npm - @open-mercato/onboarding - Versions diffs - 0.6.5-develop.5099.1.85c0aff78c → 0.6.5-develop.5116.1.f0af9e5080 - Mend

@open-mercato/onboarding 0.6.5-develop.5099.1.85c0aff78c → 0.6.5-develop.5116.1.f0af9e5080

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/modules/onboarding/api/get/onboarding/status.js CHANGED Viewed

@@ -10,9 +10,27 @@ const metadata = {
     requireAuth: false
   }
 };
+const ONBOARDING_LOGIN_TENANT_COOKIE = "om_login_tenant";
 const onboardingStatusQuerySchema = z.object({
   tenantId: z.string().uuid()
 });
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const separatorIndex = part.indexOf("=");
+    if (separatorIndex === -1) continue;
+    const key = part.slice(0, separatorIndex).trim();
+    if (key !== name) continue;
+    const rawValue = part.slice(separatorIndex + 1).trim();
+    try {
+      return decodeURIComponent(rawValue);
+    } catch {
+      return rawValue;
+    }
+  }
+  return null;
+}
 async function GET(req) {
   const url = new URL(req.url);
   const tenantId = url.searchParams.get("tenantId") || url.searchParams.get("tenant") || "";
@@ -20,6 +38,10 @@ async function GET(req) {
   if (!parsed.success) {
     return NextResponse.json({ ok: false, error: "Invalid tenant id." }, { status: 400 });
   }
+  const loginTenantCookie = readCookie(req, ONBOARDING_LOGIN_TENANT_COOKIE);
+  if (!loginTenantCookie || loginTenantCookie !== parsed.data.tenantId) {
+    return NextResponse.json({ ok: false, error: "Not authorized for this tenant." }, { status: 403 });
+  }
   let baseUrl;
   try {
     baseUrl = getSecurityEmailBaseUrl(req);
@@ -88,6 +110,7 @@ const onboardingStatusDoc = {
   ],
   errors: [
     { status: 400, description: "Invalid tenant id or request origin.", schema: onboardingStatusErrorSchema },
+    { status: 403, description: "Caller is not authorized for this tenant.", schema: onboardingStatusErrorSchema },
     { status: 404, description: "Onboarding request not found.", schema: onboardingStatusErrorSchema },
     { status: 500, description: "Onboarding status is not configured.", schema: onboardingStatusErrorSchema }
   ]

package/dist/modules/onboarding/api/get/onboarding/status.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/onboarding/api/get/onboarding/status.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getSecurityEmailBaseUrl, mapSecurityEmailUrlError } from '@open-mercato/shared/lib/url'\nimport { OnboardingService } from '@open-mercato/onboarding/modules/onboarding/lib/service'\nimport { sendWorkspaceReadyEmail } from '@open-mercato/onboarding/modules/onboarding/lib/ready-email'\nimport type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\n\nexport const metadata = {\n  path: '/onboarding/onboarding/status',\n  GET: {\n    requireAuth: false,\n  },\n}\n\nconst onboardingStatusQuerySchema = z.object({\n  tenantId: z.string().uuid(),\n})\n\nexport async function GET(req: Request) {\n  const url = new URL(req.url)\n  const tenantId = url.searchParams.get('tenantId') || url.searchParams.get('tenant') || ''\n  const parsed = onboardingStatusQuerySchema.safeParse({ tenantId })\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Invalid tenant id.' }, { status: 400 })\n  }\n\n  let baseUrl: string\n  try {\n    baseUrl = getSecurityEmailBaseUrl(req)\n  } catch (error) {\n    const mapped = mapSecurityEmailUrlError(error, {\n      scope: 'onboarding.status',\n      configMessage: 'Onboarding status is not configured.',\n    })\n    if (mapped) return NextResponse.json({ ok: false, error: mapped.body.error }, { status: mapped.status })\n    throw error\n  }\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const service = new OnboardingService(em)\n  const request = await service.findLatestByTenantId(parsed.data.tenantId)\n  if (!request) {\n    return NextResponse.json({ ok: false, error: 'Onboarding request not