npm - @open-mercato/core - Versions diffs - 0.4.8-develop-28cee031d6 → 0.4.8-develop-84f3678a58 - Mend

@open-mercato/core 0.4.8-develop-28cee031d6 → 0.4.8-develop-84f3678a58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (330) hide show

package/src/modules/customer_accounts/migrations/Migration20260313222043.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import { Migration } from '@mikro-orm/migrations';
+export class Migration20260313222043 extends Migration {
+  override async up(): Promise<void> {
+    this.addSql(`create table "customer_roles" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid not null, "organization_id" uuid not null, "name" text not null, "slug" text not null, "description" text null, "is_default" boolean not null default false, "is_system" boolean not null default false, "customer_assignable" boolean not null default false, "created_at" timestamptz not null, "updated_at" timestamptz null, "deleted_at" timestamptz null, constraint "customer_roles_pkey" primary key ("id"));`);
+    this.addSql(`alter table "customer_roles" add constraint "customer_roles_tenant_slug_uniq" unique ("tenant_id", "slug");`);
+    this.addSql(`create table "customer_role_acls" ("id" uuid not null default gen_random_uuid(), "role_id" uuid not null, "tenant_id" uuid not null, "features_json" jsonb null, "is_portal_admin" boolean not null default false, "created_at" timestamptz not null, "updated_at" timestamptz null, "deleted_at" timestamptz null, constraint "customer_role_acls_pkey" primary key ("id"));`);
+    this.addSql(`alter table "customer_role_acls" add constraint "customer_role_acls_role_tenant_uniq" unique ("role_id", "tenant_id");`);
+    this.addSql(`create table "customer_users" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid not null, "organization_id" uuid not null, "email" text not null, "email_hash" text not null, "password_hash" text null, "display_name" text not null, "email_verified_at" timestamptz null, "failed_login_attempts" int not null default 0, "locked_until" timestamptz null, "last_login_at" timestamptz null, "person_entity_id" uuid null, "customer_entity_id" uuid null, "is_active" boolean not null default true, "created_at" timestamptz not null, "updated_at" timestamptz null, "deleted_at" timestamptz null, constraint "customer_users_pkey" primary key ("id"));`);
+    this.addSql(`create index "customer_users_email_hash_idx" on "customer_users" ("email_hash");`);
+    this.addSql(`create index "customer_users_person_entity_idx" on "customer_users" ("person_entity_id");`);
+    this.addSql(`create index "customer_users_customer_entity_idx" on "customer_users" ("customer_entity_id");`);
+    this.addSql(`alter table "customer_users" add constraint "customer_users_tenant_email_hash_uniq" unique ("tenant_id", "email_hash");`);
+    this.addSql(`create table "customer_user_acls" ("id" uuid not null default gen_random_uuid(), "user_id" uuid not null, "tenant_id" uuid not null, "features_json" jsonb null, "is_portal_admin" boolean not null default false, "created_at" timestamptz not null, "updated_at" timestamptz null, "deleted_at" timestamptz null, constraint "customer_user_acls_pkey" primary key ("id"));`);
+    this.addSql(`alter table "customer_user_acls" add constraint "customer_user_acls_user_tenant_uniq" unique ("user_id", "tenant_id");`);
+    this.addSql(`create table "customer_user_email_verifications" ("id" uuid not null default gen_random_uuid(), "user_id" uuid not null, "token" text not null, "purpose" text not null default 'email_verification', "expires_at" timestamptz not null, "used_at" timestamptz null, "created_at" timestamptz not null, constraint "customer_user_email_verifications_pkey" primary key ("id"));`);
+    this.addSql(`create index "customer_user_email_verifications_token_idx" on "customer_user_email_verifications" ("token");`);
