@open-mercato/core 0.4.8-develop-28cee031d6 → 0.4.8-develop-15259be22b

package/dist/modules/customer_accounts/api/magic-link/verify.js

@@ -0,0 +1,114 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { magicLinkVerifySchema } from "@open-mercato/core/modules/customer_accounts/data/validators";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { CustomerUser } from "@open-mercato/core/modules/customer_accounts/data/entities";
+import { emitCustomerAccountsEvent } from "@open-mercato/core/modules/customer_accounts/events";
+import { getClientIp } from "@open-mercato/shared/lib/ratelimit/helpers";
+const metadata = {};
+async function POST(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ ok: false, error: "Invalid request body" }, { status: 400 });
+  }
+  const parsed = magicLinkVerifySchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: "Invalid token" }, { status: 400 });
+  }
+  const container = await createRequestContainer();
+  const customerTokenService = container.resolve("customerTokenService");
+  const customerUserService = container.resolve("customerUserService");
+  const customerSessionService = container.resolve("customerSessionService");
+  const customerRbacService = container.resolve("customerRbacService");
+  const em = container.resolve("em");
+  const result = await customerTokenService.verifyEmailToken(parsed.data.token, "magic_link");
+  if (!result) {
+    return NextResponse.json({ ok: false, error: "Invalid or expired token" }, { status: 400 });
+  }
+  const user = await customerUserService.findById(result.userId, result.tenantId);
+  if (!user || !user.isActive) {
+    return NextResponse.json({ ok: false, error: "Account not found or deactivated" }, { status: 401 });
+  }
+  if (!user.emailVerifiedAt) {
+    await em.nativeUpdate(CustomerUser, { id: user.id }, { emailVerifiedAt: /* @__PURE__ */ new Date() });
+    user.emailVerifiedAt = /* @__PURE__ */ new Date();
+  }
+  await customerUserService.resetFailedAttempts(user);
+  await customerUserService.updateLastLoginAt(user);
+  const acl = await customerRbacService.loadAcl(user.id, { tenantId: user.tenantId, organizationId: user.organizationId });
+  const resolvedFeatures = acl.features;
+  const ip = getClientIp(req, 0);
+  const userAgent = req.headers.get("user-agent") || null;
+  const { rawToken, jwt } = await customerSessionService.createSession(user, resolvedFeatures, ip, userAgent);
+  void emitCustomerAccountsEvent("customer_accounts.login.success", {
+    id: user.id,
+    email: user.email,
+    tenantId: user.tenantId,
+    organizationId: user.organizationId
+  }).catch(() => void 0);
+  const res = NextResponse.json({
+    ok: true,
+    user: {
+      id: user.id,
+      email: user.email,
+      displayName: user.displayName,
+      emailVerified: true
+    },
+    resolvedFeatures
+  });
+  res.cookies.set("customer_auth_token", jwt, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: 60 * 60 * 8
+  });
+  res.cookies.set("customer_session_token", rawToken, {
+    httpOnly: true,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: 60 * 60 * 24 * 30
+  });
+  return res;
+}
+const loginSuccessSchema = z.object({
+  ok: z.literal(true),
+  user: z.object({
+    id: z.string().uuid(),
+    email: z.string().email(),
+    displayName: z.string(),
+    emailVerified: z.boolean()
+  }),
+  resolvedFeatures: z.array(z.string())
+});
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() });
+const methodDoc = {
+  summary: "Verify magic link token",
+  description: "Validates the magic link token, auto-verifies email, and creates a session.",
+  tags: ["Customer Authentication"],
+  requestBody: {
+    schema: magicLinkVerifySchema,
+    description: "Magic link verification token."
+  },
+  responses: [
+    { status: 200, description: "Login successful", schema: loginSuccessSchema }
+  ],
+  errors: [
+    { status: 400, description: "Invalid or expired token", schema: errorSchema },
+    { status: 401, description: "Account not found", schema: errorSchema }
+  ]
+};
+const openApi = {
+  summary: "Verify customer magic link",
+  description: "Handles magic link verification and auto-login.",
+  methods: { POST: methodDoc }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=verify.js.map

