@open-mercato/core 0.4.11-develop.1365.0acff7b08e → 0.4.11-develop.1383.aeb2d4cdb5

package/src/modules/auth/api/admin/nav.ts

@@ -1,386 +1,179 @@
 import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { z } from 'zod'
-import { getModules } from '@open-mercato/shared/lib/i18n/server'
+import { getModules, resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
-import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
-import { hasAllFeatures } from '@open-mercato/shared/security/features'
-import { CustomEntity } from '@open-mercato/core/modules/entities/data/entities'
-import { slugifySidebarId } from '@open-mercato/shared/modules/navigation/sidebarPreferences'
-import { applySidebarPreference, loadFirstRoleSidebarPreference, loadSidebarPreference } from '../../services/sidebarPreferencesService'
-import { Role } from '../../data/entities'
+import { resolveFeatureCheckContext } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { resolveBackendChromePayload } from '../../lib/backendChrome'
 
 export const metadata = {
   GET: { requireAuth: true },
 }
 
-const sidebarNavItemSchema: z.ZodType<{ href: string; title: string; defaultTitle: string; enabled: boolean; hidden?: boolean; children?: any[] }> = z.lazy(() =>
+const sidebarNavItemSchema: z.ZodType<{
+  id?: string
+  href: string
+  title: string
+  defaultTitle?: string
+  enabled?: boolean
+  hidden?: boolean
+  pageContext?: 'main' | 'admin' | 'settings' | 'profile'
+  iconMarkup?: string
+  children?: any[]
+}> = z.lazy(() =>
   z.object({
+    id: z.string().optional(),
     href: z.string(),
     title: z.string(),
-    defaultTitle: z.string(),
-    enabled: z.boolean(),
+    defaultTitle: z.string().optional(),
+    enabled: z.boolean().optional(),
     hidden: z.boolean().optional(),
+    pageContext: z.enum(['main', 'admin', 'settings', 'profile']).optional(),
+    iconMarkup: z.string().optional(),
     children: z.array(sidebarNavItemSchema).optional(),
-  })
+  }),
+)
+
+const sectionItemSchema: z.ZodType<{
+  id: string
+  label: string
+  labelKey?: string
+  href: string
+  order?: number
+  iconMarkup?: string
+  children?: any[]
+}> = z.lazy(() =>
+  z.object({
+    id: z.string(),
+    label: z.string(),
+    labelKey: z.string().optional(),
+    href: z.string(),
+    order: z.number().optional(),
+    iconMarkup: z.string().optional(),
+    children: z.array(sectionItemSchema).optional(),
+  }),
 )
 
+const sectionGroupSchema = z.object({
+  id: z.string(),
+  label: z.string(),
+  labelKey: z.string().optional(),
+  order: z.number().optional(),
+  items: z.array(sectionItemSchema),
+})
+
 const adminNavResponseSchema = z.object({
   groups: z.array(
     z.object({
-      id: z.string(),
+      id: z.string().optional(),
       name: z.string(),
-      defaultName: z.string(),
+      defaultName: z.string().optional(),
       items: z.array(sidebarNavItemSchema),
-    })
+    }),
   ),
+  settingsSections: z.array(sectionGroupSchema),
+  settingsPathPrefixes: z.array(z.string()),
+  profileSections: z.array(sectionGroupSchema),
+  profilePathPrefixes: z.array(z.string()),
+  grantedFeatures: z.array(z.string()),
+  roles: z.array(z.string()),
 })
 
 const adminNavErrorSchema = z.object({
   error: z.string(),
 })
 
