npm - @intranefr/superbackend - Versions diffs - 1.5.0 → 1.5.1 - Mend

@intranefr/superbackend 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/.env.example +5 -0
package/README.md +11 -0
package/index.js +23 -0
package/package.json +7 -2
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +22 -5
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminHeadless.controller.js +9 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +93 -2
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +80 -0
package/src/middleware/internalCronAuth.js +29 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +756 -48
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminHeadless.routes.js +2 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminUiComponents.routes.js +2 -1
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +1 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +184 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +700 -0
package/src/services/consoleOverride.service.js +6 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +1 -1
package/src/services/uiComponentsAi.service.js +6 -19
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +29 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-file-manager.ejs +942 -0
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +163 -1
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +1 -1
package/views/admin-seo-config.ejs +61 -7
package/views/admin-ui-components.ejs +57 -25
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +11 -0
package/views/partials/llm-provider-model-picker.ejs +183 -0
package/src/routes/llmUi.routes.js +0 -26

package/src/controllers/healthChecksPublic.controller.js ADDED Viewed

@@ -0,0 +1,196 @@
+const HealthCheck = require('../models/HealthCheck');
+const HealthIncident = require('../models/HealthIncident');
+const globalSettingsService = require('../services/globalSettings.service');
+const PUBLIC_STATUS_SETTING_KEY = 'healthChecks.publicStatusEnabled';
+function escapeHtml(unsafe) {
+  return String(unsafe || '')
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+function renderHtml(payload) {
+  const status = payload.status || 'unknown';
+  const badgeClass = status === 'ok' ? 'badge-success' : status === 'degraded' ? 'badge-warning' : 'badge-error';
+  const checks = Array.isArray(payload.checks) ? payload.checks : [];
+  const bodyRows = checks.length > 0
+    ? checks
+        .map((c) => {
+          const cStatus = String(c.status || 'unknown');
+          const cBadgeClass = cStatus === 'healthy' ? 'badge-success' : cStatus === 'unhealthy' ? 'badge-error' : 'badge-ghost';
+          const incident = c.incident;
+          const incidentLabel = incident ? `${incident.status} (${incident.severity})` : '-';
+          return `
+        <tr>
+          <td class="font-medium">${escapeHtml(c.name)}</td>
+          <td><span class="badge ${cBadgeClass}">${escapeHtml(cStatus)}</span></td>
+          <td class="text-slate-500">${c.lastRunAt ? new Date(c.lastRunAt).toLocaleString() : '-'}</td>
+          <td class="text-slate-500">${c.lastLatencyMs != null ? escapeHtml(String(c.lastLatencyMs)) + ' ms' : '-'}</td>
+          <td class="text-xs">${escapeHtml(incidentLabel)}</td>
+        </tr>`;
+        })
+        .join('')
+    : '<tr><td colspan="5" class="text-slate-500 text-center">No checks found</td></tr>';
+  return `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Health Checks Status</title>
+    <script src="https://cdn.tailwindcss.com"></script>
+    <link href="https://cdn.jsdelivr.net/npm/daisyui@4.12.10/dist/full.min.css" rel="stylesheet" type="text/css" />
+  </head>
+  <body class="bg-slate-50">
+    <div class="max-w-5xl mx-auto px-6 py-8">
+      <div class="flex items-start justify-between gap-4">
+        <div>
+          <h1 class="text-2xl font-semibold text-slate-900">Health Checks</h1>
+          <div class="text-sm text-slate-500">Public status summary</div>
+        </div>
+        <div class="text-right">
+          <div class="text-sm text-slate-500">Overall</div>
+          <div class="badge ${badgeClass} badge-lg">${escapeHtml(status)}</div>
+          <div class="text-xs text-slate-500 mt-1">Updated: ${escapeHtml(payload.updatedAt || '')}</div>
