (workflow.entrypoint?.auth?.type === 'bearer') {
+    const authHeader = req.headers['authorization'];
+    if (!authHeader || !authHeader.startsWith('Bearer ') || authHeader.split(' ')[1] !== workflow.entrypoint.auth.headerValue) {
+      return res.status(401).json({ error: 'Unauthorized' });
+    }
+  }
+
+  if (workflow.status !== 'active' && !workflow.entrypoint?.testMode) {
+    return res.status(403).json({ error: 'Workflow is inactive' });
+  }
+
+  const initialContext = {
+    body: req.body,
+    query: req.query,
+    headers: req.headers,
+    method: req.method
+  };
+
+  if (workflow.entrypoint?.awaitResponse) {
+    try {
+      const service = await workflowService.execute(workflow._id, initialContext);
+      res.status(200).json(service.context.lastNode || { success: true });
+    } catch (err) {
+      res.status(500).json({ error: 'Execution failed', message: err.message });
+    }
+  } else {
+    workflowService.execute(workflow._id, initialContext).catch(console.error);
+    res.status(201).json({ message: 'Triggered', executionId: Date.now().toString() });
+  }
+});
+
+module.exports = router;