+    this.addSql(`create table "customer_user_invitations" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid not null, "organization_id" uuid not null, "email" text not null, "email_hash" text not null, "token" text not null, "customer_entity_id" uuid null, "role_ids_json" jsonb null, "invited_by_user_id" uuid null, "invited_by_customer_user_id" uuid null, "display_name" text null, "expires_at" timestamptz not null, "accepted_at" timestamptz null, "cancelled_at" timestamptz null, "created_at" timestamptz not null, constraint "customer_user_invitations_pkey" primary key ("id"));`);
+    this.addSql(`create index "customer_user_invitations_tenant_email_hash_idx" on "customer_user_invitations" ("tenant_id", "email_hash");`);
+    this.addSql(`create index "customer_user_invitations_token_idx" on "customer_user_invitations" ("token");`);
+    this.addSql(`create table "customer_user_password_resets" ("id" uuid not null default gen_random_uuid(), "user_id" uuid not null, "token" text not null, "expires_at" timestamptz not null, "used_at" timestamptz null, "created_at" timestamptz not null, constraint "customer_user_password_resets_pkey" primary key ("id"));`);
+    this.addSql(`create index "customer_user_password_resets_token_idx" on "customer_user_password_resets" ("token");`);
+    this.addSql(`create table "customer_user_roles" ("id" uuid not null default gen_random_uuid(), "user_id" uuid not null, "role_id" uuid not null, "created_at" timestamptz not null, "deleted_at" timestamptz null, constraint "customer_user_roles_pkey" primary key ("id"));`);
+    this.addSql(`alter table "customer_user_roles" add constraint "customer_user_roles_user_role_uniq" unique ("user_id", "role_id");`);
+    this.addSql(`create table "customer_user_sessions" ("id" uuid not null default gen_random_uuid(), "user_id" uuid not null, "token_hash" text not null, "ip_address" text null, "user_agent" text null, "expires_at" timestamptz not null, "last_used_at" timestamptz null, "created_at" timestamptz not null, "deleted_at" timestamptz null, constraint "customer_user_sessions_pkey" primary key ("id"));`);
+    this.addSql(`create index "customer_user_sessions_token_hash_idx" on "customer_user_sessions" ("token_hash");`);
+    this.addSql(`alter table "customer_role_acls" add constraint "customer_role_acls_role_id_foreign" foreign key ("role_id") references "customer_roles" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_acls" add constraint "customer_user_acls_user_id_foreign" foreign key ("user_id") references "customer_users" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_email_verifications" add constraint "customer_user_email_verifications_user_id_foreign" foreign key ("user_id") references "customer_users" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_password_resets" add constraint "customer_user_password_resets_user_id_foreign" foreign key ("user_id") references "customer_users" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_roles" add constraint "customer_user_roles_user_id_foreign" foreign key ("user_id") references "customer_users" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_roles" add constraint "customer_user_roles_role_id_foreign" foreign key ("role_id") references "customer_roles" ("id") on update cascade;`);
+    this.addSql(`alter table "customer_user_sessions" add constraint "customer_user_sessions_user_id_foreign" foreign key ("user_id") references "customer_users" ("id") on update cascade;`);
+  }
+  override async down(): Promise<void> {
+    this.addSql(`drop table if exists "customer_user_sessions" cascade;`);
+    this.addSql(`drop table if exists "customer_user_roles" cascade;`);
+    this.addSql(`drop table if exists "customer_user_password_resets" cascade;`);
+    this.addSql(`drop table if exists "customer_user_invitations" cascade;`);
+    this.addSql(`drop table if exists "customer_user_email_verifications" cascade;`);
