npm - aaspai-authx - Versions diffs - 0.0.1 - Mend

aaspai-authx 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/LICENSE +3 -0
package/README.md +12 -0
package/dist/express/index.cjs +1699 -0
package/dist/express/index.cjs.map +1 -0
package/dist/express/index.d.cts +3 -0
package/dist/express/index.d.ts +3 -0
package/dist/express/index.js +1658 -0
package/dist/express/index.js.map +1 -0
package/dist/index-KOTz0ZcH.d.cts +23 -0
package/dist/index-KOTz0ZcH.d.ts +23 -0
package/dist/index.cjs +2266 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +1420 -0
package/dist/index.d.ts +1420 -0
package/dist/index.js +2204 -0
package/dist/index.js.map +1 -0
package/dist/nest/index.cjs +1720 -0
package/dist/nest/index.cjs.map +1 -0
package/dist/nest/index.d.cts +28 -0
package/dist/nest/index.d.ts +28 -0
package/dist/nest/index.js +1683 -0
package/dist/nest/index.js.map +1 -0
package/package.json +96 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,2204 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+// src/express/index.ts
+var express_exports = {};
+__export(express_exports, {
+  createAdminRouter: () => createAdminRouter,
+  createAuthRouter: () => createAuthRouter,
+  createDashboardRouter: () => createDashboardRouter,
+  createEmailRouter: () => createEmailRouter,
+  createProjectsRouter: () => createProjectsRouter
+});
+// src/express/auth.routes.ts
+import bcrypt2 from "bcryptjs";
+import { randomUUID } from "crypto";
+import express, { Router } from "express";
+import jwt4 from "jsonwebtoken";
+// src/config/loadConfig.ts
+function loadConfig() {
+  return {
+    orgDomain: process.env.ORG_DOMAIN,
+    orgId: process.env.ORG_ID,
+    email: {
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      user: process.env.EMAIL_USER,
+      pass: process.env.EMAIL_PASSWORD,
+      from: process.env.EMAIL_FROM,
+      jwtSecret: process.env.EMAIL_JWT_SECRET
+    },
+    cookies: {
+      domain: process.env.COOKIE_DOMAIN,
+      secure: (process.env.COOKIE_SECURE || "true") === "true",
+      accessTtlMs: 24 * 60 * 60 * 1e3,
+      refreshTtlMs: 7 * 24 * 60 * 60 * 1e3
+    },
+    oidc: {
+      jwtSecret: process.env.JWT_SECRET
+    },
+    aws: {
+      bucket: process.env.AWS_S3_BUCKET,
+      region: process.env.AWS_REGION,
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+    }
+  };
+}
+// src/config/index.ts
+var config = loadConfig();
+function configureAuthX(overrides = {}) {
+  return deepMerge(config, overrides);
+}
+function deepMerge(target, source) {
+  if (!source) {
+    return target;
+  }
+  for (const key of Object.keys(source)) {
+    const value = source[key];
+    if (value === void 0) continue;
+    if (Array.isArray(value)) {
+      target[key] = [...value];
+      continue;
+    }
+    if (isPlainObject(value)) {
+      if (!isPlainObject(target[key])) {
+        target[key] = {};
+      }
+      deepMerge(target[key], value);
+      continue;
+    }
+    target[key] = value;
+  }
+  return target;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+// src/core/roles.config.ts
+var PLATFORM_ROLES = [
+  {
+    role: "platform_admin",
+    permissions: [
+      "projects.create",
+      "projects.read",
+      "projects.update",
+      "projects.delete",
+      "users.manage",
+      "api.manage"
+    ]
+  },
+  {
+    role: "platform_manager",
+    permissions: [
+      "projects.read",
+      "projects.update",
+      "users.read"
+    ]
+  },
+  {
+    role: "platform_user",
+    permissions: ["projects.read"]
+  }
+];
+function getPermissionsForRoles(roles) {
+  if (!Array.isArray(roles) || roles.length === 0) {
+    return [];
+  }
+  const permissionSet = /* @__PURE__ */ new Set();
+  for (const roleName of roles) {
+    const roleConfig = PLATFORM_ROLES.find((r) => r.role === roleName);
+    if (roleConfig && Array.isArray(roleConfig.permissions)) {
+      for (const perm of roleConfig.permissions) {
+        permissionSet.add(perm);
+      }
+    }
+  }
+  return Array.from(permissionSet);
+}
+// src/core/session.ts
+function buildSession(payload) {
+  const userId = payload?.sub || payload?.userId || payload?.id || "";
+  const email = payload?.email || payload?.email_address || "";
+  const roles = payload?.realm_access?.roles || payload?.roles || payload?.["cognito:groups"] || (Array.isArray(payload?.role) ? payload.role : []) || [];
+  const normalizedRoles = Array.isArray(roles) ? roles.map(String).filter(Boolean) : [];
+  const permissions = getPermissionsForRoles(normalizedRoles);
+  const session = {
+    userId,
+    email,
+    roles: normalizedRoles,
+    permissions
+  };
+  if (payload?.projectId) session.projectId = payload.projectId;
+  if (payload?.orgId) session.orgId = payload.orgId;
+  if (payload?.org_id) session.org_id = payload.org_id;
+  if (payload?.authType) session.authType = payload.authType;
+  Object.keys(payload || {}).forEach((key) => {
+    if (![
+      "sub",
+      "userId",
+      "id",
+      "email",
+      "email_address",
+      "realm_access",
+      "roles",
+      "cognito:groups",
+      "role",
+      "projectId",
+      "orgId",
+      "org_id",
+      "authType"
+    ].includes(key)) {
+      session[key] = payload[key];
+    }
+  });
+  return session;
+}
+// src/models/user.model.ts
+import mongoose from "mongoose";
+import { v4 as uuid } from "uuid";
+var MetadataSchema = new mongoose.Schema(
+  {
+    key: { type: String, required: true },
+    value: { type: mongoose.Schema.Types.Mixed, required: true }
+  },
+  { _id: false }
+);
+var OrgUserSchema = new mongoose.Schema(
+  {
+    id: { type: String, default: uuid(), index: true },
+    email: { type: String, required: true, unique: true },
+    firstName: { type: String, required: true },
+    lastName: { type: String, required: true },
+    orgId: { type: String },
+    projectId: { type: String, required: true },
+    roles: { type: [String], default: [] },
+    emailVerified: { type: Boolean, default: false },
+    lastEmailSent: { type: [Date], default: [] },
+    lastPasswordReset: { type: Date },
+    metadata: { type: [MetadataSchema], default: [] },
+    passwordHash: { type: String }
+  },
+  { timestamps: true, collection: "users" }
+);
+var OrgUser = mongoose.model("OrgUser", OrgUserSchema);
+// src/utils/extract.ts
+import { parse as parseCookie } from "cookie";
+function extractToken(req, opts) {
+  const headerNames = opts?.headerNames ?? ["authorization", "token"];
+  const cookieNames = opts?.cookieNames ?? ["access_token", "authorization"];
+  const queryNames = opts?.queryNames ?? ["access_token", "token"];
+  for (const h of headerNames) {
+    const raw = req.headers[h];
+    if (raw) {
+      const lower = raw.toLowerCase();
+      if (lower.startsWith("bearer ")) return raw.slice(7).trim();
+      if (!raw.includes(" ")) return raw.trim();
+    }
+  }
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    const parsed = parseCookie(ch);
+    for (const c of cookieNames) if (parsed[c]) return parsed[c];
+  }
+  for (const q of queryNames) {
+    const v = req.query?.[q];
+    if (typeof v === "string" && v) return v;
+  }
+  return null;
+}
+function readProjectId(req) {
+  const ch = req.headers["cookie"];
+  if (typeof ch === "string") {
+    try {
+      const parsed = parseCookie(ch);
+      return parsed["projectId"] || null;
+    } catch {
+    }
+  }
+  return null;
+}
+// src/utils/jwt.ts
+import jwt from "jsonwebtoken";
+function verifyJwt(token) {
+  return new Promise((resolve, reject) => {
+    jwt.verify(
+      token,
+      process.env.JWT_SECRET,
+      // This is your shared secret (string)
+      {
+        algorithms: ["HS256"],
+        // Only allow HS256
+        complete: false
+        // We only want payload
+      },
+      (err, decoded) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(decoded);
+        }
+      }
+    );
+  });
+}
+// src/middlewares/auth.middleware.ts
+function requireAuth() {
+  return async (req, res, next) => {
+    try {
+      const apiKey = req.headers["x-api-key"] || req.headers["x-apikey"];
+      const userId = req.headers["x-user-id"] || req.headers["x-userId"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return res.status(401).json({ error: "Invalid API key" });
+        }
+        if (!userId) {
+          return res.status(401).json({ error: "User Id is Required" });
+        }
