aaspai-authx 0.0.2 → 0.0.4

package/dist/index.cjs

@@ -161,26 +161,15 @@ function isPlainObject(value) {
 var PLATFORM_ROLES = [
   {
     role: "platform_admin",
-    permissions: [
-      "projects.create",
-      "projects.read",
-      "projects.update",
-      "projects.delete",
-      "users.manage",
-      "api.manage"
-    ]
+    permissions: []
   },
   {
     role: "platform_manager",
-    permissions: [
-      "projects.read",
-      "projects.update",
-      "users.read"
-    ]
+    permissions: []
   },
   {
     role: "platform_user",
-    permissions: ["projects.read"]
+    permissions: []
   }
 ];
 function getPermissionsForRoles(roles) {
@@ -238,17 +227,36 @@ function buildSession(payload) {
   return session;
 }
 
-// src/models/user.model.ts
+// src/models/rolePermission.model.ts
 var import_mongoose = __toESM(require("mongoose"), 1);
+var RolePermissionSchema = new import_mongoose.Schema(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = import_mongoose.default.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+
+// src/models/user.model.ts
+var import_mongoose2 = __toESM(require("mongoose"), 1);
 var import_uuid = require("uuid");
-var MetadataSchema = new import_mongoose.default.Schema(
+var MetadataSchema = new import_mongoose2.default.Schema(
   {
     key: { type: String, required: true },
-    value: { type: import_mongoose.default.Schema.Types.Mixed, required: true }
+    value: { type: import_mongoose2.default.Schema.Types.Mixed, required: true }
   },
   { _id: false }
 );
-var OrgUserSchema = new import_mongoose.default.Schema(
+var OrgUserSchema = new import_mongoose2.default.Schema(
   {
     id: { type: String, default: (0, import_uuid.v4)(), index: true },
     email: { type: String, required: true, unique: true },
@@ -265,7 +273,7 @@ var OrgUserSchema = new import_mongoose.default.Schema(
   },
   { timestamps: true, collection: "users" }
 );
-var OrgUser = import_mongoose.default.model("OrgUser", OrgUserSchema);
+var OrgUser = import_mongoose2.default.model("OrgUser", OrgUserSchema);
 
 // src/utils/extract.ts
 var import_cookie = require("cookie");
@@ -330,6 +338,27 @@ function verifyJwt(token) {
 }
 
 // src/middlewares/auth.middleware.ts
+async function mergeRolePermissions(session) {
+  const roles = Array.isArray(session.roles) ? session.roles : [];
+  if (!roles.length) return;
+  const orgContexts = /* @__PURE__ */ new Set();
+  if (session.orgId) orgContexts.add(session.orgId);
+  if (session.org_id) orgContexts.add(session.org_id);
+  if (session.projectId) orgContexts.add(session.projectId);
+  orgContexts.add(null);
+  const docs = await RolePermissionModel.find({
+    orgId: { $in: Array.from(orgContexts) },
+    role: { $in: roles }
+  }).lean().exec();
+  const dynamic = /* @__PURE__ */ new Set();
+  for (const doc of docs) {
+    for (const perm of doc.permissions || []) {
+      if (perm) dynamic.add(perm);
+    }
+  }
+  const existing = Array.isArray(session.permissions) ? session.permissions : [];
+  session.permissions = Array.from(/* @__PURE__ */ new Set([...existing, ...dynamic]));
+}
 function requireAuth() {
   return async (req, res, next) => {
     try {
@@ -346,26 +375,32 @@ function requireAuth() {
         if (!user) {
           return res.status(401).json({ error: "User not found" });
         }
-        const session2 = buildSession({
+        const session = buildSession({
           sub: user.id.toString(),
           email: user.email,
-          roles: user.roles || []
+          roles: user.roles || [],
+          orgId: user.orgId,
+          org_id: user.orgId,
+          projectId: user.projectId
         });
-        session2.authType = "api-key";
-        session2.projectId = readProjectId(req) || user.projectId || void 0;
-        req.user = session2;
+        session.authType = "api-key";
+        session.projectId = readProjectId(req) || user.projectId || void 0;
+        await mergeRolePermissions(session);
+        req.user = session;
         return next();
+      } else {
+        const token = extractToken(req);
+        if (!token) {
+          return res.status(401).json({ error: "Missing token" });
+        }
+        const claims = await verifyJwt(token);
+        const session = buildSession(claims);
+        const pid = readProjectId(req);
+        if (pid) session.projectId = pid;
+        await mergeRolePermissions(session);
+        req.user = session;
+        next();
       }
-      const token = extractToken(req);
-      if (!token) {
-        return res.status(401).json({ error: "Missing token" });
-      }
-      const claims = await verifyJwt(token);
-      const session = buildSession(claims);
-      const pid = readProjectId(req);
-      if (pid) session.projectId = pid;
-      req.user = session;
-      next();
     } catch (e) {
       res.status(401).json({ error: e?.message || "Unauthorized" });
     }
@@ -378,7 +413,6 @@ function authorize(roles = []) {
     if (!user) {
       return res.status(401).json({ error: "Unauthorized" });
     }
-    console.log(user, "user");
     const have = new Set((user.roles || []).map(String));
     const ok = roles.some((r) => have.has(r));
     if (!ok) {
@@ -435,8 +469,8 @@ function validateSendInvite(req, res, next) {
 }
 
