@jazzmind/busibox-app 3.0.18 → 3.0.19

package/dist/lib/auth/sso.js

@@ -1,282 +0,0 @@
-/**
- * SSO Authentication Library (Zero Trust JWKS)
- *
- * Validates RS256 JWT tokens issued by authz service via JWKS.
- * This is the standard authentication method for Busibox apps.
- *
- * Token Flow:
- * 1. User clicks app in Busibox Portal
- * 2. Busibox Portal exchanges user's session JWT for app-scoped token via authz
- * 3. authz verifies user has app access via RBAC bindings
- * 4. authz issues RS256 token with app_id claim and user's roles
- * 5. App validates token via authz JWKS endpoint
- *
- * Token validation is done via authz JWKS endpoint - no shared secrets needed.
- *
- * @example
- * ```typescript
- * import { validateSSOToken, createSessionFromSSO } from '@jazzmind/busibox-app/lib/auth';
- *
- * const validation = await validateSSOToken(token);
- * if (validation.valid) {
- *   const session = createSessionFromSSO(validation);
- * }
- * ```
- */
-import * as jose from "jose";
-// Default configuration from environment
-const getDefaultAuthzUrl = () => process.env.AUTHZ_BASE_URL || "http://authz-api:8010";
-const getDefaultAppName = () => process.env.APP_NAME || "app";
-const DEFAULT_ISSUER = "busibox-authz";
-// Cache JWKS for performance (keyed by authz URL)
-const jwksCache = new Map();
-const JWKS_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
-// ============================================================================
-// JWKS Verification
-// ============================================================================
-/**
- * Get or create JWKS verifier from authz service
- */
-async function getJwksVerifier(authzUrl) {
-    const now = Date.now();
-    const cached = jwksCache.get(authzUrl);
-    // Return cached JWKS if still valid
-    if (cached && now - cached.time < JWKS_CACHE_TTL) {
-        return cached.verifier;
-    }
-    // Fetch fresh JWKS from authz
-    const jwksUrl = new URL("/.well-known/jwks.json", authzUrl);
-    console.log("[SSO] Fetching JWKS from:", jwksUrl.toString());
-    const verifier = jose.createRemoteJWKSet(jwksUrl);
-    jwksCache.set(authzUrl, { verifier, time: now });
-    return verifier;
-}
-/**
- * Invalidate JWKS cache (call this if key rotation is detected)
- */
-export function invalidateJwksCache(authzUrl) {
-    if (authzUrl) {
-        jwksCache.delete(authzUrl);
-    }
-    else {
-        jwksCache.clear();
-    }
-}
-// ============================================================================
-// Token Validation
-// ============================================================================
-/**
- * Validate app-scoped token from authz
- *
- * Token is RS256 signed by authz. We verify using authz JWKS endpoint.
- * No shared secrets needed - asymmetric verification.
- *
- * Handles multiple audience formats robustly:
- * - Short app IDs (e.g., "estimator", "dredge-estimator")
- * - Display names (e.g., "Dredging Cost Estimator")
- * - Explicit path/ID audiences (e.g., "projects", "busibox-projects")
- *
- * @param token - JWT token string
- * @param options - Validation options (authzUrl, appName, issuer)
- * @returns Validation result with user info or error
- *
- * @example
- * ```typescript
- * // Using environment variables
- * const result = await validateSSOToken(token);
- *
- * // With explicit options
- * const result = await validateSSOToken(token, {
- *   authzUrl: 'http://authz:8010',
- *   appName: 'My App',
- * });
- * ```
- */
-export async function validateSSOToken(token, options) {
-    const authzUrl = options?.authzUrl || getDefaultAuthzUrl();
-    const appName = options?.appName || getDefaultAppName();
-    const issuer = options?.issuer || DEFAULT_ISSUER;
-    try {
-        const jwks = await getJwksVerifier(authzUrl);
-        console.log(`[SSO] Validating token with expected audience: "${appName}"`);
-        // Debug: Log current time vs token expiration
-        try {
-            const parts = token.split('.');
-            if (parts.length === 3) {
-                const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
-                const now = Math.floor(Date.now() / 1000);
-                const exp = payload.exp;
-                const iat = payload.iat;
-                console.log(`[SSO] Token timing - Now: ${now}, Issued: ${iat}, Expires: ${exp}, Age: ${now - iat}s, TTL: ${exp - now}s`);
-            }
-        }
-        catch (e) {
-            // Ignore parsing errors
-        }
-        // Verify and decode token WITHOUT strict audience check
-        // We'll validate audience manually for more flexibility
-        // Add clock tolerance to handle clock skew between services
-        const { payload } = await jose.jwtVerify(token, jwks, {
-            issuer,
-            clockTolerance: 60, // Allow 60 seconds clock skew
-            // Don't enforce audience in jwtVerify - we'll check manually
-        });
-        const appToken = payload;
-        // Manual audience validation with flexible matching
-        const tokenAud = appToken.aud;
-        // Build list of acceptable audiences for this app.
