npm - organify-auth-sdk - Versions diffs - 0.2.1 → 0.2.2 - Mend

organify-auth-sdk 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,271 @@
+'use strict';
+var jwt = require('jsonwebtoken');
+var msgpack = require('@msgpack/msgpack');
+var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+var jwt__default = /*#__PURE__*/_interopDefault(jwt);
+// src/types.ts
+var Permission = /* @__PURE__ */ ((Permission2) => {
+  Permission2["READ_OWN_PROFILE"] = "read:own_profile";
+  Permission2["UPDATE_OWN_PROFILE"] = "update:own_profile";
+  Permission2["READ_USERS"] = "read:users";
+  Permission2["CREATE_USERS"] = "create:users";
+  Permission2["UPDATE_USERS"] = "update:users";
+  Permission2["DELETE_USERS"] = "delete:users";
+  Permission2["READ_PROJECTS"] = "read:projects";
+  Permission2["CREATE_PROJECTS"] = "create:projects";
+  Permission2["UPDATE_PROJECTS"] = "update:projects";
+  Permission2["DELETE_PROJECTS"] = "delete:projects";
+  Permission2["READ_TASKS"] = "read:tasks";
+  Permission2["CREATE_TASKS"] = "create:tasks";
+  Permission2["UPDATE_TASKS"] = "update:tasks";
+  Permission2["DELETE_TASKS"] = "delete:tasks";
+  Permission2["READ_TEAMS"] = "read:teams";
+  Permission2["CREATE_TEAMS"] = "create:teams";
+  Permission2["UPDATE_TEAMS"] = "update:teams";
+  Permission2["DELETE_TEAMS"] = "delete:teams";
+  Permission2["MANAGE_TEAM_MEMBERS"] = "manage:team_members";
+  Permission2["READ_REPORTS"] = "read:reports";
+  Permission2["CREATE_REPORTS"] = "create:reports";
+  Permission2["USE_AI"] = "use:ai";
+  Permission2["READ_PLANS"] = "read:plans";
+  Permission2["CREATE_PLANS"] = "create:plans";
+  Permission2["UPDATE_PLANS"] = "update:plans";
+  Permission2["DELETE_PLANS"] = "delete:plans";
+  Permission2["MANAGE_INTEGRATIONS"] = "manage:integrations";
+  Permission2["MANAGE_AUTOMATIONS"] = "manage:automations";
+  Permission2["VIEW_ANALYTICS"] = "view:analytics";
+  return Permission2;
+})(Permission || {});
+var RolePermissions = {
+  admin: [...Object.values(Permission)],
+  manager: [
+    "read:own_profile" /* READ_OWN_PROFILE */,
+    "update:own_profile" /* UPDATE_OWN_PROFILE */,
+    "read:projects" /* READ_PROJECTS */,
+    "create:projects" /* CREATE_PROJECTS */,
+    "update:projects" /* UPDATE_PROJECTS */,
+    "read:tasks" /* READ_TASKS */,
+    "create:tasks" /* CREATE_TASKS */,
+    "update:tasks" /* UPDATE_TASKS */,
+    "delete:tasks" /* DELETE_TASKS */,
+    "read:teams" /* READ_TEAMS */,
+    "create:teams" /* CREATE_TEAMS */,
+    "update:teams" /* UPDATE_TEAMS */,
+    "manage:team_members" /* MANAGE_TEAM_MEMBERS */,
+    "read:reports" /* READ_REPORTS */,
+    "create:reports" /* CREATE_REPORTS */,
+    "use:ai" /* USE_AI */,
+    "view:analytics" /* VIEW_ANALYTICS */
+  ],
+  user: [
+    "read:own_profile" /* READ_OWN_PROFILE */,
+    "update:own_profile" /* UPDATE_OWN_PROFILE */,
+    "read:projects" /* READ_PROJECTS */,
+    "create:projects" /* CREATE_PROJECTS */,
+    "update:projects" /* UPDATE_PROJECTS */,
+    "read:tasks" /* READ_TASKS */,
+    "create:tasks" /* CREATE_TASKS */,
+    "update:tasks" /* UPDATE_TASKS */,
+    "delete:tasks" /* DELETE_TASKS */,
+    "read:teams" /* READ_TEAMS */,
+    "create:teams" /* CREATE_TEAMS */,
+    "read:reports" /* READ_REPORTS */,
+    "use:ai" /* USE_AI */
+  ]
+};
+function verifyToken(token, options) {
+  return jwt__default.default.verify(token, options.secret, {
+    ignoreExpiration: options.ignoreExpiration
+  });
+}
+function decodeToken(token) {
+  return jwt__default.default.decode(token);
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader?.startsWith("Bearer ")) return null;
+  return authHeader.substring(7);
+}
+function extractCookieToken(cookieHeader, cookieName = "auth_token") {
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(";").map((s) => s.trim()).find((s) => s.startsWith(`${cookieName}=`));
+  if (!match) return null;
