@open-mercato/shared 0.4.2-canary-c02407ff85

package/src/lib/api/scoped.ts

@@ -0,0 +1,239 @@
+import type { CrudCtx } from '@open-mercato/shared/lib/crud/factory'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { splitCustomFieldPayload } from '@open-mercato/shared/lib/crud/custom-fields'
+import type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
+import type { z } from 'zod'
+
+export type ScopedContext = (CommandRuntimeContext | CrudCtx) & {
+  auth: { tenantId?: string | null; orgId?: string | null } | null
+  selectedOrganizationId?: string | null
+}
+
+export type TranslateFn = (key: string, fallback?: string) => string
+
+export type ScopedMessage = {
+  key: string
+  fallback: string
+}
+
+export type ScopedPayloadMessages = {
+  tenantRequired?: ScopedMessage
+  organizationRequired?: ScopedMessage
+  idRequired?: ScopedMessage
+  tenantForbidden?: ScopedMessage
+}
+
+export type ScopedPayloadOptions = {
+  requireOrganization?: boolean
+  messages?: ScopedPayloadMessages
+}
+
+const DEFAULT_MESSAGES: Required<ScopedPayloadMessages> = {
+  tenantRequired: { key: 'errors.tenant_required', fallback: 'Tenant context is required.' },
+  organizationRequired: { key: 'errors.organization_required', fallback: 'Organization context is required.' },
+  idRequired: { key: 'errors.id_required', fallback: 'Record identifier is required.' },
+  tenantForbidden: { key: 'errors.tenant_forbidden', fallback: 'You are not allowed to target this tenant.' },
+}
+
+function resolveMessage(messages: ScopedPayloadMessages | undefined, key: keyof ScopedPayloadMessages): ScopedMessage {
+  const override = messages?.[key]
+  if (override && typeof override.key === 'string' && override.key.length > 0) {
+    return {
+      key: override.key,
+      fallback: override.fallback ?? DEFAULT_MESSAGES[key]!.fallback,
+    }
+  }
+  return DEFAULT_MESSAGES[key]!
+}
+
+export function withScopedPayload<T extends Record<string, unknown>>(
+  payload: T | null | undefined,
+  ctx: ScopedContext,
+  translate: TranslateFn,
+  options: ScopedPayloadOptions = {}
+): T & { tenantId: string; organizationId?: string } {
+  const requireOrganization = options.requireOrganization !== false
+  const hasGlobalOrgAccess = ctx.organizationScope?.allowedIds === null
+  const source = payload ? { ...payload } : {}
+  const tenantId = (source as { tenantId?: string })?.tenantId ?? ctx.auth?.tenantId ?? null
+  if (!tenantId) {
+    const msg = resolveMessage(options.messages, 'tenantRequired')
+    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })
+  }
+
+  const resolvedOrg =
+    (source as { organizationId?: string })?.organizationId ??
+    ctx.selectedOrganizationId ??
+    ctx.auth?.orgId ??
+    null
+
+  if (requireOrganization && !hasGlobalOrgAccess && !resolvedOrg) {
+    const msg = resolveMessage(options.messages, 'organizationRequired')
+    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })
+  }
+
+  const scoped = {
+    ...source,
+    tenantId,
+  } as T & { tenantId: string; organizationId?: string }
+
+  if (resolvedOrg) scoped.organizationId = resolvedOrg
+
+  return scoped
+}
+
+export function parseScopedCommandInput<TSchema extends z.ZodTypeAny>(
+  schema: TSchema,
+  payload: unknown,
+  ctx: ScopedContext,
+  translate: TranslateFn,
+  options: ScopedPayloadOptions = {}
+): z.infer<TSchema> & { customFields?: Record<string, unknown> } {
+  const scoped = withScopedPayload(
+    (payload && typeof payload === 'object' ? payload : {}) as Record<string, unknown>,
+    ctx,
+    translate,
+    options
+  )
+  const actorTenantId = normalizeTenant(ctx.auth?.tenantId)
+  const requestedTenantId = normalizeTenant(scoped.tenantId)
+  const isSuperAdmin = authIsSuperAdmin(ctx.auth)
+  if (!isSuperAdmin) {
+    if (actorTenantId) {
+      if (!requestedTenantId || requestedTenantId !== actorTenantId) {
+        const msg = resolveMessage(options.messages, 'tenantForbidden')
+        throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) })
+      }
+    } else if (requestedTenantId) {
+      const msg = resolveMessage(options.messages, 'tenantForbidden')
+      throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) })
+    }
+  }
+  const { base, custom } = splitCustomFieldPayload(scoped)
+  const hasCustomFields = custom && Object.keys(custom).length > 0
