npm - @rovela-ai/sdk - Versions diffs - 0.2.0 → 0.3.0 - Mend

@rovela-ai/sdk 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/dist/admin/api/accept-invite.d.ts +65 -0
package/dist/admin/api/accept-invite.d.ts.map +1 -0
package/dist/admin/api/accept-invite.js +115 -0
package/dist/admin/api/accept-invite.js.map +1 -0
package/dist/admin/api/categories.d.ts.map +1 -1
package/dist/admin/api/categories.js +21 -28
package/dist/admin/api/categories.js.map +1 -1
package/dist/admin/api/customers.d.ts.map +1 -1
package/dist/admin/api/customers.js +17 -25
package/dist/admin/api/customers.js.map +1 -1
package/dist/admin/api/forgot-password.d.ts +39 -0
package/dist/admin/api/forgot-password.d.ts.map +1 -0
package/dist/admin/api/forgot-password.js +66 -0
package/dist/admin/api/forgot-password.js.map +1 -0
package/dist/admin/api/index.d.ts +6 -0
package/dist/admin/api/index.d.ts.map +1 -1
package/dist/admin/api/index.js +9 -0
package/dist/admin/api/index.js.map +1 -1
package/dist/admin/api/me.d.ts +72 -0
package/dist/admin/api/me.d.ts.map +1 -0
package/dist/admin/api/me.js +177 -0
package/dist/admin/api/me.js.map +1 -0
package/dist/admin/api/orders.d.ts.map +1 -1
package/dist/admin/api/orders.js +21 -28
package/dist/admin/api/orders.js.map +1 -1
package/dist/admin/api/products.d.ts.map +1 -1
package/dist/admin/api/products.js +33 -37
package/dist/admin/api/products.js.map +1 -1
package/dist/admin/api/refund.d.ts.map +1 -1
package/dist/admin/api/refund.js +5 -7
package/dist/admin/api/refund.js.map +1 -1
package/dist/admin/api/reset-password.d.ts +49 -0
package/dist/admin/api/reset-password.d.ts.map +1 -0
package/dist/admin/api/reset-password.js +99 -0
package/dist/admin/api/reset-password.js.map +1 -0
package/dist/admin/api/return.d.ts.map +1 -1
package/dist/admin/api/return.js +9 -12
package/dist/admin/api/return.js.map +1 -1
package/dist/admin/api/settings.d.ts.map +1 -1
package/dist/admin/api/settings.js +9 -12
package/dist/admin/api/settings.js.map +1 -1
package/dist/admin/api/shipping.d.ts.map +1 -1
package/dist/admin/api/shipping.js +65 -61
package/dist/admin/api/shipping.js.map +1 -1
package/dist/admin/api/stats.d.ts.map +1 -1
package/dist/admin/api/stats.js +5 -7
package/dist/admin/api/stats.js.map +1 -1
package/dist/admin/api/stripe-status.d.ts.map +1 -1
package/dist/admin/api/stripe-status.js +5 -7
package/dist/admin/api/stripe-status.js.map +1 -1
package/dist/admin/api/tax-zones.d.ts.map +1 -1
package/dist/admin/api/tax-zones.js +21 -28
package/dist/admin/api/tax-zones.js.map +1 -1
package/dist/admin/api/users.d.ts +142 -0
package/dist/admin/api/users.d.ts.map +1 -0
package/dist/admin/api/users.js +356 -0
package/dist/admin/api/users.js.map +1 -0
package/dist/admin/components/AdminAcceptInviteForm.d.ts +3 -0
package/dist/admin/components/AdminAcceptInviteForm.d.ts.map +1 -0
package/dist/admin/components/AdminAcceptInviteForm.js +137 -0
package/dist/admin/components/AdminAcceptInviteForm.js.map +1 -0
package/dist/admin/components/AdminAccountPage.d.ts +10 -0
package/dist/admin/components/AdminAccountPage.d.ts.map +1 -0
package/dist/admin/components/AdminAccountPage.js +123 -0
package/dist/admin/components/AdminAccountPage.js.map +1 -0
package/dist/admin/components/AdminForgotPasswordForm.d.ts +8 -0
package/dist/admin/components/AdminForgotPasswordForm.d.ts.map +1 -0
package/dist/admin/components/AdminForgotPasswordForm.js +59 -0
package/dist/admin/components/AdminForgotPasswordForm.js.map +1 -0
package/dist/admin/components/AdminNav.d.ts.map +1 -1
package/dist/admin/components/AdminNav.js +39 -8
package/dist/admin/components/AdminNav.js.map +1 -1
package/dist/admin/components/AdminResetPasswordForm.d.ts +12 -0
package/dist/admin/components/AdminResetPasswordForm.d.ts.map +1 -0
package/dist/admin/components/AdminResetPasswordForm.js +134 -0
package/dist/admin/components/AdminResetPasswordForm.js.map +1 -0
package/dist/admin/components/AdminUserMenu.d.ts.map +1 -1
package/dist/admin/components/AdminUserMenu.js +2 -2
package/dist/admin/components/AdminUserMenu.js.map +1 -1
package/dist/admin/components/InviteUserDialog.d.ts +3 -0
package/dist/admin/components/InviteUserDialog.d.ts.map +1 -0
package/dist/admin/components/InviteUserDialog.js +127 -0
package/dist/admin/components/InviteUserDialog.js.map +1 -0
package/dist/admin/components/UsersTable.d.ts +3 -0
package/dist/admin/components/UsersTable.d.ts.map +1 -0
package/dist/admin/components/UsersTable.js +399 -0
package/dist/admin/components/UsersTable.js.map +1 -0
