npm - @open-mercato/core - Versions diffs - 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4 - Mend

@open-mercato/core 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1795) hide show

package/dist/modules/auth/api/users/acl/route.js CHANGED Viewed

@@ -4,9 +4,15 @@ import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { logCrudAccess } from "@open-mercato/shared/lib/crud/factory";
 import { forbidden, isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
-import { UserAcl } from "@open-mercato/core/modules/auth/data/entities";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
 import { withAtomicFlush } from "@open-mercato/shared/lib/commands/flush";
-import { assertActorCanModifySuperAdminUserTarget } from "@open-mercato/core/modules/auth/lib/grantChecks";
+import { UserAcl } from "@open-mercato/core/modules/auth/data/entities";
+import {
+  assertActorCanAccessUserTarget,
+  assertActorCanGrantAcl,
+  assertActorCanModifySuperAdminUserTarget,
+  normalizeGrantFeatureList
+} from "@open-mercato/core/modules/auth/lib/grantChecks";
 const getSchema = z.object({ userId: z.string().uuid() });
 const putSchema = z.object({
   userId: z.string().uuid(),
@@ -22,7 +28,8 @@ const userAclResponseSchema = z.object({
   hasCustomAcl: z.boolean(),
   isSuperAdmin: z.boolean(),
   features: z.array(z.string()),
-  organizations: z.array(z.string()).nullable()
+  organizations: z.array(z.string()).nullable(),
+  updatedAt: z.string().nullable()
 });
 const userAclUpdateResponseSchema = z.object({
   ok: z.literal(true),
@@ -50,6 +57,15 @@ async function GET(req) {
         targetUserId: parsed.data.userId,
         actorIsSuperAdmin: false
       });
+      await assertActorCanAccessUserTarget({
+        em,
+        rbacService,
+        actorUserId: auth.sub,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        targetUserId: parsed.data.userId,
+        actorIsSuperAdmin: false
+      });
     } catch (err) {
       if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
       throw err;
@@ -60,8 +76,9 @@ async function GET(req) {
     hasCustomAcl: true,
     isSuperAdmin: !!acl.isSuperAdmin,
     features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],
-    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null
-  } : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null };
+    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,
+    updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null
+  } : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null, updatedAt: null };
   await logCrudAccess({
     container,
     auth,
@@ -98,18 +115,55 @@ async function PUT(req) {
         targetUserId: parsed.data.userId,
         actorIsSuperAdmin: false
       });
+      await assertActorCanAccessUserTarget({
+        em,
+        rbacService,
+        actorUserId: auth.sub,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        targetUserId: parsed.data.userId,
+        actorIsSuperAdmin: false
+      });
     } catch (err) {
       if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
       throw err;
     }
   }
-  const requestedFeatures = normalizeFeatureList(parsed.data.features);
-  const organizations = Array.isArray(parsed.data.organizations) ? parsed.data.organizations : null;
+  const requestedFeatures = normalizeGrantFeatureList(parsed.data.features);
+  const organizations = normalizeOrganizations(parsed.data.organizations);
   let acl = await em.findOne(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
+  if (acl) {
+    try {
+      enforceCommandOptimisticLock({
+        resourceKind: "auth.user_acl",
+        resourceId: acl.id,
+        current: acl.updatedAt ?? null,
+        request: req
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  }
   const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false;
-  const existingFeatures = acl && Array.isArray(acl.featuresJson) ? normalizeFeatureList(acl.featuresJson) : [];
-  const effectiveFeatures = actorIsSuperAdmin ? requestedFeatures : sanitizeTenantFeatures(requestedFeatures);
+  const existingFeatures = acl ? normalizeGrantFeatureList(acl.featuresJson) : [];
   const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? false;
+  try {
+    await assertActorCanGrantAcl({
+      em,
+      rbacService,
+      actorUserId: auth.sub,
+      tenantId: auth.tenantId ?? null,
+      organizationId: auth.orgId ?? null,
+      isSuperAdmin: requestedIsSuperAdmin,
+      features: requestedFeatures,
+      organizations
+    });
+  } catch (err) {
+    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+    throw err;
+  }
+  const effectiveFeatures = actorIsSuperAdmin ? requestedFeatures : sanitizeTenantFeatures(requestedFeatures);
   let effectiveIsSuperAdmin = requestedIsSuperAdmin;
   if (!actorIsSuperAdmin) {
     if (requestedIsSuperAdmin && !existingIsSuperAdmin) {
@@ -122,22 +176,29 @@ async function PUT(req) {
     }
   }
   const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0;
-  await withAtomicFlush(em, [
-    () => {
-      if (!hasCustomAcl) {
-        if (acl) em.remove(acl);
-      } else {
-        if (!acl) {
-          acl = em.create(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
-        }
-        const aclRecord = acl;
-        aclRecord.isSuperAdmin = effectiveIsSuperAdmin;
-        aclRecord.featuresJson = effectiveFeatures;
-        aclRecord.organizationsJson = organizations;
-        em.persist(acl);
-      }
+  if (!hasCustomAcl) {
+    if (acl) {
+      const aclToRemove = acl;
+      await withAtomicFlush(em, [() => em.remove(aclToRemove)], { transaction: true });
     }
-  ], { transaction: true });
+  } else {
+    if (!acl) {
+      acl = em.create(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
+    }
+    const aclRecord = acl;
+    await withAtomicFlush(
+      em,
+      [
+        () => {
+          aclRecord.isSuperAdmin = effectiveIsSuperAdmin;
+          aclRecord.featuresJson = effectiveFeatures;
+          aclRecord.organizationsJson = organizations;
+          em.persist(aclRecord);
+        }
+      ],
+      { transaction: true }
+    );
+  }
   await rbacService.invalidateUserCache(parsed.data.userId);
   try {
     const cache = container.resolve("cache");
@@ -149,16 +210,9 @@ async function PUT(req) {
     sanitized: !actorIsSuperAdmin && (hasRestrictedChanges(requestedFeatures, effectiveFeatures, existingFeatures) || requestedIsSuperAdmin !== effectiveIsSuperAdmin)
   });
 }
-function normalizeFeatureList(features) {
-  if (!Array.isArray(features)) return [];
-  const dedup = /* @__PURE__ */ new Set();
-  for (const value of features) {
-    if (typeof value !== "string") continue;
-    const trimmed = value.trim();
-    if (!trimmed) continue;
-    dedup.add(trimmed);
-  }
-  return Array.from(dedup);
+function normalizeOrganizations(organizations) {
+  if (!Array.isArray(organizations)) return null;
+  return normalizeGrantFeatureList(organizations);
 }
 function sanitizeTenantFeatures(features) {
   return features.filter((feature) => !isTenantRestrictedFeature(feature));