+  return decodeURIComponent(match.split("=")[1]);
+}
+function hasPermission(role, permission, rolePermissions) {
+  const perms = rolePermissions[role];
+  if (!perms) return false;
+  return perms.includes(permission);
+}
+function validateServiceToken(token, expectedToken) {
+  if (!token) return false;
+  return token === expectedToken;
+}
+// src/fb-token.ts
+var WINDOW_MS = 30 * 60 * 1e3;
+var cachedToken = null;
+var cachedWindowIndex = -1;
+function getTimeWindowIndex() {
+  return Math.floor(Date.now() / WINDOW_MS);
+}
+async function hmacSHA512(secret, message) {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const msgData = encoder.encode(message);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-512" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", key, msgData);
+  const bytes = new Uint8Array(signature);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function getFBToken(secret) {
+  const windowIndex = getTimeWindowIndex();
+  if (cachedToken && cachedWindowIndex === windowIndex) {
+    return cachedToken;
+  }
+  const resolvedSecret = secret || typeof process !== "undefined" && process.env?.NEXT_PUBLIC_FB_TOKEN_SECRET || typeof ({ url: (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)) }) !== "undefined" && undefined?.VITE_FB_TOKEN_SECRET || "";
+  if (!resolvedSecret) {
+    console.warn("[FBToken] No FB_TOKEN_SECRET configured");
+    return "";
+  }
+  const token = await hmacSHA512(
+    resolvedSecret,
+    `organify-fb-v1:${windowIndex}`
+  );
+  cachedToken = token;
+  cachedWindowIndex = windowIndex;
+  return token;
+}
+async function createFBTokenHeaders(secret) {
+  const token = await getFBToken(secret);
+  if (!token) return {};
+  return { "X-FB-Token": token };
+}
+function fbTokenAxiosInterceptor(secret) {
+  return async (config) => {
+    const token = await getFBToken(secret);
+    if (token) {
+      config.headers = config.headers || {};
+      config.headers["X-FB-Token"] = token;
+    }
+    return config;
+  };
+}
+var MSGPACK_MIME = "application/x-msgpack";
+var ServiceClient = class {
+  config;
+  constructor(config) {
+    this.config = {
+      serviceToken: config.serviceToken,
+      timeout: config.timeout ?? 1e4,
+      headers: config.headers ?? {}
+    };
+  }
+  // ─── HTTP Methods ─────────────────────────
+  async get(url, opts) {
+    return this.request("GET", url, void 0, opts);
+  }
+  async post(url, body, opts) {
+    return this.request("POST", url, body, opts);
+  }
+  async put(url, body, opts) {
+    return this.request("PUT", url, body, opts);
+  }
+  async patch(url, body, opts) {
+    return this.request("PATCH", url, body, opts);
+  }
+  async delete(url, opts) {
+    return this.request("DELETE", url, void 0, opts);
+  }
+  // ─── Core Request ─────────────────────────
+  async request(method, url, body, opts) {
+    const timeout = opts?.timeout ?? this.config.timeout;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    try {
+      const headers = {
+        // Always use MessagePack for internal communication
+        "Accept": MSGPACK_MIME,
+        "X-Service-Token": this.config.serviceToken,
+        ...this.config.headers,
+        ...opts?.headers
+      };
+      if (opts?.userId) {
+        headers["x-user-id"] = opts.userId;
+      }
+      const fetchOpts = {
+        method,
+        headers,
+        signal: controller.signal
+      };
+      if (body !== void 0 && body !== null) {
+        const packed = msgpack.encode(body);
+        fetchOpts.body = Buffer.from(packed.buffer, packed.byteOffset, packed.byteLength);
+        headers["Content-Type"] = MSGPACK_MIME;
+      }
+      const response = await fetch(url, fetchOpts);
+      const contentType = response.headers.get("content-type") || "";
+      let data;
+      if (/msgpack/i.test(contentType)) {
+        const buffer = await response.arrayBuffer();
