@oxyhq/core 1.11.10 → 1.11.11

package/dist/esm/OxyServices.base.js

@@ -138,6 +138,27 @@ export class OxyServicesBase {
     getAccessToken() {
         return this.httpService.getAccessToken();
     }
+    /**
+     * Set the acting-as identity for managed accounts.
+     *
+     * When set, all subsequent API requests will include the `X-Acting-As` header,
+     * causing the server to attribute actions to the managed account. The
+     * authenticated user must be an authorized manager of the target account.
+     *
+     * Pass `null` to clear and revert to the authenticated user's own identity.
+     *
+     * @param userId - The managed account user ID, or null to clear
+     */
+    setActingAs(userId) {
+        this.httpService.setActingAs(userId);
+    }
+    /**
+     * Get the current acting-as identity (managed account user ID), or null
+     * if operating as the authenticated user's own identity.
+     */
+    getActingAs() {
+        return this.httpService.getActingAs();
+    }
     /**
      * Wait for authentication to be ready
      *

package/dist/esm/mixins/OxyServices.managedAccounts.js

@@ -0,0 +1,114 @@
+export function OxyServicesManagedAccountsMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Create a new managed account (sub-account).
+         *
+         * The server creates a User document with `isManagedAccount: true` and links
+         * it to the authenticated user as owner.
+         */
+        async createManagedAccount(data) {
+            try {
+                return await this.makeRequest('POST', '/managed-accounts', data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List all accounts the authenticated user manages.
+         */
+        async getManagedAccounts() {
+            try {
+                return await this.makeRequest('GET', '/managed-accounts', undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000, // 2 minutes cache
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get details for a specific managed account.
+         */
+        async getManagedAccountDetails(accountId) {
+            try {
+                return await this.makeRequest('GET', `/managed-accounts/${accountId}`, undefined, {
+                    cache: true,
+                    cacheTTL: 2 * 60 * 1000,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a managed account's profile data.
+         * Requires owner or admin role.
+         */
+        async updateManagedAccount(accountId, data) {
+            try {
+                return await this.makeRequest('PUT', `/managed-accounts/${accountId}`, data, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Delete a managed account permanently.
+         * Requires owner role.
+         */
+        async deleteManagedAccount(accountId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a manager to a managed account.
+         * Requires owner or admin role on the account.
+         *
+         * @param accountId - The managed account to add the manager to
+         * @param userId - The user to grant management access
+         * @param role - The role to assign: 'admin' or 'editor'
+         */
+        async addManager(accountId, userId, role) {
+            try {
+                await this.makeRequest('POST', `/managed-accounts/${accountId}/managers`, { userId, role }, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a manager from a managed account.
+         * Requires owner role.
+         *
+         * @param accountId - The managed account
+         * @param userId - The manager to remove
+         */
+        async removeManager(accountId, userId) {
+            try {
+                await this.makeRequest('DELETE', `/managed-accounts/${accountId}/managers/${userId}`, undefined, {
+                    cache: false,
+                });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/esm/mixins/OxyServices.utility.js

