ante-erp-cli 1.11.42 → 1.11.43

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.11.42",
+  "version": "1.11.43",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/update.js

@@ -8,6 +8,7 @@ import { pullImagesSilent, stopServicesSilent, startServicesSilent, waitForServi
 import { backup } from './backup.js';
 import { getCurrentVersion, getLatestVersion } from './update-cli.js';
 import { generateDockerCompose } from '../templates/docker-compose.yml.js';
+import { generateSecurePassword } from '../utils/password.js';
 
 /**
  * Check if gate-app, guardian-app, facial-web, or pos-app is installed by checking docker-compose.yml
@@ -236,6 +237,83 @@ COMPANY_ID=1
   writeFileSync(envFile, envContent);
 }
 
+/**
+ * Ensure customer app JWT configuration exists in .env file
+ * @param {string} envFile - Path to .env file
+ */
+function ensureCustomerAppJwtConfig(envFile) {
+  let envContent = readFileSync(envFile, 'utf8');
+  let modified = false;
+
+  // Check if CUSTOMER_APP_JWT_SECRET exists
+  if (!envContent.includes('CUSTOMER_APP_JWT_SECRET=')) {
+    console.log('⚙️  Adding missing CUSTOMER_APP_JWT_SECRET...');
+
+    // Generate new secret
+    const customerAppJwtSecret = generateSecurePassword(64);
+
+    // Find the ENCRYPTION_KEY line and add after it
+    if (envContent.includes('ENCRYPTION_KEY=')) {
+      envContent = envContent.replace(
+        /(ENCRYPTION_KEY=.*\n)/,
+        `$1\n# Customer App JWT Configuration\nCUSTOMER_APP_JWT_SECRET=${customerAppJwtSecret}\n`
+      );
+    } else {
+      // Fallback: add to security keys section or end of file
+      envContent += `\n# Customer App JWT Configuration\nCUSTOMER_APP_JWT_SECRET=${customerAppJwtSecret}\n`;
+    }
+    modified = true;
+  }
+
+  // Check if CUSTOMER_APP_JWT_EXPIRY exists
+  if (!envContent.includes('CUSTOMER_APP_JWT_EXPIRY=')) {
+    console.log('⚙️  Adding CUSTOMER_APP_JWT_EXPIRY...');
+    envContent = envContent.replace(
+      /(CUSTOMER_APP_JWT_SECRET=.*\n)/,
+      `$1CUSTOMER_APP_JWT_EXPIRY=1y\n`
+    );
+    modified = true;
+  } else {
+    // Update old expiry value (15m -> 1y)
+    if (envContent.includes('CUSTOMER_APP_JWT_EXPIRY=15m')) {
+      console.log('⚙️  Updating CUSTOMER_APP_JWT_EXPIRY from 15m to 1y...');
+      envContent = envContent.replace(
+        /CUSTOMER_APP_JWT_EXPIRY=15m/,
+        'CUSTOMER_APP_JWT_EXPIRY=1y'
+      );
+      modified = true;
+    }
+  }
+
+  // Check if CUSTOMER_APP_REFRESH_TOKEN_EXPIRY exists
+  if (!envContent.includes('CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=')) {
+    console.log('⚙️  Adding CUSTOMER_APP_REFRESH_TOKEN_EXPIRY...');
+    envContent = envContent.replace(
+      /(CUSTOMER_APP_JWT_EXPIRY=.*\n)/,
+      `$1CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=1y\n`
+    );
+    modified = true;
+  } else {
+    // Update old expiry value (30d -> 1y)
+    if (envContent.includes('CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=30d')) {
+      console.log('⚙️  Updating CUSTOMER_APP_REFRESH_TOKEN_EXPIRY from 30d to 1y...');
+      envContent = envContent.replace(
+        /CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=30d/,
+        'CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=1y'
+      );
+      modified = true;
+    }
+  }
+
+  // Write back if modified
+  if (modified) {
+    writeFileSync(envFile, envContent);
+    console.log('✅ Customer app JWT configuration updated');
+  }
+
+  return modified;
+}
+
 /**
  * Format step title with numbering
  * @param {number} step - Current step number
@@ -298,6 +376,10 @@ export async function update(options) {
     // POS App health check removed - not required
     if (!options.skipCleanup) totalSteps++; // Cleanup step
 
+    // Ensure customer app JWT configuration exists (run before tasks)
+    console.log(chalk.gray('Checking customer app JWT configuration...'));
+    ensureCustomerAppJwtConfig(envFile);
+
     // Pre-calculate step numbers for each task (fixes step numbering bug)
     let currentStep = 0;
     const stepPreStart = !options.skipBackup ? ++currentStep : null;

package/src/templates/docker-compose.yml.js

@@ -134,6 +134,9 @@ services:
       JWT_EXPIRATION: \${JWT_EXPIRATION:-24h}
       DEVELOPER_KEY: \${DEVELOPER_KEY}
       ENCRYPTION_KEY: \${ENCRYPTION_KEY}
+      CUSTOMER_APP_JWT_SECRET: \${CUSTOMER_APP_JWT_SECRET}
+      CUSTOMER_APP_JWT_EXPIRY: \${CUSTOMER_APP_JWT_EXPIRY:-1y}
+      CUSTOMER_APP_REFRESH_TOKEN_EXPIRY: \${CUSTOMER_APP_REFRESH_TOKEN_EXPIRY:-1y}
       FRONTEND_URL: \${FRONTEND_URL:-http://localhost:${frontendPort}}
       API_URL: \${API_URL:-http://localhost:${backendPort}}
       SOCKET_URL: \${SOCKET_URL:-http://localhost:${backendPort}}

package/src/templates/env.js

@@ -55,6 +55,11 @@ JWT_EXPIRATION=24h
 DEVELOPER_KEY=${credentials.developerKey}
 ENCRYPTION_KEY=${credentials.encryptionKey}
 
+# Customer App JWT Configuration
+CUSTOMER_APP_JWT_SECRET=${credentials.customerAppJwtSecret}
+CUSTOMER_APP_JWT_EXPIRY=1y
+CUSTOMER_APP_REFRESH_TOKEN_EXPIRY=1y
+
 # ------------------------------------------------------------------------------
 # APPLICATION URLs
 # ------------------------------------------------------------------------------

package/src/utils/password.js

@@ -36,6 +36,7 @@ export function generateCredentials() {
     jwtSecret: generateSecurePassword(64),
     developerKey: generateRandomHex(16),
     encryptionKey: generateRandomHex(16),
+    customerAppJwtSecret: generateSecurePassword(64),
   };
 }