package/dist/modules/customer_accounts/api/magic-link/verify.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/customer_accounts/api/magic-link/verify.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { magicLinkVerifySchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { CustomerTokenService } from '@open-mercato/core/modules/customer_accounts/services/customerTokenService'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'\nimport { CustomerRbacService } from '@open-mercato/core/modules/customer_accounts/services/customerRbacService'\nimport { CustomerUser } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { getClientIp } from '@open-mercato/shared/lib/ratelimit/helpers'\n\nexport const metadata: { path?: string } = {}\n\nexport async function POST(req: Request) {\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = magicLinkVerifySchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Invalid token' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const customerTokenService = container.resolve('customerTokenService') as CustomerTokenService\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n  const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService\n  const customerRbacService = container.resolve('customerRbacService') as CustomerRbacService\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const result = await customerTokenService.verifyEmailToken(parsed.data.token, 'magic_link')\n  if (!result) {\n    return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })\n  }\n\n  const user = await customerUserService.findById(result.userId, result.tenantId)\n  if (!user || !user.isActive) {\n    return NextResponse.json({ ok: false, error: 'Account not found or deactivated' }, { status: 401 })\n  }\n\n  // Auto-verify email on magic link login\n  if (!user.emailVerifiedAt) {\n    await em.nativeUpdate(CustomerUser, { id: user.id }, { emailVerifiedAt: new Date() })\n    user.emailVerifiedAt = new Date()\n  }\n\n  await customerUserService.resetFailedAttempts(user)\n  await customerUserService.updateLastLoginAt(user)\n\n  const acl = await customerRbacService.loadAcl(user.id, { tenantId: user.tenantId, organizationId: user.organizationId })\n  const resolvedFeatures = acl.features\n\n  const ip = getClientIp(req, 0)\n  const userAgent = req.headers.get('user-agent') || null\n  const { rawToken, jwt } = await customerSessionService.createSession(user, resolvedFeatures, ip, userAgent)\n\n  void emitCustomerAccountsEvent('customer_accounts.login.success', {\n    id: user.id,\n    email: user.email,\n    tenantId: user.tenantId,\n    organizationId: user.organizationId,\n  }).catch(() => undefined)\n\n  const res = NextResponse.json({\n    ok: true,\n    user: {\n      id: user.id,\n      email: user.email,\n      displayName: user.displayName,\n      emailVerified: true,\n    },\n    resolvedFeatures,\n  })\n\n  res.cookies.set('customer_auth_token', jwt, {\n    httpOnly: true,\n    path: '/',\n    sameSite: 'lax',\n    secure: process.env.NODE_ENV === 'production',\n    maxAge: 60 * 60 * 8,\n  })\n  res.cookies.set('customer_session_token', rawToken, {\n    httpOnly: true,\n    path: '/',\n    sameSite: 'lax',\n    secure: process.env.NODE_ENV === 'production',\n    maxAge: 60 * 60 * 24 * 30,\n  })\n\n  return res\n}\n\nconst loginSuccessSchema = z.object({\n  ok: z.literal(true),\n  user: z.object({\n    id: z.string().uuid(),\n    email: z.string().email(),\n    displayName: z.string(),\n    emailVerified: z.boolean(),\n  }),\n  resolvedFeatures: z.array(z.string()),\n})\n\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Verify magic link token',\n  description: 'Validates the magic link token, auto-verifies email, and creates a session.',\n  tags: ['Customer Authentication'],\n  requestBody: {\n    schema: magicLinkVerifySchema,\n    description: 'Magic link verification token.',\n  },\n  responses: [\n    { status: 200, description: 'Login successful', schema: loginSuccessSchema },\n  ],\n  errors: [\n    { status: 400, description: 'Invalid or expired token', schema: errorSchema },\n    { status: 401, description: 'Account not found', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Verify customer magic link',\n  description: 'Handles magic link verification and auto-login.',\n  methods: { POST: methodDoc },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,6BAA6B;AACtC,SAAS,8BAA8B;AAKvC,SAAS,oBAAoB;AAC7B,SAAS,iCAAiC;AAC1C,SAAS,mBAAmB;AAErB,MAAM,WAA8B,CAAC;AAE5C,eAAsB,KAAK,KAAc;AACvC,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,uBAAuB,UAAU,QAAQ,sBAAsB;AACrE,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,yBAAyB,UAAU,QAAQ,wBAAwB;AACzE,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,SAAS,MAAM,qBAAqB,iBAAiB,OAAO,KAAK,OAAO,YAAY;AAC1F,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,OAAO,MAAM,oBAAoB,SAAS,OAAO,QAAQ,OAAO,QAAQ;AAC9E,MAAI,CAAC,QAAQ,CAAC,KAAK,UAAU;AAC3B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,mCAAmC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpG;AAGA,MAAI,CAAC,KAAK,iBAAiB;AACzB,UAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,iBAAiB,oBAAI,KAAK,EAAE,CAAC;AACpF,SAAK,kBAAkB,oBAAI,KAAK;AAAA,EAClC;AAEA,QAAM,oBAAoB,oBAAoB,IAAI;AAClD,QAAM,oBAAoB,kBAAkB,IAAI;AAEhD,QAAM,MAAM,MAAM,oBAAoB,QAAQ,KAAK,IAAI,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,eAAe,CAAC;AACvH,QAAM,mBAAmB,IAAI;AAE7B,QAAM,KAAK,YAAY,KAAK,CAAC;AAC7B,QAAM,YAAY,IAAI,QAAQ,IAAI,YAAY,KAAK;AACnD,QAAM,EAAE,UAAU,IAAI,IAAI,MAAM,uBAAuB,cAAc,MAAM,kBAAkB,IAAI,SAAS;AAE1G,OAAK,0BAA0B,mCAAmC;AAAA,IAChE,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,QAAM,MAAM,aAAa,KAAK;AAAA,IAC5B,IAAI;AAAA,IACJ,MAAM;AAAA,MACJ,IAAI,KAAK;AAAA,MACT,OAAO,KAAK;AAAA,MACZ,aAAa,KAAK;AAAA,MAClB,eAAe;AAAA,IACjB;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI,QAAQ,IAAI,uBAAuB,KAAK;AAAA,IAC1C,UAAU;AAAA,IACV,MAAM;AAAA,IACN,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,QAAQ,KAAK,KAAK;AAAA,EACpB,CAAC;AACD,MAAI,QAAQ,IAAI,0BAA0B,UAAU;AAAA,IAClD,UAAU;AAAA,IACV,MAAM;AAAA,IACN,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,QAAQ,KAAK,KAAK,KAAK;AAAA,EACzB,CAAC;AAED,SAAO;AACT;AAEA,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,MAAM,EAAE,OAAO;AAAA,IACb,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,IACpB,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,IACxB,aAAa,EAAE,OAAO;AAAA,IACtB,eAAe,EAAE,QAAQ;AAAA,EAC3B,CAAC;AAAA,EACD,kBAAkB,EAAE,MAAM,EAAE,OAAO,CAAC;AACtC,CAAC;AAED,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa;AAAA,IACX,QAAQ;AAAA,IACR,aAAa;AAAA,EACf;AAAA,EACA,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,mBAAmB;AAAA,EAC7E;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,EACvE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,SAAS,EAAE,MAAM,UAAU;AAC7B;",
+  "names": []
+}

package/dist/modules/customer_accounts/api/password/reset-confirm.js

@@ -0,0 +1,59 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { passwordResetConfirmSchema } from "@open-mercato/core/modules/customer_accounts/data/validators";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+const metadata = {};
+async function POST(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ ok: false, error: "Invalid request body" }, { status: 400 });
+  }
+  const parsed = passwordResetConfirmSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: "Validation failed" }, { status: 400 });
+  }
+  const container = await createRequestContainer();
+  const customerTokenService = container.resolve("customerTokenService");
+  const customerUserService = container.resolve("customerUserService");
+  const customerSessionService = container.resolve("customerSessionService");
+  const result = await customerTokenService.verifyPasswordResetToken(parsed.data.token);
+  if (!result) {
+    return NextResponse.json({ ok: false, error: "Invalid or expired token" }, { status: 400 });
+  }
+  await customerUserService.updatePassword(
+    { id: result.userId },
+    parsed.data.password
+  );
+  await customerSessionService.revokeAllUserSessions(result.userId);
+  return NextResponse.json({ ok: true });
+}
+const successSchema = z.object({ ok: z.literal(true) });
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() });
+const methodDoc = {
+  summary: "Confirm customer password reset",
+  description: "Validates the reset token and sets a new password. Revokes all existing sessions.",
+  tags: ["Customer Authentication"],
+  requestBody: {
+    schema: passwordResetConfirmSchema,
+    description: "Password reset confirmation with token and new password."
+  },
+  responses: [
+    { status: 200, description: "Password reset successful", schema: successSchema }
+  ],
+  errors: [
+    { status: 400, description: "Invalid or expired token", schema: errorSchema }
+  ]
+};
+const openApi = {
+  summary: "Confirm customer password reset",
+  description: "Handles password reset confirmation for customer accounts.",
+  methods: { POST: methodDoc }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=reset-confirm.js.map

