@intranefr/superbackend 1.4.4 → 1.5.1

package/src/routes/adminRbac.routes.js

@@ -0,0 +1,38 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const controller = require('../controllers/adminRbac.controller');
+
+router.use(basicAuth);
+
+router.get('/rights', controller.listRights);
+router.get('/users', controller.searchUsers);
+router.get('/users/:userId/orgs', controller.getUserOrgs);
+router.post('/test', controller.testRight);
+
+router.get('/roles', controller.listRoles);
+router.post('/roles', controller.createRole);
+router.patch('/roles/:id', controller.updateRole);
+
+router.get('/groups', controller.listGroups);
+router.post('/groups', controller.createGroup);
+router.patch('/groups/:id', controller.updateGroup);
+router.get('/groups/:id/members', controller.listGroupMembers);
+router.post('/groups/:id/members', controller.addGroupMember);
+router.post('/groups/:id/members/bulk', controller.addGroupMembersBulk);
+router.delete('/groups/:id/members/:memberId', controller.removeGroupMember);
+router.post('/groups/:id/members/bulk-remove', controller.removeGroupMembersBulk);
+router.get('/groups/:id/roles', controller.listGroupRoles);
+router.post('/groups/:id/roles', controller.addGroupRole);
+router.delete('/groups/:id/roles/:groupRoleId', controller.removeGroupRole);
+
+router.get('/grants', controller.listGrants);
+router.post('/grants', controller.createGrant);
+router.delete('/grants/:id', controller.deleteGrant);
+
+router.get('/users/:userId/roles', controller.listUserRoles);
+router.post('/users/:userId/roles', controller.addUserRole);
+router.delete('/users/:userId/roles/:userRoleId', controller.removeUserRole);
+
+module.exports = router;

package/src/routes/adminScripts.routes.js

@@ -0,0 +1,21 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const controller = require('../controllers/adminScripts.controller');
+
+router.use(basicAuth);
+
+router.get('/', controller.listScripts);
+router.post('/', controller.createScript);
+router.get('/runs', controller.listRuns);
+router.get('/runs/:runId', controller.getRun);
+router.get('/runs/:runId/stream', controller.streamRun);
+
+router.get('/:id', controller.getScript);
+router.put('/:id', controller.updateScript);
+router.delete('/:id', controller.deleteScript);
+
+router.post('/:id/run', controller.runScript);
+
+module.exports = router;

package/src/routes/adminSeoConfig.routes.js

@@ -3,18 +3,19 @@ const router = express.Router();
 
 const { basicAuth } = require('../middleware/auth');
 const adminSeoConfigController = require('../controllers/adminSeoConfig.controller');
+const rateLimiter = require('../services/rateLimiter.service');
 
 router.get('/', basicAuth, adminSeoConfigController.get);
 router.put('/', basicAuth, adminSeoConfigController.update);
 
 // SEO Config helpers
 router.get('/ai/views', basicAuth, adminSeoConfigController.seoConfigAiListViews);
-router.post('/ai/generate-entry', basicAuth, adminSeoConfigController.seoConfigAiGenerateEntry);
-router.post('/ai/improve-entry', basicAuth, adminSeoConfigController.seoConfigAiImproveEntry);
+router.post('/ai/generate-entry', basicAuth, rateLimiter.limit('seoAiLimiter'), adminSeoConfigController.seoConfigAiGenerateEntry);
+router.post('/ai/improve-entry', basicAuth, rateLimiter.limit('seoAiLimiter'), adminSeoConfigController.seoConfigAiImproveEntry);
 router.post('/pages/apply-entry', basicAuth, adminSeoConfigController.seoConfigApplyEntry);
 
 router.put('/og/svg', basicAuth, adminSeoConfigController.updateOgSvg);
-router.post('/og/generate-png', basicAuth, adminSeoConfigController.generateOgPng);
-router.post('/ai/edit-svg', basicAuth, adminSeoConfigController.aiEditSvg);
+router.post('/og/generate-png', basicAuth, rateLimiter.limit('seoAiLimiter'), adminSeoConfigController.generateOgPng);
+router.post('/ai/edit-svg', basicAuth, rateLimiter.limit('seoAiLimiter'), adminSeoConfigController.aiEditSvg);
 
 module.exports = router;

