npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/modules/sso/services/accountLinkingService.js ADDED Viewed

@@ -0,0 +1,298 @@
+import { User, UserRole, Role } from "@open-mercato/core/modules/auth/data/entities";
+import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
+import { SsoIdentity, SsoRoleGrant, ScimToken } from "../data/entities.js";
+import { emitSsoEvent } from "../events.js";
+class AccountLinkingService {
+  constructor(em) {
+    this.em = em;
+  }
+  async resolveUser(config, idpPayload, tenantId) {
+    const existing = await this.findExistingLink(config.id, idpPayload.subject, tenantId, config.organizationId);
+    if (existing) {
+      await this.assignRolesFromSso(this.em, existing.user, config, tenantId, idpPayload.groups);
+      return existing;
+    }
+    if (idpPayload.emailVerified === false) {
+      throw new Error("IdP explicitly reported email as unverified \u2014 cannot link or provision account");
+    }
+    const emailDomain = idpPayload.email.split("@")[1]?.toLowerCase();
+    if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {
+      throw new Error("Email domain is not in the allowed domains for this SSO configuration");
+    }
+    const emailLinked = config.autoLinkByEmail ? await this.linkByEmail(config, idpPayload, tenantId) : null;
+    if (emailLinked) {
+      await this.assignRolesFromSso(this.em, emailLinked.user, config, tenantId, idpPayload.groups);
+      return emailLinked;
+    }
+    if (config.jitEnabled) {
+      const scimActive = await this.em.count(ScimToken, { ssoConfigId: config.id, isActive: true }) > 0;
+      if (scimActive) {
+        throw new Error("JIT provisioning is disabled because SCIM directory sync is active");
+      }
+      return this.jitProvision(config, idpPayload, tenantId);
+    }
+    throw new Error("No matching user found and JIT provisioning is disabled");
+  }
+  async findExistingLink(ssoConfigId, idpSubject, tenantId, organizationId) {
+    const identity = await findOneWithDecryption(
+      this.em,
+      SsoIdentity,
+      { ssoConfigId, idpSubject, deletedAt: null },
+      {},
+      { tenantId, organizationId }
+    );
+    if (!identity) return null;
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      { id: identity.userId, deletedAt: null },
+      {},
+      { tenantId, organizationId }
+    );
+    if (!user) {
+      identity.deletedAt = /* @__PURE__ */ new Date();
+      await this.em.flush();
+      return null;
+    }
+    identity.lastLoginAt = /* @__PURE__ */ new Date();
+    await this.em.flush();
+    return { user, identity };
+  }
+  async linkByEmail(config, idpPayload, tenantId) {
+    const emailHash = computeEmailHash(idpPayload.email);
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      {
+        organizationId: config.organizationId,
+        deletedAt: null,
+        $or: [
+          { email: idpPayload.email },
+          { emailHash }
+        ]
+      },
+      {},
+      { tenantId, organizationId: config.organizationId }
+    );
+    if (!user) return null;
+    const now = /* @__PURE__ */ new Date();
+    const identity = this.em.create(SsoIdentity, {
+      tenantId,
+      organizationId: config.organizationId,
+      ssoConfigId: config.id,
+      userId: user.id,
+      idpSubject: idpPayload.subject,
+      idpEmail: idpPayload.email,
+      idpName: idpPayload.name ?? null,
+      idpGroups: idpPayload.groups ?? [],
+      provisioningMethod: "manual",
+      firstLoginAt: now,
+      lastLoginAt: now,
+      createdAt: now,
+      updatedAt: now
+    });
+    await this.em.persistAndFlush(identity);
+    void emitSsoEvent("sso.identity.linked", {
+      id: identity.id,
+      tenantId,
+      organizationId: config.organizationId
+    }).catch((e) => console.error("[SSO Event]", e));
+    return { user, identity };
+  }
+  async jitProvision(config, idpPayload, tenantId) {
+    return this.em.transactional(async (txEm) => {
+      const user = txEm.create(User, {
+        tenantId,
+        organizationId: config.organizationId,
+        email: idpPayload.email,
+        emailHash: computeEmailHash(idpPayload.email),
+        name: idpPayload.name ?? null,
+        passwordHash: null,
+        isConfirmed: true,
+        createdAt: /* @__PURE__ */ new Date()
+      });
+      await txEm.persistAndFlush(user);
+      await this.assignRolesFromSso(txEm, user, config, tenantId, idpPayload.groups);
+      const now = /* @__PURE__ */ new Date();
+      const identity = txEm.create(SsoIdentity, {
+        tenantId,
+        organizationId: config.organizationId,
+        ssoConfigId: config.id,
+        userId: user.id,
+        idpSubject: idpPayload.subject,
+        idpEmail: idpPayload.email,
+        idpName: idpPayload.name ?? null,
+        idpGroups: idpPayload.groups ?? [],
+        provisioningMethod: "jit",
+        firstLoginAt: now,
+        lastLoginAt: now,
+        createdAt: now,
+        updatedAt: now
+      });
+      await txEm.persistAndFlush(identity);
+      void emitSsoEvent("sso.identity.created", {
+        id: identity.id,
+        tenantId,
+        organizationId: config.organizationId
+      }).catch((e) => console.error("[SSO Event]", e));
+      return { user, identity };
+    });
+  }
+  async assignRolesFromSso(em, user, config, tenantId, idpGroups) {
+    const hasMappings = config.appRoleMappings && Object.keys(config.appRoleMappings).length > 0;
+    if (!hasMappings) return;
+    await this.syncMappedRoles(em, user, config, tenantId, idpGroups);
+    const hasAnySsoRole = await em.findOne(SsoRoleGrant, {
+      userId: user.id,
+      ssoConfigId: config.id
+    });
+    if (!hasAnySsoRole) {
+      throw new Error("No roles could be resolved from IdP groups \u2014 login denied. Configure role mappings or ensure the IdP sends matching group claims.");
+    }
+  }
+  /**
+   * Sync/replace SSO-sourced roles: on each login, SSO-managed roles are replaced
+   * with what the IdP sends, while manually-assigned roles are preserved.