package/dist/modules/customer_accounts/api/password/reset-confirm.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/customer_accounts/api/password/reset-confirm.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { passwordResetConfirmSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerTokenService } from '@open-mercato/core/modules/customer_accounts/services/customerTokenService'\nimport { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'\n\nexport const metadata: { path?: string } = {}\n\nexport async function POST(req: Request) {\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = passwordResetConfirmSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const customerTokenService = container.resolve('customerTokenService') as CustomerTokenService\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n  const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService\n\n  const result = await customerTokenService.verifyPasswordResetToken(parsed.data.token)\n  if (!result) {\n    return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })\n  }\n\n  await customerUserService.updatePassword(\n    { id: result.userId } as any,\n    parsed.data.password,\n  )\n\n  // Revoke all existing sessions for security\n  await customerSessionService.revokeAllUserSessions(result.userId)\n\n  return NextResponse.json({ ok: true })\n}\n\nconst successSchema = z.object({ ok: z.literal(true) })\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Confirm customer password reset',\n  description: 'Validates the reset token and sets a new password. Revokes all existing sessions.',\n  tags: ['Customer Authentication'],\n  requestBody: {\n    schema: passwordResetConfirmSchema,\n    description: 'Password reset confirmation with token and new password.',\n  },\n  responses: [\n    { status: 200, description: 'Password reset successful', schema: successSchema },\n  ],\n  errors: [\n    { status: 400, description: 'Invalid or expired token', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Confirm customer password reset',\n  description: 'Handles password reset confirmation for customer accounts.',\n  methods: { POST: methodDoc },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,kCAAkC;AAC3C,SAAS,8BAA8B;AAKhC,MAAM,WAA8B,CAAC;AAE5C,eAAsB,KAAK,KAAc;AACvC,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,2BAA2B,UAAU,IAAI;AACxD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,uBAAuB,UAAU,QAAQ,sBAAsB;AACrE,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,yBAAyB,UAAU,QAAQ,wBAAwB;AAEzE,QAAM,SAAS,MAAM,qBAAqB,yBAAyB,OAAO,KAAK,KAAK;AACpF,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,oBAAoB;AAAA,IACxB,EAAE,IAAI,OAAO,OAAO;AAAA,IACpB,OAAO,KAAK;AAAA,EACd;AAGA,QAAM,uBAAuB,sBAAsB,OAAO,MAAM;AAEhE,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AACtD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa;AAAA,IACX,QAAQ;AAAA,IACR,aAAa;AAAA,EACf;AAAA,EACA,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,6BAA6B,QAAQ,cAAc;AAAA,EACjF;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,EAC9E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,SAAS,EAAE,MAAM,UAAU;AAC7B;",
+  "names": []
+}

package/dist/modules/customer_accounts/api/password/reset-request.js

@@ -0,0 +1,77 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { passwordResetRequestSchema } from "@open-mercato/core/modules/customer_accounts/data/validators";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { rateLimitErrorSchema } from "@open-mercato/shared/lib/ratelimit/helpers";
+import {
+  checkAuthRateLimit,
+  customerPasswordResetRateLimitConfig,
+  customerPasswordResetIpRateLimitConfig
+} from "@open-mercato/core/modules/customer_accounts/lib/rateLimiter";
+const metadata = {};
+async function POST(req) {
+  const { error: rateLimitError } = await checkAuthRateLimit({
+    req,
+    ipConfig: customerPasswordResetIpRateLimitConfig,
+    compoundConfig: customerPasswordResetRateLimitConfig,
+    compoundIdentifier: ""
+  });
+  if (rateLimitError) return rateLimitError;
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ ok: true });
+  }
+  const parsed = passwordResetRequestSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json({ ok: true });
+  }
+  const { email, tenantId } = parsed.data;
+  if (!tenantId) {
+    return NextResponse.json({ ok: true });
+  }
+  const container = await createRequestContainer();
+  const customerUserService = container.resolve("customerUserService");
+  const customerTokenService = container.resolve("customerTokenService");
+  const user = await customerUserService.findByEmail(email, tenantId);
+  if (user) {
+    const token = await customerTokenService.createPasswordReset(user.id, tenantId);
+    void import("@open-mercato/core/modules/customer_accounts/events").then(
+      ({ emitCustomerAccountsEvent }) => emitCustomerAccountsEvent("customer_accounts.password.reset", {
+        userId: user.id,
+        email: user.email,
+        tenantId,
+        token
+      })
+    ).catch(() => void 0);
+  }
+  return NextResponse.json({ ok: true });
+}
+const successSchema = z.object({ ok: z.literal(true) });
+const methodDoc = {
+  summary: "Request customer password reset",
+  description: "Initiates a password reset flow. Always returns 200 to prevent email enumeration.",
+  tags: ["Customer Authentication"],
+  requestBody: {
+    schema: passwordResetRequestSchema,
+    description: "Password reset request with email."
+  },
+  responses: [
+    { status: 200, description: "Request accepted", schema: successSchema }
+  ],
+  errors: [
+    { status: 429, description: "Too many requests", schema: rateLimitErrorSchema }
+  ]
+};
+const openApi = {
+  summary: "Customer password reset request",
+  description: "Handles password reset initiation for customer accounts.",
+  methods: { POST: methodDoc }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=reset-request.js.map

