npm - @thebookingkit/server - Versions diffs - 0.1.2 → 0.1.3 - Mend

@thebookingkit/server 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/README.md +2 -2
package/dist/adapters/calendar-adapter.d.ts +47 -0
package/dist/adapters/calendar-adapter.d.ts.map +1 -0
package/dist/adapters/calendar-adapter.js +2 -0
package/dist/adapters/calendar-adapter.js.map +1 -0
package/dist/adapters/email-adapter.d.ts +65 -0
package/dist/adapters/email-adapter.d.ts.map +1 -0
package/dist/adapters/email-adapter.js +40 -0
package/dist/adapters/email-adapter.js.map +1 -0
package/dist/adapters/index.d.ts +9 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +3 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/job-adapter.d.ts +26 -0
package/dist/adapters/job-adapter.d.ts.map +1 -0
package/dist/adapters/job-adapter.js +13 -0
package/dist/adapters/job-adapter.js.map +1 -0
package/dist/adapters/payment-adapter.d.ts +106 -0
package/dist/adapters/payment-adapter.d.ts.map +1 -0
package/dist/adapters/payment-adapter.js +8 -0
package/dist/adapters/payment-adapter.js.map +1 -0
package/dist/adapters/sms-adapter.d.ts +33 -0
package/dist/adapters/sms-adapter.d.ts.map +1 -0
package/dist/adapters/sms-adapter.js +8 -0
package/dist/adapters/sms-adapter.js.map +1 -0
package/{src/adapters/storage-adapter.ts → dist/adapters/storage-adapter.d.ts} +5 -4
package/dist/adapters/storage-adapter.d.ts.map +1 -0
package/dist/adapters/storage-adapter.js +2 -0
package/dist/adapters/storage-adapter.js.map +1 -0
package/dist/api.d.ts +223 -0
package/dist/api.d.ts.map +1 -0
package/dist/api.js +271 -0
package/dist/api.js.map +1 -0
package/dist/auth.d.ts +71 -0
package/dist/auth.d.ts.map +1 -0
package/dist/auth.js +81 -0
package/dist/auth.js.map +1 -0
package/dist/booking-tokens.d.ts +23 -0
package/dist/booking-tokens.d.ts.map +1 -0
package/dist/booking-tokens.js +52 -0
package/dist/booking-tokens.js.map +1 -0
package/dist/email-templates.d.ts +36 -0
package/dist/email-templates.d.ts.map +1 -0
package/{src/email-templates.ts → dist/email-templates.js} +6 -34
package/dist/email-templates.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +22 -0
package/dist/index.js.map +1 -0
package/dist/multi-tenancy.d.ts +132 -0
package/dist/multi-tenancy.d.ts.map +1 -0
package/dist/multi-tenancy.js +188 -0
package/dist/multi-tenancy.js.map +1 -0
package/dist/notification-jobs.d.ts +143 -0
package/dist/notification-jobs.d.ts.map +1 -0
package/dist/notification-jobs.js +278 -0
package/dist/notification-jobs.js.map +1 -0
package/dist/serialization-retry.d.ts +28 -0
package/dist/serialization-retry.d.ts.map +1 -0
package/dist/serialization-retry.js +71 -0
package/dist/serialization-retry.js.map +1 -0
package/dist/webhooks.d.ts +164 -0
package/dist/webhooks.d.ts.map +1 -0
package/dist/webhooks.js +228 -0
package/dist/webhooks.js.map +1 -0
package/dist/workflows.d.ts +169 -0
package/dist/workflows.d.ts.map +1 -0
package/dist/workflows.js +251 -0
package/dist/workflows.js.map +1 -0
package/package.json +21 -2
package/CHANGELOG.md +0 -9
package/src/__tests__/api.test.ts +0 -354
package/src/__tests__/auth.test.ts +0 -111
package/src/__tests__/concurrent-booking.test.ts +0 -170
package/src/__tests__/multi-tenancy.test.ts +0 -267
package/src/__tests__/serialization-retry.test.ts +0 -76
package/src/__tests__/webhooks.test.ts +0 -412
package/src/__tests__/workflows.test.ts +0 -422
package/src/adapters/calendar-adapter.ts +0 -49
package/src/adapters/email-adapter.ts +0 -108
package/src/adapters/index.ts +0 -36
package/src/adapters/job-adapter.ts +0 -26
package/src/adapters/payment-adapter.ts +0 -118
package/src/adapters/sms-adapter.ts +0 -35
package/src/api.ts +0 -446
package/src/auth.ts +0 -146
package/src/booking-tokens.ts +0 -61
package/src/index.ts +0 -192
package/src/multi-tenancy.ts +0 -301
package/src/notification-jobs.ts +0 -428
package/src/serialization-retry.ts +0 -94
package/src/webhooks.ts +0 -378
package/src/workflows.ts +0 -441
package/tsconfig.json +0 -9
package/vitest.config.ts +0 -7

package/dist/api.d.ts ADDED Viewed

@@ -0,0 +1,223 @@
+/**
+ * REST API utilities for The Booking Kit.