+   */
+  async syncMappedRoles(em, user, config, tenantId, idpGroups) {
+    const resolvedTenantId = tenantId || user.tenantId || "";
+    if (!resolvedTenantId) return;
+    const allRoles = await em.find(Role, { tenantId: resolvedTenantId, deletedAt: null });
+    const roleByNormalizedName = /* @__PURE__ */ new Map();
+    for (const role of allRoles) {
+      const normalized = normalizeToken(role.name);
+      if (normalized) roleByNormalizedName.set(normalized, role);
+    }
+    const desiredRoleNames = resolveRoleNamesFromIdpGroups(idpGroups, config.appRoleMappings);
+    const desiredRoleIds = /* @__PURE__ */ new Set();
+    for (const roleName of desiredRoleNames) {
+      const role = roleByNormalizedName.get(roleName);
+      if (role) desiredRoleIds.add(role.id);
+    }
+    const existingGrants = await em.find(SsoRoleGrant, {
+      userId: user.id,
+      ssoConfigId: config.id
+    });
+    const existingGrantedRoleIds = new Set(existingGrants.map((g) => g.roleId));
+    const toAdd = [...desiredRoleIds].filter((id) => !existingGrantedRoleIds.has(id));
+    const toRemove = existingGrants.filter((g) => !desiredRoleIds.has(g.roleId));
+    for (const roleId of toAdd) {
+      const role = allRoles.find((r) => r.id === roleId);
+      if (!role) continue;
+      await this.ensureUserRole(em, user, role);
+      const grant = em.create(SsoRoleGrant, {
+        tenantId: resolvedTenantId,
+        organizationId: config.organizationId,
+        userId: user.id,
+        roleId,
+        ssoConfigId: config.id
+      });
+      em.persist(grant);
+    }
+    for (const grant of toRemove) {
+      const userRole = await em.findOne(UserRole, {
+        user: user.id,
+        role: grant.roleId,
+        deletedAt: null
+      });
+      if (userRole) {
+        em.remove(userRole);
+      }
+      em.remove(grant);
+    }
+    const allUserRoles = await em.find(UserRole, { user: user.id });
+    for (const ur of allUserRoles) {
+      if (ur.deletedAt) {
+        em.remove(ur);
+      }
+    }
+    if (toAdd.length > 0 || toRemove.length > 0 || allUserRoles.some((ur) => ur.deletedAt)) {
+      await em.flush();
+    }
+  }
+  async ensureUserRole(em, user, role) {
+    const existingLink = await em.findOne(UserRole, {
+      user: user.id,
+      role: role.id,
+      deletedAt: null
+    });
+    if (existingLink) return;
+    const userRole = em.create(UserRole, { user, role, createdAt: /* @__PURE__ */ new Date() });
+    await em.persistAndFlush(userRole);
+  }
+}
+function resolveRoleNamesFromIdpGroups(idpGroups, configMappings) {
+  if (!Array.isArray(idpGroups) || idpGroups.length === 0) return [];
+  const normalizedGroups = idpGroups.map((group) => normalizeToken(group)).filter((group) => group !== null);
+  if (normalizedGroups.length === 0) return [];
+  const mergedMappings = loadMergedMappings(configMappings);
+  const roleNames = /* @__PURE__ */ new Set();
+  for (const group of normalizedGroups) {
+    const mapped = mergedMappings.get(group);
+    if (mapped?.length) {
+      for (const role of mapped) roleNames.add(role);
+      continue;
+    }
+    roleNames.add(group);
+    const segmented = group.split(/[\\/:]/).map((part) => normalizeToken(part)).filter((part) => part !== null);
+    for (const candidate of segmented) {
+      roleNames.add(candidate);
+    }
+  }
+  return Array.from(roleNames);
+}
+function loadMergedMappings(configMappings) {
+  const envMappings = loadGroupRoleMappingsFromEnv();
+  if (configMappings && Object.keys(configMappings).length > 0) {
+    for (const [group, roleName] of Object.entries(configMappings)) {
+      const normalizedGroup = normalizeToken(group);
+      if (!normalizedGroup) continue;
+      const normalizedRole = normalizeToken(roleName);
+      if (!normalizedRole) continue;