package/dist/modules/customer_accounts/api/password/reset-request.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/customer_accounts/api/password/reset-request.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { passwordResetRequestSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerTokenService } from '@open-mercato/core/modules/customer_accounts/services/customerTokenService'\nimport { rateLimitErrorSchema } from '@open-mercato/shared/lib/ratelimit/helpers'\nimport {\n  checkAuthRateLimit,\n  customerPasswordResetRateLimitConfig,\n  customerPasswordResetIpRateLimitConfig,\n} from '@open-mercato/core/modules/customer_accounts/lib/rateLimiter'\n\nexport const metadata: { path?: string } = {}\n\nexport async function POST(req: Request) {\n  const { error: rateLimitError } = await checkAuthRateLimit({\n    req,\n    ipConfig: customerPasswordResetIpRateLimitConfig,\n    compoundConfig: customerPasswordResetRateLimitConfig,\n    compoundIdentifier: '',\n  })\n  if (rateLimitError) return rateLimitError\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: true }) // Always 200\n  }\n\n  const parsed = passwordResetRequestSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: true }) // Always 200 to prevent enumeration\n  }\n\n  const { email, tenantId } = parsed.data\n  if (!tenantId) {\n    return NextResponse.json({ ok: true })\n  }\n\n  const container = await createRequestContainer()\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n  const customerTokenService = container.resolve('customerTokenService') as CustomerTokenService\n\n  const user = await customerUserService.findByEmail(email, tenantId)\n  if (user) {\n    const token = await customerTokenService.createPasswordReset(user.id, tenantId)\n    // Token would be sent via email in production; emitting event for subscribers to handle\n    void import('@open-mercato/core/modules/customer_accounts/events').then(({ emitCustomerAccountsEvent }) =>\n      emitCustomerAccountsEvent('customer_accounts.password.reset', {\n        userId: user.id,\n        email: user.email,\n        tenantId,\n        token,\n      })\n    ).catch(() => undefined)\n  }\n\n  // Always return 200 to prevent email enumeration\n  return NextResponse.json({ ok: true })\n}\n\nconst successSchema = z.object({ ok: z.literal(true) })\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Request customer password reset',\n  description: 'Initiates a password reset flow. Always returns 200 to prevent email enumeration.',\n  tags: ['Customer Authentication'],\n  requestBody: {\n    schema: passwordResetRequestSchema,\n    description: 'Password reset request with email.',\n  },\n  responses: [\n    { status: 200, description: 'Request accepted', schema: successSchema },\n  ],\n  errors: [\n    { status: 429, description: 'Too many requests', schema: rateLimitErrorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer password reset request',\n  description: 'Handles password reset initiation for customer accounts.',\n  methods: { POST: methodDoc },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,kCAAkC;AAC3C,SAAS,8BAA8B;AAGvC,SAAS,4BAA4B;AACrC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEA,MAAM,WAA8B,CAAC;AAE5C,eAAsB,KAAK,KAAc;AACvC,QAAM,EAAE,OAAO,eAAe,IAAI,MAAM,mBAAmB;AAAA,IACzD;AAAA,IACA,UAAU;AAAA,IACV,gBAAgB;AAAA,IAChB,oBAAoB;AAAA,EACtB,CAAC;AACD,MAAI,eAAgB,QAAO;AAE3B,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA,EACvC;AAEA,QAAM,SAAS,2BAA2B,UAAU,IAAI;AACxD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA,EACvC;AAEA,QAAM,EAAE,OAAO,SAAS,IAAI,OAAO;AACnC,MAAI,CAAC,UAAU;AACb,WAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA,EACvC;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,uBAAuB,UAAU,QAAQ,sBAAsB;AAErE,QAAM,OAAO,MAAM,oBAAoB,YAAY,OAAO,QAAQ;AAClE,MAAI,MAAM;AACR,UAAM,QAAQ,MAAM,qBAAqB,oBAAoB,KAAK,IAAI,QAAQ;AAE9E,SAAK,OAAO,qDAAqD,EAAE;AAAA,MAAK,CAAC,EAAE,0BAA0B,MACnG,0BAA0B,oCAAoC;AAAA,QAC5D,QAAQ,KAAK;AAAA,QACb,OAAO,KAAK;AAAA,QACZ;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH,EAAE,MAAM,MAAM,MAAS;AAAA,EACzB;AAGA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEtD,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa;AAAA,IACX,QAAQ;AAAA,IACR,aAAa;AAAA,EACf;AAAA,EACA,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,cAAc;AAAA,EACxE;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,qBAAqB;AAAA,EAChF;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,SAAS,EAAE,MAAM,UAAU;AAC7B;",
+  "names": []
+}

package/dist/modules/customer_accounts/api/portal/events/stream.js

@@ -0,0 +1,163 @@
+import { NextResponse } from "next/server";
+import { isPortalBroadcastEvent } from "@open-mercato/shared/modules/events";
+import { getCustomerAuthFromRequest } from "@open-mercato/core/modules/customer_accounts/lib/customerAuth";
+const metadata = {};
+const HEARTBEAT_INTERVAL_MS = 3e4;
+const MAX_PAYLOAD_BYTES = 4096;
+function normalizeAudience(data) {
+  const tenantId = typeof data.tenantId === "string" ? data.tenantId : null;
+  const organizationScopes = /* @__PURE__ */ new Set();
+  if (typeof data.organizationId === "string" && data.organizationId.trim().length > 0) {
+    organizationScopes.add(data.organizationId.trim());
+  }
+  if (Array.isArray(data.organizationIds)) {
+    for (const orgId of data.organizationIds) {
+      if (typeof orgId === "string" && orgId.trim().length > 0) {
+        organizationScopes.add(orgId.trim());
+      }
+    }
+  }
+  return { tenantId, organizationScopes: Array.from(organizationScopes) };
+}
+function matchesAudience(conn, audience) {
+  if (!audience.tenantId) return false;
+  if (conn.tenantId !== audience.tenantId) return false;
+  if (audience.organizationScopes.length > 0) {
+    if (!audience.organizationScopes.includes(conn.organizationId)) return false;
+  }
+  return true;
+}
+const portalConnections = /* @__PURE__ */ new Set();
+let portalTapRegistered = false;
+async function broadcastPortalEvent(eventName, payload) {
+  if (!eventName || portalConnections.size === 0) return;
+  if (!isPortalBroadcastEvent(eventName)) return;
+  const data = payload ?? {};
+  const audience = normalizeAudience(data);
+  const organizationId = audience.organizationScopes[0] ?? "";
+  let ssePayload = JSON.stringify({
+    id: eventName,
+    payload: data,
+    timestamp: Date.now(),
+    organizationId
+  });
+  if (new TextEncoder().encode(ssePayload).length > MAX_PAYLOAD_BYTES) {
+    const entityRef = { truncated: true };
+    if (typeof data.id === "string" && data.id.trim().length > 0) entityRef.id = data.id.trim();
+    if (typeof data.entityId === "string" && data.entityId.trim().length > 0) entityRef.entityId = data.entityId.trim();
+    ssePayload = JSON.stringify({
+      id: eventName,
+      payload: entityRef,
+      timestamp: Date.now(),
+      organizationId
+    });
+    if (new TextEncoder().encode(ssePayload).length > MAX_PAYLOAD_BYTES) {
+      return;
+    }
+  }
+  for (const conn of portalConnections) {
+    if (!matchesAudience(conn, audience)) continue;
+    try {
+      conn.send(ssePayload);
+    } catch {
+    }
+  }
+}
+function ensurePortalTap() {
+  if (portalTapRegistered) return;
+  portalTapRegistered = true;
+  import("@open-mercato/events/bus").then(({ registerGlobalEventTap, registerCrossProcessEventListener }) => {
+    registerGlobalEventTap(async (eventName, payload) => {
+      await broadcastPortalEvent(eventName, payload ?? {});
+    });
+    registerCrossProcessEventListener(async (envelope) => {
+      if (envelope.originPid === process.pid) return;
+      await broadcastPortalEvent(
+        envelope.event,
+        envelope.payload ?? {}
+      );
+    });
+  }).catch(() => {
+    portalTapRegistered = false;
+  });
+}
+async function GET(req) {
+  const auth = await getCustomerAuthFromRequest(req);
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: "Authentication required" }, { status: 401 });
+  }
+  ensurePortalTap();
+  const encoder = new TextEncoder();
+  let heartbeatTimer = null;
+  let connection = null;
+  const stream = new ReadableStream({
+    start(controller) {
+      const send = (data) => {
+        controller.enqueue(encoder.encode(`data: ${data}
+
+`));
+      };
+      connection = {
+        tenantId: auth.tenantId,
+        organizationId: auth.orgId,
+        customerUserId: auth.sub,
+        send,
+        close: () => controller.close()
+      };
+      portalConnections.add(connection);
+      heartbeatTimer = setInterval(() => {
+        try {
+          controller.enqueue(encoder.encode(":heartbeat\n\n"));
+        } catch {
+        }
+      }, HEARTBEAT_INTERVAL_MS);
+    },
+    cancel() {
+      cleanup();
+    }
+  });
+  function cleanup() {
+    if (heartbeatTimer) {
+      clearInterval(heartbeatTimer);
+      heartbeatTimer = null;
+    }
+    if (connection) {
+      portalConnections.delete(connection);
+      connection = null;
+    }
+  }
+  req.signal.addEventListener("abort", cleanup);
+  return new Response(stream, {
+    status: 200,
+    headers: {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache, no-transform",
+      "Connection": "keep-alive",
+      "X-Accel-Buffering": "no"
+    }
+  });
+}
+const methodDoc = {
+  summary: "Subscribe to portal events via SSE (Portal Event Bridge)",
+  description: "Long-lived SSE connection that receives server-side events marked with portalBroadcast: true. Events are filtered by the customer's tenant and organization.",
+  tags: ["Customer Portal"],
+  responses: [
+    {
+      status: 200,
+      description: "Event stream (text/event-stream)"
+    }
+  ],
+  errors: [
+    { status: 401, description: "Not authenticated" }
+  ]
+};
+const openApi = {
+  summary: "Portal event stream",
+  methods: { GET: methodDoc }
+};
+export {
+  GET,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=stream.js.map