 // src/models/invite.model.ts
-var import_mongoose2 = __toESM(require("mongoose"), 1);
-var InviteSchema = new import_mongoose2.default.Schema(
+var import_mongoose3 = __toESM(require("mongoose"), 1);
+var InviteSchema = new import_mongoose3.default.Schema(
   {
     id: { type: String, required: true, index: true },
     email: { type: String, required: true },
@@ -454,15 +488,15 @@ var InviteSchema = new import_mongoose2.default.Schema(
   },
   { timestamps: true, collection: "invites" }
 );
-var Invite = import_mongoose2.default.model("Invite", InviteSchema);
+var Invite = import_mongoose3.default.model("Invite", InviteSchema);
 
 // src/services/auth-admin.service.ts
 var import_bcrypt = __toESM(require("bcrypt"), 1);
 var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"), 1);
 
 // src/models/client.model.ts
-var import_mongoose3 = __toESM(require("mongoose"), 1);
-var ClientSchema = new import_mongoose3.Schema(
+var import_mongoose4 = __toESM(require("mongoose"), 1);
+var ClientSchema = new import_mongoose4.Schema(
   {
     clientId: {
       type: String,
@@ -490,26 +524,7 @@ var ClientSchema = new import_mongoose3.Schema(
     timestamps: true
   }
 );
-var ClientModel = import_mongoose3.default.models.Client || import_mongoose3.default.model("Client", ClientSchema);
-
-// src/models/rolePermission.model.ts
-var import_mongoose4 = __toESM(require("mongoose"), 1);
-var RolePermissionSchema = new import_mongoose4.Schema(
-  {
-    orgId: { type: String, default: null, index: true },
-    role: { type: String, required: true },
-    permissions: { type: [String], default: [] }
-  },
-  {
-    timestamps: true
-  }
-);
-RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
-var RolePermissionModel = import_mongoose4.default.model(
-  "RolePermission",
-  RolePermissionSchema,
-  "role_permissions"
-);
+var ClientModel = import_mongoose4.default.models.Client || import_mongoose4.default.model("Client", ClientSchema);
 
 // src/services/auth-admin.service.ts
 var AuthAdminService = class {
@@ -1103,16 +1118,18 @@ async function sendRateLimitedEmail({
   return { rateLimited: false };
 }
 function generateTokens(user) {
-  const accessToken = import_jsonwebtoken4.default.sign(
-    {
-      sub: user.id.toString(),
-      email: user.email,
-      roles: user.roles || [],
-      type: "user"
-    },
-    process.env.JWT_SECRET,
-    { expiresIn: "1h" }
-  );
+  const accessPayload = {
+    sub: user.id.toString(),
+    email: user.email,
+    roles: user.roles || [],
+    orgId: user.orgId || null,
+    org_id: user.orgId || null,
+    projectId: user.projectId || null,
+    type: "user"
+  };
+  const accessToken = import_jsonwebtoken4.default.sign(accessPayload, process.env.JWT_SECRET, {
+    expiresIn: "1h"
+  });
   const refreshToken = import_jsonwebtoken4.default.sign(
     { sub: user._id.toString() },
     process.env.JWT_SECRET,
@@ -2002,27 +2019,44 @@ var AuthXSessionDecorator = (0, import_common4.createParamDecorator)(
 var import_passport2 = require("passport");
 var AuthXStrategy = class extends import_passport2.Strategy {
   name = "authx";
-  authenticate(req) {
+  async authenticate(req) {
     try {
-      console.log("AuthXStrategy.authenticate - starting");
-      const token = extractToken(req);
-      console.log("AuthXStrategy.authenticate - token extracted:", token ? "yes" : "no");
-      if (!token) {
-        console.log("AuthXStrategy.authenticate - no token, failing");
-        return this.fail({ message: "Missing token" }, 401);
-      }
-      console.log("AuthXStrategy.authenticate - verifying JWT");
-      verifyJwt(token).then((claims) => {
-        console.log("AuthXStrategy.authenticate - JWT verified successfully");
-        const session = buildSession(claims);
+      const apiKey = req.headers["x-api-key"];
+      const userId = req.headers["x-user-id"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return this.fail({ message: "Invalid API key" }, 401);
+        }
+        if (!userId) {
+          return this.fail({ message: "User Id is required" }, 401);
+        }
+        const user = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID || null
+        });
+        if (!user) {
+          return this.fail({ message: "User not found" }, 401);
+        }
+        const session = buildSession(user);
         req.user = session;
         return this.success(session);
-      }).catch((error) => {
-        console.log("AuthXStrategy.authenticate - JWT verification failed:", error?.message || error);
-        return this.fail({ message: error?.message || "Unauthorized" }, 401);
-      });
+      } else {
+        const token = extractToken(req);
+        if (!token) {
+          return this.fail({ message: "Missing token" }, 401);
+        }
+        verifyJwt(token).then((claims) => {
+          const session = buildSession(claims);
+          req.user = session;
+          return this.success(session);
+        }).catch((error) => {
+          return this.fail(
+            { message: error?.message || "Unauthorized" },
+            401
+          );
+        });
+      }
     } catch (error) {
-      console.log("AuthXStrategy.authenticate - exception caught:", error?.message || error);
       return this.fail({ message: error?.message || "Unauthorized" }, 401);
     }
   }