package/dist/modules/auth/api/users/acl/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/users/acl/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { UserAcl } from '@open-mercato/core/modules/auth/data/entities'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { assertActorCanModifySuperAdminUserTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst getSchema = z.object({ userId: z.string().uuid() })\nconst putSchema = z.object({\n  userId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst userAclResponseSchema = z.object({\n  hasCustomAcl: z.boolean(),\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n})\n\nconst userAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst userAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  if (!actorAcl?.isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const response = acl\n    ? {\n        hasCustomAcl: true,\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n      }\n    : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.userId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.user_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: auth.tenantId ?? null,\n    query: { userId: parsed.data.userId },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  const actorIsSuperAdmin = !!actorAcl?.isSuperAdmin\n\n  if (!actorIsSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const requestedFeatures = normalizeFeatureList(parsed.data.features)\n  const organizations = Array.isArray(parsed.data.organizations) ? parsed.data.organizations : null\n\n  let acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false\n  const existingFeatures = acl && Array.isArray(acl.featuresJson) ? normalizeFeatureList(acl.featuresJson) : []\n\n  const effectiveFeatures = actorIsSuperAdmin\n    ? requestedFeatures\n    : sanitizeTenantFeatures(requestedFeatures)\n\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? false\n  let effectiveIsSuperAdmin = requestedIsSuperAdmin\n\n  if (!actorIsSuperAdmin) {\n    if (requestedIsSuperAdmin && !existingIsSuperAdmin) {\n      throw forbidden('Only super administrators can grant super admin access.')\n    }\n    if (existingIsSuperAdmin && requestedIsSuperAdmin === false) {\n      effectiveIsSuperAdmin = false\n    } else {\n      effectiveIsSuperAdmin = existingIsSuperAdmin\n    }\n  }\n\n  const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0\n\n  await withAtomicFlush(em, [\n    () => {\n      if (!hasCustomAcl) {\n        if (acl) em.remove(acl)\n      } else {\n        if (!acl) {\n          acl = em.create(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n        }\n        const aclRecord = acl as any\n        aclRecord.isSuperAdmin = effectiveIsSuperAdmin\n        aclRecord.featuresJson = effectiveFeatures\n        aclRecord.organizationsJson = organizations\n        em.persist(acl)\n      }\n    },\n  ], { transaction: true })\n\n  // Invalidate cache for this user\n  await rbacService.invalidateUserCache(parsed.data.userId)\n  try {\n    const cache = container.resolve('cache') as any\n    if (cache) await cache.deleteByTags([`rbac:user:${parsed.data.userId}`])\n  } catch {}\n\n  return NextResponse.json({\n    ok: true,\n    sanitized: !actorIsSuperAdmin && (hasRestrictedChanges(requestedFeatures, effectiveFeatures, existingFeatures) || requestedIsSuperAdmin !== effectiveIsSuperAdmin),\n  })\n}\n\nfunction normalizeFeatureList(features: unknown): string[] {\n  if (!Array.isArray(features)) return []\n  const dedup = new Set<string>()\n  for (const value of features) {\n    if (typeof value !== 'string') continue\n    const trimmed = value.trim()\n    if (!trimmed) continue\n    dedup.add(trimmed)\n  }\n  return Array.from(dedup)\n}\n\nfunction sanitizeTenantFeatures(features: string[]): string[] {\n  return features.filter((feature) => !isTenantRestrictedFeature(feature))\n}\n\nfunction isTenantRestrictedFeature(feature: string): boolean {\n  if (feature === '*' || feature === 'directory.*') return true\n  if (feature.startsWith('directory.tenants')) return true\n  return false\n}\n\nfunction hasRestrictedChanges(requested: string[], effective: string[], existing: string[]): boolean {\n  if (requested.length === effective.length) return false\n  const effectiveSet = new Set(effective)\n  const existingSet = new Set(existing)\n  // If the effective set matches existing, we only trimmed restricted duplicates and should not report\n  if (effectiveSet.size === existingSet.size) {\n    let identical = true\n    for (const value of effectiveSet) {\n      if (!existingSet.has(value)) {\n        identical = false\n        break\n      }\n    }\n    if (identical) return false\n  }\n  return true\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch user ACL',\n      description: 'Returns custom ACL overrides for a user within the current tenant, if any.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'User ACL entry', schema: userAclResponseSchema },\n        { status: 400, description: 'Invalid user id', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user ACL',\n      description: 'Configures per-user ACL overrides, including super admin access, feature list, and organization scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'User ACL updated', schema: userAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: userAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,WAAW,uBAAuB;AAC3C,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAChC,SAAS,gDAAgD;AAIzD,MAAM,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AACzD,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC9C,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC7E,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,MAAI,CAAC,UAAU,gBAAgB,KAAK,KAAK;AACvC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACzG,QAAM,WAAW,MACb;AAAA,IACE,cAAc;AAAA,IACd,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,EAChF,IACA,EAAE,cAAc,OAAO,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AAElF,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,EAAE,QAAQ,OAAO,KAAK,OAAO;AAAA,IACpC,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AAEnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,QAAM,oBAAoB,CAAC,CAAC,UAAU;AAEtC,MAAI,CAAC,qBAAqB,KAAK,KAAK;AAClC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,oBAAoB,qBAAqB,OAAO,KAAK,QAAQ;AACnE,QAAM,gBAAgB,MAAM,QAAQ,OAAO,KAAK,aAAa,IAAI,OAAO,KAAK,gBAAgB;AAE7F,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACvG,QAAM,uBAAuB,MAAM,CAAC,CAAC,IAAI,eAAe;AACxD,QAAM,mBAAmB,OAAO,MAAM,QAAQ,IAAI,YAAY,IAAI,qBAAqB,IAAI,YAAY,IAAI,CAAC;AAE5G,QAAM,oBAAoB,oBACtB,oBACA,uBAAuB,iBAAiB;AAE5C,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAC1D,MAAI,wBAAwB;AAE5B,MAAI,CAAC,mBAAmB;AACtB,QAAI,yBAAyB,CAAC,sBAAsB;AAClD,YAAM,UAAU,yDAAyD;AAAA,IAC3E;AACA,QAAI,wBAAwB,0BAA0B,OAAO;AAC3D,8BAAwB;AAAA,IAC1B,OAAO;AACL,8BAAwB;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,eAAe,yBAAyB,kBAAkB,SAAS;AAEzE,QAAM,gBAAgB,IAAI;AAAA,IACxB,MAAM;AACJ,UAAI,CAAC,cAAc;AACjB,YAAI,IAAK,IAAG,OAAO,GAAG;AAAA,MACxB,OAAO;AACL,YAAI,CAAC,KAAK;AACR,gBAAM,GAAG,OAAO,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAAA,QAC9F;AACA,cAAM,YAAY;AAClB,kBAAU,eAAe;AACzB,kBAAU,eAAe;AACzB,kBAAU,oBAAoB;AAC9B,WAAG,QAAQ,GAAG;AAAA,MAChB;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AAGxB,QAAM,YAAY,oBAAoB,OAAO,KAAK,MAAM;AACxD,MAAI;AACF,UAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,QAAI,MAAO,OAAM,MAAM,aAAa,CAAC,aAAa,OAAO,KAAK,MAAM,EAAE,CAAC;AAAA,EACzE,QAAQ;AAAA,EAAC;AAET,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW,CAAC,sBAAsB,qBAAqB,mBAAmB,mBAAmB,gBAAgB,KAAK,0BAA0B;AAAA,EAC9I,CAAC;AACH;AAEA,SAAS,qBAAqB,UAA6B;AACzD,MAAI,CAAC,MAAM,QAAQ,QAAQ,EAAG,QAAO,CAAC;AACtC,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,SAAS,UAAU;AAC5B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,UAAM,IAAI,OAAO;AAAA,EACnB;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,uBAAuB,UAA8B;AAC5D,SAAO,SAAS,OAAO,CAAC,YAAY,CAAC,0BAA0B,OAAO,CAAC;AACzE;AAEA,SAAS,0BAA0B,SAA0B;AAC3D,MAAI,YAAY,OAAO,YAAY,cAAe,QAAO;AACzD,MAAI,QAAQ,WAAW,mBAAmB,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,SAAS,qBAAqB,WAAqB,WAAqB,UAA6B;AACnG,MAAI,UAAU,WAAW,UAAU,OAAQ,QAAO;AAClD,QAAM,eAAe,IAAI,IAAI,SAAS;AACtC,QAAM,cAAc,IAAI,IAAI,QAAQ;AAEpC,MAAI,aAAa,SAAS,YAAY,MAAM;AAC1C,QAAI,YAAY;AAChB,eAAW,SAAS,cAAc;AAChC,UAAI,CAAC,YAAY,IAAI,KAAK,GAAG;AAC3B,oBAAY;AACZ;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAW,QAAO;AAAA,EACxB;AACA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,MAClG;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { UserAcl } from '@open-mercato/core/modules/auth/data/entities'\nimport {\n  assertActorCanAccessUserTarget,\n  assertActorCanGrantAcl,\n  assertActorCanModifySuperAdminUserTarget,\n  