+        const user = await OrgUser.findOne({ id: userId }).lean();
+        if (!user) {
+          return res.status(401).json({ error: "User not found" });
+        }
+        const session2 = buildSession({
+          sub: user.id.toString(),
+          email: user.email,
+          roles: user.roles || []
+        });
+        session2.authType = "api-key";
+        session2.projectId = readProjectId(req) || user.projectId || void 0;
+        req.user = session2;
+        return next();
+      }
+      const token = extractToken(req);
+      if (!token) {
+        return res.status(401).json({ error: "Missing token" });
+      }
+      const claims = await verifyJwt(token);
+      const session = buildSession(claims);
+      const pid = readProjectId(req);
+      if (pid) session.projectId = pid;
+      req.user = session;
+      next();
+    } catch (e) {
+      res.status(401).json({ error: e?.message || "Unauthorized" });
+    }
+  };
+}
+function authorize(roles = []) {
+  return (req, res, next) => {
+    if (!roles || roles.length === 0) return next();
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    console.log(user, "user");
+    const have = new Set((user.roles || []).map(String));
+    const ok = roles.some((r) => have.has(r));
+    if (!ok) {
+      return res.status(403).json({ error: `Requires one of roles: ${roles.join(", ")}` });
+    }
+    next();
+  };
+}
+// src/middlewares/validators.ts
+function isEmail(v) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v);
+}
+function isPasswordStrong(v) {
+  return typeof v === "string" && v.length >= 6 && /[A-Z]/.test(v) && /[^a-zA-Z0-9]/.test(v);
+}
+function validateSignup(req, res, next) {
+  const { firstName, lastName, email, password, projectId, metadata } = req.body || {};
+  if (!firstName || !lastName)
+    return res.status(400).json({ error: "firstName,lastName required" });
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!isPasswordStrong(password))
+    return res.status(400).json({ error: "weak password" });
+  if (!projectId) return res.status(400).json({ error: "projectId required" });
+  if (!Array.isArray(metadata))
+    return res.status(400).json({ error: "metadata must be array" });
+  next();
+}
+function validateLogin(req, res, next) {
+  const { email, password } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (typeof password !== "string")
+    return res.status(400).json({ error: "password required" });
+  next();
+}
+function validateResetPassword(req, res, next) {
+  const { token, newPassword } = req.body || {};
+  if (!token) return res.status(400).json({ error: "token required" });
+  if (!isPasswordStrong(newPassword))
+    return res.status(400).json({ error: "weak password" });
+  next();
+}
+function validateResendEmail(req, res, next) {
+  const { email } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  next();
+}
+function validateSendInvite(req, res, next) {
+  const { email, role } = req.body || {};
+  if (!isEmail(email)) return res.status(400).json({ error: "invalid email" });
+  if (!["platform_user", "org_admin"].includes(role))
+    return res.status(400).json({ error: "invalid role" });
+  next();
+}
+// src/models/invite.model.ts
+import mongoose2 from "mongoose";
+var InviteSchema = new mongoose2.Schema(
+  {
+    id: { type: String, required: true, index: true },
+    email: { type: String, required: true },
+    role: {
+      type: String,
+      enum: ["platform_user", "org_admin"],
+      required: true
+    },
+    invitedBy: { type: String },
+    usedBy: { type: String },
+    isUsed: { type: Boolean, default: false },
+    usedAt: { type: Date },
+    expiresAt: { type: Date },
+    isExpired: { type: Boolean, default: false }
+  },
+  { timestamps: true, collection: "invites" }
+);
+var Invite = mongoose2.model("Invite", InviteSchema);
+// src/services/auth-admin.service.ts
+import bcrypt from "bcrypt";
+import jwt2 from "jsonwebtoken";
+// src/models/client.model.ts
+import mongoose3, { Schema } from "mongoose";
+var ClientSchema = new Schema(
+  {
+    clientId: {
+      type: String,
+      required: true,
+      unique: true,
+      index: true
+    },
+    redirectUris: {
+      type: [String],
+      default: []
+    },
+    publicClient: {
+      type: Boolean,
+      default: false
+    },
+    // Optional: if you want confidential clients
+    secret: {
+      type: String,
+      required: function() {
+        return !this.publicClient;
+      }
+    }
+  },
+  {
+    timestamps: true
+  }
+);
+var ClientModel = mongoose3.models.Client || mongoose3.model("Client", ClientSchema);
+// src/models/rolePermission.model.ts
+import mongoose4, { Schema as Schema2 } from "mongoose";
+var RolePermissionSchema = new Schema2(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = mongoose4.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+// src/services/auth-admin.service.ts
+var AuthAdminService = class {
+  token;
+  async getAdminToken() {
+    return this.ensureAdminToken();
+  }
+  // -------------------------------------------------------------------
+  // CLIENTS
+  // -------------------------------------------------------------------
+  async createClient(clientId, redirectUris = [], publicClient = false) {
+    const client = await ClientModel.create({
+      clientId,
+      redirectUris,
+      publicClient
+    });
+    return client;
+  }
+  async updateClient(id, patch) {
+    await ClientModel.findByIdAndUpdate(id, patch);
+  }
+  // -------------------------------------------------------------------
+  // USERS
+  // -------------------------------------------------------------------
+  async listUsersInRealm(_realm, filter) {
+    return OrgUser.find(filter || {});
+  }
+  async getUserById(userId) {
+    return OrgUser.findOne({ id: userId });
+  }
+  async isUserEmailVerified(userId) {
+    const user = await OrgUser.findOne({ id: userId });
+    return user?.emailVerified;
+  }
+  async createUserInRealm(payload) {
+    const hashedPassword = payload.credentials?.[0]?.value ? await bcrypt.hash(payload.credentials[0].value, 10) : void 0;
+    const user = await OrgUser.create({
+      username: payload.username,
+      email: payload.email,
+      firstName: payload.firstName,
+      lastName: payload.lastName,
+      projectId: payload.projectId,
+      emailVerified: payload.emailVerified || false,
+      passwordHash: hashedPassword,
+      enabled: true
+    });
+    return user;
+  }
+  async assignRealmRole(userId, roleName) {
+    const role = await RolePermissionModel.findOne({ name: roleName });
+    if (!role) throw new Error(`Role not found: ${roleName}`);
+    await OrgUser.findOneAndUpdate(
+      { id: userId },
+      {
+        $addToSet: { roles: role._id }
+      }
+    );
+  }
+  async updateUserEmailVerified(userId, emailVerified) {
+    await OrgUser.findOneAndUpdate({ id: userId }, { emailVerified });
+  }
+  async updateUserPassword(userId, newPassword) {
+    const hashed = await bcrypt.hash(newPassword, 10);
+    await OrgUser.findOneAndUpdate({ id: userId }, { password: hashed });
+  }
+  // -------------------------------------------------------------------
+  // ADMIN TOKEN (self-issued JWT)
+  // -------------------------------------------------------------------
+  async ensureAdminToken() {
+    const now = Math.floor(Date.now() / 1e3);
+    if (this.token && this.token.exp - 30 > now) {
+      return this.token.accessToken;
+    }
+    const payload = {
+      type: "admin",
+      system: true
+    };
+    const accessToken = jwt2.sign(payload, process.env.JWT_SECRET, {
+      expiresIn: "1h"
+    });
+    this.token = {
+      accessToken,
+      exp: now + 3600
+    };
+    return this.token.accessToken;
+  }
+};
+// src/services/email.service.ts
+import jwt3 from "jsonwebtoken";
+import nodemailer from "nodemailer";
+var EmailService = class {
+  transporter;
+  MAX_EMAILS = 5;
+  WINDOW_MINUTES = 15;
+  BLOCK_HOURS = 1;
+  constructor() {
+    this.transporter = nodemailer.createTransport({
+      host: process.env.EMAIL_HOST || "smtp.postmarkapp.com",
+      port: process.env.EMAIL_PORT ? Number(process.env.EMAIL_PORT) : 587,
+      secure: (process.env.EMAIL_SECURE || "false") === "true",
+      auth: { user: process.env.EMAIL_USER, pass: process.env.EMAIL_PASSWORD }
+    });
+  }
+  sign(payload, ttlSec = 60 * 60 * 24) {