found.' }, { status: 404 })\n  }\n\n  let emailSent = Boolean(request.readyEmailSentAt)\n  const ready = request.status === 'completed' && Boolean(request.preparationCompletedAt)\n  const loginUrl = ready && request.tenantId ? `${baseUrl}/login?tenant=${encodeURIComponent(request.tenantId)}` : null\n\n  if (ready && request.tenantId && !request.readyEmailSentAt) {\n    try {\n      emailSent = await sendWorkspaceReadyEmail({\n        requestId: request.id,\n        tenantId: request.tenantId,\n      })\n    } catch (error) {\n      console.error('[onboarding.status] ready email retry failed', {\n        requestId: request.id,\n        tenantId: request.tenantId,\n        organizationId: request.organizationId,\n        error,\n      })\n    }\n  }\n\n  return NextResponse.json({\n    ok: true,\n    status: request.status,\n    ready,\n    emailSent,\n    tenantId: request.tenantId ?? parsed.data.tenantId,\n    loginUrl,\n  })\n}\n\nconst onboardingTag = 'Onboarding'\n\nconst onboardingStatusSuccessSchema = z.object({\n  ok: z.literal(true),\n  status: z.enum(['pending', 'processing', 'completed', 'expired']),\n  ready: z.boolean(),\n  emailSent: z.boolean(),\n  tenantId: z.string().uuid(),\n  loginUrl: z.string().nullable(),\n})\n\nconst onboardingStatusErrorSchema = z.object({\n  ok: z.literal(false),\n  error: z.string(),\n})\n\nconst onboardingStatusDoc: OpenApiMethodDoc = {\n  summary: 'Get onboarding preparation status',\n  description: 'Resolves whether a tenant workspace finished deferred onboarding preparation and can be opened.',\n  tags: [onboardingTag],\n  query: onboardingStatusQuerySchema,\n  responses: [\n    { status: 200, description: 'Onboarding status resolved.', schema: onboardingStatusSuccessSchema },\n  ],\n  errors: [\n    { status: 400, description: 'Invalid tenant id or request origin.', schema: onboardingStatusErrorSchema },\n    { status: 404, description: 'Onboarding request not found.', schema: onboardingStatusErrorSchema },\n    { status: 500, description: 'Onboarding status is not configured.', schema: onboardingStatusErrorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: onboardingTag,\n  summary: 'Onboarding preparation status',\n  methods: {\n    GET: onboardingStatusDoc,\n  },\n}\n\nexport default GET\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,8BAA8B;AACvC,SAAS,yBAAyB,gCAAgC;AAClE,SAAS,yBAAyB;AAClC,SAAS,+BAA+B;AAGjC,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK;AAAA,IACH,aAAa;AAAA,EACf;AACF;AAEA,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,UAAU,EAAE,OAAO,EAAE,KAAK;AAC5B,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,WAAW,IAAI,aAAa,IAAI,UAAU,KAAK,IAAI,aAAa,IAAI,QAAQ,KAAK;AACvF,QAAM,SAAS,4BAA4B,UAAU,EAAE,SAAS,CAAC;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtF;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,wBAAwB,GAAG;AAAA,EACvC,SAAS,OAAO;AACd,UAAM,SAAS,yBAAyB,OAAO;AAAA,MAC7C,OAAO;AAAA,MACP,eAAe;AAAA,IACjB,CAAC;AACD,QAAI,OAAQ,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,OAAO,KAAK,MAAM,GAAG,EAAE,QAAQ,OAAO,OAAO,CAAC;AACvG,UAAM;AAAA,EACR;AACA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,UAAU,IAAI,kBAAkB,EAAE;AACxC,QAAM,UAAU,MAAM,QAAQ,qBAAqB,OAAO,KAAK,QAAQ;AACvE,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,gCAAgC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjG;AAEA,MAAI,YAAY,QAAQ,QAAQ,gBAAgB;AAChD,QAAM,QAAQ,QAAQ,WAAW,eAAe,QAAQ,QAAQ,sBAAsB;AACtF,QAAM,WAAW,SAAS,QAAQ,WAAW,GAAG,OAAO,iBAAiB,mBAAmB,QAAQ,QAAQ,CAAC,KAAK;AAEjH,MAAI,SAAS,QAAQ,YAAY,CAAC,QAAQ,kBAAkB;AAC1D,QAAI;AACF,kBAAY,MAAM,wBAAwB;AAAA,QACxC,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,MACpB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,gDAAgD;AAAA,QAC5D,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,QAClB,gBAAgB,QAAQ;AAAA,QACxB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,UAAU,QAAQ,YAAY,OAAO,KAAK;AAAA,IAC1C;AAAA,EACF,CAAC;AACH;AAEA,MAAM,gBAAgB;AAEtB,MAAM,gCAAgC,EAAE,OAAO;AAAA,EAC7C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,QAAQ,EAAE,KAAK,CAAC,WAAW,cAAc,aAAa,SAAS,CAAC;AAAA,EAChE,OAAO,EAAE,QAAQ;AAAA,EACjB,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,OAAO,EAAE,KAAK;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,KAAK;AAAA,EACnB,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,sBAAwC;AAAA,EAC5C,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,aAAa;AAAA,EACpB,OAAO;AAAA,EACP,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,+BAA+B,QAAQ,8BAA8B;AAAA,EACnG;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,4BAA4B;AAAA,IACxG,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,4BAA4B;AAAA,IACjG,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,4BAA4B;AAAA,EAC1G;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,EACP;AACF;AAEA,IAAO,iBAAQ;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getSecurityEmailBaseUrl, mapSecurityEmailUrlError } from '@open-mercato/shared/lib/url'\nimport { OnboardingService } from '@open-mercato/onboarding/modules/onboarding/lib/service'\nimport { sendWorkspaceReadyEmail } from '@open-mercato/onboarding/modules/onboarding/lib/ready-email'\nimport type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\n\nexport const metadata = {\n  path: '/onboarding/onboarding/status',\n  GET: {\n    requireAuth: false,\n  },\n}\n\nconst ONBOARDING_LOGIN_TENANT_COOKIE = 'om_login_tenant'\n\nconst onboardingStatusQuerySchema = z.object({\n  tenantId: z.string().uuid(),\n})\n\nfunction readCookie(req: Request, name: string): string | null {\n  const header = req.headers.get('cookie')\n  if (!header) return null\n  for (const part of header.split(';')) {\n    const separatorIndex = part.indexOf('=')\n    if (separatorIndex === -1) continue\n    const key = part.slice(0, separatorIndex).trim()\n    if (key !== name) continue\n    const rawValue = part.slice(separatorIndex + 1).trim()\n    try {\n      return decodeURIComponent(rawValue)\n    } catch {\n      return rawValue\n    }\n  }\n  return null\n}\n\nexport async function GET(req: Request) {\n  const url = new URL(req.url)\n  const tenantId = url.searchParams.get('tenantId') || url.searchParams.get('tenant') || ''\n  const parsed = onboardingStatusQuerySchema.safeParse({ tenantId })\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Invalid tenant id.' }, { status: 400 })\n  }\n\n  const loginTenantCookie = readCookie(req, ONBOARDING_LOGIN_TENANT_COOKIE)\n  if (!loginTenantCookie || loginTenantCookie !== parsed.data.tenantId) {\n    return NextResponse.json({ ok: false, error: 'Not authorized for this tenant.' }, { status: 403 })\n  }\n\n  let baseUrl: string\n  try {\n    baseUrl = getSecurityEmailBaseUrl(req)\n  } catch (error) {\n    const mapped = mapSecurityEmailUrlError(error, {\n      scope: 'onboarding.status',\n      configMessage: 'Onboarding status is not configured.',\n    })\n    if (mapped) return NextResponse.json({ ok: false, error: mapped.body.error }, { status: mapped.status })\n    throw error\n  }\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const service = new OnboardingService(em)\n  const request = await service.findLatestByTenantId(parsed.data.tenantId)\n  if (!request) {\n    return NextResponse.json({ ok: false, error: 'Onboarding request not found.' }, { status: 404 })\n  }\n\n  let emailSent = Boolean(request.readyEmailSentAt)\n  const ready = request.status === 'completed' && Boolean(request.preparationCompletedAt)\n  const loginUrl = ready && request.tenantId ? `${baseUrl}/login?tenant=${encodeURIComponent(request.tenantId)}` : null\n\n  if (ready && request.tenantId && !request.readyEmailSentAt) {\n    try {\n      emailSent = await sendWorkspaceReadyEmail({\n        requestId: request.id,\n        tenantId: request.tenantId,\n      })\n    } catch (error) {\n      