normalizeGrantFeatureList,\n} from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst getSchema = z.object({ userId: z.string().uuid() })\nconst putSchema = z.object({\n  userId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst userAclResponseSchema = z.object({\n  hasCustomAcl: z.boolean(),\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n  updatedAt: z.string().nullable(),\n})\n\nconst userAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst userAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  if (!actorAcl?.isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n      await assertActorCanAccessUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const response = acl\n    ? {\n        hasCustomAcl: true,\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n        updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null,\n      }\n    : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null, updatedAt: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.userId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.user_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: auth.tenantId ?? null,\n    query: { userId: parsed.data.userId },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  const actorIsSuperAdmin = !!actorAcl?.isSuperAdmin\n\n  if (!actorIsSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n      await assertActorCanAccessUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const requestedFeatures = normalizeGrantFeatureList(parsed.data.features)\n  const organizations = normalizeOrganizations(parsed.data.organizations)\n\n  let acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  // Optimistic lock: refuse a stale per-user ACL overwrite so concurrent edits\n  // cannot silently clobber each other (#2055). Strictly additive \u2014 a no-op when\n  // the client sends no expected-version header; skipped when no ACL row exists.\n  if (acl) {\n    try {\n      enforceCommandOptimisticLock({\n        resourceKind: 'auth.user_acl',\n        resourceId: acl.id,\n        current: acl.updatedAt ?? null,\n        request: req,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false\n  const existingFeatures = acl ? normalizeGrantFeatureList(acl.featuresJson) : []\n\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? false\n\n  try {\n    await assertActorCanGrantAcl({\n      em: em as EntityManager,\n      rbacService: rbacService as RbacService,\n      actorUserId: auth.sub,\n      tenantId: auth.tenantId ?? null,\n      organizationId: auth.orgId ?? null,\n      isSuperAdmin: requestedIsSuperAdmin,\n      features: requestedFeatures,\n      organizations,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  const effectiveFeatures = actorIsSuperAdmin\n    ? requestedFeatures\n    : sanitizeTenantFeatures(requestedFeatures)\n\n  let effectiveIsSuperAdmin = requestedIsSuperAdmin\n\n  if (!actorIsSuperAdmin) {\n    if (requestedIsSuperAdmin && !existingIsSuperAdmin) {\n      throw forbidden('Only super administrators can grant super admin access.')\n    }\n    if (existingIsSuperAdmin && requestedIsSuperAdmin === false) {\n      effectiveIsSuperAdmin = false\n    } else {\n      effectiveIsSuperAdmin = existingIsSuperAdmin\n    }\n  }\n\n  const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0\n\n  // Persist the ACL mutation inside a transaction so the per-user permission\n  // write (or removal) commits atomically (proper ACL-edit transaction handling).\n  if (!hasCustomAcl) {\n    if (acl) {\n      const aclToRemove = acl\n      await withAtomicFlush(em, [() => em.remove(aclToRemove)], { transaction: true })\n    }\n  } else {\n    if (!acl) {\n      acl = em.create(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n    }\n    const aclRecord = acl as any\n    await withAtomicFlush(\n      em,\n      [\n        () => {\n          aclRecord.isSuperAdmin = effectiveIsSuperAdmin\n          aclRecord.featuresJson = effectiveFeatures\n          aclRecord.organizationsJson = organizations\n          em.persist(aclRecord)\n        },\n      ],\n      { transaction: true },\n    )\n  }\n\n  // Invalidate cache for this user\n  await rbacService.invalidateUserCache(parsed.data.userId)\n  try {\n    const cache = container.resolve('cache') as any\n    if (cache) await cache.deleteByTags([`rbac:user:${parsed.data.userId}`])\n  } catch {}\n\n  return NextResponse.json({\n    ok: true,\n    sanitized: !actorIsSuperAdmin && (hasRestrictedChanges(requestedFeatures, effectiveFeatures, existingFeatures) || requestedIsSuperAdmin !== effectiveIsSuperAdmin),\n  })\n}\n\nfunction normalizeOrganizations(organizations: unknown): string[] | null {\n  if (!Array.isArray(organizations)) return null\n  return normalizeGrantFeatureList(organizations)\n}\n\nfunction sanitizeTenantFeatures(features: string[]): string[] {\n  return features.filter((feature) => !isTenantRestrictedFeature(feature))\n}\n\nfunction isTenantRestrictedFeature(feature: string): boolean {\n  if (feature === '*' || feature === 'directory.*') return true\n  if (feature.startsWith('directory.tenants')) return true\n  return false\n}\n\nfunction hasRestrictedChanges(requested: string[], effective: string[], existing: string[]): boolean {\n  if (requested.length === effective.length) return false\n  const effectiveSet = new Set(effective)\n  const existingSet = new Set(existing)\n  // If the effective set matches existing, we only trimmed restricted duplicates and should not report\n  if (effectiveSet.size === existingSet.size) {\n    let identical = true\n    for (const value of effectiveSet) {\n      if (!existingSet.has(value)) {\n        identical = false\n        break\n      }\n    }\n    if (identical) return false\n  }\n  return true\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch user ACL',\n      description: 'Returns custom ACL overrides for a user within the current tenant, if any.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'User ACL entry', schema: userAclResponseSchema },\n        { status: 400, description: 'Invalid user id', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user ACL',\n      description: 'Configures per-user ACL overrides, including super admin access, feature list, and organization scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'User ACL updated', schema: userAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: userAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,WAAW,uBAAuB;AAC3C,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,eAAe;AACxB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIP,MAAM,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AACzD,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC5C,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC7E,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,MAAI,CAAC,UAAU,gBAAgB,KAAK,KAAK;AACvC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AACD,YAAM,+BAA+B;AAAA,QACnC;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACzG,QAAM,WAAW,MACb;AAAA,IACE,cAAc;AAAA,IACd,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,IAC9E,WAAW,IAAI,qBAAqB,OAAO,IAAI,UAAU,YAAY,IAAI;AAAA,EAC3E,IACA,EAAE,cAAc,OAAO,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,MAAM,WAAW,KAAK;AAEnG,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,EAAE,QAAQ,OAAO,KAAK,OAAO;AAAA,IACpC,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AAEnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,QAAM,oBAAoB,CAAC,CAAC,UAAU;AAEtC,MAAI,CAAC,qBAAqB,KAAK,KAAK;AAClC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AACD,YAAM,+BAA+B;AAAA,QACnC;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,oBAAoB,0BAA0B,OAAO,KAAK,QAAQ;AACxE,QAAM,gBAAgB,uBAAuB,OAAO,KAAK,aAAa;AAEtE,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAIvG,MAAI,KAAK;AACP,QAAI;AACF,mCAA6B;AAAA,QAC3B,cAAc;AAAA,QACd,YAAY,IAAI;AAAA,QAChB,SAAS,IAAI,aAAa;AAAA,QAC1B,SAAS;AAAA,MACX,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