nextly 0.0.1 → 0.0.2-alpha.0

package/dist/chunk-2Q2SX2CS.mjs

@@ -0,0 +1,365 @@
+import {
+  rateLimiter
+} from "./chunk-DXGGXIUZ.mjs";
+import {
+  getSession
+} from "./chunk-UUOFWCM6.mjs";
+import {
+  hasAnyPermission,
+  hasPermission
+} from "./chunk-W5KKPZT5.mjs";
+import {
+  env
+} from "./chunk-UJ2IMJ4W.mjs";
+import {
+  container
+} from "./chunk-D5HQBNUB.mjs";
+import {
+  NextlyError
+} from "./chunk-NRUWQ5Z7.mjs";
+
+// src/auth/middleware/index.ts
+var DEFAULT_RATE_LIMIT = 1e3;
+var DEFAULT_RATE_WINDOW_MS = 36e5;
+function getRBACService() {
+  try {
+    if (container.has("rbacAccessControlService")) {
+      return container.get(
+        "rbacAccessControlService"
+      );
+    }
+  } catch {
+  }
+  return void 0;
+}
+function getApiKeyService() {
+  try {
+    if (container.has("apiKeyService")) {
+      return container.get("apiKeyService");
+    }
+  } catch {
+  }
+  return void 0;
+}
+function getConfig() {
+  try {
+    if (container.has("config")) {
+      return container.get("config");
+    }
+  } catch {
+  }
+  return void 0;
+}
+function createErrorResponse(statusCode, message, error, headers, code) {
+  return {
+    success: false,
+    statusCode,
+    message,
+    error: error || message,
+    data: null,
+    ...code && { code },
+    ...headers && { headers }
+  };
+}
+async function requireApiKeyAuth(req) {
+  const authHeader = req.headers.get("authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return null;
+  }
+  const rawKey = authHeader.slice(7).trim();
+  if (!rawKey) {
+    return null;
+  }
+  const apiKeyService = getApiKeyService();
+  if (!apiKeyService) {
+    return createErrorResponse(
+      503,
+      "Service Unavailable",
+      "API key authentication service is not available"
+    );
+  }
+  const keyAuth = await apiKeyService.authenticateApiKey(rawKey);
+  if (!keyAuth) {
+    return createErrorResponse(
+      401,
+      "Invalid API key",
+      "The provided API key is invalid, expired, or revoked"
+    );
+  }
+  const cfg = getConfig();
+  const resolvedLimit = cfg?.apiKeys?.rateLimit.requestsPerHour ?? DEFAULT_RATE_LIMIT;
+  const resolvedWindowMs = cfg?.apiKeys?.rateLimit.windowMs ?? DEFAULT_RATE_WINDOW_MS;
+  const rl = rateLimiter.check(keyAuth.id, resolvedLimit, resolvedWindowMs);
+  if (!rl.allowed) {
+    const retryAfterSecs = Math.ceil(
+      (rl.resetAt.getTime() - Date.now()) / 1e3
+    );
+    return createErrorResponse(
+      429,
+      "Too Many Requests",
+      "Rate limit exceeded for this API key",
+      {
+        "Retry-After": String(retryAfterSecs),
+        "X-RateLimit-Limit": String(resolvedLimit),
+        "X-RateLimit-Remaining": "0"
+      }
+    );
+  }
+  const [permissions, roles] = await Promise.all([
+    apiKeyService.resolveApiKeyPermissions(
+      keyAuth.tokenType,
+      keyAuth.roleId,
+      keyAuth.userId,
+      keyAuth.id
+    ),
+    apiKeyService.resolveApiKeyRoles(
+      keyAuth.tokenType,
+      keyAuth.roleId,
+      keyAuth.userId
+    )
+  ]);
+  return { userId: keyAuth.userId, permissions, roles };
+}
+async function requireAuthentication(req) {
+  const sessionResult = await getSession(req, env.NEXTLY_SECRET || "");
+  if (sessionResult.authenticated) {
+    const { user } = sessionResult;
+    return {
+      userId: user.id,
+      userName: user.name ?? void 0,
+      userEmail: user.email ?? void 0,
+      permissions: [],
+      roles: user.roleIds,
+      authMethod: "session"
+    };
+  }
+  const apiKeyResult = await requireApiKeyAuth(req);
+  if (apiKeyResult === null) {
+    if (sessionResult.reason === "expired") {
+      return createErrorResponse(
+        401,
+        "Session expired",
+        "Your session has expired, please refresh",
+        void 0,
+        "TOKEN_EXPIRED"
+      );
+    }
+    return createErrorResponse(
+      401,
+      "Authentication required",
+      "You must be logged in to access this resource",
+      void 0,
+      "AUTH_REQUIRED"
+    );
+  }
+  if ("statusCode" in apiKeyResult) {
+    return apiKeyResult;
+  }
+  return {
+    userId: apiKeyResult.userId,
+    permissions: apiKeyResult.permissions,
+    roles: apiKeyResult.roles,
+    authMethod: "api-key"
+  };
+}
+async function requirePermission(req, action, resource) {
+  const authResult = await requireAuthentication(req);
+  if ("statusCode" in authResult) {
+    return authResult;
+  }
+  if (authResult.authMethod === "api-key") {
+    const slug = `${action}-${resource}`;
+    if (!authResult.permissions.includes(slug)) {
+      return createErrorResponse(
+        403,
+        "Forbidden",
+        `You do not have permission to ${action} ${resource}`
+      );
+    }
+    return authResult;
+  }
+  const rbac = getRBACService();
+  const hasAccess = rbac ? await rbac.checkAccess({
+    userId: authResult.userId,
+    operation: action,
+    resource
+  }) : await hasPermission(authResult.userId, action, resource);
+  if (!hasAccess) {
+    return createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have permission to ${action} ${resource}`
+    );
