npm - @marcwelti/mw-core - Versions diffs - 0.2.0 - Mend

@marcwelti/mw-core 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/README.md +141 -0
package/dist/context/index.d.mts +95 -0
package/dist/context/index.d.ts +95 -0
package/dist/context/index.js +280 -0
package/dist/context/index.js.map +1 -0
package/dist/context/index.mjs +276 -0
package/dist/context/index.mjs.map +1 -0
package/dist/firebase/index.d.mts +176 -0
package/dist/firebase/index.d.ts +176 -0
package/dist/firebase/index.js +393 -0
package/dist/firebase/index.js.map +1 -0
package/dist/firebase/index.mjs +318 -0
package/dist/firebase/index.mjs.map +1 -0
package/dist/hooks/index.d.mts +97 -0
package/dist/hooks/index.d.ts +97 -0
package/dist/hooks/index.js +618 -0
package/dist/hooks/index.js.map +1 -0
package/dist/hooks/index.mjs +611 -0
package/dist/hooks/index.mjs.map +1 -0
package/dist/index.d.mts +12 -0
package/dist/index.d.ts +12 -0
package/dist/index.js +922 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +843 -0
package/dist/index.mjs.map +1 -0
package/dist/server/index.d.mts +216 -0
package/dist/server/index.d.ts +216 -0
package/dist/server/index.js +309 -0
package/dist/server/index.js.map +1 -0
package/dist/server/index.mjs +276 -0
package/dist/server/index.mjs.map +1 -0
package/dist/storage-BU_rfYCi.d.mts +43 -0
package/dist/storage-BU_rfYCi.d.ts +43 -0
package/dist/types/index.d.mts +108 -0
package/dist/types/index.d.ts +108 -0
package/dist/types/index.js +12 -0
package/dist/types/index.js.map +1 -0
package/dist/types/index.mjs +3 -0
package/dist/types/index.mjs.map +1 -0
package/package.json +91 -0

package/dist/server/index.js ADDED Viewed

@@ -0,0 +1,309 @@
+'use strict';
+var app = require('firebase-admin/app');
+var auth = require('firebase-admin/auth');
+var firestore = require('firebase-admin/firestore');
+// src/server/admin.ts
+var _adminApp = null;
+var _adminAuth = null;
+var _adminDb = null;
+function getAdminCredentials() {
+  const projectId = process.env.FIREBASE_ADMIN_PROJECT_ID;
+  const clientEmail = process.env.FIREBASE_ADMIN_CLIENT_EMAIL;
+  const privateKey = process.env.FIREBASE_ADMIN_PRIVATE_KEY?.replace(/\\n/g, "\n");
+  if (!projectId || !clientEmail || !privateKey) {
+    throw new Error(
+      "[mw-core] Missing Firebase Admin credentials. Set FIREBASE_ADMIN_PROJECT_ID, FIREBASE_ADMIN_CLIENT_EMAIL, and FIREBASE_ADMIN_PRIVATE_KEY environment variables."
+    );
+  }
+  return {
+    projectId,
+    clientEmail,
+    privateKey
+  };
+}
+function initializeAdminApp() {
+  if (_adminApp) {
+    return _adminApp;
+  }
+  const existingApps = app.getApps();
+  if (existingApps.length > 0) {
+    _adminApp = existingApps[0];
+    return _adminApp;
+  }
+  const credentials = getAdminCredentials();
+  _adminApp = app.initializeApp({
+    credential: app.cert(credentials)
+  });
+  return _adminApp;
+}
+function getAdminAuth() {
+  if (!_adminAuth) {
+    _adminAuth = auth.getAuth(initializeAdminApp());
+  }
+  return _adminAuth;
+}
+function getAdminFirestore() {
+  if (!_adminDb) {
+    _adminDb = firestore.getFirestore(initializeAdminApp());
+  }
+  return _adminDb;
+}
+// src/server/session.ts
+var DEFAULT_SESSION_DURATION = 60 * 60 * 24 * 5 * 1e3;
+async function createSessionCookie(idToken, config) {
+  const auth = getAdminAuth();
+  const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;
+  const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn });
+  return sessionCookie;
+}
+function generateLoginCookieHeader(sessionCookie, config) {
+  const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;
+  const maxAge = Math.floor(expiresIn / 1e3);
+  const secure = config.secure ?? process.env.NODE_ENV === "production";
+  const path = config.path || "/";
+  const parts = [
+    `session=${sessionCookie}`,
+    `Domain=${config.domain}`,
+    `Path=${path}`,
+    "HttpOnly",
+    "SameSite=Lax",
+    `Max-Age=${maxAge}`
+  ];
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+function generateLogoutCookieHeader(config) {
+  const path = config.path || "/";
+  const secure = config.secure ?? process.env.NODE_ENV === "production";
+  const parts = [
+    "session=",
+    `Domain=${config.domain}`,
+    `Path=${path}`,
+    "HttpOnly",
+    "SameSite=Lax",
+    "Max-Age=0"
+  ];
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = true) {
+  const auth = getAdminAuth();
+  return auth.verifySessionCookie(sessionCookie, checkRevoked);
+}
+async function verifyIdToken(idToken) {
+  const auth = getAdminAuth();
+  return auth.verifyIdToken(idToken);
+}
+async function revokeUserTokens(uid) {
+  const auth = getAdminAuth();
+  await auth.revokeRefreshTokens(uid);
+}
+async function getSessionUser(sessionCookie) {
+  if (!sessionCookie) {
+    return null;
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      uid: decodedClaims.uid,
+      email: decodedClaims.email,
+      emailVerified: decodedClaims.email_verified || false,
+      displayName: decodedClaims.name,
+      photoURL: decodedClaims.picture
+    };
+  } catch {
+    return null;
+  }
+}
+// src/server/apiRoutes.ts
+async function handleLogin(idToken, config) {
+  await verifyIdToken(idToken);
+  const sessionCookie = await createSessionCookie(idToken, config);
+  return generateLoginCookieHeader(sessionCookie, config);
+}
+function handleLogout(config) {
+  return generateLogoutCookieHeader(config);
+}
+async function handleSession(sessionCookie) {
+  if (!sessionCookie) {
+    return { authenticated: false };
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      authenticated: true,
+      user: {
+        uid: decodedClaims.uid,
+        email: decodedClaims.email,
+        emailVerified: decodedClaims.email_verified || false,
+        displayName: decodedClaims.name,
+        photoURL: decodedClaims.picture
+      }
+    };
+  } catch {
+    return { authenticated: false };
+  }
+}
+var DEFAULT_SESSION_CONFIG = {
+  domain: ".marc-welti.ch",
+  expiresIn: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  path: "/",
+  secure: process.env.NODE_ENV === "production"
+};
+function createSessionConfig(domain, options) {
+  return {
+    ...DEFAULT_SESSION_CONFIG,
+    ...options,
+    domain
+  };
+}
+// src/server/middleware.ts
+async function verifyAuth(sessionCookie) {
+  if (!sessionCookie) {
+    return { authenticated: false, user: null };
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      authenticated: true,
+      user: {
+        uid: decodedClaims.uid,
+        email: decodedClaims.email,
+        emailVerified: decodedClaims.email_verified || false,
+        displayName: decodedClaims.name,
+        photoURL: decodedClaims.picture
+      }
+    };
+  } catch {
+    return { authenticated: false, user: null };
+  }
+}
+function isProtectedPath(pathname, protectedPaths) {
+  return protectedPaths.some((path) => {
+    return pathname === path || pathname.startsWith(`${path}/`);
+  });
+}
+var DEFAULT_MIDDLEWARE_CONFIG = {
+  protectedPaths: ["/account", "/dashboard"],
+  loginRedirectPath: "/login-required",
+  cookieName: "session"
+};
+function createMiddlewareConfig(protectedPaths, options) {
+  return {
+    ...DEFAULT_MIDDLEWARE_CONFIG,
+    ...options,
+    protectedPaths
+  };
+}
+// src/server/roles.ts
+var ROLE_DESCRIPTIONS = {
+  owner: "Full system access (Marc only)",
+  employee: "Limited access to assigned customers",
+  admin: "Technical support access",
+  user: "Customer access"
+};
+function hasRole(userRole, requiredRoles) {
+  if (!userRole) return false;
+  return requiredRoles.includes(userRole);
+}
+function isStaff(userRole) {
+  return hasRole(userRole, ["owner", "admin", "employee"]);
+}
+function isAdmin(userRole) {
+  return hasRole(userRole, ["owner", "admin"]);
+}
+function isOwner(userRole) {
+  return userRole === "owner";
+}
+function getRoleDisplayName(role) {
+  const names = {
+    owner: "Owner",
+    employee: "Employee",
+    admin: "Administrator",