package/src/routes/adminTerminals.routes.js

@@ -0,0 +1,13 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const controller = require('../controllers/adminTerminals.controller');
+
+router.use(basicAuth);
+
+router.post('/sessions', controller.createSession);
+router.get('/sessions', controller.listSessions);
+router.delete('/sessions/:sessionId', controller.killSession);
+
+module.exports = router;

package/src/routes/adminUiComponents.routes.js

@@ -0,0 +1,30 @@
+const express = require('express');
+const router = express.Router();
+
+const { basicAuth } = require('../middleware/auth');
+const adminUiComponentsController = require('../controllers/adminUiComponents.controller');
+const adminUiComponentsAiController = require('../controllers/adminUiComponentsAi.controller');
+const rateLimiter = require('../services/rateLimiter.service');
+
+router.use(basicAuth);
+
+router.get('/projects', adminUiComponentsController.listProjects);
+router.post('/projects', adminUiComponentsController.createProject);
+router.get('/projects/:projectId', adminUiComponentsController.getProject);
+router.put('/projects/:projectId', adminUiComponentsController.updateProject);
+router.delete('/projects/:projectId', adminUiComponentsController.deleteProject);
+router.post('/projects/:projectId/rotate-key', adminUiComponentsController.rotateProjectKey);
+
+router.get('/components', adminUiComponentsController.listComponents);
+router.post('/components', adminUiComponentsController.createComponent);
+router.get('/components/:code', adminUiComponentsController.getComponent);
+router.put('/components/:code', adminUiComponentsController.updateComponent);
+router.delete('/components/:code', adminUiComponentsController.deleteComponent);
+
+router.get('/projects/:projectId/components', adminUiComponentsController.listProjectAssignments);
+router.post('/projects/:projectId/components/:code', adminUiComponentsController.setAssignment);
+router.delete('/projects/:projectId/components/:code', adminUiComponentsController.deleteAssignment);
+
+router.post('/ai/components/:code/propose', rateLimiter.limit('aiOperationsLimiter'), adminUiComponentsAiController.propose);
+
+module.exports = router;

package/src/routes/blogInternal.routes.js

@@ -0,0 +1,14 @@
+const express = require('express');
+const router = express.Router();
+
+const controller = require('../controllers/blogInternal.controller');
+const { requireInternalCronToken } = require('../middleware/internalCronAuth');
+const rateLimiter = require('../services/rateLimiter.service');
+
+router.use(express.json({ limit: '1mb' }));
+router.use(requireInternalCronToken);
+
+router.post('/blog/automation/run', rateLimiter.limit('blogAiLimiter'), controller.runAutomation);
+router.post('/blog/publish-scheduled/run', controller.publishScheduled);
+
+module.exports = router;

package/src/routes/blogPublic.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+
+const controller = require('../controllers/blogPublic.controller');
+
+router.get('/blog-posts', controller.listPublished);
+router.get('/blog-posts/:slug', controller.getPublishedBySlug);
+
+module.exports = router;

package/src/routes/fileManager.routes.js

@@ -0,0 +1,62 @@
+const express = require('express');
+const router = express.Router();
+const multerModule = require('multer');
+// `multer` is normally a callable function. In some test environments it can be mocked as a plain object.
+const multerFactory = typeof multerModule === 'function' ? multerModule : () => multerModule;
+const memoryStorage =
+  typeof multerModule?.memoryStorage === 'function'
+    ? multerModule.memoryStorage
+    : () => ({});
+
+const { authenticate } = require('../middleware/auth');
+const { requireRight } = require('../middleware/rbac');
+const controller = require('../controllers/fileManager.controller');
+
+const fileManagerStoragePolicyService = require('../services/fileManagerStoragePolicy.service');
+const storagePolicyRoutes = require('./fileManagerStoragePolicy.routes');
+
+const dynamicUploadSingle = (fieldName) => async (req, res, next) => {
+  try {
+    const orgId = req.query.orgId || req.body?.orgId || req.headers['x-org-id'] || null;
+    const driveType = req.query.driveType || req.body?.driveType;
+    const driveId = req.query.driveId || req.body?.driveId;
+
+    const { maxUploadBytes } = await fileManagerStoragePolicyService.resolveEffectiveLimits({
+      userId: req.user._id,
+      orgId,
+      driveType,
+      driveId,
+    });
+
+    const fileSize = Number.isFinite(maxUploadBytes) && maxUploadBytes > 0 ? maxUploadBytes : 1073741824;
+
+    const upload = multerFactory({
+      storage: memoryStorage(),
+      limits: { fileSize },
+    }).single(fieldName);
+
+    upload(req, res, next);
+  } catch (error) {
+    next(error);
+  }
+};
+
+router.use(authenticate);
+
+router.use(storagePolicyRoutes);
+
+router.get('/drives', requireRight('file_manager:drives:read'), controller.listDrives);
+router.get('/folders', requireRight('file_manager:files:read'), controller.listFolder);
+
+router.post(
+  '/files/upload',
+  requireRight('file_manager:files:upload'),
+  dynamicUploadSingle('file'),
+  controller.upload
+);
+router.get('/files/:id/download', requireRight('file_manager:files:download'), controller.download);
+router.patch('/files/:id', requireRight('file_manager:files:update'), controller.update);
+router.delete('/files/:id', requireRight('file_manager:files:delete'), controller.delete);
+router.post('/files/:id/share', requireRight('file_manager:files:share'), controller.setShare);
+
+module.exports = router;