console.error('[onboarding.status] ready email retry failed', {\n        requestId: request.id,\n        tenantId: request.tenantId,\n        organizationId: request.organizationId,\n        error,\n      })\n    }\n  }\n\n  return NextResponse.json({\n    ok: true,\n    status: request.status,\n    ready,\n    emailSent,\n    tenantId: request.tenantId ?? parsed.data.tenantId,\n    loginUrl,\n  })\n}\n\nconst onboardingTag = 'Onboarding'\n\nconst onboardingStatusSuccessSchema = z.object({\n  ok: z.literal(true),\n  status: z.enum(['pending', 'processing', 'completed', 'expired']),\n  ready: z.boolean(),\n  emailSent: z.boolean(),\n  tenantId: z.string().uuid(),\n  loginUrl: z.string().nullable(),\n})\n\nconst onboardingStatusErrorSchema = z.object({\n  ok: z.literal(false),\n  error: z.string(),\n})\n\nconst onboardingStatusDoc: OpenApiMethodDoc = {\n  summary: 'Get onboarding preparation status',\n  description: 'Resolves whether a tenant workspace finished deferred onboarding preparation and can be opened.',\n  tags: [onboardingTag],\n  query: onboardingStatusQuerySchema,\n  responses: [\n    { status: 200, description: 'Onboarding status resolved.', schema: onboardingStatusSuccessSchema },\n  ],\n  errors: [\n    { status: 400, description: 'Invalid tenant id or request origin.', schema: onboardingStatusErrorSchema },\n    { status: 403, description: 'Caller is not authorized for this tenant.', schema: onboardingStatusErrorSchema },\n    { status: 404, description: 'Onboarding request not found.', schema: onboardingStatusErrorSchema },\n    { status: 500, description: 'Onboarding status is not configured.', schema: onboardingStatusErrorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: onboardingTag,\n  summary: 'Onboarding preparation status',\n  methods: {\n    GET: onboardingStatusDoc,\n  },\n}\n\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,8BAA8B;AACvC,SAAS,yBAAyB,gCAAgC;AAClE,SAAS,yBAAyB;AAClC,SAAS,+BAA+B;AAGjC,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK;AAAA,IACH,aAAa;AAAA,EACf;AACF;AAEA,MAAM,iCAAiC;AAEvC,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,UAAU,EAAE,OAAO,EAAE,KAAK;AAC5B,CAAC;AAED,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,iBAAiB,KAAK,QAAQ,GAAG;AACvC,QAAI,mBAAmB,GAAI;AAC3B,UAAM,MAAM,KAAK,MAAM,GAAG,cAAc,EAAE,KAAK;AAC/C,QAAI,QAAQ,KAAM;AAClB,UAAM,WAAW,KAAK,MAAM,iBAAiB,CAAC,EAAE,KAAK;AACrD,QAAI;AACF,aAAO,mBAAmB,QAAQ;AAAA,IACpC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,WAAW,IAAI,aAAa,IAAI,UAAU,KAAK,IAAI,aAAa,IAAI,QAAQ,KAAK;AACvF,QAAM,SAAS,4BAA4B,UAAU,EAAE,SAAS,CAAC;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtF;AAEA,QAAM,oBAAoB,WAAW,KAAK,8BAA8B;AACxE,MAAI,CAAC,qBAAqB,sBAAsB,OAAO,KAAK,UAAU;AACpE,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kCAAkC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnG;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,wBAAwB,GAAG;AAAA,EACvC,SAAS,OAAO;AACd,UAAM,SAAS,yBAAyB,OAAO;AAAA,MAC7C,OAAO;AAAA,MACP,eAAe;AAAA,IACjB,CAAC;AACD,QAAI,OAAQ,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,OAAO,KAAK,MAAM,GAAG,EAAE,QAAQ,OAAO,OAAO,CAAC;AACvG,UAAM;AAAA,EACR;AACA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,UAAU,IAAI,kBAAkB,EAAE;AACxC,QAAM,UAAU,MAAM,QAAQ,qBAAqB,OAAO,KAAK,QAAQ;AACvE,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,gCAAgC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjG;AAEA,MAAI,YAAY,QAAQ,QAAQ,gBAAgB;AAChD,QAAM,QAAQ,QAAQ,WAAW,eAAe,QAAQ,QAAQ,sBAAsB;AACtF,QAAM,WAAW,SAAS,QAAQ,WAAW,GAAG,OAAO,iBAAiB,mBAAmB,QAAQ,QAAQ,CAAC,KAAK;AAEjH,MAAI,SAAS,QAAQ,YAAY,CAAC,QAAQ,kBAAkB;AAC1D,QAAI;AACF,kBAAY,MAAM,wBAAwB;AAAA,QACxC,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,MACpB,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,gDAAgD;AAAA,QAC5D,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,QAClB,gBAAgB,QAAQ;AAAA,QACxB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