+ *
+ * Provides standardized response formatting, API key management,
+ * rate limiting, pagination, and request validation helpers
+ * for Next.js API routes.
+ */
+/** Standard API error */
+export interface ApiError {
+    code: string;
+    message: string;
+    details?: Record<string, unknown>;
+}
+/** Standard error response envelope */
+export interface ApiErrorResponse {
+    error: ApiError;
+}
+/** Standard success response envelope */
+export interface ApiSuccessResponse<T> {
+    data: T;
+    meta?: ApiMeta;
+}
+/** Pagination metadata */
+export interface ApiMeta {
+    total?: number;
+    nextCursor?: string | null;
+    prevCursor?: string | null;
+    hasMore?: boolean;
+}
+/** Paginated list response */
+export interface PaginatedResponse<T> {
+    data: T[];
+    meta: {
+        nextCursor: string | null;
+        hasMore: boolean;
+        total?: number;
+    };
+}
+/** Standard API error codes */
+export declare const API_ERROR_CODES: {
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly UNAUTHORIZED: "UNAUTHORIZED";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly CONFLICT: "CONFLICT";
+    readonly RATE_LIMITED: "RATE_LIMITED";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly PAYMENT_REQUIRED: "PAYMENT_REQUIRED";
+};
+export type ApiErrorCode = (typeof API_ERROR_CODES)[keyof typeof API_ERROR_CODES];
+/**
+ * Create a standardized API error response.
+ *
+ * @param code - Error code from API_ERROR_CODES
+ * @param message - Human-readable error message
+ * @param details - Optional additional details
+ * @returns Standardized error response object
+ */
+export declare function createErrorResponse(code: ApiErrorCode | string, message: string, details?: Record<string, unknown>): ApiErrorResponse;
+/**
+ * Create a standardized API success response.
+ *
+ * @param data - The response data
+ * @param meta - Optional pagination metadata
+ * @returns Standardized success response object
+ */
+export declare function createSuccessResponse<T>(data: T, meta?: ApiMeta): ApiSuccessResponse<T>;
+/**
+ * Create a paginated list response.
+ *
+ * @param items - The page of items
+ * @param nextCursor - Cursor for the next page (null if last page)
+ * @param total - Optional total count
+ * @returns Paginated response
+ */
+export declare function createPaginatedResponse<T>(items: T[], nextCursor: string | null, total?: number): PaginatedResponse<T>;
+/** An API key record */
+export interface ApiKeyRecord {
+    id: string;
+    name: string;
+    keyHash: string;
+    keyPrefix: string;
+    providerId?: string;
+    teamId?: string;
+    scopes: ApiKeyScope[];
+    rateLimit: number;
+    createdAt: Date;
+    expiresAt?: Date;
+    lastUsedAt?: Date;
+}
+/** API key scope */
+export type ApiKeyScope = "read:bookings" | "write:bookings" | "read:availability" | "write:availability" | "read:event-types" | "write:event-types" | "read:webhooks" | "write:webhooks" | "read:analytics" | "admin";
+/** Result of generating a new API key */
+export interface GeneratedApiKey {
+    /** The full key (only shown once) */
+    key: string;
+    /** The prefix for display (e.g., "sk_live_abc123...") */
+    prefix: string;
+    /** The hash stored in the database */
+    hash: string;
+}
+/**
+ * Generate a new API key.
+ *
+ * The full key is only returned once and should be displayed to the user.
+ * Only the hash is stored in the database.
+ *
+ * @param prefix - Key prefix (e.g., "sk_live_" or "sk_test_")
+ * @returns Generated key with hash for storage
+ */
+export declare function generateApiKey(prefix?: string): GeneratedApiKey;
+/**
+ * Hash an API key for secure storage.