+    user: "User"
+  };
+  return names[role] || role;
+}
+// src/server/tiers.ts
+var ALL_TIERS = [
+  "MasterClass",
+  "MasterClassLight",
+  "PremiumOnlineKurs",
+  "MasterOnlineKurs",
+  "OnlineKursPro",
+  "PremiumTraining",
+  "VIPTraining"
+];
+var TIER_DISPLAY_NAMES = {
+  MasterClass: "MasterClass",
+  MasterClassLight: "MasterClass Light",
+  PremiumOnlineKurs: "Premium Online Kurs",
+  MasterOnlineKurs: "Master Online Kurs",
+  OnlineKursPro: "Online Kurs Pro",
+  PremiumTraining: "Premium Training",
+  VIPTraining: "VIP Training"
+};
+function hasAccess(userTier, requiredTiers) {
+  if (!userTier) return false;
+  return requiredTiers.includes(userTier);
+}
+function hasSubscription(userTier) {
+  return userTier !== null && userTier !== void 0;
+}
+function getTierDisplayName(tier) {
+  return TIER_DISPLAY_NAMES[tier] || tier;
+}
+function isSubscriptionExpired(subscription) {
+  if (!subscription.expirationDate) return false;
+  return /* @__PURE__ */ new Date() > subscription.expirationDate;
+}
+function isSubscriptionActive(subscription) {
+  return subscription.isActive && !isSubscriptionExpired(subscription);
+}
+exports.ALL_TIERS = ALL_TIERS;
+exports.DEFAULT_MIDDLEWARE_CONFIG = DEFAULT_MIDDLEWARE_CONFIG;
+exports.DEFAULT_SESSION_CONFIG = DEFAULT_SESSION_CONFIG;
+exports.ROLE_DESCRIPTIONS = ROLE_DESCRIPTIONS;
+exports.TIER_DISPLAY_NAMES = TIER_DISPLAY_NAMES;
+exports.createMiddlewareConfig = createMiddlewareConfig;
+exports.createSessionConfig = createSessionConfig;
+exports.createSessionCookie = createSessionCookie;
+exports.generateLoginCookieHeader = generateLoginCookieHeader;
+exports.generateLogoutCookieHeader = generateLogoutCookieHeader;
+exports.getAdminAuth = getAdminAuth;
+exports.getAdminFirestore = getAdminFirestore;
+exports.getRoleDisplayName = getRoleDisplayName;
+exports.getSessionUser = getSessionUser;
+exports.getTierDisplayName = getTierDisplayName;
+exports.handleLogin = handleLogin;
+exports.handleLogout = handleLogout;
+exports.handleSession = handleSession;
+exports.hasAccess = hasAccess;
+exports.hasRole = hasRole;
+exports.hasSubscription = hasSubscription;
+exports.initializeAdminApp = initializeAdminApp;
+exports.isAdmin = isAdmin;
+exports.isOwner = isOwner;
+exports.isProtectedPath = isProtectedPath;
+exports.isStaff = isStaff;
+exports.isSubscriptionActive = isSubscriptionActive;
+exports.isSubscriptionExpired = isSubscriptionExpired;
+exports.revokeUserTokens = revokeUserTokens;
+exports.verifyAuth = verifyAuth;
+exports.verifyIdToken = verifyIdToken;
+exports.verifySessionCookie = verifySessionCookie;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/server/admin.ts","../../src/server/session.ts","../../src/server/apiRoutes.ts","../../src/server/middleware.ts","../../src/server/roles.ts","../../src/server/tiers.ts"],"names":["getApps","initializeApp","cert","getAuth","getFirestore"],"mappings":";;;;;;;AAUA,IAAI,SAAA,GAAwB,IAAA;AAC5B,IAAI,UAAA,GAA0B,IAAA;AAC9B,IAAI,QAAA,GAA6B,IAAA;AAKjC,SAAS,mBAAA,GAAsC;AAC7C,EAAA,MAAM,SAAA,GAAY,QAAQ,GAAA,CAAI,yBAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,2BAAA;AAChC,EAAA,MAAM,aAAa,OAAA,CAAQ,GAAA,CAAI,0BAAA,EAA4B,OAAA,CAAQ,QAAQ,IAAI,CAAA;AAE/E,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,WAAA,IAAe,CAAC,UAAA,EAAY;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,SAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AACF;AAKO,SAAS,kBAAA,GAA0B;AACxC,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,MAAM,eAAeA,WAAA,EAAQ;AAC7B,EAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,IAAA,SAAA,GAAY,aAAa,CAAC,CAAA;AAC1B,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,MAAM,cAAc,mBAAA,EAAoB;AACxC,EAAA,SAAA,GAAYC,iBAAA,CAAc;AAAA,IACxB,UAAA,EAAYC,SAAK,WAAW;AAAA,GAC7B,CAAA;AAED,EAAA,OAAO,SAAA;AACT;AAKO,SAAS,YAAA,GAAqB;AACnC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,UAAA,GAAaC,YAAA,CAAQ,oBAAoB,CAAA;AAAA,EAC3C;AACA,EAAA,OAAO,UAAA;AACT;AAKO,SAAS,iBAAA,GAA+B;AAC7C,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,QAAA,GAAWC,sBAAA,CAAa,oBAAoB,CAAA;AAAA,EAC9C;AACA,EAAA,OAAO,QAAA;AACT;;;AC3DA,IAAM,wBAAA,GAA2B,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA,GAAI,GAAA;AAKpD,eAAsB,mBAAA,CACpB,SACA,MAAA,EACiB;AACjB,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,wBAAA;AAGtC,EAAA,MAAM,gBAAgB,MAAM,IAAA,CAAK,oBAAoB,OAAA,EAAS,EAAE,WAAW,CAAA;AAE3E,EAAA,OAAO,aAAA;AACT;AAKO,SAAS,yBAAA,CACd,eACA,MAAA,EACQ;AACR,EAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,wBAAA;AACtC,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,SAAA,GAAY,GAAI,CAAA;AAC1C,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AACzD,EAAA,MAAM,IAAA,GAAO,OAAO,IAAA,IAAQ,GAAA;AAE5B,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,WAAW,aAAa,CAAA,CAAA;AAAA,IACxB,CAAA,OAAA,EAAU,OAAO,MAAM,CAAA,CAAA;AAAA,IACvB,QAAQ,IAAI,CAAA,CAAA;AAAA,IACZ,UAAA;AAAA,IACA,cAAA;AAAA,IACA,WAAW,MAAM,CAAA;AAAA,GACnB;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EACrB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAKO,SAAS,2BAA2B,MAAA,EAA+B;AACxE,EAAA,MAAM,IAAA,GAAO,OAAO,IAAA,IAAQ,GAAA;AAC5B,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AAEzD,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,UAAA;AAAA,IACA,CAAA,OAAA,EAAU,OAAO,MAAM,CAAA,CAAA;AAAA,IACvB,QAAQ,IAAI,CAAA,CAAA;AAAA,IACZ,UAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EACrB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAKA,eAAsB,mBAAA,CACpB,aAAA,EACA,YAAA,GAAwB,IAAA,EACC;AACzB,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,OAAO,IAAA,CAAK,mBAAA,CAAoB,aAAA,EAAe,YAAY,CAAA;AAC7D;AAKA,eAAsB,cAAc,OAAA,EAA0C;AAC5E,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,OAAO,IAAA,CAAK,cAAc,OAAO,CAAA;AACnC;AAKA,eAAsB,iBAAiB,GAAA,EAA4B;AACjE,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,MAAM,IAAA,CAAK,oBAAoB,GAAG,CAAA;AACpC;AAgBA,eAAsB,eACpB,aAAA,EAC6B;AAC7B,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,KAAK,aAAA,CAAc,GAAA;AAAA,MACnB,OAAO,aAAA,CAAc,KAAA;AAAA,MACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,MAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,MAC3B,UAAU,aAAA,CAAc;AAAA,KAC1B;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;;;ACpIA,eAAsB,WAAA,CACpB,SACA,MAAA,EACiB;AAEjB,EAAA,MAAM,cAAc,OAAO,CAAA;AAG3B,EAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,OAAA,EAAS,MAAM,CAAA;AAG/D,EAAA,OAAO,yBAAA,CAA0B,eAAe,MAAM,CAAA;AACxD;AAMO,SAAS,aAAa,MAAA,EAA+B;AAC1D,EAAA,OAAO,2BAA2B,MAAM,CAAA;AAC1C;AAMA,eAAsB,cACpB,aAAA,EACyD;AACzD,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,EAAE,eAAe,KAAA,EAAM;AAAA,EAChC;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,IAAA;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,KAAK,aAAA,CAAc,GAAA;AAAA,QACnB,OAAO,aAAA,CAAc,KAAA;AAAA,QACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,QAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,QAC3B,UAAU,aAAA,CAAc;AAAA;AAC1B,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,eAAe,KAAA,EAAM;AAAA,EAChC;AACF;AAKO,IAAM,sBAAA,GAAwC;AAAA,EACnD,MAAA,EAAQ,gBAAA;AAAA,EACR,SAAA,EAAW,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA,GAAI,GAAA;AAAA;AAAA,EAC9B,IAAA,EAAM,GAAA;AAAA,EACN,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa;AACnC;AAKO,SAAS,mBAAA,CACd,QACA,OAAA,EACe;AACf,EAAA,OAAO;AAAA,IACL,GAAG,sBAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH;AAAA,GACF;AACF;;;ACxEA,eAAsB,WACpB,aAAA,EACqB;AACrB,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,EAAE,aAAA,EAAe,KAAA,EAAO,IAAA,EAAM,IAAA,EAAK;AAAA,EAC5C;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,IAAA;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,KAAK,aAAA,CAAc,GAAA;AAAA,QACnB,OAAO,aAAA,CAAc,KAAA;AAAA,QACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,QAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,QAC3B,UAAU,aAAA,CAAc;AAAA;AAC1B,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,aAAA,EAAe,KAAA,EAAO,IAAA,EAAM,IAAA,EAAK;AAAA,EAC5C;AACF;AAKO,SAAS,eAAA,CACd,UACA,cAAA,EACS;AACT,EAAA,OAAO,