+        data = msgpack.decode(new Uint8Array(buffer));
+      } else {
+        const text = await response.text();
+        try {
+          data = JSON.parse(text);
+        } catch {
+          data = text;
+        }
+      }
+      const responseHeaders = {};
+      response.headers.forEach((value, key) => {
+        responseHeaders[key] = value;
+      });
+      if (!response.ok) {
+        throw new ServiceClientError(
+          `Service request failed: ${method} ${url} \u2192 ${response.status}`,
+          response.status,
+          data
+        );
+      }
+      return { data, status: response.status, headers: responseHeaders };
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+};
+var ServiceClientError = class extends Error {
+  constructor(message, status, response) {
+    super(message);
+    this.status = status;
+    this.response = response;
+    this.name = "ServiceClientError";
+  }
+};
+exports.MSGPACK_MIME = MSGPACK_MIME;
+exports.Permission = Permission;
+exports.RolePermissions = RolePermissions;
+exports.ServiceClient = ServiceClient;
+exports.ServiceClientError = ServiceClientError;
+exports.createFBTokenHeaders = createFBTokenHeaders;
+exports.decodeToken = decodeToken;
+exports.extractBearerToken = extractBearerToken;
+exports.extractCookieToken = extractCookieToken;
+exports.fbTokenAxiosInterceptor = fbTokenAxiosInterceptor;
+exports.getFBToken = getFBToken;
+exports.hasPermission = hasPermission;
+exports.validateServiceToken = validateServiceToken;
+exports.verifyToken = verifyToken;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/types.ts","../src/jwt.ts","../src/fb-token.ts","../src/service-client.ts"],"names":["Permission","jwt","encode","decode"],"mappings":";;;;;;;;;;;AAiCO,IAAK,UAAA,qBAAAA,WAAAA,KAAL;AACL,EAAAA,YAAA,kBAAA,CAAA,GAAmB,kBAAA;AACnB,EAAAA,YAAA,oBAAA,CAAA,GAAqB,oBAAA;AACrB,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,YAAA,QAAA,CAAA,GAAS,QAAA;AACT,EAAAA,YAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,YAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,YAAA,oBAAA,CAAA,GAAqB,oBAAA;AACrB,EAAAA,YAAA,gBAAA,CAAA,GAAiB,gBAAA;AA7BP,EAAA,OAAAA,WAAAA;AAAA,CAAA,EAAA,UAAA,IAAA,EAAA;AAgCL,IAAM,eAAA,GAAgD;AAAA,EAC3D,OAAO,CAAC,GAAG,MAAA,CAAO,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EACpC,OAAA,EAAS;AAAA,IACP,kBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,qBAAA;AAAA,IACA,cAAA;AAAA,IACA,gBAAA;AAAA,IACA,QAAA;AAAA,IACA,gBAAA;AAAA,GACF;AAAA,EACA,IAAA,EAAM;AAAA,IACJ,kBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,QAAA;AAAA;AAEJ;ACpFO,SAAS,WAAA,CACd,OACA,OAAA,EACoB;AACpB,EAAA,OAAOC,oBAAA,CAAI,MAAA,CAAO,KAAA,EAAO,OAAA,CAAQ,MAAA,EAAQ;AAAA,IACvC,kBAAkB,OAAA,CAAQ;AAAA,GAC3B,CAAA;AACH;AAKO,SAAS,YAAY,KAAA,EAA0C;AACpE,EAAA,OAAOA,oBAAA,CAAI,OAAO,KAAK,CAAA;AACzB;AAKO,SAAS,mBACd,UAAA,EACe;AACf,EAAA,IAAI,CAAC,UAAA,EAAY,UAAA,CAAW,SAAS,GAAG,OAAO,IAAA;AAC/C,EAAA,OAAO,UAAA,CAAW,UAAU,CAAC,CAAA;AAC/B;AAKO,SAAS,kBAAA,CACd,YAAA,EACA,UAAA,GAAa,YAAA,EACE;AACf,EAAA,IAAI,CAAC,cAAc,OAAO,IAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,aACX,KAAA,CAAM,GAAG,EACT,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,IAAA,EAAM,CAAA,CACnB,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,CAAA,EAAG,UAAU,GAAG,CAAC,CAAA;AAC7C,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,OAAO,mBAAmB,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAC/C;AAKO,SAAS,aAAA,CACd,IAAA,EACA,UAAA,EACA,eAAA,EACS;AACT,EAAA,MAAM,KAAA,GAAQ,gBAAgB,IAAI,CAAA;AAClC,EAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AACnB,EAAA,OAAO,KAAA,CAAM,SAAS,UAAU,CAAA;AAClC;AAKO,SAAS,oBAAA,CACd,OACA,aAAA,EACS;AACT,EAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AACnB,EAAA,OAAO,KAAA,KAAU,aAAA;AACnB;;;AC9DA,IAAM,SAAA,GAAY,KAAK,EAAA,GAAK,GAAA;AAG5B,IAAI,WAAA,GAA6B,IAAA;AACjC,IAAI,iBAAA,GAAoB,EAAA;AAKxB,SAAS,kBAAA,GAA6B;AACpC,EAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,SAAS,CAAA;AAC1C;AAKA,