-        // Security: do not include global legacy wildcards like "Busibox App".
-        const acceptedAudiences = [];
-        const addAudience = (value) => {
-            const normalized = (value || "").trim();
-            if (!normalized)
-                return;
-            if (!acceptedAudiences.some((aud) => aud.toLowerCase() === normalized.toLowerCase())) {
-                acceptedAudiences.push(normalized);
-            }
-        };
-        // Primary configured app name
-        addAudience(appName);
-        // Explicit audience override(s), from options or env (comma-separated)
-        const ssoAudienceConfig = options?.ssoAudience || process.env.SSO_AUDIENCE || "";
-        for (const value of ssoAudienceConfig.split(",")) {
-            addAudience(value);
-        }
-        // Deployed path audience fallback (portal often uses this format)
-        const basePath = process.env.NEXT_PUBLIC_BASE_PATH || "";
-        if (basePath) {
-            addAudience(basePath.replace(/^\//, "").toLowerCase());
-        }
-        // Common variations based on appName
-        if (appName) {
-            addAudience(appName.toLowerCase().replace(/\s+/g, "-"));
-            addAudience(appName
-                .split(/[-_\s]+/)
-                .map((word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase())
-                .join(" "));
-        }
-        // Check if token audience matches any accepted audience
-        const audMatch = acceptedAudiences.some(aud => {
-            // Exact match
-            if (tokenAud === aud)
-                return true;
-            // Case-insensitive match
-            if (typeof tokenAud === 'string' && tokenAud.toLowerCase() === aud.toLowerCase())
-                return true;
-            // Array of audiences (token can have multiple audiences)
-            if (Array.isArray(tokenAud) && tokenAud.some(a => a === aud || (typeof a === 'string' && a.toLowerCase() === aud.toLowerCase())))
-                return true;
-            return false;
-        });
-        if (!audMatch) {
-            console.error(`[SSO] Token audience mismatch. Expected one of:`, acceptedAudiences, `Got:`, tokenAud);
-            // Create a proper error without using JWTClaimValidationFailed constructor directly
-            const error = new Error('Token audience validation failed');
-            error.name = 'JWTClaimValidationFailed';
-            throw error;
-        }
-        console.log(`[SSO] Token audience validated:`, tokenAud);
-        // Extract email from various possible claims
-        // Session tokens include 'email', access tokens may not
-        const email = appToken.email ||
-            appToken.preferred_username ||
-            appToken.name ||
-            ''; // Empty if not found
-        console.log('[SSO] Token claims:', {
-            sub: appToken.sub,
-            email: appToken.email,
-            preferred_username: appToken.preferred_username,
-            name: appToken.name,
-            roles: appToken.roles?.map((r) => r.name),
-        });
-        // Token is valid - extract user info including profile fields
-        return {
-            valid: true,
-            userId: appToken.sub,
-            email,
-            roles: appToken.roles?.map((r) => r.name) || [],
-            appId: appToken.app_id,
-            scopes: appToken.scope?.split(" ").filter(Boolean) || [],
-            displayName: appToken.name || undefined,
-            firstName: appToken.given_name || undefined,
-            lastName: appToken.family_name || undefined,
-            avatarUrl: appToken.picture || undefined,
-            favoriteColor: appToken.favorite_color || undefined,
-        };
-    }
-    catch (error) {
-        console.error("[SSO] Token validation error:", error);
-        let errorMessage = "Invalid token";
-        if (error instanceof jose.errors.JWTExpired) {
-            errorMessage = "Token expired";
-        }
-        else if (error instanceof jose.errors.JWTClaimValidationFailed) {
-            errorMessage = "Token claims validation failed";
-        }
-        else if (error instanceof jose.errors.JWSSignatureVerificationFailed) {