,uBAAuB,MAAM,CAAC,CAAC,IAAI,eAAe;AACxD,QAAM,mBAAmB,MAAM,0BAA0B,IAAI,YAAY,IAAI,CAAC;AAE9E,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAE1D,MAAI;AACF,UAAM,uBAAuB;AAAA,MAC3B;AAAA,MACA;AAAA,MACA,aAAa,KAAK;AAAA,MAClB,UAAU,KAAK,YAAY;AAAA,MAC3B,gBAAgB,KAAK,SAAS;AAAA,MAC9B,cAAc;AAAA,MACd,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAEA,QAAM,oBAAoB,oBACtB,oBACA,uBAAuB,iBAAiB;AAE5C,MAAI,wBAAwB;AAE5B,MAAI,CAAC,mBAAmB;AACtB,QAAI,yBAAyB,CAAC,sBAAsB;AAClD,YAAM,UAAU,yDAAyD;AAAA,IAC3E;AACA,QAAI,wBAAwB,0BAA0B,OAAO;AAC3D,8BAAwB;AAAA,IAC1B,OAAO;AACL,8BAAwB;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,eAAe,yBAAyB,kBAAkB,SAAS;AAIzE,MAAI,CAAC,cAAc;AACjB,QAAI,KAAK;AACP,YAAM,cAAc;AACpB,YAAM,gBAAgB,IAAI,CAAC,MAAM,GAAG,OAAO,WAAW,CAAC,GAAG,EAAE,aAAa,KAAK,CAAC;AAAA,IACjF;AAAA,EACF,OAAO;AACL,QAAI,CAAC,KAAK;AACR,YAAM,GAAG,OAAO,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAAA,IAC9F;AACA,UAAM,YAAY;AAClB,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,QACE,MAAM;AACJ,oBAAU,eAAe;AACzB,oBAAU,eAAe;AACzB,oBAAU,oBAAoB;AAC9B,aAAG,QAAQ,SAAS;AAAA,QACtB;AAAA,MACF;AAAA,MACA,EAAE,aAAa,KAAK;AAAA,IACtB;AAAA,EACF;AAGA,QAAM,YAAY,oBAAoB,OAAO,KAAK,MAAM;AACxD,MAAI;AACF,UAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,QAAI,MAAO,OAAM,MAAM,aAAa,CAAC,aAAa,OAAO,KAAK,MAAM,EAAE,CAAC;AAAA,EACzE,QAAQ;AAAA,EAAC;AAET,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW,CAAC,sBAAsB,qBAAqB,mBAAmB,mBAAmB,gBAAgB,KAAK,0BAA0B;AAAA,EAC9I,CAAC;AACH;AAEA,SAAS,uBAAuB,eAAyC;AACvE,MAAI,CAAC,MAAM,QAAQ,aAAa,EAAG,QAAO;AAC1C,SAAO,0BAA0B,aAAa;AAChD;AAEA,SAAS,uBAAuB,UAA8B;AAC5D,SAAO,SAAS,OAAO,CAAC,YAAY,CAAC,0BAA0B,OAAO,CAAC;AACzE;AAEA,SAAS,0BAA0B,SAA0B;AAC3D,MAAI,YAAY,OAAO,YAAY,cAAe,QAAO;AACzD,MAAI,QAAQ,WAAW,mBAAmB,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,SAAS,qBAAqB,WAAqB,WAAqB,UAA6B;AACnG,MAAI,UAAU,WAAW,UAAU,OAAQ,QAAO;AAClD,QAAM,eAAe,IAAI,IAAI,SAAS;AACtC,QAAM,cAAc,IAAI,IAAI,QAAQ;AAEpC,MAAI,aAAa,SAAS,YAAY,MAAM;AAC1C,QAAI,YAAY;AAChB,eAAW,SAAS,cAAc;AAChC,UAAI,CAAC,YAAY,IAAI,KAAK,GAAG;AAC3B,oBAAY;AACZ;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAW,QAAO;AAAA,EACxB;AACA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,MAClG;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/users/consents/route.js CHANGED Viewed

@@ -4,6 +4,8 @@ import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { UserConsent } from "@open-mercato/core/modules/auth/data/entities";
 import { verifyConsentIntegrityHash } from "@open-mercato/core/modules/auth/lib/consentIntegrity";
+import { assertActorCanAccessUserTarget } from "@open-mercato/core/modules/auth/lib/grantChecks";
+import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
 import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
 const metadata = {
   path: "/auth/users/consents",
@@ -29,6 +31,21 @@ async function GET(req) {
   const em = container.resolve("em");
   const tenantId = auth.tenantId ?? null;
   const organizationId = auth.orgId ?? null;
+  if (auth.sub) {
+    try {
+      await assertActorCanAccessUserTarget({
+        em,
+        rbacService: container.resolve("rbacService"),
+        actorUserId: auth.sub,
+        tenantId,
+        organizationId,
+        targetUserId: parsed.data.userId
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  }
   const consents = await findWithDecryption(
     em,
     UserConsent,

package/dist/modules/auth/api/users/consents/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/users/consents/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { UserConsent } from '@open-mercato/core/modules/auth/data/entities'\nimport { verifyConsentIntegrityHash } from '@open-mercato/core/modules/auth/lib/consentIntegrity'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { ConsentItem } from '@open-mercato/core/modules/auth/lib/consentTypes'\nimport type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\n\nexport const metadata = {\n  path: '/auth/users/consents',\n  GET: {\n    requireAuth: true,\n    requireFeatures: ['auth.users.edit'],\n  },\n}\n\nconst querySchema = z.object({\n  userId: z.string().uuid(),\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const url = new URL(req.url)\n  const parsed = querySchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Invalid userId' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const tenantId = auth.tenantId ?? null\n  const organizationId = auth.orgId ?? null\n  const consents = await findWithDecryption(\n    em,\n    UserConsent,\n    {\n      userId: parsed.data.userId,\n      deletedAt: null,\n      ...(tenantId ? { tenantId } : {}),\n      ...(organizationId ? { organizationId } : {}),\n    },\n    { orderBy: { createdAt: 'DESC' } },\n    { tenantId, organizationId },\n  )\n\n  const items: ConsentItem[] = consents.map((c) => ({\n    id: c.id,\n    consentType: c.consentType,\n    isGranted: c.isGranted,\n    grantedAt: c.grantedAt?.toISOString() ?? null,\n    withdrawnAt: c.withdrawnAt?.toISOString() ?? null,\n    source: c.source ?? null,\n    ipAddress: c.ipAddress ?? null,\n    integrityValid: verifyConsentIntegrityHash({\n      userId: c.userId,\n      consentType: c.consentType,\n      isGranted: c.isGranted,\n      grantedAt: c.grantedAt,\n      withdrawnAt: c.withdrawnAt,\n      ipAddress: c.ipAddress,\n      source: c.source,\n    }, c.integrityHash),\n    createdAt: c.createdAt.toISOString(),\n    updatedAt: c.updatedAt?.toISOString() ?? null,\n  }))\n\n  return NextResponse.json({ ok: true, items })\n}\n\nexport default GET\n\nconst consentsGetDoc: OpenApiMethodDoc = {\n  summary: 'List user consents',\n  description: 'Returns all consent records for a given user, with integrity verification status.',\n  tags: ['Auth'],\n  query: querySchema,\n  responses: [\n    { status: 200, description: 'Consent list returned' },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Auth',\n  summary: 'User consents',\n  methods: {\n    GET: consentsGetDoc,\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,mBAAmB;AAC5B,SAAS,kCAAkC;AAC3C,SAAS,0BAA0B;AAI5B,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK;AAAA,IACH,aAAa;AAAA,IACb,iBAAiB,CAAC,iBAAiB;AAAA,EACrC;AACF;AAEA,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,QAAQ,EAAE,OAAO,EAAE,KAAK;AAC1B,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAChF;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,YAAY,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC/E,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,iBAAiB,KAAK,SAAS;AACrC,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA;AAAA,MACE,QAAQ,OAAO,KAAK;AAAA,MACpB,WAAW;AAAA,MACX,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,MAC/B,GAAI,iBAAiB,EAAE,eAAe,IAAI,CAAC;AAAA,IAC7C;AAAA,IACA,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE;AAAA,IACjC,EAAE,UAAU,eAAe;AAAA,EAC7B;AAEA,QAAM,QAAuB,SAAS,IAAI,CAAC,OAAO;AAAA,IAChD,IAAI,EAAE;AAAA,IACN,aAAa,EAAE;AAAA,IACf,WAAW,EAAE;AAAA,IACb,WAAW,EAAE,WAAW,YAAY,KAAK;AAAA,IACzC,aAAa,EAAE,aAAa,YAAY,KAAK;AAAA,IAC7C,QAAQ,EAAE,UAAU;AAAA,IACpB,WAAW,EAAE,aAAa;AAAA,IAC1B,gBAAgB,2BAA2B;AAAA,MACzC,QAAQ,EAAE;AAAA,MACV,aAAa,EAAE;AAAA,MACf,WAAW,EAAE;AAAA,MACb,WAAW,EAAE;AAAA,MACb,aAAa,EAAE;AAAA,MACf,WAAW,EAAE;AAAA,MACb,QAAQ,EAAE;AAAA,IACZ,GAAG,EAAE,aAAa;AAAA,IAClB,WAAW,EAAE,UAAU,YAAY;AAAA,IACnC,WAAW,EAAE,WAAW,YAAY,KAAK;AAAA,EAC3C,EAAE;AAEF,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,MAAM,CAAC;AAC9C;AAEA,IAAO,gBAAQ;AAEf,MAAM,iBAAmC;AAAA,EACvC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,MAAM;AAAA,EACb,OAAO;AAAA,EACP,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,wBAAwB;AAAA,EACtD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,EACP;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { UserConsent } from '@open-mercato/core/modules/auth/data/entities'\nimport { verifyConsentIntegrityHash } from '@open-mercato/core/modules/auth/lib/consentIntegrity'\nimport { assertActorCanAccessUserTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { ConsentItem } from '@open-mercato/core/modules/auth/lib/consentTypes'\nimport type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\n\nexport const metadata = {\n  path: '/auth/users/consents',\n  GET: {\n    requireAuth: true,\n    requireFeatures: ['auth.users.edit'],\n  },\n}\n\nconst querySchema = z.object({\n  userId: z.string().uuid(),\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const url = new URL(req.url)\n  const parsed = querySchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Invalid userId' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const tenantId = auth.tenantId ?? null\n  const organizationId = auth.orgId ?? null\n\n  if (auth.sub) {\n    try {\n      await assertActorCanAccessUserTarget({\n        em,\n        rbacService: container.resolve('rbacService') as RbacService,\n        actorUserId: auth.sub,\n        tenantId,\n        organizationId,\n        targetUserId: parsed.data.userId,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const consents = await findWithDecryption(\n    em,\n    UserConsent,\n    {\n      userId: parsed.data.userId,\n      deletedAt: null,\n      ...