+    return jwt3.sign(payload, process.env.EMAIL_JWT_SECRET, { expiresIn: ttlSec });
+  }
+  verify(token) {
+    return jwt3.verify(token, process.env.EMAIL_JWT_SECRET);
+  }
+  async send(to, subject, html) {
+    await this.transporter.sendMail({
+      from: process.env.EMAIL_FROM,
+      to,
+      subject,
+      html
+    });
+  }
+  canSend(lastEmailSent) {
+    const now = Date.now();
+    const windowStart = now - this.WINDOW_MINUTES * 60 * 1e3;
+    const emailsInWindow = (lastEmailSent || []).map((d) => new Date(d)).filter((d) => d.getTime() >= windowStart);
+    if (emailsInWindow.length >= this.MAX_EMAILS)
+      return {
+        ok: false,
+        reason: "RATE_LIMIT",
+        waitMs: this.BLOCK_HOURS * 60 * 60 * 1e3
+      };
+    return { ok: true };
+  }
+};
+// src/utils/cookie.ts
+function cookieOpts(isRefresh = false) {
+  const maxAge = isRefresh ? config.cookies.refreshTtlMs : config.cookies.accessTtlMs;
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    httpOnly: true,
+    secure,
+    sameSite: "none",
+    domain: process.env.COOKIE_DOMAIN,
+    maxAge
+  };
+}
+function clearOpts() {
+  const secure = process.env.NODE_ENV === "production" ? process.env.COOKIE_SECURE ?? true : false;
+  return {
+    domain: process.env.COOKIE_DOMAIN,
+    sameSite: "none",
+    secure
+  };
+}
+// src/express/auth.routes.ts
+function createAuthRouter(options = {}) {
+  if (options.config) {
+    configureAuthX(options.config);
+  }
+  const r = Router();
+  const email = new EmailService();
+  const authAdmin = new AuthAdminService();
+  r.use(express.json());
+  r.use(express.urlencoded({ extended: true }));
+  r.get(
+    "/healthz",
+    (_req, res) => res.json({ status: "ok", server: "org-server" })
+  );
+  r.post("/login", validateLogin, async (req, res) => {
+    const { email: emailAddress, password } = req.body || {};
+    try {
+      const user = await OrgUser.findOne({ email: emailAddress }).select("+password").lean();
+      if (!user) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      if (!user.emailVerified) {
+        return res.status(400).json({
+          error: "Please verify your email before logging in.",
+          code: "EMAIL_NOT_VERIFIED"
+        });
+      }
+      const isPasswordValid = user.passwordHash ? await bcrypt2.compare(password, user.passwordHash) : false;
+      if (!isPasswordValid) {
+        return res.status(400).json({
+          error: "Invalid email or password",
+          code: "INVALID_CREDENTIALS"
+        });
+      }
+      const tokens = generateTokens(user);
+      setAuthCookies(res, tokens);
+      if (user.projectId) {
+        res.cookie(options.projectCookieName || "projectId", user.projectId, {
+          ...cookieOpts(false),
+          httpOnly: true
+        });
+      }
+      return res.json({
+        message: "Login successful",
+        user: toUserResponse(user)
+      });
+    } catch (err) {
+      console.error("Login error:", err);
+      return res.status(500).json({ error: "Internal server error" });
+    }
+  });
+  r.post("/signup", validateSignup, async (req, res) => {
+    const {
+      firstName,
+      lastName,
+      email: emailAddress,
+      password,
+      projectId,
+      metadata
+    } = req.body || {};
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: emailAddress,
+        email: emailAddress,
+        firstName,
+        lastName,
+        projectId,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, "platform_user");
+      const user = await OrgUser.findOneAndUpdate(
+        { email: kcUser.email },
+        {
+          id: kcUser.id,
+          email: kcUser.email,
+          firstName,
+          lastName,
+          projectId,
+          metadata,
+          roles: ["platform_user"],
+          emailVerified: false
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      const emailResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(
+          email.sign({ userId: kcUser.id, email: kcUser.email }),
+          options
+        )
+      });
+      if (emailResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: emailResult.waitMs
+        });
+      }
+      return res.json({
+        id: user.id,
+        email: user.email,
+        message: "Verification email sent. Please check your inbox."
+      });
+    } catch (err) {
+      return respondWithKeycloakError(res, err, "Signup failed");
+    }
+  });
+  r.get("/me", requireAuth(), (req, res) => {
+    return res.json(req.user || null);
+  });
+  r.post("/logout", async (_req, res) => {
+    res.clearCookie("access_token", clearOpts());
+    res.clearCookie("refresh_token", clearOpts());
+    res.json({ ok: true });
+  });
+  r.put("/:userId/metadata", requireAuth(), async (req, res) => {
+    const { userId } = req.params;
+    const { metadata } = req.body || {};
+    const user = await OrgUser.findOne({ id: userId });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const map = new Map(
+      (user.metadata || []).map((m) => [m.key, m.value])
+    );
+    for (const item of metadata || []) map.set(item.key, item.value);
+    user.metadata = Array.from(map.entries()).map(([key, value]) => ({
+      key,
+      value
+    }));
+    await user.save();
+    res.json({ ok: true, metadata: user.metadata });
+  });
+  r.get("/verify-email", async (req, res) => {
+    const token = String(req.query.token || "");
+    if (!token) {
+      return res.status(400).json({ error: "Verification token is required" });
+    }
+    try {
+      const payload = email.verify(token);
+      await authAdmin.updateUserEmailVerified(payload.userId, true);
+      await OrgUser.updateOne(
+        { id: payload.userId },
+        { $set: { emailVerified: true } }
+      );
+      res.json({ ok: true, message: "Email verified" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid token" });
+    }
+  });
+  r.post(
+    "/resend-verification-email",
+    validateResendEmail,
+    async (req, res) => {
+      const user = await OrgUser.findOne({ email: req.body.email });
+      if (!user)
+        return res.status(404).json({ ok: false, error: "User not found" });
+      const verified = await authAdmin.isUserEmailVerified(user.id);
+      if (verified) {
+        return res.status(400).json({ ok: false, error: "Email is already verified" });
+      }
+      const token = email.sign({
+        email: user.email,
+        userId: user.id
+      });
+      const resendResult = await sendRateLimitedEmail({
+        emailService: email,
+        user,
+        subject: "Verify your email",
+        html: buildVerificationTemplate(token, options)
+      });
+      if (resendResult.rateLimited) {
+        return res.status(429).json({
+          ok: false,
+          error: "Too many verification emails sent. Please try again later.",
+          waitMs: resendResult.waitMs
+        });
+      }
+      res.json({ ok: true });
+    }
+  );
+  r.post("/forgot-password", validateResendEmail, async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.body.email });
+    if (!user)
+      return res.status(404).json({ ok: false, error: "User not found" });
+    const resetToken = email.sign(
+      {
+        userId: user.id,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName
+      },
+      60 * 60
+    );
+    const resetResult = await sendRateLimitedEmail({
+      emailService: email,
+      user,
+      subject: "Reset password",
+      html: buildResetTemplate(resetToken, options)
+    });
+    if (resetResult.rateLimited) {
+      return res.status(429).json({
+        ok: false,
+        error: "Please wait before requesting another password reset email.",
+        waitMs: resetResult.waitMs
+      });
+    }
+    res.json({ ok: true, message: "Password reset email sent" });
+  });
+  r.post("/reset-password", validateResetPassword, async (req, res) => {
+    const { token, newPassword } = req.body || {};
+    try {
+      const payload = email.verify(token);
+      const user = await OrgUser.findOne({ keycloakId: payload.userId });
+      if (!user) {
+        return res.status(404).json({ ok: false, error: "User not found" });
+      }
+      if (user.lastPasswordReset && payload.iat * 1e3 < user.lastPasswordReset.getTime()) {
+        return res.status(400).json({
+          ok: false,
+          error: "This reset link has already been used. Please request a new one."