+      envMappings.set(normalizedGroup, [normalizedRole]);
+    }
+  }
+  return envMappings;
+}
+function loadGroupRoleMappingsFromEnv() {
+  const raw = process.env.SSO_GROUP_ROLE_MAP;
+  if (!raw) return /* @__PURE__ */ new Map();
+  try {
+    const parsed = JSON.parse(raw);
+    const out = /* @__PURE__ */ new Map();
+    for (const [group, roleValue] of Object.entries(parsed)) {
+      const normalizedGroup = normalizeToken(group);
+      if (!normalizedGroup) continue;
+      const roles = normalizeRoleList(roleValue);
+      if (roles.length > 0) out.set(normalizedGroup, roles);
+    }
+    return out;
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+}
+function normalizeRoleList(value) {
+  if (typeof value === "string") {
+    const token = normalizeToken(value);
+    return token ? [token] : [];
+  }
+  if (Array.isArray(value)) {
+    const out = /* @__PURE__ */ new Set();
+    for (const entry of value) {
+      const token = normalizeToken(entry);
+      if (token) out.add(token);
+    }
+    return Array.from(out);
+  }
+  return [];
+}
+function normalizeToken(value) {
+  if (typeof value !== "string") return null;
+  const normalized = value.trim().toLowerCase();
+  return normalized.length > 0 ? normalized : null;
+}
+export {
+  AccountLinkingService
+};
+//# sourceMappingURL=accountLinkingService.js.map

package/dist/modules/sso/services/accountLinkingService.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/accountLinkingService.ts"],
+  "sourcesContent": ["import { EntityManager, type FilterQuery, type RequiredEntityData } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { SsoConfig, SsoIdentity, SsoRoleGrant, ScimToken } from '../data/entities'\nimport { emitSsoEvent } from '../events'\nimport type { SsoIdentityPayload } from '../lib/types'\n\nexport class AccountLinkingService {\n  constructor(private em: EntityManager) {}\n\n  async resolveUser(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    const existing = await this.findExistingLink(config.id, idpPayload.subject, tenantId, config.organizationId)\n    if (existing) {\n      await this.assignRolesFromSso(this.em, existing.user, config, tenantId, idpPayload.groups)\n      return existing\n    }\n\n    if (idpPayload.emailVerified === false) {\n      throw new Error('IdP explicitly reported email as unverified \u2014 cannot link or provision account')\n    }\n\n    const emailDomain = idpPayload.email.split('@')[1]?.toLowerCase()\n    if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {\n      throw new Error('Email domain is not in the allowed domains for this SSO configuration')\n    }\n\n    const emailLinked = config.autoLinkByEmail\n      ? await this.linkByEmail(config, idpPayload, tenantId)\n      : null\n    if (emailLinked) {\n      await this.assignRolesFromSso(this.em, emailLinked.user, config, tenantId, idpPayload.groups)\n      return emailLinked\n    }\n\n    if (config.jitEnabled) {\n      const scimActive = await this.em.count(ScimToken, { ssoConfigId: config.id, isActive: true }) > 0\n      if (scimActive) {\n        throw new Error('JIT provisioning is disabled because SCIM directory sync is active')\n      }\n      return this.jitProvision(config, idpPayload, tenantId)\n    }\n\n    throw new Error('No matching user found and JIT provisioning is disabled')\n  }\n\n  private async findExistingLink(\n    ssoConfigId: string,\n    idpSubject: string,\n    tenantId: string,\n    organizationId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const identity = await findOneWithDecryption(\n      this.em,\n      SsoIdentity,\n      { ssoConfigId, idpSubject, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!identity) return null\n\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      { id: identity.userId, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!user) {\n      identity.deletedAt = new Date()\n      await this.em.flush()\n      return null\n    }\n\n    identity.lastLoginAt = new Date()\n    await this.em.flush()\n\n    return { user, identity }\n  }\n\n  private async linkByEmail(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const emailHash = computeEmailHash(idpPayload.email)\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      {\n        organizationId: config.organizationId,\n        deletedAt: null,\n        $or: [\n          { email: idpPayload.email },\n          { emailHash },\n        ],\n      } as FilterQuery<User>,\n      {},\n      { tenantId, organizationId: config.organizationId },\n    )\n    if (!user) return null\n\n    const now = new Date()\n    const identity = this.em.create(SsoIdentity, {\n      tenantId,\n      organizationId: config.organizationId,\n      ssoConfigId: config.id,\n      userId: user.id,\n      idpSubject: idpPayload.subject,\n      idpEmail: idpPayload.email,\n      idpName: idpPayload.name ?? null,\n      idpGroups: idpPayload.groups ?? [],\n      provisioningMethod: 'manual',\n      firstLoginAt: now,\n      lastLoginAt: now,\n      createdAt: now,\n      updatedAt: now,\n    } as RequiredEntityData<SsoIdentity>)\n    await this.em.persistAndFlush(identity)\n\n    void emitSsoEvent('sso.identity.linked', {\n      id: identity.id,\n      tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return { user, identity }\n  }\n\n  private async jitProvision(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    return this.em.transactional(async (txEm) => {\n      const user = txEm.create(User, {\n        tenantId,\n        organizationId: config.organizationId,\n        email: idpPayload.email,\n        emailHash: computeEmailHash(idpPayload.email),\n        name: idpPayload.name ?? null,\n        passwordHash: null,\n        isConfirmed: true,\n        createdAt: new Date(),\n      })\n      await txEm.persistAndFlush(user)\n\n      await this.assignRolesFromSso(txEm, user, config, tenantId, idpPayload.groups)\n\n      const now = new Date()\n      const identity = txEm.create(SsoIdentity, {\n        tenantId,\n        organizationId: config.organizationId,\n        ssoConfigId: config.id,\n        userId: user.id,\n        idpSubject: idpPayload.subject,\n        idpEmail: idpPayload.email,\n        idpName: idpPayload.name ?? null,\n        idpGroups: idpPayload.groups ?? [],\n        provisioningMethod: 'jit',\n        firstLoginAt: now,\n        lastLoginAt: now,\n        createdAt: now,\n        updatedAt: now,\n      } as RequiredEntityData<SsoIdentity>)\n      await txEm.persistAndFlush(identity)\n\n      void emitSsoEvent('sso.identity.created', {\n        id: identity.id,\n        tenantId,\n        organizationId: config.organizationId,\n      }).catch((e) => console.error('[SSO Event]', e))\n\n      return { user, identity }\n    })\n  }\n\n  private async assignRolesFromSso(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const hasMappings = config.appRoleMappings && Object.keys(config.appRoleMappings).length > 0\n    if (!hasMappings) return\n\n    await this.syncMappedRoles(em, user, config, tenantId, idpGroups)\n\n    const hasAnySsoRole = await em.findOne(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    if (!hasAnySsoRole) {\n      throw new Error('No roles could be resolved from IdP groups \u2014 login denied. Configure role mappings or ensure the IdP sends matching group claims.')\n    }\n  }\n\n  /**\n   * Sync/replace SSO-sourced roles: on each login, SSO-managed roles are replaced\n   * with what the IdP sends, while manually-assigned roles are preserved.