(tenantId ? { tenantId } : {}),\n      ...(organizationId ? { organizationId } : {}),\n    },\n    { orderBy: { createdAt: 'DESC' } },\n    { tenantId, organizationId },\n  )\n\n  const items: ConsentItem[] = consents.map((c) => ({\n    id: c.id,\n    consentType: c.consentType,\n    isGranted: c.isGranted,\n    grantedAt: c.grantedAt?.toISOString() ?? null,\n    withdrawnAt: c.withdrawnAt?.toISOString() ?? null,\n    source: c.source ?? null,\n    ipAddress: c.ipAddress ?? null,\n    integrityValid: verifyConsentIntegrityHash({\n      userId: c.userId,\n      consentType: c.consentType,\n      isGranted: c.isGranted,\n      grantedAt: c.grantedAt,\n      withdrawnAt: c.withdrawnAt,\n      ipAddress: c.ipAddress,\n      source: c.source,\n    }, c.integrityHash),\n    createdAt: c.createdAt.toISOString(),\n    updatedAt: c.updatedAt?.toISOString() ?? null,\n  }))\n\n  return NextResponse.json({ ok: true, items })\n}\n\nexport default GET\n\nconst consentsGetDoc: OpenApiMethodDoc = {\n  summary: 'List user consents',\n  description: 'Returns all consent records for a given user, with integrity verification status.',\n  tags: ['Auth'],\n  query: querySchema,\n  responses: [\n    { status: 200, description: 'Consent list returned' },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Auth',\n  summary: 'User consents',\n  methods: {\n    GET: consentsGetDoc,\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,mBAAmB;AAC5B,SAAS,kCAAkC;AAC3C,SAAS,sCAAsC;AAE/C,SAAS,uBAAuB;AAChC,SAAS,0BAA0B;AAI5B,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK;AAAA,IACH,aAAa;AAAA,IACb,iBAAiB,CAAC,iBAAiB;AAAA,EACrC;AACF;AAEA,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,QAAQ,EAAE,OAAO,EAAE,KAAK;AAC1B,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAChF;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,YAAY,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC/E,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,iBAAiB,KAAK,SAAS;AAErC,MAAI,KAAK,KAAK;AACZ,QAAI;AACF,YAAM,+BAA+B;AAAA,QACnC;AAAA,QACA,aAAa,UAAU,QAAQ,aAAa;AAAA,QAC5C,aAAa,KAAK;AAAA,QAClB;AAAA,QACA;AAAA,QACA,cAAc,OAAO,KAAK;AAAA,MAC5B,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA;AAAA,MACE,QAAQ,OAAO,KAAK;AAAA,MACpB,WAAW;AAAA,MACX,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,MAC/B,GAAI,iBAAiB,EAAE,eAAe,IAAI,CAAC;AAAA,IAC7C;AAAA,IACA,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE;AAAA,IACjC,EAAE,UAAU,eAAe;AAAA,EAC7B;AAEA,QAAM,QAAuB,SAAS,IAAI,CAAC,OAAO;AAAA,IAChD,IAAI,EAAE;AAAA,IACN,aAAa,EAAE;AAAA,IACf,WAAW,EAAE;AAAA,IACb,WAAW,EAAE,WAAW,YAAY,KAAK;AAAA,IACzC,aAAa,EAAE,aAAa,YAAY,KAAK;AAAA,IAC7C,QAAQ,EAAE,UAAU;AAAA,IACpB,WAAW,EAAE,aAAa;AAAA,IAC1B,gBAAgB,2BAA2B;AAAA,MACzC,QAAQ,EAAE;AAAA,MACV,aAAa,EAAE;AAAA,MACf,WAAW,EAAE;AAAA,MACb,WAAW,EAAE;AAAA,MACb,aAAa,EAAE;AAAA,MACf,WAAW,EAAE;AAAA,MACb,QAAQ,EAAE;AAAA,IACZ,GAAG,EAAE,aAAa;AAAA,IAClB,WAAW,EAAE,UAAU,YAAY;AAAA,IACnC,WAAW,EAAE,WAAW,YAAY,KAAK;AAAA,EAC3C,EAAE;AAEF,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,MAAM,CAAC;AAC9C;AAEA,IAAO,gBAAQ;AAEf,MAAM,iBAAmC;AAAA,EACvC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,MAAM;AAAA,EACb,OAAO;AAAA,EACP,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,wBAAwB;AAAA,EACtD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,EACP;AACF;",
   "names": []
 }

package/dist/modules/auth/api/users/resend-invite/route.js CHANGED Viewed

@@ -14,6 +14,8 @@ import { validateCrudMutationGuard, runCrudMutationGuardAfterSuccess } from "@op
 import { INVITE_TOKEN_TTL_MS } from "@open-mercato/core/modules/auth/lib/inviteToken";
 import { getSecurityEmailBaseUrl, mapSecurityEmailUrlError } from "@open-mercato/shared/lib/url";
 import { generateAuthToken, hashAuthToken } from "@open-mercato/core/modules/auth/lib/tokenHash";
+import { assertActorCanAccessUserTarget } from "@open-mercato/core/modules/auth/lib/grantChecks";
+import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
 const resendInviteRateLimitConfig = readEndpointRateLimitConfig("RESEND_INVITE", {
   points: 3,
   duration: 300,
@@ -67,6 +69,22 @@ async function POST(req) {
   } catch (err) {
     console.error("[auth.users.resend-invite] Failed to resolve rbac:", err);
   }
+  if (auth.sub) {
+    try {
+      await assertActorCanAccessUserTarget({
+        em,
+        rbacService: container.resolve("rbacService"),
+        actorUserId: auth.sub,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        targetUserId: parsed.data.id,
+        actorIsSuperAdmin: isSuperAdmin
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  }
   const where = { id: parsed.data.id, deletedAt: null };
   if (!isSuperAdmin) {
     if (!auth.tenantId) return NextResponse.json({ error: "User not found" }, { status: 404 });

package/dist/modules/auth/api/users/resend-invite/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/users/resend-invite/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { sendEmail } from '@open-mercato/shared/lib/email/send'\nimport InviteUserEmail from '@open-mercato/core/modules/auth/emails/InviteUserEmail'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'\nimport { rateLimitErrorSchema } from '@open-mercato/shared/lib/ratelimit/helpers'\nimport { readEndpointRateLimitConfig } from '@open-mercato/shared/lib/ratelimit/config'\nimport { checkAuthRateLimit } from '@open-mercato/core/modules/auth/lib/rateLimitCheck'\nimport { validateCrudMutationGuard, runCrudMutationGuardAfterSuccess } from '@open-mercato/shared/lib/crud/mutation-guard'\nimport { INVITE_TOKEN_TTL_MS } from '@open-mercato/core/modules/auth/lib/inviteToken'\nimport { getSecurityEmailBaseUrl, mapSecurityEmailUrlError } from '@open-mercato/shared/lib/url'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst resendInviteRateLimitConfig = readEndpointRateLimitConfig('RESEND_INVITE', {\n  points: 3, duration: 300, blockDuration: 300, keyPrefix: 'resend-invite',\n})\n\nconst requestSchema = z.object({\n  id: z.string().uuid(),\n})\n\nconst responseSchema = z.object({\n  ok: z.literal(true),\n})\n\nconst errorSchema = z.object({\n  error: z.string(),\n})\n\nconst validationErrorSchema = z.object({\n  error: z.string(),\n  fieldErrors: z.record(z.string(), z.array(z.string())).optional(),\n})\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { error: rateLimitError } = await checkAuthRateLimit({\n    req,\n    ipConfig: resendInviteRateLimitConfig,\n  })\n  if (rateLimitError) return rateLimitError\n\n  const body = await readJsonSafe(req, {})\n  const parsed = requestSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json(\n      { error: 'Validation failed', fieldErrors: parsed.error.flatten().fieldErrors },\n      { status: 422 },\n    )\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n\n  let isSuperAdmin = false\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as {\n        loadAcl: (userId: string, scope: { tenantId: string | null; organizationId: string | null }) => Promise<{ isSuperAdmin?: boolean } | null>\n      }\n      const acl = await rbacService.loadAcl(auth.sub, {\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n      })\n      isSuperAdmin = !