@m5kdev/backend 0.5.0 → 0.7.0

package/dist/src/types.d.ts

@@ -4,13 +4,13 @@ import type { AuthService } from "./modules/auth/auth.service";
 import type { BillingService } from "./modules/billing/billing.service";
 import type { TRPCMethods } from "./utils/trpc";
 export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcMethods: TRPCMethods, authService: AuthService, aiService: AIService<MastraInstance>, billingService: BillingService) => import("@trpc/server").TRPCBuiltRouter<{
-    ctx: import("./modules/auth/auth.lib").Context;
+    ctx: import("./utils/trpc").Context;
     meta: any;
     errorShape: import("@trpc/server").TRPCDefaultErrorShape;
     transformer: true;
 }, import("@trpc/server").TRPCDecorateCreateRouterOptions<{
     auth: import("@trpc/server").TRPCBuiltRouter<{
-        ctx: import("./modules/auth/auth.lib").Context;
+        ctx: import("./utils/trpc").Context;
         meta: any;
         errorShape: import("@trpc/server").TRPCDefaultErrorShape;
         transformer: true;
@@ -58,10 +58,10 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             input: void;
             output: {
                 id: string;
-                status: string;
                 createdAt: Date;
                 updatedAt: Date | null;
                 expiresAt: Date | null;
+                status: string;
                 claimUserId: string | null;
                 claimedAt: Date | null;
                 claimedEmail: string | null;
@@ -76,11 +76,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             output: {
                 id: string;
                 email: string;
-                url: string;
                 createdAt: Date;
-                userId: string;
                 expiresAt: Date | null;
+                userId: string;
                 claimId: string;
+                url: string;
             };
             meta: any;
         }>;
@@ -91,11 +91,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             output: {
                 id: string;
                 email: string;
-                url: string;
                 createdAt: Date;
-                userId: string;
                 expiresAt: Date | null;
+                userId: string;
                 claimId: string;
+                url: string;
             }[];
             meta: any;
         }>;
@@ -148,11 +148,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             input: void;
             output: {
                 id: string;
-                email: string | null;
                 name: string | null;
-                status: string;
+                email: string | null;
                 createdAt: Date;
                 updatedAt: Date | null;
+                status: string;
             }[];
             meta: any;
         }>;
@@ -162,11 +162,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             };
             output: {
                 id: string;
-                email: string | null;
                 name: string | null;
-                status: string;
+                email: string | null;
                 createdAt: Date;
                 updatedAt: Date | null;
+                status: string;
             };
             meta: any;
         }>;
@@ -193,11 +193,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             };
             output: {
                 id: string;
-                email: string | null;
                 name: string | null;
-                status: string;
+                email: string | null;
                 createdAt: Date;
                 updatedAt: Date | null;
+                status: string;
             };
             meta: any;
         }>;
@@ -207,11 +207,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             };
             output: {
                 id: string;
-                email: string | null;
                 name: string | null;
-                status: string;
+                email: string | null;
                 createdAt: Date;
                 updatedAt: Date | null;
+                status: string;
             };
             meta: any;
         }>;
@@ -221,11 +221,11 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
             };
             output: {
                 id: string;
-                email: string | null;
                 name: string | null;
-                status: string;
+                email: string | null;
                 createdAt: Date;
                 updatedAt: Date | null;
+                status: string;
             };
             meta: any;
         }>;
@@ -300,7 +300,7 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
         }>;
     }>>;
     ai: import("@trpc/server").TRPCBuiltRouter<{
-        ctx: import("./modules/auth/auth.lib").Context;
+        ctx: import("./utils/trpc").Context;
         meta: any;
         errorShape: import("@trpc/server").TRPCDefaultErrorShape;
         transformer: true;
@@ -319,7 +319,7 @@ export declare const createAuthTRPCRouter: <MastraInstance extends Mastra>(trpcM
         }>;
     }>>;
     billing: import("@trpc/server").TRPCBuiltRouter<{
-        ctx: import("./modules/auth/auth.lib").Context;
+        ctx: import("./utils/trpc").Context;
         meta: any;
         errorShape: import("@trpc/server").TRPCDefaultErrorShape;
         transformer: true;