+        </div>
+      </div>
+      <div class="mt-6 grid grid-cols-2 gap-3">
+        <div class="card bg-white border border-slate-200">
+          <div class="card-body py-4">
+            <div class="text-sm text-slate-500">Total checks</div>
+            <div class="text-xl font-semibold">${payload.totalChecks || 0}</div>
+          </div>
+        </div>
+        <div class="card bg-white border border-slate-200">
+          <div class="card-body py-4">
+            <div class="text-sm text-slate-500">Unhealthy</div>
+            <div class="text-xl font-semibold">${payload.unhealthyCount || 0}</div>
+          </div>
+        </div>
+      </div>
+      <div class="mt-6 card bg-white border border-slate-200">
+        <div class="card-body p-0">
+          <div class="overflow-x-auto">
+            <table class="table table-zebra w-full">
+              <thead>
+                <tr>
+                  <th>Name</th>
+                  <th>Status</th>
+                  <th>Last run</th>
+                  <th>Latency</th>
+                  <th>Incident</th>
+                </tr>
+              </thead>
+              <tbody>
+                ${bodyRows}
+              </tbody>
+            </table>
+          </div>
+        </div>
+      </div>
+      <div class="mt-4 text-xs text-slate-500">
+        Tip: add <code class="px-1 py-0.5 bg-slate-100 rounded">/json</code> to the URL for JSON format.
+      </div>
+    </div>
+  </body>
+</html>`;
+}
+async function computeStatusPayload() {
+  const checks = await HealthCheck.find({ enabled: true }).sort({ name: 1 }).lean();
+  const checkIds = checks.map((c) => String(c._id));
+  const incidents = await HealthIncident.find({
+    healthCheckId: { $in: checkIds },
+    status: { $in: ['open', 'acknowledged'] },
+  }).lean();
+  const incidentMap = {};
+  for (const incident of incidents) {
+    if (!incidentMap[incident.healthCheckId]) {
+      incidentMap[incident.healthCheckId] = incident;
+    }
+  }
+  const summaries = checks.map((check) => {
+    const incident = incidentMap[String(check._id)];
+    return {
+      id: String(check._id),
+      name: check.name,
+      status: incident ? incident.status : (check.lastStatus || 'unknown'),
+      lastRunAt: check.lastRunAt || null,
+      lastLatencyMs: check.lastLatencyMs || null,
+      incident: incident
+        ? {
+            id: String(incident._id),
+            status: incident.status,
+            severity: incident.severity,
+            openedAt: incident.openedAt,
+            lastSeenAt: incident.lastSeenAt,
+          }
+        : null,
+    };
+  });
+  const unhealthyCount = summaries.filter((s) => s.status === 'unhealthy' || s.incident).length;
+  const overallStatus = unhealthyCount > 0 ? 'degraded' : 'ok';
+  return {
+    ok: overallStatus === 'ok',
+    status: overallStatus,
+    updatedAt: new Date().toISOString(),
+    totalChecks: summaries.length,
+    unhealthyCount,
+    checks: summaries,
+  };
+}
+exports.getStatus = async (req, res) => {
+  try {
+    const raw = await globalSettingsService.getSettingValue(PUBLIC_STATUS_SETTING_KEY, 'false');
+    const enabled = String(raw) === 'true';
+    if (!enabled) {
+      return res.status(404).json({ error: 'Not found' });
+    }
+    const payload = await computeStatusPayload();
+    const html = renderHtml(payload);
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    return res.status(200).send(html);
+  } catch (error) {
+    console.error('Failed to compute health checks status:', error);
+    return res.status(500).json({ error: 'Failed to compute status' });
+  }
+};
+exports.getStatusJson = async (req, res) => {
+  try {
+    const raw = await globalSettingsService.getSettingValue(PUBLIC_STATUS_SETTING_KEY, 'false');
+    const enabled = String(raw) === 'true';
+    if (!enabled) {
+      return res.status(404).json({ error: 'Not found' });
+    }
+    const payload = await computeStatusPayload();
+    return res.json(payload);
+  } catch (error) {
+    console.error('Failed to compute health checks status json:', error);
+    return res.status(500).json({ error: 'Failed to compute status' });
+  }
+};

