npm - @open-mercato/core - Versions diffs - 0.6.6-develop.5483.1.a1129165ea → 0.6.6-develop.5503.1.6cdc4dda5f - Mend

@open-mercato/core 0.6.6-develop.5483.1.a1129165ea → 0.6.6-develop.5503.1.6cdc4dda5f

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.6.6-develop.5483.1.a1129165ea",
+  "version": "0.6.6-develop.5503.1.6cdc4dda5f",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -245,16 +245,16 @@
     "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@open-mercato/ai-assistant": "0.6.6-develop.5483.1.a1129165ea",
-    "@open-mercato/shared": "0.6.6-develop.5483.1.a1129165ea",
-    "@open-mercato/ui": "0.6.6-develop.5483.1.a1129165ea",
+    "@open-mercato/ai-assistant": "0.6.6-develop.5503.1.6cdc4dda5f",
+    "@open-mercato/shared": "0.6.6-develop.5503.1.6cdc4dda5f",
+    "@open-mercato/ui": "0.6.6-develop.5503.1.6cdc4dda5f",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/ai-assistant": "0.6.6-develop.5483.1.a1129165ea",
-    "@open-mercato/shared": "0.6.6-develop.5483.1.a1129165ea",
-    "@open-mercato/ui": "0.6.6-develop.5483.1.a1129165ea",
+    "@open-mercato/ai-assistant": "0.6.6-develop.5503.1.6cdc4dda5f",
+    "@open-mercato/shared": "0.6.6-develop.5503.1.6cdc4dda5f",
+    "@open-mercato/ui": "0.6.6-develop.5503.1.6cdc4dda5f",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.1",

package/src/modules/auth/api/login.ts CHANGED Viewed

@@ -108,21 +108,21 @@ export async function POST(req: Request) {
     user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
   } else {
     const users = await auth.findUsersByEmail(parsed.data.email)
-    if (users.length > 1) {
-      return NextResponse.json({
-        ok: false,
-        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
-      }, { status: 400 })
-    }
-    user = users[0] ?? null
-  }
-  if (!user || !user.passwordHash) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_credentials' }).catch(() => undefined)
-    return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
+    // Never disclose that an email is registered across multiple tenants — a
+    // password-independent 400-vs-401 response is an account/topology oracle
+    // (issue #2242). Treat an ambiguous match as no resolvable user and fall
+    // through to the uniform invalid-credentials path; tenant-selection
+    // guidance is delivered out-of-band via the activation/login link.
+    user = users.length === 1 ? users[0] : null
   }
+  // Always verify the password — verifyPassword runs a constant-time bcrypt
+  // comparison even when the user is missing or has no hash — so unknown-email,
+  // wrong-password, and multi-tenant cases return an identical 401 with
+  // identical latency.
   const ok = await auth.verifyPassword(user, parsed.data.password)
-  if (!ok) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_password' }).catch(() => undefined)
+  if (!user || !ok) {
+    const reason = user?.passwordHash ? 'invalid_password' : 'invalid_credentials'
+    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason }).catch(() => undefined)
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
   // Optional role requirement

package/src/modules/auth/i18n/de.json CHANGED Viewed

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
-  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
   "auth.login.forgotPassword": "Passwort vergessen?",
   "auth.login.loading": "Wird geladen ...",

package/src/modules/auth/i18n/en.json CHANGED Viewed

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Invalid email or password",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
   "auth.login.errors.tenantInvalid": "Tenant not found. Clear the tenant selection and try again.",
-  "auth.login.errors.tenantRequired": "Use the login link provided with your tenant activation to continue.",
   "auth.login.featureDenied": "You don't have access to this feature ({feature}). Please contact your administrator.",
   "auth.login.forgotPassword": "Forgot password?",
   "auth.login.loading": "Loading...",

package/src/modules/auth/i18n/es.json CHANGED Viewed

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
-  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",
   "auth.login.loading": "Cargando...",

package/src/modules/auth/i18n/pl.json CHANGED Viewed

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
-  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",
   "auth.login.loading": "Ładowanie...",

package/src/modules/auth/services/authService.ts CHANGED Viewed

@@ -5,6 +5,13 @@ import { emailHashLookupValues } from '@open-mercato/core/modules/auth/lib/email
 import { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+// A fixed, valid bcrypt hash (cost 10) of a throwaway value no real password
+// can match. verifyPassword compares against it whenever the user is missing or
+// has no password hash, so a failed login spends the same bcrypt CPU time
+// regardless of whether the account exists — closing the timing side channel
+// for account enumeration (issue #2242).
+const TIMING_EQUALIZER_PASSWORD_HASH = '$2b$10$OcZrhmZpIzJOjkfwUrk7d.Nl0eHNzOvalBcBlt5Ran.4lj8R3HZg6'
 export class AuthService {
   constructor(private em: EntityManager) {}
@@ -48,9 +55,13 @@ export class AuthService {
     )
   }
-  async verifyPassword(user: User, password: string) {
-    if (!user.passwordHash) return false
-    return compare(password, user.passwordHash)
+  async verifyPassword(user: User | null, password: string) {
+    const storedHash = user?.passwordHash ?? null
+    // Always run a bcrypt comparison — against a fixed dummy hash when the user
+    // is absent or has no password — so login latency does not reveal whether
+    // the account exists (timing-based enumeration, issue #2242).
+    const matched = await compare(password, storedHash ?? TIMING_EQUALIZER_PASSWORD_HASH)
+    return storedHash !== null && matched
   }
   async updateLastLoginAt(user: User) {

package/src/modules/customers/backend/customers/people-v2/[id]/page.tsx CHANGED Viewed