+ *
+ * Uses HMAC-SHA256 with a secret from the THEBOOKINGKIT_API_KEY_SECRET
+ * environment variable. Throws if the secret is not configured.
+ *
+ * @param key - The full API key
+ * @param secret - Optional HMAC secret (defaults to THEBOOKINGKIT_API_KEY_SECRET env var)
+ * @returns The hex-encoded hash
+ */
+export declare function hashApiKey(key: string, secret?: string): string;
+/**
+ * Verify an API key against a stored hash.
+ *
+ * @param key - The key to verify
+ * @param storedHash - The hash stored in the database
+ * @returns Whether the key is valid
+ */
+export declare function verifyApiKey(key: string, storedHash: string): boolean;
+/**
+ * Check if an API key has a required scope.
+ *
+ * Admin scope grants all permissions.
+ *
+ * @param keyScopes - The scopes granted to the API key
+ * @param requiredScope - The scope to check for
+ * @returns Whether the key has the required scope
+ */
+export declare function hasScope(keyScopes: ApiKeyScope[], requiredScope: ApiKeyScope): boolean;
+/**
+ * Check if an API key has expired.
+ *
+ * @param expiresAt - Optional expiry timestamp
+ * @returns Whether the key is expired
+ */
+export declare function isKeyExpired(expiresAt: Date | undefined | null): boolean;
+/** Rate limit state for a key */
+export interface RateLimitState {
+    count: number;
+    windowStartMs: number;
+}
+/** Rate limit check result */
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetMs: number;
+    limit: number;
+}
+/**
+ * Check if a request should be allowed under rate limiting.
+ *
+ * Uses a fixed 1-minute window.
+ *
+ * @param state - Current rate limit state
+ * @param limit - Maximum requests per minute
+ * @param nowMs - Current timestamp in milliseconds
+ * @returns Rate limit check result
+ */
+export declare function checkRateLimit(state: RateLimitState | null, limit: number, nowMs?: number): {
+    result: RateLimitResult;
+    newState: RateLimitState;
+};
+/**
+ * Encode a cursor for pagination (base64 JSON).
+ *
+ * @param data - The cursor data to encode
+ * @returns Base64-encoded cursor string
+ */
+export declare function encodeCursor(data: Record<string, unknown>): string;
+/**
+ * Decode a pagination cursor.
+ *
+ * @param cursor - The base64-encoded cursor string
+ * @returns The decoded cursor data, or null if invalid
+ */
+export declare function decodeCursor(cursor: string): Record<string, unknown> | null;
+/** Validation error detail */
+export interface ValidationDetail {
+    field: string;
+    message: string;
+}
+/** Result of input validation */
+export interface ValidationResult {
+    valid: boolean;
+    errors: ValidationDetail[];
+}
+/**
+ * Validate API request parameters for slot queries.
+ *
+ * @param params - Query parameters
+ * @returns Validation result
+ */
+export declare function validateSlotQueryParams(params: {
+    providerId?: string;
+    teamId?: string;
+    eventTypeId?: string;
+    start?: string;
+    end?: string;
+    timezone?: string;
+}): ValidationResult;
+/**
+ * Parse and validate a sort parameter.