package/src/controllers/metrics.controller.js CHANGED Viewed

@@ -55,14 +55,35 @@ async function tryAttachUser(req) {
 exports.track = async (req, res) => {
   try {
+    // Validate request size to prevent abuse
+    const contentLength = req.headers['content-length'];
+    if (contentLength && parseInt(contentLength) > 1024 * 10) { // 10KB limit
+      return res.status(413).json({ error: 'Request too large' });
+    }
     await tryAttachUser(req);
     const action = String(req.body?.action || '').trim();
     const meta = req.body?.meta ?? null;
+    // Validate action field
     if (!action) {
       return res.status(400).json({ error: 'action is required' });
     }
+    if (action.length > 100) {
+      return res.status(400).json({ error: 'action too long (max 100 characters)' });
+    }
+    // Validate action format (allow only alphanumeric, underscores, hyphens, dots)
+    if (!/^[a-zA-Z0-9._-]+$/.test(action)) {
+      return res.status(400).json({ error: 'invalid action format' });
+    }
+    // Validate meta size
+    if (meta && JSON.stringify(meta).length > 1024 * 5) { // 5KB limit
+      return res.status(400).json({ error: 'meta data too large' });
+    }
     let actorType = 'anonymous';
     let actorId = getAnonId(req);
@@ -98,12 +119,48 @@ exports.track = async (req, res) => {
 exports.getImpact = async (req, res) => {
   try {
-    const { start, end } = getMonthRange(new Date());
+    // Validate query parameters
+    const { start, end } = req.query;
+    // Allow custom time ranges but restrict to reasonable limits
+    let startTime, endTime;
+    if (start || end) {
+      // Parse custom range if provided
+      startTime = start ? new Date(start) : null;
+      endTime = end ? new Date(end) : null;
+      // Validate dates
+      if ((start && isNaN(startTime.getTime())) || (end && isNaN(endTime.getTime()))) {
+        return res.status(400).json({ error: 'Invalid date format' });
+      }
+      // Restrict range to maximum 1 year
+      if (startTime && endTime) {
+        const rangeMs = endTime.getTime() - startTime.getTime();
+        const maxRangeMs = 365 * 24 * 60 * 60 * 1000; // 1 year
+        if (rangeMs > maxRangeMs) {
+          return res.status(400).json({ error: 'Time range too large (max 1 year)' });
+        }
+      }
+      // Default to current month if range is incomplete
+      if (!startTime || !endTime) {
+        const currentMonth = getMonthRange(new Date());
+        startTime = startTime || currentMonth.start;
+        endTime = endTime || currentMonth.end;
+      }
+    } else {
+      // Default to current month
+      const currentMonth = getMonthRange(new Date());
+      startTime = currentMonth.start;
+      endTime = currentMonth.end;
+    }
     const activeActorsAgg = await ActionEvent.aggregate([
       {
         $match: {
-          createdAt: { $gte: start, $lt: end },
+          createdAt: { $gte: startTime, $lt: endTime },
           actorType: { $in: ['user', 'anonymous'] },
         },
       },
@@ -122,7 +179,7 @@ exports.getImpact = async (req, res) => {
     const servicesConsulted = await ActionEvent.countDocuments({
       action: 'service_view',
-      createdAt: { $gte: start, $lt: end },
+      createdAt: { $gte: startTime, $lt: endTime },
     });
     const newsletterSetting = await GlobalSetting.findOne({ key: 'newsletter_list' }).lean();
@@ -136,8 +193,11 @@ exports.getImpact = async (req, res) => {
       }
     }
+    // Add cache headers for better performance
+    res.set('Cache-Control', 'public, max-age=300'); // 5 minutes cache
     return res.json({
-      range: { start: start.toISOString(), end: end.toISOString() },
+      range: { start: startTime.toISOString(), end: endTime.toISOString() },
       activeUsers,
       servicesConsulted,
       newsletterSubscribers,