cAAA,CAAe,IAAA,CAAK,CAAC,IAAA,KAAS;AAEnC,IAAA,OAAO,aAAa,IAAA,IAAQ,QAAA,CAAS,UAAA,CAAW,CAAA,EAAG,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,EAC5D,CAAC,CAAA;AACH;AAiBO,IAAM,yBAAA,GAA8C;AAAA,EACzD,cAAA,EAAgB,CAAC,UAAA,EAAY,YAAY,CAAA;AAAA,EACzC,iBAAA,EAAmB,iBAAA;AAAA,EACnB,UAAA,EAAY;AACd;AAKO,SAAS,sBAAA,CACd,gBACA,OAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL,GAAG,yBAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH;AAAA,GACF;AACF;;;ACvEO,IAAM,iBAAA,GAA8C;AAAA,EACzD,KAAA,EAAO,gCAAA;AAAA,EACP,QAAA,EAAU,sCAAA;AAAA,EACV,KAAA,EAAO,0BAAA;AAAA,EACP,IAAA,EAAM;AACR;AAKO,SAAS,OAAA,CACd,UACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,UAAU,OAAO,KAAA;AACtB,EAAA,OAAO,aAAA,CAAc,SAAS,QAAQ,CAAA;AACxC;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,QAAQ,QAAA,EAAU,CAAC,OAAA,EAAS,OAAA,EAAS,UAAU,CAAC,CAAA;AACzD;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,OAAA,CAAQ,QAAA,EAAU,CAAC,OAAA,EAAS,OAAO,CAAC,CAAA;AAC7C;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,QAAA,KAAa,OAAA;AACtB;AAKO,SAAS,mBAAmB,IAAA,EAAwB;AACzD,EAAA,MAAM,KAAA,GAAkC;AAAA,IACtC,KAAA,EAAO,OAAA;AAAA,IACP,QAAA,EAAU,UAAA;AAAA,IACV,KAAA,EAAO,eAAA;AAAA,IACP,IAAA,EAAM;AAAA,GACR;AACA,EAAA,OAAO,KAAA,CAAM,IAAI,CAAA,IAAK,IAAA;AACxB;;;AChDO,IAAM,SAAA,GAAgC;AAAA,EAC3C,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AAKO,IAAM,kBAAA,GAAuD;AAAA,EAClE,WAAA,EAAa,aAAA;AAAA,EACb,gBAAA,EAAkB,mBAAA;AAAA,EAClB,iBAAA,EAAmB,qBAAA;AAAA,EACnB,gBAAA,EAAkB,oBAAA;AAAA,EAClB,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,kBAAA;AAAA,EACjB,WAAA,EAAa;AACf;AASO,SAAS,SAAA,CACd,UACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,UAAU,OAAO,KAAA;AACtB,EAAA,OAAO,aAAA,CAAc,SAAS,QAAQ,CAAA;AACxC;AAKO,SAAS,gBACd,QAAA,EACS;AACT,EAAA,OAAO,QAAA,KAAa,QAAQ,QAAA,KAAa,MAAA;AAC3C;AAKO,SAAS,mBAAmB,IAAA,EAAgC;AACjE,EAAA,OAAO,kBAAA,CAAmB,IAAI,CAAA,IAAK,IAAA;AACrC;AAeO,SAAS,sBAAsB,YAAA,EAAyC;AAC7E,EAAA,IAAI,CAAC,YAAA,CAAa,cAAA,EAAgB,OAAO,KAAA;AACzC,EAAA,uBAAO,IAAI,IAAA,EAAK,GAAI,YAAA,CAAa,cAAA;AACnC;AAKO,SAAS,qBAAqB,YAAA,EAAyC;AAC5E,EAAA,OAAO,YAAA,CAAa,QAAA,IAAY,CAAC,qBAAA,CAAsB,YAAY,CAAA;AACrE","file":"index.js","sourcesContent":["import {\n initializeApp,\n getApps,\n cert,\n App,\n ServiceAccount,\n} from 'firebase-admin/app';\nimport { getAuth, Auth } from 'firebase-admin/auth';\nimport { getFirestore, Firestore } from 'firebase-admin/firestore';\n\nlet _adminApp: App | null = null;\nlet _adminAuth: Auth | null = null;\nlet _adminDb: Firestore | null = null;\n\n/**\n * Get Firebase Admin credentials from environment variables\n */\nfunction getAdminCredentials(): ServiceAccount {\n const projectId = process.env.FIREBASE_ADMIN_PROJECT_ID;\n const clientEmail = process.env.FIREBASE_ADMIN_CLIENT_EMAIL;\n const privateKey = process.env.FIREBASE_ADMIN_PRIVATE_KEY?.replace(/\\\\n/g, '\\n');\n\n if (!projectId || !clientEmail || !privateKey) {\n throw new Error(\n '[mw-core] Missing Firebase Admin credentials. ' +\n 'Set FIREBASE_ADMIN_PROJECT_ID, FIREBASE_ADMIN_CLIENT_EMAIL, and FIREBASE_ADMIN_PRIVATE_KEY environment variables.'\n );\n }\n\n return {\n projectId,\n clientEmail,\n privateKey,\n };\n}\n\n/**\n * Initialize Firebase Admin SDK (singleton)\n */\nexport function initializeAdminApp(): App {\n if (_adminApp) {\n return _adminApp;\n }\n\n const existingApps = getApps();\n if (existingApps.length > 0) {\n _adminApp = existingApps[0];\n return _adminApp;\n }\n\n const credentials = getAdminCredentials();\n _adminApp = initializeApp({\n credential: cert(credentials),\n });\n\n return _adminApp;\n}\n\n/**\n * Get Firebase Admin Auth instance\n */\nexport function getAdminAuth(): Auth {\n if (!_adminAuth) {\n _adminAuth = getAuth(initializeAdminApp());\n }\n return _adminAuth;\n}\n\n/**\n * Get Firebase Admin Firestore instance\n */\nexport function getAdminFirestore(): Firestore {\n if (!_adminDb) {\n _adminDb = getFirestore(initializeAdminApp());\n }\n return _adminDb;\n}\n\n// Re-export types\nexport type { App, Auth, Firestore };\n\n","import { getAdminAuth } from './admin';\nimport { DecodedIdToken } from 'firebase-admin/auth';\n\n/**\n * Session cookie configuration\n */\nexport interface SessionConfig {\n /** Cookie domain (e.g., '.marc-welti.ch') */\n domain: string;\n /** Session duration in milliseconds (default: 5 days) */\n expiresIn?: number;\n /** Cookie path (default: '/') */\n path?: string;\n /** Use secure cookies (default: true in production) */\n secure?: boolean;\n}\n\nconst DEFAULT_SESSION_DURATION = 60 * 60 * 24 * 5 * 1000; // 5 days in milliseconds\n\n/**\n * Create a session cookie from a Firebase ID token\n */\nexport async function createSessionCookie(\n idToken: string,\n config: SessionConfig\n): Promise<string> {\n const auth = getAdminAuth();\n const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;\n\n // Create session cookie\n const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn });\n\n return sessionCookie;\n}\n\n/**\n * Generate the Set-Cookie header string for login\n */\nexport function generateLoginCookieHeader(\n sessionCookie: string,\n config: SessionConfig\n): string {\n const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;\n const maxAge = Math.floor(expiresIn / 1000); // Convert to seconds\n const secure = config.secure ?? process.env.NODE_ENV === 'production';\n const path = config.path || '/';\n\n const parts = [\n `session=${sessionCookie}`,\n `Domain=${config.domain}`,\n `Path=${path}`,\n 'HttpOnly',\n 'SameSite=Lax',\n `Max-Age=${maxAge}`,\n ];\n\n if (secure) {\n parts.push('Secure');\n }\n\n return parts.join('; ');\n}\n\n/**\n * Generate the Set-Cookie header string for logout\n */\nexport function generateLogoutCookieHeader(config: SessionConfig): string {\n const path = config.path || '/';\n const secure = config.secure ?? process.env.NODE_ENV === 'production';\n\n const parts = [\n 'session=',\n `Domain=${config.domain}`,\n `Path=${path}`,\n 'HttpOnly',\n 'SameSite=Lax',\n 'Max-Age=0',\n ];\n\n if (secure) {\n parts.push('Secure');\n }\n\n return parts.join('; ');\n}\n\n/**\n * Verify a session cookie and return decoded claims\n */\nexport async function verifySessionCookie(\n sessionCookie: string,\n checkRevoked: boolean = true\n): Promise<DecodedIdToken> {\n const auth = getAdminAuth();\n return auth.verifySessionCookie(sessionCookie, checkRevoked);\n}\n\n/**\n * Verify an ID token (for initial login)\n */\nexport async function verifyIdToken(idToken: string): Promise<DecodedIdToken> {\n const auth = getAdminAuth();\n return auth.verifyIdToken(idToken);\n}\n\n/**\n * Revoke all refresh tokens for a user (force logout everywhere)\n */\nexport async function revokeUserTokens(uid: string): Promise<void> {\n const auth = getAdminAuth();\n await auth.revokeRefreshTokens(uid);\n}\n\n/**\n * Session user data extracted from verified session\n */\nexport interface SessionUser {\n uid: string;\n email: string | undefined;\n emailVerified: boolean;\n displayName?: string;\n photoURL?: string;\n}\n\n/**\n * Verify session and return user data\n */\nexport async function getSessionUser(\n sessionCookie: string | undefined\n): Promise<SessionUser | null> {\n if (!sessionCookie) {\n return null;\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n };\n } catch {\n return null;\n }\n}\n\n// Re-export types\nexport type { DecodedIdToken };\n\n","import {\n createSessionCookie,\n generateLoginCookieHeader,\n generateLogoutCookieHeader,\n verifySessionCookie,\n verifyIdToken,\n SessionConfig,\n SessionUser,\n} from './session';\n\n/**\n * Handle login: verify ID token and create session cookie\n * Returns the Set-Cookie header value\n */\nexport async function handleLogin(\n idToken: string,\n config: SessionConfig\n): Promise<string> {\n // Verify the ID token first\n await verifyIdToken(idToken);\n \n // Create session cookie\n const sessionCookie = await createSessionCookie(idToken, config);\n \n // Generate Set-Cookie header\n return