\n   */\n  private async syncMappedRoles(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const resolvedTenantId = tenantId || user.tenantId || ''\n    if (!resolvedTenantId) return\n\n    const allRoles = await em.find(Role, { tenantId: resolvedTenantId, deletedAt: null } as FilterQuery<Role>)\n    const roleByNormalizedName = new Map<string, Role>()\n    for (const role of allRoles) {\n      const normalized = normalizeToken(role.name)\n      if (normalized) roleByNormalizedName.set(normalized, role)\n    }\n\n    // Resolve desired role IDs from IdP groups using merged mappings\n    const desiredRoleNames = resolveRoleNamesFromIdpGroups(idpGroups, config.appRoleMappings)\n    const desiredRoleIds = new Set<string>()\n    for (const roleName of desiredRoleNames) {\n      const role = roleByNormalizedName.get(roleName)\n      if (role) desiredRoleIds.add(role.id)\n    }\n\n    // Query current SSO grants for this user+config\n    const existingGrants = await em.find(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    const existingGrantedRoleIds = new Set(existingGrants.map((g) => g.roleId))\n\n    // Compute diff\n    const toAdd = [...desiredRoleIds].filter((id) => !existingGrantedRoleIds.has(id))\n    const toRemove = existingGrants.filter((g) => !desiredRoleIds.has(g.roleId))\n\n    // Add new roles\n    for (const roleId of toAdd) {\n      const role = allRoles.find((r) => r.id === roleId)\n      if (!role) continue\n      await this.ensureUserRole(em, user, role)\n      const grant = em.create(SsoRoleGrant, {\n        tenantId: resolvedTenantId,\n        organizationId: config.organizationId,\n        userId: user.id,\n        roleId,\n        ssoConfigId: config.id,\n      } as RequiredEntityData<SsoRoleGrant>)\n      em.persist(grant)\n    }\n\n    // Remove stale SSO-sourced roles\n    for (const grant of toRemove) {\n      const userRole = await em.findOne(UserRole, {\n        user: user.id,\n        role: grant.roleId,\n        deletedAt: null,\n      } as FilterQuery<UserRole>)\n      if (userRole) {\n        em.remove(userRole)\n      }\n      em.remove(grant)\n    }\n\n    // Clean up orphaned soft-deleted UserRole rows (ghost rows from previous soft-delete logic)\n    const allUserRoles = await em.find(UserRole, { user: user.id } as FilterQuery<UserRole>)\n    for (const ur of allUserRoles) {\n      if (ur.deletedAt) {\n        em.remove(ur)\n      }\n    }\n\n    if (toAdd.length > 0 || toRemove.length > 0 || allUserRoles.some((ur) => ur.deletedAt)) {\n      await em.flush()\n    }\n  }\n\n  private async ensureUserRole(em: EntityManager, user: User, role: Role): Promise<void> {\n    const existingLink = await em.findOne(UserRole, {\n      user: user.id,\n      role: role.id,\n      deletedAt: null,\n    } as FilterQuery<UserRole>)\n    if (existingLink) return\n\n    const userRole = em.create(UserRole, { user, role, createdAt: new Date() })\n    await em.persistAndFlush(userRole)\n  }\n}\n\nfunction resolveRoleNamesFromIdpGroups(\n  idpGroups?: string[],\n  configMappings?: Record<string, string>,\n): string[] {\n  if (!Array.isArray(idpGroups) || idpGroups.length === 0) return []\n\n  const normalizedGroups = idpGroups\n    .map((group) => normalizeToken(group))\n    .filter((group): group is string => group !== null)\n  if (normalizedGroups.length === 0) return []\n\n  const mergedMappings = loadMergedMappings(configMappings)\n  const roleNames = new Set<string>()\n\n  for (const group of normalizedGroups) {\n    const mapped = mergedMappings.get(group)\n    if (mapped?.length) {\n      for (const role of mapped) roleNames.add(role)\n      continue\n    }\n\n    roleNames.add(group)\n    const segmented = group.split(/[\\\\/:]/).map((part) => normalizeToken(part)).filter((part): part is string => part !