npm - @open-mercato/enterprise - Versions diffs - 0.6.5-develop.4863.1.169bfbb3a3 → 0.6.5-develop.4964.1.ae0edca575 - Mend

@open-mercato/enterprise 0.6.5-develop.4863.1.169bfbb3a3 → 0.6.5-develop.4964.1.ae0edca575

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/src/modules/security/commands/deleteEnforcementPolicy.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 export const commandId = 'security.enforcement.delete'
@@ -35,8 +36,12 @@ registerCommand({
     }
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.deletePolicy(parsed.data.id)
+      await enforcementService.deletePolicy(parsed.data.id, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/commands/resetUserMfa.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaAdminService } from '../services/MfaAdminService'
 export const commandId = 'security.admin.mfa.reset'
@@ -36,8 +37,12 @@ registerCommand({
     }
     const mfaAdminService = ctx.container.resolve<MfaAdminService>('mfaAdminService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason)
+      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isMfaAdminServiceError(error)) {

package/src/modules/security/commands/updateEnforcementPolicy.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { updateEnforcementPolicySchema } from '../data/validators'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
@@ -37,8 +38,12 @@ registerCommand({
     }
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub)
+      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/services/MfaAdminService.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import type { EntityManager } from '@mikro-orm/postgresql'
+import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
 import { User } from '@open-mercato/core/modules/auth/data/entities'
-import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { MfaRecoveryCode, UserMfaMethod } from '../data/entities'
 import { emitSecurityEvent } from '../events'
 import type { MfaEnforcementService } from './MfaEnforcementService'
@@ -27,6 +27,11 @@ type BulkComplianceStatus = {
   lastLoginAt?: Date
 }
+type ActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
 export class MfaAdminServiceError extends Error {
   constructor(
     message: string,
@@ -43,7 +48,7 @@ export class MfaAdminService {
     private readonly mfaEnforcementService: MfaEnforcementService,
   ) {}
-  async resetUserMfa(adminId: string, userId: string, reason: string): Promise<void> {
+  async resetUserMfa(adminId: string, userId: string, reason: string, actor?: ActorContext): Promise<void> {
     if (!adminId.trim()) {
       throw new MfaAdminServiceError('Admin ID is required', 400)
     }
@@ -60,6 +65,7 @@ export class MfaAdminService {
     if (!user) {
       throw new MfaAdminServiceError('User not found', 404)
     }
+    this.assertActorOwnsUser(user, actor)
     const activeMethods = await this.em.find(UserMfaMethod, {
       userId,
@@ -95,7 +101,7 @@ export class MfaAdminService {
     })
   }
-  async getUserMfaStatus(userId: string): Promise<UserMfaStatus> {
+  async getUserMfaStatus(userId: string, actor?: ActorContext): Promise<UserMfaStatus> {
     if (!userId.trim()) {
       throw new MfaAdminServiceError('User ID is required', 400)
     }
@@ -104,6 +110,7 @@ export class MfaAdminService {
     if (!user) {
       throw new MfaAdminServiceError('User not found', 404)
     }
+    this.assertActorOwnsUser(user, actor)
     const methods = await this.em.find(
       UserMfaMethod,
@@ -136,10 +143,13 @@ export class MfaAdminService {
     }
   }
-  async bulkComplianceCheck(tenantId: string): Promise<BulkComplianceStatus[]> {
+  async bulkComplianceCheck(tenantId: string, actor?: ActorContext): Promise<BulkComplianceStatus[]> {
     if (!tenantId.trim()) {
       throw new MfaAdminServiceError('Tenant ID is required', 400)
     }
+    if (actor && !actor.isSuperAdmin && tenantId !== actor.tenantId) {
+      throw new MfaAdminServiceError('Not authorized for the requested tenant scope.', 403)
+    }
     const users = await findWithDecryption(
       this.em,
@@ -186,8 +196,21 @@ export class MfaAdminService {
     })
   }
+  private assertActorOwnsUser(user: User, actor?: ActorContext): void {
+    if (!actor || actor.isSuperAdmin) return
+    if (!user.tenantId || user.tenantId !== actor.tenantId) {
+      throw new MfaAdminServiceError('User not found', 404)
+    }
+  }
   private async findUserById(userId: string): Promise<User | null> {
-    return this.em.findOne(User, { id: userId, deletedAt: null })
+    return findOneWithDecryption(
+      this.em,
+      User,
+      { id: userId, deletedAt: null } as FilterQuery<User>,
+      {},
+      { tenantId: null, organizationId: null },
+    )
   }
 }