package/dist/admin/components/index.d.ts +9 -0
package/dist/admin/components/index.d.ts.map +1 -1
package/dist/admin/components/index.js +9 -0
package/dist/admin/components/index.js.map +1 -1
package/dist/admin/config.d.ts.map +1 -1
package/dist/admin/config.js +23 -1
package/dist/admin/config.js.map +1 -1
package/dist/admin/hooks/index.d.ts +4 -0
package/dist/admin/hooks/index.d.ts.map +1 -1
package/dist/admin/hooks/index.js +3 -0
package/dist/admin/hooks/index.js.map +1 -1
package/dist/admin/hooks/useAdminMe.d.ts +31 -0
package/dist/admin/hooks/useAdminMe.d.ts.map +1 -0
package/dist/admin/hooks/useAdminMe.js +103 -0
package/dist/admin/hooks/useAdminMe.js.map +1 -0
package/dist/admin/hooks/useAdminPermissions.d.ts +3 -0
package/dist/admin/hooks/useAdminPermissions.d.ts.map +1 -0
package/dist/admin/hooks/useAdminPermissions.js +51 -0
package/dist/admin/hooks/useAdminPermissions.js.map +1 -0
package/dist/admin/hooks/useAdminUsers.d.ts +3 -0
package/dist/admin/hooks/useAdminUsers.d.ts.map +1 -0
package/dist/admin/hooks/useAdminUsers.js +240 -0
package/dist/admin/hooks/useAdminUsers.js.map +1 -0
package/dist/admin/index.d.ts +4 -4
package/dist/admin/index.d.ts.map +1 -1
package/dist/admin/index.js +20 -2
package/dist/admin/index.js.map +1 -1
package/dist/admin/permissions.d.ts +92 -0
package/dist/admin/permissions.d.ts.map +1 -0
package/dist/admin/permissions.js +201 -0
package/dist/admin/permissions.js.map +1 -0
package/dist/admin/server/admin-invite.d.ts +122 -0
package/dist/admin/server/admin-invite.d.ts.map +1 -0
package/dist/admin/server/admin-invite.js +235 -0
package/dist/admin/server/admin-invite.js.map +1 -0
package/dist/admin/server/admin-password-reset.d.ts +87 -0
package/dist/admin/server/admin-password-reset.d.ts.map +1 -0
package/dist/admin/server/admin-password-reset.js +220 -0
package/dist/admin/server/admin-password-reset.js.map +1 -0
package/dist/admin/server/admin-self-service.d.ts +86 -0
package/dist/admin/server/admin-self-service.d.ts.map +1 -0
package/dist/admin/server/admin-self-service.js +188 -0
package/dist/admin/server/admin-self-service.js.map +1 -0
package/dist/admin/server/admin-service.d.ts.map +1 -1
package/dist/admin/server/admin-service.js +21 -2
package/dist/admin/server/admin-service.js.map +1 -1
package/dist/admin/server/admin-session.d.ts +126 -0
package/dist/admin/server/admin-session.d.ts.map +1 -0
package/dist/admin/server/admin-session.js +215 -0
package/dist/admin/server/admin-session.js.map +1 -0
package/dist/admin/server/index.d.ts +7 -0
package/dist/admin/server/index.d.ts.map +1 -1
package/dist/admin/server/index.js +20 -0
package/dist/admin/server/index.js.map +1 -1
package/dist/admin/server/user-management.d.ts +223 -0
package/dist/admin/server/user-management.d.ts.map +1 -0
package/dist/admin/server/user-management.js +846 -0
package/dist/admin/server/user-management.js.map +1 -0
package/dist/admin/types.d.ts +153 -2
package/dist/admin/types.d.ts.map +1 -1
package/dist/core/db/queries.d.ts +19 -13
package/dist/core/db/queries.d.ts.map +1 -1
package/dist/core/db/schema.d.ts +327 -9
package/dist/core/db/schema.d.ts.map +1 -1
package/dist/core/db/schema.js +80 -3
package/dist/core/db/schema.js.map +1 -1
package/dist/core/types.d.ts +19 -3
package/dist/core/types.d.ts.map +1 -1
package/dist/emails/index.d.ts +2 -2
package/dist/emails/index.d.ts.map +1 -1
package/dist/emails/index.js +3 -1
package/dist/emails/index.js.map +1 -1
package/dist/emails/send/admin-auth.d.ts +94 -0
package/dist/emails/send/admin-auth.d.ts.map +1 -0
package/dist/emails/send/admin-auth.js +118 -0
package/dist/emails/send/admin-auth.js.map +1 -0
package/dist/emails/send/index.d.ts +2 -0
package/dist/emails/send/index.d.ts.map +1 -1
package/dist/emails/send/index.js +4 -0
package/dist/emails/send/index.js.map +1 -1
package/dist/emails/templates/admin-invite.d.ts +40 -0
package/dist/emails/templates/admin-invite.d.ts.map +1 -0
package/dist/emails/templates/admin-invite.js +62 -0
package/dist/emails/templates/admin-invite.js.map +1 -0
package/dist/emails/templates/index.d.ts +1 -0
package/dist/emails/templates/index.d.ts.map +1 -1
package/dist/emails/templates/index.js +4 -0
package/dist/emails/templates/index.js.map +1 -1
package/dist/emails/types.d.ts +22 -1
package/dist/emails/types.d.ts.map +1 -1
package/package.json +21 -1

package/dist/admin/server/admin-password-reset.d.ts ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * @rovela/sdk/admin/server/admin-password-reset
+ *
+ * Admin password reset token management.
