npm - organify-auth-sdk - Versions diffs - 0.2.1 - Mend

organify-auth-sdk 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/chunk-M5JNBLJQ.js +158 -0
package/dist/chunk-M5JNBLJQ.js.map +1 -0
package/dist/index.d.ts +152 -0
package/dist/index.js +132 -0
package/dist/index.js.map +1 -0
package/dist/nestjs/index.d.ts +106 -0
package/dist/nestjs/index.js +7718 -0
package/dist/nestjs/index.js.map +1 -0
package/package.json +53 -0

package/dist/chunk-M5JNBLJQ.js ADDED Viewed

@@ -0,0 +1,158 @@
+import jwt from 'jsonwebtoken';
+import { encode, decode } from '@msgpack/msgpack';
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+function verifyToken(token, options) {
+  return jwt.verify(token, options.secret, {
+    ignoreExpiration: options.ignoreExpiration
+  });
+}
+function decodeToken(token) {
+  return jwt.decode(token);
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  return authHeader.substring(7);
+}
+function extractCookieToken(cookieHeader, cookieName = "auth_token") {
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(";").map((s) => s.trim()).find((s) => s.startsWith(`${cookieName}=`));
+  if (!match) return null;
+  return decodeURIComponent(match.split("=")[1]);
+}
+function hasPermission(role, permission, rolePermissions) {
+  const perms = rolePermissions[role];
+  if (!perms) return false;
+  return perms.includes(permission);
+}
+function validateServiceToken(token, expectedToken) {
+  if (!token) return false;
+  return token === expectedToken;
+}
+var MSGPACK_MIME = "application/x-msgpack";
+var ServiceClient = class {
+  config;
+  constructor(config) {
+    this.config = {
+      serviceToken: config.serviceToken,
+      timeout: config.timeout ?? 1e4,
+      headers: config.headers ?? {}
+    };
+  }
+  // ─── HTTP Methods ─────────────────────────
+  async get(url, opts) {
+    return this.request("GET", url, void 0, opts);
+  }
+  async post(url, body, opts) {
+    return this.request("POST", url, body, opts);
+  }
+  async put(url, body, opts) {
+    return this.request("PUT", url, body, opts);
+  }
+  async patch(url, body, opts) {
+    return this.request("PATCH", url, body, opts);
+  }
+  async delete(url, opts) {
+    return this.request("DELETE", url, void 0, opts);
+  }
+  // ─── Core Request ─────────────────────────
+  async request(method, url, body, opts) {
+    const timeout = opts?.timeout ?? this.config.timeout;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    try {
+      const headers = {
+        // Always use MessagePack for internal communication
+        "Accept": MSGPACK_MIME,
+        "X-Service-Token": this.config.serviceToken,
+        ...this.config.headers,
+        ...opts?.headers
+      };
+      if (opts?.userId) {
+        headers["x-user-id"] = opts.userId;
+      }
+      const fetchOpts = {
+        method,
+        headers,
+        signal: controller.signal
+      };
+      if (body !== void 0 && body !== null) {
+        const packed = encode(body);
+        fetchOpts.body = Buffer.from(packed.buffer, packed.byteOffset, packed.byteLength);
+        headers["Content-Type"] = MSGPACK_MIME;
+      }
+      const response = await fetch(url, fetchOpts);
+      const contentType = response.headers.get("content-type") || "";
+      let data;
+      if (/msgpack/i.test(contentType)) {
+        const buffer = await response.arrayBuffer();
+        data = decode(new Uint8Array(buffer));
+      } else {
+        const text = await response.text();
+        try {
+          data = JSON.parse(text);
+        } catch {
+          data = text;
+        }
+      }
+      const responseHeaders = {};
+      response.headers.forEach((value, key) => {
+        responseHeaders[key] = value;
+      });
+      if (!response.ok) {
+        throw new ServiceClientError(
+          `Service request failed: ${method} ${url} \u2192 ${response.status}`,
+          response.status,
+          data
+        );
+      }
+      return { data, status: response.status, headers: responseHeaders };
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+};
+var ServiceClientError = class extends Error {
+  constructor(message, status, response) {
+    super(message);
+    this.status = status;
+    this.response = response;
+    this.name = "ServiceClientError";
+  }
+};
+export { MSGPACK_MIME, ServiceClient, ServiceClientError, __commonJS, __decorateClass, __toESM, decodeToken, extractBearerToken, extractCookieToken, hasPermission, validateServiceToken, verifyToken };
+//# sourceMappingURL=chunk-M5JNBLJQ.js.map
+//# sourceMappingURL=chunk-M5JNBLJQ.js.map