== null)\n    for (const candidate of segmented) {\n      roleNames.add(candidate)\n    }\n  }\n\n  return Array.from(roleNames)\n}\n\nfunction loadMergedMappings(configMappings?: Record<string, string>): Map<string, string[]> {\n  const envMappings = loadGroupRoleMappingsFromEnv()\n\n  // Per-config mappings take precedence over env var\n  if (configMappings && Object.keys(configMappings).length > 0) {\n    for (const [group, roleName] of Object.entries(configMappings)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const normalizedRole = normalizeToken(roleName)\n      if (!normalizedRole) continue\n      envMappings.set(normalizedGroup, [normalizedRole])\n    }\n  }\n\n  return envMappings\n}\n\nfunction loadGroupRoleMappingsFromEnv(): Map<string, string[]> {\n  const raw = process.env.SSO_GROUP_ROLE_MAP\n  if (!raw) return new Map()\n\n  try {\n    const parsed = JSON.parse(raw) as Record<string, unknown>\n    const out = new Map<string, string[]>()\n    for (const [group, roleValue] of Object.entries(parsed)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const roles = normalizeRoleList(roleValue)\n      if (roles.length > 0) out.set(normalizedGroup, roles)\n    }\n    return out\n  } catch {\n    return new Map()\n  }\n}\n\nfunction normalizeRoleList(value: unknown): string[] {\n  if (typeof value === 'string') {\n    const token = normalizeToken(value)\n    return token ? [token] : []\n  }\n\n  if (Array.isArray(value)) {\n    const out = new Set<string>()\n    for (const entry of value) {\n      const token = normalizeToken(entry)\n      if (token) out.add(token)\n    }\n    return Array.from(out)\n  }\n\n  return []\n}\n\nfunction normalizeToken(value: unknown): string | null {\n  if (typeof value !== 'string') return null\n  const normalized = value.trim().toLowerCase()\n  return normalized.length > 0 ? normalized : null\n}\n"],
+  "mappings": "AACA,SAAS,MAAM,UAAU,YAAY;AACrC,SAAS,6BAA6B;AACtC,SAAS,wBAAwB;AACjC,SAAoB,aAAa,cAAc,iBAAiB;AAChE,SAAS,oBAAoB;AAGtB,MAAM,sBAAsB;AAAA,EACjC,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,YACJ,QACA,YACA,UACgD;AAChD,UAAM,WAAW,MAAM,KAAK,iBAAiB,OAAO,IAAI,WAAW,SAAS,UAAU,OAAO,cAAc;AAC3G,QAAI,UAAU;AACZ,YAAM,KAAK,mBAAmB,KAAK,IAAI,SAAS,MAAM,QAAQ,UAAU,WAAW,MAAM;AACzF,aAAO;AAAA,IACT;AAEA,QAAI,WAAW,kBAAkB,OAAO;AACtC,YAAM,IAAI,MAAM,qFAAgF;AAAA,IAClG;AAEA,UAAM,cAAc,WAAW,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,YAAY;AAChE,QAAI,CAAC,eAAe,CAAC,OAAO,eAAe,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,WAAW,GAAG;AACvF,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AAEA,UAAM,cAAc,OAAO,kBACvB,MAAM,KAAK,YAAY,QAAQ,YAAY,QAAQ,IACnD;AACJ,QAAI,aAAa;AACf,YAAM,KAAK,mBAAmB,KAAK,IAAI,YAAY,MAAM,QAAQ,UAAU,WAAW,MAAM;AAC5F,aAAO;AAAA,IACT;AAEA,QAAI,OAAO,YAAY;AACrB,YAAM,aAAa,MAAM,KAAK,GAAG,MAAM,WAAW,EAAE,aAAa,OAAO,IAAI,UAAU,KAAK,CAAC,IAAI;AAChG,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,oEAAoE;AAAA,MACtF;AACA,aAAO,KAAK,aAAa,QAAQ,YAAY,QAAQ;AAAA,IACvD;AAEA,UAAM,IAAI,MAAM,yDAAyD;AAAA,EAC3E;AAAA,EAEA,MAAc,iBACZ,aACA,YACA,UACA,gBACuD;AACvD,UAAM,WAAW,MAAM;AAAA,MACrB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,aAAa,YAAY,WAAW,KAAK;AAAA,MAC3C,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,IAAI,SAAS,QAAQ,WAAW,KAAK;AAAA,MACvC,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,MAAM;AACT,eAAS,YAAY,oBAAI,KAAK;AAC9B,YAAM,KAAK,GAAG,MAAM;AACpB,aAAO;AAAA,IACT;AAEA,aAAS,cAAc,oBAAI,KAAK;AAChC,UAAM,KAAK,GAAG,MAAM;AAEpB,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,YACZ,QACA,YACA,UACuD;AACvD,UAAM,YAAY,iBAAiB,WAAW,KAAK;AACnD,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE,gBAAgB,OAAO;AAAA,QACvB,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,OAAO,WAAW,MAAM;AAAA,UAC1B,EAAE,UAAU;AAAA,QACd;AAAA,MACF;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,gBAAgB,OAAO,eAAe;AAAA,IACpD;AACA,QAAI,CAAC,KAAM,QAAO;AAElB,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