,UAAU,QAAQ,YAAY,OAAO,KAAK;AAAA,IAC1C;AAAA,EACF,CAAC;AACH;AAEA,MAAM,gBAAgB;AAEtB,MAAM,gCAAgC,EAAE,OAAO;AAAA,EAC7C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,QAAQ,EAAE,KAAK,CAAC,WAAW,cAAc,aAAa,SAAS,CAAC;AAAA,EAChE,OAAO,EAAE,QAAQ;AAAA,EACjB,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,OAAO,EAAE,KAAK;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,KAAK;AAAA,EACnB,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,sBAAwC;AAAA,EAC5C,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,aAAa;AAAA,EACpB,OAAO;AAAA,EACP,WAAW;AAAA,IACT,EAAE,QAAQ,KAAK,aAAa,+BAA+B,QAAQ,8BAA8B;AAAA,EACnG;AAAA,EACA,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,4BAA4B;AAAA,IACxG,EAAE,QAAQ,KAAK,aAAa,6CAA6C,QAAQ,4BAA4B;AAAA,IAC7G,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,4BAA4B;AAAA,IACjG,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,4BAA4B;AAAA,EAC1G;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,EACP;AACF;AAEA,IAAO,iBAAQ;",
   "names": []
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/onboarding",
-  "version": "0.6.5-develop.5099.1.85c0aff78c",
+  "version": "0.6.5-develop.5116.1.f0af9e5080",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -69,10 +69,10 @@
     }
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.6.5-develop.5099.1.85c0aff78c"
+    "@open-mercato/shared": "0.6.5-develop.5116.1.f0af9e5080"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.6.5-develop.5099.1.85c0aff78c",
+    "@open-mercato/shared": "0.6.5-develop.5116.1.f0af9e5080",
     "@types/jest": "^30.0.0",
     "jest": "^30.4.2",
     "ts-jest": "^29.4.11"

package/src/__tests__/status-endpoint-auth.test.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import { OnboardingRequest } from '../modules/onboarding/data/entities'
+const findLatestByTenantId = jest.fn()
+const sendWorkspaceReadyEmail = jest.fn()
+jest.mock('@open-mercato/shared/lib/di/container', () => ({
+  createRequestContainer: jest.fn(async () => ({
+    resolve: (name: string) => {
+      if (name === 'em') return {}
+      throw new Error(`unexpected resolve(${name})`)
+    },
+  })),
+}))
+jest.mock('@open-mercato/shared/lib/url', () => ({
+  getSecurityEmailBaseUrl: () => 'https://app.example.com',
+  mapSecurityEmailUrlError: () => null,
+}))
+jest.mock('@open-mercato/onboarding/modules/onboarding/lib/service', () => ({
+  OnboardingService: jest.fn().mockImplementation(() => ({
+    findLatestByTenantId,
+  })),
+}))
+jest.mock('@open-mercato/onboarding/modules/onboarding/lib/ready-email', () => ({
+  sendWorkspaceReadyEmail,
+}))
+import { GET } from '../modules/onboarding/api/get/onboarding/status'
+const TENANT_ID = '11111111-1111-4111-8111-111111111111'
+const OTHER_TENANT_ID = '22222222-2222-4222-8222-222222222222'
+function makeRequest(overrides: Record<string, unknown> = {}) {
+  return Object.assign(new OnboardingRequest(), {
+    id: 'req-1',
+    status: 'completed',
+    tenantId: TENANT_ID,
+    organizationId: 'org-1',
+    preparationCompletedAt: new Date(),
+    readyEmailSentAt: new Date(),
+    ...overrides,
+  })
+}
+function buildRequest(args: { tenantId: string; cookie?: string }) {
+  const headers = new Headers()
+  if (args.cookie !== undefined) headers.set('cookie', args.cookie)
+  return new Request(`https://app.example.com/api/onboarding/onboarding/status?tenantId=${args.tenantId}`, {
+    headers,
+  })
+}
+describe('onboarding status endpoint authorization', () => {
+  beforeEach(() => {
+    findLatestByTenantId.mockReset()
+    sendWorkspaceReadyEmail.mockReset()
+    findLatestByTenantId.mockResolvedValue(makeRequest())
+  })
+  it('returns 403 and does not look up tenant state when no om_login_tenant cookie is present', async () => {
+    const res = await GET(buildRequest({ tenantId: TENANT_ID }))
+    expect(res.status).toBe(403)
+    const body = await res.json()