package/dist/chunk-M5JNBLJQ.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/jwt.ts","../src/service-client.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBO,SAAS,WAAA,CACd,OACA,OAAA,EACoB;AACpB,EAAA,OAAO,GAAA,CAAI,MAAA,CAAO,KAAA,EAAO,OAAA,CAAQ,MAAA,EAAQ;AAAA,IACvC,kBAAkB,OAAA,CAAQ;AAAA,GAC3B,CAAA;AACH;AAKO,SAAS,YAAY,KAAA,EAA0C;AACpE,EAAA,OAAO,GAAA,CAAI,OAAO,KAAK,CAAA;AACzB;AAKO,SAAS,mBACd,UAAA,EACe;AACf,EAAA,IAAI,CAAC,UAAA,EAAY,UAAA,CAAW,SAAS,GAAG,OAAO,IAAA;AAC/C,EAAA,OAAO,UAAA,CAAW,UAAU,CAAC,CAAA;AAC/B;AAKO,SAAS,kBAAA,CACd,YAAA,EACA,UAAA,GAAa,YAAA,EACE;AACf,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aACX,KAAA,CAAM,GAAG,EACT,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,IAAA,EAAM,CAAA,CACnB,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,CAAA,EAAG,UAAU,GAAG,CAAC,CAAA;AAC7C,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,OAAO,mBAAmB,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAC/C;AAKO,SAAS,aAAA,CACd,IAAA,EACA,UAAA,EACA,eAAA,EACS;AACT,EAAA,MAAM,KAAA,GAAQ,gBAAgB,IAAI,CAAA;AAClC,EAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AACnB,EAAA,OAAO,KAAA,CAAM,SAAS,UAAU,CAAA;AAClC;AAKO,SAAS,oBAAA,CACd,OACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AACnB,EAAA,OAAO,KAAA,KAAU,aAAA;AACnB;AC3DO,IAAM,YAAA,GAAe;AA0BrB,IAAM,gBAAN,MAAoB;AAAA,EACjB,MAAA;AAAA,EAIR,YAAY,MAAA,EAA6B;AACvC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,cAAc,MAAA,CAAO,YAAA;AAAA,MACrB,OAAA,EAAS,OAAO,OAAA,IAAW,GAAA;AAAA,MAC3B,OAAA,EAAS,MAAA,CAAO,OAAA,IAAW;AAAC,KAC9B;AAAA,EACF;AAAA;AAAA,EAIA,MAAM,GAAA,CAAa,GAAA,EAAa,IAAA,EAA2D;AACzF,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,KAAA,EAAO,GAAA,EAAK,QAAW,IAAI,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,IAAA,CAAc,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACtG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,MAAA,EAAQ,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EAChD;AAAA,EAEA,MAAM,GAAA,CAAa,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACrG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,KAAA,EAAO,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,KAAA,CAAe,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACvG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,OAAA,EAAS,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EACjD;AAAA,EAEA,MAAM,MAAA,CAAgB,GAAA,EAAa,IAAA,EAA2D;AAC5F,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,QAAA,EAAU,GAAA,EAAK,QAAW,IAAI,CAAA;AAAA,EACvD;AAAA;AAAA,EAIA,MAAc,OAAA,CACZ,MAAA,EACA,GAAA,EACA,MACA,IAAA,EAC6B;AAC7B,IAAA,MAAM,OAAA,GAAU,IAAA,EAAM,OAAA,IAAW,IAAA,CAAK,MAAA,CAAO,OAAA;AAC7C,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE1D,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAkC;AAAA;AAAA,QAEtC,QAAA,EAAU,YAAA;AAAA,QACV,iBAAA,EAAmB,KAAK,MAAA,CAAO,YAAA;AAAA,QAC/B,GAAG,KAAK,MAAA,CAAO,OAAA;AAAA,QACf,GAAG,IAAA,EAAM;AAAA,OACX;AAGA,MAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,QAAA,OAAA,CAAQ,WAAW,IAAI,IAAA,CAAK,MAAA;AAAA,MAC9B;AAEA,MAAA,MAAM,SAAA,GAAyB;AAAA,QAC7B,MAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAQ,UAAA,CAAW;AAAA,OACrB;AAGA,MAAA,IAAI,IAAA,KAAS,KAAA,CAAA,IAAa,IAAA,KAAS,IAAA,EAAM;AACvC,QAAA,MAAM,MAAA,GAAS,OAAO,IAAI,CAAA;AAC1B,QAAA,SAAA,CAAU,IAAA,GAAO,OAAO,IAAA,CAAK,MAAA,CAAO,QAAQ,MAAA,CAAO,UAAA,EAAY,OAAO,UAAU,CAAA;AAChF,QAAA,OAAA,CAAQ,cAAc,CAAA,GAAI,YAAA;AAAA,MAC5B;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK,SAAS,CAAA;AAG3C,MAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,EAAA;AAC5D,MAAA,IAAI,IAAA;AAEJ,MAAA,IAAI,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AAChC,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,WAAA,EAAY;AAC1C,QAAA,IAAA,GAAO,MAAA,CAAO,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AAAA,MACtC,CAAA,MAAO;AAEL,QAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,QAAA,IAAI;AACF,UAAA,IAAA,GAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,QACxB,CAAA,CAAA,MAAQ;AACN,UAAA,IAAA,GAAO,IAAA;AAAA,QACT;AAAA,MACF;AAGA,MAAA,MAAM,kBAA0C,EAAC;AACjD,MAAA,QAAA,CAAS,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACvC,QAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,KAAA;AAAA,MACzB,CAAC,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,kBAAA;AAAA,UACR,2BAA2B,MAAM,CAAA,CAAA,EAAI,GAAG,CAAA,QAAA,EAAM,SAAS,MAAM,CAAA,CAAA;AAAA,UAC7D,QAAA,CAAS,MAAA;AAAA,UACT;AAAA,SACF;AAAA,MACF;AAEA,MAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,QAAA,CAAS,MAAA,EAAQ,SAAS,eAAA,EAAgB;AAAA,IACnE,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF;AACF;AAIO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EAC5C,WAAA,CACE,OAAA,EACgB,MAAA,EACA,QAAA,EAChB;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAHG,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AAAA,EACd;AACF","file":"chunk-M5JNBLJQ.js","sourcesContent":["// ─────────────────────────────────────────────\n// @organify/auth-sdk — JWT verification helpers\n// ─────────────────────────────────────────────\n\nimport jwt from 'jsonwebtoken';\nimport type { JwtPayload as OrganifyJwtPayload } from './types';\n\nexport interface VerifyOptions {\n secret: string;\n /** When true, expired tokens won't throw */\n ignoreExpiration?: boolean;\n}\n\n/**\n * Verify and decode a JWT token.\n * @throws Error if token is invalid or expired\n */\nexport function verifyToken(\n token: string,\n options: VerifyOptions,\n): OrganifyJwtPayload {\n return jwt.verify(token, options.secret, {\n ignoreExpiration: options.ignoreExpiration,\n }) as unknown as OrganifyJwtPayload;\n}\n\n/**\n * Decode a JWT without verifying (useful for debugging).