,KAAK,GAAG,OAAO,aAAa;AAAA,MAC3C;AAAA,MACA,gBAAgB,OAAO;AAAA,MACvB,aAAa,OAAO;AAAA,MACpB,QAAQ,KAAK;AAAA,MACb,YAAY,WAAW;AAAA,MACvB,UAAU,WAAW;AAAA,MACrB,SAAS,WAAW,QAAQ;AAAA,MAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,MACjC,oBAAoB;AAAA,MACpB,cAAc;AAAA,MACd,aAAa;AAAA,MACb,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAoC;AACpC,UAAM,KAAK,GAAG,gBAAgB,QAAQ;AAEtC,SAAK,aAAa,uBAAuB;AAAA,MACvC,IAAI,SAAS;AAAA,MACb;AAAA,MACA,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,aACZ,QACA,YACA,UACgD;AAChD,WAAO,KAAK,GAAG,cAAc,OAAO,SAAS;AAC3C,YAAM,OAAO,KAAK,OAAO,MAAM;AAAA,QAC7B;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,OAAO,WAAW;AAAA,QAClB,WAAW,iBAAiB,WAAW,KAAK;AAAA,QAC5C,MAAM,WAAW,QAAQ;AAAA,QACzB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,YAAM,KAAK,gBAAgB,IAAI;AAE/B,YAAM,KAAK,mBAAmB,MAAM,MAAM,QAAQ,UAAU,WAAW,MAAM;AAE7E,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,WAAW,KAAK,OAAO,aAAa;AAAA,QACxC;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,QAAQ,KAAK;AAAA,QACb,YAAY,WAAW;AAAA,QACvB,UAAU,WAAW;AAAA,QACrB,SAAS,WAAW,QAAQ;AAAA,QAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,QACjC,oBAAoB;AAAA,QACpB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAoC;AACpC,YAAM,KAAK,gBAAgB,QAAQ;AAEnC,WAAK,aAAa,wBAAwB;AAAA,QACxC,IAAI,SAAS;AAAA,QACb;AAAA,QACA,gBAAgB,OAAO;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,aAAO,EAAE,MAAM,SAAS;AAAA,IAC1B,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,mBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,cAAc,OAAO,mBAAmB,OAAO,KAAK,OAAO,eAAe,EAAE,SAAS;AAC3F,QAAI,CAAC,YAAa;AAElB,UAAM,KAAK,gBAAgB,IAAI,MAAM,QAAQ,UAAU,SAAS;AAEhE,UAAM,gBAAgB,MAAM,GAAG,QAAQ,cAAc;AAAA,MACnD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,wIAAmI;AAAA,IACrJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB;AAEvB,UAAM,WAAW,MAAM,GAAG,KAAK,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,CAAsB;AACzG,UAAM,uBAAuB,oBAAI,IAAkB;AACnD,eAAW,QAAQ,UAAU;AAC3B,YAAM,aAAa,eAAe,KAAK,IAAI;AAC3C,UAAI,WAAY,sBAAqB,IAAI,YAAY,IAAI;AAAA,IAC3D;AAGA,UAAM,mBAAmB,8BAA8B,WAAW,OAAO,eAAe;AACxF,UAAM,iBAAiB,oBAAI,IAAY;AACvC,eAAW,YAAY,kBAAkB;AACvC,YAAM,OAAO,qBAAqB,IAAI,QAAQ;AAC9C,UAAI,KAAM,gBAAe,IAAI,KAAK,EAAE;AAAA,IACtC;AAGA,UAAM,iBAAiB,MAAM,GAAG,KAAK,cAAc;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,UAAM,yBAAyB,IAAI,IAAI,eAAe,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AAG1E,UAAM,QAAQ,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,uBAAuB,IAAI,EAAE,CAAC;AAChF,UAAM,WAAW,eAAe,OAAO,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,MAAM,CAAC;AAG3E,eAAW,UAAU,OAAO;AAC1B,YAAM,OAAO,SAAS,KAAK,CAAC,MAAM,EAAE,OAAO,MAAM;AACjD,UAAI,CAAC,KAAM;AACX,YAAM,KAAK,eAAe,IAAI,MAAM,IAAI;AACxC,YAAM,QAAQ,GAAG,OAAO,cAAc;AAAA,QACpC,UAAU;AAAA,QACV,gBAAgB,OAAO;AAAA,QACvB,QAAQ,KAAK;AAAA,QACb;AAAA,QACA,aAAa,OAAO;AAAA,MACtB,CAAqC;AACrC,SAAG,QAAQ,KAAK;AAAA,IAClB;AAGA,eAAW,SAAS,UAAU;AAC5B,YAAM,WAAW,MAAM,GAAG,QAAQ,UAAU;AAAA,QAC1C,MAAM,KAAK;AAAA,QACX,MAAM,MAAM;AAAA,QACZ,WAAW;AAAA,MACb,CAA0B;AAC1B,UAAI,UAAU;AACZ,WAAG,OAAO,QAAQ;AAAA,MACpB;AACA,SAAG,OAAO,KAAK;AAAA,IACjB;AAGA,UAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,KAAK,GAAG,CAA0B;AACvF,eAAW,MAAM,cAAc;AAC7B,UAAI,GAAG,WAAW;AAChB,WAAG,OAAO,EAAE;AAAA,MACd;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,KAAK,SAAS,SAAS,KAAK,aAAa,KAAK,CAAC,OAAO,GAAG,SAAS,GAAG;AACtF,YAAM,GAAG,MAAM;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,IAAmB,MAAY,MAA2B;AACrF,UAAM,eAAe,MAAM,GAAG,QAAQ,UAAU;AAAA,MAC9C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,IACb,CAA0B;AAC1B,QAAI,aAAc;AAElB,UAAM,WAAW,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC1E,UAAM,GAAG,gBAAgB,QAAQ;AAAA,EACnC;AACF;AAEA,SAAS,8BACP,WACA,gBACU;AACV,MAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,WAAW,EAAG,QAAO,CAAC;AAEjE,QAAM,mBAAmB,UACtB,IAAI,CAAC,UAAU,eAAe,KAAK