+ *
+ * Mirrors `auth/server/password-reset-service.ts` (the customer version),
+ * with one critical addition: admins whose status is not 'active' are
+ * silently skipped. This blocks deactivated and invited admins from
+ * recovering access via the reset flow — deactivated admins must stay
+ * deactivated, invited admins must go through the invite-accept flow
+ * (Phase 3). The caller always receives `{success: true}` regardless
+ * to preserve enumeration safety.
+ *
+ * Each store has its own database (via Neon branches), so there's no
+ * tenant filtering. The `admin_password_reset_tokens` table was created
+ * for every active store during the Phase 0 migration.
+ */
+/**
+ * Request a password reset for an admin.
+ *
+ * Creates a token and sends the reset email. Always returns `{success: true}`
+ * regardless of whether the email belongs to a real admin — this prevents
+ * email enumeration attacks and keeps the HTTP response shape identical for
+ * all outcomes.
+ *
+ * Silently skipped cases (all return success without side effects):
+ *   - Email doesn't belong to any admin
+ *   - Admin exists but status !== 'active' (deactivated or invited)
+ *   - Email sending fails (error is logged, not exposed)
+ *
+ * @param email - The admin's email address
+ * @returns Always `{success: true}` — see above
+ *
+ * @example
+ * ```typescript
+ * await requestAdminPasswordReset('owner@store.com')
+ * // Always show: "If an account exists with this email, we've sent a reset link."
+ * ```
+ */
+export declare function requestAdminPasswordReset(email: string): Promise<{
+    success: boolean;
+}>;
+/**
+ * Validate a reset token without consuming it.
+ *
+ * Used by the reset page to decide whether to show the "enter new password"
+ * form or an "invalid/expired link" error. Expired tokens are cleaned up
+ * opportunistically as a side effect.
+ *
+ * @param token - The token from the reset link
+ */
+export declare function validateAdminResetToken(token: string): Promise<{
+    valid: boolean;
+    error?: string;
+}>;
+/**
+ * Reset an admin's password using a valid token.
+ *
+ * Validates the token, updates the password via `updateAdminPassword`
+ * (which handles hashing), then deletes ALL reset tokens for that admin
+ * so a stale link can't be reused after a successful reset.
+ *
+ * @param token - The token from the reset link
+ * @param newPassword - The new plain-text password (will be hashed)
+ */
+export declare function resetAdminPassword(token: string, newPassword: string): Promise<{
+    success: boolean;
+    error?: string;
+}>;
+/**
+ * Delete all password reset tokens for a specific admin.
+ *
+ * Called at two points:
+ *   1. Before issuing a new token (clear stale ones)
+ *   2. After a successful reset (invalidate the used batch)
+ */
+export declare function deleteAdminPasswordResetTokens(adminId: string): Promise<void>;
+/**
+ * Delete expired reset tokens across all admins.
+ *
+ * Optional hook for a periodic cleanup job (e.g. cron). Safe to call
+ * anytime — no-op if nothing is expired.
+ *
+ * @returns Number of tokens deleted
+ */
+export declare function cleanupExpiredAdminResetTokens(): Promise<number>;
+//# sourceMappingURL=admin-password-reset.d.ts.map

package/dist/admin/server/admin-password-reset.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-password-reset.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-password-reset.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAkCH;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACtE,OAAO,EAAE,OAAO,CAAA;CACjB,CAAC,CAoDD;AAMD;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACpE,KAAK,EAAE,OAAO,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAC,CA6BD;AAMD;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkC/C;AAMD;;;;;;GAMG;AACH,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED;;;;;;;GAOG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,MAAM,CAAC,CAStE"}

package/dist/admin/server/admin-password-reset.js ADDED Viewed

@@ -0,0 +1,220 @@
+/**
+ * @rovela/sdk/admin/server/admin-password-reset
+ *
+ * Admin password reset token management.
+ *
+ * Mirrors `auth/server/password-reset-service.ts` (the customer version),
+ * with one critical addition: admins whose status is not 'active' are
+ * silently skipped. This blocks deactivated and invited admins from
+ * recovering access via the reset flow — deactivated admins must stay
+ * deactivated, invited admins must go through the invite-accept flow
+ * (Phase 3). The caller always receives `{success: true}` regardless
+ * to preserve enumeration safety.
+ *
+ * Each store has its own database (via Neon branches), so there's no
+ * tenant filtering. The `admin_password_reset_tokens` table was created
+ * for every active store during the Phase 0 migration.