-            errorMessage = "Token signature verification failed";
-            // Invalidate cache in case of key rotation
-            invalidateJwksCache(authzUrl);
-        }
-        return {
-            valid: false,
-            error: errorMessage,
-        };
-    }
-}
-/**
- * Full validation - validates the token via JWKS
- * @deprecated Use validateSSOToken instead
- */
-export async function validateSSOTokenFull(token, options) {
-    return validateSSOToken(token, options);
-}
-// ============================================================================
-// Session Management Helpers
-// ============================================================================
-/**
- * Create session data from validated SSO token
- *
- * @param validation - Result from validateSSOToken
- * @returns Session data object
- * @throws Error if validation result is invalid
- */
-export function createSessionFromSSO(validation) {
-    if (!validation.valid || !validation.userId) {
-        throw new Error("Invalid SSO validation result");
-    }
-    return {
-        userId: validation.userId,
-        email: validation.email || "",
-        roles: validation.roles || [],
-        appId: validation.appId || "",
-        scopes: validation.scopes || [],
-        authenticatedAt: new Date().toISOString(),
-        authMethod: "sso",
-        // Profile fields from JWT claims
-        displayName: validation.displayName,
-        firstName: validation.firstName,
-        lastName: validation.lastName,
-        avatarUrl: validation.avatarUrl,
-        favoriteColor: validation.favoriteColor,
-    };
-}
-/**
- * Check if session has specific role
- */
-export function hasSessionRole(session, roleName) {
-    return session.roles?.includes(roleName) || false;
-}
-/**
- * Check if session has specific scope
- */
-export function hasSessionScope(session, scope) {
-    return session.scopes?.includes(scope) || false;
-}
-/**
- * Check if session user is admin
- */
-export function isSessionAdmin(session) {
-    return hasSessionRole(session, "Admin") || hasSessionRole(session, "admin");
-}
-//# sourceMappingURL=sso.js.map

package/dist/lib/auth/sso.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sso.js","sourceRoot":"","sources":["../../../src/lib/auth/sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAoB7B,yCAAyC;AACzC,MAAM,kBAAkB,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,uBAAuB,CAAC;AACvF,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC;AAC9D,MAAM,cAAc,GAAG,eAAe,CAAC;AAEvC,kDAAkD;AAClD,MAAM,SAAS,GAAkE,IAAI,GAAG,EAAE,CAAC;AAC3F,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAmElD,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,QAAgB;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAEvC,oCAAoC;IACpC,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,IAAI,GAAG,cAAc,EAAE,CAAC;QACjD,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAED,8BAA8B;IAC9B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,wBAAwB,EAAE,QAAQ,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAClD,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAEjD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAiB;IACnD,IAAI,QAAQ,EAAE,CAAC;QACb,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa,EACb,OAA8B;IAE9B,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,kBAAkB,EAAE,CAAC;IAC3D,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,CAAC;IACxD,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,cAAc,CAAC;IAEjD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAE7C,OAAO,CAAC,GAAG,CAAC,mDAAmD,OAAO,GAAG,CAAC,CAAC;QAE3E,8CAA8C;QAC9C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACvE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;gBACxB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,6BAA6B,GAAG,aAAa,GAAG,cAAc,GAAG,UAAU,GAAG,GAAG,GAAG,WAAW,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC;YAC3H,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,wBAAwB;QAC1B,CAAC;QAED,wDAAwD;QACxD,wDAAwD;QACxD,4DAA4D;QAC5D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;YACpD,MAAM;YACN,cAAc,EAAE,EAAE,EAAE,8BAA8B;YAClD,6DAA6D;SAC9D,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