package/dist/modules/customer_accounts/api/portal/events/stream.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/customer_accounts/api/portal/events/stream.ts"],
+  "sourcesContent": ["/**\n * Portal SSE Event Stream \u2014 Portal Event Bridge\n *\n * Server-Sent Events endpoint that bridges server-side events to the customer portal.\n * Only events with `portalBroadcast: true` in their EventDefinition are sent.\n * Events are scoped to the authenticated customer's tenant and organization.\n *\n * Uses customer JWT auth (cookie or Bearer token) instead of staff auth.\n *\n * Client consumer: `packages/ui/src/portal/hooks/usePortalEventBridge.ts`\n */\n\nimport { NextResponse } from 'next/server'\nimport { isPortalBroadcastEvent } from '@open-mercato/shared/modules/events'\nimport { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\n\nexport const metadata: { path?: string } = {}\n\nconst HEARTBEAT_INTERVAL_MS = 30_000\nconst MAX_PAYLOAD_BYTES = 4096\n\ntype PortalSseConnection = {\n  tenantId: string\n  organizationId: string\n  customerUserId: string\n  send: (data: string) => void\n  close: () => void\n}\n\nfunction normalizeAudience(data: Record<string, unknown>): {\n  tenantId: string | null\n  organizationScopes: string[]\n} {\n  const tenantId = typeof data.tenantId === 'string' ? data.tenantId : null\n  const organizationScopes = new Set<string>()\n  if (typeof data.organizationId === 'string' && data.organizationId.trim().length > 0) {\n    organizationScopes.add(data.organizationId.trim())\n  }\n  if (Array.isArray(data.organizationIds)) {\n    for (const orgId of data.organizationIds) {\n      if (typeof orgId === 'string' && orgId.trim().length > 0) {\n        organizationScopes.add(orgId.trim())\n      }\n    }\n  }\n  return { tenantId, organizationScopes: Array.from(organizationScopes) }\n}\n\nfunction matchesAudience(conn: PortalSseConnection, audience: ReturnType<typeof normalizeAudience>): boolean {\n  if (!audience.tenantId) return false\n  if (conn.tenantId !== audience.tenantId) return false\n  if (audience.organizationScopes.length > 0) {\n    if (!audience.organizationScopes.includes(conn.organizationId)) return false\n  }\n  return true\n}\n\nconst portalConnections = new Set<PortalSseConnection>()\n\nlet portalTapRegistered = false\n\nasync function broadcastPortalEvent(eventName: string, payload: Record<string, unknown>): Promise<void> {\n  if (!eventName || portalConnections.size === 0) return\n  if (!isPortalBroadcastEvent(eventName)) return\n\n  const data = payload ?? {}\n  const audience = normalizeAudience(data)\n  const organizationId = audience.organizationScopes[0] ?? ''\n\n  let ssePayload = JSON.stringify({\n    id: eventName,\n    payload: data,\n    timestamp: Date.now(),\n    organizationId,\n  })\n\n  if (new TextEncoder().encode(ssePayload).length > MAX_PAYLOAD_BYTES) {\n    const entityRef: Record<string, unknown> = { truncated: true }\n    if (typeof data.id === 'string' && data.id.trim().length > 0) entityRef.id = data.id.trim()\n    if (typeof data.entityId === 'string' && data.entityId.trim().length > 0) entityRef.entityId = data.entityId.trim()\n    ssePayload = JSON.stringify({\n      id: eventName,\n      payload: entityRef,\n      timestamp: Date.now(),\n      organizationId,\n    })\n    if (new TextEncoder().encode(ssePayload).length > MAX_PAYLOAD_BYTES) {\n      return\n    }\n  }\n\n  for (const conn of portalConnections) {\n    if (!matchesAudience(conn, audience)) continue\n    try {\n      conn.send(ssePayload)\n    } catch {\n      // Connection may have been closed\n    }\n  }\n}\n\nfunction ensurePortalTap(): void {\n  if (portalTapRegistered) return\n  portalTapRegistered = true\n\n  // Dynamically import to avoid circular dependency \u2014 the events bus\n  // registers a global tap that fires for every emitted event.\n  import('@open-mercato/events/bus').then(({ registerGlobalEventTap, registerCrossProcessEventListener }) => {\n    registerGlobalEventTap(async (eventName, payload) => {\n      await broadcastPortalEvent(eventName, (payload ?? {}) as Record<string, unknown>)\n    })\n\n    registerCrossProcessEventListener(async (envelope) => {\n      if (envelope.originPid === process.pid) return\n      await broadcastPortalEvent(\n        envelope.event,\n        (envelope.payload ?? {}) as Record<string, unknown>,\n      )\n    })\n  }).catch(() => {\n    // Silently ignore if events package is not available\n    portalTapRegistered = false\n  })\n}\n\nexport async function GET(req: Request): Promise<Response> {\n  const auth = await getCustomerAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  ensurePortalTap()\n\n  const encoder = new TextEncoder()\n  let heartbeatTimer: ReturnType<typeof setInterval> | null = null\n  let connection: PortalSseConnection | null = null\n\n  const stream = new ReadableStream({\n    start(controller) {\n      const send = (data: string) => {\n        controller.enqueue(encoder.encode(`data: ${data}\\n\\n`))\n      }\n\n      connection = {\n        tenantId: auth.tenantId,\n        