\n */\nexport function decodeToken(token: string): OrganifyJwtPayload | null {\n return jwt.decode(token) as OrganifyJwtPayload | null;\n}\n\n/**\n * Extract Bearer token from Authorization header.\n */\nexport function extractBearerToken(\n authHeader: string | undefined,\n): string | null {\n if (!authHeader?.startsWith('Bearer ')) return null;\n return authHeader.substring(7);\n}\n\n/**\n * Extract a token from a cookie header string.\n */\nexport function extractCookieToken(\n cookieHeader: string | undefined,\n cookieName = 'auth_token',\n): string | null {\n if (!cookieHeader) return null;\n const match = cookieHeader\n .split(';')\n .map((s) => s.trim())\n .find((s) => s.startsWith(`${cookieName}=`));\n if (!match) return null;\n return decodeURIComponent(match.split('=')[1]);\n}\n\n/**\n * Check if a user has a specific permission based on their role.\n */\nexport function hasPermission(\n role: string,\n permission: string,\n rolePermissions: Record<string, string[]>,\n): boolean {\n const perms = rolePermissions[role];\n if (!perms) return false;\n return perms.includes(permission);\n}\n\n/**\n * Validate a service-to-service token.\n */\nexport function validateServiceToken(\n token: string | undefined,\n expectedToken: string,\n): boolean {\n if (!token) return false;\n return token === expectedToken;\n}\n","// ─────────────────────────────────────────────\n// ServiceClient — Inter-Service HTTP Client with MessagePack\n// ─────────────────────────────────────────────\n// All service-to-service communication uses MessagePack for\n// serialization/deserialization. This client:\n//\n// 1. Sends request bodies as MessagePack (Content-Type: application/x-msgpack)\n// 2. Requests MessagePack responses (Accept: application/x-msgpack)\n// 3. Injects X-Service-Token for authentication\n// 4. Automatically decodes MessagePack responses\n// 5. Falls back to JSON when MessagePack is not available\n//\n// Usage:\n// const client = new ServiceClient({\n// serviceToken: 'shared-secret',\n// });\n// const users = await client.get<User[]>('http://users:4001/api/internal/users/batch');\n// const workspace = await client.post('http://workspaces:4002/api/internal/workspaces/personal', { userId: '1', userName: 'John' });\n// ─────────────────────────────────────────────\n\nimport { encode, decode } from '@msgpack/msgpack';\n\nexport const MSGPACK_MIME = 'application/x-msgpack';\n\nexport interface ServiceClientConfig {\n /** Shared service-to-service token (SERVICE_TO_SERVICE_TOKEN) */\n serviceToken: string;\n /** Default timeout in ms (default: 10000) */\n timeout?: number;\n /** Additional default headers */\n headers?: Record<string, string>;\n}\n\nexport interface ServiceRequestOptions {\n /** Override timeout for this request */\n timeout?: number;\n /** Additional headers for this request */\n headers?: Record<string, string>;\n /** Override user ID to forward downstream */\n userId?: string;\n}\n\nexport interface ServiceResponse<T = any> {\n data: T;\n status: number;\n headers: Record<string, string>;\n}\n\nexport class ServiceClient {\n private config: Required<Pick<ServiceClientConfig, 'serviceToken' | 'timeout'>> & {\n headers: Record<string, string>;\n };\n\n constructor(config: ServiceClientConfig) {\n this.config = {\n serviceToken: config.serviceToken,\n timeout: config.timeout ?? 10_000,\n headers: config.headers ?? {},\n };\n }\n\n // ─── HTTP Methods ─────────────────────────\n\n async get<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('GET', url, undefined, opts);\n }\n\n async post<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('POST', url, body, opts);\n }\n\n async put<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('PUT', url, body, opts);\n }\n\n async patch<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('PATCH', url, body, opts);\n }\n\n async delete<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('DELETE', url, undefined, opts);\n }\n\n // ─── Core Request ─────────────────────────\n\n private async request<T>(\n method: string,\n url: string,\n body?: any,\n opts?: ServiceRequestOptions,\n ): Promise<ServiceResponse<T>> {\n const timeout = opts?.timeout ?? this.config.timeout;\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), timeout);\n\n try {\n const headers: Record<string, string> = {\n // Always use MessagePack for internal communication\n 'Accept': MSGPACK_MIME,\n 'X-Service-Token': this.config.serviceToken,\n ...this.config.headers,\n ...opts?.headers,\n };\n\n // Forward user identity if provided\n if (opts?.userId) {\n headers['x-user-id'] = opts.userId;\n }\n\n const fetchOpts: RequestInit = {\n method,\n headers,\n signal: controller.signal,\n };\n\n // Encode body as MessagePack if present\n if (body !== undefined && body !