+ */
+import { eq, lt } from 'drizzle-orm';
+import { nanoid } from 'nanoid';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { findAdminByEmail, updateAdminPassword } from './admin-service';
+import { sendAdminPasswordResetEmail } from '../../emails/send/admin-auth';
+import { getStoreUrl } from '../../emails/config';
+// =============================================================================
+// Constants
+// =============================================================================
+/**
+ * Password reset token expiry time in milliseconds (1 hour).
+ * Matches customer reset flow.
+ */
+const TOKEN_EXPIRY_MS = 60 * 60 * 1000;
+/**
+ * Token length (URL-safe, ~192 bits of entropy with nanoid).
+ */
+const TOKEN_LENGTH = 32;
+/**
+ * Display string for the expiry duration — passed to the email template.
+ */
+const TOKEN_EXPIRY_HOURS = '1';
+// =============================================================================
+// Request reset
+// =============================================================================
+/**
+ * Request a password reset for an admin.
+ *
+ * Creates a token and sends the reset email. Always returns `{success: true}`
+ * regardless of whether the email belongs to a real admin — this prevents
+ * email enumeration attacks and keeps the HTTP response shape identical for
+ * all outcomes.
+ *
+ * Silently skipped cases (all return success without side effects):
+ *   - Email doesn't belong to any admin
+ *   - Admin exists but status !== 'active' (deactivated or invited)
+ *   - Email sending fails (error is logged, not exposed)
+ *
+ * @param email - The admin's email address
+ * @returns Always `{success: true}` — see above
+ *
+ * @example
+ * ```typescript
+ * await requestAdminPasswordReset('owner@store.com')
+ * // Always show: "If an account exists with this email, we've sent a reset link."
+ * ```
+ */
+export async function requestAdminPasswordReset(email) {
+    const admin = await findAdminByEmail(email);
+    // Enumeration-safe fast exits
+    if (!admin) {
+        return { success: true };
+    }
+    // Block deactivated and invited admins from using the reset flow.
+    // Deactivated: must stay locked out. Invited: should use the invite
+    // accept flow (Phase 3), not the reset flow.
+    const status = admin.status ?? 'active';
+    if (status !== 'active') {
+        return { success: true };
+    }
+    // Clear any existing reset tokens for this admin — "only the latest
+    // reset link works" policy, same as customer flow.
+    await deleteAdminPasswordResetTokens(admin.id);
+    // Generate new token
+    const db = getDb();
+    const token = nanoid(TOKEN_LENGTH);
+    const expires = new Date(Date.now() + TOKEN_EXPIRY_MS);
+    await db.insert(schema.adminPasswordResetTokens).values({
+        adminId: admin.id,
+        token,
+        expires,
+    });
+    // Send the email. Failures are logged but never propagated — returning
+    // success keeps the enumeration-safe contract and prevents leaking
+    // infrastructure state (e.g. "Resend is down").
+    try {
+        const storeUrl = getStoreUrl();
+        const resetLink = `${storeUrl}/admin/reset-password?token=${encodeURIComponent(token)}`;
+        await sendAdminPasswordResetEmail({
+            to: email,
+            adminName: admin.name,
+            resetLink,
+            expiryTime: TOKEN_EXPIRY_HOURS,
+        });
+    }
+    catch (error) {
+        console.error('[admin-password-reset] Failed to send reset email:', error instanceof Error ? error.message : error);
+        // Do not fail the request — enumeration safety + infra privacy.
+    }
+    return { success: true };
+}
+// =============================================================================
+// Validate token (non-destructive check)
+// =============================================================================
+/**
+ * Validate a reset token without consuming it.
+ *
+ * Used by the reset page to decide whether to show the "enter new password"
+ * form or an "invalid/expired link" error. Expired tokens are cleaned up
+ * opportunistically as a side effect.
+ *
+ * @param token - The token from the reset link
+ */
+export async function validateAdminResetToken(token) {
+    const db = getDb();
+    const [record] = await db
+        .select()
+        .from(schema.adminPasswordResetTokens)
+        .where(eq(schema.adminPasswordResetTokens.token, token))
+        .limit(1);
+    if (!record) {
+        return {
+            valid: false,
+            error: 'Invalid or expired reset link. Please request a new one.',
+        };
+    }
+    if (new Date() > record.expires) {
+        // Opportunistic cleanup
+        await db
+            .delete(schema.adminPasswordResetTokens)
+            .where(eq(schema.adminPasswordResetTokens.id, record.id));
+        return {
+            valid: false,
+            error: 'Reset link has expired. Please request a new one.',
+        };
+    }
+    return { valid: true };
+}
+// =============================================================================
+// Reset password (consumes token)
+// =============================================================================
+/**
+ * Reset an admin's password using a valid token.
+ *
+ * Validates the token, updates the password via `updateAdminPassword`
+ * (which handles hashing), then deletes ALL reset tokens for that admin
+ * so a stale link can't be reused after a successful reset.