eAAe,UAAA,CAAW,QAAgB,OAAA,EAAkC;AAC1E,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AACrC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,OAAO,CAAA;AAEtC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAC9B,KAAA;AAAA,IACA,OAAA;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACT;AAEA,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,KAAK,OAAO,CAAA;AAC/D,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,SAAS,CAAA;AAGtC,EAAA,OAAO,MAAM,IAAA,CAAK,KAAK,CAAA,CACpB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAA,CAAS,EAAE,EAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAC1C,KAAK,EAAE,CAAA;AACZ;AAUA,eAAsB,WAAW,MAAA,EAAkC;AACjE,EAAA,MAAM,cAAc,kBAAA,EAAmB;AAGvC,EAAA,IAAI,WAAA,IAAe,sBAAsB,WAAA,EAAa;AACpD,IAAA,OAAO,WAAA;AAAA,EACT;AAEA,EAAA,MAAM,cAAA,GACJ,MAAA,IACC,OAAO,OAAA,KAAY,WAAA,IAAgB,OAAA,CAAQ,GAAA,EAAa,2BAAA,IACxD,OAAO,sQAAA,KAAgB,WAAA,IAAgB,WAA0B,oBAAA,IAClE,EAAA;AAEF,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,OAAA,CAAQ,KAAK,yCAAyC,CAAA;AACtD,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,QAAQ,MAAM,UAAA;AAAA,IAClB,cAAA;AAAA,IACA,kBAAkB,WAAW,CAAA;AAAA,GAC/B;AAEA,EAAA,WAAA,GAAc,KAAA;AACd,EAAA,iBAAA,GAAoB,WAAA;AAEpB,EAAA,OAAO,KAAA;AACT;AAYA,eAAsB,qBAAqB,MAAA,EAAkD;AAC3F,EAAA,MAAM,KAAA,GAAQ,MAAM,UAAA,CAAW,MAAM,CAAA;AACrC,EAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAC;AACpB,EAAA,OAAO,EAAE,cAAc,KAAA,EAAM;AAC/B;AAKO,SAAS,wBAAwB,MAAA,EAAiB;AACvD,EAAA,OAAO,OAAO,MAAA,KAAgB;AAC5B,IAAA,MAAM,KAAA,GAAQ,MAAM,UAAA,CAAW,MAAM,CAAA;AACrC,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAA,CAAO,OAAA,GAAU,MAAA,CAAO,OAAA,IAAW,EAAC;AACpC,MAAA,MAAA,CAAO,OAAA,CAAQ,YAAY,CAAA,GAAI,KAAA;AAAA,IACjC;AACA,IAAA,OAAO,MAAA;AAAA,EACT,CAAA;AACF;ACrGO,IAAM,YAAA,GAAe;AA0BrB,IAAM,gBAAN,MAAoB;AAAA,EACjB,MAAA;AAAA,EAIR,YAAY,MAAA,EAA6B;AACvC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,cAAc,MAAA,CAAO,YAAA;AAAA,MACrB,OAAA,EAAS,OAAO,OAAA,IAAW,GAAA;AAAA,MAC3B,OAAA,EAAS,MAAA,CAAO,OAAA,IAAW;AAAC,KAC9B;AAAA,EACF;AAAA;AAAA,EAIA,MAAM,GAAA,CAAa,GAAA,EAAa,IAAA,EAA2D;AACzF,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,KAAA,EAAO,GAAA,EAAK,QAAW,IAAI,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,IAAA,CAAc,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACtG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,MAAA,EAAQ,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EAChD;AAAA,EAEA,MAAM,GAAA,CAAa,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACrG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,KAAA,EAAO,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,KAAA,CAAe,GAAA,EAAa,IAAA,EAAY,IAAA,EAA2D;AACvG,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,OAAA,EAAS,GAAA,EAAK,MAAM,IAAI,CAAA;AAAA,EACjD;AAAA,EAEA,MAAM,MAAA,CAAgB,GAAA,EAAa,IAAA,EAA2D;AAC5F,IAAA,OAAO,IAAA,CAAK,OAAA,CAAW,QAAA,EAAU,GAAA,EAAK,QAAW,IAAI,CAAA;AAAA,EACvD;AAAA;AAAA,EAIA,MAAc,OAAA,CACZ,MAAA,EACA,GAAA,EACA,MACA,IAAA,EAC6B;AAC7B,IAAA,MAAM,OAAA,GAAU,IAAA,EAAM,OAAA,IAAW,IAAA,CAAK,MAAA,CAAO,OAAA;AAC7C,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE1D,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAkC;AAAA;AAAA,QAEtC,QAAA,EAAU,YAAA;AAAA,QACV,iBAAA,EAAmB,KAAK,MAAA,CAAO,YAAA;AAAA,QAC/B,GAAG,KAAK,MAAA,CAAO,OAAA;AAAA,QACf,GAAG,IAAA,EAAM;AAAA,OACX;AAGA,MAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,QAAA,OAAA,CAAQ,WAAW,IAAI,IAAA,CAAK,MAAA;AAAA,MAC9B;AAEA,MAAA,MAAM,SAAA,GAAyB;AAAA,QAC7B,MAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAQ,UAAA,CAAW;AAAA,OACrB;AAGA,MAAA,IAAI,IAAA,KAAS,KAAA,CAAA,IAAa,IAAA,KAAS,IAAA,EAAM;AACvC,QAAA,MAAM,MAAA,GAASC,eAAO,IAAI,CAAA;AAC1B,QAAA,SAAA,CAAU,IAAA,GAAO,OAAO,IAAA,CAAK,MAAA,CAAO,QAAQ,MAAA,CAAO,UAAA,EAAY,OAAO,UAAU,CAAA;AAChF,QAAA,OAAA,CAAQ,cAAc,CAAA,GAAI,YAAA;AAAA,MAC5B;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK,SAAS,CAAA;AAG3C,MAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,EAAA;AAC5D,MAAA,IAAI,IAAA;AAEJ,MAAA,IAAI,UAAA,CAAW,IAAA,