+        });
+      }
+      await authAdmin.updateUserPassword(payload.userId, newPassword);
+      user.lastPasswordReset = /* @__PURE__ */ new Date();
+      await user.save();
+      res.json({ ok: true, message: "Password updated successfully" });
+    } catch (err) {
+      res.status(400).json({ ok: false, error: err?.message || "Invalid or expired token" });
+    }
+  });
+  r.post(
+    "/send-invite",
+    requireAuth(),
+    validateSendInvite,
+    async (req, res) => {
+      const { email: emailAddress, role } = req.body || {};
+      const existingUser = await OrgUser.findOne({ email: emailAddress });
+      if (existingUser) {
+        return res.status(400).json({ ok: false, error: "User with this email already exists" });
+      }
+      const existingInvite = await Invite.findOne({
+        email: emailAddress,
+        isUsed: false,
+        isExpired: false
+      });
+      if (existingInvite) {
+        return res.status(400).json({
+          ok: false,
+          error: "An active invite already exists for this email"
+        });
+      }
+      const token = email.sign({
+        email: emailAddress,
+        role,
+        inviteId: randomUUID()
+      });
+      const invite = await Invite.create({
+        id: token,
+        email: emailAddress,
+        role,
+        invitedBy: req.user?.sub,
+        isUsed: false,
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      });
+      await email.send(
+        emailAddress,
+        "You are invited",
+        `<a href="${getFrontendBaseUrl(options)}/auth/accept-invite?token=${token}">Accept</a>`
+      );
+      res.json({
+        ok: true,
+        inviteId: invite.id,
+        email: invite.email,
+        role: invite.role,
+        expiresAt: invite.expiresAt
+      });
+    }
+  );
+  r.get("/accept-invite", async (req, res) => {
+    const inv = await Invite.findOne({ id: String(req.query.token) });
+    res.json({ ok: !!inv && !inv.isUsed && !inv.isExpired });
+  });
+  r.post("/accept-invite", async (req, res) => {
+    const { token, firstName, lastName, password, projectId } = req.body || {};
+    if (!token || !firstName || !lastName || !isPasswordStrong(password || "")) {
+      return res.status(400).json({ ok: false, error: "Invalid payload" });
+    }
+    const invite = await Invite.findOne({
+      id: token,
+      isUsed: false,
+      isExpired: false
+    });
+    if (!invite) {
+      return res.status(400).json({ ok: false, error: "Invitation not found or already used" });
+    }
+    if (invite.expiresAt && invite.expiresAt.getTime() < Date.now()) {
+      invite.isExpired = true;
+      await invite.save();
+      return res.status(400).json({ ok: false, error: "Invitation has expired" });
+    }
+    try {
+      const kcUser = await authAdmin.createUserInRealm({
+        username: invite.email,
+        email: invite.email,
+        firstName,
+        lastName,
+        projectId,
+        emailVerified: true,
+        credentials: [{ type: "password", value: password, temporary: false }]
+      });
+      await authAdmin.assignRealmRole(kcUser.id, invite.role);
+      await OrgUser.findOneAndUpdate(
+        { email: invite.email },
+        {
+          id: kcUser.id,
+          email: invite.email,
+          firstName,
+          lastName,
+          roles: [invite.role],
+          emailVerified: true
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      invite.isUsed = true;
+      invite.usedAt = /* @__PURE__ */ new Date();
+      invite.usedBy = kcUser.id;
+      await invite.save();
+      res.json({
+        ok: true,
+        message: "Account created successfully.",
+        email: invite.email
+      });
+    } catch (err) {
+      res.status(400).json({
+        ok: false,
+        error: err?.response?.data?.error_description || err?.message || "Failed to create account"
+      });
+    }
+  });
+  r.get("/invites", requireAuth(), async (_req, res) => {
+    const invites = await Invite.find().sort({ createdAt: -1 }).lean();
+    res.json(invites);
+  });
+  r.delete("/invites/:inviteId", requireAuth(), async (req, res) => {
+    await Invite.deleteOne({ id: req.params.inviteId });
+    res.json({ ok: true });
+  });
+  r.get("/get-user-by-email", async (req, res) => {
+    const user = await OrgUser.findOne({ email: req.query.email }).lean();
+    res.json(user || null);
+  });
+  r.get("/google", async (_req, res) => {
+    res.json({ url: "/auth/google/callback?code=demo" });
+  });
+  r.get("/google/callback", async (_req, res) => {
+    res.cookie(
+      "access_token",
+      "ACCESS.TOKEN.PLACEHOLDER",
+      cookieOpts(false)
+    );
+    res.redirect("/");
+  });
+  r.get("/get-users", async (req, res) => {
+    const user = await OrgUser.find({ projectId: req.query.projectId }).lean();
+    res.json(user || null);
+  });
+  return r;
+}
+function setAuthCookies(res, tokens) {
+  if (tokens?.access_token) {
+    res.cookie("access_token", tokens.access_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+  if (tokens?.refresh_token) {
+    res.cookie("refresh_token", tokens.refresh_token, {
+      httpOnly: true,
+      secure: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      // 24 hours
+      path: "/"
+    });
+  }
+}
+function toUserResponse(user) {
+  if (!user) return null;
+  return {
+    sub: user.id || user.keycloakId,
+    email: user.email,
+    firstName: user.firstName,
+    lastName: user.lastName,
+    projectId: user.projectId,
+    metadata: user.metadata,
+    roles: user.roles
+  };
+}
+function respondWithKeycloakError(res, err, fallback, status = 400) {
+  const description = err?.response?.data?.error_description || err?.response?.data?.errorMessage || err?.message || fallback;
+  return res.status(status).json({ ok: false, error: description });
+}
+function buildVerificationTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/verify-email?token=${token}">Verify</a>`;
+}
+function buildResetTemplate(token, options) {
+  return `<a href="${getFrontendBaseUrl(options)}/auth/reset-password?token=${token}">Reset</a>`;
+}
+function getFrontendBaseUrl(options) {
+  if (options.frontendBaseUrl)
+    return options.frontendBaseUrl.replace(/\/$/, "");
+  const domain = process.env.ORG_DOMAIN?.replace(/\/$/, "");
+  if (!domain) return "";
+  return domain.startsWith("http") ? domain : `https://${domain}`;
+}
+async function sendRateLimitedEmail({
+  emailService,
+  user,
+  subject,
+  html
+}) {
+  const can = emailService.canSend(user?.lastEmailSent || []);
+  if (!can.ok) {
+    return { rateLimited: true, waitMs: can.waitMs };
+  }
+  await emailService.send(user.email, subject, html);
+  user.lastEmailSent = [...user.lastEmailSent || [], /* @__PURE__ */ new Date()];
+  await user.save();
+  return { rateLimited: false };
+}
+function generateTokens(user) {
+  const accessToken = jwt4.sign(
+    {
+      sub: user.id.toString(),
+      email: user.email,
+      roles: user.roles || [],
+      type: "user"
+    },
+    process.env.JWT_SECRET,
+    { expiresIn: "1h" }
+  );
+  const refreshToken = jwt4.sign(
+    { sub: user._id.toString() },
+    process.env.JWT_SECRET,
+    { expiresIn: "30d" }
+  );
+  return { access_token: accessToken, refresh_token: refreshToken };
+}
+// src/express/dashboards.routes.ts
+import express2, { Router as Router2 } from "express";
+function createDashboardRouter(options) {
+  const r = Router2();
+  const kc = new AuthAdminService();
+  r.use(express2.json());
+  r.post("/", requireAuth(), async (req, res, next) => {
+    try {
+      const { slug, isPublic, authFlow, orgDomain } = req.body || {};
+      const redirectUris = [`https://${slug}.${orgDomain}/*`];