-type SidebarItemNode = {
-  href: string
-  title: string
-  defaultTitle: string
-  enabled: boolean
-  hidden?: boolean
-  children?: SidebarItemNode[]
-}
-
 export async function GET(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
 
   const { translate, locale } = await resolveTranslations()
-
-  const { resolve } = await createRequestContainer()
-  const em = resolve('em') as any
-  const rbac = resolve('rbacService') as any
-  const cache = resolve('cache') as any
-
-  // Cache key is user + tenant + organization scoped
-  const cacheKey = `nav:sidebar:${locale}:${auth.sub}:${auth.tenantId || 'null'}:${auth.orgId || 'null'}`
-  // try {
-  //   if (cache) {
-  //     const cached = await cache.get(cacheKey)
-  //     if (cached) return NextResponse.json(cached)
-  //   }
-  // } catch {}
-
-  // Load ACL once; we'll evaluate features locally without multiple calls
-  const acl = await rbac.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })
-
-  // Build nav entries from discovered backend routes
-  type Entry = {
-    groupId: string
-    groupName: string
-    groupKey?: string
-    title: string
-    titleKey?: string
-    href: string
-    enabled: boolean
-    order?: number
-    priority?: number
-    children?: Entry[]
-  }
-  const entries: Entry[] = []
-
-  function capitalize(s: string) { return s.charAt(0).toUpperCase() + s.slice(1) }
-  function deriveTitleFromPath(p: string) {
-    const seg = p.split('/').filter(Boolean).pop() || ''
-    return seg ? seg.split('-').map(capitalize).join(' ') : 'Home'
-  }
-
-  const ctx = { auth: { roles: auth.roles || [], sub: auth.sub, tenantId: auth.tenantId, orgId: auth.orgId } }
-  const modules = getModules()
-  for (const m of (modules as any[])) {
-    const groupDefault = capitalize(m.id)
-    for (const r of (m.backendRoutes || [])) {
-      const href = (r.pattern ?? r.path ?? '') as string
-      if (!href || href.includes('[')) continue
-      if ((r as any).navHidden) continue
-      const title = (r.title as string) || deriveTitleFromPath(href)
-      const titleKey = (r as any).pageTitleKey ?? (r as any).titleKey
-      const groupName = (r.group as string) || groupDefault
-      const groupKey = (r as any).pageGroupKey ?? (r as any).groupKey
-      const groupId = typeof groupKey === 'string' && groupKey ? groupKey : slugifySidebarId(groupName)
-      const visible = r.visible ? await Promise.resolve(r.visible(ctx)) : true
-      if (!visible) continue
-      const enabled = r.enabled ? await Promise.resolve(r.enabled(ctx)) : true
-      const requiredRoles = (r.requireRoles as string[]) || []
-      if (requiredRoles.length) {
-        const roles = auth.roles || []
-        const ok = requiredRoles.some((role) => roles.includes(role))
-        if (!ok) continue
-      }
-      const features = (r as any).requireFeatures as string[] | undefined
-      if (!acl.isSuperAdmin && !hasAllFeatures(acl.features, features)) continue
-      const order = (r as any).order as number | undefined
-      const priority = ((r as any).priority as number | undefined) ?? order
-      entries.push({ groupId, groupName, groupKey, title, titleKey, href, enabled, order, priority })
-    }
-  }
-
-  // Parent-child relationships within the same group by href prefix
-  const roots: any[] = []
-  for (const e of entries) {
-    let parent: any | undefined
-    for (const p of entries) {
-      if (p === e) continue
-      if (p.groupId !== e.groupId) continue
-      if (!e.href.startsWith(p.href + '/')) continue
-      if (!parent || p.href.length > parent.href.length) parent = p
-    }
-    if (parent) {
-      ;(parent as any).children = (parent as any).children || []
-      ;(parent as any).children.push(e)
-    } else {
-      roots.push(e)
-    }
-  }
-
-  // Add dynamic user entities into Data designer > User Entities
-  const where: any = { isActive: true, showInSidebar: true }
-  where.$and = [
-    { $or: [ { organizationId: auth.orgId ?? undefined as any }, { organizationId: null } ] },
-    { $or: [ { tenantId: auth.tenantId ?? undefined as any }, { tenantId: null } ] },
-  ]
+  const container = await createRequestContainer()
+  const cache = container.resolve('cache') as {
+    get?: (key: string) => Promise<unknown>
+    set?: (key: string, value: unknown, options?: { tags?: string[] }) => Promise<void>
+  } | null
+
+  let selectedOrganizationId: string | null | undefined
+  let selectedTenantId: string | null | undefined
   try {
-    const entities = await em.find(CustomEntity as any, where as any, { orderBy: { label: 'asc' } as any })
-    const items = (entities as any[]).map((e) => ({
-      entityId: e.entityId,
-      label: e.label,
-      href: `/backend/entities/user/${encodeURIComponent(e.entityId)}/records`
-    }))
-    if (items.length) {
-      const userEntitiesLegacyGroupKeys = new Set(['settings.sections.dataDesigner', 'entities.nav.group'])
-      const userEntitiesAnchor = entries.find((entry: Entry) => entry.href === '/backend/entities/user')
-        ?? entries.find((entry: Entry) =>
-          entry.titleKey === 'entities.nav.userEntities' &&
-          typeof entry.groupKey === 'string' &&
-          userEntitiesLegacyGroupKeys.has(entry.groupKey),
-        )
-      if (userEntitiesAnchor) {
-        const existing = userEntitiesAnchor.children || []
-        const dynamic = items.map((it) => ({
-          groupId: userEntitiesAnchor.groupId,
-          groupName: userEntitiesAnchor.groupName,
-          groupKey: userEntitiesAnchor.groupKey,
-          title: it.label,
-          href: it.href,
-          enabled: true,
-          order: 1000,
-          priority: 1000,
-        }))
-        const byHref = new Map<string, Entry>()
-        for (const c of existing) if (!byHref.has(c.href)) byHref.set(c.href, c)
-        for (const c of dynamic) if (!byHref.has(c.href)) byHref.set(c.href, c)
-        userEntitiesAnchor.children = Array.from(byHref.values())
-      }
-    }
-  } catch (e) {
-    console.error('Error loading user entities', e)
+    const url = new URL(req.url)
+    const orgParam = url.searchParams.get('orgId')
+    const tenantParam = url.searchParams.get('tenantId')
+    selectedOrganizationId = orgParam === null ? undefined : orgParam || null
+    selectedTenantId = tenantParam === null ? undefined : tenantParam || null
+  } catch {
+    selectedOrganizationId = undefined
+    selectedTenantId = undefined
   }
 