package/dist/src/utils/trpc.d.ts

@@ -2,8 +2,29 @@ import type { transformer } from "@m5kdev/commons/utils/trpc";
 import type { TRPCRootObject } from "@trpc/server";
 import type { CreateExpressContextOptions } from "@trpc/server/adapters/express";
 import type { Result } from "neverthrow";
-import type { BetterAuth, Context } from "../modules/auth/auth.lib";
+import type { BetterAuth, Session, User } from "../modules/auth/auth.lib";
+import { type OrganizationActor, type TeamActor, type UserActor } from "../modules/base/base.actor";
 import { ServerError } from "./errors";
+export type RequestContext = {
+    session: Session | null;
+    user: User | null;
+    actor: UserActor | null;
+};
+export type Context = {
+    session: Session;
+    user: User;
+    actor: UserActor;
+};
+export type OrganizationContext = {
+    session: Session;
+    user: User;
+    actor: OrganizationActor;
+};
+export type TeamContext = {
+    session: Session;
+    user: User;
+    actor: TeamActor;
+};
 type TRPCCreate = TRPCRootObject<Context, any, {
     transformer: typeof transformer;
 }>;
@@ -13,46 +34,15 @@ export type TRPCMethods = {
     privateProcedure: TRPCCreate["procedure"];
     adminProcedure: TRPCCreate["procedure"];
 };
-export declare function createAuthContext(auth: BetterAuth): ({ req }: CreateExpressContextOptions) => Promise<{
-    session: {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        token: string;
-        expiresAt: Date;
-        ipAddress: string | null;
-        userAgent: string | null;
-        impersonatedBy: string | null;
-        activeOrganizationId: string | null;
-        activeOrganizationRole: string | null;
-        activeTeamId: string | null;
-        activeTeamRole: string | null;
-    };
-    user: {
-        id: string;
-        email: string;
-        name: string;
-        metadata: Record<string, unknown>;
-        emailVerified: boolean;
-        image: string | null;
-        createdAt: Date;
-        updatedAt: Date;
-        role: string | null;
-        banned: boolean | null;
-        banReason: string | null;
-        banExpires: Date | null;
-        stripeCustomerId: string | null;
-        paymentCustomerId: string | null;
-        paymentPlanTier: string | null;
-        paymentPlanExpiresAt: Date | null;
-        preferences: string | null;
-        onboarding: number | null;
-        flags: string | null;
-    };
-}>;
+export declare function createAuthContext(auth: BetterAuth): ({ req }: CreateExpressContextOptions) => Promise<RequestContext>;
 export declare function handleAsyncTRPCResult<T>(result: Promise<Result<T, ServerError>>): Promise<T>;
 export declare function handleTRPCResult<T>(result: Result<T, ServerError>): T;
-export declare function verifyProtectedProcedureContext(ctx: Context): void;
-export declare function verifyAdminProcedureContext(ctx: Context): void;
+export declare function verifyProtectedProcedureContext(ctx: RequestContext): Context;
+export declare function verifyOrganizationProcedureContext(ctx: Context): OrganizationContext;
+export declare function verifyTeamProcedureContext(ctx: Context): TeamContext;
+export declare function verifyAdminProcedureContext(ctx: RequestContext): Context;
+export declare function requireRequestUser(ctx: RequestContext): User;
+export declare function requireRequestActor(ctx: RequestContext): UserActor;
+export declare function requireRequestActor(ctx: RequestContext, scope: "organization"): OrganizationActor;
+export declare function requireRequestActor(ctx: RequestContext, scope: "team"): TeamActor;
 export {};