+      const created = await kc.createClient(slug, redirectUris, !!isPublic);
+      if (authFlow || isPublic != null) {
+        await kc.updateClient(created.id, {
+          authenticationFlowBindingOverrides: authFlow ? { browser: authFlow } : void 0,
+          registrationAllowed: !!isPublic
+        });
+      }
+      res.json({ clientId: created.clientId });
+    } catch (e) {
+      next(e);
+    }
+  });
+  return r;
+}
+// src/express/email.routes.ts
+import { Router as Router3 } from "express";
+function createEmailRouter(options) {
+  const r = Router3();
+  r.get(
+    "/verify",
+    (req, res) => res.json({ ok: true, token: req.query.token })
+  );
+  return r;
+}
+// src/express/projects.routes.ts
+import { Router as Router4 } from "express";
+// src/services/projects.service.ts
+import { randomUUID as randomUUID2 } from "crypto";
+// src/models/moduleConnection.model.ts
+import mongoose5 from "mongoose";
+var ModuleItemSchema = new mongoose5.Schema(
+  { id: { type: String, required: true } },
+  { _id: false }
+);
+var ModuleConnectionSchema = new mongoose5.Schema(
+  {
+    projectId: { type: String, required: true, index: true },
+    modules: {
+      data: { type: [ModuleItemSchema], default: [] },
+      integration: { type: [ModuleItemSchema], default: [] },
+      storage: { type: [ModuleItemSchema], default: [] }
+    }
+  },
+  { timestamps: true, collection: "module_connection" }
+);
+var ModuleConnection = mongoose5.model(
+  "ModuleConnection",
+  ModuleConnectionSchema
+);
+// src/models/project.model.ts
+import mongoose6 from "mongoose";
+var ProjectSchema = new mongoose6.Schema(
+  {
+    _id: { type: String, required: true },
+    org_id: { type: String, required: true, index: true },
+    name: { type: String, required: true },
+    description: { type: String },
+    secret: { type: String, required: true }
+  },
+  { timestamps: true, collection: "projects" }
+);
+var Project = mongoose6.model("Project", ProjectSchema);
+// src/services/projects.service.ts
+var ProjectsService = class {
+  async create(org_id, name, description) {
+    const _id = randomUUID2();
+    const secret = randomUUID2();
+    const p = await Project.create({ _id, org_id, name, description, secret });
+    await ModuleConnection.create({
+      projectId: _id,
+      modules: { data: [], integration: [], storage: [] }
+    });
+    return p.toObject();
+  }
+  async list(org_id) {
+    return Project.find({ org_id }).lean();
+  }
+  async get(org_id, id) {
+    return Project.findOne({ org_id, _id: id }).lean();
+  }
+  async update(org_id, id, patch) {
+    return Project.findOneAndUpdate(
+      { org_id, _id: id },
+      { $set: patch },
+      { new: true }
+    ).lean();
+  }
+  async remove(org_id, id) {
+    await Project.deleteOne({ org_id, _id: id });
+    await ModuleConnection.deleteMany({ projectId: id });
+    return { ok: true };
+  }
+};
+// src/express/projects.routes.ts
+function createProjectsRouter(options) {
+  const r = Router4();
+  const svc = new ProjectsService();
+  r.post("/create", requireAuth(), async (req, res) => {
+    const { org_id, name, description } = req.body || {};
+    const p = await svc.create(org_id, name, description);
+    res.json(p);
+  });
+  r.get("/:org_id", requireAuth(), async (req, res) => {
+    res.json(await svc.list(req.params.org_id));
+  });
+  r.get("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.get(req.params.org_id, req.params.id));
+  });
+  r.put("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(
+      await svc.update(req.params.org_id, req.params.id, req.body || {})
+    );
+  });
+  r.delete("/:org_id/:id", requireAuth(), async (req, res) => {
+    res.json(await svc.remove(req.params.org_id, req.params.id));
+  });
+  return r;
+}
+// src/express/admin/admin.routes.ts
+import bcrypt3 from "bcryptjs";
+import { randomUUID as randomUUID3 } from "crypto";
+import express3, { Router as Router5 } from "express";
+// src/core/utils.ts
+function hasRole(session, role) {
+  if (!session || !session.roles) return false;
+  return session.roles.includes(role);
+}
+function hasAnyRole(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.some((role) => session.roles.includes(role));
+}
+function hasAllRoles(session, roles) {
+  if (!session || !session.roles || !Array.isArray(roles) || roles.length === 0) {
+    return false;
+  }
+  return roles.every((role) => session.roles.includes(role));
+}
+function hasPermission(session, permission) {
+  if (!session || !session.permissions) return false;
+  return session.permissions.includes(permission);
+}
+function hasAnyPermission(session, permissions) {
+  if (!session || !session.permissions || !Array.isArray(permissions) || permissions.length === 0) {
+    return false;
+  }
+  return permissions.some((perm) => session.permissions.includes(perm));
+}
+function hasAllPermissions(session, permissions) {
+  if (!session || !session.permissions || !Array.isArray(permissions) || permissions.length === 0) {
+    return false;
+  }
+  return permissions.every((perm) => session.permissions.includes(perm));
+}
+// src/middlewares/requireRole.ts
+function requireRole(...roles) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!roles || roles.length === 0) {
+      return next();
+    }
+    if (!hasAnyRole(user, roles)) {
+      return res.status(403).json({
+        error: `Requires one of roles: ${roles.join(", ")}`,
+        required: roles,
+        userRoles: user.roles
+      });
+    }
+    next();
+  };
+}
+// src/models/permissions.model.ts
+import mongoose7, { Schema as Schema3 } from "mongoose";
+var PermissionsSchema = new Schema3(
+  {
+    id: { type: String, required: true, index: true },
+    orgId: { type: String, default: null, index: true },
+    key: { type: String, required: true },
+    type: { type: String, required: true },
+    apiId: { type: String, required: false },
+    description: { type: String },
+    isInternal: { type: Boolean, default: false }
+  },
+  {
+    timestamps: true
+  }
+);
+PermissionsSchema.index({ orgId: 1, key: 1 }, { unique: true });
+var PermissionsModel = mongoose7.model(
+  "Permissions",
+  PermissionsSchema,
+  "permissions"
+);
+// src/express/admin/admin.routes.ts
+function resolveOrgId(req) {
+  const user = req.user || {};
+  const fromUser = user.orgId || user.org_id || null;
+  const fromQuery = req.query.orgId || null;
+  const fromBody = req.body && req.body.orgId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function resolveProjectId(req) {
+  const user = req.user || {};
+  const fromUser = user.projectId || null;
+  const fromQuery = req.query.projectId || null;
+  const fromBody = req.body && req.body.projectId || null;
+  return fromQuery || fromBody || fromUser;
+}
+function createAdminRouter(_options = {}) {
+  const r = Router5();
+  r.use(express3.json());
+  r.use(express3.urlencoded({ extended: true }));
+  const adminGuards = [requireAuth(), requireRole("platform_admin")];
+  r.post(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified = false,
+        roles = []
+      } = req.body || {};
+      const projectId = resolveProjectId(req);
+      try {
+        const hashedPassword = password ? await bcrypt3.hash(password, 10) : void 0;
+        const user = await OrgUser.create({
+          id: randomUUID3(),
+          email: emailAddress,
+          orgId: process.env.ORG_ID,
+          firstName,
+          lastName,
+          projectId,
+          emailVerified,
+          metadata: [],
+          passwordHash: hashedPassword,
+          roles
+        });
+        return res.json({
+          id: user.id,
+          email: user.email,
+          message: "Verification email sent. Please check your inbox."