+    this.addSql(`drop table if exists "customer_user_acls" cascade;`);
+    this.addSql(`drop table if exists "customer_role_acls" cascade;`);
+    this.addSql(`drop table if exists "customer_users" cascade;`);
+    this.addSql(`drop table if exists "customer_roles" cascade;`);
+  }
+}

package/src/modules/customer_accounts/notifications.client.ts ADDED Viewed

@@ -0,0 +1,46 @@
+'use client'
+import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'
+export const customerAccountsNotificationTypes: NotificationTypeDefinition[] = [
+  {
+    type: 'customer_accounts.user.signup',
+    module: 'customer_accounts',
+    titleKey: 'customer_accounts.notifications.user.signup.title',
+    bodyKey: 'customer_accounts.notifications.user.signup.body',
+    icon: 'user-plus',
+    severity: 'info',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/customer_accounts/{sourceEntityId}',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/customer_accounts/{sourceEntityId}',
+    expiresAfterHours: 168,
+  },
+  {
+    type: 'customer_accounts.user.locked',
+    module: 'customer_accounts',
+    titleKey: 'customer_accounts.notifications.user.locked.title',
+    bodyKey: 'customer_accounts.notifications.user.locked.body',
+    icon: 'lock',
+    severity: 'warning',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/customer_accounts/{sourceEntityId}',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/customer_accounts/{sourceEntityId}',
+    expiresAfterHours: 168,
+  },
+]
+export default customerAccountsNotificationTypes

package/src/modules/customer_accounts/notifications.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'
+export const notificationTypes: NotificationTypeDefinition[] = [
+  {
+    type: 'customer_accounts.user.signup',
+    module: 'customer_accounts',
+    titleKey: 'customer_accounts.notifications.user.signup.title',
+    bodyKey: 'customer_accounts.notifications.user.signup.body',
+    icon: 'user-plus',
+    severity: 'info',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/customer_accounts/{sourceEntityId}',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/customer_accounts/{sourceEntityId}',
+    expiresAfterHours: 168,
+  },
+  {
+    type: 'customer_accounts.user.locked',
+    module: 'customer_accounts',
+    titleKey: 'customer_accounts.notifications.user.locked.title',
+    bodyKey: 'customer_accounts.notifications.user.locked.body',
+    icon: 'lock',
+    severity: 'warning',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/customer_accounts/{sourceEntityId}',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/customer_accounts/{sourceEntityId}',
+    expiresAfterHours: 168,
+  },
+]
+export default notificationTypes

package/src/modules/customer_accounts/search.ts ADDED Viewed

@@ -0,0 +1,134 @@
+import type {
+  SearchModuleConfig,
+  SearchBuildContext,
+  SearchResultPresenter,
+  SearchIndexSource,
+} from '@open-mercato/shared/modules/search'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+function pickString(...candidates: Array<unknown>): string | null {
+  for (const candidate of candidates) {
+    if (typeof candidate !== 'string') continue
+    const trimmed = candidate.trim()
+    if (trimmed.length > 0) return trimmed
+  }
+  return null
+}
+function snippet(value: unknown, max = 140): string | undefined {
+  if (typeof value !== 'string') return undefined
+  const trimmed = value.trim()
+  if (!trimmed.length) return undefined
+  if (trimmed.length <= max) return trimmed
+  return `${trimmed.slice(0, max - 3)}...`
+}
+function appendLine(lines: string[], label: string, value: unknown) {
+  if (value === null || value === undefined) return
+  const text = typeof value === 'object' ? JSON.stringify(value) : String(value)
+  if (!text.trim()) return
+  lines.push(`${label}: ${text}`)
+}
+function formatSubtitle(...parts: Array<unknown>): string | undefined {