-  // Sort roots and children
-  const sortItems = (arr: any[]) => {
-    arr.sort((a, b) => {
-      if (a.group !== b.group) return a.group.localeCompare(b.group)
-      const ap = a.priority ?? a.order ?? 10000
-      const bp = b.priority ?? b.order ?? 10000
-      if (ap !== bp) return ap - bp
-      return String(a.title).localeCompare(String(b.title))
+  let cacheScopeTenantId = auth.tenantId ?? null
+  let cacheScopeOrganizationId = auth.orgId ?? null
+  try {
+    const { organizationId, scope } = await resolveFeatureCheckContext({
+      container,
+      auth,
+      selectedId: selectedOrganizationId,
+      tenantId: selectedTenantId,
+      request: req,
     })
-    for (const it of arr) if (it.children?.length) sortItems(it.children)
-  }
-  sortItems(roots)
-
-  // Group into sidebar groups
-  type GroupBucket = {
-    id: string
-    rawName: string
-    key?: string
-    weight: number
-    entries: Entry[]
-  }
-
-  const groupBuckets = new Map<string, GroupBucket>()
-  for (const entry of roots) {
-    const weight = entry.priority ?? entry.order ?? 10_000
-    if (!groupBuckets.has(entry.groupId)) {
-      groupBuckets.set(entry.groupId, {
-        id: entry.groupId,
-        rawName: entry.groupName,
-        key: entry.groupKey as string | undefined,
-        weight,
-        entries: [entry],
-      })
-    } else {
-      const bucket = groupBuckets.get(entry.groupId)!
-      bucket.entries.push(entry)
-      if (weight < bucket.weight) bucket.weight = weight
-      if (!bucket.key && entry.groupKey) bucket.key = entry.groupKey as string
-      if (!bucket.rawName && entry.groupName) bucket.rawName = entry.groupName
-    }
+    cacheScopeOrganizationId = organizationId
+    cacheScopeTenantId = scope.tenantId ?? auth.tenantId ?? null
+  } catch {
+    cacheScopeOrganizationId = auth.orgId ?? null
+    cacheScopeTenantId = auth.tenantId ?? null
   }
 