package/src/routes/fileManagerStoragePolicy.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+
+const { requireRight } = require('../middleware/rbac');
+const controller = require('../controllers/fileManagerStoragePolicy.controller');
+
+router.get('/storage-policy', requireRight('file_manager:access'), controller.getStoragePolicy);
+
+module.exports = router;

package/src/routes/healthChecksPublic.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+
+const controller = require('../controllers/healthChecksPublic.controller');
+
+router.get('/status', controller.getStatus);
+router.get('/status/json', controller.getStatusJson);
+
+module.exports = router;

package/src/routes/log.routes.js

@@ -1,66 +1,35 @@
 const express = require('express');
 const router = express.Router();
 const { logError, getConfig } = require('../services/errorLogger');
-const { verifyAccessToken } = require('../utils/jwt');
-
-const rateLimitStore = new Map();
-const CLEANUP_INTERVAL = 60000;
-
-setInterval(() => {
-  const now = Date.now();
-  for (const [key, data] of rateLimitStore) {
-    if (now - data.windowStart > 60000) {
-      rateLimitStore.delete(key);
-    }
-  }
-}, CLEANUP_INTERVAL);
-
-async function checkRateLimit(ip, isAuthenticated) {
-  const config = await getConfig();
-  const limit = isAuthenticated ? config.errorRateLimitPerMinute : config.errorRateLimitAnonPerMinute;
-  const key = `${ip}:${isAuthenticated ? 'auth' : 'anon'}`;
-  const now = Date.now();
-
-  let data = rateLimitStore.get(key);
-  if (!data || now - data.windowStart > 60000) {
-    data = { windowStart: now, count: 0 };
-    rateLimitStore.set(key, data);
-  }
-
-  data.count++;
-
-  if (data.count > limit) {
-    return { allowed: false, remaining: 0, limit };
-  }
-
-  return { allowed: true, remaining: limit - data.count, limit };
-}
-
-function extractUserFromToken(req) {
-  try {
-    const authHeader = req.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) return null;
-    const token = authHeader.slice(7).trim();
-    if (!token) return null;
-    const decoded = verifyAccessToken(token);
-    return { userId: decoded.userId, role: decoded.role };
-  } catch (e) {
-    return null;
-  }
-}
+const rateLimiter = require('../services/rateLimiter.service');
 
 router.post('/error', async (req, res) => {
   try {
-    const ip = req.ip || req.headers['x-forwarded-for']?.split(',')[0]?.trim() || 'unknown';
-    const user = extractUserFromToken(req);
-    const isAuthenticated = !!user;
-
-    const rateCheck = await checkRateLimit(ip, isAuthenticated);
-    res.setHeader('X-RateLimit-Limit', rateCheck.limit);
-    res.setHeader('X-RateLimit-Remaining', Math.max(0, rateCheck.remaining));
-
-    if (!rateCheck.allowed) {
-      return res.status(429).json({ error: 'Too many error reports. Please try again later.' });
+    // Determine if user is authenticated
+    const authHeader = req.headers.authorization;
+    const isAuthenticated = authHeader && authHeader.startsWith('Bearer ');
+    
+    // Choose appropriate limiter based on authentication status
+    const limiterId = isAuthenticated ? 'errorReportingAuthLimiter' : 'errorReportingAnonLimiter';
+    
+    // Perform rate limit check
+    let rateCheck;
+    try {
+      rateCheck = await rateLimiter.check(limiterId, { req });
+      
+      // Set rate limit headers to match current behavior
+      res.setHeader('X-RateLimit-Limit', rateCheck.limit.max);
+      res.setHeader('X-RateLimit-Remaining', Math.max(0, rateCheck.remaining));
+      
+      if (!rateCheck.allowed) {
+        return res.status(429).json({ 
+          error: 'Too many error reports. Please try again later.' 
+        });
+      }
+    } catch (rateLimitError) {
+      // If rate limiter fails, allow the request (fail open behavior)
+      console.error('[RateLimiter] Error checking rate limit:', rateLimitError);
+      // Continue with error logging without rate limiting
     }
 