+        });
+      } catch (err) {
+        console.error("Create user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/users",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const userId = req?.body?.id || req?.query?.id;
+        if (!userId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "UserId is required (send in body.id or ?id=...)"
+          });
+        }
+        const deleted = await OrgUser.findOneAndDelete({ id: userId }).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "User not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "User deleted successfully",
+          deletedUser: {
+            id: deleted.id,
+            firstName: deleted.firstName,
+            email: deleted.email,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/users/:id",
+    ...adminGuards,
+    async (req, res) => {
+      const userId = req.params.id;
+      const {
+        firstName,
+        lastName,
+        email: emailAddress,
+        password,
+        emailVerified,
+        roles
+      } = req.body || {};
+      try {
+        const existingUser = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID
+        });
+        if (!existingUser) {
+          return res.status(404).json({ error: "USER_NOT_FOUND" });
+        }
+        if (firstName !== void 0) existingUser.firstName = firstName;
+        if (lastName !== void 0) existingUser.lastName = lastName;
+        if (emailAddress !== void 0) existingUser.email = emailAddress;
+        if (emailVerified !== void 0)
+          existingUser.emailVerified = emailVerified;
+        if (roles !== void 0) existingUser.roles = roles;
+        if (password) {
+          existingUser.passwordHash = await bcrypt3.hash(password, 10);
+        }
+        await existingUser.save();
+        return res.json({
+          id: existingUser.id,
+          email: existingUser.email,
+          message: "User updated successfully."
+        });
+      } catch (err) {
+        console.error("Update user error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const items = await PermissionsModel.find(filter).lean().exec();
+        return res.json(items);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const {
+          key,
+          type,
+          apiId,
+          description,
+          isInternal = false
+        } = req.body || {};
+        if (!key || !type) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "permission key, and permission type are required"
+          });
+        }
+        const id = randomUUID3();
+        const permission = await PermissionsModel.create({
+          id,
+          orgId: orgId ?? null,
+          key,
+          type,
+          apiId,
+          description,
+          isInternal: !!isInternal
+        });
+        await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role: "platform_admin" },
+          { $addToSet: { permissions: key } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(201).json(permission);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/permissions/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const permissionId = req.params.id;
+        const { key, type, apiId, description, isInternal } = req.body || {};
+        const existing = await PermissionsModel.findOne({
+          id: permissionId,
+          orgId: orgId ?? null
+        });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission does not exist"
+          });
+        }
+        const oldKey = existing.key;
+        if (key !== void 0) existing.key = key;
+        if (type !== void 0) existing.type = type;
+        if (apiId !== void 0) existing.apiId = apiId;
+        if (description !== void 0) existing.description = description;
+        if (isInternal !== void 0) existing.isInternal = !!isInternal;
+        await existing.save();
+        if (oldKey !== key) {
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null,
+              permissions: oldKey
+            },
+            {
+              $pull: { permissions: oldKey }
+            }
+          );
+          await RolePermissionModel.updateMany(
+            {
+              orgId: orgId ?? null
+            },
+            {
+              $addToSet: { permissions: key }
+            }
+          );
+        }
+        return res.json(existing);
+      } catch (err) {
+        if (err && err.code === 11e3) {
+          return res.status(409).json({
+            error: "DUPLICATE_PERMISSION",
+            message: "Permission key already exists for this org"
+          });
+        }
+        console.error("Update permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/permissions",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const permissionId = req?.body?.id || req?.query?.id;
+        if (!permissionId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Permission id is required (send in body.id or ?id=...)"
+          });
+        }
+        const existing = await PermissionsModel.findOne({ id: permissionId });
+        if (!existing) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Permission not found or already deleted"
+          });
+        }
+        const { key, orgId } = existing;
+        await PermissionsModel.deleteOne({ id: permissionId });
+        await RolePermissionModel.updateMany(
+          { orgId: orgId ?? null },
+          { $pull: { permissions: key } }
+        );
+        return res.status(200).json({
+          ok: true,
+          message: "Permission deleted successfully",
+          deletedPermission: {
+            id: existing.id,
+            key: existing.key,
+            type: existing.type,
+            apiId: existing.apiId,
+            description: existing.description,
+            isInternal: existing.isInternal,
+            orgId: existing.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete permission error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.get(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const filter = {};
+        if (orgId !== null) {
+          filter.orgId = orgId;
+        } else {
+          filter.orgId = null;
+        }
+        const roles = await RolePermissionModel.find(filter).lean().exec();
+        return res.json(roles);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.post(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const { role, permissions } = req.body || {};
+        if (!role || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions[] are required"
+          });
+        }
+        const id = randomUUID3();
+        const doc = await RolePermissionModel.findOneAndUpdate(
+          { orgId: orgId ?? null, role },
+          { $set: { permissions } },
+          { upsert: true, new: true }
+        ).exec();
+        return res.status(200).json(doc);
+      } catch (err) {
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.put(
+    "/roles/:id",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const orgId = resolveOrgId(req);
+        const roleId = req.params.id;
+        const { role: newRoleName, permissions } = req.body || {};
+        if (!newRoleName || !Array.isArray(permissions)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "role and permissions are required"
+          });
+        }
+        const existing = await RolePermissionModel.findById(roleId);
+        if (!existing) {
+          return res.status(404).json({
+            error: "ROLE_NOT_FOUND",
+            message: "Role does not exist"
+          });
+        }
+        const oldRoleName = existing.role;
+        existing.role = newRoleName;
+        existing.permissions = permissions;
+        await existing.save();
+        if (oldRoleName !== newRoleName) {
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: oldRoleName
+            },
+            {
+              $pull: { roles: oldRoleName }
+            }
+          );
+          await OrgUser.updateMany(
+            {
+              orgId: orgId ?? null,
+              roles: { $ne: newRoleName }
+              // avoid duplicates
+            },
+            {
+              $addToSet: { roles: newRoleName }
+            }
+          );
+        }
+        return res.status(200).json(existing);
+      } catch (err) {
+        console.error("Update role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  r.delete(
+    "/roles",
+    ...adminGuards,
+    async (req, res) => {
+      try {
+        const roleId = req?.body?.id || req?.query?.id;
+        if (!roleId) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Role _id is required (send in body.id or ?id=...)"