-  const toItem = (entry: Entry): SidebarItemNode => {
-    const defaultTitle = entry.titleKey ? translate(entry.titleKey, entry.title) : entry.title
-    return {
-      href: entry.href,
-      title: defaultTitle,
-      defaultTitle,
-      enabled: entry.enabled,
-      children: entry.children?.map((child) => toItem(child)),
+  const cacheKey = `nav:sidebar:${locale}:${auth.sub}:${cacheScopeTenantId || 'null'}:${cacheScopeOrganizationId || 'null'}`
+  try {
+    if (cache?.get) {
+      const cached = await cache.get(cacheKey)
+      if (cached) return NextResponse.json(cached)
     }
+  } catch {
+    // ignore cache read failures
   }
 
-  const groups = Array.from(groupBuckets.values()).map((bucket) => {
-    const defaultName = bucket.key ? translate(bucket.key, bucket.rawName) : bucket.rawName
-    return {
-      id: bucket.id,
-      key: bucket.key,
-      name: defaultName,
-      defaultName,
-      weight: bucket.weight,
-      items: bucket.entries.map((entry) => toItem(entry)),
-    }
-  })
-  const defaultGroupOrder = [
-    'customers.nav.group',
-    'catalog.nav.group',
-    'customers~sales.nav.group',
-    'resources.nav.group',
-    'staff.nav.group',
-    'entities.nav.group',
-    'directory.nav.group',
-    'customers.storage.nav.group',
-  ]
-  const groupOrderIndex = new Map(defaultGroupOrder.map((id, index) => [id, index]))
-  groups.sort((a, b) => {
-    const aIndex = groupOrderIndex.get(a.id)
-    const bIndex = groupOrderIndex.get(b.id)
-    if (aIndex !== undefined || bIndex !== undefined) {
-      if (aIndex === undefined) return 1
-      if (bIndex === undefined) return -1
-      if (aIndex !== bIndex) return aIndex - bIndex
-    }
-    if (a.weight !== b.weight) return a.weight - b.weight
-    return a.name.localeCompare(b.name)
-  })
-  const defaultGroupCount = defaultGroupOrder.length
-  groups.forEach((group, index) => {
-    const rank = groupOrderIndex.get(group.id)
-    const fallbackWeight = typeof group.weight === 'number' ? group.weight : 10_000
-    const normalized =
-      (rank !== undefined ? rank : defaultGroupCount + index) * 1_000_000 +
-      Math.min(Math.max(fallbackWeight, 0), 999_999)
-    group.weight = normalized
+  const payload = await resolveBackendChromePayload({
+    auth,
+    locale,
+    modules: getModules(),
+    translate: (key, fallback) => (key ? translate(key, fallback) : fallback),
+    selectedOrganizationId,
+    selectedTenantId,
   })
 