+  const candidates: Array<Record<string, unknown>> = hasCustomFields
+    ? [base, { ...base, customFields: custom }]
+    : [base]
+
+  let parsed: z.infer<TSchema> | undefined
+  let lastError: unknown
+  for (const candidate of candidates) {
+    try {
+      parsed = schema.parse(candidate) as z.infer<TSchema>
+      break
+    } catch (err) {
+      lastError = err
+    }
+  }
+  if (!parsed) {
+    if (lastError instanceof Error) throw lastError
+    throw new CrudHttpError(400, { error: translate('errors.invalid_input', 'Invalid input') })
+  }
+
+  const parsedWithCustom = hasCustomFields
+    ? Object.assign({}, parsed, { customFields: custom })
+    : parsed
+
+  return parsedWithCustom as z.infer<TSchema> & { customFields?: Record<string, unknown> }
+}
+
+function normalizeTenant(candidate: unknown): string | null {
+  if (typeof candidate === 'string' && candidate.trim().length > 0) return candidate.trim()
+  return null
+}
+
+function authIsSuperAdmin(auth: ScopedContext['auth']): boolean {
+  if (!auth) return false
+  return (auth as Record<string, unknown>).isSuperAdmin === true
+}
+
+export function requireRecordId(
+  candidate: unknown,
+  ctx: ScopedContext,
+  translate: TranslateFn,
+  options: ScopedPayloadOptions = {}
+): string {
+  const fieldName = 'id'
+  const id =
+    typeof candidate === 'string'
+      ? candidate.trim()
+      : candidate && typeof candidate === 'object'
+        ? typeof (candidate as Record<string, unknown>)[fieldName] === 'string'
+          ? String((candidate as Record<string, unknown>)[fieldName])
+          : null
+        : null
+  if (id && id.length > 0) return id
+  const msg = resolveMessage(options.messages, 'idRequired')
+  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })
+}
+
+export function resolveCrudRecordId(
+  parsed: unknown,
+  ctx: ScopedContext,
+  translate: TranslateFn,
+  options: ScopedPayloadOptions & { fieldName?: string; queryParam?: string } = {}
+): string {
+  const fieldName = options.fieldName ?? 'id'
+  const queryParam = options.queryParam ?? fieldName
+
+  const tryRequire = (value: unknown): string | null => {
+    try {
+      return requireRecordId(value, ctx, translate, options)
+    } catch {
+      return null
+    }
+  }
+
+  if (parsed && typeof parsed === 'object') {
+    const body = (parsed as Record<string, unknown>).body
+    const fromBody = body && typeof body === 'object' ? tryRequire(body) : null
+    if (fromBody) return fromBody
+
+    const fallback = tryRequire(parsed)
+    if (fallback) return fallback
+
+    const query = (parsed as Record<string, unknown>).query
+    if (query && typeof query === 'object') {
+      const candidate = (query as Record<string, unknown>)[queryParam]
+      if (typeof candidate === 'string' && candidate.trim().length > 0) return candidate.trim()
+    }
+  }
+
+  if (ctx.request instanceof Request) {
+    const value = new URL(ctx.request.url).searchParams.get(queryParam)
+    if (value && value.trim().length > 0) return value.trim()
+  }
+
+  const msg = resolveMessage(options.messages, 'idRequired')
+  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })
+}
+
+export function createScopedApiHelpers(baseOptions?: ScopedPayloadOptions) {
+  return {
+    withScopedPayload: <T extends Record<string, unknown>>(
+      payload: T | null | undefined,
+      ctx: ScopedContext,
+      translate: TranslateFn,
+      options: ScopedPayloadOptions = {}
+    ) => withScopedPayload(payload, ctx, translate, { ...baseOptions, ...options }),
+    parseScopedCommandInput: <TSchema extends z.ZodTypeAny>(
+      schema: TSchema,
+      payload: unknown,
+      ctx: ScopedContext,
+      translate: TranslateFn,
+      options: ScopedPayloadOptions = {}
+    ) => parseScopedCommandInput(schema, payload, ctx, translate, { ...baseOptions, ...options }),
+    requireRecordId: (
+      candidate: unknown,
+      ctx: ScopedContext,
+      translate: TranslateFn,
+      options: ScopedPayloadOptions = {}
+    ) => requireRecordId(candidate, ctx, translate, { ...baseOptions, ...options }),
+    resolveCrudRecordId: (
+      parsed: unknown,
+      ctx: ScopedContext,
+      translate: TranslateFn,
+      options: ScopedPayloadOptions & { fieldName?: string; queryParam?: string } = {}
+    ) => resolveCrudRecordId(parsed, ctx, translate, { ...baseOptions, ...options }),
+  }
+}