+          });
+        }
+        if (!/^[0-9a-fA-F]{24}$/.test(roleId)) {
+          return res.status(400).json({
+            error: "VALIDATION_ERROR",
+            message: "Invalid role _id format"
+          });
+        }
+        const deleted = await RolePermissionModel.findByIdAndDelete(roleId).exec();
+        if (!deleted) {
+          return res.status(404).json({
+            error: "NOT_FOUND",
+            message: "Role not found or already deleted"
+          });
+        }
+        return res.status(200).json({
+          ok: true,
+          message: "Role deleted successfully",
+          deletedRole: {
+            _id: deleted._id,
+            role: deleted.role,
+            orgId: deleted.orgId
+          }
+        });
+      } catch (err) {
+        console.error("Delete role error:", err);
+        return res.status(500).json({ error: "INTERNAL_ERROR" });
+      }
+    }
+  );
+  return r;
+}
+// src/nest/index.ts
+var nest = {
+  mountAuthRouter(app, options) {
+    const httpAdapter = app.getHttpAdapter().getInstance();
+    const authRouter = createAuthRouter(options.routerOptions || {});
+    const authPath = options.authBasePath || "/auth";
+    httpAdapter.use(authPath, authRouter);
+    const adminRouter = createAdminRouter(options);
+    const adminPath = options.adminBasePath || "/admin";
+    httpAdapter.use(adminPath, adminRouter);
+    const dashboardRouter = createDashboardRouter(options);
+    const dashboardPath = options.dashboardBasePath || "/dashboards";
+    httpAdapter.use(dashboardPath, dashboardRouter);
+    const emailRouter = createEmailRouter(options);
+    const emailPath = options.emailBasePath || "/email";
+    httpAdapter.use(emailPath, emailRouter);
+    const projectsRouter = createProjectsRouter(options);
+    const projectsPath = options.projectsBasePath || "/projects";
+    httpAdapter.use(projectsPath, projectsRouter);
+    return {
+      authRouter,
+      dashboardRouter,
+      emailRouter,
+      projectsRouter,
+      adminRouter
+    };
+  }
+};
+// src/middlewares/permission.middleware.ts
+function requirePermission(permissionKey) {
+  return async (req, res, next) => {
+    try {
+      console.log("INSIDE PERMISSION MIDDLEWARE", permissionKey);
+      const user = req.user;
+      if (!user) {
+        return res.status(401).json({ error: "Unauthorized" });
+      }
+      const roles = Array.isArray(user.roles) ? user.roles : [];
+      if (!roles.length) {
+        return res.status(403).json({ error: "Forbidden", reason: "NO_ROLES" });
+      }
+      if (roles.includes("platform_admin")) {
+        return next();
+      }
+      const orgId = user.orgId || user.org_id || user.projectId || null;
+      const rolePermissions = await RolePermissionModel.find({
+        orgId,
+        role: { $in: roles }
+      }).lean().exec();
+      const allowed = /* @__PURE__ */ new Set();
+      for (const rp of rolePermissions) {
+        if (Array.isArray(rp.permissions)) {
+          for (const p of rp.permissions) {
+            allowed.add(p);
+          }
+        }
+      }
+      if (!allowed.has(permissionKey)) {
+        return res.status(403).json({
+          error: "Forbidden",
+          reason: "MISSING_PERMISSION",
+          permission: permissionKey
+        });
+      }
+      return next();
+    } catch (err) {
+      return next(err);
+    }
+  };
+}
+// src/middlewares/requirePermission.ts
+function requirePermission2(permission) {
+  return (req, res, next) => {
+    const user = req.user;
+    if (!user) {
+      return res.status(401).json({ error: "Unauthorized" });
+    }
+    if (!permission) {
+      return next();
+    }
+    if (!hasPermission(user, permission)) {
+      return res.status(403).json({
+        error: "Forbidden",
+        reason: "MISSING_PERMISSION",
+        permission,
+        userPermissions: user.permissions
+      });
+    }
+    next();
+  };
+}
+// src/services/upload.service.ts
+import { PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
+import { randomUUID as randomUUID4 } from "crypto";
+var UploadsService = class {
+  s3;
+  constructor() {
+    this.s3 = new S3Client({
+      region: process.env.AWS_REGION,
+      credentials: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+      }
+    });
+  }
+  async uploadPublicImage(buffer, mimetype, ext) {
+    const key = `${randomUUID4()}.${ext}`;
+    await this.s3.send(
+      new PutObjectCommand({
+        Bucket: process.env.AWS_S3_BUCKET,
+        Key: key,
+        Body: buffer,
+        ACL: "public-read",
+        ContentType: mimetype
+      })
+    );
+    return `https://${process.env.AWS_S3_BUCKET}.s3.${process.env.AWS_REGION}.amazonaws.com/${key}`;
+  }
+};
+// src/nest/authx.guard.ts
+import {
+  ForbiddenException,
+  Injectable,
+  UnauthorizedException
+} from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { AuthGuard } from "@nestjs/passport";
+// src/nest/decorators/permissions.decorator.ts
+import { SetMetadata } from "@nestjs/common";
+var PERMISSIONS_KEY = "permissions";
+var Permissions = (...permissions) => SetMetadata(PERMISSIONS_KEY, permissions);
+// src/nest/decorators/roles.decorator.ts
+import { SetMetadata as SetMetadata2 } from "@nestjs/common";
+var ROLES_KEY = "roles";
+var Roles = (...roles) => SetMetadata2(ROLES_KEY, roles);
+// src/nest/authx.guard.ts
+var AuthXGuard = class extends AuthGuard("authx") {
+  reflector = new Reflector();
+  constructor() {
+    super();
+  }
+  /**
+   * Override handleRequest to convert Passport errors to NestJS exceptions
+   * This prevents the "Right-hand side of 'instanceof' is not an object" error
+   */
+  handleRequest(err, user, info, context) {
+    if (err || !user) {
+      const message = err?.message || info?.message || "Authentication required";
+      throw new UnauthorizedException(message);
+    }
+    return user;
+  }
+  async canActivate(context) {
+    try {
+      let authenticated;
+      try {
+        authenticated = await super.canActivate(context);
+      } catch (passportError) {
+        const message = passportError?.message || "Authentication required";
+        throw new UnauthorizedException(message);
+      }
+      if (!authenticated) {
+        throw new UnauthorizedException("Authentication required");
+      }
+      const request = context.switchToHttp().getRequest();
+      const user = request.user;
+      if (!user) {
+        throw new UnauthorizedException("Authentication required");
+      }
+      const requiredRoles = this.reflector.getAllAndOverride(
+        ROLES_KEY,
+        [context.getHandler(), context.getClass()]
+      );
+      const requiredPermissions = this.reflector.getAllAndOverride(
+        PERMISSIONS_KEY,
+        [context.getHandler(), context.getClass()]
+      );
+      if (requiredRoles && requiredRoles.length > 0) {
+        if (!hasAnyRole(user, requiredRoles)) {
+          throw new ForbiddenException(
+            `Requires one of roles: ${requiredRoles.join(", ")}`
+          );
+        }
+      }
+      if (requiredPermissions && requiredPermissions.length > 0) {
+        if (!hasAnyPermission(user, requiredPermissions)) {
+          throw new ForbiddenException(
+            `Requires one of permissions: ${requiredPermissions.join(", ")}`
+          );
+        }
+      }
+      return true;
+    } catch (error) {
+      if (error instanceof UnauthorizedException || error instanceof ForbiddenException) {
+        throw error;
+      }
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      throw new UnauthorizedException(errorMessage || "Authentication failed");
+    }
+  }
+};