,OAAqC,CAAC;QAEvD,oDAAoD;QACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC;QAE9B,mDAAmD;QACnD,uEAAuE;QACvE,MAAM,iBAAiB,GAAa,EAAE,CAAC;QACvC,MAAM,WAAW,GAAG,CAAC,KAAgC,EAAQ,EAAE;YAC7D,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACxC,IAAI,CAAC,UAAU;gBAAE,OAAO;YACxB,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACrF,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACrC,CAAC;QACH,CAAC,CAAC;QAEF,8BAA8B;QAC9B,WAAW,CAAC,OAAO,CAAC,CAAC;QAErB,uEAAuE;QACvE,MAAM,iBAAiB,GAAG,OAAO,EAAE,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QACjF,KAAK,MAAM,KAAK,IAAI,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,WAAW,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QAED,kEAAkE;QAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QACzD,IAAI,QAAQ,EAAE,CAAC;YACb,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,EAAE,CAAC;YACZ,WAAW,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;YACxD,WAAW,CACT,OAAO;iBACJ,KAAK,CAAC,SAAS,CAAC;iBAChB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;iBACzE,IAAI,CAAC,GAAG,CAAC,CACb,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;YAC5C,cAAc;YACd,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAElC,yBAAyB;YACzB,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE;gBAAE,OAAO,IAAI,CAAC;YAE9F,yDAAyD;YACzD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE,CAAC,CAC9E;gBAAE,OAAO,IAAI,CAAC;YAEf,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,KAAK,CAAC,iDAAiD,EAAE,iBAAiB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACtG,oFAAoF;YACpF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;YAC5D,KAAK,CAAC,IAAI,GAAG,0BAA0B,CAAC;YACxC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,QAAQ,CAAC,CAAC;QAEzD,6CAA6C;QAC7C,wDAAwD;QACxD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK;YACd,QAAQ,CAAC,kBAAkB;YAC3B,QAAQ,CAAC,IAAI;YACb,EAAE,CAAC,CAAC,qBAAqB;QAEvC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE;YACjC,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;YAC/C,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;SAC1C,CAAC,CAAC;QAEH,8DAA8D;QAC9D,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,KAAK;YACL,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,MAAM,EAAE,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE;YACxD,WAAW,EAAE,QAAQ,CAAC,IAAI,IAAI,SAAS;YACvC,SAAS,EAAE,QAAQ,CAAC,UAAU,IAAI,SAAS;YAC3C,QAAQ,EAAE,QAAQ,CAAC,WAAW,IAAI,SAAS;YAC3C,SAAS,EAAE,QAAQ,CAAC,OAAO,IAAI,SAAS;YACxC,aAAa,EAAE,QAAQ,CAAC,cAAc,IAAI,SAAS;SACpD,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;QAEtD,IAAI,YAAY,GAAG,eAAe,CAAC;QACnC,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC5C,YAAY,GAAG,eAAe,CAAC;QACjC,CAAC;aAAM,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YACjE,YAAY,GAAG,gCAAgC,CAAC;QAClD,CAAC;aAAM,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAAC;YACvE,YAAY,GAAG,qCAAqC,CAAC;YACrD,2CAA2C;YAC3C,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,YAAY;SACpB,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAa,EACb,OAA8B;IAE9B,OAAO,gBAAgB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAA+B;IAE/B,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,OAAO;QACL,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,EAAE;QAC7B,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,EAAE;QAC7B,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,EAAE;QAC7B,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,EAAE;QAC/B,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACzC,UAAU,EAAE,KAAK;QACjB,iCAAiC;QACjC,WAAW,EAAE,UAAU,CAAC,WAAW;QACnC,SAAS,EAAE,UAAU,CAAC,SAAS;QAC/B,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,SAAS,EAAE,UAAU,CAAC,SAAS;QAC/B,aAAa,EAAE,UAAU,CAAC,aAAa;KACxC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,OAA6B,EAC7B,QAAgB;IAEhB,OAAO,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,OAA8B,EAC9B,KAAa;IAEb,OAAO,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAA6B;IAC1D,OAAO,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AAC9E,CAAC"}

package/dist/lib/authz/email.d.ts

@@ -1,65 +0,0 @@
-/**
- * Email Sending — Bridge API Client
- *
- * All outbound email is delegated to the Bridge API service.
- * Busibox Portal no longer holds SMTP or Resend secrets.