+ *
+ * @param sortParam - Sort string (e.g., "-createdAt" or "startsAt")
+ * @param allowedFields - Fields that can be sorted by
+ * @returns Parsed sort field and direction
+ */
+export declare function parseSortParam(sortParam: string | undefined, allowedFields: string[]): {
+    field: string;
+    direction: "asc" | "desc";
+} | null;
+//# sourceMappingURL=api.d.ts.map

package/dist/api.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH,yBAAyB;AACzB,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,uCAAuC;AACvC,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,QAAQ,CAAC;CACjB;AAED,yCAAyC;AACzC,MAAM,WAAW,kBAAkB,CAAC,CAAC;IACnC,IAAI,EAAE,CAAC,CAAC;IACR,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,0BAA0B;AAC1B,MAAM,WAAW,OAAO;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,8BAA8B;AAC9B,MAAM,WAAW,iBAAiB,CAAC,CAAC;IAClC,IAAI,EAAE,CAAC,EAAE,CAAC;IACV,IAAI,EAAE;QACJ,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAMD,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;;;;;;;;CASlB,CAAC;AAEX,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,OAAO,eAAe,CAAC,CAAC;AAMlF;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,YAAY,GAAG,MAAM,EAC3B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,gBAAgB,CAQlB;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,IAAI,EAAE,CAAC,EACP,IAAI,CAAC,EAAE,OAAO,GACb,kBAAkB,CAAC,CAAC,CAAC,CAKvB;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,CAAC,EACvC,KAAK,EAAE,CAAC,EAAE,EACV,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,KAAK,CAAC,EAAE,MAAM,GACb,iBAAiB,CAAC,CAAC,CAAC,CAStB;AAMD,wBAAwB;AACxB,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,UAAU,CAAC,EAAE,IAAI,CAAC;CACnB;AAED,oBAAoB;AACpB,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,gBAAgB,GAChB,mBAAmB,GACnB,oBAAoB,GACpB,kBAAkB,GAClB,mBAAmB,GACnB,eAAe,GACf,gBAAgB,GAChB,gBAAgB,GAChB,OAAO,CAAC;AAEZ,yCAAyC;AACzC,MAAM,WAAW,eAAe;IAC9B,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,yDAAyD;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,MAAM,GAAE,MAAmB,GAAG,eAAe,CAO3E;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAU/D;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAerE;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CACtB,SAAS,EAAE,WAAW,EAAE,EACxB,aAAa,EAAE,WAAW,GACzB,OAAO,CAET;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,IAAI,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAGxE;AAMD,iCAAiC;AACjC,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,8BAA8B;AAC9B,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,cAAc,GAAG,IAAI,EAC5B,KAAK,EAAE,MAAM,EACb,KAAK,GAAE,MAAmB,GACzB;IAAE,MAAM,EAAE,eAAe,CAAC;IAAC,QAAQ,EAAE,cAAc,CAAA;CAAE,CA6BvD;AAMD;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAElE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,MAAM,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAOhC;AAMD,8BAA8B;AAC9B,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,iCAAiC;AACjC,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,gBAAgB,EAAE,CAAC;CAC5B;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,gBAAgB,CAkCnB;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,aAAa,EAAE,MAAM,EAAE,GACtB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,KAAK,GAAG,MAAM,CAAA;CAAE,GAAG,IAAI,CASrD"}

package/dist/api.js ADDED Viewed

@@ -0,0 +1,271 @@
+/**
+ * REST API utilities for The Booking Kit.
+ *
+ * Provides standardized response formatting, API key management,
+ * rate limiting, pagination, and request validation helpers
+ * for Next.js API routes.
+ */
+import { createHmac, randomBytes } from "node:crypto";
+// ---------------------------------------------------------------------------
+// Error Codes
+// ---------------------------------------------------------------------------
+/** Standard API error codes */
+export const API_ERROR_CODES = {
+    NOT_FOUND: "NOT_FOUND",
+    UNAUTHORIZED: "UNAUTHORIZED",
+    FORBIDDEN: "FORBIDDEN",
+    VALIDATION_ERROR: "VALIDATION_ERROR",
+    CONFLICT: "CONFLICT",
+    RATE_LIMITED: "RATE_LIMITED",
+    INTERNAL_ERROR: "INTERNAL_ERROR",
+    PAYMENT_REQUIRED: "PAYMENT_REQUIRED",
+};
+// ---------------------------------------------------------------------------
+// Response Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Create a standardized API error response.
+ *
+ * @param code - Error code from API_ERROR_CODES
+ * @param message - Human-readable error message
+ * @param details - Optional additional details
+ * @returns Standardized error response object
+ */
+export function createErrorResponse(code, message, details) {
+    return {
+        error: {
+            code,
+            message,
+            ...(details ? { details } : {}),
+        },
+    };
+}
+/**
+ * Create a standardized API success response.
+ *
+ * @param data - The response data
+ * @param meta - Optional pagination metadata
+ * @returns Standardized success response object
+ */
+export function createSuccessResponse(data, meta) {
+    return {
+        data,
+        ...(meta ? { meta } : {}),
+    };
+}
+/**
+ * Create a paginated list response.
+ *
+ * @param items - The page of items
+ * @param nextCursor - Cursor for the next page (null if last page)
+ * @param total - Optional total count
+ * @returns Paginated response
+ */
+export function createPaginatedResponse(items, nextCursor, total) {
+    return {
+        data: items,
+        meta: {
+            nextCursor,
+            hasMore: nextCursor !== null,
+            ...(total !== undefined ? { total } : {}),
+        },
+    };
+}
+/**
+ * Generate a new API key.