organizationId: auth.orgId,\n        customerUserId: auth.sub,\n        send,\n        close: () => controller.close(),\n      }\n      portalConnections.add(connection)\n\n      heartbeatTimer = setInterval(() => {\n        try {\n          controller.enqueue(encoder.encode(':heartbeat\\n\\n'))\n        } catch {\n          // Stream may have been closed\n        }\n      }, HEARTBEAT_INTERVAL_MS)\n    },\n    cancel() {\n      cleanup()\n    },\n  })\n\n  function cleanup() {\n    if (heartbeatTimer) {\n      clearInterval(heartbeatTimer)\n      heartbeatTimer = null\n    }\n    if (connection) {\n      portalConnections.delete(connection)\n      connection = null\n    }\n  }\n\n  req.signal.addEventListener('abort', cleanup)\n\n  return new Response(stream, {\n    status: 200,\n    headers: {\n      'Content-Type': 'text/event-stream',\n      'Cache-Control': 'no-cache, no-transform',\n      'Connection': 'keep-alive',\n      'X-Accel-Buffering': 'no',\n    },\n  })\n}\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Subscribe to portal events via SSE (Portal Event Bridge)',\n  description: 'Long-lived SSE connection that receives server-side events marked with portalBroadcast: true. Events are filtered by the customer\\'s tenant and organization.',\n  tags: ['Customer Portal'],\n  responses: [\n    {\n      status: 200,\n      description: 'Event stream (text/event-stream)',\n    },\n  ],\n  errors: [\n    { status: 401, description: 'Not authenticated' },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Portal event stream',\n  methods: { GET: methodDoc },\n}\n"],
+  "mappings": "AAYA,SAAS,oBAAoB;AAC7B,SAAS,8BAA8B;AACvC,SAAS,kCAAkC;AAGpC,MAAM,WAA8B,CAAC;AAE5C,MAAM,wBAAwB;AAC9B,MAAM,oBAAoB;AAU1B,SAAS,kBAAkB,MAGzB;AACA,QAAM,WAAW,OAAO,KAAK,aAAa,WAAW,KAAK,WAAW;AACrE,QAAM,qBAAqB,oBAAI,IAAY;AAC3C,MAAI,OAAO,KAAK,mBAAmB,YAAY,KAAK,eAAe,KAAK,EAAE,SAAS,GAAG;AACpF,uBAAmB,IAAI,KAAK,eAAe,KAAK,CAAC;AAAA,EACnD;AACA,MAAI,MAAM,QAAQ,KAAK,eAAe,GAAG;AACvC,eAAW,SAAS,KAAK,iBAAiB;AACxC,UAAI,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,GAAG;AACxD,2BAAmB,IAAI,MAAM,KAAK,CAAC;AAAA,MACrC;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,UAAU,oBAAoB,MAAM,KAAK,kBAAkB,EAAE;AACxE;AAEA,SAAS,gBAAgB,MAA2B,UAAyD;AAC3G,MAAI,CAAC,SAAS,SAAU,QAAO;AAC/B,MAAI,KAAK,aAAa,SAAS,SAAU,QAAO;AAChD,MAAI,SAAS,mBAAmB,SAAS,GAAG;AAC1C,QAAI,CAAC,SAAS,mBAAmB,SAAS,KAAK,cAAc,EAAG,QAAO;AAAA,EACzE;AACA,SAAO;AACT;AAEA,MAAM,oBAAoB,oBAAI,IAAyB;AAEvD,IAAI,sBAAsB;AAE1B,eAAe,qBAAqB,WAAmB,SAAiD;AACtG,MAAI,CAAC,aAAa,kBAAkB,SAAS,EAAG;AAChD,MAAI,CAAC,uBAAuB,SAAS,EAAG;AAExC,QAAM,OAAO,WAAW,CAAC;AACzB,QAAM,WAAW,kBAAkB,IAAI;AACvC,QAAM,iBAAiB,SAAS,mBAAmB,CAAC,KAAK;AAEzD,MAAI,aAAa,KAAK,UAAU;AAAA,IAC9B,IAAI;AAAA,IACJ,SAAS;AAAA,IACT,WAAW,KAAK,IAAI;AAAA,IACpB;AAAA,EACF,CAAC;AAED,MAAI,IAAI,YAAY,EAAE,OAAO,UAAU,EAAE,SAAS,mBAAmB;AACnE,UAAM,YAAqC,EAAE,WAAW,KAAK;AAC7D,QAAI,OAAO,KAAK,OAAO,YAAY,KAAK,GAAG,KAAK,EAAE,SAAS,EAAG,WAAU,KAAK,KAAK,GAAG,KAAK;AAC1F,QAAI,OAAO,KAAK,aAAa,YAAY,KAAK,SAAS,KAAK,EAAE,SAAS,EAAG,WAAU,WAAW,KAAK,SAAS,KAAK;AAClH,iBAAa,KAAK,UAAU;AAAA,MAC1B,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,WAAW,KAAK,IAAI;AAAA,MACpB;AAAA,IACF,CAAC;AACD,QAAI,IAAI,YAAY,EAAE,OAAO,UAAU,EAAE,SAAS,mBAAmB;AACnE;AAAA,IACF;AAAA,EACF;AAEA,aAAW,QAAQ,mBAAmB;AACpC,QAAI,CAAC,gBAAgB,MAAM,QAAQ,EAAG;AACtC,QAAI;AACF,WAAK,KAAK,UAAU;AAAA,IACtB,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAEA,SAAS,kBAAwB;AAC/B,MAAI,oBAAqB;AACzB,wBAAsB;AAItB,SAAO,0BAA0B,EAAE,KAAK,CAAC,EAAE,wBAAwB,kCAAkC,MAAM;AACzG,2BAAuB,OAAO,WAAW,YAAY;AACnD,YAAM,qBAAqB,WAAY,WAAW,CAAC,CAA6B;AAAA,IAClF,CAAC;AAED,sCAAkC,OAAO,aAAa;AACpD,UAAI,SAAS,cAAc,QAAQ,IAAK;AACxC,YAAM;AAAA,QACJ,SAAS;AAAA,QACR,SAAS,WAAW,CAAC;AAAA,MACxB;AAAA,IACF,CAAC;AAAA,EACH,CAAC,EAAE,MAAM,MAAM;AAEb,0BAAsB;AAAA,EACxB,CAAC;AACH;AAEA,eAAsB,IAAI,KAAiC;AACzD,QAAM,OAAO,MAAM,2BAA2B,GAAG;AACjD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,kBAAgB;AAEhB,QAAM,UAAU,IAAI,YAAY;AAChC,MAAI,iBAAwD;AAC5D,MAAI,aAAyC;AAE7C,QAAM,SAAS,IAAI,eAAe;AAAA,IAChC,MAAM,YAAY;AAChB,YAAM,OAAO,CAAC,SAAiB;AAC7B,mBAAW,QAAQ,QAAQ,OAAO,SAAS,IAAI;AAAA;AAAA,CAAM,CAAC;AAAA,MACxD;AAEA,mBAAa;AAAA,QACX,UAAU,KAAK;AAAA,QACf,gBAAgB,KAAK;AAAA,QACrB,gBAAgB,KAAK;AAAA,QACrB;AAAA,QACA,OAAO,MAAM,WAAW,MAAM;AAAA,MAChC;AACA,wBAAkB,IAAI,UAAU;AAEhC,uBAAiB,YAAY,MAAM;AACjC,YAAI;AACF,qBAAW,QAAQ,QAAQ,OAAO,gBAAgB,CAAC;AAAA,QACrD,QAAQ;AAAA,QAER;AAAA,MACF,GAAG,qBAAqB;AAAA,IAC1B;AAAA,IACA,SAAS;AACP,cAAQ;AAAA,IACV;AAAA,EACF,CAAC;AAED,WAAS,UAAU;AACjB,QAAI,gBAAgB;AAClB,oBAAc,cAAc;AAC5B,uBAAiB;AAAA,IACnB;AACA,QAAI,YAAY;AACd,wBAAkB,OAAO,UAAU;AACnC,mBAAa;AAAA,IACf;AAAA,EACF;AAEA,MAAI,OAAO,iBAAiB,SAAS,OAAO;AAE5C,SAAO,IAAI,SAAS,QAAQ;AAAA,IAC1B,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,MAChB,iBAAiB;AAAA,MACjB,cAAc;AAAA,MACd,qBAAqB;AAAA,IACvB;AAAA,EACF,CAAC;AACH;AAEA,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,iBAAiB;AAAA,EACxB,WAAW;AAAA,IACT;AAAA,MACE,QAAQ;AAAA,MACR,aAAa;AAAA,IACf;AAAA,EACF;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,EAClD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS,EAAE,KAAK,UAAU;AAC5B;",
+  "names": []
+}