+AuthXGuard = __decorateClass([
+  Injectable()
+], AuthXGuard);
+// src/nest/decorators/session.decorator.ts
+import { createParamDecorator } from "@nestjs/common";
+var AuthXSessionDecorator = createParamDecorator(
+  (data, ctx) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user || null;
+  }
+);
+// src/passport/authx.strategy.ts
+import { Strategy } from "passport";
+var AuthXStrategy = class extends Strategy {
+  name = "authx";
+  authenticate(req) {
+    try {
+      console.log("AuthXStrategy.authenticate - starting");
+      const token = extractToken(req);
+      console.log("AuthXStrategy.authenticate - token extracted:", token ? "yes" : "no");
+      if (!token) {
+        console.log("AuthXStrategy.authenticate - no token, failing");
+        return this.fail({ message: "Missing token" }, 401);
+      }
+      console.log("AuthXStrategy.authenticate - verifying JWT");
+      verifyJwt(token).then((claims) => {
+        console.log("AuthXStrategy.authenticate - JWT verified successfully");
+        const session = buildSession(claims);
+        req.user = session;
+        return this.success(session);
+      }).catch((error) => {
+        console.log("AuthXStrategy.authenticate - JWT verification failed:", error?.message || error);
+        return this.fail({ message: error?.message || "Unauthorized" }, 401);
+      });
+    } catch (error) {
+      console.log("AuthXStrategy.authenticate - exception caught:", error?.message || error);
+      return this.fail({ message: error?.message || "Unauthorized" }, 401);
+    }
+  }
+};
+function createAuthXStrategy() {
+  return new AuthXStrategy();
+}
+// src/next/server/authx.ts
+import { cookies } from "next/headers";
+async function authx() {
+  try {
+    const cookieStore = await cookies();
+    const token = cookieStore.get("access_token")?.value || cookieStore.get("authorization")?.value || cookieStore.get("auth_token")?.value || null;
+    if (!token) {
+      return { session: null };
+    }
+    const claims = await verifyJwt(token);
+    const session = buildSession(claims);
+    return { session };
+  } catch (error) {
+    return { session: null };
+  }
+}
+// src/next/server/withAuthRoute.ts
+import { NextResponse } from "next/server";
+function withAuthRoute(permissionOrHandler, handler) {
+  let permission;
+  let routeHandler;
+  if (typeof permissionOrHandler === "string") {
+    permission = permissionOrHandler;
+    routeHandler = handler;
+  } else {
+    permission = void 0;
+    routeHandler = permissionOrHandler;
+  }
+  return async (req, context) => {
+    const { session } = await authx();
+    if (!session) {
+      return new NextResponse(
+        JSON.stringify({ error: "Unauthorized" }),
+        { status: 401, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    if (permission && !hasPermission(session, permission)) {
+      return new NextResponse(
+        JSON.stringify({
+          error: "Forbidden",
+          reason: "MISSING_PERMISSION",
+          permission
+        }),
+        { status: 403, headers: { "Content-Type": "application/json" } }
+      );
+    }
+    return routeHandler(req, session, context);
+  };
+}
+// src/next/client/AuthXProvider.tsx
+import { createContext, useContext, useEffect, useState } from "react";
+import { jsx } from "react/jsx-runtime";
+var AuthXContext = createContext(void 0);
+function AuthXProvider({ children, apiUrl = "/auth/me" }) {
+  const [session, setSession] = useState(null);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const fetchSession = async () => {
+    try {
+      setIsLoading(true);
+      setError(null);
+      const response = await fetch(apiUrl, {
+        credentials: "include"
+        // Include cookies
+      });
+      if (!response.ok) {
+        if (response.status === 401) {
+          setSession(null);
+          return;
+        }
+        throw new Error(`Failed to fetch session: ${response.statusText}`);
+      }
+      const data = await response.json();
+      setSession(data.user || data.session || data);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Unknown error"));
+      setSession(null);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+  useEffect(() => {
+    fetchSession();
+  }, [apiUrl]);
+  const value = {
+    session,
+    isLoading,
+    error,
+    refetch: fetchSession
+  };
+  return /* @__PURE__ */ jsx(AuthXContext.Provider, { value, children });
+}
+function useAuthXContext() {
+  const context = useContext(AuthXContext);
+  if (context === void 0) {
+    throw new Error("useAuthX must be used within an AuthXProvider");
+  }
+  return context;
+}
+// src/next/client/HasPermission.tsx
+import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
+function HasPermission({
+  permission,
+  children,
+  fallback = null
+}) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
+  }
+  const hasPerm = hasPermission(session, permission);
+  if (!hasPerm) {
+    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx2(Fragment, { children });
+}
+// src/next/client/HasRole.tsx
+import { Fragment as Fragment2, jsx as jsx3 } from "react/jsx-runtime";
+function HasRole({ role, children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+  }
+  const roles = Array.isArray(role) ? role : [role];
+  const hasRole2 = hasAnyRole(session, roles);
+  if (!hasRole2) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx3(Fragment2, { children });
+}
+// src/next/client/SignedIn.tsx
+import { Fragment as Fragment3, jsx as jsx4 } from "react/jsx-runtime";
+function SignedIn({ children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (!session) {
+    return /* @__PURE__ */ jsx4(Fragment3, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx4(Fragment3, { children });
+}
+// src/next/client/SignedOut.tsx
+import { Fragment as Fragment4, jsx as jsx5 } from "react/jsx-runtime";
+function SignedOut({ children, fallback = null }) {
+  const { session, isLoading } = useAuthXContext();
+  if (isLoading) {
+    return null;
+  }
+  if (session) {
+    return /* @__PURE__ */ jsx5(Fragment4, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx5(Fragment4, { children });
+}
+// src/next/client/useAuthX.ts
+function useAuthX() {
+  const { session, isLoading, error, refetch } = useAuthXContext();
+  return {
+    session,
+    isLoading,
+    error,
+    refetch,
+    isSignedIn: !!session,
+    userId: session?.userId || null,
+    email: session?.email || null,
+    roles: session?.roles || [],
+    permissions: session?.permissions || []
+  };
+}
+function useHasRole(role) {
+  const { session } = useAuthXContext();
+  if (!session || !session.roles) return false;
+  return session.roles.includes(role);
+}
+function useHasPermission(permission) {
+  const { session } = useAuthXContext();
+  if (!session || !session.permissions) return false;
+  return session.permissions.includes(permission);
+}
+export {
+  AuthAdminService,
+  AuthXGuard,
+  AuthXProvider,
+  AuthXSessionDecorator,
+  AuthXStrategy,
+  EmailService,
+  HasPermission,
+  HasRole,
+  PLATFORM_ROLES,
+  Permissions,
+  ProjectsService,
+  Roles,
+  SignedIn,
+  SignedOut,
+  UploadsService,
+  authorize,
+  authx,
+  buildSession,
+  createAuthXStrategy,
+  express_exports as express,
+  getPermissionsForRoles,
+  hasAllPermissions,
+  hasAllRoles,
+  hasAnyPermission,
+  hasAnyRole,
+  hasPermission,
+  hasRole,
+  nest,
+  requireAuth,
+  requirePermission2 as requirePermission,
+  requirePermission as requirePermissionLegacy,
+  requireRole,
+  useAuthX,
+  useAuthXContext,
+  useHasPermission,
+  useHasRole,
+  withAuthRoute
+};
+//# sourceMappingURL=index.js.map