+    expect(body).toEqual({ ok: false, error: 'Not authorized for this tenant.' })
+    expect(findLatestByTenantId).not.toHaveBeenCalled()
+    expect(sendWorkspaceReadyEmail).not.toHaveBeenCalled()
+  })
+  it('returns 403 when the om_login_tenant cookie is for a different tenant', async () => {
+    const res = await GET(
+      buildRequest({ tenantId: TENANT_ID, cookie: `om_login_tenant=${OTHER_TENANT_ID}` }),
+    )
+    expect(res.status).toBe(403)
+    expect(findLatestByTenantId).not.toHaveBeenCalled()
+    expect(sendWorkspaceReadyEmail).not.toHaveBeenCalled()
+  })
+  it('does not trigger the ready email side effect for an unauthorized caller', async () => {
+    findLatestByTenantId.mockResolvedValue(
+      makeRequest({ readyEmailSentAt: null }),
+    )
+    const res = await GET(
+      buildRequest({ tenantId: TENANT_ID, cookie: `om_login_tenant=${OTHER_TENANT_ID}` }),
+    )
+    expect(res.status).toBe(403)
+    expect(sendWorkspaceReadyEmail).not.toHaveBeenCalled()
+  })
+  it('returns the status when the om_login_tenant cookie matches the requested tenant', async () => {
+    const res = await GET(
+      buildRequest({ tenantId: TENANT_ID, cookie: `other=foo; om_login_tenant=${TENANT_ID}` }),
+    )
+    expect(res.status).toBe(200)
+    const body = await res.json()
+    expect(body.ok).toBe(true)
+    expect(body.tenantId).toBe(TENANT_ID)
+    expect(body.ready).toBe(true)
+    expect(body.loginUrl).toBe(`https://app.example.com/login?tenant=${TENANT_ID}`)
+    expect(findLatestByTenantId).toHaveBeenCalledWith(TENANT_ID)
+  })
+  it('returns 404 for an authorized caller when no onboarding record exists', async () => {
+    findLatestByTenantId.mockResolvedValue(null)
+    const res = await GET(
+      buildRequest({ tenantId: TENANT_ID, cookie: `om_login_tenant=${TENANT_ID}` }),
+    )
+    expect(res.status).toBe(404)
+  })
+})

package/src/modules/onboarding/api/get/onboarding/status.ts CHANGED Viewed

@@ -14,10 +14,30 @@ export const metadata = {
   },
 }
+const ONBOARDING_LOGIN_TENANT_COOKIE = 'om_login_tenant'
 const onboardingStatusQuerySchema = z.object({
   tenantId: z.string().uuid(),
 })
+function readCookie(req: Request, name: string): string | null {
+  const header = req.headers.get('cookie')
+  if (!header) return null
+  for (const part of header.split(';')) {
+    const separatorIndex = part.indexOf('=')
+    if (separatorIndex === -1) continue
+    const key = part.slice(0, separatorIndex).trim()
+    if (key !== name) continue
+    const rawValue = part.slice(separatorIndex + 1).trim()
+    try {
+      return decodeURIComponent(rawValue)
+    } catch {
+      return rawValue
+    }
+  }
+  return null
+}
 export async function GET(req: Request) {
   const url = new URL(req.url)
   const tenantId = url.searchParams.get('tenantId') || url.searchParams.get('tenant') || ''
@@ -26,6 +46,11 @@ export async function GET(req: Request) {
     return NextResponse.json({ ok: false, error: 'Invalid tenant id.' }, { status: 400 })
   }
+  const loginTenantCookie = readCookie(req, ONBOARDING_LOGIN_TENANT_COOKIE)
+  if (!loginTenantCookie || loginTenantCookie !== parsed.data.tenantId) {
+    return NextResponse.json({ ok: false, error: 'Not authorized for this tenant.' }, { status: 403 })
+  }
   let baseUrl: string
   try {
     baseUrl = getSecurityEmailBaseUrl(req)
@@ -101,6 +126,7 @@ const onboardingStatusDoc: OpenApiMethodDoc = {
   ],
   errors: [
     { status: 400, description: 'Invalid tenant id or request origin.', schema: onboardingStatusErrorSchema },
+    { status: 403, description: 'Caller is not authorized for this tenant.', schema: onboardingStatusErrorSchema },
     { status: 404, description: 'Onboarding request not found.', schema: onboardingStatusErrorSchema },
     { status: 500, description: 'Onboarding status is not configured.', schema: onboardingStatusErrorSchema },
   ],