+  const text = parts
+    .map((part) => (part === null || part === undefined ? '' : String(part)))
+    .map((part) => part.trim())
+    .filter(Boolean)
+  if (text.length === 0) return undefined
+  return text.join(' · ')
+}
+function buildIndexSource(
+  ctx: SearchBuildContext,
+  presenter: SearchResultPresenter,
+  lines: string[],
+): SearchIndexSource | null {
+  if (!lines.length) return null
+  return {
+    text: lines,
+    presenter,
+    checksumSource: { record: ctx.record, customFields: ctx.customFields },
+  }
+}
+export const searchConfig: SearchModuleConfig = {
+  entities: [
+    {
+      entityId: 'customer_accounts:customer_user',
+      enabled: true,
+      priority: 6,
+      buildSource: async (ctx) => {
+        const { t } = await resolveTranslations()
+        const record = ctx.record
+        const lines: string[] = []
+        appendLine(lines, 'Name', record.display_name ?? record.displayName)
+        appendLine(lines, 'Email', record.email)
+        return buildIndexSource(
+          ctx,
+          {
+            title: pickString(record.display_name, record.displayName) ?? String(record.id),
+            subtitle: formatSubtitle(record.email),
+            icon: 'user',
+            badge: t('customer_accounts.search.badge.customerUser', 'Customer User'),
+          },
+          lines,
+        )
+      },
+      formatResult: async (ctx) => {
+        const { t } = await resolveTranslations()
+        const record = ctx.record
+        return {
+          title: pickString(record.display_name, record.displayName) ?? String(record.id),
+          subtitle: formatSubtitle(record.email),
+          icon: 'user',
+          badge: t('customer_accounts.search.badge.customerUser', 'Customer User'),
+        }
+      },
+      resolveUrl: async (ctx) => `/backend/customer-accounts/users/${encodeURIComponent(String(ctx.record.id))}`,
+      fieldPolicy: {
+        searchable: ['display_name', 'email'],
+        excluded: ['password_hash', 'email_hash'],
+      },
+    },
+    {
+      entityId: 'customer_accounts:customer_role',
+      enabled: true,
+      priority: 6,
+      buildSource: async (ctx) => {
+        const { t } = await resolveTranslations()
+        const record = ctx.record
+        const lines: string[] = []
+        appendLine(lines, 'Name', record.name)
+        appendLine(lines, 'Description', record.description)
+        return buildIndexSource(
+          ctx,
+          {
+            title: pickString(record.name) ?? String(record.id),
+            subtitle: formatSubtitle(snippet(record.description)),
+            icon: 'shield',
+            badge: t('customer_accounts.search.badge.customerRole', 'Customer Role'),
+          },
+          lines,
+        )
+      },
+      formatResult: async (ctx) => {
+        const { t } = await resolveTranslations()
+        const record = ctx.record
+        return {
+          title: pickString(record.name) ?? String(record.id),
+          subtitle: formatSubtitle(snippet(record.description)),
+          icon: 'shield',
+          badge: t('customer_accounts.search.badge.customerRole', 'Customer Role'),
+        }
+      },
+      resolveUrl: async (ctx) => `/backend/customer-accounts/roles/${encodeURIComponent(String(ctx.record.id))}/edit`,
+      fieldPolicy: {
+        searchable: ['name', 'description'],
+      },
+    },
+  ],
+}
+export default searchConfig
+export const config = searchConfig

package/src/modules/customer_accounts/services/customerInvitationService.ts ADDED Viewed

@@ -0,0 +1,109 @@
+import { EntityManager } from '@mikro-orm/postgresql'
+import { hash } from 'bcryptjs'
+import {
+  CustomerUser,
+  CustomerUserInvitation,
+  CustomerUserRole,
+  CustomerRole,
+} from '@open-mercato/core/modules/customer_accounts/data/entities'
+import { generateSecureToken, hashToken } from '@open-mercato/core/modules/customer_accounts/lib/tokenGenerator'