+ *
+ * The full key is only returned once and should be displayed to the user.
+ * Only the hash is stored in the database.
+ *
+ * @param prefix - Key prefix (e.g., "sk_live_" or "sk_test_")
+ * @returns Generated key with hash for storage
+ */
+export function generateApiKey(prefix = "sk_live_") {
+    const rawKey = randomBytes(32).toString("hex");
+    const key = `${prefix}${rawKey}`;
+    const hash = hashApiKey(key);
+    const displayPrefix = key.slice(0, prefix.length + 8) + "...";
+    return { key, prefix: displayPrefix, hash };
+}
+/**
+ * Hash an API key for secure storage.
+ *
+ * Uses HMAC-SHA256 with a secret from the THEBOOKINGKIT_API_KEY_SECRET
+ * environment variable. Throws if the secret is not configured.
+ *
+ * @param key - The full API key
+ * @param secret - Optional HMAC secret (defaults to THEBOOKINGKIT_API_KEY_SECRET env var)
+ * @returns The hex-encoded hash
+ */
+export function hashApiKey(key, secret) {
+    const hmacSecret = secret ?? process.env.THEBOOKINGKIT_API_KEY_SECRET;
+    if (!hmacSecret) {
+        throw new Error("THEBOOKINGKIT_API_KEY_SECRET environment variable is required for API key hashing. " +
+            "Set it to a random 32+ character string.");
+    }
+    return createHmac("sha256", hmacSecret).update(key).digest("hex");
+}
+/**
+ * Verify an API key against a stored hash.
+ *
+ * @param key - The key to verify
+ * @param storedHash - The hash stored in the database
+ * @returns Whether the key is valid
+ */
+export function verifyApiKey(key, storedHash) {
+    const hash = hashApiKey(key);
+    if (hash.length !== storedHash.length)
+        return false;
+    // Constant-time comparison
+    const a = Buffer.from(hash, "hex");
+    const b = Buffer.from(storedHash, "hex");
+    if (a.length !== b.length)
+        return false;
+    let mismatch = 0;
+    for (let i = 0; i < a.length; i++) {
+        mismatch |= a[i] ^ b[i];
+    }
+    return mismatch === 0;
+}
+/**
+ * Check if an API key has a required scope.
+ *
+ * Admin scope grants all permissions.
+ *
+ * @param keyScopes - The scopes granted to the API key
+ * @param requiredScope - The scope to check for
+ * @returns Whether the key has the required scope
+ */
+export function hasScope(keyScopes, requiredScope) {
+    return keyScopes.includes("admin") || keyScopes.includes(requiredScope);
+}
+/**
+ * Check if an API key has expired.
+ *
+ * @param expiresAt - Optional expiry timestamp
+ * @returns Whether the key is expired
+ */
+export function isKeyExpired(expiresAt) {
+    if (!expiresAt)
+        return false;
+    return expiresAt.getTime() < Date.now();
+}
+/**
+ * Check if a request should be allowed under rate limiting.
+ *
+ * Uses a fixed 1-minute window.
+ *
+ * @param state - Current rate limit state
+ * @param limit - Maximum requests per minute
+ * @param nowMs - Current timestamp in milliseconds
+ * @returns Rate limit check result
+ */
+export function checkRateLimit(state, limit, nowMs = Date.now()) {
+    const windowMs = 60 * 1000; // 1 minute
+    const windowStart = nowMs - (nowMs % windowMs);
+    // New window or no existing state
+    if (!state || state.windowStartMs !== windowStart) {
+        return {
+            result: {
+                allowed: true,
+                remaining: limit - 1,
+                resetMs: windowStart + windowMs,
+                limit,
+            },
+            newState: { count: 1, windowStartMs: windowStart },
+        };
+    }
+    const newCount = state.count + 1;
+    const allowed = newCount <= limit;
+    return {
+        result: {
+            allowed,
+            remaining: Math.max(0, limit - newCount),
+            resetMs: windowStart + windowMs,
+            limit,
+        },
+        newState: { count: newCount, windowStartMs: windowStart },
+    };
+}
+// ---------------------------------------------------------------------------
+// Pagination
+// ---------------------------------------------------------------------------
+/**
+ * Encode a cursor for pagination (base64 JSON).
+ *
+ * @param data - The cursor data to encode
+ * @returns Base64-encoded cursor string
+ */
+export function encodeCursor(data) {
+    return Buffer.from(JSON.stringify(data)).toString("base64url");
+}
+/**
+ * Decode a pagination cursor.