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('[auth.users.resend-invite] Failed to resolve rbac:', err)\n  }\n\n  const where: Record<string, unknown> = { id: parsed.data.id, deletedAt: null }\n  if (!isSuperAdmin) {\n    if (!auth.tenantId) return NextResponse.json({ error: 'User not found' }, { status: 404 })\n    where.tenantId = auth.tenantId\n  }\n\n  const user = await em.findOne(User, where as any)\n  if (!user) return NextResponse.json({ error: 'User not found' }, { status: 404 })\n\n  if (user.passwordHash) {\n    return NextResponse.json({ error: 'User already has a password' }, { status: 409 })\n  }\n\n  const guardResult = await validateCrudMutationGuard(container, {\n    tenantId: user.tenantId ? String(user.tenantId) : auth.tenantId ?? '',\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    userId: auth.sub ?? '',\n    resourceKind: 'auth.user',\n    resourceId: String(user.id),\n    operation: 'custom',\n    requestMethod: 'POST',\n    requestHeaders: req.headers,\n  })\n  if (guardResult && !guardResult.ok) {\n    return NextResponse.json(guardResult.body, { status: guardResult.status })\n  }\n\n  let base: string\n  try {\n    base = getSecurityEmailBaseUrl(req.url)\n  } catch (error) {\n    const mapped = mapSecurityEmailUrlError(error, {\n      scope: 'auth.users.resend-invite',\n      configMessage: 'Invitation email is not configured',\n    })\n    if (mapped) return NextResponse.json(mapped.body, { status: mapped.status })\n    throw error\n  }\n\n  await em.nativeUpdate(\n    PasswordReset,\n    { user: user.id, usedAt: null } as any,\n    { usedAt: new Date() },\n  )\n\n  const rawToken = generateAuthToken()\n  const tokenHash = hashAuthToken(rawToken)\n  const expiresAt = new Date(Date.now() + INVITE_TOKEN_TTL_MS)\n  const row = em.create(PasswordReset, { user, token: tokenHash, expiresAt, createdAt: new Date() })\n  await em.persist(row).flush()\n\n  const inviteUrl = `${base}/reset/${rawToken}`\n\n  const { translate } = await resolveTranslations()\n  const subject = translate('auth.email.invite.subject', 'You have been invited')\n  const copy = {\n    preview: translate('auth.email.invite.preview', 'Set up your account'),\n    title: translate('auth.email.invite.title', 'You have been invited'),\n    body: translate('auth.email.invite.body', 'An administrator has created an account for you. Click the link below to set your password. This link will expire in 48 hours.'),\n    cta: translate('auth.email.invite.cta', 'Set up your password'),\n    hint: translate('auth.email.invite.hint', 'If you did not expect this invitation, you can safely ignore this email.'),\n  }\n\n  let emailSent = true\n  try {\n    await sendEmail({ to: user.email, subject, react: InviteUserEmail({ inviteUrl, copy }) })\n  } catch (err) {\n    console.error('[auth.users.resend-invite] Failed to send invitation email:', err)\n    emailSent = false\n  }\n\n  if (guardResult?.shouldRunAfterSuccess) {\n    await runCrudMutationGuardAfterSuccess(container, {\n      tenantId: user.tenantId ? String(user.tenantId) : auth.tenantId ?? '',\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      userId: auth.sub ?? '',\n      resourceKind: 'auth.user',\n      resourceId: String(user.id),\n      operation: 'custom',\n      requestMethod: 'POST',\n      requestHeaders: req.headers,\n      metadata: guardResult.metadata,\n    })\n  }\n\n  if (!emailSent) {\n    return NextResponse.json({ ok: true, warning: 'invite_email_failed' })\n  }\n\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Resend user invite',\n  methods: {\n    POST: {\n      summary: 'Resend invitation email',\n      description: 'Resends the invitation email to a user who has not yet set up their password. Generates a new 48-hour setup token and invalidates prior tokens.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: requestSchema,\n      },\n      responses: [\n        { status: 200, description: 'Invite email sent', schema: responseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid request origin', schema: errorSchema },\n        { status: 404, description: 'User not found', schema: errorSchema },\n        { status: 409, description: 'User already has a password', schema: errorSchema },\n        { status: 422, description: 'Validation error', schema: validationErrorSchema },\n        { status: 429, description: 'Rate limit exceeded', schema: rateLimitErrorSchema },\n        { status: 500, description: 'Invitation email origin is not configured', schema: errorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,qBAAqB;AACpC,SAAS,iBAAiB;AAC1B,OAAO,qBAAqB;AAC5B,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,4BAA4B;AACrC,SAAS,mCAAmC;AAC5C,SAAS,0BAA0B;AACnC,SAAS,2BAA2B,wCAAwC;AAC5E,SAAS,2BAA2B;AACpC,SAAS,yBAAyB,gCAAgC;AAClE,SAAS,mBAAmB,qBAAqB;AAGjD,MAAM,8BAA8B,4BAA4B,iBAAiB;AAAA,EAC/E,QAAQ;AAAA,EAAG,UAAU;AAAA,EAAK,eAAe;AAAA,EAAK,WAAW;AAC3D,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,IAAI,EAAE,OAAO,EAAE,KAAK;AACtB,CAAC;AAED,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAED,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,SAAS;AAClE,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,EAAE,OAAO,eAAe,IAAI,MAAM,mBAAmB;AAAA,IACzD;AAAA,IACA,UAAU;AAAA,EACZ,CAAC;AACD,MAAI,eAAgB,QAAO;AAE3B,QAAM,OAAO,MAAM,aAAa,KAAK,CAAC,CAAC;AACvC,QAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,qBAAqB,aAAa,OAAO,MAAM,QAAQ,EAAE,YAAY;AAAA,MAC9E,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AAGnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK;AAAA,QAC9C,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,MAChC,CAAC;AACD,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,sDAAsD,GAAG;AAAA,EACzE;AAEA,QAAM,QAAiC,EAAE,IAAI,OAAO,KAAK,IAAI,WAAW,KAAK;AAC7E,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,KAAK,SAAU,QAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,UAAM,WAAW,KAAK;AAAA,EACxB;AAEA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,KAAY;AAChD,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAEhF,MAAI,KAAK,cAAc;AACrB,WAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpF;AAEA,QAAM,cAAc,MAAM,0BAA0B,WAAW;AAAA,IAC7D,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,KAAK,YAAY;AAAA,IACnE,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,QAAQ,KAAK,OAAO;AAAA,IACpB,cAAc;AAAA,IACd,YAAY,OAAO,KAAK,EAAE;AAAA,IAC1B,WAAW;AAAA,IACX,eAAe;AAAA,IACf,gBAAgB,IAAI;AAAA,EACtB,CAAC;AACD,MAAI,eAAe,CAAC,YAAY,IAAI;AAClC,WAAO,aAAa,KAAK,YAAY,MAAM,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EAC3E;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,wBAAwB,IAAI,GAAG;AAAA,EACxC,SAAS,OAAO;AACd,UAAM,SAAS,yBAAyB,OAAO;AAAA,MAC7C,OAAO;AAAA,MACP,eAAe;AAAA,IACjB,CAAC;AACD,QAAI,OAAQ,QAAO,aAAa,KAAK,OAAO,MAAM,EAAE,QAAQ,OAAO,OAAO,CAAC;AAC3E,UAAM;AAAA,EACR;AAEA,QAAM,GAAG;AAAA,IACP;AAAA,IACA,EAAE,MAAM,KAAK,IAAI,QAAQ,KAAK;AAAA,IAC9B,EAAE,QAAQ,oBAAI,KAAK,EAAE;AAAA,EACvB;AAEA,QAAM,WAAW,kBAAkB;AACnC,QAAM,YAAY,cAAc,QAAQ;AACxC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,mBAAmB;AAC3D,QAAM,MAAM,GAAG,OAAO,eAAe,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAC;AACjG,QAAM,GAAG,QAAQ,GAAG,EAAE,MAAM;AAE5B,QAAM,YAAY,GAAG,IAAI,UAAU,QAAQ;AAE3C,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,6BAA6B,uBAAuB;AAC9E,QAAM,OAAO;AAAA,IACX,SAAS,UAAU,6BAA6B,qBAAqB;AAAA,IACrE,OAAO,UAAU,2BAA2B,uBAAuB;AAAA,IACnE,MAAM,UAAU,0BAA0B,gIAAgI;AAAA,IAC1K,KAAK,UAAU,yBAAyB,sBAAsB;AAAA,IAC9D,MAAM,UAAU,0BAA0B,0EAA0E;AAAA,EACtH;AAEA,MAAI,YAAY;AAChB,MAAI;AACF,UAAM,UAAU,EAAE,IAAI,KAAK,OAAO,SAAS,OAAO,gBAAgB,EAAE,WAAW,KAAK,CAAC,EAAE,CAAC;AAAA,EAC1F,SAAS,KAAK;AACZ,YAAQ,MAAM,+DAA+D,GAAG;AAChF,gBAAY;AAAA,EACd;AAEA,MAAI,aAAa,uBAAuB;AACtC,UAAM,iCAAiC,WAAW;AAAA,MAChD,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,KAAK,YAAY;AAAA,MACnE,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,QAAQ,KAAK,OAAO;AAAA,MACpB,cAAc;AAAA,MACd,YAAY,OAAO,KAAK,EAAE;AAAA,MAC1B,WAAW;AAAA,MACX,eAAe;AAAA,MACf,gBAAgB,IAAI;AAAA,MACpB,UAAU,YAAY;AAAA,IACxB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,MAAM,SAAS,sBAAsB,CAAC;AAAA,EACvE;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,eAAe;AAAA,MAC1E;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,YAAY;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,QAClE,EAAE,QAAQ,KAAK,aAAa,+BAA+B,QAAQ,YAAY;AAAA,QAC/E,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,sBAAsB;AAAA,QAC9E,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,qBAAqB;AAAA,QAChF,EAAE,QAAQ,KAAK,aAAa,6CAA6C,QAAQ,YAAY;AAAA,MAC/F;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { sendEmail } from '@open-mercato/shared/lib/email/send'\nimport InviteUserEmail from '@open-mercato/core/modules/auth/emails/InviteUserEmail'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'\nimport { rateLimitErrorSchema } from '@open-mercato/shared/lib/ratelimit/helpers'\nimport { readEndpointRateLimitConfig } from '@open-mercato/shared/lib/ratelimit/config'\nimport { checkAuthRateLimit } from '@open-mercato/core/modules/auth/lib/rateLimitCheck'\nimport { validateCrudMutationGuard, runCrudMutationGuardAfterSuccess } from '@open-mercato/shared/lib/crud/mutation-guard'\nimport { INVITE_TOKEN_TTL_MS } from '@open-mercato/core/modules/auth/lib/inviteToken'\nimport { getSecurityEmailBaseUrl, mapSecurityEmailUrlError } from '@open-mercato/shared/lib/url'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport { assertActorCanAccessUserTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst resendInviteRateLimitConfig = readEndpointRateLimitConfig('RESEND_INVITE', {\n  points: 3, duration: 300, blockDuration: 300, keyPrefix: 'resend-invite',\n})\n\nconst requestSchema = z.object({\n  id: z.string().uuid(),\n})\n\nconst responseSchema = z.object({\n  ok: z.literal(true),\n})\n\nconst errorSchema = z.object({\n  error: z.string(),\n})\n\nconst validationErrorSchema = z.object({\n  error: z.string(),\n  fieldErrors: z.record(z.string(), z.array(z.string())).optional(),\n})\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { error: rateLimitError } = await checkAuthRateLimit({\n    req,\n    ipConfig: resendInviteRateLimitConfig,\n  })\n  if (rateLimitError) return rateLimitError\n\n  const body = await readJsonSafe(req, {})\n  const parsed = requestSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json(\n      { error: 'Validation failed', fieldErrors: parsed.error.flatten().fieldErrors },\n      { status: 422 },\n    )\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n\n  let isSuperAdmin = false\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as {\n        loadAcl: (userId: string, scope: { tenantId: string | null; organizationId: string | null }) => Promise<{ isSuperAdmin?: boolean } | null>\n      }\n      const acl = await rbacService.loadAcl(auth.sub, {\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n      })\n      isSuperAdmin = !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('[auth.users.resend-invite] Failed to resolve rbac:', err)\n  }\n\n  if (auth.sub) {\n    try {\n      await assertActorCanAccessUserTarget({\n        em,\n        rbacService: container.resolve('rbacService') as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.id,\n        actorIsSuperAdmin: isSuperAdmin,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const where: Record<string, unknown> = { id: parsed.data.id, deletedAt: null }\n  if (!isSuperAdmin) {\n    if (!auth.tenantId) return NextResponse.json({ error: 'User not found' }, { status: 404 })\n    where.tenantId = auth.tenantId\n  }\n\n  const user = await em.findOne(User, where as any)\n  if (!user) return NextResponse.json({ error: 'User not found' }, { status: 404 })\n\n  if (user.passwordHash) {\n    return NextResponse.json({ error: 'User already has a password' }, { status: 409 })\n  }\n\n  const guardResult = await validateCrudMutationGuard(container, {\n    tenantId: user.tenantId ? String(user.tenantId) : auth.tenantId ?? '',\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    userId: auth.sub ?? '',\n    resourceKind: 'auth.user',\n    resourceId: String(user.id),\n    operation: 'custom',\n    requestMethod: 'POST',\n    requestHeaders: req.headers,\n  })\n  if (guardResult && !guardResult.ok) {\n    return NextResponse.json(guardResult.body, { status: guardResult.status })\n  }\n\n  let base: string\n  try {\n    base = getSecurityEmailBaseUrl(req.url)\n  } catch (error) {\n    const mapped = mapSecurityEmailUrlError(error, {\n      scope: 'auth.users.resend-invite',\n      configMessage: 'Invitation email is not configured',\n    })\n    if (mapped) return NextResponse.json(mapped.body, { status: mapped.status })\n    throw error\n  }\n\n  await em.nativeUpdate(\n    PasswordReset,\n    { user: user.id, usedAt: null } as any,\n    { usedAt: new Date() },\n  )\n\n  const rawToken = generateAuthToken()\n  const tokenHash = hashAuthToken(rawToken)\n  const expiresAt = new Date(Date.now() + INVITE_TOKEN_TTL_MS)\n  const row = em.create(PasswordReset, { user, token: tokenHash, expiresAt, createdAt: new Date() })\n  await em.persist(row).flush()\n\n  const inviteUrl = `${base}/reset/${rawToken}`\n\n  const { translate } = await resolveTranslations()\n  const subject = translate('auth.email.invite.subject', 'You have been invited')\n  const copy = {\n    preview: translate('auth.email.invite.preview', 'Set up your account'),\n    title: translate('auth.email.invite.title', 'You have been invited'),\n    body: translate('auth.email.invite.body', 'An administrator has created an account for you. Click the link below to set your password. This link will expire in 48 hours.'),\n    cta: translate('auth.email.invite.cta', 'Set up your password'),\n    hint: translate('auth.email.invite.hint', 'If you did not expect this invitation, you can safely ignore this email.'),\n  }\n\n  let emailSent = true\n  try {\n    await sendEmail({ to: user.email, subject, react: InviteUserEmail({ inviteUrl, copy }) })\n  } catch (err) {\n    console.error('[auth.users.resend-invite] Failed to send invitation email:', err)\n    emailSent = false\n  }\n\n  if (guardResult?.shouldRunAfterSuccess) {\n    await runCrudMutationGuardAfterSuccess(container, {\n      tenantId: user.tenantId ? String(user.tenantId) : auth.tenantId ?? '',\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      userId: auth.sub ?? '',\n      resourceKind: 'auth.user',\n      resourceId: String(user.id),\n      operation: 'custom',\n      requestMethod: 'POST',\n      requestHeaders: req.headers,\n      metadata: guardResult.metadata,\n    })\n  }\n\n  if (!emailSent) {\n    return NextResponse.json({ ok: true, warning: 'invite_email_failed' })\n  }\n\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Resend user invite',\n  methods: {\n    POST: {\n      summary: 'Resend invitation email',\n      description: 'Resends the invitation email to a user who has not yet set up their password. Generates a new 48-hour setup token and invalidates prior tokens.