npm - @naisys/erp - Versions diffs - 3.0.0-beta.9 → 3.0.1 - Mend

@naisys/erp 3.0.0-beta.9 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/auth-middleware.js DELETED Viewed

@@ -1,203 +0,0 @@
-import { AuthCache } from "@naisys/common";
-import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
-import { findAgentByApiKey } from "@naisys/hub-database";
-import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
-import erpDb from "./erpDb.js";
-import { isSupervisorAuth } from "./supervisorAuth.js";
-const PUBLIC_PREFIXES = ["/erp/api/auth/login", "/erp/api/client-config"];
-export const authCache = new AuthCache();
-async function loadPermissions(userId) {
-    const perms = await erpDb.userPermission.findMany({
-        where: { userId },
-        select: { permission: true },
-    });
-    return perms.map((p) => p.permission);
-}
-export function hasPermission(user, permission) {
-    if (!user)
-        return false;
-    return (user.permissions.includes(permission) ||
-        user.permissions.includes("erp_admin"));
-}
-export function requirePermission(permission) {
-    return async (request, reply) => {
-        if (!request.erpUser) {
-            reply.status(401).send({
-                statusCode: 401,
-                error: "Unauthorized",
-                message: "Authentication required",
-            });
-            return;
-        }
-        if (!hasPermission(request.erpUser, permission)) {
-            reply.status(403).send({
-                statusCode: 403,
-                error: "Forbidden",
-                message: `Permission '${permission}' required`,
-            });
-            return;
-        }
-    };
-}
-function isPublicRoute(url) {
-    // Exact match: API root
-    if (url === "/erp/api/" || url === "/erp/api")
-        return true;
-    // Prefix matches
-    for (const prefix of PUBLIC_PREFIXES) {
-        if (url.startsWith(prefix))
-            return true;
-    }
-    // Schema routes
-    if (url.startsWith("/erp/api/schemas"))
-        return true;
-    // Non-ERP-API paths (static files, supervisor routes, etc.)
-    if (!url.startsWith("/erp/api"))
-        return true;
-    return false;
-}
-export function registerAuthMiddleware(fastify) {
-    const publicRead = process.env.PUBLIC_READ === "true";
-    fastify.decorateRequest("erpUser", undefined);
-    fastify.addHook("onRequest", async (request, reply) => {
-        const token = request.cookies?.[SESSION_COOKIE_NAME];
-        if (token) {
-            const tokenHash = hashToken(token);
-            const cacheKey = `cookie:${tokenHash}`;
-            const cached = authCache.get(cacheKey);
-            if (cached !== undefined) {
-                // Cache hit (valid or negative)
-                if (cached)
-                    request.erpUser = cached;
-            }
-            else if (isSupervisorAuth()) {
-                // SSO mode: supervisor DB is source of truth for sessions
-                const session = await findSession(tokenHash);
-                if (session) {
-                    let localUser = await erpDb.user.findUnique({
-                        where: { uuid: session.uuid },
-                    });
-                    if (!localUser) {
-                        localUser = await erpDb.user.create({
-                            data: {
-                                uuid: session.uuid,
-                                username: session.username,
-                                passwordHash: session.passwordHash,
-                            },
-                        });
-                    }
-                    const permissions = await loadPermissions(localUser.id);
-                    const erpUser = {
-                        id: localUser.id,
-                        username: localUser.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
-            else {
-                // Standalone mode: local session only
-                const session = await erpDb.session.findUnique({
-                    where: {
-                        tokenHash,
-                        expiresAt: { gt: new Date() },
-                    },
-                    include: { user: true },
-                });
-                if (session) {
-                    const permissions = await loadPermissions(session.user.id);
-                    const erpUser = {
-                        id: session.user.id,
-                        username: session.user.username,
-                        permissions,
-                    };
-                    authCache.set(cacheKey, erpUser);
-                    request.erpUser = erpUser;
-                }
-                else {
-                    authCache.set(cacheKey, null);
-                }
-            }
-        }
-        // API key auth (for agents / machine-to-machine)
-        if (!request.erpUser) {
-            const apiKey = extractBearerToken(request.headers.authorization);
-            if (apiKey) {
-                const apiKeyHash = hashToken(apiKey);
-                const cacheKey = `apikey:${apiKeyHash}`;
-                const cached = authCache.get(cacheKey);
-                if (cached !== undefined) {
-                    if (cached)
-                        request.erpUser = cached;
-                }
-                else if (isSupervisorAuth()) {
-                    // SSO mode: try supervisor DB (human users), then hub DB (agents)
-                    const match = (await findUserByApiKey(apiKey)) ??
-                        (await findAgentByApiKey(apiKey));
-                    if (match) {
-                        let localUser = await erpDb.user.findUnique({
-                            where: { uuid: match.uuid },
-                        });
-                        if (!localUser) {
-                            localUser = await erpDb.user.create({
-                                data: {
-                                    uuid: match.uuid,
-                                    username: match.username,
-                                    passwordHash: "!api-key-only",
-                                    isAgent: true,
-                                },
-                            });
-                        }
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
-                else {
-                    // Standalone mode: check local ERP user table
-                    const localUser = await erpDb.user.findUnique({
-                        where: { apiKey },
-                    });
-                    if (localUser) {
-                        const permissions = await loadPermissions(localUser.id);
-                        const erpUser = {
-                            id: localUser.id,
-                            username: localUser.username,
-                            permissions,
-                        };
-                        authCache.set(cacheKey, erpUser);
-                        request.erpUser = erpUser;
-                    }
-                    else {
-                        authCache.set(cacheKey, null);
-                    }
-                }
-            }
-        }
-        // Check if auth is required
-        if (request.erpUser)
-            return; // Authenticated, always allowed
-        if (isPublicRoute(request.url))
-            return; // Public route
-        if (publicRead && request.method === "GET")
-            return; // Public read mode
-        reply.status(401).send({
-            statusCode: 401,
-            error: "Unauthorized",
-            message: "Authentication required",
-        });
-    });
-}
-//# sourceMappingURL=auth-middleware.js.map