== null) {\n const packed = encode(body);\n fetchOpts.body = Buffer.from(packed.buffer, packed.byteOffset, packed.byteLength);\n headers['Content-Type'] = MSGPACK_MIME;\n }\n\n const response = await fetch(url, fetchOpts);\n\n // Parse response based on Content-Type\n const contentType = response.headers.get('content-type') || '';\n let data: T;\n\n if (/msgpack/i.test(contentType)) {\n const buffer = await response.arrayBuffer();\n data = decode(new Uint8Array(buffer)) as T;\n } else {\n // Fallback to JSON\n const text = await response.text();\n try {\n data = JSON.parse(text) as T;\n } catch {\n data = text as unknown as T;\n }\n }\n\n // Collect response headers\n const responseHeaders: Record<string, string> = {};\n response.headers.forEach((value, key) => {\n responseHeaders[key] = value;\n });\n\n if (!response.ok) {\n throw new ServiceClientError(\n `Service request failed: ${method} ${url} → ${response.status}`,\n response.status,\n data,\n );\n }\n\n return { data, status: response.status, headers: responseHeaders };\n } finally {\n clearTimeout(timer);\n }\n }\n}\n\n// ─── Error Class ────────────────────────────\n\nexport class ServiceClientError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly response: any,\n ) {\n super(message);\n this.name = 'ServiceClientError';\n }\n}\n"]}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,152 @@
+interface JwtPayload {
+    /** User ID (subject) */
+    sub: number;
+    email: string;
+    name: string;
+    role: 'admin' | 'user' | 'manager';
+    plan: string;
+    teamIds: number[];
+    /** Token type — only present on refresh tokens */
+    tokenType?: 'refresh';
+    iat?: number;
+    exp?: number;
+}
+interface AuthenticatedUser {
+    userId: number;
+    email: string;
+    name: string;
+    role: string;
+    plan: string;
+}
+interface JwtTokens {
+    accessToken: string;
+    refreshToken: string;
+}
+declare enum Permission {
+    READ_OWN_PROFILE = "read:own_profile",
+    UPDATE_OWN_PROFILE = "update:own_profile",
+    READ_USERS = "read:users",
+    CREATE_USERS = "create:users",
+    UPDATE_USERS = "update:users",
+    DELETE_USERS = "delete:users",
+    READ_PROJECTS = "read:projects",
+    CREATE_PROJECTS = "create:projects",
+    UPDATE_PROJECTS = "update:projects",
+    DELETE_PROJECTS = "delete:projects",
+    READ_TASKS = "read:tasks",
+    CREATE_TASKS = "create:tasks",
+    UPDATE_TASKS = "update:tasks",
+    DELETE_TASKS = "delete:tasks",
+    READ_TEAMS = "read:teams",
+    CREATE_TEAMS = "create:teams",
+    UPDATE_TEAMS = "update:teams",
+    DELETE_TEAMS = "delete:teams",
+    MANAGE_TEAM_MEMBERS = "manage:team_members",
+    READ_REPORTS = "read:reports",
+    CREATE_REPORTS = "create:reports",
+    USE_AI = "use:ai",
+    READ_PLANS = "read:plans",
+    CREATE_PLANS = "create:plans",
+    UPDATE_PLANS = "update:plans",
+    DELETE_PLANS = "delete:plans",
+    MANAGE_INTEGRATIONS = "manage:integrations",
+    MANAGE_AUTOMATIONS = "manage:automations",
+    VIEW_ANALYTICS = "view:analytics"
+}
+declare const RolePermissions: Record<string, Permission[]>;
+interface VerifyOptions {
+    secret: string;
+    /** When true, expired tokens won't throw */
+    ignoreExpiration?: boolean;
+}
+/**
+ * Verify and decode a JWT token.
+ * @throws Error if token is invalid or expired
+ */
+declare function verifyToken(token: string, options: VerifyOptions): JwtPayload;
+/**
+ * Decode a JWT without verifying (useful for debugging).
+ */
+declare function decodeToken(token: string): JwtPayload | null;
+/**
+ * Extract Bearer token from Authorization header.
+ */
+declare function extractBearerToken(authHeader: string | undefined): string | null;
+/**
+ * Extract a token from a cookie header string.
+ */
+declare function extractCookieToken(cookieHeader: string | undefined, cookieName?: string): string | null;
+/**
+ * Check if a user has a specific permission based on their role.
+ */
+declare function hasPermission(role: string, permission: string, rolePermissions: Record<string, string[]>): boolean;
+/**
+ * Validate a service-to-service token.
+ */
+declare function validateServiceToken(token: string | undefined, expectedToken: string): boolean;
+/**
+ * Get the current FBToken for API requests.
+ * Call this on every request — it caches within the same 30-min window.
+ *
+ * @param secret - The shared FB_TOKEN_SECRET. If not provided,
+ *   reads from NEXT_PUBLIC_FB_TOKEN_SECRET or VITE_FB_TOKEN_SECRET.
+ * @returns The HMAC-SHA512 hex string to send in X-FB-Token header.
+ */
+declare function getFBToken(secret?: string): Promise<string>;
+/**
+ * Create an Axios/fetch interceptor that automatically adds X-FB-Token.
+ *
+ * Usage with fetch:
+ *   const headers = await createFBTokenHeaders();
+ *   fetch(url, { headers: { ...headers, ...otherHeaders } });
+ *
+ * Usage with Axios:
+ *   axios.interceptors.request.use(fbTokenAxiosInterceptor(secret));
+ */
+declare function createFBTokenHeaders(secret?: string): Promise<Record<string, string>>;
+/**
+ * Axios request interceptor factory.