+import { hashForLookup } from '@open-mercato/shared/lib/encryption/aes'
+const BCRYPT_COST = 10
+const INVITATION_TTL_MS = 72 * 60 * 60 * 1000 // 72 hours
+export class CustomerInvitationService {
+  constructor(private em: EntityManager) {}
+  async createInvitation(
+    email: string,
+    scope: { tenantId: string; organizationId: string },
+    options: {
+      customerEntityId?: string | null
+      roleIds: string[]
+      invitedByUserId?: string | null
+      invitedByCustomerUserId?: string | null
+      displayName?: string | null
+    },
+  ): Promise<{ invitation: CustomerUserInvitation; rawToken: string }> {
+    const token = generateSecureToken()
+    const emailHash = hashForLookup(email)
+    const expiresAt = new Date(Date.now() + INVITATION_TTL_MS)
+    const tokenHashed = hashToken(token)
+    const invitation = this.em.create(CustomerUserInvitation, {
+      tenantId: scope.tenantId,
+      organizationId: scope.organizationId,
+      email: email.toLowerCase().trim(),
+      emailHash,
+      token: tokenHashed,
+      customerEntityId: options.customerEntityId || null,
+      roleIdsJson: options.roleIds,
+      invitedByUserId: options.invitedByUserId || null,
+      invitedByCustomerUserId: options.invitedByCustomerUserId || null,
+      displayName: options.displayName || null,
+      expiresAt,
+      createdAt: new Date(),
+    } as any) as CustomerUserInvitation
+    await this.em.persistAndFlush(invitation)
+    return { invitation, rawToken: token }
+  }
+  async findByToken(token: string): Promise<CustomerUserInvitation | null> {
+    const tokenHashed = hashToken(token)
+    const invitation = await this.em.findOne(CustomerUserInvitation, { token: tokenHashed })
+    if (!invitation) return null
+    if (invitation.acceptedAt) return null
+    if (invitation.cancelledAt) return null
+    if (invitation.expiresAt.getTime() < Date.now()) return null
+    return invitation
+  }
+  async acceptInvitation(
+    token: string,
+    password: string,
+    displayName: string,
+  ): Promise<{ user: CustomerUser; invitation: CustomerUserInvitation } | null> {
+    const invitation = await this.findByToken(token)
+    if (!invitation) return null
+    const passwordHash = await hash(password, BCRYPT_COST)
+    const emailHash = hashForLookup(invitation.email)
+    // Create user
+    const user = this.em.create(CustomerUser, {
+      email: invitation.email,
+      emailHash,
+      passwordHash,
+      displayName: displayName || invitation.displayName || invitation.email,
+      tenantId: invitation.tenantId,
+      organizationId: invitation.organizationId,
+      customerEntityId: invitation.customerEntityId || null,
+      isActive: true,
+      emailVerifiedAt: new Date(), // Invitation implicitly verifies email
+      failedLoginAttempts: 0,
+      createdAt: new Date(),
+    } as any) as CustomerUser
+    this.em.persist(user)
+    // Assign roles
+    const roleIds = Array.isArray(invitation.roleIdsJson) ? invitation.roleIdsJson : []
+    for (const roleId of roleIds) {
+      const role = await this.em.findOne(CustomerRole, { id: roleId, tenantId: invitation.tenantId, deletedAt: null })
+      if (role) {
+        const userRole = this.em.create(CustomerUserRole, {
+          user,
+          role,
+          createdAt: new Date(),
+        } as any)
+        this.em.persist(userRole)
+      }
+    }
+    // Mark invitation as accepted
+    invitation.acceptedAt = new Date()
+    await this.em.flush()
+    return { user, invitation }
+  }
+}

package/src/modules/customer_accounts/services/customerRbacService.ts ADDED Viewed

@@ -0,0 +1,144 @@
+import { EntityManager } from '@mikro-orm/postgresql'
+import type { CacheStrategy } from '@open-mercato/cache'
+import {
+  CustomerUserAcl,
+  CustomerRoleAcl,
+  CustomerUserRole,
