@naisys/erp 3.0.0-beta.36 → 3.0.0-beta.38

package/client-dist/assets/{index-jH5OYerq.js → index-By5W5npg.js}

@@ -724,7 +724,7 @@ var CompactMarkdown = ({ children }) => (0, import_jsx_runtime.jsx)(Markdown, {
 });
 //#endregion
 //#region ../../../packages/common-browser/dist/SecretField.js
-var SecretField = ({ value, onRotate, rotating }) => {
+var SecretField = ({ value, onRotate, rotating, emptyLabel = "Not set" }) => {
 	const [visible, setVisible] = (0, import_react.useState)(false);
 	return (0, import_jsx_runtime.jsxs)(Group, {
 		gap: "xs",
@@ -759,7 +759,7 @@ var SecretField = ({ value, onRotate, rotating }) => {
 		] }) : (0, import_jsx_runtime.jsx)(Text, {
 			c: "dimmed",
 			size: "sm",
-			children: "Not set"
+			children: emptyLabel
 		}), onRotate && (0, import_jsx_runtime.jsx)(Tooltip, {
 			label: value ? "Rotate key" : "Generate API key",
 			children: (0, import_jsx_runtime.jsx)(ActionIcon, {
@@ -1691,7 +1691,6 @@ CreateResponseSchema.extend({ runNo: number$2() });
 object$1({
 	id: number$2(),
 	username: string$1(),
-	apiKey: string$1().nullable().optional(),
 	_links: array$1(HateoasLinkSchema).optional(),
 	_actions: array$1(HateoasActionSchema).optional()
 });
@@ -1953,7 +1952,7 @@ object$1({
 	isAgent: boolean$1(),
 	createdAt: string$1(),
 	updatedAt: string$1(),
-	apiKey: string$1().nullable().optional(),
+	hasApiKey: boolean$1(),
 	permissions: array$1(UserPermissionSchema),
 	_links: array$1(any()).optional(),
 	_actions: array$1(any()).optional()
@@ -9731,6 +9730,7 @@ var UserDetail = () => {
 	const [editError, setEditError] = (0, import_react.useState)("");
 	const [grantPerm, setGrantPerm] = (0, import_react.useState)(null);
 	const [rotating, setRotating] = (0, import_react.useState)(false);
+	const [apiKey, setApiKey] = (0, import_react.useState)(null);
 	const [pwOpened, { open: openPw, close: closePw }] = useDisclosure();
 	const [newPassword, setNewPassword] = (0, import_react.useState)("");
 	const [pwSaving, setPwSaving] = (0, import_react.useState)(false);
@@ -9740,6 +9740,7 @@ var UserDetail = () => {
 		setLoading(true);
 		try {
 			setUser(await api.get(apiEndpoints.user(routeUsername)));
+			setApiKey(null);
 		} catch {} finally {
 			setLoading(false);
 		}
@@ -9806,11 +9807,15 @@ var UserDetail = () => {
 	};
 	const handleRotateKey = async () => {
 		if (!routeUsername) return;
-		if (!confirm("Rotate this user's API key? The old key will stop working immediately.")) return;
+		if (!confirm("Generate a new API key? The old key will stop working immediately.")) return;
 		setRotating(true);
 		try {
-			await api.post(apiEndpoints.userRotateKey(routeUsername), {});
-			fetchUser();
+			const result = await api.post(apiEndpoints.userRotateKey(routeUsername), {});
+			setApiKey(result.apiKey ?? null);
+			setUser((current) => current ? {
+				...current,
+				hasApiKey: !!result.apiKey
+			} : current);
 		} catch (err) {
 			showErrorNotification(err);
 		} finally {
@@ -9912,12 +9917,28 @@ var UserDetail = () => {
 							w: 120,
 							children: "Type:"
 						}), /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, { children: user.isAgent ? "Agent" : "User" })] }),
-						(user.apiKey || hasAction(user._actions, "rotate-key")) && /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
+						supervisorAuth ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
+							fw: 600,
+							w: 120,
+							children: "Credentials:"
+						}), /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Text, {
+							size: "sm",
+							children: [
+								"Password and API key are managed in the",
+								" ",
+								/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Anchor, {
+									href: `/supervisor/users/${user.username}`,
+									children: "supervisor"
+								}),
+								"."
+							]
+						})] }) : (user.hasApiKey || hasAction(user._actions, "rotate-key")) && /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Group, { children: [/* @__PURE__ */ (0, import_jsx_runtime.jsx)(Text, {
 							fw: 600,
 							w: 120,
 							children: "API Key:"
 						}), /* @__PURE__ */ (0, import_jsx_runtime.jsx)(SecretField, {
-							value: user.apiKey ?? null,
+							value: apiKey,
+							emptyLabel: user.hasApiKey ? "Generated (hidden)" : "Not set",
 							onRotate: hasAction(user._actions, "rotate-key") ? handleRotateKey : void 0,
 							rotating
 						})] })