generateLoginCookieHeader(sessionCookie, config);\n}\n\n/**\n * Handle logout: generate cookie clearing header\n * Returns the Set-Cookie header value\n */\nexport function handleLogout(config: SessionConfig): string {\n return generateLogoutCookieHeader(config);\n}\n\n/**\n * Handle session verification\n * Returns session user data or null if invalid\n */\nexport async function handleSession(\n sessionCookie: string | undefined\n): Promise<{ authenticated: boolean; user?: SessionUser }> {\n if (!sessionCookie) {\n return { authenticated: false };\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n authenticated: true,\n user: {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n },\n };\n } catch {\n return { authenticated: false };\n }\n}\n\n/**\n * Default session config for marc-welti.ch\n */\nexport const DEFAULT_SESSION_CONFIG: SessionConfig = {\n domain: '.marc-welti.ch',\n expiresIn: 60 * 60 * 24 * 5 * 1000, // 5 days\n path: '/',\n secure: process.env.NODE_ENV === 'production',\n};\n\n/**\n * Create session config with custom domain\n */\nexport function createSessionConfig(\n domain: string,\n options?: Partial<Omit<SessionConfig, 'domain'>>\n): SessionConfig {\n return {\n ...DEFAULT_SESSION_CONFIG,\n ...options,\n domain,\n };\n}\n\n","import { verifySessionCookie, SessionUser } from './session';\n\n/**\n * Result of middleware authentication check\n */\nexport interface AuthResult {\n authenticated: boolean;\n user: SessionUser | null;\n}\n\n/**\n * Verify session from cookie value\n * Use this in Next.js middleware or API routes\n */\nexport async function verifyAuth(\n sessionCookie: string | undefined\n): Promise<AuthResult> {\n if (!sessionCookie) {\n return { authenticated: false, user: null };\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n authenticated: true,\n user: {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n },\n };\n } catch {\n return { authenticated: false, user: null };\n }\n}\n\n/**\n * Check if a path matches any of the protected patterns\n */\nexport function isProtectedPath(\n pathname: string,\n protectedPaths: string[]\n): boolean {\n return protectedPaths.some((path) => {\n // Exact match or starts with path\n return pathname === path || pathname.startsWith(`${path}/`);\n });\n}\n\n/**\n * Configuration for auth middleware\n */\nexport interface MiddlewareConfig {\n /** Paths that require authentication */\n protectedPaths: string[];\n /** Path to redirect unauthenticated users to */\n loginRedirectPath?: string;\n /** Cookie name (default: 'session') */\n cookieName?: string;\n}\n\n/**\n * Default middleware configuration\n */\nexport const DEFAULT_MIDDLEWARE_CONFIG: MiddlewareConfig = {\n protectedPaths: ['/account', '/dashboard'],\n loginRedirectPath: '/login-required',\n cookieName: 'session',\n};\n\n/**\n * Create middleware config with custom options\n */\nexport function createMiddlewareConfig(\n protectedPaths: string[],\n options?: Partial<Omit<MiddlewareConfig, 'protectedPaths'>>\n): MiddlewareConfig {\n return {\n ...DEFAULT_MIDDLEWARE_CONFIG,\n ...options,\n protectedPaths,\n };\n}\n\n","/**\n * User roles in the system\n */\nexport type UserRole = 'owner' | 'employee' | 'admin' | 'user';\n\n/**\n * Role hierarchy and permissions\n * \n * - owner: Marc only, full system access\n * - employee: Team members, limited to assigned customers\n * - admin: External developers/support, full technical access\n * - user: Customers, customer-facing features only\n */\nexport const ROLE_DESCRIPTIONS: Record<UserRole, string> = {\n owner: 'Full system access (Marc only)',\n employee: 'Limited access to assigned customers',\n admin: 'Technical support access',\n user: 'Customer access',\n};\n\n/**\n * Check if user has one of the required roles\n */\nexport function hasRole(\n userRole: UserRole | undefined | null,\n requiredRoles: UserRole[]\n): boolean {\n if (!userRole) return false;\n return requiredRoles.includes(userRole);\n}\n\n/**\n * Check if user is an admin-level role (owner, admin, or employee)\n */\nexport function isStaff(userRole: UserRole | undefined | null): boolean {\n return hasRole(userRole, ['owner', 'admin', 'employee']);\n}\n\n/**\n * Check if user has full admin access (owner or admin)\n */\nexport function isAdmin(userRole: UserRole | undefined | null): boolean {\n return hasRole(userRole, ['owner', 'admin']);\n}\n\n/**\n * Check if user is the owner\n */\nexport function isOwner(userRole: UserRole | undefined | null): boolean {\n return userRole === 'owner';\n}\n\n/**\n * Get role display name\n */\nexport function getRoleDisplayName(role: UserRole): string {\n const names: Record<UserRole, string> = {\n owner: 'Owner',\n employee: 'Employee',\n admin: 'Administrator',\n user: 'User',\n };\n return names[role] || role;\n}\n\n","/**\n * Subscription tiers (independent, not hierarchical)\n */\nexport type SubscriptionTier =\n | 'MasterClass'\n | 'MasterClassLight'\n | 'PremiumOnlineKurs'\n | 'MasterOnlineKurs'\n | 'OnlineKursPro'\n | 'PremiumTraining'\n | 'VIPTraining';\n\n/**\n * All available tiers\n */\nexport const ALL_TIERS: SubscriptionTier[] = [\n 'MasterClass',\n 'MasterClassLight',\n 'PremiumOnlineKurs',\n 'MasterOnlineKurs',\n 'OnlineKursPro',\n 'PremiumTraining',\n 'VIPTraining',\n];\n\n/**\n * Tier display names (internal only - not shown to customers)\n */\nexport const TIER_DISPLAY_NAMES: Record<SubscriptionTier, string> = {\n MasterClass: 'MasterClass',\n MasterClassLight: 'MasterClass Light',\n PremiumOnlineKurs: 'Premium Online Kurs',\n MasterOnlineKurs: 'Master Online Kurs',\n OnlineKursPro: 'Online Kurs Pro',\n PremiumTraining: 'Premium Training',\n VIPTraining: 'VIP Training',\n};\n\n/**\n * Check if user has access to a tier-gated feature\n * \n * @param userTier - The user's current subscription tier (or null if none)\n * @param requiredTiers - List of tiers that have access to the feature\n * @returns true if user's tier is in the required list\n */\nexport function hasAccess(\n userTier: SubscriptionTier | null | undefined,\n requiredTiers: SubscriptionTier[]\n): boolean {\n if (!userTier) return false;\n return requiredTiers.includes(userTier);\n}\n\n/**\n * Check if user has any active subscription\n */\nexport function hasSubscription(\n userTier: SubscriptionTier | null | undefined\n): boolean {\n return userTier !== null && userTier !== undefined;\n}\n\n/**\n * Get tier display name\n */\nexport function getTierDisplayName(tier: SubscriptionTier): string {\n return TIER_DISPLAY_NAMES[tier] || tier;\n}\n\n/**\n * Subscription data stored in Firestore\n */\nexport interface UserSubscription {\n tier: SubscriptionTier;\n startDate: Date;\n expirationDate?: Date;\n isActive: boolean;\n}\n\n/**\n * Check if subscription is expired\n */\nexport function isSubscriptionExpired(subscription: UserSubscription): boolean {\n if (!subscription.expirationDate) return false;\n return new Date() > subscription.expirationDate;\n}\n\n/**\n * Check if subscription is currently active\n */\nexport function isSubscriptionActive(subscription: UserSubscription): boolean {\n return subscription.isActive && !isSubscriptionExpired(subscription);\n}\n\n"]}

package/dist/server/index.mjs ADDED Viewed

@@ -0,0 +1,276 @@
+import { getApps, initializeApp, cert } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+import { getFirestore } from 'firebase-admin/firestore';
+// src/server/admin.ts
+var _adminApp = null;
+var _adminAuth = null;
+var _adminDb = null;
+function getAdminCredentials() {
+  const projectId = process.env.FIREBASE_ADMIN_PROJECT_ID;
+  const clientEmail = process.env.FIREBASE_ADMIN_CLIENT_EMAIL;
+  const privateKey = process.env.FIREBASE_ADMIN_PRIVATE_KEY?.replace(/\\n/g, "\n");
+  if (!projectId || !clientEmail || !privateKey) {
+    throw new Error(
+      "[mw-core] Missing Firebase Admin credentials. Set FIREBASE_ADMIN_PROJECT_ID, FIREBASE_ADMIN_CLIENT_EMAIL, and FIREBASE_ADMIN_PRIVATE_KEY environment variables."