- *
- * Bridge API endpoints (internal network, no auth required):
- *   POST /api/v1/email/send-magic-link        — magic link + TOTP code
- *   POST /api/v1/email/send-magic-link-simple  — simple magic link
- *   POST /api/v1/email/send                    — generic email
- *   POST /api/v1/email/send-welcome            — welcome email
- *   POST /api/v1/email/send-account-deactivated
- *   POST /api/v1/email/send-account-reactivated
- *   POST /api/v1/email/test                    — test email
- */
-/**
- * Send a magic-link + TOTP code email via Bridge API.
- */
-export declare function sendMagicLinkWithCodeEmail(email: string, magicLinkUrl: string, totpCode: string): Promise<{
-    data: any;
-    error: null;
-}>;
-/**
- * Send a simple magic-link email (no TOTP) via Bridge API.
- */
-export declare function sendMagicLinkEmail(email: string, magicLinkUrl: string): Promise<{
-    data: any;
-    error: null;
-}>;
-/**
- * Send a welcome email via Bridge API.
- */
-export declare function sendWelcomeEmail(email: string, userName?: string): Promise<{
-    data: any;
-    error: null;
-}>;
-/**
- * Send an account-deactivated email via Bridge API.
- */
-export declare function sendAccountDeactivatedEmail(email: string): Promise<{
-    data: any;
-    error: null;
-}>;
-/**
- * Send an account-reactivated email via Bridge API.
- */
-export declare function sendAccountReactivatedEmail(email: string): Promise<{
-    data: any;
-    error: null;
-}>;
-/**
- * Send a test email via Bridge API.
- * Returns the provider that was used.
- */
-export declare function sendTestEmail(to: string): Promise<{
-    provider: string;
-}>;
-/**
- * Send a generic email via Bridge API.
- */
-export declare function sendEmail(to: string, subject: string, html: string, text: string): Promise<{
-    data: any;
-    error: null;
-}>;
-//# sourceMappingURL=email.d.ts.map

package/dist/lib/authz/email.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../../../src/lib/authz/email.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAiCH;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM;;;GASjB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM;;;GAO3E;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;;;GAStE;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAAC,KAAK,EAAE,MAAM;;;GAK9D;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAAC,KAAK,EAAE,MAAM;;;GAQ9D;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAM7E;AAED;;GAEG;AACH,wBAAsB,SAAS,CAC7B,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM;;;GAIb"}

package/dist/lib/authz/email.js

@@ -1,112 +0,0 @@
-/**
- * Email Sending — Bridge API Client
- *
- * All outbound email is delegated to the Bridge API service.
- * Busibox Portal no longer holds SMTP or Resend secrets.
- *
- * Bridge API endpoints (internal network, no auth required):
- *   POST /api/v1/email/send-magic-link        — magic link + TOTP code
- *   POST /api/v1/email/send-magic-link-simple  — simple magic link
- *   POST /api/v1/email/send                    — generic email
- *   POST /api/v1/email/send-welcome            — welcome email
- *   POST /api/v1/email/send-account-deactivated
- *   POST /api/v1/email/send-account-reactivated
- *   POST /api/v1/email/test                    — test email
- */
-import { getBridgeApiUrl } from '../next/api-url';
-// ---------------------------------------------------------------------------
-// Low-level bridge call
-// ---------------------------------------------------------------------------
-async function bridgePost(path, body) {
-    const url = `${getBridgeApiUrl()}${path}`;
-    const resp = await fetch(url, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(body),
-    });
-    if (!resp.ok) {
-        const text = await resp.text().catch(() => '');
-        let detail = text;
-        try {
-            const json = JSON.parse(text);
-            detail = json.detail || json.error || text;
-        }
-        catch { /* use raw text */ }
-        throw new Error(`Bridge API ${resp.status} ${path}: ${detail}`);
-    }
-    return resp.json();
-}
-// ---------------------------------------------------------------------------
-// Public API — mirrors the old email.ts exports
-// ---------------------------------------------------------------------------
-/**
- * Send a magic-link + TOTP code email via Bridge API.