package/src/lib/auth/jwt.ts

@@ -0,0 +1,39 @@
+import crypto from 'node:crypto'
+
+function base64url(input: Buffer | string) {
+  return (typeof input === 'string' ? Buffer.from(input) : input)
+    .toString('base64')
+    .replace(/=/g, '')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+}
+
+export type JwtPayload = Record<string, any>
+
+export function signJwt(payload: JwtPayload, secret = process.env.JWT_SECRET!, expiresInSec = 60 * 60 * 8) {
+  if (!secret) throw new Error('JWT_SECRET is not set')
+  const header = { alg: 'HS256', typ: 'JWT' }
+  const now = Math.floor(Date.now() / 1000)
+  const body = { iat: now, exp: now + expiresInSec, ...payload }
+  const encHeader = base64url(JSON.stringify(header))
+  const encBody = base64url(JSON.stringify(body))
+  const data = `${encHeader}.${encBody}`
+  const sig = crypto.createHmac('sha256', secret).update(data).digest()
+  const encSig = base64url(sig)
+  return `${data}.${encSig}`
+}
+
+export function verifyJwt(token: string, secret = process.env.JWT_SECRET!) {
+  if (!secret) throw new Error('JWT_SECRET is not set')
+  const parts = token.split('.')
+  if (parts.length !== 3) return null
+  const [h, p, s] = parts
+  const data = `${h}.${p}`
+  const expected = base64url(crypto.createHmac('sha256', secret).update(data).digest())
+  if (!crypto.timingSafeEqual(Buffer.from(s), Buffer.from(expected))) return null
+  const payload = JSON.parse(Buffer.from(p, 'base64').toString('utf8'))
+  const now = Math.floor(Date.now() / 1000)
+  if (payload.exp && now > payload.exp) return null
+  return payload
+}
+