package/dist/src/utils/trpc.js

@@ -4,8 +4,13 @@ exports.createAuthContext = createAuthContext;
 exports.handleAsyncTRPCResult = handleAsyncTRPCResult;
 exports.handleTRPCResult = handleTRPCResult;
 exports.verifyProtectedProcedureContext = verifyProtectedProcedureContext;
+exports.verifyOrganizationProcedureContext = verifyOrganizationProcedureContext;
+exports.verifyTeamProcedureContext = verifyTeamProcedureContext;
 exports.verifyAdminProcedureContext = verifyAdminProcedureContext;
+exports.requireRequestUser = requireRequestUser;
+exports.requireRequestActor = requireRequestActor;
 const node_1 = require("better-auth/node");
+const base_actor_1 = require("../modules/base/base.actor");
 const errors_1 = require("./errors");
 const logger_1 = require("./logger");
 function createAuthContext(auth) {
@@ -15,9 +20,11 @@ function createAuthContext(auth) {
         });
         const user = data?.user || null;
         const session = data?.session || null;
+        const actor = user && session ? (0, base_actor_1.createActorFromContext)({ user, session }, "user") : null;
         return {
             session,
             user,
+            actor,
         };
     };
 }
@@ -37,6 +44,34 @@ function handleTRPCResult(result) {
     return result.value;
 }
 function verifyProtectedProcedureContext(ctx) {
+    if (!ctx.user || !ctx.session || !ctx.actor) {
+        throw new errors_1.ServerError({
+            code: "UNAUTHORIZED",
+            layer: "controller",
+            layerName: "TRPCController",
+        }).toTRPC();
+    }
+    return ctx;
+}
+function verifyOrganizationProcedureContext(ctx) {
+    if (!ctx.user || !ctx.session) {
+        throw new errors_1.ServerError({
+            code: "UNAUTHORIZED",
+            layer: "controller",
+            layerName: "TRPCController",
+        }).toTRPC();
+    }
+    try {
+        const actor = (0, base_actor_1.createActorFromContext)({ user: ctx.user, session: ctx.session }, "organization");
+        return { ...ctx, actor };
+    }
+    catch (e) {
+        if (e instanceof errors_1.ServerError)
+            throw e.toTRPC();
+        throw e;
+    }
+}
+function verifyTeamProcedureContext(ctx) {
     if (!ctx.user || !ctx.session) {
         throw new errors_1.ServerError({
             code: "UNAUTHORIZED",
@@ -44,6 +79,15 @@ function verifyProtectedProcedureContext(ctx) {
             layerName: "TRPCController",
         }).toTRPC();
     }
+    try {
+        const actor = (0, base_actor_1.createActorFromContext)({ user: ctx.user, session: ctx.session }, "team");
+        return { ...ctx, actor };
+    }
+    catch (e) {
+        if (e instanceof errors_1.ServerError)
+            throw e.toTRPC();
+        throw e;
+    }
 }
 function verifyAdminProcedureContext(ctx) {
     if (!ctx.user || !ctx.session) {
@@ -60,4 +104,55 @@ function verifyAdminProcedureContext(ctx) {
             layerName: "TRPCController",
         }).toTRPC();
     }
+    if (!ctx.actor) {
+        throw new errors_1.ServerError({
+            code: "UNAUTHORIZED",
+            layer: "controller",
+            layerName: "TRPCController",
+        }).toTRPC();
+    }
+    return ctx;
+}
+function requireRequestUser(ctx) {
+    return verifyProtectedProcedureContext(ctx).user;
+}
+function requireRequestActor(ctx, scope = "user") {
+    const verified = verifyProtectedProcedureContext(ctx);
+    if (scope === "user") {
+        if (!(0, base_actor_1.validateActor)(verified.actor, "user")) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                layer: "controller",
+                layerName: "TRPCController",
+            }).toTRPC();
+        }
+        return verified.actor;
+    }
+    try {
+        if (scope === "organization") {
+            const actor = (0, base_actor_1.createActorFromContext)({ user: verified.user, session: verified.session }, "organization");
+            if (!(0, base_actor_1.validateActor)(actor, "organization")) {
+                throw new errors_1.ServerError({
+                    code: "FORBIDDEN",
+                    layer: "controller",
+                    layerName: "TRPCController",
+                }).toTRPC();
+            }
+            return actor;
+        }
+        const actor = (0, base_actor_1.createActorFromContext)({ user: verified.user, session: verified.session }, "team");
+        if (!(0, base_actor_1.validateActor)(actor, "team")) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                layer: "controller",
+                layerName: "TRPCController",
+            }).toTRPC();
+        }
+        return actor;
+    }
+    catch (e) {
+        if (e instanceof errors_1.ServerError)
+            throw e.toTRPC();
+        throw e;
+    }
 }