     const config = await getConfig();
@@ -69,6 +38,20 @@ router.post('/error', async (req, res) => {
     }
 
     const body = req.body || {};
+    
+    // Extract user info for attribution (same as before)
+    let user = null;
+    if (isAuthenticated) {
+      try {
+        const token = authHeader.slice(7).trim();
+        const { verifyAccessToken } = require('../utils/jwt');
+        const decoded = verifyAccessToken(token);
+        user = { userId: decoded.userId, role: decoded.role };
+      } catch (e) {
+        // Invalid token, proceed as anonymous
+        console.error('[LogRoutes] Invalid token:', e.message);
+      }
+    }
 
     const event = {
       source: 'frontend',
@@ -78,9 +61,9 @@ router.post('/error', async (req, res) => {
       message: String(body.message || '').slice(0, 2000),
       stack: String(body.stack || '').slice(0, 5000),
       actor: {
-        userId: user?.userId,
-        role: user?.role,
-        ip,
+        userId: user?.userId || null,
+        role: user?.role || null,
+        ip: req.ip || req.headers['x-forwarded-for']?.split(',')[0]?.trim() || 'unknown',
         userAgent: req.headers['user-agent'],
       },
       request: {

package/src/routes/metrics.routes.js

@@ -2,8 +2,10 @@ const express = require('express');
 const router = express.Router();
 const metricsController = require('../controllers/metrics.controller');
 const asyncHandler = require('../utils/asyncHandler');
+const rateLimiter = require('../services/rateLimiter.service');
 
-router.post('/track', asyncHandler(metricsController.track));
-router.get('/impact', asyncHandler(metricsController.getImpact));
+// Add rate limiting to prevent abuse
+router.post('/track', rateLimiter.limit('metricsTrackLimiter'), asyncHandler(metricsController.track));
+router.get('/impact', rateLimiter.limit('metricsImpactLimiter'), asyncHandler(metricsController.getImpact));
 
 module.exports = router;

package/src/routes/orgAdmin.routes.js

@@ -6,9 +6,15 @@ const orgAdminController = require('../controllers/orgAdmin.controller');
 const asyncHandler = require('../utils/asyncHandler');
 
 router.get('/', basicAuth, asyncHandler(orgAdminController.listOrgs));
+router.post('/', basicAuth, asyncHandler(orgAdminController.createOrganization));
 router.get('/:orgId', basicAuth, asyncHandler(orgAdminController.getOrg));
+router.put('/:orgId', basicAuth, asyncHandler(orgAdminController.updateOrganization));
+router.patch('/:orgId/disable', basicAuth, asyncHandler(orgAdminController.disableOrganization));
+router.patch('/:orgId/enable', basicAuth, asyncHandler(orgAdminController.enableOrganization));
+router.delete('/:orgId', basicAuth, asyncHandler(orgAdminController.deleteOrganization));
 
 router.get('/:orgId/members', basicAuth, asyncHandler(orgAdminController.listMembers));
+router.post('/:orgId/members', basicAuth, asyncHandler(orgAdminController.addMember));
 router.patch('/:orgId/members/:memberId', basicAuth, asyncHandler(orgAdminController.updateMember));
 router.delete('/:orgId/members/:memberId', basicAuth, asyncHandler(orgAdminController.removeMember));
 