package/src/lib/auth/server.ts

@@ -0,0 +1,199 @@
+import { cookies } from 'next/headers'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { verifyJwt } from './jwt'
+
+const TENANT_COOKIE_NAME = 'om_selected_tenant'
+const ORGANIZATION_COOKIE_NAME = 'om_selected_org'
+const ALL_ORGANIZATIONS_COOKIE_VALUE = '__all__'
+const SUPERADMIN_ROLE = 'superadmin'
+
+export type AuthContext = {
+  sub: string
+  tenantId: string | null
+  orgId: string | null
+  email?: string
+  roles?: string[]
+  isApiKey?: boolean
+  keyId?: string
+  keyName?: string
+  [k: string]: unknown
+} | null
+
+type CookieOverride = { applied: boolean; value: string | null }
+
+function decodeCookieValue(raw: string | undefined): string | null {
+  if (raw === undefined) return null
+  try {
+    const decoded = decodeURIComponent(raw)
+    return decoded ?? null
+  } catch {
+    return raw ?? null
+  }
+}
+
+function readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {
+  if (!header) return undefined
+  const parts = header.split(';')
+  for (const part of parts) {
+    const trimmed = part.trim()
+    if (trimmed.startsWith(`${name}=`)) {
+      return trimmed.slice(name.length + 1)
+    }
+  }
+  return undefined
+}
+
+function resolveTenantOverride(raw: string | undefined): CookieOverride {
+  if (raw === undefined) return { applied: false, value: null }
+  const decoded = decodeCookieValue(raw)
+  if (!decoded) return { applied: true, value: null }
+  const trimmed = decoded.trim()
+  if (!trimmed) return { applied: true, value: null }
+  return { applied: true, value: trimmed }
+}
+
+function resolveOrganizationOverride(raw: string | undefined): CookieOverride {
+  if (raw === undefined) return { applied: false, value: null }
+  const decoded = decodeCookieValue(raw)
+  if (!decoded || decoded === ALL_ORGANIZATIONS_COOKIE_VALUE) {
+    return { applied: true, value: null }
+  }
+  const trimmed = decoded.trim()
+  if (!trimmed || trimmed === ALL_ORGANIZATIONS_COOKIE_VALUE) {
+    return { applied: true, value: null }
+  }
+  return { applied: true, value: trimmed }
+}
+
+function isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {
+  if (!auth) return false
+  if ((auth as Record<string, unknown>).isSuperAdmin === true) return true
+  const roles = Array.isArray(auth?.roles) ? auth.roles : []
+  return roles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)
+}
+
+function applySuperAdminScope(
+  auth: AuthContext,
+  tenantCookie: string | undefined,
+  orgCookie: string | undefined
+): AuthContext {
+  if (!auth || !isSuperAdminAuth(auth)) return auth
+
+  const tenantOverride = resolveTenantOverride(tenantCookie)
+  const orgOverride = resolveOrganizationOverride(orgCookie)
+  if (!tenantOverride.applied && !orgOverride.applied) return auth
+
+  type MutableAuthContext = Exclude<AuthContext, null> & {
+    actorTenantId?: string | null
+    actorOrgId?: string | null
+  }
+  const baseAuth = auth as Exclude<AuthContext, null>
+  const next: MutableAuthContext = { ...baseAuth }
+  if (tenantOverride.applied) {
+    if (!('actorTenantId' in next)) next.actorTenantId = auth?.tenantId ?? null
+    next.tenantId = tenantOverride.value
+  }
+  if (orgOverride.applied) {
+    if (!('actorOrgId' in next)) next.actorOrgId = auth?.orgId ?? null
+    next.orgId = orgOverride.value
+  }
+  next.isSuperAdmin = true
+  const existingRoles = Array.isArray(next.roles) ? next.roles : []
+  if (!existingRoles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)) {
+    next.roles = [...existingRoles, 'superadmin']
+  }
+  return next
+}
+
+async function resolveApiKeyAuth(secret: string): Promise<AuthContext> {
+  if (!secret) return null
+  try {
+    const { createRequestContainer } = await import('@open-mercato/shared/lib/di/container')
+    const container = await createRequestContainer()
+    const em = (container.resolve('em') as EntityManager)
+    const { findApiKeyBySecret } = await import('@open-mercato/core/modules/api_keys/services/apiKeyService')
+    const { Role } = await import('@open-mercato/core/modules/auth/data/entities')
+
+    const record = await findApiKeyBySecret(em, secret)
+    if (!record) return null
+
+    const roleIds = Array.isArray(record.rolesJson)
+      ? record.rolesJson.filter((value): value is string => typeof value === 'string' && value.length > 0)
+      : []
+    const roles = roleIds.length
+      ? await em.find(Role, { id: { $in: roleIds } })
+      : []
+    const roleNames = roles.map((role) => role.name).filter((name): name is string => typeof name === 'string' && name.length > 0)
+
+    try {
+      record.lastUsedAt = new Date()
+      await em.persistAndFlush(record)
+    } catch {
+      // best-effort update; ignore write failures
+    }
+
+    return {
+      sub: `api_key:${record.id}`,
+      tenantId: record.tenantId ?? null,
+      orgId: record.organizationId ?? null,
+      roles: roleNames,
+      isApiKey: true,
+      keyId: record.id,
+      keyName: record.name,
+    }
+  } catch {
+    return null
+  }
+}
+
+function extractApiKey(req: Request): string | null {
+  const header = (req.headers.get('x-api-key') || '').trim()
+  if (header) return header
+  const authHeader = (req.headers.get('authorization') || '').trim()
+  if (authHeader.toLowerCase().startsWith('apikey ')) {
+    return authHeader.slice(7).trim()
+  }
+  return null
+}
+
+export async function getAuthFromCookies(): Promise<AuthContext> {
+  const cookieStore = await cookies()
+  const token = cookieStore.get('auth_token')?.value
+  if (!token) return null
+  try {
+    const payload = verifyJwt(token) as AuthContext
+    if (!payload) return null
+    const tenantCookie = cookieStore.get(TENANT_COOKIE_NAME)?.value
+    const orgCookie = cookieStore.get(ORGANIZATION_COOKIE_NAME)?.value
+    return applySuperAdminScope(payload, tenantCookie, orgCookie)
+  } catch {
+    return null
+  }
+}
+
+export async function getAuthFromRequest(req: Request): Promise<AuthContext> {
+  const cookieHeader = req.headers.get('cookie') || ''
+  const tenantCookie = readCookieFromHeader(cookieHeader, TENANT_COOKIE_NAME)
+  const orgCookie = readCookieFromHeader(cookieHeader, ORGANIZATION_COOKIE_NAME)
+  const authHeader = (req.headers.get('authorization') || '').trim()
+  let token: string | undefined
+  if (authHeader.toLowerCase().startsWith('bearer ')) token = authHeader.slice(7).trim()
+  if (!token) {
+    const match = cookieHeader.match(/(?:^|;\s*)auth_token=([^;]+)/)
+    if (match) token = decodeURIComponent(match[1])
+  }
+  if (token) {
+    try {
+      const payload = verifyJwt(token) as AuthContext
+      if (payload) return applySuperAdminScope(payload, tenantCookie, orgCookie)
+    } catch {
+      // fall back to API key detection
+    }
+  }
+
+  const apiKey = extractApiKey(req)
+  if (!apiKey) return null
+  const apiAuth = await resolveApiKeyAuth(apiKey)
+  if (!apiAuth) return null
+  return applySuperAdminScope(apiAuth, tenantCookie, orgCookie)
+}