CAAK,WAAW,CAAA,EAAG;AAChC,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,WAAA,EAAY;AAC1C,QAAA,IAAA,GAAOC,cAAA,CAAO,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AAAA,MACtC,CAAA,MAAO;AAEL,QAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,QAAA,IAAI;AACF,UAAA,IAAA,GAAO,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,QACxB,CAAA,CAAA,MAAQ;AACN,UAAA,IAAA,GAAO,IAAA;AAAA,QACT;AAAA,MACF;AAGA,MAAA,MAAM,kBAA0C,EAAC;AACjD,MAAA,QAAA,CAAS,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACvC,QAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,KAAA;AAAA,MACzB,CAAC,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,kBAAA;AAAA,UACR,2BAA2B,MAAM,CAAA,CAAA,EAAI,GAAG,CAAA,QAAA,EAAM,SAAS,MAAM,CAAA,CAAA;AAAA,UAC7D,QAAA,CAAS,MAAA;AAAA,UACT;AAAA,SACF;AAAA,MACF;AAEA,MAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,QAAA,CAAS,MAAA,EAAQ,SAAS,eAAA,EAAgB;AAAA,IACnE,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF;AACF;AAIO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EAC5C,WAAA,CACE,OAAA,EACgB,MAAA,EACA,QAAA,EAChB;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAHG,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AAAA,EACd;AACF","file":"index.cjs","sourcesContent":["// ─────────────────────────────────────────────\n// @organify/auth-sdk — Shared Auth Types\n// ─────────────────────────────────────────────\n\nexport interface JwtPayload {\n /** User ID (subject) */\n sub: number;\n email: string;\n name: string;\n role: 'admin' | 'user' | 'manager';\n plan: string;\n teamIds: number[];\n /** Token type — only present on refresh tokens */\n tokenType?: 'refresh';\n iat?: number;\n exp?: number;\n}\n\nexport interface AuthenticatedUser {\n userId: number;\n email: string;\n name: string;\n role: string;\n plan: string;\n}\n\nexport interface JwtTokens {\n accessToken: string;\n refreshToken: string;\n}\n\n// ─── Permissions ────────────────────────────\n\nexport enum Permission {\n READ_OWN_PROFILE = 'read:own_profile',\n UPDATE_OWN_PROFILE = 'update:own_profile',\n READ_USERS = 'read:users',\n CREATE_USERS = 'create:users',\n UPDATE_USERS = 'update:users',\n DELETE_USERS = 'delete:users',\n READ_PROJECTS = 'read:projects',\n CREATE_PROJECTS = 'create:projects',\n UPDATE_PROJECTS = 'update:projects',\n DELETE_PROJECTS = 'delete:projects',\n READ_TASKS = 'read:tasks',\n CREATE_TASKS = 'create:tasks',\n UPDATE_TASKS = 'update:tasks',\n DELETE_TASKS = 'delete:tasks',\n READ_TEAMS = 'read:teams',\n CREATE_TEAMS = 'create:teams',\n UPDATE_TEAMS = 'update:teams',\n DELETE_TEAMS = 'delete:teams',\n MANAGE_TEAM_MEMBERS = 'manage:team_members',\n READ_REPORTS = 'read:reports',\n CREATE_REPORTS = 'create:reports',\n USE_AI = 'use:ai',\n READ_PLANS = 'read:plans',\n CREATE_PLANS = 'create:plans',\n UPDATE_PLANS = 'update:plans',\n DELETE_PLANS = 'delete:plans',\n MANAGE_INTEGRATIONS = 'manage:integrations',\n MANAGE_AUTOMATIONS = 'manage:automations',\n VIEW_ANALYTICS = 'view:analytics',\n}\n\nexport const RolePermissions: Record<string, Permission[]> = {\n admin: [...Object.values(Permission)],\n manager: [\n Permission.READ_OWN_PROFILE,\n Permission.UPDATE_OWN_PROFILE,\n Permission.READ_PROJECTS,\n Permission.CREATE_PROJECTS,\n Permission.UPDATE_PROJECTS,\n Permission.READ_TASKS,\n Permission.CREATE_TASKS,\n Permission.UPDATE_TASKS,\n Permission.DELETE_TASKS,\n Permission.READ_TEAMS,\n Permission.CREATE_TEAMS,\n Permission.UPDATE_TEAMS,\n Permission.MANAGE_TEAM_MEMBERS,\n Permission.READ_REPORTS,\n Permission.CREATE_REPORTS,\n Permission.USE_AI,\n Permission.VIEW_ANALYTICS,\n ],\n user: [\n Permission.READ_OWN_PROFILE,\n Permission.UPDATE_OWN_PROFILE,\n Permission.READ_PROJECTS,\n Permission.CREATE_PROJECTS,\n Permission.UPDATE_PROJECTS,\n Permission.READ_TASKS,\n Permission.CREATE_TASKS,\n Permission.UPDATE_TASKS,\n Permission.DELETE_TASKS,\n Permission.READ_TEAMS,\n Permission.CREATE_TEAMS,\n Permission.READ_REPORTS,\n Permission.USE_AI,\n ],\n};\n","// ─────────────────────────────────────────────\n// @organify/auth-sdk — JWT verification helpers\n// ─────────────────────────────────────────────\n\nimport jwt from 'jsonwebtoken';\nimport type { JwtPayload as OrganifyJwtPayload } from './types';\n\nexport interface VerifyOptions {\n secret: string;\n /** When true, expired tokens won't throw */\n ignoreExpiration?: boolean;\n}\n\n/**\n * Verify and decode a JWT token.