+ */
+declare function fbTokenAxiosInterceptor(secret?: string): (config: any) => Promise<any>;
+declare const MSGPACK_MIME = "application/x-msgpack";
+interface ServiceClientConfig {
+    /** Shared service-to-service token (SERVICE_TO_SERVICE_TOKEN) */
+    serviceToken: string;
+    /** Default timeout in ms (default: 10000) */
+    timeout?: number;
+    /** Additional default headers */
+    headers?: Record<string, string>;
+}
+interface ServiceRequestOptions {
+    /** Override timeout for this request */
+    timeout?: number;
+    /** Additional headers for this request */
+    headers?: Record<string, string>;
+    /** Override user ID to forward downstream */
+    userId?: string;
+}
+interface ServiceResponse<T = any> {
+    data: T;
+    status: number;
+    headers: Record<string, string>;
+}
+declare class ServiceClient {
+    private config;
+    constructor(config: ServiceClientConfig);
+    get<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    post<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    put<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    patch<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    delete<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    private request;
+}
+declare class ServiceClientError extends Error {
+    readonly status: number;
+    readonly response: any;
+    constructor(message: string, status: number, response: any);
+}
+export { type AuthenticatedUser, type JwtPayload, type JwtTokens, MSGPACK_MIME, Permission, RolePermissions, ServiceClient, type ServiceClientConfig, ServiceClientError, type ServiceRequestOptions, type ServiceResponse, type VerifyOptions, createFBTokenHeaders, decodeToken, extractBearerToken, extractCookieToken, fbTokenAxiosInterceptor, getFBToken, hasPermission, validateServiceToken, verifyToken };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,132 @@
+export { MSGPACK_MIME, ServiceClient, ServiceClientError, decodeToken, extractBearerToken, extractCookieToken, hasPermission, validateServiceToken, verifyToken } from './chunk-M5JNBLJQ.js';
+// src/types.ts
+var Permission = /* @__PURE__ */ ((Permission2) => {
+  Permission2["READ_OWN_PROFILE"] = "read:own_profile";
+  Permission2["UPDATE_OWN_PROFILE"] = "update:own_profile";
+  Permission2["READ_USERS"] = "read:users";
+  Permission2["CREATE_USERS"] = "create:users";
+  Permission2["UPDATE_USERS"] = "update:users";
+  Permission2["DELETE_USERS"] = "delete:users";
+  Permission2["READ_PROJECTS"] = "read:projects";
+  Permission2["CREATE_PROJECTS"] = "create:projects";
+  Permission2["UPDATE_PROJECTS"] = "update:projects";
+  Permission2["DELETE_PROJECTS"] = "delete:projects";
+  Permission2["READ_TASKS"] = "read:tasks";
+  Permission2["CREATE_TASKS"] = "create:tasks";
+  Permission2["UPDATE_TASKS"] = "update:tasks";
+  Permission2["DELETE_TASKS"] = "delete:tasks";
+  Permission2["READ_TEAMS"] = "read:teams";
+  Permission2["CREATE_TEAMS"] = "create:teams";
+  Permission2["UPDATE_TEAMS"] = "update:teams";
+  Permission2["DELETE_TEAMS"] = "delete:teams";
+  Permission2["MANAGE_TEAM_MEMBERS"] = "manage:team_members";
+  Permission2["READ_REPORTS"] = "read:reports";
+  Permission2["CREATE_REPORTS"] = "create:reports";
+  Permission2["USE_AI"] = "use:ai";
+  Permission2["READ_PLANS"] = "read:plans";
+  Permission2["CREATE_PLANS"] = "create:plans";
+  Permission2["UPDATE_PLANS"] = "update:plans";
+  Permission2["DELETE_PLANS"] = "delete:plans";
+  Permission2["MANAGE_INTEGRATIONS"] = "manage:integrations";
+  Permission2["MANAGE_AUTOMATIONS"] = "manage:automations";
+  Permission2["VIEW_ANALYTICS"] = "view:analytics";
+  return Permission2;
+})(Permission || {});
+var RolePermissions = {
+  admin: [...Object.values(Permission)],
+  manager: [
+    "read:own_profile" /* READ_OWN_PROFILE */,
+    "update:own_profile" /* UPDATE_OWN_PROFILE */,
+    "read:projects" /* READ_PROJECTS */,
+    "create:projects" /* CREATE_PROJECTS */,
+    "update:projects" /* UPDATE_PROJECTS */,
+    "read:tasks" /* READ_TASKS */,
+    "create:tasks" /* CREATE_TASKS */,
+    "update:tasks" /* UPDATE_TASKS */,
+    "delete:tasks" /* DELETE_TASKS */,
+    "read:teams" /* READ_TEAMS */,
+    "create:teams" /* CREATE_TEAMS */,
+    "update:teams" /* UPDATE_TEAMS */,
+    "manage:team_members" /* MANAGE_TEAM_MEMBERS */,
+    "read:reports" /* READ_REPORTS */,
+    "create:reports" /* CREATE_REPORTS */,
+    "use:ai" /* USE_AI */,
+    "view:analytics" /* VIEW_ANALYTICS */
+  ],
+  user: [
+    "read:own_profile" /* READ_OWN_PROFILE */,
+    "update:own_profile" /* UPDATE_OWN_PROFILE */,
+    "read:projects" /* READ_PROJECTS */,
+    "create:projects" /* CREATE_PROJECTS */,
+    "update:projects" /* UPDATE_PROJECTS */,
+    "read:tasks" /* READ_TASKS */,
+    "create:tasks" /* CREATE_TASKS */,
+    "update:tasks" /* UPDATE_TASKS */,
+    "delete:tasks" /* DELETE_TASKS */,