+ *
+ * @param cursor - The base64-encoded cursor string
+ * @returns The decoded cursor data, or null if invalid
+ */
+export function decodeCursor(cursor) {
+    try {
+        const json = Buffer.from(cursor, "base64url").toString("utf-8");
+        return JSON.parse(json);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Validate API request parameters for slot queries.
+ *
+ * @param params - Query parameters
+ * @returns Validation result
+ */
+export function validateSlotQueryParams(params) {
+    const errors = [];
+    if (!params.providerId && !params.teamId) {
+        errors.push({
+            field: "providerId",
+            message: "Either providerId or teamId is required",
+        });
+    }
+    if (!params.start) {
+        errors.push({ field: "start", message: "start date is required" });
+    }
+    else if (isNaN(Date.parse(params.start))) {
+        errors.push({
+            field: "start",
+            message: `Invalid date: "${params.start}"`,
+        });
+    }
+    if (!params.end) {
+        errors.push({ field: "end", message: "end date is required" });
+    }
+    else if (isNaN(Date.parse(params.end))) {
+        errors.push({ field: "end", message: `Invalid date: "${params.end}"` });
+    }
+    if (params.start && params.end) {
+        const start = new Date(params.start);
+        const end = new Date(params.end);
+        if (!isNaN(start.getTime()) && !isNaN(end.getTime()) && end <= start) {
+            errors.push({ field: "end", message: "end must be after start" });
+        }
+    }
+    return { valid: errors.length === 0, errors };
+}
+/**
+ * Parse and validate a sort parameter.
+ *
+ * @param sortParam - Sort string (e.g., "-createdAt" or "startsAt")
+ * @param allowedFields - Fields that can be sorted by
+ * @returns Parsed sort field and direction
+ */
+export function parseSortParam(sortParam, allowedFields) {
+    if (!sortParam)
+        return null;
+    const descending = sortParam.startsWith("-");
+    const field = descending ? sortParam.slice(1) : sortParam;
+    if (!allowedFields.includes(field))
+        return null;
+    return { field, direction: descending ? "desc" : "asc" };
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AA0CtD,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,+BAA+B;AAC/B,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,SAAS,EAAE,WAAW;IACtB,gBAAgB,EAAE,kBAAkB;IACpC,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,cAAc,EAAE,gBAAgB;IAChC,gBAAgB,EAAE,kBAAkB;CAC5B,CAAC;AAIX,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAA2B,EAC3B,OAAe,EACf,OAAiC;IAEjC,OAAO;QACL,KAAK,EAAE;YACL,IAAI;YACJ,OAAO;YACP,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CACnC,IAAO,EACP,IAAc;IAEd,OAAO;QACL,IAAI;QACJ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1B,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAU,EACV,UAAyB,EACzB,KAAc;IAEd,OAAO;QACL,IAAI,EAAE,KAAK;QACX,IAAI,EAAE;YACJ,UAAU;YACV,OAAO,EAAE,UAAU,KAAK,IAAI;YAC5B,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1C;KACF,CAAC;AACJ,CAAC;AA4CD;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,UAAU;IACxD,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7B,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC;IAE9D,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,MAAe;IACrD,MAAM,UAAU,GACd,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACrD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,qFAAqF;YACnF,0CAA0C,CAC7C,CAAC;IACJ,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,UAAkB;IAC1D,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,IAAI,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAEpD,2BAA2B;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAEzC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAExC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,QAAQ,KAAK,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CACtB,SAAwB,EACxB,aAA0B;IAE1B,OAAO,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;AAC1E,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,SAAkC;IAC7D,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AAC1C,CAAC;AAoBD;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC5B,KAA4B,EAC5B,KAAa,EACb,QAAgB,IAAI,CAAC,GAAG,EAAE;IAE1B,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;IACvC,MAAM,WAAW,GAAG,KAAK,GAAG,CAAC,KAAK,GAAG,QAAQ,CAAC,CAAC;IAE/C,kCAAkC;IAClC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,aAAa,KAAK,WAAW,EAAE,CAAC;QAClD,OAAO;YACL,MAAM,EAAE;gBACN,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,KAAK,GAAG,CAAC;gBACpB,OAAO,EAAE,WAAW,GAAG,QAAQ;gBAC/B,KAAK;aACN;YACD,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,WAAW,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,QAAQ,IAAI,KAAK,CAAC;IAElC,OAAO;QACL,MAAM,EAAE;YACN,OAAO;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;YACxC,OAAO,EAAE,WAAW,GAAG,QAAQ;YAC/B,KAAK;SACN;QACD,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE;KAC1D,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAA6B;IACxD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACjE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAkBD;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAOvC;IACC,MAAM,MAAM,GAAuB,EAAE,CAAC;IAEtC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,yCAAyC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACrE,CAAC;SAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC;YACV,KAAK,EAAE,OAAO;YACd,OAAO,EAAE,kBAAkB,MAAM,CAAC,KAAK,GAAG;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;IACjE,CAAC;SAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,kBAAkB,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,IAAI,GAAG,IAAI,KAAK,EAAE,CAAC;YACrE,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,SAA6B,EAC7B,aAAuB;IAEvB,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE1D,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;AAC3D,CAAC"}

package/dist/auth.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/** Represents an authenticated user in the system */
+export interface AuthUser {
+    id: string;
+    email: string;
+    name?: string;
+    role?: "admin" | "provider" | "customer";
+}
+/** Session returned by the auth adapter */
+export interface AuthSession {
+    user: AuthUser;
+    expires: Date;
+}
+/**
+ * Pluggable authentication adapter interface.