,CAAC,EACpC,OAAO,CAAC,UAA2B,UAAU,IAAI;AACpD,MAAI,iBAAiB,WAAW,EAAG,QAAO,CAAC;AAE3C,QAAM,iBAAiB,mBAAmB,cAAc;AACxD,QAAM,YAAY,oBAAI,IAAY;AAElC,aAAW,SAAS,kBAAkB;AACpC,UAAM,SAAS,eAAe,IAAI,KAAK;AACvC,QAAI,QAAQ,QAAQ;AAClB,iBAAW,QAAQ,OAAQ,WAAU,IAAI,IAAI;AAC7C;AAAA,IACF;AAEA,cAAU,IAAI,KAAK;AACnB,UAAM,YAAY,MAAM,MAAM,QAAQ,EAAE,IAAI,CAAC,SAAS,eAAe,IAAI,CAAC,EAAE,OAAO,CAAC,SAAyB,SAAS,IAAI;AAC1H,eAAW,aAAa,WAAW;AACjC,gBAAU,IAAI,SAAS;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,SAAS;AAC7B;AAEA,SAAS,mBAAmB,gBAAgE;AAC1F,QAAM,cAAc,6BAA6B;AAGjD,MAAI,kBAAkB,OAAO,KAAK,cAAc,EAAE,SAAS,GAAG;AAC5D,eAAW,CAAC,OAAO,QAAQ,KAAK,OAAO,QAAQ,cAAc,GAAG;AAC9D,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,iBAAiB,eAAe,QAAQ;AAC9C,UAAI,CAAC,eAAgB;AACrB,kBAAY,IAAI,iBAAiB,CAAC,cAAc,CAAC;AAAA,IACnD;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,+BAAsD;AAC7D,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO,oBAAI,IAAI;AAEzB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,UAAM,MAAM,oBAAI,IAAsB;AACtC,eAAW,CAAC,OAAO,SAAS,KAAK,OAAO,QAAQ,MAAM,GAAG;AACvD,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,QAAQ,kBAAkB,SAAS;AACzC,UAAI,MAAM,SAAS,EAAG,KAAI,IAAI,iBAAiB,KAAK;AAAA,IACtD;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO,oBAAI,IAAI;AAAA,EACjB;AACF;AAEA,SAAS,kBAAkB,OAA0B;AACnD,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,eAAe,KAAK;AAClC,WAAO,QAAQ,CAAC,KAAK,IAAI,CAAC;AAAA,EAC5B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,MAAM,oBAAI,IAAY;AAC5B,eAAW,SAAS,OAAO;AACzB,YAAM,QAAQ,eAAe,KAAK;AAClC,UAAI,MAAO,KAAI,IAAI,KAAK;AAAA,IAC1B;AACA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAEA,SAAO,CAAC;AACV;AAEA,SAAS,eAAe,OAA+B;AACrD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,aAAa,MAAM,KAAK,EAAE,YAAY;AAC5C,SAAO,WAAW,SAAS,IAAI,aAAa;AAC9C;",
+  "names": []
+}

package/dist/modules/sso/services/hrdService.js ADDED Viewed

@@ -0,0 +1,18 @@
+import { SsoConfig } from "../data/entities.js";
+class HrdService {
+  constructor(em) {
+    this.em = em;
+  }
+  async findActiveConfigByEmailDomain(email) {
+    const domain = email.split("@")[1]?.toLowerCase();
+    if (!domain) return null;
+    const knex = this.em.getKnex();
+    const row = await knex("sso_configs").whereRaw("allowed_domains @> ?::jsonb", [JSON.stringify([domain])]).where("is_active", true).whereNull("deleted_at").first();
+    if (!row) return null;
+    return this.em.map(SsoConfig, row);
+  }
+}
+export {
+  HrdService
+};
+//# sourceMappingURL=hrdService.js.map

package/dist/modules/sso/services/hrdService.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/services/hrdService.ts"],
+  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { SsoConfig } from '../data/entities'\n\nexport class HrdService {\n  constructor(private em: EntityManager) {}\n\n  async findActiveConfigByEmailDomain(email: string): Promise<SsoConfig | null> {\n    const domain = email.split('@')[1]?.toLowerCase()\n    if (!domain) return null\n\n    const knex = this.em.getKnex()\n    const row = await knex('sso_configs')\n      .whereRaw(\"allowed_domains @> ?::jsonb\", [JSON.stringify([domain])])\n      .where('is_active', true)\n      .whereNull('deleted_at')\n      .first()\n\n    if (!row) return null\n\n    return this.em.map(SsoConfig, row)\n  }\n}\n"],
+  "mappings": "AACA,SAAS,iBAAiB;AAEnB,MAAM,WAAW;AAAA,EACtB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,8BAA8B,OAA0C;AAC5E,UAAM,SAAS,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,YAAY;AAChD,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,OAAO,KAAK,GAAG,QAAQ;AAC7B,UAAM,MAAM,MAAM,KAAK,aAAa,EACjC,SAAS,+BAA+B,CAAC,KAAK,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAClE,MAAM,aAAa,IAAI,EACvB,UAAU,YAAY,EACtB,MAAM;AAET,QAAI,CAAC,IAAK,QAAO;AAEjB,WAAO,KAAK,GAAG,IAAI,WAAW,GAAG;AAAA,EACnC;AACF;",
+  "names": []
+}