+    "read:teams" /* READ_TEAMS */,
+    "create:teams" /* CREATE_TEAMS */,
+    "read:reports" /* READ_REPORTS */,
+    "use:ai" /* USE_AI */
+  ]
+};
+// src/fb-token.ts
+var WINDOW_MS = 30 * 60 * 1e3;
+var cachedToken = null;
+var cachedWindowIndex = -1;
+function getTimeWindowIndex() {
+  return Math.floor(Date.now() / WINDOW_MS);
+}
+async function hmacSHA512(secret, message) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const msgData = encoder.encode(message);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-512" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, msgData);
+  const bytes = new Uint8Array(signature);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function getFBToken(secret) {
+  const windowIndex = getTimeWindowIndex();
+  if (cachedToken && cachedWindowIndex === windowIndex) {
+    return cachedToken;
+  }
+  const resolvedSecret = secret || typeof process !== "undefined" && process.env?.NEXT_PUBLIC_FB_TOKEN_SECRET || typeof import.meta !== "undefined" && import.meta?.env?.VITE_FB_TOKEN_SECRET || "";
+  if (!resolvedSecret) {
+    console.warn("[FBToken] No FB_TOKEN_SECRET configured");
+    return "";
+  }
+  const token = await hmacSHA512(
+    resolvedSecret,
+    `organify-fb-v1:${windowIndex}`
+  );
+  cachedToken = token;
+  cachedWindowIndex = windowIndex;
+  return token;
+}
+async function createFBTokenHeaders(secret) {
+  const token = await getFBToken(secret);
+  if (!token) return {};
+  return { "X-FB-Token": token };
+}
+function fbTokenAxiosInterceptor(secret) {
+  return async (config) => {
+    const token = await getFBToken(secret);
+    if (token) {
+      config.headers = config.headers || {};
+      config.headers["X-FB-Token"] = token;
+    }
+    return config;
+  };
+}
+export { Permission, RolePermissions, createFBTokenHeaders, fbTokenAxiosInterceptor, getFBToken };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/types.ts","../src/fb-token.ts"],"names":["Permission"],"mappings":";;;AAiCO,IAAK,UAAA,qBAAAA,WAAAA,KAAL;AACL,EAAAA,YAAA,kBAAA,CAAA,GAAmB,kBAAA;AACnB,EAAAA,YAAA,oBAAA,CAAA,GAAqB,oBAAA;AACrB,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,YAAA,QAAA,CAAA,GAAS,QAAA;AACT,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,YAAA,oBAAA,CAAA,GAAqB,oBAAA;AACrB,EAAAA,YAAA,gBAAA,CAAA,GAAiB,gBAAA;AA7BP,EAAA,OAAAA,WAAAA;AAAA,CAAA,EAAA,UAAA,IAAA,EAAA;AAgCL,IAAM,eAAA,GAAgD;AAAA,EAC3D,OAAO,CAAC,GAAG,MAAA,CAAO,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EACpC,OAAA,EAAS;AAAA,IACP,kBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,qBAAA;AAAA,IACA,cAAA;AAAA,IACA,gBAAA;AAAA,IACA,QAAA;AAAA,IACA,gBAAA;AAAA,GACF;AAAA,EACA,IAAA,EAAM;AAAA,IACJ,kBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,QAAA;AAAA;AAEJ;;;AClFA,IAAM,SAAA,GAAY,KAAK,EAAA,GAAK,GAAA;AAG5B,IAAI,WAAA,GAA6B,IAAA;AACjC,IAAI,iBAAA,GAAoB,EAAA;AAKxB,SAAS,kBAAA,GAA6B;AACpC,EAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,SAAS,CAAA;AAC1C;AAKA,eAAe,UAAA,CAAW,QAAgB,OAAA,EAAkC;AAC1E,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AACrC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,OAAO,CAAA;AAEtC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAC9B,KAAA;AAAA,IACA,OAAA;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACT;AAEA,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,KAAK,OAAO,CAAA;AAC/D,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,SAAS,CAAA;AAGtC,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAUA,eAAsB,WAAW,MAAA,EAAkC;AACjE,EAAA,MAAM,cAAc,kBAAA,EAAmB;AAGvC,EAAA,IAAI,WAAA,IAAe,sBAAsB,WAAA,EAAa;AACpD,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,MAAM,cAAA,GACJ,MAAA,IACC,OAAO,OAAA,KAAY,WAAA,IAAgB,OAAA,CAAQ,GAAA,EAAa,2BAAA,IACxD,OAAO,MAAA,CAAA,IAAA,KAAgB,WAAA,IAAgB,MAAA,CAAA,IAAA,EAAqB,KAAK,oBAAA,IAClE,EAAA;AAEF,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAA,CAAQ,KAAK,yCAAyC,CAAA;AACtD,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,QAAQ,MAAM,UAAA;AAAA,IAClB,cAAA;AAAA,IACA,kBAAkB,WAAW,CAAA;AAAA,GAC/B;AAEA,EAAA,WAAA,GAAc,KAAA;AACd,EAAA,iBAAA,GAAoB,WAAA;AAEpB,EAAA,OAAO,KAAA;AACT;AAYA,eAAsB,qBAAqB,MAAA,EAAkD;AAC3F,EAAA,MAAM,KAAA,GAAQ,MAAM,UAAA,CAAW,MAAM,CAAA;AACrC,EAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,EAAA,OAAO,EAAE,cAAc,KAAA,EAAM;AAC/B;AAKO,SAAS,wBAAwB,MAAA,EAAiB;AACvD,EAAA,OAAO,OAAO,MAAA,KAAgB;AAC5B,IAAA,MAAM,KAAA,GAAQ,MAAM,UAAA,CAAW,MAAM,CAAA;AACrC,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAA,CAAO,OAAA,GAAU,MAAA,CAAO,OAAA,IAAW,EAAC;AACpC,MAAA,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,GAAI,KAAA;AAAA,IACjC;AACA,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF","file":"index.js","sourcesContent":["// ─────────────────────────────────────────────\n// @organify/auth-sdk — Shared Auth Types\n// ─────────────────────────────────────────────\n\nexport interface JwtPayload {\n /** User ID (subject) */\n sub: number;\n email: string;\n name: string;\n role: 'admin' | 