+ * Default implementation uses NextAuth.js.
+ * Swap to Supabase Auth, Clerk, or Lucia by implementing this interface.
+ */
+export interface AuthAdapter {
+    /** Get the currently authenticated user from the request */
+    getCurrentUser(request: Request): Promise<AuthUser | null>;
+    /** Get the full session */
+    getSession(request: Request): Promise<AuthSession | null>;
+    /** Verify an API token or signed booking token */
+    verifyToken(token: string): Promise<AuthUser | null>;
+}
+/** Request with injected auth context */
+export interface AuthenticatedRequest extends Request {
+    user: AuthUser;
+}
+/** Options for the withAuth middleware */
+export interface WithAuthOptions {
+    /** Require a specific role */
+    requiredRole?: "admin" | "provider" | "customer";
+}
+/**
+ * Middleware wrapper that injects the authenticated user into every request.
+ *
+ * - Rejects unauthenticated requests with 401.
+ * - Optionally checks user role.
+ * - Passes the authenticated user to the handler.
+ *
+ * @example
+ * ```ts
+ * // In a Next.js API route
+ * export const GET = withAuth(authAdapter, async (req) => {
+ *   const userId = req.user.id;
+ *   // Provider can only access their own data
+ *   const bookings = await db.query.bookings.findMany({
+ *     where: eq(bookings.providerId, userId)
+ *   });
+ *   return Response.json(bookings);
+ * });
+ * ```
+ */
+export declare function withAuth(adapter: AuthAdapter, handler: (req: AuthenticatedRequest) => Promise<Response>, options?: WithAuthOptions): (req: Request) => Promise<Response>;
+/**
+ * Helper to scope database queries to the authenticated user.
+ * Providers can only access their own rows (user_id matches).
+ *
+ * @example
+ * ```ts
+ * const provider = await assertOwnership(db, providers, req.user.id, providerId);
+ * ```
+ */
+export declare function assertProviderOwnership(userId: string, resourceUserId: string): void;
+/**
+ * Helper to verify customer access to their own bookings.
+ * Customers can only access bookings where customer_email matches.
+ */
+export declare function assertCustomerAccess(userEmail: string, bookingCustomerEmail: string): void;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA,qDAAqD;AACrD,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,UAAU,CAAC;CAC1C;AAED,2CAA2C;AAC3C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,QAAQ,CAAC;IACf,OAAO,EAAE,IAAI,CAAC;CACf;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,4DAA4D;IAC5D,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC3D,2BAA2B;IAC3B,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC1D,kDAAkD;IAClD,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;CACtD;AAED,yCAAyC;AACzC,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,QAAQ,CAAC;CAChB;AAED,0CAA0C;AAC1C,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,YAAY,CAAC,EAAE,OAAO,GAAG,UAAU,GAAG,UAAU,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,QAAQ,CACtB,OAAO,EAAE,WAAW,EACpB,OAAO,EAAE,CAAC,GAAG,EAAE,oBAAoB,KAAK,OAAO,CAAC,QAAQ,CAAC,EACzD,OAAO,CAAC,EAAE,eAAe,GACxB,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA6CrC;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,GACrB,IAAI,CAMN;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,oBAAoB,EAAE,MAAM,GAC3B,IAAI,CAMN"}

package/dist/auth.js ADDED Viewed

@@ -0,0 +1,81 @@
+import { UnauthorizedError, ForbiddenError } from "@thebookingkit/core";
+/**
+ * Middleware wrapper that injects the authenticated user into every request.