+ *
+ * @param token - The token from the reset link
+ * @param newPassword - The new plain-text password (will be hashed)
+ */
+export async function resetAdminPassword(token, newPassword) {
+    const db = getDb();
+    const [record] = await db
+        .select()
+        .from(schema.adminPasswordResetTokens)
+        .where(eq(schema.adminPasswordResetTokens.token, token))
+        .limit(1);
+    if (!record) {
+        return {
+            success: false,
+            error: 'Invalid or expired reset link. Please request a new one.',
+        };
+    }
+    if (new Date() > record.expires) {
+        await db
+            .delete(schema.adminPasswordResetTokens)
+            .where(eq(schema.adminPasswordResetTokens.id, record.id));
+        return {
+            success: false,
+            error: 'Reset link has expired. Please request a new one.',
+        };
+    }
+    // Hash + update via the existing admin-service helper
+    await updateAdminPassword(record.adminId, newPassword);
+    // Wipe all reset tokens for this admin — one-time use for the whole batch
+    await deleteAdminPasswordResetTokens(record.adminId);
+    return { success: true };
+}
+// =============================================================================
+// Housekeeping
+// =============================================================================
+/**
+ * Delete all password reset tokens for a specific admin.
+ *
+ * Called at two points:
+ *   1. Before issuing a new token (clear stale ones)
+ *   2. After a successful reset (invalidate the used batch)
+ */
+export async function deleteAdminPasswordResetTokens(adminId) {
+    const db = getDb();
+    await db
+        .delete(schema.adminPasswordResetTokens)
+        .where(eq(schema.adminPasswordResetTokens.adminId, adminId));
+}
+/**
+ * Delete expired reset tokens across all admins.
+ *
+ * Optional hook for a periodic cleanup job (e.g. cron). Safe to call
+ * anytime — no-op if nothing is expired.
+ *
+ * @returns Number of tokens deleted
+ */
+export async function cleanupExpiredAdminResetTokens() {
+    const db = getDb();
+    const result = await db
+        .delete(schema.adminPasswordResetTokens)
+        .where(lt(schema.adminPasswordResetTokens.expires, new Date()))
+        .returning({ id: schema.adminPasswordResetTokens.id });
+    return result.length;
+}
+//# sourceMappingURL=admin-password-reset.js.map

package/dist/admin/server/admin-password-reset.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-password-reset.js","sourceRoot":"","sources":["../../../src/admin/server/admin-password-reset.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AACvE,OAAO,EAAE,2BAA2B,EAAE,MAAM,8BAA8B,CAAA;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AAEjD,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAEtC;;GAEG;AACH,MAAM,YAAY,GAAG,EAAE,CAAA;AAEvB;;GAEG;AACH,MAAM,kBAAkB,GAAG,GAAG,CAAA;AAE9B,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,KAAa;IAG3D,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAE3C,8BAA8B;IAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED,kEAAkE;IAClE,oEAAoE;IACpE,6CAA6C;IAC7C,MAAM,MAAM,GAAI,KAA6B,CAAC,MAAM,IAAI,QAAQ,CAAA;IAChE,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED,oEAAoE;IACpE,mDAAmD;IACnD,MAAM,8BAA8B,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA;IAE9C,qBAAqB;IACrB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAClB,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,CAAA;IAClC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAA;IAEtD,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC,MAAM,CAAC;QACtD,OAAO,EAAE,KAAK,CAAC,EAAE;QACjB,KAAK;QACL,OAAO;KACR,CAAC,CAAA;IAEF,uEAAuE;IACvE,mEAAmE;IACnE,gDAAgD;IAChD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;QAC9B,MAAM,SAAS,GAAG,GAAG,QAAQ,+BAA+B,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAA;QACvF,MAAM,2BAA2B,CAAC;YAChC,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,KAAK,CAAC,IAAI;YACrB,SAAS;YACT,UAAU,EAAE,kBAAkB;SAC/B,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CACX,oDAAoD,EACpD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAC/C,CAAA;QACD,gEAAgE;IAClE,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC;AAED,gFAAgF;AAChF,yCAAyC;AACzC,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAAa;IAIzD,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC;SACrC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;SACvD,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,0DAA0D;SAClE,CAAA;IACH,CAAC;IAED,IAAI,IAAI,IAAI,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAChC,wBAAwB;QACxB,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC;aACvC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAA;QAE3D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,mDAAmD;SAC3D,CAAA;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,WAAmB;IAEnB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,EAAE;SACtB,MAAM,EAAE;SACR,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC;SACrC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;SACvD,KAAK,CAAC,CAAC,CAAC,CAAA;IAEX,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,0DAA0D;SAClE,CAAA;IACH,CAAC;IAED,IAAI,IAAI,IAAI,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAChC,MAAM,EAAE;aACL,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC;aACvC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAA;QAE3D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,mDAAmD;SAC3D,CAAA;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,mBAAmB,CAAC,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtD,0EAA0E;IAC1E,MAAM,8BAA8B,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAEpD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC1B,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,OAAe;IAEf,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,EAAE;SACL,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC;SACvC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAA;AAChE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B;IAClD,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;IAElB,MAAM,MAAM,GAAG,MAAM,EAAE;SACpB,MAAM,CAAC,MAAM,CAAC,wBAAwB,CAAC;SACvC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;SAC9D,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,wBAAwB,CAAC,EAAE,EAAE,CAAC,CAAA;IAExD,OAAO,MAAM,CAAC,MAAM,CAAA;AACtB,CAAC"}

package/dist/admin/server/admin-self-service.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * @rovela/sdk/admin/server/admin-self-service
+ *
+ * Self-service helpers for logged-in admins — change their own password,
+ * edit their own profile. Never accepts an `actor` vs `target` distinction:
+ * these operations always act on the caller themselves, enforced by the
+ * API layer passing `session.user.id` as the adminId.