+    );
+  }
+  return {
+    projectId,
+    clientEmail,
+    privateKey
+  };
+}
+function initializeAdminApp() {
+  if (_adminApp) {
+    return _adminApp;
+  }
+  const existingApps = getApps();
+  if (existingApps.length > 0) {
+    _adminApp = existingApps[0];
+    return _adminApp;
+  }
+  const credentials = getAdminCredentials();
+  _adminApp = initializeApp({
+    credential: cert(credentials)
+  });
+  return _adminApp;
+}
+function getAdminAuth() {
+  if (!_adminAuth) {
+    _adminAuth = getAuth(initializeAdminApp());
+  }
+  return _adminAuth;
+}
+function getAdminFirestore() {
+  if (!_adminDb) {
+    _adminDb = getFirestore(initializeAdminApp());
+  }
+  return _adminDb;
+}
+// src/server/session.ts
+var DEFAULT_SESSION_DURATION = 60 * 60 * 24 * 5 * 1e3;
+async function createSessionCookie(idToken, config) {
+  const auth = getAdminAuth();
+  const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;
+  const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn });
+  return sessionCookie;
+}
+function generateLoginCookieHeader(sessionCookie, config) {
+  const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;
+  const maxAge = Math.floor(expiresIn / 1e3);
+  const secure = config.secure ?? process.env.NODE_ENV === "production";
+  const path = config.path || "/";
+  const parts = [
+    `session=${sessionCookie}`,
+    `Domain=${config.domain}`,
+    `Path=${path}`,
+    "HttpOnly",
+    "SameSite=Lax",
+    `Max-Age=${maxAge}`
+  ];
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+function generateLogoutCookieHeader(config) {
+  const path = config.path || "/";
+  const secure = config.secure ?? process.env.NODE_ENV === "production";
+  const parts = [
+    "session=",
+    `Domain=${config.domain}`,
+    `Path=${path}`,
+    "HttpOnly",
+    "SameSite=Lax",
+    "Max-Age=0"
+  ];
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+async function verifySessionCookie(sessionCookie, checkRevoked = true) {
+  const auth = getAdminAuth();
+  return auth.verifySessionCookie(sessionCookie, checkRevoked);
+}
+async function verifyIdToken(idToken) {
+  const auth = getAdminAuth();
+  return auth.verifyIdToken(idToken);
+}
+async function revokeUserTokens(uid) {
+  const auth = getAdminAuth();
+  await auth.revokeRefreshTokens(uid);
+}
+async function getSessionUser(sessionCookie) {
+  if (!sessionCookie) {
+    return null;
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      uid: decodedClaims.uid,
+      email: decodedClaims.email,
+      emailVerified: decodedClaims.email_verified || false,
+      displayName: decodedClaims.name,
+      photoURL: decodedClaims.picture
+    };
+  } catch {
+    return null;
+  }
+}
+// src/server/apiRoutes.ts
+async function handleLogin(idToken, config) {
+  await verifyIdToken(idToken);
+  const sessionCookie = await createSessionCookie(idToken, config);
+  return generateLoginCookieHeader(sessionCookie, config);
+}
+function handleLogout(config) {
+  return generateLogoutCookieHeader(config);
+}
+async function handleSession(sessionCookie) {
+  if (!sessionCookie) {
+    return { authenticated: false };
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      authenticated: true,
+      user: {
+        uid: decodedClaims.uid,
+        email: decodedClaims.email,
+        emailVerified: decodedClaims.email_verified || false,
+        displayName: decodedClaims.name,
+        photoURL: decodedClaims.picture
+      }
+    };
+  } catch {
+    return { authenticated: false };
+  }
+}
+var DEFAULT_SESSION_CONFIG = {
+  domain: ".marc-welti.ch",
+  expiresIn: 60 * 60 * 24 * 5 * 1e3,
+  // 5 days
+  path: "/",
+  secure: process.env.NODE_ENV === "production"
+};
+function createSessionConfig(domain, options) {
+  return {
+    ...DEFAULT_SESSION_CONFIG,
+    ...options,
+    domain
+  };
+}
+// src/server/middleware.ts
+async function verifyAuth(sessionCookie) {
+  if (!sessionCookie) {
+    return { authenticated: false, user: null };
+  }
+  try {
+    const decodedClaims = await verifySessionCookie(sessionCookie);
+    return {
+      authenticated: true,
+      user: {
+        uid: decodedClaims.uid,
+        email: decodedClaims.email,
+        emailVerified: decodedClaims.email_verified || false,
+        displayName: decodedClaims.name,
+        photoURL: decodedClaims.picture
+      }
+    };
+  } catch {
+    return { authenticated: false, user: null };
+  }
+}
+function isProtectedPath(pathname, protectedPaths) {
+  return protectedPaths.some((path) => {
+    return pathname === path || pathname.startsWith(`${path}/`);
+  });
+}
+var DEFAULT_MIDDLEWARE_CONFIG = {
+  protectedPaths: ["/account", "/dashboard"],
+  loginRedirectPath: "/login-required",
+  cookieName: "session"
+};
+function createMiddlewareConfig(protectedPaths, options) {
+  return {
+    ...DEFAULT_MIDDLEWARE_CONFIG,
+    ...options,
+    protectedPaths
+  };
+}
+// src/server/roles.ts
+var ROLE_DESCRIPTIONS = {
+  owner: "Full system access (Marc only)",
+  employee: "Limited access to assigned customers",
+  admin: "Technical support access",
+  user: "Customer access"
+};
+function hasRole(userRole, requiredRoles) {
+  if (!userRole) return false;
+  return requiredRoles.includes(userRole);
+}
+function isStaff(userRole) {
+  return hasRole(userRole, ["owner", "admin", "employee"]);
+}
+function isAdmin(userRole) {
+  return hasRole(userRole, ["owner", "admin"]);
+}
+function isOwner(userRole) {
+  return userRole === "owner";
+}
+function getRoleDisplayName(role) {
+  const names = {
+    owner: "Owner",
+    employee: "Employee",
+    admin: "Administrator",
+    user: "User"
+  };
+  return names[role] || role;
+}
+// src/server/tiers.ts
+var ALL_TIERS = [
+  "MasterClass",
+  "MasterClassLight",
+  "PremiumOnlineKurs",
+  "MasterOnlineKurs",
+  "OnlineKursPro",
+  "PremiumTraining",
+  "VIPTraining"
+];
+var TIER_DISPLAY_NAMES = {
+  MasterClass: "MasterClass",
+  MasterClassLight: "MasterClass Light",
+  PremiumOnlineKurs: "Premium Online Kurs",
+  MasterOnlineKurs: "Master Online Kurs",
+  OnlineKursPro: "Online Kurs Pro",
+  PremiumTraining: "Premium Training",
+  VIPTraining: "VIP Training"
+};
+function hasAccess(userTier, requiredTiers) {
+  if (!userTier) return false;
+  return requiredTiers.includes(userTier);
+}
+function hasSubscription(userTier) {
+  return userTier !== null && userTier !== void 0;
+}
+function getTierDisplayName(tier) {
+  return TIER_DISPLAY_NAMES[tier] || tier;
+}
+function isSubscriptionExpired(subscription) {
+  if (!subscription.expirationDate) return false;
+  return /* @__PURE__ */ new Date() > subscription.expirationDate;
+}
+function isSubscriptionActive(subscription) {
+  return subscription.isActive && !isSubscriptionExpired(subscription);
+}