'user' | 'manager';\n plan: string;\n teamIds: number[];\n /** Token type — only present on refresh tokens */\n tokenType?: 'refresh';\n iat?: number;\n exp?: number;\n}\n\nexport interface AuthenticatedUser {\n userId: number;\n email: string;\n name: string;\n role: string;\n plan: string;\n}\n\nexport interface JwtTokens {\n accessToken: string;\n refreshToken: string;\n}\n\n// ─── Permissions ────────────────────────────\n\nexport enum Permission {\n READ_OWN_PROFILE = 'read:own_profile',\n UPDATE_OWN_PROFILE = 'update:own_profile',\n READ_USERS = 'read:users',\n CREATE_USERS = 'create:users',\n UPDATE_USERS = 'update:users',\n DELETE_USERS = 'delete:users',\n READ_PROJECTS = 'read:projects',\n CREATE_PROJECTS = 'create:projects',\n UPDATE_PROJECTS = 'update:projects',\n DELETE_PROJECTS = 'delete:projects',\n READ_TASKS = 'read:tasks',\n CREATE_TASKS = 'create:tasks',\n UPDATE_TASKS = 'update:tasks',\n DELETE_TASKS = 'delete:tasks',\n READ_TEAMS = 'read:teams',\n CREATE_TEAMS = 'create:teams',\n UPDATE_TEAMS = 'update:teams',\n DELETE_TEAMS = 'delete:teams',\n MANAGE_TEAM_MEMBERS = 'manage:team_members',\n READ_REPORTS = 'read:reports',\n CREATE_REPORTS = 'create:reports',\n USE_AI = 'use:ai',\n READ_PLANS = 'read:plans',\n CREATE_PLANS = 'create:plans',\n UPDATE_PLANS = 'update:plans',\n DELETE_PLANS = 'delete:plans',\n MANAGE_INTEGRATIONS = 'manage:integrations',\n MANAGE_AUTOMATIONS = 'manage:automations',\n VIEW_ANALYTICS = 'view:analytics',\n}\n\nexport const RolePermissions: Record<string, Permission[]> = {\n admin: [...Object.values(Permission)],\n manager: [\n Permission.READ_OWN_PROFILE,\n Permission.UPDATE_OWN_PROFILE,\n Permission.READ_PROJECTS,\n Permission.CREATE_PROJECTS,\n Permission.UPDATE_PROJECTS,\n Permission.READ_TASKS,\n Permission.CREATE_TASKS,\n Permission.UPDATE_TASKS,\n Permission.DELETE_TASKS,\n Permission.READ_TEAMS,\n Permission.CREATE_TEAMS,\n Permission.UPDATE_TEAMS,\n Permission.MANAGE_TEAM_MEMBERS,\n Permission.READ_REPORTS,\n Permission.CREATE_REPORTS,\n Permission.USE_AI,\n Permission.VIEW_ANALYTICS,\n ],\n user: [\n Permission.READ_OWN_PROFILE,\n Permission.UPDATE_OWN_PROFILE,\n Permission.READ_PROJECTS,\n Permission.CREATE_PROJECTS,\n Permission.UPDATE_PROJECTS,\n Permission.READ_TASKS,\n Permission.CREATE_TASKS,\n Permission.UPDATE_TASKS,\n Permission.DELETE_TASKS,\n Permission.READ_TEAMS,\n Permission.CREATE_TEAMS,\n Permission.READ_REPORTS,\n Permission.USE_AI,\n ],\n};\n","// ─────────────────────────────────────────────\n// FBToken Client — Front-to-Back Token for API Requests\n// ─────────────────────────────────────────────\n// Computes HMAC-SHA512(secret, timeWindow) matching the gateway.\n// Every 30 minutes the token rotates.\n//\n// Usage in frontend:\n// import { getFBToken } from '@organify/auth-sdk/fb-token';\n// headers['X-FB-Token'] = getFBToken();\n//\n// Usage in Web Components:\n// Same import, same usage.\n//\n// The secret comes from an environment variable:\n// NEXT_PUBLIC_FB_TOKEN_SECRET (Next.js)\n// VITE_FB_TOKEN_SECRET (Vite)\n// ─────────────────────────────────────────────\n\n/** Duration of each time window in milliseconds (30 minutes) */\nconst WINDOW_MS = 30 * 60 * 1000;\n\n/** Cache: avoid recomputing on every request within same window */\nlet cachedToken: string | null = null;\nlet cachedWindowIndex = -1;\n\n/**\n * Compute the current time-window index (epoch / 30min).\n */\nfunction getTimeWindowIndex(): number {\n return Math.floor(Date.now() / WINDOW_MS);\n}\n\n/**\n * HMAC-SHA512 using Web Crypto API (works in browser + Edge + Node 18+).\n */\nasync function hmacSHA512(secret: string, message: string): Promise<string> {\n const encoder = new TextEncoder();\n const keyData = encoder.encode(secret);\n const msgData = encoder.encode(message);\n\n const key = await crypto.subtle.importKey(\n 'raw',\n keyData,\n { name: 'HMAC', hash: 'SHA-512' },\n false,\n ['sign'],\n );\n\n const signature = await crypto.subtle.sign('HMAC', key, msgData);\n const bytes = new Uint8Array(signature);\n\n // Convert to hex\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('');\n}\n\n/**\n * Get the current FBToken for API requests.\n * Call this on every request — it caches within the same 30-min window.\n *\n * @param secret - The shared FB_TOKEN_SECRET. If not provided,\n * reads from NEXT_PUBLIC_FB_TOKEN_SECRET or VITE_FB_TOKEN_SECRET.\n * @returns The HMAC-SHA512 hex string to send in X-FB-Token header.\n */\nexport async function getFBToken(secret?: string): Promise<string> {\n const windowIndex = getTimeWindowIndex();\n\n // Return cached token if still in same window\n if (cachedToken && cachedWindowIndex === windowIndex) {\n return cachedToken;\n }\n\n const resolvedSecret =\n secret ||\n (typeof process !== 'undefined' && (process.env as any)?.NEXT_PUBLIC_FB_TOKEN_SECRET) ||\n (typeof import.meta !