package/client-dist/index.html

@@ -45,7 +45,7 @@
     <meta name="format-detection" content="telephone=no" />
 
     <title>NAISYS ERP</title>
-    <script type="module" crossorigin src="/erp/assets/index-jH5OYerq.js"></script>
+    <script type="module" crossorigin src="/erp/assets/index-By5W5npg.js"></script>
     <link rel="modulepreload" crossorigin href="/erp/assets/rolldown-runtime-CvHMtSRF.js">
     <link rel="modulepreload" crossorigin href="/erp/assets/vendor-DFaFIeiT.js">
     <link rel="stylesheet" crossorigin href="/erp/assets/vendor-CLUPjUnv.css">

package/dist/auth-middleware.js

@@ -1,4 +1,4 @@
-import { AuthCache } from "@naisys/common";
+import { AuthCache, urlMatchesPrefix } from "@naisys/common";
 import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
 import { findAgentByApiKey } from "@naisys/hub-database";
 import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
@@ -13,6 +13,63 @@ async function loadPermissions(userId) {
     });
     return perms.map((p) => p.permission);
 }
+async function materializeErpUser(localUser) {
+    return {
+        id: localUser.id,
+        username: localUser.username,
+        permissions: await loadPermissions(localUser.id),
+    };
+}
+async function resolveCookie(token) {
+    const tokenHash = hashToken(token);
+    return authCache.getOrLoad(`cookie:${tokenHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadCookieUserSso(tokenHash)
+            : await loadCookieUserStandalone(tokenHash);
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadCookieUserSso(tokenHash) {
+    const session = await findSession(tokenHash);
+    if (!session)
+        return null;
+    return erpDb.user.upsert({
+        where: { uuid: session.uuid },
+        create: { uuid: session.uuid, username: session.username },
+        update: {},
+    });
+}
+async function loadCookieUserStandalone(tokenHash) {
+    const session = await erpDb.session.findUnique({
+        where: { tokenHash, expiresAt: { gt: new Date() } },
+        include: { user: true },
+    });
+    return session?.user ?? null;
+}
+async function resolveApiKey(apiKey) {
+    const apiKeyHash = hashToken(apiKey);
+    return authCache.getOrLoad(`apikey:${apiKeyHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadApiKeyUserSso(apiKey)
+            : await erpDb.user.findUnique({ where: { apiKeyHash } });
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadApiKeyUserSso(apiKey) {
+    // Try supervisor DB (humans + agents with external keys),
+    // then hub DB (agents matching their hub-issued runtime key).
+    const supervisorUser = await findUserByApiKey(apiKey);
+    const hubAgent = supervisorUser ? null : await findAgentByApiKey(apiKey);
+    const match = supervisorUser ?? hubAgent;
+    if (!match)
+        return null;
+    const isAgent = supervisorUser?.isAgent ?? !!hubAgent;
+    return erpDb.user.upsert({
+        where: { uuid: match.uuid },
+        create: { uuid: match.uuid, username: match.username, isAgent },
+        update: {},
+    });
+}
 export function hasPermission(user, permission) {
     if (!user)
         return false;
@@ -44,13 +101,11 @@ function isPublicRoute(url) {
     // Exact match: API root
     if (url === "/erp/api/" || url === "/erp/api")
         return true;
-    // Prefix matches
     for (const prefix of PUBLIC_PREFIXES) {
-        if (url.startsWith(prefix))
+        if (urlMatchesPrefix(url, prefix))
             return true;
     }
-    // Schema routes
-    if (url.startsWith("/erp/api/schemas"))
+    if (urlMatchesPrefix(url, "/erp/api/schemas"))
         return true;
     // Non-ERP-API paths (static files, supervisor routes, etc.)
     if (!url.startsWith("/erp/api"))
@@ -63,131 +118,18 @@ export function registerAuthMiddleware(fastify) {
     fastify.addHook("onRequest", async (request, reply) => {
         const token = request.cookies?.[SESSION_COOKIE_NAME];
         if (token) {
-            const tokenHash = hashToken(token);
-            const cacheKey = `cookie:${tokenHash}`;
-            const cached = authCache.get(cacheKey);
-            if (cached !== undefined) {
-                // Cache hit (valid or negative)
-                if (cached)
-                    request.erpUser = cached;
-            }
-            else if (isSupervisorAuth()) {
-                // SSO mode: supervisor DB is source of truth for sessions
-                const session = await findSession(tokenHash);
-                if (session) {