package/src/routes/pages.routes.js

@@ -0,0 +1,123 @@
+const express = require('express');
+const router = express.Router();
+const pagesService = require('../services/pages.service');
+const { basicAuth } = require('../middleware/auth');
+
+router.get('*', async (req, res, next) => {
+  try {
+    const pagesPrefix = req.app.get('pagesPrefix') || '/';
+    const adminPath = req.app.get('adminPath') || '/admin';
+    const routePath = req.path;
+
+    const draft = req.query?.draft === '1' || req.query?.draft === 'true';
+    const statuses = draft ? ['published', 'draft'] : ['published'];
+
+    if (draft) {
+      let nextCalled = false;
+      basicAuth(req, res, () => {
+        nextCalled = true;
+      });
+
+      // If basicAuth did not call next(), it likely ended the response.
+      if (!nextCalled) {
+        return;
+      }
+    }
+
+    const firstSegment = routePath.replace(/^\//, '').split('/')[0];
+    if (pagesService.isReservedSegment(firstSegment, adminPath)) {
+      return next();
+    }
+
+    const page = await pagesService.findPageByRoutePath(routePath, {
+      pagesPrefix,
+      tenantId: null,
+      includeGlobal: true,
+      statuses,
+    });
+
+    if (!page) {
+      return next();
+    }
+
+    const viewsRoot = req.app.get('views') || undefined;
+    const html = await pagesService.renderPage(page, { viewsRoot, req, res });
+    
+    if (!html || html.trim() === '') {
+      throw new Error('Page rendered as empty content');
+    }
+    
+    res.send(html);
+  } catch (err) {
+    if (err.code === 'NOT_FOUND') {
+      return next();
+    }
+    console.error(`[pages] render error for path ${req.path}:`, err);
+    
+    // Render a friendly error page if possible, otherwise send a simple message
+    try {
+      const errorHtml = `
+        <!DOCTYPE html>
+        <html>
+          <head>
+            <title>Page Rendering Error</title>
+            <script src="https://cdn.tailwindcss.com"></script>
+          </head>
+          <body class="bg-gray-50 flex items-center justify-center min-h-screen p-4 font-sans">
+            <div class="max-w-2xl w-full bg-white shadow-xl rounded-xl p-8 border-t-8 border-red-500">
+              <div class="flex items-center gap-4 mb-6">
+                <div class="bg-red-100 p-3 rounded-full">
+                  <svg class="w-8 h-8 text-red-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"></path>
+                  </svg>
+                </div>
+                <h1 class="text-3xl font-extrabold text-gray-900">Rendering Error</h1>
+              </div>
+              
+              <p class="text-lg text-gray-700 mb-6">
+                We encountered a technical issue while trying to display this page. 
+                This usually happens when a template or a content block is missing or contains an error.
+              </p>
+              
+              <div class="bg-red-50 border-l-4 border-red-400 p-4 mb-8">
+                <div class="flex">
+                  <div class="flex-shrink-0">
+                    <svg class="h-5 w-5 text-red-400" viewBox="0 0 20 20" fill="currentColor">
+                      <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z" clip-rule="evenodd" />
+                    </svg>
+                  </div>
+                  <div class="ml-3">
+                    <h3 class="text-sm font-medium text-red-800">Error Details</h3>
+                    <div class="mt-2 text-sm text-red-700">
+                      <p class="font-mono break-all">${err.message}</p>
+                    </div>
+                  </div>
+                </div>
+              </div>
+
+              <div class="flex flex-col sm:flex-row gap-4">
+                <a href="/" class="inline-flex items-center justify-center px-5 py-3 border border-transparent text-base font-medium rounded-md text-white bg-blue-600 hover:bg-blue-700 transition">
+                  Go to Homepage
+                </a>
+                <button onclick="window.location.reload()" class="inline-flex items-center justify-center px-5 py-3 border border-gray-300 text-base font-medium rounded-md text-gray-700 bg-white hover:bg-gray-50 transition">
+                  Try Again
+                </button>
+              </div>
+              
+              <div class="mt-10 pt-6 border-t border-gray-100">
+                <p class="text-sm text-gray-500">
+                  If you are the administrator, please check the server logs for more information.
+                </p>
+              </div>
+            </div>
+          </body>
+        </html>
+      `;
+      res.status(500).send(errorHtml);
+    } catch (e) {
+      res.status(500).send('Error rendering page and error page');
+    }
+  }
+});
+
+module.exports = router;