- */
-export async function sendMagicLinkWithCodeEmail(email, magicLinkUrl, totpCode) {
-    console.log('[EMAIL] Sending magic link + TOTP via Bridge API for', email);
-    const result = await bridgePost('/api/v1/email/send-magic-link', {
-        to: email,
-        magic_link_url: magicLinkUrl,
-        totp_code: totpCode,
-    });
-    return { data: result, error: null };
-}
-/**
- * Send a simple magic-link email (no TOTP) via Bridge API.
- */
-export async function sendMagicLinkEmail(email, magicLinkUrl) {
-    console.log('[EMAIL] Sending magic link via Bridge API for', email);
-    const result = await bridgePost('/api/v1/email/send-magic-link-simple', {
-        to: email,
-        magic_link_url: magicLinkUrl,
-    });
-    return { data: result, error: null };
-}
-/**
- * Send a welcome email via Bridge API.
- */
-export async function sendWelcomeEmail(email, userName) {
-    const portalUrl = process.env.APP_URL || process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000';
-    const result = await bridgePost('/api/v1/email/send-welcome', {
-        to: email,
-        user_name: userName || null,
-        portal_url: portalUrl,
-    });
-    return { data: result, error: null };
-}
-/**
- * Send an account-deactivated email via Bridge API.
- */
-export async function sendAccountDeactivatedEmail(email) {
-    const result = await bridgePost('/api/v1/email/send-account-deactivated', {
-        to: email,
-    });
-    return { data: result, error: null };
-}
-/**
- * Send an account-reactivated email via Bridge API.
- */
-export async function sendAccountReactivatedEmail(email) {
-    const portalUrl = process.env.APP_URL || process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000';
-    const result = await bridgePost('/api/v1/email/send-account-reactivated', {
-        to: email,
-        portal_url: portalUrl,
-    });
-    return { data: result, error: null };
-}
-/**
- * Send a test email via Bridge API.
- * Returns the provider that was used.
- */
-export async function sendTestEmail(to) {
-    const result = await bridgePost('/api/v1/email/test', { to });
-    return { provider: result.provider };
-}
-/**
- * Send a generic email via Bridge API.
- */
-export async function sendEmail(to, subject, html, text) {
-    const result = await bridgePost('/api/v1/email/send', { to, subject, html, text });
-    return { data: result, error: null };
-}
-//# sourceMappingURL=email.js.map

package/dist/lib/authz/email.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"email.js","sourceRoot":"","sources":["../../../src/lib/authz/email.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E,KAAK,UAAU,UAAU,CAAU,IAAY,EAAE,IAA6B;IAC5E,MAAM,GAAG,GAAG,GAAG,eAAe,EAAE,GAAG,IAAI,EAAE,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/C,IAAI,MAAM,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC9B,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,cAAc,IAAI,CAAC,MAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,gDAAgD;AAChD,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,KAAa,EACb,YAAoB,EACpB,QAAgB;IAEhB,OAAO,CAAC,GAAG,CAAC,sDAAsD,EAAE,KAAK,CAAC,CAAC;IAC3E,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,+BAA+B,EAAE;QAC/D,EAAE,EAAE,KAAK;QACT,cAAc,EAAE,YAAY;QAC5B,SAAS,EAAE,QAAQ;KACpB,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,KAAa,EAAE,YAAoB;IAC1E,OAAO,CAAC,GAAG,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,sCAAsC,EAAE;QACtE,EAAE,EAAE,KAAK;QACT,cAAc,EAAE,YAAY;KAC7B,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,QAAiB;IACrE,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;IACpF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,4BAA4B,EAAE;QAC5D,EAAE,EAAE,KAAK;QACT,SAAS,EAAE,QAAQ,IAAI,IAAI;QAC3B,UAAU,EAAE,SAAS;KACtB,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,KAAa;IAC7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,wCAAwC,EAAE;QACxE,EAAE,EAAE,KAAK;KACV,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,KAAa;IAC7D,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;IACpF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,wCAAwC,EAAE;QACxE,EAAE,EAAE,KAAK;QACT,UAAU,EAAE,SAAS;KACtB,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAAU;IAC5C,MAAM,MAAM,GAAG,MAAM,UAAU,CAC7B,oBAAoB,EACpB,EAAE,EAAE,EAAE,CACP,CAAC;IACF,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAU,EACV,OAAe,EACf,IAAY,EACZ,IAAY;IAEZ,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,oBAAoB,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACvC,CAAC"}

package/dist/lib/authz/permissions.d.ts

@@ -1,109 +0,0 @@
-/**
- * RBAC Permission Checking Utilities (busibox-portal wrapper)
- *
- * Zero Trust Architecture:
- * All authorization checks are delegated to the authz service via busibox-app.