+} from '@open-mercato/core/modules/customer_accounts/data/entities'
+import { hasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'
+interface CustomerAclData {
+  isPortalAdmin: boolean
+  features: string[]
+}
+function isCustomerAclData(value: unknown): value is CustomerAclData {
+  if (typeof value !== 'object' || value === null) return false
+  const record = value as Partial<CustomerAclData>
+  if (typeof record.isPortalAdmin !== 'boolean') return false
+  if (!Array.isArray(record.features) || record.features.some((f) => typeof f !== 'string')) return false
+  return true
+}
+export class CustomerRbacService {
+  private cacheTtlMs: number = 5 * 60 * 1000
+  private cache: CacheStrategy | null = null
+  constructor(private em: EntityManager, cache?: CacheStrategy) {
+    this.cache = cache || null
+  }
+  private getCacheKey(userId: string, scope: { tenantId: string; organizationId: string }): string {
+    return `customer_rbac:${userId}:${scope.tenantId}:${scope.organizationId}`
+  }
+  private getUserTag(userId: string): string {
+    return `customer_rbac:user:${userId}`
+  }
+  private getTenantTag(tenantId: string): string {
+    return `customer_rbac:tenant:${tenantId}`
+  }
+  private async getFromCache(cacheKey: string): Promise<CustomerAclData | null> {
+    if (!this.cache) return null
+    const cached = await this.cache.get(cacheKey)
+    if (!cached) return null
+    return isCustomerAclData(cached) ? cached : null
+  }
+  private async setCache(
+    cacheKey: string,
+    data: CustomerAclData,
+    userId: string,
+    scope: { tenantId: string; organizationId: string },
+  ): Promise<void> {
+    if (!this.cache) return
+    const tags = [
+      this.getUserTag(userId),
+      this.getTenantTag(scope.tenantId),
+      'customer_rbac:all',
+    ]
+    await this.cache.set(cacheKey, data, { ttl: this.cacheTtlMs, tags })
+  }
+  async loadAcl(
+    userId: string,
+    scope: { tenantId: string; organizationId: string },
+  ): Promise<CustomerAclData> {
+    const cacheKey = this.getCacheKey(userId, scope)
+    const cached = await this.getFromCache(cacheKey)
+    if (cached) return cached
+    const em = this.em.fork()
+    // Per-user ACL first
+    const userAcl = await em.findOne(CustomerUserAcl, {
+      user: userId as any,
+      tenantId: scope.tenantId,
+    })
+    if (userAcl) {
+      const result: CustomerAclData = {
+        isPortalAdmin: !!userAcl.isPortalAdmin,
+        features: Array.isArray(userAcl.featuresJson) ? userAcl.featuresJson : [],
+      }
+      await this.setCache(cacheKey, result, userId, scope)
+      return result
+    }
+    // Aggregate role ACLs
+    const links = await em.find(CustomerUserRole, {
+      user: userId as any,
+      deletedAt: null,
+    }, { populate: ['role'] })
+    const roleIds = links.map((l) => (l.role as any)?.id).filter(Boolean)
+    let isPortalAdmin = false
+    const features: string[] = []
+    if (roleIds.length) {
+      const roleAcls = await em.find(CustomerRoleAcl, {
+        tenantId: scope.tenantId,
+        role: { $in: roleIds as any },
+      } as any)
+      for (const acl of roleAcls) {
+        isPortalAdmin = isPortalAdmin || !!acl.isPortalAdmin
+        if (Array.isArray(acl.featuresJson)) {
+          for (const f of acl.featuresJson) {
+            if (!features.includes(f)) features.push(f)
+          }
+        }
+      }
+    }
+    const result: CustomerAclData = { isPortalAdmin, features }
+    await this.setCache(cacheKey, result, userId, scope)
+    return result
+  }
+  async userHasAllFeatures(
+    userId: string,
+    required: string[],
+    scope: { tenantId: string; organizationId: string },
+  ): Promise<boolean> {
+    if (!required.length) return true
+    const acl = await this.loadAcl(userId, scope)
+    if (acl.isPortalAdmin) return true
+    return hasAllFeatures(required, acl.features)
+  }