package/src/modules/security/services/MfaEnforcementService.ts CHANGED Viewed

@@ -28,6 +28,11 @@ type EnforcementPolicyListFilters = {
   scope?: EnforcementScope
 }
+export type EnforcementActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
 type UserCompliance = {
   compliant: boolean
   deadline?: Date
@@ -65,12 +70,21 @@ export class MfaEnforcementService {
     return { enforced: true, policy }
   }
-  async listPolicies(filters?: EnforcementPolicyListFilters): Promise<MfaEnforcementPolicy[]> {
+  async getPolicyById(id: string): Promise<MfaEnforcementPolicy | null> {
+    return this.em.findOne(MfaEnforcementPolicy, { id, deletedAt: null })
+  }
+  async listPolicies(
+    filters?: EnforcementPolicyListFilters,
+    actor?: EnforcementActorContext,
+  ): Promise<MfaEnforcementPolicy[]> {
+    const tenantConstraint = actor && !actor.isSuperAdmin ? { tenantId: actor.tenantId } : {}
     return this.em.find(
       MfaEnforcementPolicy,
       {
         deletedAt: null,
         ...(filters?.scope ? { scope: filters.scope } : {}),
+        ...tenantConstraint,
       },
       {
         orderBy: { updatedAt: 'desc' },
@@ -81,8 +95,10 @@ export class MfaEnforcementService {
   async getComplianceReport(
     scope: EnforcementScope,
     scopeId?: string,
+    actor?: EnforcementActorContext,
   ): Promise<ComplianceReport> {
     const { tenantId, organizationId } = this.resolveScopeFilters(scope, scopeId)
+    this.assertActorOwnsScopeFilters(actor, scope, tenantId)
     const users = await this.em.find(User, {
       deletedAt: null,
       ...(tenantId ? { tenantId } : {}),
@@ -123,8 +139,10 @@ export class MfaEnforcementService {
   async createPolicy(
     data: EnforcementPolicyInput,
     adminId: string,
+    actor?: EnforcementActorContext,
   ): Promise<MfaEnforcementPolicy> {
     const normalized = this.normalizePolicyInput(data)
+    this.assertActorOwnsScopeFilters(actor, normalized.scope, normalized.tenantId)
     const existing = await this.findPolicyByScope(
       normalized.scope,
       normalized.tenantId ?? undefined,
@@ -176,6 +194,7 @@ export class MfaEnforcementService {
     id: string,
     data: UpdateEnforcementPolicyInput,
     adminId: string,
+    actor?: EnforcementActorContext,
   ): Promise<MfaEnforcementPolicy> {
     const policy = await this.em.findOne(MfaEnforcementPolicy, {
       id,
@@ -184,6 +203,7 @@ export class MfaEnforcementService {
     if (!policy) {
       throw new MfaEnforcementServiceError('Enforcement policy not found', 404)
     }
+    this.assertActorOwnsScopeFilters(actor, policy.scope, policy.tenantId ?? null)
     const mergedInput = this.normalizePolicyInput({
       scope: data.scope ?? policy.scope,
@@ -197,6 +217,8 @@ export class MfaEnforcementService {
           : data.enforcementDeadline,
     })
+    this.assertActorOwnsScopeFilters(actor, mergedInput.scope, mergedInput.tenantId)
     if (
       mergedInput.scope !== policy.scope ||
       mergedInput.tenantId !== (policy.tenantId ?? null) ||
@@ -231,7 +253,7 @@ export class MfaEnforcementService {
     return policy
   }
-  async deletePolicy(id: string): Promise<void> {
+  async deletePolicy(id: string, actor?: EnforcementActorContext): Promise<void> {
     const policy = await this.em.findOne(MfaEnforcementPolicy, {
       id,
       deletedAt: null,
@@ -239,6 +261,7 @@ export class MfaEnforcementService {
     if (!policy) {
       throw new MfaEnforcementServiceError('Enforcement policy not found', 404)
     }
+    this.assertActorOwnsScopeFilters(actor, policy.scope, policy.tenantId ?? null)
     const now = new Date()
     policy.deletedAt = now
@@ -314,6 +337,23 @@ export class MfaEnforcementService {
     )
   }
+  private assertActorOwnsScopeFilters(
+    actor: EnforcementActorContext | undefined,
+    scope: EnforcementScope,
+    tenantId: string | null | undefined,
+  ): void {
+    if (!actor || actor.isSuperAdmin) return
+    if (scope === EnforcementScope.PLATFORM) {
+      throw new MfaEnforcementServiceError(
+        'Platform scope requires platform administrator privileges.',
+        403,
+      )
+    }
+    if (!tenantId || tenantId !== actor.tenantId) {
+      throw new MfaEnforcementServiceError('Not authorized for the requested scope.', 403)
+    }
+  }
   private resolveScopeFilters(
     scope: EnforcementScope,
     scopeId?: string,