package/dist/modules/customer_accounts/api/portal/feature-check.js

@@ -0,0 +1,57 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getCustomerAuthFromRequest } from "@open-mercato/core/modules/customer_accounts/lib/customerAuth";
+import { matchFeature } from "@open-mercato/shared/lib/auth/featureMatch";
+const metadata = {};
+const requestSchema = z.object({
+  features: z.array(z.string()).min(1).max(100)
+});
+async function POST(req) {
+  const auth = await getCustomerAuthFromRequest(req);
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: "Authentication required" }, { status: 401 });
+  }
+  let body;
+  try {
+    const raw = await req.json();
+    body = requestSchema.parse(raw);
+  } catch {
+    return NextResponse.json({ ok: false, error: "Invalid request body" }, { status: 400 });
+  }
+  const granted = body.features.filter(
+    (feature) => auth.resolvedFeatures.some((g) => matchFeature(feature, g))
+  );
+  return NextResponse.json({ ok: true, granted });
+}
+const methodDoc = {
+  summary: "Check customer portal feature access",
+  description: "Checks which of the requested features the authenticated customer user has. Used by portal menu injection for feature-gating.",
+  tags: ["Customer Portal"],
+  requestBody: {
+    schema: requestSchema
+  },
+  responses: [
+    {
+      status: 200,
+      description: "Feature check result",
+      schema: z.object({
+        ok: z.literal(true),
+        granted: z.array(z.string())
+      })
+    }
+  ],
+  errors: [
+    { status: 401, description: "Not authenticated", schema: z.object({ ok: z.literal(false), error: z.string() }) },
+    { status: 400, description: "Invalid request", schema: z.object({ ok: z.literal(false), error: z.string() }) }
+  ]
+};
+const openApi = {
+  summary: "Portal feature check",
+  methods: { POST: methodDoc }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=feature-check.js.map

package/dist/modules/customer_accounts/api/portal/feature-check.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/customer_accounts/api/portal/feature-check.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'\nimport { hasAllFeatures, matchFeature } from '@open-mercato/shared/lib/auth/featureMatch'\n\nexport const metadata: { path?: string } = {}\n\nconst requestSchema = z.object({\n  features: z.array(z.string()).min(1).max(100),\n})\n\nexport async function POST(req: Request) {\n  const auth = await getCustomerAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  let body: z.infer<typeof requestSchema>\n  try {\n    const raw = await req.json()\n    body = requestSchema.parse(raw)\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const granted = body.features.filter((feature) =>\n    auth.resolvedFeatures.some((g) => matchFeature(feature, g)),\n  )\n\n  return NextResponse.json({ ok: true, granted })\n}\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Check customer portal feature access',\n  description: 'Checks which of the requested features the authenticated customer user has. Used by portal menu injection for feature-gating.',\n  tags: ['Customer Portal'],\n  requestBody: {\n    schema: requestSchema,\n  },\n  responses: [\n    {\n      status: 200,\n      description: 'Feature check result',\n      schema: z.object({\n        ok: z.literal(true),\n        granted: z.array(z.string()),\n      }),\n    },\n  ],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: z.object({ ok: z.literal(false), error: z.string() }) },\n    { status: 400, description: 'Invalid request', schema: z.object({ ok: z.literal(false), error: z.string() }) },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Portal feature check',\n  methods: { POST: methodDoc },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,kCAAkC;AAC3C,SAAyB,oBAAoB;AAEtC,MAAM,WAA8B,CAAC;AAE5C,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAC9C,CAAC;AAED,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,2BAA2B,GAAG;AACjD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,IAAI,KAAK;AAC3B,WAAO,cAAc,MAAM,GAAG;AAAA,EAChC,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,UAAU,KAAK,SAAS;AAAA,IAAO,CAAC,YACpC,KAAK,iBAAiB,KAAK,CAAC,MAAM,aAAa,SAAS,CAAC,CAAC;AAAA,EAC5D;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,QAAQ,CAAC;AAChD;AAEA,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,iBAAiB;AAAA,EACxB,aAAa;AAAA,IACX,QAAQ;AAAA,EACV;AAAA,EACA,WAAW;AAAA,IACT;AAAA,MACE,QAAQ;AAAA,MACR,aAAa;AAAA,MACb,QAAQ,EAAE,OAAO;AAAA,QACf,IAAI,EAAE,QAAQ,IAAI;AAAA,QAClB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,MAC7B,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,IAC/G,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,EAC/G;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS,EAAE,MAAM,UAAU;AAC7B;",
+  "names": []
+}

