@open-mercato/core 0.4.5-develop-03023b2707 → 0.4.5-develop-0c30cb4b11

package/dist/modules/widgets/lib/injection.js

@@ -5,6 +5,8 @@ import {
   getCoreInjectionTables,
   invalidateInjectionWidgetCache,
   loadAllInjectionWidgets,
+  loadInjectionDataWidgetById,
+  loadInjectionDataWidgetsForSpot,
   loadInjectionWidgetById,
   loadInjectionWidgetsForSpot
 } from "@open-mercato/shared/modules/widgets/injection-loader";
@@ -13,6 +15,8 @@ export {
   getCoreInjectionWidgets,
   invalidateInjectionWidgetCache,
   loadAllInjectionWidgets,
+  loadInjectionDataWidgetById,
+  loadInjectionDataWidgetsForSpot,
   loadInjectionWidgetById,
   loadInjectionWidgetsForSpot,
   registerCoreInjectionTables,

package/dist/modules/widgets/lib/injection.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/widgets/lib/injection.ts"],
-  "sourcesContent": ["// Re-export from shared for backward compatibility\n// New code should import directly from @open-mercato/shared/modules/widgets/injection-loader\nexport {\n  registerCoreInjectionWidgets,\n  getCoreInjectionWidgets,\n  registerCoreInjectionTables,\n  getCoreInjectionTables,\n  invalidateInjectionWidgetCache,\n  loadAllInjectionWidgets,\n  loadInjectionWidgetById,\n  loadInjectionWidgetsForSpot,\n  type LoadedInjectionWidget,\n} from '@open-mercato/shared/modules/widgets/injection-loader'\n"],
-  "mappings": "AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;",
+  "sourcesContent": ["// Re-export from shared for backward compatibility\n// New code should import directly from @open-mercato/shared/modules/widgets/injection-loader\nexport {\n  registerCoreInjectionWidgets,\n  getCoreInjectionWidgets,\n  registerCoreInjectionTables,\n  getCoreInjectionTables,\n  invalidateInjectionWidgetCache,\n  loadAllInjectionWidgets,\n  loadInjectionDataWidgetById,\n  loadInjectionDataWidgetsForSpot,\n  loadInjectionWidgetById,\n  loadInjectionWidgetsForSpot,\n  type LoadedInjectionDataWidget,\n  type LoadedInjectionWidget,\n} from '@open-mercato/shared/modules/widgets/injection-loader'\n"],
+  "mappings": "AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAGK;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.4.5-develop-03023b2707",
+  "version": "0.4.5-develop-0c30cb4b11",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -207,7 +207,7 @@
     }
   },
   "dependencies": {
-    "@open-mercato/shared": "0.4.5-develop-03023b2707",
+    "@open-mercato/shared": "0.4.5-develop-0c30cb4b11",
     "@types/semver": "^7.5.8",
     "@xyflow/react": "^12.6.0",
     "ai": "^6.0.0",

package/src/modules/auth/api/login.ts

@@ -98,13 +98,23 @@ export async function POST(req: Request) {
     email: user.email,
     roles: userRoleNames
   })
-  const res = NextResponse.json({ ok: true, token, redirect: '/backend' })
-  res.cookies.set('auth_token', token, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', maxAge: 60 * 60 * 8 })
+  const responseData: { ok: true; token: string; redirect: string; refreshToken?: string } = {
+    ok: true,
+    token,
+    redirect: '/backend',
+  }
   if (remember) {
     const days = Number(process.env.REMEMBER_ME_DAYS || '30')
     const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
     const sess = await auth.createSession(user, expiresAt)
-    res.cookies.set('session_token', sess.token, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', expires: expiresAt })
+    responseData.refreshToken = sess.token
+  }
+  const res = NextResponse.json(responseData)
+  res.cookies.set('auth_token', token, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', maxAge: 60 * 60 * 8 })
+  if (remember && responseData.refreshToken) {
+    const days = Number(process.env.REMEMBER_ME_DAYS || '30')
+    const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
+    res.cookies.set('session_token', responseData.refreshToken, { httpOnly: true, path: '/', sameSite: 'lax', secure: process.env.NODE_ENV === 'production', expires: expiresAt })
   }
   return res
 }
@@ -118,6 +128,7 @@ const loginSuccessSchema = z.object({
   ok: z.literal(true),
   token: z.string().describe('JWT token issued for subsequent API calls'),
   redirect: z.string().nullable().describe('Next location the client should navigate to'),
+  refreshToken: z.string().optional().describe('Long-lived refresh token for obtaining new access tokens (only present when remember=true)'),
 })
 
 const loginErrorSchema = z.object({

package/src/modules/auth/api/profile/route.ts

@@ -15,6 +15,7 @@ import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolic
 
 const profileResponseSchema = z.object({
   email: z.string().email(),
+  roles: z.array(z.string()),
 })
 
 const passwordSchema = buildPasswordSchema()
@@ -67,7 +68,7 @@ export async function GET(req: Request) {
     if (!user) {
       return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })
     }
-    return NextResponse.json({ email: String(user.email) })
+    return NextResponse.json({ email: String(user.email), roles: auth.roles ?? [] })
   } catch (err) {
     console.error('auth.profile.load failed', err)
     return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })

package/src/modules/auth/api/session/refresh.ts

@@ -41,25 +41,104 @@ export async function GET(req: Request) {
   return res
 }
 
+export async function POST(req: Request) {
+  let token: string | null = null
+
+  try {
+    const body = await req.json()
+    const parsed = refreshRequestSchema.safeParse(body)
+    if (parsed.success) {
+      token = parsed.data.refreshToken
+    }
+  } catch {
+    // Invalid JSON
+  }
+
+  if (!token) {
+    return NextResponse.json({ ok: false, error: 'Missing or invalid refresh token' }, { status: 400 })
+  }
+
+  const c = await createRequestContainer()
+  const auth = c.resolve<AuthService>('authService')
+  const ctx = await auth.refreshFromSessionToken(token)
+
+  if (!ctx) {
+    return NextResponse.json({ ok: false, error: 'Invalid or expired refresh token' }, { status: 401 })
+  }
+
+  const { user, roles } = ctx
+  const jwt = signJwt({
+    sub: String(user.id),
+    tenantId: String(user.tenantId),
+    orgId: String(user.organizationId),
+    email: user.email,
+    roles,
+  })
+
+  const res = NextResponse.json({
+    ok: true,
+    accessToken: jwt,
+    expiresIn: 60 * 60 * 8,
+  })
+
+  res.cookies.set('auth_token', jwt, {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+    maxAge: 60 * 60 * 8,
+  })
+
+  return res
+}
+
 export const metadata = {
   GET: { requireAuth: false },
+  POST: { requireAuth: false },
 }
 
 const refreshQuerySchema = z.object({
   redirect: z.string().optional().describe('Absolute or relative URL to redirect after refresh'),
 })
 
+const refreshRequestSchema = z.object({
+  refreshToken: z.string().min(1).describe('The refresh token obtained from login'),
+})
+
+const refreshSuccessSchema = z.object({
+  ok: z.literal(true),
+  accessToken: z.string().describe('New JWT access token'),
+  expiresIn: z.number().describe('Token expiration time in seconds'),
+})
+
+const refreshErrorSchema = z.object({
+  ok: z.literal(false),
+  error: z.string(),
+})
+
 export const openApi: OpenApiRouteDoc = {
   tag: 'Authentication & Accounts',
   summary: 'Refresh session token',
   methods: {
     GET: {
-      summary: 'Refresh auth cookie from session token',
+      summary: 'Refresh auth cookie from session token (browser)',
       description: 'Exchanges an existing `session_token` cookie for a fresh JWT auth cookie and redirects the browser.',
       query: refreshQuerySchema,
       responses: [
         { status: 302, description: 'Redirect to target location when session is valid', mediaType: 'text/html' },
       ],
     },
+    POST: {
+      summary: 'Refresh access token (API/mobile)',
+      description: 'Exchanges a refresh token for a new JWT access token. Pass the refresh token obtained from login in the request body.',
+      requestBody: { schema: refreshRequestSchema, contentType: 'application/json' },
+      responses: [
+        { status: 200, description: 'New access token issued', schema: refreshSuccessSchema },
+      ],
+      errors: [
+        { status: 400, description: 'Missing refresh token', schema: refreshErrorSchema },
+        { status: 401, description: 'Invalid or expired token', schema: refreshErrorSchema },
+      ],
+    },
   },
 }

package/src/modules/auth/services/sidebarPreferencesService.ts

@@ -20,6 +20,7 @@ export type RoleSidebarPreferenceScope = {
 }
 
 export type SidebarItemLike<T = Record<string, unknown>> = {
+  id?: string
   href: string
   title: string
   defaultTitle: string
@@ -160,11 +161,17 @@ export function applySidebarPreference<T extends SidebarGroupLike>(
     if (!orderIndex.has(id)) orderIndex.set(id, idx)
   })
   const hiddenSet = new Set(normalized.hiddenItems ?? [])
+  const resolveItemKey = (item: SidebarItemLike): string => {
+    const candidate = item.id?.trim()
+    if (candidate && candidate.length > 0) return candidate
+    return item.href
+  }
   const applyItems = <TI extends SidebarItemLike>(items: TI[]): TI[] => {
     return items.map((item) => {
-      const override = normalized.itemLabels?.[item.href]
+      const itemKey = resolveItemKey(item)
+      const override = normalized.itemLabels?.[itemKey] ?? normalized.itemLabels?.[item.href]
       const nextChildren = item.children ? applyItems(item.children) : undefined
-      const hidden = hiddenSet.has(item.href)
+      const hidden = hiddenSet.has(itemKey) || hiddenSet.has(item.href)
       const next = {
         ...item,
         title: override && override.trim().length > 0 ? override.trim() : item.defaultTitle,

package/src/modules/customers/api/people/route.ts

@@ -60,6 +60,7 @@ const crud = makeCrudRoute({
     tenantField: 'tenantId',
     softDeleteField: 'deletedAt',
   },
+  enrichers: { entityId: 'customers.person' },
   list: {
     schema: listSchema,
     entityId: E.customers.customer_entity,