\n * @throws Error if token is invalid or expired\n */\nexport function verifyToken(\n token: string,\n options: VerifyOptions,\n): OrganifyJwtPayload {\n return jwt.verify(token, options.secret, {\n ignoreExpiration: options.ignoreExpiration,\n }) as unknown as OrganifyJwtPayload;\n}\n\n/**\n * Decode a JWT without verifying (useful for debugging).\n */\nexport function decodeToken(token: string): OrganifyJwtPayload | null {\n return jwt.decode(token) as OrganifyJwtPayload | null;\n}\n\n/**\n * Extract Bearer token from Authorization header.\n */\nexport function extractBearerToken(\n authHeader: string | undefined,\n): string | null {\n if (!authHeader?.startsWith('Bearer ')) return null;\n return authHeader.substring(7);\n}\n\n/**\n * Extract a token from a cookie header string.\n */\nexport function extractCookieToken(\n cookieHeader: string | undefined,\n cookieName = 'auth_token',\n): string | null {\n if (!cookieHeader) return null;\n const match = cookieHeader\n .split(';')\n .map((s) => s.trim())\n .find((s) => s.startsWith(`${cookieName}=`));\n if (!match) return null;\n return decodeURIComponent(match.split('=')[1]);\n}\n\n/**\n * Check if a user has a specific permission based on their role.\n */\nexport function hasPermission(\n role: string,\n permission: string,\n rolePermissions: Record<string, string[]>,\n): boolean {\n const perms = rolePermissions[role];\n if (!perms) return false;\n return perms.includes(permission);\n}\n\n/**\n * Validate a service-to-service token.\n */\nexport function validateServiceToken(\n token: string | undefined,\n expectedToken: string,\n): boolean {\n if (!token) return false;\n return token === expectedToken;\n}\n","// ─────────────────────────────────────────────\n// FBToken Client — Front-to-Back Token for API Requests\n// ─────────────────────────────────────────────\n// Computes HMAC-SHA512(secret, timeWindow) matching the gateway.\n// Every 30 minutes the token rotates.\n//\n// Usage in frontend:\n// import { getFBToken } from '@organify/auth-sdk/fb-token';\n// headers['X-FB-Token'] = getFBToken();\n//\n// Usage in Web Components:\n// Same import, same usage.\n//\n// The secret comes from an environment variable:\n// NEXT_PUBLIC_FB_TOKEN_SECRET (Next.js)\n// VITE_FB_TOKEN_SECRET (Vite)\n// ─────────────────────────────────────────────\n\n/** Duration of each time window in milliseconds (30 minutes) */\nconst WINDOW_MS = 30 * 60 * 1000;\n\n/** Cache: avoid recomputing on every request within same window */\nlet cachedToken: string | null = null;\nlet cachedWindowIndex = -1;\n\n/**\n * Compute the current time-window index (epoch / 30min).\n */\nfunction getTimeWindowIndex(): number {\n return Math.floor(Date.now() / WINDOW_MS);\n}\n\n/**\n * HMAC-SHA512 using Web Crypto API (works in browser + Edge + Node 18+).\n */\nasync function hmacSHA512(secret: string, message: string): Promise<string> {\n const encoder = new TextEncoder();\n const keyData = encoder.encode(secret);\n const msgData = encoder.encode(message);\n\n const key = await crypto.subtle.importKey(\n 'raw',\n keyData,\n { name: 'HMAC', hash: 'SHA-512' },\n false,\n ['sign'],\n );\n\n const signature = await crypto.subtle.sign('HMAC', key, msgData);\n const bytes = new Uint8Array(signature);\n\n // Convert to hex\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('');\n}\n\n/**\n * Get the current FBToken for API requests.