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: requestSchema,\n      },\n      responses: [\n        { status: 200, description: 'Invite email sent', schema: responseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid request origin', schema: errorSchema },\n        { status: 404, description: 'User not found', schema: errorSchema },\n        { status: 409, description: 'User already has a password', schema: errorSchema },\n        { status: 422, description: 'Validation error', schema: validationErrorSchema },\n        { status: 429, description: 'Rate limit exceeded', schema: rateLimitErrorSchema },\n        { status: 500, description: 'Invitation email origin is not configured', schema: errorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,qBAAqB;AACpC,SAAS,iBAAiB;AAC1B,OAAO,qBAAqB;AAC5B,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,4BAA4B;AACrC,SAAS,mCAAmC;AAC5C,SAAS,0BAA0B;AACnC,SAAS,2BAA2B,wCAAwC;AAC5E,SAAS,2BAA2B;AACpC,SAAS,yBAAyB,gCAAgC;AAClE,SAAS,mBAAmB,qBAAqB;AACjD,SAAS,sCAAsC;AAE/C,SAAS,uBAAuB;AAGhC,MAAM,8BAA8B,4BAA4B,iBAAiB;AAAA,EAC/E,QAAQ;AAAA,EAAG,UAAU;AAAA,EAAK,eAAe;AAAA,EAAK,WAAW;AAC3D,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,IAAI,EAAE,OAAO,EAAE,KAAK;AACtB,CAAC;AAED,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAED,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,SAAS;AAClE,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,EAAE,OAAO,eAAe,IAAI,MAAM,mBAAmB;AAAA,IACzD;AAAA,IACA,UAAU;AAAA,EACZ,CAAC;AACD,MAAI,eAAgB,QAAO;AAE3B,QAAM,OAAO,MAAM,aAAa,KAAK,CAAC,CAAC;AACvC,QAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,qBAAqB,aAAa,OAAO,MAAM,QAAQ,EAAE,YAAY;AAAA,MAC9E,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AAGnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK;AAAA,QAC9C,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,MAChC,CAAC;AACD,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,sDAAsD,GAAG;AAAA,EACzE;AAEA,MAAI,KAAK,KAAK;AACZ,QAAI;AACF,YAAM,+BAA+B;AAAA,QACnC;AAAA,QACA,aAAa,UAAU,QAAQ,aAAa;AAAA,QAC5C,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,QAAiC,EAAE,IAAI,OAAO,KAAK,IAAI,WAAW,KAAK;AAC7E,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,KAAK,SAAU,QAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,UAAM,WAAW,KAAK;AAAA,EACxB;AAEA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,KAAY;AAChD,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAEhF,MAAI,KAAK,cAAc;AACrB,WAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpF;AAEA,QAAM,cAAc,MAAM,0BAA0B,WAAW;AAAA,IAC7D,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,KAAK,YAAY;AAAA,IACnE,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,QAAQ,KAAK,OAAO;AAAA,IACpB,cAAc;AAAA,IACd,YAAY,OAAO,KAAK,EAAE;AAAA,IAC1B,WAAW;AAAA,IACX,eAAe;AAAA,IACf,gBAAgB,IAAI;AAAA,EACtB,CAAC;AACD,MAAI,eAAe,CAAC,YAAY,IAAI;AAClC,WAAO,aAAa,KAAK,YAAY,MAAM,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EAC3E;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,wBAAwB,IAAI,GAAG;AAAA,EACxC,SAAS,OAAO;AACd,UAAM,SAAS,yBAAyB,OAAO;AAAA,MAC7C,OAAO;AAAA,MACP,eAAe;AAAA,IACjB,CAAC;AACD,QAAI,OAAQ,QAAO,aAAa,KAAK,OAAO,MAAM,EAAE,QAAQ,OAAO,OAAO,CAAC;AAC3E,UAAM;AAAA,EACR;AAEA,QAAM,GAAG;AAAA,IACP;AAAA,IACA,EAAE,MAAM,KAAK,IAAI,QAAQ,KAAK;AAAA,IAC9B,EAAE,QAAQ,oBAAI,KAAK,EAAE;AAAA,EACvB;AAEA,QAAM,WAAW,kBAAkB;AACnC,QAAM,YAAY,cAAc,QAAQ;AACxC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,mBAAmB;AAC3D,QAAM,MAAM,GAAG,OAAO,eAAe,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAC;AACjG,QAAM,GAAG,QAAQ,GAAG,EAAE,MAAM;AAE5B,QAAM,YAAY,GAAG,IAAI,UAAU,QAAQ;AAE3C,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,6BAA6B,uBAAuB;AAC9E,QAAM,OAAO;AAAA,IACX,SAAS,UAAU,6BAA6B,qBAAqB;AAAA,IACrE,OAAO,UAAU,2BAA2B,uBAAuB;AAAA,IACnE,MAAM,UAAU,0BAA0B,gIAAgI;AAAA,IAC1K,KAAK,UAAU,yBAAyB,sBAAsB;AAAA,IAC9D,MAAM,UAAU,0BAA0B,0EAA0E;AAAA,EACtH;AAEA,MAAI,YAAY;AAChB,MAAI;AACF,UAAM,UAAU,EAAE,IAAI,KAAK,OAAO,SAAS,OAAO,gBAAgB,EAAE,WAAW,KAAK,CAAC,EAAE,CAAC;AAAA,EAC1F,SAAS,KAAK;AACZ,YAAQ,MAAM,+DAA+D,GAAG;AAChF,gBAAY;AAAA,EACd;AAEA,MAAI,aAAa,uBAAuB;AACtC,UAAM,iCAAiC,WAAW;AAAA,MAChD,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,KAAK,YAAY;AAAA,MACnE,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,QAAQ,KAAK,OAAO;AAAA,MACpB,cAAc;AAAA,MACd,YAAY,OAAO,KAAK,EAAE;AAAA,MAC1B,WAAW;AAAA,MACX,eAAe;AAAA,MACf,gBAAgB,IAAI;AAAA,MACpB,UAAU,YAAY;AAAA,IACxB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,MAAM,SAAS,sBAAsB,CAAC;AAAA,EACvE;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,eAAe;AAAA,MAC1E;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,YAAY;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,QAClE,EAAE,QAAQ,KAAK,aAAa,+BAA+B,QAAQ,YAAY;AAAA,QAC/E,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,sBAAsB;AAAA,QAC9E,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,qBAAqB;AAAA,QAChF,EAAE,QAAQ,KAAK,aAAa,6CAA6C,QAAQ,YAAY;AAAA,MAC/F;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/users/route.js CHANGED Viewed

@@ -10,6 +10,7 @@ import { E } from "../../../../generated/entities.ids.generated.js";
 import { loadCustomFieldValues } from "@open-mercato/shared/lib/crud/custom-fields";
 import { userCrudEvents, userCrudIndexer } from "@open-mercato/core/modules/auth/commands/users";
 import {
+  assertActorCanAccessUserTarget,
   assertActorCanGrantRoleTokens,
   assertActorCanModifySuperAdminUserTarget,
   listSuperAdminUserIds
@@ -68,7 +69,9 @@ const userListItemSchema = z.object({
   tenantId: z.string().uuid().nullable(),
   tenantName: z.string().nullable(),
   roles: z.array(z.string()),
-  roleIds: z.array(z.string().uuid()).optional()
+  roleIds: z.array(z.string().uuid()).optional(),
+  hasPassword: z.boolean().optional(),
+  updatedAt: z.string().nullable().optional()
 });
 const userListResponseSchema = z.object({
   items: z.array(userListItemSchema),
@@ -119,6 +122,7 @@ const crud = makeCrudRoute({
         if (ctx.request) {
           if (typeof parsed.id === "string" && parsed.id.length) {
             await assertCanModifySuperAdminTarget(ctx.request, parsed.id);
+            await assertCanAccessUserTarget(ctx.request, parsed.id);
           }
           await assertCanAssignRoles(ctx.request, parsed.roles, parsed);
         }
@@ -128,6 +132,14 @@ const crud = makeCrudRoute({
     },
     delete: {
       commandId: "auth.users.delete",
+      mapInput: async ({ parsed, raw, ctx }) => {
+        const targetId = resolveDeleteTargetId(parsed, raw);
+        if (ctx.request && targetId) {
+          await assertCanModifySuperAdminTarget(ctx.request, targetId);
+          await assertCanAccessUserTarget(ctx.request, targetId);
+        }
+        return parsed;
+      },
       response: () => ({ ok: true })
     }
   }
@@ -384,7 +396,8 @@ async function GET(req) {
       tenantName: u.tenantId ? tenantMap[String(u.tenantId)] ?? String(u.tenantId) : null,
       roles: roleMap[uid] || [],
       roleIds: roleIdMap[uid] || [],
-      hasPassword: !!u.passwordHash,
+      ...id ? { hasPassword: !!u.passwordHash } : {},
+      updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : null,
       ...cfByUser[uid] || {}
     };
   });
@@ -414,6 +427,7 @@ const DELETE = async (req) => {
   if (targetId) {
     try {
       await assertCanModifySuperAdminTarget(req, targetId);
+      await assertCanAccessUserTarget(req, targetId);
     } catch (err) {
       if (err instanceof CrudHttpError) {
         return NextResponse.json(err.body, { status: err.status });
@@ -455,6 +469,30 @@ async function assertCanModifySuperAdminTarget(req, targetUserId) {
     targetUserId
   });
 }
+async function assertCanAccessUserTarget(req, targetUserId) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub) throw new CrudHttpError(401, { error: "Unauthorized" });
+  const container = await createRequestContainer();
+  const em = container.resolve("em");
+  await assertActorCanAccessUserTarget({
+    em,
+    rbacService: container.resolve("rbacService"),
+    actorUserId: auth.sub,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    targetUserId
+  });
+}
+function resolveDeleteTargetId(parsed, raw) {
+  const fromParsed = readId(parsed);
+  if (fromParsed) return fromParsed;
+  const rawRecord = raw;
+  return readId(rawRecord?.query) ?? readId(rawRecord?.body);
+}
+function readId(record) {
+  const value = record?.id;
+  return typeof value === "string" && value.length > 0 ? value : null;
+}
 async function assertCanAssignRoles(req, roles, payload) {
   if (!Array.isArray(roles)) return;
   const auth = await getAuthFromRequest(req);