aaspai-authx 0.0.2 → 0.0.4

package/dist/index.js

@@ -96,26 +96,15 @@ function isPlainObject(value) {
 var PLATFORM_ROLES = [
   {
     role: "platform_admin",
-    permissions: [
-      "projects.create",
-      "projects.read",
-      "projects.update",
-      "projects.delete",
-      "users.manage",
-      "api.manage"
-    ]
+    permissions: []
   },
   {
     role: "platform_manager",
-    permissions: [
-      "projects.read",
-      "projects.update",
-      "users.read"
-    ]
+    permissions: []
   },
   {
     role: "platform_user",
-    permissions: ["projects.read"]
+    permissions: []
   }
 ];
 function getPermissionsForRoles(roles) {
@@ -173,17 +162,36 @@ function buildSession(payload) {
   return session;
 }
 
+// src/models/rolePermission.model.ts
+import mongoose, { Schema } from "mongoose";
+var RolePermissionSchema = new Schema(
+  {
+    orgId: { type: String, default: null, index: true },
+    role: { type: String, required: true },
+    permissions: { type: [String], default: [] }
+  },
+  {
+    timestamps: true
+  }
+);
+RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
+var RolePermissionModel = mongoose.model(
+  "RolePermission",
+  RolePermissionSchema,
+  "role_permissions"
+);
+
 // src/models/user.model.ts
-import mongoose from "mongoose";
+import mongoose2 from "mongoose";
 import { v4 as uuid } from "uuid";
-var MetadataSchema = new mongoose.Schema(
+var MetadataSchema = new mongoose2.Schema(
   {
     key: { type: String, required: true },
-    value: { type: mongoose.Schema.Types.Mixed, required: true }
+    value: { type: mongoose2.Schema.Types.Mixed, required: true }
   },
   { _id: false }
 );
-var OrgUserSchema = new mongoose.Schema(
+var OrgUserSchema = new mongoose2.Schema(
   {
     id: { type: String, default: uuid(), index: true },
     email: { type: String, required: true, unique: true },
@@ -200,7 +208,7 @@ var OrgUserSchema = new mongoose.Schema(
   },
   { timestamps: true, collection: "users" }
 );
-var OrgUser = mongoose.model("OrgUser", OrgUserSchema);
+var OrgUser = mongoose2.model("OrgUser", OrgUserSchema);
 
 // src/utils/extract.ts
 import { parse as parseCookie } from "cookie";
@@ -265,6 +273,27 @@ function verifyJwt(token) {
 }
 
 // src/middlewares/auth.middleware.ts
+async function mergeRolePermissions(session) {
+  const roles = Array.isArray(session.roles) ? session.roles : [];
+  if (!roles.length) return;
+  const orgContexts = /* @__PURE__ */ new Set();
+  if (session.orgId) orgContexts.add(session.orgId);
+  if (session.org_id) orgContexts.add(session.org_id);
+  if (session.projectId) orgContexts.add(session.projectId);
+  orgContexts.add(null);
+  const docs = await RolePermissionModel.find({
+    orgId: { $in: Array.from(orgContexts) },
+    role: { $in: roles }
+  }).lean().exec();
+  const dynamic = /* @__PURE__ */ new Set();
+  for (const doc of docs) {
+    for (const perm of doc.permissions || []) {
+      if (perm) dynamic.add(perm);
+    }
+  }
+  const existing = Array.isArray(session.permissions) ? session.permissions : [];
+  session.permissions = Array.from(/* @__PURE__ */ new Set([...existing, ...dynamic]));
+}
 function requireAuth() {
   return async (req, res, next) => {
     try {
@@ -281,26 +310,32 @@ function requireAuth() {
         if (!user) {
           return res.status(401).json({ error: "User not found" });
         }
-        const session2 = buildSession({
+        const session = buildSession({
           sub: user.id.toString(),
           email: user.email,
-          roles: user.roles || []
+          roles: user.roles || [],
+          orgId: user.orgId,
+          org_id: user.orgId,
+          projectId: user.projectId
         });
-        session2.authType = "api-key";
-        session2.projectId = readProjectId(req) || user.projectId || void 0;
-        req.user = session2;
+        session.authType = "api-key";
+        session.projectId = readProjectId(req) || user.projectId || void 0;
+        await mergeRolePermissions(session);
+        req.user = session;
         return next();
+      } else {
+        const token = extractToken(req);
+        if (!token) {
+          return res.status(401).json({ error: "Missing token" });
+        }
+        const claims = await verifyJwt(token);
+        const session = buildSession(claims);
+        const pid = readProjectId(req);
+        if (pid) session.projectId = pid;
+        await mergeRolePermissions(session);
+        req.user = session;
+        next();
       }
-      const token = extractToken(req);
-      if (!token) {
-        return res.status(401).json({ error: "Missing token" });
-      }
-      const claims = await verifyJwt(token);
-      const session = buildSession(claims);
-      const pid = readProjectId(req);
-      if (pid) session.projectId = pid;
-      req.user = session;
-      next();
     } catch (e) {
       res.status(401).json({ error: e?.message || "Unauthorized" });
     }
@@ -313,7 +348,6 @@ function authorize(roles = []) {
     if (!user) {
       return res.status(401).json({ error: "Unauthorized" });
     }
-    console.log(user, "user");
     const have = new Set((user.roles || []).map(String));
     const ok = roles.some((r) => have.has(r));
     if (!ok) {
@@ -370,8 +404,8 @@ function validateSendInvite(req, res, next) {
 }
 