@@ -10,6 +10,41 @@ export function OxyServicesUtilityMixin(Base) {
     return class extends Base {
         constructor(...args) {
             super(...args);
+            /** @internal In-memory cache for acting-as verification results (TTL: 5 min) */
+            this._actingAsCache = new Map();
+        }
+        /**
+         * Verify that a user is authorized to act as a managed account.
+         * Results are cached in-memory for 5 minutes to avoid repeated API calls.
+         *
+         * @internal Used by the auth() middleware — not part of the public API
+         */
+        async verifyActingAs(userId, accountId) {
+            const cacheKey = `${userId}:${accountId}`;
+            const now = Date.now();
+            // Check cache
+            const cached = this._actingAsCache.get(cacheKey);
+            if (cached && cached.expiresAt > now) {
+                return cached.result;
+            }
+            // Query the API
+            try {
+                const result = await this.makeRequest('GET', '/managed-accounts/verify', { accountId, userId }, { cache: false, retry: false, timeout: 5000 });
+                // Cache successful result for 5 minutes
+                this._actingAsCache.set(cacheKey, {
+                    result: result && result.authorized ? result : null,
+                    expiresAt: now + 5 * 60 * 1000,
+                });
+                return result && result.authorized ? result : null;
+            }
+            catch {
+                // Cache negative result for 1 minute to avoid hammering on transient errors
+                this._actingAsCache.set(cacheKey, {
+                    result: null,
+                    expiresAt: now + 1 * 60 * 1000,
+                });
+                return null;
+            }
         }
         /**
          * Fetch link metadata
@@ -72,6 +107,45 @@ export function OxyServicesUtilityMixin(Base) {
             const oxyInstance = this;
             // Return an async middleware function
             return async (req, res, next) => {
+                // Process X-Acting-As header for managed account identity delegation.
+                // Called after successful authentication, before next(). If the header
+                // is present, verifies authorization and swaps the request identity to
+                // the managed account, preserving the original user for audit trails.
+                const processActingAs = async () => {
+                    const actingAsUserId = req.headers['x-acting-as'];
+                    if (!actingAsUserId)
+                        return true; // No header, proceed normally
+                    const verification = await oxyInstance.verifyActingAs(req.userId, actingAsUserId);
+                    if (!verification) {
+                        const error = {
+                            error: 'ACTING_AS_UNAUTHORIZED',
+                            message: 'Not authorized to act as this account',
+                            code: 'ACTING_AS_UNAUTHORIZED',
+                            status: 403,
+                        };
+                        if (onError) {
+                            onError(error);
+                        }
+                        else {
+                            res.status(403).json(error);
+                        }
+                        return false;
+                    }
+                    // Preserve original user for audit trails
+                    req.originalUser = { id: req.userId, ...req.user };
+                    req.actingAs = { userId: actingAsUserId, role: verification.role };
+                    // Swap user identity to the managed account
+                    req.userId = actingAsUserId;
+                    req.user = { id: actingAsUserId };
+                    // Also set _id for routes that use Pattern B (req.user._id)
+                    if (req.user) {
+                        req.user._id = actingAsUserId;
+                    }
+                    if (debug) {
+                        console.log(`[oxy.auth] Acting as ${actingAsUserId} (role=${verification.role}) original=${req.originalUser.id}`);
+                    }
+                    return true;
+                };
                 try {
                     // Extract token from Authorization header or query params
                     const authHeader = req.headers['authorization'];
@@ -294,7 +368,10 @@ export function OxyServicesUtilityMixin(Base) {
                             if (debug) {
                                 console.log(`[oxy.auth] OK user=${userId} session=${decoded.sessionId}`);
                             }
-                            return next();
+                            // Process X-Acting-As header before proceeding
+                            if (await processActingAs())
+                                return next();
+                            return;
                         }
                         catch (validationError) {
                             if (debug) {
@@ -345,7 +422,9 @@ export function OxyServicesUtilityMixin(Base) {
                     if (debug) {
                         console.log(`[oxy.auth] OK user=${userId} (no session)`);
                     }
-                    next();
+                    // Process X-Acting-As header before proceeding
+                    if (await processActingAs())
+                        next();
                 }
                 catch (error) {
                     const apiError = oxyInstance.handleError(error);

package/dist/esm/mixins/index.js

@@ -23,6 +23,7 @@ import { OxyServicesSecurityMixin } from './OxyServices.security.js';
 import { OxyServicesUtilityMixin } from './OxyServices.utility.js';
 import { OxyServicesFeaturesMixin } from './OxyServices.features.js';
 import { OxyServicesTopicsMixin } from './OxyServices.topics.js';
+import { OxyServicesManagedAccountsMixin } from './OxyServices.managedAccounts.js';
 /**
  * Mixin pipeline - applied in order from first to last.
  *
@@ -60,6 +61,7 @@ const MIXIN_PIPELINE = [
     OxyServicesSecurityMixin,
     OxyServicesFeaturesMixin,
     OxyServicesTopicsMixin,
+    OxyServicesManagedAccountsMixin,
     // Utility (last, can use all above)
     OxyServicesUtilityMixin,
 ];