@@ -37,6 +37,7 @@ import { ScheduleActivityDialog, type ScheduleActivityEditData } from '../../../
 import { PersonDetailHeader } from '../../../../components/detail/PersonDetailHeader'
 import { ChangelogTab } from '../../../../components/detail/ChangelogTab'
 import { PersonDetailTabs, resolveLegacyTab, type PersonTabId } from '../../../../components/detail/PersonDetailTabs'
+import { AddressesSection } from '../../../../components/detail/AddressesSection'
 import { PersonCompaniesSection } from '../../../../components/detail/PersonCompaniesSection'
 import { MobilePersonDetail } from '../../../../components/detail/MobilePersonDetail'
 import type { TagsSectionController } from '@open-mercato/ui/backend/detail'
@@ -541,6 +542,7 @@ export default function PersonDetailV2Page({ params }: { params?: { id?: string
                 activitiesCount={interactionCount}
                 dealsCount={dealCount}
                 companiesCount={companyCount}
+                addressesCount={data?.counts?.addresses ?? 0}
                 tasksCount={todoCount}
                 sectionAction={sectionAction}
               >
@@ -619,6 +621,22 @@ export default function PersonDetailV2Page({ params }: { params?: { id?: string
                     )
                   }
+                  if (activeTab === 'addresses') {
+                    return (
+                      <AddressesSection
+                        entityId={personId}
+                        emptyLabel={t('customers.people.detail.empty.addresses', 'No addresses linked to this person.')}
+                        addActionLabel={t('customers.people.detail.addresses.add', 'Add address')}
+                        emptyState={{
+                          title: t('customers.people.detail.emptyState.addresses.title', 'No addresses yet'),
+                          actionLabel: t('customers.people.detail.emptyState.addresses.action', 'Add address'),
+                        }}
+                        onActionChange={handleSectionActionChange}
+                        translator={detailTranslator}
+                      />
+                    )
+                  }
                   if (activeTab === 'tasks') {
                     return (
                       <TasksSection

package/src/modules/customers/components/detail/PersonDetailTabs.tsx CHANGED Viewed

@@ -13,6 +13,7 @@ import {
   History,
   Paperclip,
   Plus,
+  MapPin,
 } from 'lucide-react'
 import type { SectionAction } from '@open-mercato/ui/backend/detail'
@@ -21,6 +22,7 @@ export type PersonTabId =
   | 'emails'
   | 'deals'
   | 'companies'
+  | 'addresses'
   | 'tasks'
   | 'changelog'
   | 'files'
@@ -40,13 +42,14 @@ type PersonDetailTabsProps = {
   activitiesCount?: number
   dealsCount?: number
   companiesCount?: number
+  addressesCount?: number
   tasksCount?: number
   filesCount?: number
   sectionAction?: SectionAction | null
   children: React.ReactNode
 }
-const SUPPORTED_TAB_IDS = new Set<PersonTabId>(['activities', 'emails', 'deals', 'companies', 'tasks', 'changelog', 'files'])
+const SUPPORTED_TAB_IDS = new Set<PersonTabId>(['activities', 'emails', 'deals', 'companies', 'addresses', 'tasks', 'changelog', 'files'])
 export function resolveLegacyTab(tab: string | null | undefined): PersonTabId {
   if (!tab) return 'activities'
@@ -77,6 +80,7 @@ export function PersonDetailTabs({
   activitiesCount = 0,
   dealsCount = 0,
   companiesCount = 0,
+  addressesCount = 0,
   tasksCount = 0,
   filesCount = 0,
   sectionAction = null,
@@ -109,6 +113,12 @@ export function PersonDetailTabs({
         icon: <Building2 className="size-4" />,
         badge: <CountBadge count={companiesCount} />,
       },
+      {
+        id: 'addresses',
+        label: t('customers.people.detail.tabs.addresses', 'Addresses'),
+        icon: <MapPin className="size-4" />,
+        badge: <CountBadge count={addressesCount} />,
+      },
       {
         id: 'tasks',
         label: t('customers.people.detail.tabs.tasks', 'Tasks'),
@@ -128,7 +138,7 @@ export function PersonDetailTabs({
         badge: <CountBadge count={filesCount} />,
       },
     ],
-    [t, activitiesCount, dealsCount, companiesCount, tasksCount, filesCount],
+    [t, activitiesCount, dealsCount, companiesCount, addressesCount, tasksCount, filesCount],
   )
   const allTabs: TabDef[] = React.useMemo(

package/src/modules/sales/commands/documents.ts CHANGED Viewed

@@ -719,11 +719,13 @@ async function resolveAddressSnapshot(
   addressId?: string | null,
 ): Promise<Record<string, unknown> | null> {
   if (!addressId) return null;
-  const address = await em.findOne(CustomerAddress, {
-    id: addressId,
-    organizationId,
-    tenantId,
-  });
+  const address = await findOneWithDecryption(
+    em,
+    CustomerAddress,
+    { id: addressId, organizationId, tenantId },
+    undefined,
+    { tenantId, organizationId },
+  );
   if (!address) return null;
   return {