package/src/lib/boolean.ts

@@ -0,0 +1,17 @@
+export const TRUE_VALUES = new Set(['1', 'true', 'yes', 'y', 'on', 'enable', 'enabled'])
+export const FALSE_VALUES = new Set(['0', 'false', 'no', 'n', 'off', 'disable', 'disabled'])
+
+export function parseBooleanToken(raw: string | null | undefined): boolean | null {
+  if (typeof raw !== 'string') return null
+  const trimmed = raw.trim()
+  if (!trimmed) return null
+  const normalized = trimmed.toLowerCase()
+  if (TRUE_VALUES.has(normalized)) return true
+  if (FALSE_VALUES.has(normalized)) return false
+  return null
+}
+
+export function parseBooleanWithDefault(raw: string | null | undefined, fallback: boolean): boolean {
+  const parsed = parseBooleanToken(raw)
+  return parsed === null ? fallback : parsed
+}

package/src/lib/bootstrap/appResolver.ts

@@ -0,0 +1,85 @@
+import path from 'node:path'
+import fs from 'node:fs'
+
+export interface AppRoot {
+  appDir: string
+  mercatoDir: string
+  generatedDir: string
+}
+
+/**
+ * Find the Next.js app root by searching for next.config.ts/js/mjs.
+ *
+ * Starts from the given directory (defaults to cwd) and walks up the
+ * directory tree until it finds a Next.js config file with a .mercato/generated
+ * directory.
+ *
+ * @param startDir - Directory to start searching from (defaults to process.cwd())
+ * @returns The resolved app root paths, or null if not found
+ */
+export function findAppRoot(startDir: string = process.cwd()): AppRoot | null {
+  let current = startDir
+
+  while (current !== path.dirname(current)) {
+    const configTs = path.join(current, 'next.config.ts')
+    const configJs = path.join(current, 'next.config.js')
+    const configMjs = path.join(current, 'next.config.mjs')
+
+    if (fs.existsSync(configTs) || fs.existsSync(configJs) || fs.existsSync(configMjs)) {
+      const mercatoDir = path.join(current, '.mercato')
+      const generatedDir = path.join(mercatoDir, 'generated')
+
+      // Only return if .mercato/generated exists
+      if (fs.existsSync(generatedDir)) {
+        return { appDir: current, mercatoDir, generatedDir }
+      }
+
+      // Found Next.js config but no .mercato/generated - return anyway for generate command
+      // The caller can decide whether to create the directory
+      return { appDir: current, mercatoDir, generatedDir }
+    }
+
+    current = path.dirname(current)
+  }
+
+  return null
+}
+
+/**
+ * Find all apps with .mercato directories in a monorepo.
+ *
+ * Scans the apps/ directory for Next.js apps with .mercato/generated directories.
+ *
+ * @param rootDir - The monorepo root directory
+ * @returns Array of app root paths
+ */
+export function findAllApps(rootDir: string): AppRoot[] {
+  const appsDir = path.join(rootDir, 'apps')
+  if (!fs.existsSync(appsDir)) return []
+
+  const apps: AppRoot[] = []
+  const entries = fs.readdirSync(appsDir, { withFileTypes: true })
+
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue
+
+    const appDir = path.join(appsDir, entry.name)
+
+    // Check for Next.js config
+    const hasNextConfig =
+      fs.existsSync(path.join(appDir, 'next.config.ts')) ||
+      fs.existsSync(path.join(appDir, 'next.config.js')) ||
+      fs.existsSync(path.join(appDir, 'next.config.mjs'))
+
+    if (!hasNextConfig) continue
+
+    const mercatoDir = path.join(appDir, '.mercato')
+    const generatedDir = path.join(mercatoDir, 'generated')
+
+    if (fs.existsSync(generatedDir)) {
+      apps.push({ appDir, mercatoDir, generatedDir })
+    }
+  }
+
+  return apps
+}