-  let rolePreference = null
-  if (Array.isArray(auth.roles) && auth.roles.length) {
-    const roleScope = auth.tenantId
-      ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }
-      : { tenantId: null }
-    const roleRecords = await em.find(Role, {
-      name: { $in: auth.roles },
-      ...roleScope,
-    } as any)
-    const roleIds = roleRecords.map((role: Role) => role.id)
-    if (roleIds.length) {
-      rolePreference = await loadFirstRoleSidebarPreference(em, {
-        roleIds,
-        tenantId: auth.tenantId ?? null,
-        locale,
-      })
-    }
-  }
-
-  const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
-  const baseForUser = adoptSidebarDefaults(groupsWithRole)
-
-  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  const preference = effectiveUserId
-    ? await loadSidebarPreference(em, {
-        userId: effectiveUserId,
-        tenantId: auth.tenantId ?? null,
-        organizationId: auth.orgId ?? null,
-        locale,
-      })
-    : null
-
-  const withPreference = applySidebarPreference(baseForUser, preference)
-
-  const payload = {
-    groups: withPreference.map((group) => ({
-      id: group.id,
-      name: group.name,
-      defaultName: group.defaultName,
-      items: (group.items as SidebarItemNode[]).map((item) => ({
-        href: item.href,
-        title: item.title,
-        defaultTitle: item.defaultTitle,
-        enabled: item.enabled,
-        hidden: item.hidden,
-        children: item.children?.map((child) => ({
-          href: child.href,
-          title: child.title,
-          defaultTitle: child.defaultTitle,
-          enabled: child.enabled,
-          hidden: child.hidden,
-        })),
-      })),
-    })),
-  }
-
   try {
-    if (cache) {
+    if (cache?.set) {
       const tags = [
         `rbac:user:${auth.sub}`,
-        auth.tenantId ? `rbac:tenant:${auth.tenantId}` : undefined,
-        `nav:entities:${auth.tenantId || 'null'}`,
+        cacheScopeTenantId ? `rbac:tenant:${cacheScopeTenantId}` : undefined,
+        `nav:entities:${cacheScopeTenantId || 'null'}`,
         `nav:locale:${locale}`,
         `nav:sidebar:user:${auth.sub}`,
-        `nav:sidebar:scope:${auth.sub}:${auth.tenantId || 'null'}:${auth.orgId || 'null'}:${locale}`,
-        ...(Array.isArray(auth.roles) ? auth.roles.map((role: string) => `nav:sidebar:role:${role}`) : []),
+        `nav:sidebar:scope:${auth.sub}:${cacheScopeTenantId || 'null'}:${cacheScopeOrganizationId || 'null'}:${locale}`,
+        ...((Array.isArray(auth.roles) ? auth.roles : []).map((role) => `nav:sidebar:role:${role}`)),
       ].filter(Boolean) as string[]
       await cache.set(cacheKey, payload, { tags })
     }
-  } catch {}
+  } catch {
+    // ignore cache write failures
+  }
 
   return NextResponse.json(payload)
 }
 
-function adoptSidebarDefaults(groups: ReturnType<typeof applySidebarPreference>) {
-  const adoptItems = <T extends { title: string; defaultTitle?: string; children?: T[] }>(items: T[]): T[] =>
-    items.map((item) => ({
-      ...item,
-      defaultTitle: item.title,
-      children: item.children ? adoptItems(item.children) : undefined,
-    }))
-
-  return groups.map((group) => ({
-    ...group,
-    defaultName: group.name,
-    items: adoptItems(group.items),
-  }))
-}
-
 export const openApi: OpenApiRouteDoc = {
   tag: 'Authentication & Accounts',
   summary: 'Admin sidebar navigation',
   methods: {
     GET: {
-      summary: 'Resolve sidebar entries',
+      summary: 'Resolve backend chrome bootstrap payload',
       description:
-        'Returns the backend navigation tree available to the authenticated administrator after applying role and personal sidebar preferences.',
+        'Returns the backend chrome payload available to the authenticated administrator after applying scope, RBAC, role defaults, and personal sidebar preferences.',
       responses: [
-        { status: 200, description: 'Sidebar navigation structure', schema: adminNavResponseSchema },
+        { status: 200, description: 'Backend chrome payload', schema: adminNavResponseSchema },
         { status: 401, description: 'Unauthorized', schema: adminNavErrorSchema },
       ],
     },