package/dist/src/utils/trpc.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/utils/trpc.test.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const server_1 = require("@trpc/server");
+const trpc_1 = require("./trpc");
+jest.mock("better-auth/node", () => ({
+    fromNodeHeaders: (headers) => headers,
+}));
+function expectTRPCCode(fn, code) {
+    try {
+        fn();
+        throw new Error(`Expected TRPC error with code ${code}`);
+    }
+    catch (error) {
+        expect(error).toBeInstanceOf(server_1.TRPCError);
+        expect(error.code).toBe(code);
+    }
+}
+function createUser(overrides = {}) {
+    return {
+        id: "user-1",
+        role: "member",
+        email: "user@example.com",
+        emailVerified: true,
+        name: "User One",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        onboarding: null,
+        preferences: null,
+        flags: null,
+        stripeCustomerId: null,
+        paymentCustomerId: null,
+        paymentPlanTier: null,
+        paymentPlanExpiresAt: null,
+        ...overrides,
+    };
+}
+function createSession(overrides = {}) {
+    return {
+        id: "session-1",
+        userId: "user-1",
+        expiresAt: new Date(Date.now() + 60_000),
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        token: "token",
+        ipAddress: null,
+        userAgent: null,
+        activeOrganizationId: null,
+        activeOrganizationRole: null,
+        activeTeamId: null,
+        activeTeamRole: null,
+        ...overrides,
+    };
+}
+function createRequestContext(overrides = {}) {
+    const user = overrides.user ?? createUser();
+    const session = overrides.session ?? createSession();
+    const actor = overrides.actor ??
+        (user && session
+            ? {
+                userId: user.id,
+                userRole: user.role,
+                organizationId: session.activeOrganizationId,
+                organizationRole: session.activeOrganizationRole,
+                teamId: session.activeTeamId,
+                teamRole: session.activeTeamRole,
+            }
+            : null);
+    return {
+        user,
+        session,
+        actor,
+        ...overrides,
+    };
+}
+describe("trpc auth helpers", () => {
+    it("stores a user-scoped actor on the request context while copying session ids", async () => {
+        const user = createUser();
+        const session = createSession({
+            activeOrganizationId: "org-1",
+            activeOrganizationRole: "owner",
+            activeTeamId: "team-1",
+            activeTeamRole: "manager",
+        });
+        const auth = {
+            api: {
+                getSession: jest.fn().mockResolvedValue({ user, session }),
+            },
+        };
+        const createContext = (0, trpc_1.createAuthContext)(auth);
+        const ctx = await createContext({
+            req: { headers: {} },
+        });
+        expect(ctx.actor).toEqual({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: "team-1",
+            teamRole: "manager",
+        });
+    });
+    it("throws FORBIDDEN when a broader actor scope is required than the session allows", () => {
+        const actor = (0, trpc_1.requireRequestActor)(createRequestContext({
+            user: createUser(),
+            session: createSession(),
+            actor: {
+                userId: "user-1",
+                userRole: "member",
+                organizationId: null,
+                organizationRole: null,
+                teamId: null,
+                teamRole: null,
+            },
+        }));
+        expect(actor.userId).toBe("user-1");
+        expectTRPCCode(() => (0, trpc_1.requireRequestActor)(createRequestContext({
+            user: createUser(),
+            session: createSession(),
+            actor: {
+                userId: "user-1",
+                userRole: "member",
+                organizationId: null,
+                organizationRole: null,
+                teamId: null,
+                teamRole: null,
+            },
+        }), "organization"), "FORBIDDEN");
+    });
+    it("throws UNAUTHORIZED when request user access is missing", () => {
+        expectTRPCCode(() => (0, trpc_1.requireRequestUser)({
+            user: null,
+            session: null,
+            actor: null,
+        }), "UNAUTHORIZED");
+    });
+    it("verifies admin access from the raw request user", () => {
+        const ctx = createRequestContext({
+            user: createUser({ role: "admin" }),
+            actor: {
+                userId: "user-1",
+                userRole: "admin",
+                organizationId: "org-1",
+                organizationRole: "owner",
+                teamId: null,
+                teamRole: null,
+            },
+        });
+        expect((0, trpc_1.verifyAdminProcedureContext)(ctx).user.role).toBe("admin");
+        expectTRPCCode(() => (0, trpc_1.verifyAdminProcedureContext)(createRequestContext({
+            user: createUser({ role: "member" }),
+            actor: ctx.actor,
+        })), "FORBIDDEN");
+    });
+});