 // src/models/invite.model.ts
-import mongoose2 from "mongoose";
-var InviteSchema = new mongoose2.Schema(
+import mongoose3 from "mongoose";
+var InviteSchema = new mongoose3.Schema(
   {
     id: { type: String, required: true, index: true },
     email: { type: String, required: true },
@@ -389,15 +423,15 @@ var InviteSchema = new mongoose2.Schema(
   },
   { timestamps: true, collection: "invites" }
 );
-var Invite = mongoose2.model("Invite", InviteSchema);
+var Invite = mongoose3.model("Invite", InviteSchema);
 
 // src/services/auth-admin.service.ts
 import bcrypt from "bcrypt";
 import jwt2 from "jsonwebtoken";
 
 // src/models/client.model.ts
-import mongoose3, { Schema } from "mongoose";
-var ClientSchema = new Schema(
+import mongoose4, { Schema as Schema2 } from "mongoose";
+var ClientSchema = new Schema2(
   {
     clientId: {
       type: String,
@@ -425,26 +459,7 @@ var ClientSchema = new Schema(
     timestamps: true
   }
 );
-var ClientModel = mongoose3.models.Client || mongoose3.model("Client", ClientSchema);
-
-// src/models/rolePermission.model.ts
-import mongoose4, { Schema as Schema2 } from "mongoose";
-var RolePermissionSchema = new Schema2(
-  {
-    orgId: { type: String, default: null, index: true },
-    role: { type: String, required: true },
-    permissions: { type: [String], default: [] }
-  },
-  {
-    timestamps: true
-  }
-);
-RolePermissionSchema.index({ orgId: 1, role: 1 }, { unique: true });
-var RolePermissionModel = mongoose4.model(
-  "RolePermission",
-  RolePermissionSchema,
-  "role_permissions"
-);
+var ClientModel = mongoose4.models.Client || mongoose4.model("Client", ClientSchema);
 
 // src/services/auth-admin.service.ts
 var AuthAdminService = class {
@@ -1038,16 +1053,18 @@ async function sendRateLimitedEmail({
   return { rateLimited: false };
 }
 function generateTokens(user) {
-  const accessToken = jwt4.sign(
-    {
-      sub: user.id.toString(),
-      email: user.email,
-      roles: user.roles || [],
-      type: "user"
-    },
-    process.env.JWT_SECRET,
-    { expiresIn: "1h" }
-  );
+  const accessPayload = {
+    sub: user.id.toString(),
+    email: user.email,
+    roles: user.roles || [],
+    orgId: user.orgId || null,
+    org_id: user.orgId || null,
+    projectId: user.projectId || null,
+    type: "user"
+  };
+  const accessToken = jwt4.sign(accessPayload, process.env.JWT_SECRET, {
+    expiresIn: "1h"
+  });
   const refreshToken = jwt4.sign(
     { sub: user._id.toString() },
     process.env.JWT_SECRET,
@@ -1941,27 +1958,44 @@ var AuthXSessionDecorator = createParamDecorator(
 import { Strategy } from "passport";
 var AuthXStrategy = class extends Strategy {
   name = "authx";
-  authenticate(req) {
+  async authenticate(req) {
     try {
-      console.log("AuthXStrategy.authenticate - starting");
-      const token = extractToken(req);
-      console.log("AuthXStrategy.authenticate - token extracted:", token ? "yes" : "no");
-      if (!token) {
-        console.log("AuthXStrategy.authenticate - no token, failing");
-        return this.fail({ message: "Missing token" }, 401);
-      }
-      console.log("AuthXStrategy.authenticate - verifying JWT");
-      verifyJwt(token).then((claims) => {
-        console.log("AuthXStrategy.authenticate - JWT verified successfully");
-        const session = buildSession(claims);
+      const apiKey = req.headers["x-api-key"];
+      const userId = req.headers["x-user-id"];
+      if (apiKey) {
+        if (apiKey !== process.env.SERVER_API_KEY) {
+          return this.fail({ message: "Invalid API key" }, 401);
+        }
+        if (!userId) {
+          return this.fail({ message: "User Id is required" }, 401);
+        }
+        const user = await OrgUser.findOne({
+          id: userId,
+          orgId: process.env.ORG_ID || null
+        });
+        if (!user) {
+          return this.fail({ message: "User not found" }, 401);
+        }
+        const session = buildSession(user);
         req.user = session;
         return this.success(session);
-      }).catch((error) => {
-        console.log("AuthXStrategy.authenticate - JWT verification failed:", error?.message || error);
-        return this.fail({ message: error?.message || "Unauthorized" }, 401);
-      });
+      } else {
+        const token = extractToken(req);
+        if (!token) {
+          return this.fail({ message: "Missing token" }, 401);
+        }
+        verifyJwt(token).then((claims) => {
+          const session = buildSession(claims);
+          req.user = session;
+          return this.success(session);
+        }).catch((error) => {
+          return this.fail(
+            { message: error?.message || "Unauthorized" },
+            401
+          );
+        });
+      }
     } catch (error) {
-      console.log("AuthXStrategy.authenticate - exception caught:", error?.message || error);
       return this.fail({ message: error?.message || "Unauthorized" }, 401);
     }
   }