-                    let localUser = await erpDb.user.findUnique({
-                        where: { uuid: session.uuid },
-                    });
-                    if (!localUser) {
-                        localUser = await erpDb.user.create({
-                            data: {
-                                uuid: session.uuid,
-                                username: session.username,
-                                passwordHash: session.passwordHash,
-                            },
-                        });
-                    }
-                    const permissions = await loadPermissions(localUser.id);
-                    const erpUser = {
-                        id: localUser.id,
-                        username: localUser.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
-            else {
-                // Standalone mode: local session only
-                const session = await erpDb.session.findUnique({
-                    where: {
-                        tokenHash,
-                        expiresAt: { gt: new Date() },
-                    },
-                    include: { user: true },
-                });
-                if (session) {
-                    const permissions = await loadPermissions(session.user.id);
-                    const erpUser = {
-                        id: session.user.id,
-                        username: session.user.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
+            const user = await resolveCookie(token);
+            if (user)
+                request.erpUser = user;
         }
-        // API key auth (for agents / machine-to-machine)
         if (!request.erpUser) {
             const apiKey = extractBearerToken(request.headers.authorization);
             if (apiKey) {
-                const apiKeyHash = hashToken(apiKey);
-                const cacheKey = `apikey:${apiKeyHash}`;
-                const cached = authCache.get(cacheKey);
-                if (cached !== undefined) {
-                    if (cached)
-                        request.erpUser = cached;
-                }
-                else if (isSupervisorAuth()) {
-                    // SSO mode: try supervisor DB (human users), then hub DB (agents)
-                    const match = (await findUserByApiKey(apiKey)) ??
-                        (await findAgentByApiKey(apiKey));
-                    if (match) {
-                        let localUser = await erpDb.user.findUnique({
-                            where: { uuid: match.uuid },
-                        });
-                        if (!localUser) {
-                            localUser = await erpDb.user.create({
-                                data: {
-                                    uuid: match.uuid,
-                                    username: match.username,
-                                    passwordHash: "!api-key-only",
-                                    isAgent: true,
-                                },
-                            });
-                        }
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
-                else {
-                    // Standalone mode: check local ERP user table
-                    const localUser = await erpDb.user.findUnique({
-                        where: { apiKey },
-                    });
-                    if (localUser) {
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
+                const user = await resolveApiKey(apiKey);
+                if (user)
+                    request.erpUser = user;
             }
         }
-        // Check if auth is required
         if (request.erpUser)
             return; // Authenticated, always allowed
         if (isPublicRoute(request.url))

package/dist/dbConfig.js

@@ -6,5 +6,5 @@ export function erpDbUrl() {
     return "file:" + erpDbPath();
 }
 /** We run migration scripts if this is greater than what's in the schema_version table */
-export const ERP_DB_VERSION = 43;
+export const ERP_DB_VERSION = 44;
 //# sourceMappingURL=dbConfig.js.map

package/dist/erpServer.js

@@ -129,6 +129,9 @@ async function startServer(wizardRan) {
     const isProd = process.env.NODE_ENV === "production";
     const fastify = Fastify({
         pluginTimeout: 60_000,
+        // trustProxy: TLS terminates at the reverse proxy, so honor X-Forwarded-*
+        // headers — otherwise request.protocol reads the internal http hop.
+        trustProxy: true,
         logger: {
             transport: {
                 target: "pino-pretty",