package/src/modules/auth/api/login.ts

@@ -25,15 +25,62 @@ export const metadata = {}
 
 // validation comes from userLoginSchema
 
+type ParsedLoginForm = {
+  email: string
+  password: string
+  remember: boolean
+  tenantIdRaw: string
+  requiredRoles: string[]
+}
+
+function parseRequiredRoles(rawValue: string): string[] {
+  return rawValue
+    .split(',')
+    .map((value) => value.trim())
+    .filter(Boolean)
+}
+
+async function parseLoginForm(req: Request): Promise<ParsedLoginForm> {
+  const rawContentType = req.headers.get('content-type') ?? ''
+  const contentType = rawContentType.split(';')[0].trim().toLowerCase()
+
+  try {
+    if (contentType === 'application/x-www-form-urlencoded') {
+      const body = await req.text()
+      const params = new URLSearchParams(body)
+      const requireRoleRaw = String(params.get('requireRole') ?? params.get('role') ?? '').trim()
+      return {
+        email: String(params.get('email') ?? ''),
+        password: String(params.get('password') ?? ''),
+        remember: parseBooleanToken(params.get('remember')) === true,
+        tenantIdRaw: String(params.get('tenantId') ?? params.get('tenant') ?? '').trim(),
+        requiredRoles: requireRoleRaw ? parseRequiredRoles(requireRoleRaw) : [],
+      }
+    }
+
+    const form = await req.formData()
+    const requireRoleRaw = String(form.get('requireRole') ?? form.get('role') ?? '').trim()
+    return {
+      email: String(form.get('email') ?? ''),
+      password: String(form.get('password') ?? ''),
+      remember: parseBooleanToken(form.get('remember')?.toString()) === true,
+      tenantIdRaw: String(form.get('tenantId') ?? form.get('tenant') ?? '').trim(),
+      requiredRoles: requireRoleRaw ? parseRequiredRoles(requireRoleRaw) : [],
+    }
+  } catch {
+    return {
+      email: '',
+      password: '',
+      remember: false,
+      tenantIdRaw: '',
+      requiredRoles: [],
+    }
+  }
+}
+
 export async function POST(req: Request) {
   const { translate } = await resolveTranslations()
-  const form = await req.formData()
-  const email = String(form.get('email') ?? '')
-  const password = String(form.get('password') ?? '')
-  const remember = parseBooleanToken(form.get('remember')?.toString()) === true
-  const tenantIdRaw = String(form.get('tenantId') ?? form.get('tenant') ?? '').trim()
-  const requireRoleRaw = (String(form.get('requireRole') ?? form.get('role') ?? '')).trim()
-  const requiredRoles = requireRoleRaw ? requireRoleRaw.split(',').map((s) => s.trim()).filter(Boolean) : []
+  const { email, password, remember, tenantIdRaw, requiredRoles } = await parseLoginForm(req)
   // Rate limit — two layers, both checked before validation and DB work
   const { error: rateLimitError, compoundKey: rateLimitCompoundKey } = await checkAuthRateLimit({
     req, ipConfig: loginIpRateLimitConfig, compoundConfig: loginRateLimitConfig, compoundIdentifier: email,
@@ -103,14 +150,14 @@ export async function POST(req: Request) {
     roles: userRoleNames
   })
   void emitAuthEvent('auth.login.success', { id: String(user.id), email: user.email, tenantId: resolvedTenantId, organizationId: user.organizationId ? String(user.organizationId) : null }).catch(() => undefined)
+  const rememberMeDays = Number(process.env.REMEMBER_ME_DAYS || '30')
   const responseData: { ok: true; token: string; redirect: string; refreshToken?: string } = {
     ok: true,
     token,
     redirect: '/backend',
   }
   if (remember) {
-    const days = Number(process.env.REMEMBER_ME_DAYS || '30')
-    const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
+    const expiresAt = new Date(Date.now() + rememberMeDays * 24 * 60 * 60 * 1000)
     const sess = await auth.createSession(user, expiresAt)
     responseData.refreshToken = sess.token
   }
@@ -154,8 +201,7 @@ export async function POST(req: Request) {
   const res = NextResponse.json(interceptedBody, { status: interceptedResponse.statusCode })
   res.cookies.set('auth_token', authTokenForCookie, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', maxAge: 60 * 60 * 8 })
   if (remember && refreshTokenForCookie) {
-    const days = Number(process.env.REMEMBER_ME_DAYS || '30')
-    const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
+    const expiresAt = new Date(Date.now() + rememberMeDays * 24 * 60 * 60 * 1000)
     res.cookies.set('session_token', refreshTokenForCookie, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', expires: expiresAt })
   }
   return res