+ *
+ * - Rejects unauthenticated requests with 401.
+ * - Optionally checks user role.
+ * - Passes the authenticated user to the handler.
+ *
+ * @example
+ * ```ts
+ * // In a Next.js API route
+ * export const GET = withAuth(authAdapter, async (req) => {
+ *   const userId = req.user.id;
+ *   // Provider can only access their own data
+ *   const bookings = await db.query.bookings.findMany({
+ *     where: eq(bookings.providerId, userId)
+ *   });
+ *   return Response.json(bookings);
+ * });
+ * ```
+ */
+export function withAuth(adapter, handler, options) {
+    return async (req) => {
+        try {
+            // Try to get user from session first
+            let user = await adapter.getCurrentUser(req);
+            // If no session, try Bearer token
+            if (!user) {
+                const authHeader = req.headers.get("authorization");
+                if (authHeader?.startsWith("Bearer ")) {
+                    const token = authHeader.slice(7);
+                    user = await adapter.verifyToken(token);
+                }
+            }
+            if (!user) {
+                throw new UnauthorizedError();
+            }
+            // Check required role if specified
+            if (options?.requiredRole && user.role !== options.requiredRole) {
+                throw new ForbiddenError();
+            }
+            // Inject user into request
+            const authReq = req;
+            authReq.user = user;
+            return await handler(authReq);
+        }
+        catch (error) {
+            if (error instanceof UnauthorizedError) {
+                return Response.json({ error: error.message, code: error.code }, { status: 401 });
+            }
+            if (error instanceof ForbiddenError) {
+                return Response.json({ error: error.message, code: error.code }, { status: 403 });
+            }
+            throw error;
+        }
+    };
+}
+/**
+ * Helper to scope database queries to the authenticated user.
+ * Providers can only access their own rows (user_id matches).
+ *
+ * @example
+ * ```ts
+ * const provider = await assertOwnership(db, providers, req.user.id, providerId);
+ * ```
+ */
+export function assertProviderOwnership(userId, resourceUserId) {
+    if (userId !== resourceUserId) {
+        throw new ForbiddenError("You do not have permission to access this provider's data.");
+    }
+}
+/**
+ * Helper to verify customer access to their own bookings.
+ * Customers can only access bookings where customer_email matches.
+ */
+export function assertCustomerAccess(userEmail, bookingCustomerEmail) {
+    if (userEmail !== bookingCustomerEmail) {
+        throw new ForbiddenError("You do not have permission to access this booking.");
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAyCxE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,QAAQ,CACtB,OAAoB,EACpB,OAAyD,EACzD,OAAyB;IAEzB,OAAO,KAAK,EAAE,GAAY,EAAqB,EAAE;QAC/C,IAAI,CAAC;YACH,qCAAqC;YACrC,IAAI,IAAI,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAE7C,kCAAkC;YAClC,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBACpD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;oBACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;oBAClC,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;YAED,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,iBAAiB,EAAE,CAAC;YAChC,CAAC;YAED,mCAAmC;YACnC,IAAI,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC;gBAChE,MAAM,IAAI,cAAc,EAAE,CAAC;YAC7B,CAAC;YAED,2BAA2B;YAC3B,MAAM,OAAO,GAAG,GAA2B,CAAC;YAC5C,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YAEpB,OAAO,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;gBACvC,OAAO,QAAQ,CAAC,IAAI,CAClB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,EAC1C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;YACJ,CAAC;YACD,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;gBACpC,OAAO,QAAQ,CAAC,IAAI,CAClB,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,EAC1C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,cAAsB;IAEtB,IAAI,MAAM,KAAK,cAAc,EAAE,CAAC;QAC9B,MAAM,IAAI,cAAc,CACtB,4DAA4D,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,SAAiB,EACjB,oBAA4B;IAE5B,IAAI,SAAS,KAAK,oBAAoB,EAAE,CAAC;QACvC,MAAM,IAAI,cAAc,CACtB,oDAAoD,CACrD,CAAC;IACJ,CAAC;AACH,CAAC"}