+  async invalidateUserCache(userId: string): Promise<void> {
+    if (!this.cache) return
+    await this.cache.deleteByTags([this.getUserTag(userId)])
+  }
+  async invalidateRoleCache(roleId: string): Promise<void> {
+    if (!this.cache) return
+    // When a role changes, invalidate all customer RBAC caches since we don't track role→user mappings
+    await this.cache.deleteByTags(['customer_rbac:all'])
+  }
+  async invalidateTenantCache(tenantId: string): Promise<void> {
+    if (!this.cache) return
+    await this.cache.deleteByTags([this.getTenantTag(tenantId)])
+  }
+}

package/src/modules/customer_accounts/services/customerSessionService.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import { EntityManager } from '@mikro-orm/postgresql'
+import { CustomerUser, CustomerUserSession } from '@open-mercato/core/modules/customer_accounts/data/entities'
+import { generateSecureToken, hashToken } from '@open-mercato/core/modules/customer_accounts/lib/tokenGenerator'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+const DEFAULT_SESSION_TTL_DAYS = 30
+export class CustomerSessionService {
+  constructor(private em: EntityManager) {}
+  async createSession(
+    user: CustomerUser,
+    resolvedFeatures: string[],
+    ip?: string | null,
+    userAgent?: string | null,
+  ): Promise<{ rawToken: string; jwt: string; session: CustomerUserSession }> {
+    const rawToken = generateSecureToken()
+    const tokenHash = hashToken(rawToken)
+    const days = Number(process.env.CUSTOMER_SESSION_TTL_DAYS || DEFAULT_SESSION_TTL_DAYS)
+    const expiresAt = new Date(Date.now() + days * 24 * 60 * 60 * 1000)
+    const session = this.em.create(CustomerUserSession, {
+      user,
+      tokenHash,
+      ipAddress: ip || null,
+      userAgent: userAgent || null,
+      expiresAt,
+      lastUsedAt: new Date(),
+      createdAt: new Date(),
+    } as any) as CustomerUserSession
+    await this.em.persistAndFlush(session)
+    const jwt = this.signCustomerJwt(user, resolvedFeatures)
+    return { rawToken, jwt, session }
+  }
+  signCustomerJwt(user: CustomerUser, resolvedFeatures: string[]): string {
+    return signJwt({
+      sub: user.id,
+      type: 'customer',
+      tenantId: user.tenantId,
+      orgId: user.organizationId,
+      email: user.email,
+      displayName: user.displayName || '',
+      customerEntityId: user.customerEntityId || null,
+      personEntityId: user.personEntityId || null,
+      resolvedFeatures,
+    })
+  }
+  async findByToken(rawToken: string, tenantId?: string): Promise<CustomerUserSession | null> {
+    const tokenHash = hashToken(rawToken)
+    const session = await this.em.findOne(CustomerUserSession, {
+      tokenHash,
+      deletedAt: null,
+    }, { populate: ['user'] })
+    if (!session) return null
+    if (session.expiresAt.getTime() < Date.now()) return null
+    const user = session.user as CustomerUser
+    if (tenantId && user?.tenantId !== tenantId) return null
+    return session
+  }
+  async refreshSession(
+    rawToken: string,
+    resolvedFeatures: string[],
+  ): Promise<{ jwt: string; user: CustomerUser } | null> {
+    const session = await this.findByToken(rawToken)
+    if (!session) return null
+    const user = session.user as CustomerUser
+    if (!user || user.deletedAt || !user.isActive) return null
+    await this.em.nativeUpdate(CustomerUserSession, { id: session.id }, { lastUsedAt: new Date() })
+    const jwt = this.signCustomerJwt(user, resolvedFeatures)
+    return { jwt, user }
+  }
+  async revokeSession(sessionId: string): Promise<void> {
+    await this.em.nativeUpdate(CustomerUserSession, { id: sessionId }, { deletedAt: new Date() })
+  }
+  async revokeAllUserSessions(userId: string): Promise<void> {
+    await this.em.nativeUpdate(
+      CustomerUserSession,
+      { user: userId as any, deletedAt: null },
+      { deletedAt: new Date() },
+    )
+  }
+}