+ *
+ * # What these do that admin-service.ts doesn't
+ *
+ * `admin-service.ts` has the raw CRUD helpers (`updateAdmin`,
+ * `updateAdminPassword`). Those are called from multiple contexts —
+ * forgot-password flow, invite acceptance, emergency reset, user-management
+ * actions. This file wraps them in self-service semantics:
+ *
+ *   1. `changeOwnPassword` requires the current password as proof of
+ *      identity. Mere session possession isn't enough — we want defense
+ *      against "attacker on coffee shop laptop" scenarios where the
+ *      session cookie is borrowed.
+ *
+ *   2. `updateOwnProfile` checks email uniqueness against every other
+ *      admin (not just-not-self) before persisting, to surface clean
+ *      error codes to the caller.
+ *
+ * Both helpers return typed discriminated unions — they never throw on
+ * business errors, only on unexpected infra failures (DB connectivity,
+ * which the API layer catches).
+ */
+import type { StoreAdmin } from '../../core/db/schema';
+export interface SelfServiceError {
+    code: 'NOT_FOUND' | 'INVALID_CREDENTIALS' | 'VALIDATION_ERROR' | 'EMAIL_EXISTS';
+    message: string;
+}
+export type ChangeOwnPasswordResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: SelfServiceError;
+};
+export type UpdateOwnProfileResult = {
+    ok: true;
+    admin: StoreAdmin;
+} | {
+    ok: false;
+    error: SelfServiceError;
+};
+/**
+ * Change the logged-in admin's password.
+ *
+ * Requires the current password as proof of identity. Validates the new
+ * password via the shared `validatePassword` helper (min 8 chars). On
+ * success, bumps `session_version` (via `updateAdminPassword`), cleans up
+ * any stale reset tokens, and invalidates the in-memory session cache so
+ * other active sessions for this admin are kicked out on their next
+ * request.
+ *
+ * The admin's CURRENT session (the one that initiated this change) also
+ * carries a now-stale `sessionVersion` JWT claim, which means the next
+ * request from that session will also fail `requireAdmin`'s version
+ * check → forced logout. That's correct behavior: after a password
+ * rotation, the user must re-authenticate with the new password.
+ *
+ * If that's undesirable (the UI would need to immediately re-sign-in),
+ * the API handler can call `nextAuthSignIn` server-side after a
+ * successful change. For Phase 4, we accept the forced re-login as the
+ * honest behavior.
+ */
+export declare function changeOwnPassword(adminId: string, currentPassword: string, newPassword: string): Promise<ChangeOwnPasswordResult>;
+/**
+ * Update the logged-in admin's name and/or email.
+ *
+ * Email uniqueness is checked against every OTHER admin (not self). If
+ * both fields are omitted, returns a VALIDATION_ERROR so the caller gets
+ * a clean error rather than a silent no-op.
+ *
+ * Changing email does NOT require a separate re-verification — the admin
+ * is already authenticated and the client-side confirmation dialog in
+ * `AdminAccountPage` warns them about the forgot-password implication.
+ *
+ * No sessionVersion bump — profile changes don't invalidate sessions.
+ */
+export declare function updateOwnProfile(adminId: string, data: {
+    name?: string;
+    email?: string;
+}): Promise<UpdateOwnProfileResult>;
+//# sourceMappingURL=admin-self-service.d.ts.map

package/dist/admin/server/admin-self-service.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-self-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-self-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AASH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAMtD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EACA,WAAW,GACX,qBAAqB,GACrB,kBAAkB,GAClB,cAAc,CAAA;IAClB,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,MAAM,uBAAuB,GAC/B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAA;CAAE,CAAA;AAE1C,MAAM,MAAM,sBAAsB,GAC9B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC/B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,gBAAgB,CAAA;CAAE,CAAA;AAM1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,CAAC,CA0DlC;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,sBAAsB,CAAC,CAuEjC"}

package/dist/admin/server/admin-self-service.js ADDED Viewed

@@ -0,0 +1,188 @@
+/**
+ * @rovela/sdk/admin/server/admin-self-service
+ *
+ * Self-service helpers for logged-in admins — change their own password,
+ * edit their own profile. Never accepts an `actor` vs `target` distinction:
+ * these operations always act on the caller themselves, enforced by the
+ * API layer passing `session.user.id` as the adminId.
+ *
+ * # What these do that admin-service.ts doesn't
+ *
+ * `admin-service.ts` has the raw CRUD helpers (`updateAdmin`,
+ * `updateAdminPassword`). Those are called from multiple contexts —
+ * forgot-password flow, invite acceptance, emergency reset, user-management
+ * actions. This file wraps them in self-service semantics:
+ *
+ *   1. `changeOwnPassword` requires the current password as proof of
+ *      identity. Mere session possession isn't enough — we want defense
+ *      against "attacker on coffee shop laptop" scenarios where the
+ *      session cookie is borrowed.