+export { ALL_TIERS, DEFAULT_MIDDLEWARE_CONFIG, DEFAULT_SESSION_CONFIG, ROLE_DESCRIPTIONS, TIER_DISPLAY_NAMES, createMiddlewareConfig, createSessionConfig, createSessionCookie, generateLoginCookieHeader, generateLogoutCookieHeader, getAdminAuth, getAdminFirestore, getRoleDisplayName, getSessionUser, getTierDisplayName, handleLogin, handleLogout, handleSession, hasAccess, hasRole, hasSubscription, initializeAdminApp, isAdmin, isOwner, isProtectedPath, isStaff, isSubscriptionActive, isSubscriptionExpired, revokeUserTokens, verifyAuth, verifyIdToken, verifySessionCookie };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/server/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/server/admin.ts","../../src/server/session.ts","../../src/server/apiRoutes.ts","../../src/server/middleware.ts","../../src/server/roles.ts","../../src/server/tiers.ts"],"names":[],"mappings":";;;;;AAUA,IAAI,SAAA,GAAwB,IAAA;AAC5B,IAAI,UAAA,GAA0B,IAAA;AAC9B,IAAI,QAAA,GAA6B,IAAA;AAKjC,SAAS,mBAAA,GAAsC;AAC7C,EAAA,MAAM,SAAA,GAAY,QAAQ,GAAA,CAAI,yBAAA;AAC9B,EAAA,MAAM,WAAA,GAAc,QAAQ,GAAA,CAAI,2BAAA;AAChC,EAAA,MAAM,aAAa,OAAA,CAAQ,GAAA,CAAI,0BAAA,EAA4B,OAAA,CAAQ,QAAQ,IAAI,CAAA;AAE/E,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,WAAA,IAAe,CAAC,UAAA,EAAY;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KAEF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,SAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACF;AACF;AAKO,SAAS,kBAAA,GAA0B;AACxC,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,MAAM,eAAe,OAAA,EAAQ;AAC7B,EAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,IAAA,SAAA,GAAY,aAAa,CAAC,CAAA;AAC1B,IAAA,OAAO,SAAA;AAAA,EACT;AAEA,EAAA,MAAM,cAAc,mBAAA,EAAoB;AACxC,EAAA,SAAA,GAAY,aAAA,CAAc;AAAA,IACxB,UAAA,EAAY,KAAK,WAAW;AAAA,GAC7B,CAAA;AAED,EAAA,OAAO,SAAA;AACT;AAKO,SAAS,YAAA,GAAqB;AACnC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,UAAA,GAAa,OAAA,CAAQ,oBAAoB,CAAA;AAAA,EAC3C;AACA,EAAA,OAAO,UAAA;AACT;AAKO,SAAS,iBAAA,GAA+B;AAC7C,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,QAAA,GAAW,YAAA,CAAa,oBAAoB,CAAA;AAAA,EAC9C;AACA,EAAA,OAAO,QAAA;AACT;;;AC3DA,IAAM,wBAAA,GAA2B,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA,GAAI,GAAA;AAKpD,eAAsB,mBAAA,CACpB,SACA,MAAA,EACiB;AACjB,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,wBAAA;AAGtC,EAAA,MAAM,gBAAgB,MAAM,IAAA,CAAK,oBAAoB,OAAA,EAAS,EAAE,WAAW,CAAA;AAE3E,EAAA,OAAO,aAAA;AACT;AAKO,SAAS,yBAAA,CACd,eACA,MAAA,EACQ;AACR,EAAA,MAAM,SAAA,GAAY,OAAO,SAAA,IAAa,wBAAA;AACtC,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,SAAA,GAAY,GAAI,CAAA;AAC1C,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AACzD,EAAA,MAAM,IAAA,GAAO,OAAO,IAAA,IAAQ,GAAA;AAE5B,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,WAAW,aAAa,CAAA,CAAA;AAAA,IACxB,CAAA,OAAA,EAAU,OAAO,MAAM,CAAA,CAAA;AAAA,IACvB,QAAQ,IAAI,CAAA,CAAA;AAAA,IACZ,UAAA;AAAA,IACA,cAAA;AAAA,IACA,WAAW,MAAM,CAAA;AAAA,GACnB;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EACrB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAKO,SAAS,2BAA2B,MAAA,EAA+B;AACxE,EAAA,MAAM,IAAA,GAAO,OAAO,IAAA,IAAQ,GAAA;AAC5B,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AAEzD,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,UAAA;AAAA,IACA,CAAA,OAAA,EAAU,OAAO,MAAM,CAAA,CAAA;AAAA,IACvB,QAAQ,IAAI,CAAA,CAAA;AAAA,IACZ,UAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,MAAA,EAAQ;AACV,IAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EACrB;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAKA,eAAsB,mBAAA,CACpB,aAAA,EACA,YAAA,GAAwB,IAAA,EACC;AACzB,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,OAAO,IAAA,CAAK,mBAAA,CAAoB,aAAA,EAAe,YAAY,CAAA;AAC7D;AAKA,eAAsB,cAAc,OAAA,EAA0C;AAC5E,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,OAAO,IAAA,CAAK,cAAc,OAAO,CAAA;AACnC;AAKA,eAAsB,iBAAiB,GAAA,EAA4B;AACjE,EAAA,MAAM,OAAO,YAAA,EAAa;AAC1B,EAAA,MAAM,IAAA,CAAK,oBAAoB,GAAG,CAAA;AACpC;AAgBA,eAAsB,eACpB,aAAA,EAC6B;AAC7B,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,KAAK,aAAA,CAAc,GAAA;AAAA,MACnB,OAAO,aAAA,CAAc,KAAA;AAAA,MACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,MAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,MAC3B,UAAU,aAAA,CAAc;AAAA,KAC1B;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;;;ACpIA,eAAsB,WAAA,CACpB,SACA,MAAA,EACiB;AAEjB,EAAA,MAAM,cAAc,OAAO,CAAA;AAG3B,EAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,OAAA,EAAS,MAAM,CAAA;AAG/D,EAAA,OAAO,yBAAA,CAA0B,eAAe,MAAM,CAAA;AACxD;AAMO,SAAS,aAAa,MAAA,EAA+B;AAC1D,EAAA,OAAO,2BAA2B,MAAM,CAAA;AAC1C;AAMA,eAAsB,cACpB,aAAA,EACyD;AACzD,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,EAAE,eAAe,KAAA,EAAM;AAAA,EAChC;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,IAAA;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,KAAK,aAAA,CAAc,GAAA;AAAA,QACnB,OAAO,aAAA,CAAc,KAAA;AAAA,QACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,QAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,QAC3B,UAAU,aAAA,CAAc;AAAA;AAC1B,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,eAAe,KAAA,EAAM;AAAA,EAChC;AACF;AAKO,IAAM,sBAAA,GAAwC;AAAA,EACnD,MAAA,EAAQ,gBAAA;AAAA,EACR,SAAA,EAAW,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA,GAAI,GAAA;AAAA;AAAA,EAC9B,IAAA,EAAM,GAAA;AAAA,EACN,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa;AACnC;AAKO,SAAS,mBAAA,CACd,QACA,OAAA,EACe;AACf,EAAA,OAAO;AAAA,IACL,GAAG,sBAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH;AAAA,GACF;AACF;;;ACxEA,eAAsB,WACpB,aAAA,EACqB;AACrB,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,OAAO,EAAE,aAAA,EAAe,KAAA,EAAO,IAAA,EAAM,IAAA,EAAK;AAAA,EAC5C;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,aAAa,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,IAAA;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,KAAK,aAAA,CAAc,GAAA;AAAA,QACnB,OAAO,aAAA,CAAc,KAAA;AAAA,QACrB,aAAA,EAAe,cAAc,cAAA,IAAkB,KAAA;AAAA,QAC/C,aAAa,aAAA,CAAc,IAAA;AAAA,QAC3B,UAAU,aAAA,CAAc;AAAA;AAC1B,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,aAAA,EAAe,KAAA,EAAO,IAAA,EAAM,IAAA,EAAK;AAAA,EAC5C;AACF;AAKO,SAAS,eAAA,CACd,UACA,cAAA,EACS;AACT,EAAA,OAAO,cAAA,CAAe,IAAA,CAAK,CAAC,IAAA,KAAS;AAEnC,IAAA,OAAO,aAAa,IAAA,IAAQ,QAAA,CAAS,UAAA,CAAW,CAAA,EAAG,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,EAC5D,CAAC,CAAA;AACH;AAiBO,IAAM,yBAAA,GAA8C;AAAA,EACzD,cAAA,EAAgB,CAAC,UAAA,EAAY,YAAY,CAAA;AAAA,EACzC,iBAAA,EAAmB,iBAAA;AAAA,EACnB,UAAA,EAAY;AACd;AAKO,SAAS,sBAAA,CACd,gBACA,OAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL,GAAG,yBAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH;AAAA,GACF;AACF;;;ACvEO,IAAM,iBAAA,GAA8C;AAAA,EACzD,KAAA,EAAO,gCAAA;AAAA,EACP,QAAA,EAAU,sCAAA;AAAA,EACV,KAAA,EAAO,0BAAA;AAAA,EACP,IAAA,EAAM;AACR;AAKO,SAAS,OAAA,CACd,UACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,UAAU,OAAO,KAAA;AACtB,EAAA,OAAO,aAAA,CAAc,SAAS,QAAQ,CAAA;AACxC;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,QAAQ,QAAA,EAAU,CAAC,OAAA,EAAS,OAAA,EAAS,UAAU,CAAC,CAAA;AACzD;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,OAAA,CAAQ,QAAA,EAAU,CAAC,OAAA,EAAS,OAAO,CAAC,CAAA;AAC7C;AAKO,SAAS,QAAQ,QAAA,EAAgD;AACtE,EAAA,OAAO,QAAA,KAAa,OAAA;AACtB;AAKO,SAAS,mBAAmB,IAAA,EAAwB;AACzD,EAAA,MAAM,KAAA,GAAkC;AAAA,IACtC,KAAA,EAAO,OAAA;AAAA,IACP,QAAA,EAAU,UAAA;AAAA,IACV,KAAA,EAAO,eAAA;AAAA,IACP,IAAA,EAAM;AAAA,GACR;AACA,EAAA,OAAO,KAAA,CAAM,IAAI,CAAA,IAAK,IAAA;AACxB;;;AChDO,IAAM,SAAA,GAAgC;AAAA,EAC3C,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF;AAKO,IAAM,kBAAA,GAAuD;AAAA,EAClE,WAAA,EAAa,aAAA;AAAA,EACb,gBAAA,EAAkB,mBAAA;AAAA,EAClB,iBAAA,EAAmB,qBAAA;AAAA,EACnB,gBAAA,EAAkB,oBAAA;AAAA,EAClB,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,kBAAA;AAAA,EACjB,WAAA,EAAa;AACf;AASO,SAAS,SAAA,CACd,UACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,UAAU,OAAO,KAAA;AACtB,EAAA,OAAO,aAAA,CAAc,SAAS,QAAQ,CAAA;AACxC;AAKO,SAAS,gBACd,QAAA,EACS;AACT,EAAA,OAAO,QAAA,KAAa,QAAQ,QAAA,KAAa,MAAA;AAC3C;AAKO,SAAS,mBAAmB,IAAA,EAAgC;AACjE,EAAA,OAAO,kBAAA,CAAmB,IAAI,CAAA,IAAK,IAAA;AACrC;AAeO,SAAS,sBAAsB,YAAA,EAAyC;AAC7E,EAAA,IAAI,CAAC,YAAA,CAAa,cAAA,EAAgB,OAAO,KAAA;AACzC,EAAA,uBAAO,IAAI,IAAA,EAAK,GAAI,YAAA,CAAa,cAAA;AACnC;AAKO,SAAS,qBAAqB,YAAA,EAAyC;AAC5E,EAAA,OAAO,YAAA,CAAa,QAAA,IAAY,CAAC,qBAAA,CAAsB,YAAY,CAAA;AACrE","file":"index.mjs","sourcesContent":["import {\n initializeApp,\n getApps,\n cert,\n App,\n ServiceAccount,\n} from 'firebase-admin/app';\nimport { getAuth, Auth } from 'firebase-admin/auth';\nimport { getFirestore, Firestore } from 'firebase-admin/firestore';\n\nlet _adminApp: App | null = null;\nlet _adminAuth: Auth | null = null;\nlet _adminDb: Firestore | null = null;\n\n/**\n * Get Firebase Admin credentials from environment variables\n */\nfunction getAdminCredentials(): ServiceAccount {\n const projectId = process.env.FIREBASE_ADMIN_PROJECT_ID;\n const clientEmail = process.env.FIREBASE_ADMIN_CLIENT_EMAIL;\n const privateKey = process.env.FIREBASE_ADMIN_PRIVATE_KEY?.replace(/\\\\n/g, '\\n');\n\n if (!projectId || !clientEmail || !privateKey) {\n throw new Error(\n '[mw-core] Missing Firebase Admin credentials. ' +\n 'Set FIREBASE_ADMIN_PROJECT_ID, FIREBASE_ADMIN_CLIENT_EMAIL, and FIREBASE_ADMIN_PRIVATE_KEY environment variables.'\n );\n }\n\n return {\n projectId,\n clientEmail,\n privateKey,\n };\n}\n\n/**\n * Initialize Firebase Admin SDK (singleton)\n */\nexport function initializeAdminApp(): App {\n if (_adminApp) {\n return _adminApp;\n }\n\n const existingApps = getApps();\n if (existingApps.length > 0) {\n _adminApp = existingApps[0];\n return _adminApp;\n }\n\n const credentials = getAdminCredentials();\n _adminApp = initializeApp({\n credential: cert(credentials),\n });\n\n return _adminApp;\n}\n\n/**\n * Get Firebase Admin Auth instance\n */\nexport function getAdminAuth(): Auth {\n if (!_adminAuth) {\n _adminAuth = getAuth(initializeAdminApp());\n }\n return _adminAuth;\n}\n\n/**\n * Get Firebase Admin Firestore instance\n */\nexport function getAdminFirestore(): Firestore {\n if (!_adminDb) {\n _adminDb = getFirestore(initializeAdminApp());\n }\n return _adminDb;\n}\n\n// Re-export types\nexport type { App, Auth, Firestore };\n\n","import { getAdminAuth } from './admin';\nimport { DecodedIdToken } from 'firebase-admin/auth';\n\n/**\n * Session cookie configuration\n */\nexport interface SessionConfig {\n /** Cookie domain (e.g., '.marc-welti.ch') */\n domain: string;\n /** Session duration in milliseconds (default: 5 days) */\n expiresIn?: number;\n /** Cookie path (default: '/') */\n path?: string;\n /** Use secure cookies (default: true in production) */\n secure?: boolean;\n}\n\nconst DEFAULT_SESSION_DURATION = 60 * 60 * 24 * 5 * 1000; // 5 days in milliseconds\n\n/**\n * Create a session cookie from a Firebase ID token\n */\nexport async function createSessionCookie(\n idToken: string,\n config: SessionConfig\n): Promise<string> {\n const auth = getAdminAuth();\n const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;\n\n // Create session cookie\n const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn });\n\n return sessionCookie;\n}\n\n/**\n * Generate the Set-Cookie header string for login\n */\nexport function generateLoginCookieHeader(\n sessionCookie: string,\n config: SessionConfig\n): string {\n const expiresIn = config.expiresIn || DEFAULT_SESSION_DURATION;\n const maxAge = Math.floor(expiresIn / 1000); // Convert to seconds\n const secure = config.secure ?? process.env.NODE_ENV === 'production';\n const path = config.path || '/';\n\n const parts = [\n `session=${sessionCookie}`,\n `Domain=${config.domain}`,\n `Path=${path}`,\n 'HttpOnly',\n 'SameSite=Lax',\n `Max-Age=${maxAge}`,\n ];\n\n if (secure) {\n parts.push('Secure');\n }\n\n return parts.join('; ');\n}\n\n/**\n * Generate the Set-Cookie header string for logout\n */\nexport function generateLogoutCookieHeader(config: SessionConfig): string {\n const path = config.path || '/';\n const secure = config.secure ?? process.env.NODE_ENV === 'production';\n\n const parts = [\n 'session=',\n `Domain=${config.domain}`,\n `Path=${path}`,\n 'HttpOnly',\n 'SameSite=Lax',\n 'Max-Age=0',\n ];\n\n if (secure) {\n parts.push('Secure');\n }\n\n return parts.join('; ');\n}\n\n/**\n * Verify a session cookie and return decoded claims\n */\nexport async function verifySessionCookie(\n sessionCookie: string,\n checkRevoked: boolean = true\n): Promise<DecodedIdToken> {\n const auth = getAdminAuth();\n return auth.verifySessionCookie(sessionCookie, checkRevoked);\n}\n\n/**\n * Verify an ID token (for initial login)\n */\nexport async function verifyIdToken(idToken: string): Promise<DecodedIdToken> {\n const auth = getAdminAuth();\n return auth.verifyIdToken(idToken);\n}\n\n/**\n * Revoke all refresh tokens for a user (force logout everywhere)\n */\nexport async function revokeUserTokens(uid: string): Promise<void> {\n const auth = getAdminAuth();\n await auth.revokeRefreshTokens(uid);\n}\n\n/**\n * Session user data extracted from verified session\n */\nexport interface SessionUser {\n uid: string;\n email: string | undefined;\n emailVerified: boolean;\n displayName?: string;\n photoURL?: string;\n}\n\n/**\n * Verify session and return user data\n */\nexport async function getSessionUser(\n sessionCookie: string | undefined\n): Promise<SessionUser | null> {\n if (!sessionCookie) {\n return null;\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n };\n } catch {\n return null;\n }\n}\n\n// Re-export types\nexport type { DecodedIdToken };\n\n","import {\n createSessionCookie,\n generateLoginCookieHeader,\n generateLogoutCookieHeader,\n verifySessionCookie,\n verifyIdToken,\n SessionConfig,\n SessionUser,\n} from './session';\n\n/**\n * Handle login: verify ID token and create session cookie\n * Returns the Set-Cookie header value\n */\nexport async function handleLogin(\n idToken: string,\n config: SessionConfig\n): Promise<string> {\n // Verify the ID token first\n await verifyIdToken(idToken);\n \n // Create session cookie\n const sessionCookie = await createSessionCookie(idToken, config);\n \n // Generate Set-Cookie header\n return generateLoginCookieHeader(sessionCookie, config);\n}\n\n/**\n * Handle logout: generate cookie clearing header\n * Returns the Set-Cookie header value\n */\nexport function handleLogout(config: SessionConfig): string {\n return generateLogoutCookieHeader(config);\n}\n\n/**\n * Handle session verification\n * Returns session user data or null