\n * Call this on every request — it caches within the same 30-min window.\n *\n * @param secret - The shared FB_TOKEN_SECRET. If not provided,\n * reads from NEXT_PUBLIC_FB_TOKEN_SECRET or VITE_FB_TOKEN_SECRET.\n * @returns The HMAC-SHA512 hex string to send in X-FB-Token header.\n */\nexport async function getFBToken(secret?: string): Promise<string> {\n const windowIndex = getTimeWindowIndex();\n\n // Return cached token if still in same window\n if (cachedToken && cachedWindowIndex === windowIndex) {\n return cachedToken;\n }\n\n const resolvedSecret =\n secret ||\n (typeof process !== 'undefined' && (process.env as any)?.NEXT_PUBLIC_FB_TOKEN_SECRET) ||\n (typeof import.meta !== 'undefined' && (import.meta as any)?.env?.VITE_FB_TOKEN_SECRET) ||\n '';\n\n if (!resolvedSecret) {\n console.warn('[FBToken] No FB_TOKEN_SECRET configured');\n return '';\n }\n\n const token = await hmacSHA512(\n resolvedSecret,\n `organify-fb-v1:${windowIndex}`,\n );\n\n cachedToken = token;\n cachedWindowIndex = windowIndex;\n\n return token;\n}\n\n/**\n * Create an Axios/fetch interceptor that automatically adds X-FB-Token.\n *\n * Usage with fetch:\n * const headers = await createFBTokenHeaders();\n * fetch(url, { headers: { ...headers, ...otherHeaders } });\n *\n * Usage with Axios:\n * axios.interceptors.request.use(fbTokenAxiosInterceptor(secret));\n */\nexport async function createFBTokenHeaders(secret?: string): Promise<Record<string, string>> {\n const token = await getFBToken(secret);\n if (!token) return {};\n return { 'X-FB-Token': token };\n}\n\n/**\n * Axios request interceptor factory.\n */\nexport function fbTokenAxiosInterceptor(secret?: string) {\n return async (config: any) => {\n const token = await getFBToken(secret);\n if (token) {\n config.headers = config.headers || {};\n config.headers['X-FB-Token'] = token;\n }\n return config;\n };\n}\n","// ─────────────────────────────────────────────\n// ServiceClient — Inter-Service HTTP Client with MessagePack\n// ─────────────────────────────────────────────\n// All service-to-service communication uses MessagePack for\n// serialization/deserialization. This client:\n//\n// 1. Sends request bodies as MessagePack (Content-Type: application/x-msgpack)\n// 2. Requests MessagePack responses (Accept: application/x-msgpack)\n// 3. Injects X-Service-Token for authentication\n// 4. Automatically decodes MessagePack responses\n// 5. Falls back to JSON when MessagePack is not available\n//\n// Usage:\n// const client = new ServiceClient({\n// serviceToken: 'shared-secret',\n// });\n// const users = await client.get<User[]>('http://users:4001/api/internal/users/batch');\n// const workspace = await client.post('http://workspaces:4002/api/internal/workspaces/personal', { userId: '1', userName: 'John' });\n// ─────────────────────────────────────────────\n\nimport { encode, decode } from '@msgpack/msgpack';\n\nexport const MSGPACK_MIME = 'application/x-msgpack';\n\nexport interface ServiceClientConfig {\n /** Shared service-to-service token (SERVICE_TO_SERVICE_TOKEN) */\n serviceToken: string;\n /** Default timeout in ms (default: 10000) */\n timeout?: number;\n /** Additional default headers */\n headers?: Record<string, string>;\n}\n\nexport interface ServiceRequestOptions {\n /** Override timeout for this request */\n timeout?: number;\n /** Additional headers for this request */\n headers?: Record<string, string>;\n /** Override user ID to forward downstream */\n userId?: string;\n}\n\nexport interface ServiceResponse<T = any> {\n data: T;\n status: number;\n headers: Record<string, string>;\n}\n\nexport class ServiceClient {\n private config: Required<Pick<ServiceClientConfig, 'serviceToken' | 'timeout'>> & {\n headers: Record<string, string>;\n };\n\n constructor(config: ServiceClientConfig) {\n this.config = {\n serviceToken: config.serviceToken,\n timeout: config.timeout ?? 