+ *
+ *   2. `updateOwnProfile` checks email uniqueness against every other
+ *      admin (not just-not-self) before persisting, to surface clean
+ *      error codes to the caller.
+ *
+ * Both helpers return typed discriminated unions — they never throw on
+ * business errors, only on unexpected infra failures (DB connectivity,
+ * which the API layer catches).
+ */
+import { eq, and, ne } from 'drizzle-orm';
+import { getDb } from '../../core/db/client';
+import * as schema from '../../core/db/schema';
+import { verifyPassword, validatePassword } from '../../auth/server/password';
+import { findAdminById, updateAdminPassword, updateAdmin } from './admin-service';
+import { deleteAdminPasswordResetTokens } from './admin-password-reset';
+import { invalidateAdminSession } from './admin-session';
+// =============================================================================
+// Change own password
+// =============================================================================
+/**
+ * Change the logged-in admin's password.
+ *
+ * Requires the current password as proof of identity. Validates the new
+ * password via the shared `validatePassword` helper (min 8 chars). On
+ * success, bumps `session_version` (via `updateAdminPassword`), cleans up
+ * any stale reset tokens, and invalidates the in-memory session cache so
+ * other active sessions for this admin are kicked out on their next
+ * request.
+ *
+ * The admin's CURRENT session (the one that initiated this change) also
+ * carries a now-stale `sessionVersion` JWT claim, which means the next
+ * request from that session will also fail `requireAdmin`'s version
+ * check → forced logout. That's correct behavior: after a password
+ * rotation, the user must re-authenticate with the new password.
+ *
+ * If that's undesirable (the UI would need to immediately re-sign-in),
+ * the API handler can call `nextAuthSignIn` server-side after a
+ * successful change. For Phase 4, we accept the forced re-login as the
+ * honest behavior.
+ */
+export async function changeOwnPassword(adminId, currentPassword, newPassword) {
+    // 1. Load the current admin
+    const admin = await findAdminById(adminId);
+    if (!admin) {
+        return {
+            ok: false,
+            error: { code: 'NOT_FOUND', message: 'Admin not found.' },
+        };
+    }
+    // 2. No password on file → invited admin can't self-service
+    if (!admin.passwordHash) {
+        return {
+            ok: false,
+            error: {
+                code: 'INVALID_CREDENTIALS',
+                message: 'Current password is incorrect.',
+            },
+        };
+    }
+    // 3. Verify current password — same generic error message on failure
+    // so we never reveal whether the account exists or is in a weird state.
+    const isValid = await verifyPassword(currentPassword, admin.passwordHash);
+    if (!isValid) {
+        return {
+            ok: false,
+            error: {
+                code: 'INVALID_CREDENTIALS',
+                message: 'Current password is incorrect.',
+            },
+        };
+    }
+    // 4. Validate new password strength
+    const check = validatePassword(newPassword);
+    if (!check.valid) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: check.error || 'Invalid new password.',
+            },
+        };
+    }
+    // 5. Update (bumps session_version internally)
+    await updateAdminPassword(adminId, newPassword);
+    // 6. Defensive cleanup — any stale reset tokens shouldn't grant
+    // post-rotation access.
+    await deleteAdminPasswordResetTokens(adminId);
+    // 7. Flush the 30s per-admin status cache so the next request reads
+    // the new session_version immediately.
+    invalidateAdminSession(adminId);
+    return { ok: true };
+}
+// =============================================================================
+// Update own profile
+// =============================================================================
+/**
+ * Update the logged-in admin's name and/or email.
+ *
+ * Email uniqueness is checked against every OTHER admin (not self). If
+ * both fields are omitted, returns a VALIDATION_ERROR so the caller gets
+ * a clean error rather than a silent no-op.
+ *
+ * Changing email does NOT require a separate re-verification — the admin
+ * is already authenticated and the client-side confirmation dialog in
+ * `AdminAccountPage` warns them about the forgot-password implication.
+ *
+ * No sessionVersion bump — profile changes don't invalidate sessions.