package/src/routes/proxy.routes.js

@@ -0,0 +1,46 @@
+const express = require('express');
+const router = express.Router();
+
+const { proxyRequest } = require('../services/proxy.service');
+
+function extractTargetUrl(req) {
+  const originalUrl = String(req.originalUrl || '');
+  const baseUrl = String(req.baseUrl || '');
+
+  const prefix = `${baseUrl}/`;
+  let remainder = originalUrl;
+  if (prefix && remainder.startsWith(prefix)) {
+    remainder = remainder.slice(prefix.length);
+  }
+
+  // remove any leading slash
+  remainder = remainder.replace(/^\//, '');
+
+  // remainder begins with the encoded/decoded target URL
+  return remainder;
+}
+
+router.all('/*', async (req, res) => {
+  try {
+    const targetUrl = extractTargetUrl(req);
+    req.proxyTargetUrl = targetUrl;
+
+    const result = await proxyRequest(req);
+
+    res.status(result.status);
+    const headers = result.headers && typeof result.headers === 'object' ? result.headers : {};
+    for (const [k, v] of Object.entries(headers)) {
+      if (v === undefined || v === null) continue;
+      try {
+        res.setHeader(k, v);
+      } catch {
+      }
+    }
+
+    return res.send(result.body);
+  } catch (e) {
+    return res.status(500).json({ error: 'Proxy failed' });
+  }
+});
+
+module.exports = router;

package/src/routes/rbac.routes.js

@@ -0,0 +1,47 @@
+const express = require('express');
+const router = express.Router();
+
+const { authenticate } = require('../middleware/auth');
+const rbacService = require('../services/rbac.service');
+
+router.get('/my-orgs', authenticate, async (req, res) => {
+  const orgIds = await rbacService.getUserOrgIds(req.user._id);
+  return res.json({ orgIds });
+});
+
+router.get('/my-rights', authenticate, async (req, res) => {
+  const { orgId } = req.query;
+  if (!orgId) {
+    return res.status(400).json({ error: 'orgId is required' });
+  }
+
+  const { grants, explain, orgMember } = await rbacService.getEffectiveGrants({ userId: req.user._id, orgId });
+  if (!orgMember) {
+    return res.status(403).json({ error: 'You are not a member of this organization' });
+  }
+
+  return res.json({
+    grants: grants.map((g) => ({
+      id: String(g._id),
+      right: g.right,
+      effect: g.effect,
+      subjectType: g.subjectType,
+      subjectId: String(g.subjectId),
+      scopeType: g.scopeType,
+      scopeId: g.scopeId ? String(g.scopeId) : null,
+    })),
+    explain,
+  });
+});
+
+router.post('/check', authenticate, async (req, res) => {
+  const { orgId, right } = req.body || {};
+  if (!orgId || !right) {
+    return res.status(400).json({ error: 'orgId and right are required' });
+  }
+
+  const result = await rbacService.checkRight({ userId: req.user._id, orgId, right });
+  return res.json({ allowed: result.allowed, reason: result.reason, decisionLayer: result.decisionLayer || null });
+});
+
+module.exports = router;

package/src/routes/uiComponentsPublic.routes.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+
+const uiComponentsPublicController = require('../controllers/uiComponentsPublic.controller');
+
+router.get('/projects/:projectId/manifest', uiComponentsPublicController.getManifest);
+router.get('/projects/:projectId/components/:code', uiComponentsPublicController.getComponent);
+
+module.exports = router;

package/src/routes/webhook.routes.js

@@ -3,6 +3,7 @@ const router = express.Router();
 const webhookController = require('../controllers/webhook.controller');
 const authMiddleware = require('../middleware/auth');
 const orgMiddleware = require('../middleware/org');
+const rateLimiter = require('../services/rateLimiter.service');
 
 // Webhook routes support both User (JWT) and SuperAdmin (Basic Auth)
 router.use((req, res, next) => {
@@ -27,6 +28,6 @@ router.post('/', webhookController.create);
 router.patch('/:id', webhookController.update);
 router.get('/:id/history', webhookController.getHistory);
 router.delete('/:id', webhookController.delete);
-router.post('/:id/test', webhookController.test);
+router.post('/:id/test', rateLimiter.limit('webhookTestLimiter'), webhookController.test);
 
 module.exports = router;

package/src/routes/workflows.routes.js

@@ -1,9 +1,13 @@
 const express = require('express');
 const router = express.Router();
+const { basicAuth } = require('../middleware/auth');
 const Workflow = require('../models/Workflow');
 const WorkflowExecution = require('../models/WorkflowExecution');
 const workflowService = require('../services/workflow.service');
 
+// Apply basic authentication to all workflows endpoints
+router.use(basicAuth);
+
 // List workflows
 router.get('/', async (req, res) => {
   const query = req.currentOrganization ? { organizationId: req.currentOrganization.id } : {};