+  }
+  return authResult;
+}
+async function requireAnyPermission(req, permissions) {
+  const authResult = await requireAuthentication(req);
+  if ("statusCode" in authResult) {
+    return authResult;
+  }
+  if (authResult.authMethod === "api-key") {
+    const hasAny = permissions.some(
+      ({ action, resource }) => authResult.permissions.includes(`${action}-${resource}`)
+    );
+    if (!hasAny) {
+      return createErrorResponse(
+        403,
+        "Forbidden",
+        `You do not have the required permissions to access this resource`
+      );
+    }
+    return authResult;
+  }
+  const hasAccess = await hasAnyPermission(authResult.userId, permissions);
+  if (!hasAccess) {
+    return createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have the required permissions to access this resource`
+    );
+  }
+  return authResult;
+}
+async function requireCollectionAccess(req, action, collectionSlug) {
+  const authResult = await requireAuthentication(req);
+  if ("statusCode" in authResult) {
+    return authResult;
+  }
+  if (authResult.authMethod === "api-key") {
+    const slug = `${action}-${collectionSlug}`;
+    if (!authResult.permissions.includes(slug)) {
+      return createErrorResponse(
+        403,
+        "Forbidden",
+        `You do not have permission to ${action} ${collectionSlug}`
+      );
+    }
+    const rbac2 = getRBACService();
+    if (rbac2) {
+      const codeAccess = rbac2.getRegisteredAccess(collectionSlug);
+      if (codeAccess) {
+        const denied = await evaluateCodeAccess(
+          codeAccess,
+          action,
+          collectionSlug,
+          authResult
+        );
+        if (denied) return denied;
+      }
+    }
+    return authResult;
+  }
+  const rbac = getRBACService();
+  const hasAccess = rbac ? await rbac.checkAccess({
+    userId: authResult.userId,
+    operation: action,
+    resource: collectionSlug
+  }) : await hasPermission(authResult.userId, action, collectionSlug);
+  if (!hasAccess) {
+    return createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have permission to ${action} ${collectionSlug}`
+    );
+  }
+  return authResult;
+}
+async function evaluateCodeAccess(codeAccess, operation, resource, authResult) {
+  const operationAccess = codeAccess[operation];
+  if (operationAccess === void 0) {
+    return null;
+  }
+  if (typeof operationAccess === "boolean") {
+    return operationAccess ? null : createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have permission to ${operation} ${resource}`
+    );
+  }
+  const ctx = {
+    user: { id: authResult.userId },
+    roles: authResult.roles,
+    permissions: authResult.permissions,
+    operation,
+    collection: resource
+  };
+  try {
+    const allowed = await operationAccess(ctx);
+    return allowed ? null : createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have permission to ${operation} ${resource}`
+    );
+  } catch (error) {
+    console.error(
+      `[auth] Code access function for ${operation}:${resource} threw:`,
+      error
+    );
+    return createErrorResponse(
+      403,
+      "Forbidden",
+      `You do not have permission to ${operation} ${resource}`
+    );
+  }
+}
+function createJsonErrorResponse(error) {
+  const { headers: extraHeaders, ...bodyPayload } = error;
+  const responseHeaders = {
+    "Content-Type": "application/json",
+    ...extraHeaders
+  };
+  return new Response(JSON.stringify({ data: bodyPayload }), {
+    status: error.statusCode,
+    headers: responseHeaders
+  });
+}
+function isErrorResponse(result) {
+  return "statusCode" in result;
+}
+
+// src/auth/middleware/to-nextly-error.ts
+function toNextlyAuthError(legacy) {
+  const logContext = {
+    legacyStatus: legacy.statusCode,
+    legacyMessage: legacy.message,
+    legacyError: legacy.error
+  };
+  if (legacy.code) logContext.legacyCode = legacy.code;
+  if (legacy.statusCode === 401) {
+    if (legacy.code === "TOKEN_EXPIRED") {
+      return new NextlyError({
+        code: "TOKEN_EXPIRED",
+        publicMessage: "Authentication required.",
+        logContext
+      });
+    }
+    return NextlyError.authRequired({ logContext });
+  }
+  if (legacy.statusCode === 403) {
+    return NextlyError.forbidden({ logContext });
+  }
+  if (legacy.statusCode === 429) {
+    const headerLookup = legacy.headers ? new Headers(legacy.headers) : void 0;
+    const retryAfterRaw = headerLookup?.get("retry-after") ?? void 0;
+    const retryAfterSeconds = retryAfterRaw ? Number(retryAfterRaw) : void 0;
+    return NextlyError.rateLimited({
+      retryAfterSeconds: typeof retryAfterSeconds === "number" && Number.isFinite(retryAfterSeconds) ? retryAfterSeconds : void 0,
+      logContext
+    });
+  }
+  if (legacy.statusCode === 503) {
+    return NextlyError.serviceUnavailable({ logContext });
+  }
+  return NextlyError.internal({ logContext });
+}
+
+export {
+  requireAuthentication,
+  requirePermission,
+  requireAnyPermission,
+  requireCollectionAccess,
+  createJsonErrorResponse,
+  isErrorResponse,
+  toNextlyAuthError
+};