if invalid\n */\nexport async function handleSession(\n sessionCookie: string | undefined\n): Promise<{ authenticated: boolean; user?: SessionUser }> {\n if (!sessionCookie) {\n return { authenticated: false };\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n authenticated: true,\n user: {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n },\n };\n } catch {\n return { authenticated: false };\n }\n}\n\n/**\n * Default session config for marc-welti.ch\n */\nexport const DEFAULT_SESSION_CONFIG: SessionConfig = {\n domain: '.marc-welti.ch',\n expiresIn: 60 * 60 * 24 * 5 * 1000, // 5 days\n path: '/',\n secure: process.env.NODE_ENV === 'production',\n};\n\n/**\n * Create session config with custom domain\n */\nexport function createSessionConfig(\n domain: string,\n options?: Partial<Omit<SessionConfig, 'domain'>>\n): SessionConfig {\n return {\n ...DEFAULT_SESSION_CONFIG,\n ...options,\n domain,\n };\n}\n\n","import { verifySessionCookie, SessionUser } from './session';\n\n/**\n * Result of middleware authentication check\n */\nexport interface AuthResult {\n authenticated: boolean;\n user: SessionUser | null;\n}\n\n/**\n * Verify session from cookie value\n * Use this in Next.js middleware or API routes\n */\nexport async function verifyAuth(\n sessionCookie: string | undefined\n): Promise<AuthResult> {\n if (!sessionCookie) {\n return { authenticated: false, user: null };\n }\n\n try {\n const decodedClaims = await verifySessionCookie(sessionCookie);\n return {\n authenticated: true,\n user: {\n uid: decodedClaims.uid,\n email: decodedClaims.email,\n emailVerified: decodedClaims.email_verified || false,\n displayName: decodedClaims.name,\n photoURL: decodedClaims.picture,\n },\n };\n } catch {\n return { authenticated: false, user: null };\n }\n}\n\n/**\n * Check if a path matches any of the protected patterns\n */\nexport function isProtectedPath(\n pathname: string,\n protectedPaths: string[]\n): boolean {\n return protectedPaths.some((path) => {\n // Exact match or starts with path\n return pathname === path || pathname.startsWith(`${path}/`);\n });\n}\n\n/**\n * Configuration for auth middleware\n */\nexport interface MiddlewareConfig {\n /** Paths that require authentication */\n protectedPaths: string[];\n /** Path to redirect unauthenticated users to */\n loginRedirectPath?: string;\n /** Cookie name (default: 'session') */\n cookieName?: string;\n}\n\n/**\n * Default middleware configuration\n */\nexport const DEFAULT_MIDDLEWARE_CONFIG: MiddlewareConfig = {\n protectedPaths: ['/account', '/dashboard'],\n loginRedirectPath: '/login-required',\n cookieName: 'session',\n};\n\n/**\n * Create middleware config with custom options\n */\nexport function createMiddlewareConfig(\n protectedPaths: string[],\n options?: Partial<Omit<MiddlewareConfig, 'protectedPaths'>>\n): MiddlewareConfig {\n return {\n ...DEFAULT_MIDDLEWARE_CONFIG,\n ...options,\n protectedPaths,\n };\n}\n\n","/**\n * User roles in the system\n */\nexport type UserRole = 'owner' | 'employee' | 'admin' | 'user';\n\n/**\n * Role hierarchy and permissions\n * \n * - owner: Marc only, full system access\n * - employee: Team members, limited to assigned customers\n * - admin: External developers/support, full technical access\n * - user: Customers, customer-facing features only\n */\nexport const ROLE_DESCRIPTIONS: Record<UserRole, string> = {\n owner: 'Full system access (Marc only)',\n employee: 'Limited access to assigned customers',\n admin: 'Technical support access',\n user: 'Customer access',\n};\n\n/**\n * Check if user has one of the required roles\n */\nexport function hasRole(\n userRole: UserRole | undefined | null,\n requiredRoles: UserRole[]\n): boolean {\n if (!userRole) return false;\n return requiredRoles.includes(userRole);\n}\n\n/**\n * Check if user is an admin-level role (owner, admin, or employee)\n */\nexport function isStaff(userRole: UserRole | undefined | null): boolean {\n return hasRole(userRole, ['owner', 'admin', 'employee']);\n}\n\n/**\n * Check if user has full admin access (owner or admin)\n */\nexport function isAdmin(userRole: UserRole | undefined | null): boolean {\n return hasRole(userRole, ['owner', 'admin']);\n}\n\n/**\n * Check if user is the owner\n */\nexport function isOwner(userRole: UserRole | undefined | null): boolean {\n return userRole === 'owner';\n}\n\n/**\n * Get role display name\n */\nexport function getRoleDisplayName(role: UserRole): string {\n const names: Record<UserRole, string> = {\n owner: 'Owner',\n employee: 'Employee',\n admin: 'Administrator',\n user: 'User',\n };\n return names[role] || role;\n}\n\n","/**\n * Subscription tiers (independent, not hierarchical)\n */\nexport type SubscriptionTier =\n | 'MasterClass'\n | 'MasterClassLight'\n | 'PremiumOnlineKurs'\n | 'MasterOnlineKurs'\n | 'OnlineKursPro'\n | 'PremiumTraining'\n | 'VIPTraining';\n\n/**\n * All available tiers\n */\nexport const ALL_TIERS: SubscriptionTier[] = [\n 'MasterClass',\n 'MasterClassLight',\n 'PremiumOnlineKurs',\n 'MasterOnlineKurs',\n 'OnlineKursPro',\n 'PremiumTraining',\n 'VIPTraining',\n];\n\n/**\n * Tier display names (internal only - not shown to customers)\n */\nexport const TIER_DISPLAY_NAMES: Record<SubscriptionTier, string> = {\n MasterClass: 'MasterClass',\n MasterClassLight: 'MasterClass Light',\n PremiumOnlineKurs: 'Premium Online Kurs',\n MasterOnlineKurs: 'Master Online Kurs',\n OnlineKursPro: 'Online Kurs Pro',\n PremiumTraining: 'Premium Training',\n VIPTraining: 'VIP Training',\n};\n\n/**\n * Check if user has access to a tier-gated feature\n * \n * @param userTier - The user's current subscription tier (or null if none)\n * @param requiredTiers - List of tiers that have access to the feature\n * @returns true if user's tier is in the required list\n */\nexport function hasAccess(\n userTier: SubscriptionTier | null | undefined,\n requiredTiers: SubscriptionTier[]\n): boolean {\n if (!userTier) return false;\n return requiredTiers.includes(userTier);\n}\n\n/**\n * Check if user has any active subscription\n */\nexport function hasSubscription(\n userTier: SubscriptionTier | null | undefined\n): boolean {\n return userTier !== null && userTier !== undefined;\n}\n\n/**\n * Get tier display name\n */\nexport function getTierDisplayName(tier: SubscriptionTier): string {\n return TIER_DISPLAY_NAMES[tier] || tier;\n}\n\n/**\n * Subscription data stored in Firestore\n */\nexport interface UserSubscription {\n tier: SubscriptionTier;\n startDate: Date;\n expirationDate?: Date;\n isActive: boolean;\n}\n\n/**\n * Check if subscription is expired\n */\nexport function isSubscriptionExpired(subscription: UserSubscription): boolean {\n if (!subscription.expirationDate) return false;\n return new Date() > subscription.expirationDate;\n}\n\n/**\n * Check if subscription is currently active\n */\nexport function isSubscriptionActive(subscription: UserSubscription): boolean {\n return subscription.isActive && !isSubscriptionExpired(subscription);\n}\n\n"]}