- *
- * For user self-service operations (checking own access, listing own resources),
- * the session JWT is passed directly to authz - no token exchange required.
- *
- * Token exchange is only needed for:
- * - Admin operations on other users
- * - Downstream service access (busibox-agents, etc.)
- */
-import { type Role } from '@jazzmind/busibox-app';
-/**
- * Check if a user can access a specific app
- *
- * Queries the authz service to check if the user has any role
- * that is bound to the specified app.
- *
- * @param userId - User ID to check
- * @param appId - App ID to check access for
- * @param accessToken - Optional access token for authenticated check
- * @returns true if user has permission, false otherwise
- */
-export declare function canAccessApp(userId: string, appId: string, accessToken?: string): Promise<boolean>;
-/**
- * Get all apps a user can access
- *
- * Queries the authz service for accessible app IDs, then fetches
- * app details from the local database.
- *
- * @param userId - User ID
- * @param accessToken - Optional access token for authenticated check
- * @returns Array of apps the user has permission to access
- */
-export declare function getUserApps(userId: string, accessToken?: string): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-    type: import("../deploy/app-config").AppConfigType;
-    url: string | null;
-    iconUrl: string | null;
-    selectedIcon: string | null;
-    displayOrder: number;
-    isActive: boolean;
-}[]>;
-/**
- * Get user's roles from authz service
- *
- * @deprecated Use busibox-app's getUserRoles() directly
- */
-export declare function getUserRoles(userId: string): Promise<Role[]>;
-/**
- * Get user's role names
- *
- * @deprecated Use busibox-app's getUserRoleNames() directly
- */
-export declare function getUserRoleNames(userId: string): Promise<string[]>;
-/**
- * Check if user has a specific role
- *
- * @deprecated Use busibox-app's hasRole() directly
- */
-export declare function hasRole(userId: string, roleName: string): Promise<boolean>;
-/**
- * Check if user is an admin
- *
- * @deprecated Use busibox-app's isAdmin() directly
- */
-export declare function isAdmin(userId: string): Promise<boolean>;
-/**
- * Check if user is a guest
- *
- * @deprecated Use busibox-app's isGuest() directly
- */
-export declare function isGuest(userId: string): Promise<boolean>;
-/**
- * Check if user has any of the specified roles
- *
- * @deprecated Use busibox-app's hasAnyRole() directly
- */
-export declare function hasAnyRole(userId: string, roleNames: string[]): Promise<boolean>;
-/**
- * Check if user has all of the specified roles
- *
- * @deprecated Use busibox-app's hasAllRoles() directly
- */
-export declare function hasAllRoles(userId: string, roleNames: string[]): Promise<boolean>;
-/**
- * Check if user is active
- *
- * This checks the authz service.
- */
-export declare function isUserActive(userId: string): Promise<boolean>;
-/**
- * Get user with roles from authz service
- */
-export declare function getUserWithRoles(userId: string): Promise<{
-    id: string;
-    email: string;
-    status: string | undefined;
-    lastLoginAt: Date | null;
-    createdAt: Date;
-    updatedAt: Date;
-    roles: Role[];
-} | null>;
-export type { Role } from '@jazzmind/busibox-app';
-//# sourceMappingURL=permissions.d.ts.map

package/dist/lib/authz/permissions.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../../src/lib/authz/permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAML,KAAK,IAAI,EAEV,MAAM,uBAAuB,CAAC;AA0B/B;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAqBxG;AAED;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;;;;;;;;;;KAkCrE;AAMD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAGlE;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAIxE;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGhF;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG9D;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAG9D;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAKtF;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAKvF;AAMD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CASnE;AAYD;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM;;;;;;;;UA0BpD;AAGD,YAAY,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC"}