package/dist/chunk-2TFX4ND3.mjs

@@ -0,0 +1,13 @@
+// src/observability/on-error.ts
+var globalOnError;
+function setGlobalOnError(hook) {
+  globalOnError = hook;
+}
+function getGlobalOnError() {
+  return globalOnError;
+}
+
+export {
+  setGlobalOnError,
+  getGlobalOnError
+};

package/dist/chunk-2TWPDSYD.mjs

@@ -0,0 +1,87 @@
+// src/database/schema-registry.ts
+import { getTableName, is } from "drizzle-orm";
+import { MySqlTable } from "drizzle-orm/mysql-core";
+import { PgTable } from "drizzle-orm/pg-core";
+import { SQLiteTable } from "drizzle-orm/sqlite-core";
+var SchemaRegistry = class {
+  dialect;
+  // Keyed by SQL table name (e.g., "dynamic_collections", not "dynamicCollections")
+  staticSchemas = {};
+  dynamicSchemas = /* @__PURE__ */ new Map();
+  constructor(dialect) {
+    this.dialect = dialect;
+  }
+  getDialect() {
+    return this.dialect;
+  }
+  // Register system tables from the dialect schema exports.
+  // Converts from JS export names (camelCase) to SQL table names (snake_case)
+  // so that getTable("dynamic_collections") works correctly.
+  registerStaticSchemas(schemas) {
+    this.staticSchemas = {};
+    for (const [key, value] of Object.entries(schemas)) {
+      if (this.isDrizzleTable(value)) {
+        try {
+          const sqlName = getTableName(value);
+          this.staticSchemas[sqlName] = value;
+        } catch {
+          this.staticSchemas[key] = value;
+        }
+      } else {
+        this.staticSchemas[key] = value;
+      }
+    }
+  }
+  // Register a single dynamic collection's table object.
+  // Called per collection when loading from dynamic_collections table.
+  // tableName should be the SQL table name (e.g., "dc_products").
+  registerDynamicSchema(tableName, table) {
+    this.dynamicSchemas.set(tableName, table);
+  }
+  // Look up a table object by SQL table name (for queries).
+  // Checks dynamic schemas first since they may override static in edge cases.
+  getTable(tableName) {
+    if (this.dynamicSchemas.has(tableName)) {
+      return this.dynamicSchemas.get(tableName);
+    }
+    if (tableName in this.staticSchemas) {
+      return this.staticSchemas[tableName];
+    }
+    return null;
+  }
+  // Get all schemas merged (for pushSchema() and drizzle() init).
+  // Dynamic schemas override static schemas with the same key.
+  getAllSchemas() {
+    const dynamicObj = {};
+    for (const [key, value] of this.dynamicSchemas) {
+      dynamicObj[key] = value;
+    }
+    return { ...this.staticSchemas, ...dynamicObj };
+  }
+  // Get only dynamic table names (for cleanup, debugging)
+  getDynamicTableNames() {
+    return Array.from(this.dynamicSchemas.keys());
+  }
+  // Clear dynamic schemas (before reload on restart)
+  clear() {
+    this.dynamicSchemas.clear();
+  }
+  // Check if a table exists in the registry
+  hasTable(tableName) {
+    return this.dynamicSchemas.has(tableName) || tableName in this.staticSchemas;
+  }
+  // Check if a value is a Drizzle table object
+  isDrizzleTable(value) {
+    if (!value || typeof value !== "object") return false;
+    try {
+      return is(value, PgTable) || is(value, MySqlTable) || is(value, SQLiteTable);
+    } catch {
+      const obj = value;
+      return "_" in obj && typeof obj._?.name === "string";
+    }
+  }
+};
+
+export {
+  SchemaRegistry
+};