package/dist/modules/customer_accounts/api/portal/logout.js

@@ -0,0 +1,64 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+const metadata = {};
+function readCookieFromHeader(header, name) {
+  if (!header) return void 0;
+  const parts = header.split(";");
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (trimmed.startsWith(`${name}=`)) {
+      return trimmed.slice(name.length + 1);
+    }
+  }
+  return void 0;
+}
+async function POST(req) {
+  const cookieHeader = req.headers.get("cookie") || "";
+  const sessionToken = readCookieFromHeader(cookieHeader, "customer_session_token");
+  if (sessionToken) {
+    try {
+      const decodedToken = decodeURIComponent(sessionToken);
+      const container = await createRequestContainer();
+      const customerSessionService = container.resolve("customerSessionService");
+      const session = await customerSessionService.findByToken(decodedToken);
+      if (session) {
+        await customerSessionService.revokeSession(session.id);
+      }
+    } catch {
+    }
+  }
+  const res = NextResponse.json({ ok: true });
+  res.cookies.set("customer_auth_token", "", {
+    httpOnly: true,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: 0
+  });
+  res.cookies.set("customer_session_token", "", {
+    httpOnly: true,
+    path: "/",
+    sameSite: "lax",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: 0
+  });
+  return res;
+}
+const successSchema = z.object({ ok: z.literal(true) });
+const methodDoc = {
+  summary: "Customer logout",
+  description: "Revokes the current session and clears authentication cookies.",
+  tags: ["Customer Portal"],
+  responses: [{ status: 200, description: "Logged out", schema: successSchema }]
+};
+const openApi = {
+  summary: "Customer logout",
+  methods: { POST: methodDoc }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=logout.js.map

package/dist/modules/customer_accounts/api/portal/logout.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/customer_accounts/api/portal/logout.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'\n\nexport const metadata: { path?: string } = {}\n\nfunction readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {\n  if (!header) return undefined\n  const parts = header.split(';')\n  for (const part of parts) {\n    const trimmed = part.trim()\n    if (trimmed.startsWith(`${name}=`)) {\n      return trimmed.slice(name.length + 1)\n    }\n  }\n  return undefined\n}\n\nexport async function POST(req: Request) {\n  const cookieHeader = req.headers.get('cookie') || ''\n  const sessionToken = readCookieFromHeader(cookieHeader, 'customer_session_token')\n\n  if (sessionToken) {\n    try {\n      const decodedToken = decodeURIComponent(sessionToken)\n      const container = await createRequestContainer()\n      const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService\n      const session = await customerSessionService.findByToken(decodedToken)\n      if (session) {\n        await customerSessionService.revokeSession(session.id)\n      }\n    } catch {\n      // Best effort \u2014 clear cookies regardless\n    }\n  }\n\n  const res = NextResponse.json({ ok: true })\n\n  res.cookies.set('customer_auth_token', '', {\n    httpOnly: true,\n    path: '/',\n    sameSite: 'lax',\n    secure: process.env.NODE_ENV === 'production',\n    maxAge: 0,\n  })\n  res.cookies.set('customer_session_token', '', {\n    httpOnly: true,\n    path: '/',\n    sameSite: 'lax',\n    secure: process.env.NODE_ENV === 'production',\n    maxAge: 0,\n  })\n\n  return res\n}\n\nconst successSchema = z.object({ ok: z.literal(true) })\n\nconst methodDoc: OpenApiMethodDoc = {\n  summary: 'Customer logout',\n  description: 'Revokes the current session and clears authentication cookies.',\n  tags: ['Customer Portal'],\n  responses: [{ status: 200, description: 'Logged out', schema: successSchema }],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer logout',\n  methods: { POST: methodDoc },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,8BAA8B;AAGhC,MAAM,WAA8B,CAAC;AAE5C,SAAS,qBAAqB,QAAmC,MAAkC;AACjG,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,QAAQ,OAAO,MAAM,GAAG;AAC9B,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,QAAQ,WAAW,GAAG,IAAI,GAAG,GAAG;AAClC,aAAO,QAAQ,MAAM,KAAK,SAAS,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAClD,QAAM,eAAe,qBAAqB,cAAc,wBAAwB;AAEhF,MAAI,cAAc;AAChB,QAAI;AACF,YAAM,eAAe,mBAAmB,YAAY;AACpD,YAAM,YAAY,MAAM,uBAAuB;AAC/C,YAAM,yBAAyB,UAAU,QAAQ,wBAAwB;AACzE,YAAM,UAAU,MAAM,uBAAuB,YAAY,YAAY;AACrE,UAAI,SAAS;AACX,cAAM,uBAAuB,cAAc,QAAQ,EAAE;AAAA,MACvD;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,MAAM,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE1C,MAAI,QAAQ,IAAI,uBAAuB,IAAI;AAAA,IACzC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,QAAQ;AAAA,EACV,CAAC;AACD,MAAI,QAAQ,IAAI,0BAA0B,IAAI;AAAA,IAC5C,UAAU;AAAA,IACV,MAAM;AAAA,IACN,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,QAAQ;AAAA,EACV,CAAC;AAED,SAAO;AACT;AAEA,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEtD,MAAM,YAA8B;AAAA,EAClC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,iBAAiB;AAAA,EACxB,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,cAAc,QAAQ,cAAc,CAAC;AAC/E;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS,EAAE,MAAM,UAAU;AAC7B;",
+  "names": []
+}