package/src/controllers/orgAdmin.controller.js CHANGED Viewed

@@ -270,6 +270,86 @@ exports.removeMember = async (req, res) => {
   }
 };
+exports.addMember = async (req, res) => {
+  try {
+    const { orgId } = req.params;
+    const { userId, role } = req.body;
+    if (!orgId || !mongoose.Types.ObjectId.isValid(String(orgId))) {
+      return res.status(400).json({ error: 'Invalid organization ID' });
+    }
+    if (!userId || !mongoose.Types.ObjectId.isValid(String(userId))) {
+      return res.status(400).json({ error: 'Invalid user ID' });
+    }
+    // Validate role
+    const defaultRole = await getDefaultOrgRole();
+    const memberRole = role || defaultRole;
+    if (!(await isValidOrgRole(memberRole))) {
+      const allowed = await getAllowedOrgRoles();
+      return res.status(400).json({ error: 'Invalid role', allowedRoles: allowed });
+    }
+    // Check if organization exists
+    const org = await Organization.findById(orgId);
+    if (!org) {
+      return res.status(404).json({ error: 'Organization not found' });
+    }
+    // Check if user exists
+    const user = await User.findById(userId);
+    if (!user) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    // Check if user is already a member
+    const existingMember = await OrganizationMember.findOne({
+      orgId,
+      userId,
+      status: { $in: ['active', 'removed'] }
+    });
+    if (existingMember) {
+      if (existingMember.status === 'active') {
+        return res.status(409).json({ error: 'User is already a member of this organization' });
+      } else {
+        // Reactivate removed member
+        existingMember.status = 'active';
+        existingMember.role = memberRole;
+        existingMember.addedByUserId = req.user?.id || org.ownerUserId;
+        await existingMember.save();
+        return res.json({
+          message: 'Member reactivated successfully',
+          member: existingMember.toObject()
+        });
+      }
+    }
+    // Create new member
+    const member = await OrganizationMember.create({
+      orgId,
+      userId,
+      role: memberRole,
+      status: 'active',
+      addedByUserId: req.user?.id || org.ownerUserId,
+    });
+    // Populate user data for response
+    const populatedMember = await OrganizationMember.findById(member._id)
+      .populate('userId', 'email name')
+      .lean();
+    return res.status(201).json({
+      message: 'Member added successfully',
+      member: populatedMember
+    });
+  } catch (error) {
+    console.error('Admin org member add error:', error);
+    return res.status(500).json({ error: 'Failed to add member' });
+  }
+};
 exports.listInvites = async (req, res) => {
   try {
     const { orgId } = req.params;

package/src/middleware/internalCronAuth.js ADDED Viewed

@@ -0,0 +1,29 @@
+const globalSettingsService = require('../services/globalSettings.service');
+const { INTERNAL_CRON_TOKEN_SETTING_KEY } = require('../services/blogCronsBootstrap.service');
+async function requireInternalCronToken(req, res, next) {
+  try {
+    const header = String(req.headers.authorization || '');
+    if (!header.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+    const token = header.slice('Bearer '.length).trim();
+    const expected = String(
+      await globalSettingsService.getSettingValue(INTERNAL_CRON_TOKEN_SETTING_KEY, ''),
+    ).trim();
+    if (!expected || token !== expected) {
+      return res.status(403).json({ error: 'Forbidden' });
+    }
+    next();
+  } catch (error) {
+    console.error('internal cron auth error:', error);
+    res.status(500).json({ error: 'Internal auth failed' });
+  }
+}
+module.exports = {
+  requireInternalCronToken,
+};

package/src/middleware/rbac.js ADDED Viewed

@@ -0,0 +1,62 @@
+const rbacService = require('../services/rbac.service');
+function isBasicAuthSuperAdmin(req) {
+  const authHeader = req.headers?.authorization || '';
+  if (!authHeader.startsWith('Basic ')) return false;
+  try {
+    const credentials = Buffer.from(authHeader.substring(6), 'base64').toString('utf-8');
+    const [username, password] = credentials.split(':');
+    const adminUsername = process.env.ADMIN_USERNAME || 'admin';
+    const adminPassword = process.env.ADMIN_PASSWORD || 'admin';
+    return username === adminUsername && password === adminPassword;
+  } catch (e) {
+    return false;
+  }
+}
+function requireRight(requiredRight, options = {}) {
+  const getOrgId = options.getOrgId || ((req) => req.params?.orgId || req.query?.orgId || req.body?.orgId);
+  return async (req, res, next) => {
+    try {
+      if (isBasicAuthSuperAdmin(req)) {
+        return next();
+      }
+      if (!req.user) {
+        return res.status(401).json({ error: 'Authentication required' });
+      }
+      const orgId = getOrgId(req);
+      if (!orgId) {
+        return res.status(400).json({ error: 'orgId is required for RBAC checks' });
+      }
+      const result = await rbacService.checkRight({
+        userId: req.user._id,
+        orgId,
+        right: requiredRight,
+      });
+      if (!result.allowed) {
+        return res.status(403).json({
+          error: 'Access denied',
+          reason: result.reason,
+        });
+      }
+      return next();
+    } catch (error) {
+      console.error('RBAC requireRight error:', error);
+      return res.status(500).json({ error: 'Failed to evaluate RBAC rights' });
+    }
+  };
+}
+module.exports = {
+  requireRight,
+  isBasicAuthSuperAdmin,
+};