package/dist/userService.js DELETED Viewed

@@ -1,118 +0,0 @@
-import { SUPER_ADMIN_USERNAME } from "@naisys/common";
-import { ensureSuperAdmin } from "@naisys/supervisor-database";
-import bcrypt from "bcryptjs";
-import { randomBytes, randomUUID } from "crypto";
-import readline from "readline/promises";
-import erpDb from "./erpDb.js";
-const SALT_ROUNDS = 10;
-/**
- * Ensure a superadmin user exists in the local ERP database.
- * For standalone mode (no supervisor auth).
- */
-export async function ensureLocalSuperAdmin() {
-    const existing = await erpDb.user.findUnique({
-        where: { username: SUPER_ADMIN_USERNAME },
-    });
-    if (existing) {
-        // Ensure superadmin has erp_admin permission
-        await ensureErpAdminPermission(existing.id);
-    }
-    else {
-        const password = randomUUID().slice(0, 8);
-        const hash = await bcrypt.hash(password, SALT_ROUNDS);
-        const user = await erpDb.user.create({
-            data: {
-                uuid: randomUUID(),
-                username: SUPER_ADMIN_USERNAME,
-                passwordHash: hash,
-                apiKey: randomBytes(32).toString("hex"),
-            },
-        });
-        await ensureErpAdminPermission(user.id);
-        console.log(`\n  ${SUPER_ADMIN_USERNAME} user created. Password: ${password}`);
-        console.log(`  Change it via --reset-password\n`);
-    }
-    // Warn if agent users exist without supervisor auth
-    const agentCount = await erpDb.user.count({ where: { isAgent: true } });
-    if (agentCount > 0) {
-        console.warn(`[ERP] Warning: ${agentCount} agent user(s) found but supervisor auth is disabled. ` +
-            `Agent API key lookups and authentication will not work. ` +
-            `Start with --supervisor-auth to enable.`);
-    }
-}
-/**
- * Sync superadmin from supervisor into ERP DB and ensure permissions.
- * For supervisor auth mode.
- */
-export async function ensureSupervisorSuperAdmin() {
-    const result = await ensureSuperAdmin();
-    await erpDb.user.upsert({
-        where: { uuid: result.user.uuid },
-        create: {
-            uuid: result.user.uuid,
-            username: result.user.username,
-            passwordHash: result.user.passwordHash,
-            apiKey: result.user.apiKey,
-        },
-        update: {
-            username: result.user.username,
-            passwordHash: result.user.passwordHash,
-            apiKey: result.user.apiKey,
-        },
-    });
-    const localSuperAdmin = await erpDb.user.findUnique({
-        where: { uuid: result.user.uuid },
-    });
-    if (localSuperAdmin) {
-        await ensureErpAdminPermission(localSuperAdmin.id);
-    }
-    if (result.created) {
-        console.log(`[ERP] ${SUPER_ADMIN_USERNAME} user created. Password: ${result.generatedPassword}`);
-    }
-}
-/**
- * Ensure a user has the erp_admin permission.
- */
-export async function ensureErpAdminPermission(userId) {
-    const existing = await erpDb.userPermission.findUnique({
-        where: { userId_permission: { userId, permission: "erp_admin" } },
-    });
-    if (!existing) {
-        await erpDb.userPermission.create({
-            data: { userId, permission: "erp_admin" },
-        });
-    }
-}
-/**
- * Interactive CLI to reset a local user's password.
- * For standalone mode (no supervisor auth).
- */
-export async function resetLocalPassword() {
-    const rl = readline.createInterface({
-        input: process.stdin,
-        output: process.stdout,
-    });
-    try {
-        const username = await rl.question("Username: ");
-        const user = await erpDb.user.findUnique({ where: { username } });
-        if (!user) {
-            console.error(`User '${username}' not found.`);
-            process.exit(1);
-        }
-        const password = await rl.question("New password: ");
-        if (password.length < 6) {
-            console.error("Password must be at least 6 characters.");
-            process.exit(1);
-        }
-        const hash = await bcrypt.hash(password, SALT_ROUNDS);
-        await erpDb.user.update({
-            where: { id: user.id },
-            data: { passwordHash: hash },
-        });
-        console.log(`Password reset for '${username}'.`);
-    }
-    finally {
-        rl.close();
-    }
-}
-//# sourceMappingURL=userService.js.map

/package/bin/{naisys-erp → naisys-erp.js} RENAMED Viewed

File without changes

/package/dist/{supervisorAuth.js → middleware/supervisorAuth.js} RENAMED Viewed

File without changes

/package/dist/{audit.js → services/audit.js} RENAMED Viewed

File without changes