+ */
+export async function updateOwnProfile(adminId, data) {
+    const name = typeof data.name === 'string' ? data.name.trim() : undefined;
+    const email = typeof data.email === 'string' ? data.email.trim().toLowerCase() : undefined;
+    if (name === undefined && email === undefined) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Provide at least one field to update (name or email).',
+            },
+        };
+    }
+    // Validate name length (if provided)
+    if (name !== undefined && name.length < 2) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Name must be at least 2 characters.',
+            },
+        };
+    }
+    // Validate email format (if provided)
+    if (email !== undefined && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+        return {
+            ok: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'Please enter a valid email address.',
+            },
+        };
+    }
+    // Email uniqueness — only if email is being changed
+    if (email !== undefined) {
+        const db = getDb();
+        const [collision] = await db
+            .select({ id: schema.storeAdmins.id })
+            .from(schema.storeAdmins)
+            .where(and(eq(schema.storeAdmins.email, email), ne(schema.storeAdmins.id, adminId)))
+            .limit(1);
+        if (collision) {
+            return {
+                ok: false,
+                error: {
+                    code: 'EMAIL_EXISTS',
+                    message: 'Another admin already uses this email.',
+                },
+            };
+        }
+    }
+    // Delegate to the shared helper
+    const updated = await updateAdmin(adminId, { name, email });
+    if (!updated) {
+        return {
+            ok: false,
+            error: { code: 'NOT_FOUND', message: 'Admin not found.' },
+        };
+    }
+    return { ok: true, admin: updated };
+}
+//# sourceMappingURL=admin-self-service.js.map

package/dist/admin/server/admin-self-service.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-self-service.js","sourceRoot":"","sources":["../../../src/admin/server/admin-self-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAC5C,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AACjF,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAA;AACvE,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAA;AAwBxD,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAe,EACf,eAAuB,EACvB,WAAmB;IAEnB,4BAA4B;IAC5B,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAA;IAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE;SAC1D,CAAA;IACH,CAAC;IAED,4DAA4D;IAC5D,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC;aAC1C;SACF,CAAA;IACH,CAAC;IAED,qEAAqE;IACrE,wEAAwE;IACxE,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,eAAe,EAAE,KAAK,CAAC,YAAY,CAAC,CAAA;IACzE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,gCAAgC;aAC1C;SACF,CAAA;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,KAAK,CAAC,KAAK,IAAI,uBAAuB;aAChD;SACF,CAAA;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,mBAAmB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAE/C,gEAAgE;IAChE,wBAAwB;IACxB,MAAM,8BAA8B,CAAC,OAAO,CAAC,CAAA;IAE7C,oEAAoE;IACpE,uCAAuC;IACvC,sBAAsB,CAAC,OAAO,CAAC,CAAA;IAE/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACrB,CAAC;AAED,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAe,EACf,IAAuC;IAEvC,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IACzE,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAA;IAE1F,IAAI,IAAI,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,uDAAuD;aACjE;SACF,CAAA;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC;aAC/C;SACF,CAAA;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC;aAC/C;SACF,CAAA;IACH,CAAC;IAED,oDAAoD;IACpD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,KAAK,EAAE,CAAA;QAClB,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,EAAE;aACzB,MAAM,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;aACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,EACnC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CACnC,CACF;aACA,KAAK,CAAC,CAAC,CAAC,CAAA;QAEX,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,wCAAwC;iBAClD;aACF,CAAA;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAC3D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE;SAC1D,CAAA;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;AACrC,CAAC"}

package/dist/admin/server/admin-service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAM5C,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,IAAI,CAAA;IACb,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,KAAK,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,CAAA;CAChD;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,sBAAsB,CAAC,~~CA6B3D~~;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,OAAO,GAAG,OAAiB,GAChC,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB9B;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAyBnC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,~~CASf~~;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAQnD"}
1	+ {"version":3,"file":"admin-service.d.ts","sourceRoot":"","sources":["../../../src/admin/server/admin-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,MAAM,MAAM,sBAAsB,CAAA;AAE9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAM5C,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,IAAI,CAAA;IACb,KAAK,EAAE,MAAM,CAAC,UAAU,CAAA;CACzB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,KAAK,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,CAAA;CAChD;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,sBAAsB,CAAC,CA0C3D;AAMD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,OAAO,GAAG,OAAiB,GAChC,OAAO,CAAC,iBAAiB,CAAC,CA0B5B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAwB9B;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAUnC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACtC,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAyBnC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGtE;AAED;;;GAGG;AACH,wBAAsB,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,CAQnD"}

package/dist/admin/server/admin-service.js CHANGED Viewed

@@ -4,7 +4,7 @@
  * Admin CRUD operations.
  * Each store has its own database (via Neon branches) - no tenant isolation needed.
  */
-import { eq } from 'drizzle-orm';
+import { eq, sql } from 'drizzle-orm';
 import { getDb } from '../../core/db/client';
 import * as schema from '../../core/db/schema';
 import { hashPassword, verifyPassword } from '../../auth/server/password';
@@ -43,6 +43,18 @@ export async function authenticateAdmin(email, password) {
             code: 'INVALID_CREDENTIALS',
         };
     }
+    // Block 'deactivated' and 'invited' admins. 'invited' admins have no
+    // password hash yet (they must accept their invite first); 'deactivated'
+    // admins are blocked entirely. Return the same generic error message as
+    // wrong-password so we don't reveal account state.
+    const adminStatus = admin.status ?? 'active';
+    if (adminStatus !== 'active' || !admin.passwordHash) {
+        return {
+            success: false,
+            error: 'Invalid email or password',
+            code: 'INVALID_CREDENTIALS',
+        };
+    }
     // Verify password
     const isValidPassword = await verifyPassword(password, admin.passwordHash);
     if (!isValidPassword) {
@@ -215,9 +227,16 @@ export async function updateAdmin(adminId, data) {
 export async function updateAdminPassword(adminId, newPassword) {
     const db = getDb();
     const passwordHash = await hashPassword(newPassword);
+    // Bump session_version atomically so all existing JWTs for this admin
+    // are invalidated on their next request. Every caller (self-service,
+    // forgot-password reset, accept-invite, emergency reset) gets this
+    // invalidation semantics consistently.
     await db
         .update(schema.storeAdmins)
-        .set({ passwordHash })
+        .set({
+        passwordHash,
+        sessionVersion: sql `${schema.storeAdmins.sessionVersion} + 1`,
+    })
         .where(eq(schema.storeAdmins.id, adminId));
 }
 /**