== 'undefined' && (import.meta as any)?.env?.VITE_FB_TOKEN_SECRET) ||\n '';\n\n if (!resolvedSecret) {\n console.warn('[FBToken] No FB_TOKEN_SECRET configured');\n return '';\n }\n\n const token = await hmacSHA512(\n resolvedSecret,\n `organify-fb-v1:${windowIndex}`,\n );\n\n cachedToken = token;\n cachedWindowIndex = windowIndex;\n\n return token;\n}\n\n/**\n * Create an Axios/fetch interceptor that automatically adds X-FB-Token.\n *\n * Usage with fetch:\n * const headers = await createFBTokenHeaders();\n * fetch(url, { headers: { ...headers, ...otherHeaders } });\n *\n * Usage with Axios:\n * axios.interceptors.request.use(fbTokenAxiosInterceptor(secret));\n */\nexport async function createFBTokenHeaders(secret?: string): Promise<Record<string, string>> {\n const token = await getFBToken(secret);\n if (!token) return {};\n return { 'X-FB-Token': token };\n}\n\n/**\n * Axios request interceptor factory.\n */\nexport function fbTokenAxiosInterceptor(secret?: string) {\n return async (config: any) => {\n const token = await getFBToken(secret);\n if (token) {\n config.headers = config.headers || {};\n config.headers['X-FB-Token'] = token;\n }\n return config;\n };\n}\n"]}

package/dist/nestjs/index.d.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import * as _nestjs_common from '@nestjs/common';
+import { CanActivate, ExecutionContext, NestInterceptor, CallHandler, DynamicModule } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ConfigService } from '@nestjs/config';
+import { Observable } from 'rxjs';
+/**
+ * Reusable JWT Auth Guard for any NestJS microservice.
+ * Validates JWT from Authorization header or auth_token cookie.
+ * Skips routes marked with @Public().
+ *
+ * Requires JWT_SECRET in ConfigService.
+ */
+declare class AuthGuard implements CanActivate {
+    private reflector;
+    private config;
+    constructor(reflector: Reflector, config: ConfigService);
+    canActivate(context: ExecutionContext): boolean;
+}
+/**
+ * Guard for service-to-service authentication.
+ * Validates x-service-token / x-access-token header against
+ * SERVICE_TO_SERVICE_TOKEN env var.
+ */
+declare class ServiceAuthGuard implements CanActivate {
+    private config;
+    constructor(config: ConfigService);
+    canActivate(context: ExecutionContext): boolean;
+}
+/**
+ * Reusable Roles Guard for any NestJS microservice.
+ * Checks request.user.role against @Roles() decorator.
+ */
+declare class RolesGuard implements CanActivate {
+    private reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+/**
+ * Extract the authenticated user from request.
+ * Usage: @CurrentUser() user: AuthenticatedUser
+ */
+declare const CurrentUser: (...dataOrPipes: unknown[]) => ParameterDecorator;
+/**
+ * Extract the user ID from request headers.
+ * The API Gateway sets `x-user-id` after JWT decode.
+ *
+ * Usage (REST):  @CurrentUserId() userId: string
+ * Usage (GQL):   @CurrentUserId() userId: string
+ */
+declare const CurrentUserId: (...dataOrPipes: unknown[]) => ParameterDecorator;
+declare const IS_PUBLIC_KEY = "isPublic";
+declare const Public: () => _nestjs_common.CustomDecorator<string>;
+declare const ROLES_KEY = "roles";
+declare const Roles: (...roles: string[]) => _nestjs_common.CustomDecorator<string>;
+interface SecurityContext {
+    ipAddress: string;
+    userAgent: string;
+}
+/**
+ * Extract IP + User-Agent from the request as SecurityContext.
+ * Usage: @SecurityCtx() ctx: SecurityContext
+ */
+declare const SecurityCtx: (...dataOrPipes: unknown[]) => ParameterDecorator;
+/**
+ * Interceptor that ALWAYS responds with MessagePack.
+ * Designed for internal/service-to-service endpoints where
+ * both sides speak MessagePack via ServiceClient.
+ */
+declare class InternalMsgPackInterceptor implements NestInterceptor {
+    intercept(context: ExecutionContext, next: CallHandler): Observable<any>;
+}
+/**
+ * Decorator shorthand — applies InternalMsgPackInterceptor.
+ *
+ * Usage:
+ *   @Controller('internal')
+ *   @UseMsgPack()
+ *   @UseGuards(ServiceAuthGuard)
+ *   export class InternalController { ... }
+ */
+declare function UseMsgPack(): ClassDecorator & MethodDecorator;
+declare const SERVICE_CLIENT = "SERVICE_CLIENT";
+interface ServiceClientModuleOptions {
+    /** Override the service token (default: reads SERVICE_TO_SERVICE_TOKEN from env) */
+    serviceToken?: string;
+    /** Default timeout in ms (default: 10000) */
+    timeout?: number;
+}
+declare class ServiceClientModule {
+    /**
+     * Register with default config (reads SERVICE_TO_SERVICE_TOKEN from env).
+     */
+    static register(options?: ServiceClientModuleOptions): DynamicModule;
+}
+export { AuthGuard, CurrentUser, CurrentUserId, IS_PUBLIC_KEY, InternalMsgPackInterceptor, Public, ROLES_KEY, Roles, RolesGuard, SERVICE_CLIENT, type SecurityContext, SecurityCtx, ServiceAuthGuard, ServiceClientModule, type ServiceClientModuleOptions, UseMsgPack };