10_000,\n headers: config.headers ?? {},\n };\n }\n\n // ─── HTTP Methods ─────────────────────────\n\n async get<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('GET', url, undefined, opts);\n }\n\n async post<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('POST', url, body, opts);\n }\n\n async put<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('PUT', url, body, opts);\n }\n\n async patch<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('PATCH', url, body, opts);\n }\n\n async delete<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>> {\n return this.request<T>('DELETE', url, undefined, opts);\n }\n\n // ─── Core Request ─────────────────────────\n\n private async request<T>(\n method: string,\n url: string,\n body?: any,\n opts?: ServiceRequestOptions,\n ): Promise<ServiceResponse<T>> {\n const timeout = opts?.timeout ?? this.config.timeout;\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), timeout);\n\n try {\n const headers: Record<string, string> = {\n // Always use MessagePack for internal communication\n 'Accept': MSGPACK_MIME,\n 'X-Service-Token': this.config.serviceToken,\n ...this.config.headers,\n ...opts?.headers,\n };\n\n // Forward user identity if provided\n if (opts?.userId) {\n headers['x-user-id'] = opts.userId;\n }\n\n const fetchOpts: RequestInit = {\n method,\n headers,\n signal: controller.signal,\n };\n\n // Encode body as MessagePack if present\n if (body !== undefined && body !== null) {\n const packed = encode(body);\n fetchOpts.body = Buffer.from(packed.buffer, packed.byteOffset, packed.byteLength);\n headers['Content-Type'] = MSGPACK_MIME;\n }\n\n const response = await fetch(url, fetchOpts);\n\n // Parse response based on Content-Type\n const contentType = response.headers.get('content-type') || '';\n let data: T;\n\n if (/msgpack/i.test(contentType)) {\n const buffer = await response.arrayBuffer();\n data = decode(new Uint8Array(buffer)) as T;\n } else {\n // Fallback to JSON\n const text = await response.text();\n try {\n data = JSON.parse(text) as T;\n } catch {\n data = text as unknown as T;\n }\n }\n\n // Collect response headers\n const responseHeaders: Record<string, string> = {};\n response.headers.forEach((value, key) => {\n responseHeaders[key] = value;\n });\n\n if (!response.ok) {\n throw new ServiceClientError(\n `Service request failed: ${method} ${url} → ${response.status}`,\n response.status,\n data,\n );\n }\n\n return { data, status: response.status, headers: responseHeaders };\n } finally {\n clearTimeout(timer);\n }\n }\n}\n\n// ─── Error Class ────────────────────────────\n\nexport class ServiceClientError extends Error {\n constructor(\n message: string,\n public readonly status: number,\n public readonly response: any,\n ) {\n super(message);\n this.name = 'ServiceClientError';\n }\n}\n"]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,152 @@
+interface JwtPayload {
+    /** User ID (subject) */
+    sub: number;
+    email: string;
+    name: string;
+    role: 'admin' | 'user' | 'manager';
+    plan: string;
+    teamIds: number[];
+    /** Token type — only present on refresh tokens */
+    tokenType?: 'refresh';
+    iat?: number;
+    exp?: number;
+}
+interface AuthenticatedUser {
+    userId: number;
+    email: string;
+    name: string;
+    role: string;
+    plan: string;
+}
+interface JwtTokens {
+    accessToken: string;
+    refreshToken: string;
+}
+declare enum Permission {
+    READ_OWN_PROFILE = "read:own_profile",
+    UPDATE_OWN_PROFILE = "update:own_profile",
+    READ_USERS = "read:users",
+    CREATE_USERS = "create:users",
+    UPDATE_USERS = "update:users",
+    DELETE_USERS = "delete:users",
+    READ_PROJECTS = "read:projects",
+    CREATE_PROJECTS = "create:projects",
+    UPDATE_PROJECTS = "update:projects",
+    DELETE_PROJECTS = "delete:projects",
+    READ_TASKS = "read:tasks",
+    CREATE_TASKS = "create:tasks",
+    UPDATE_TASKS = "update:tasks",
+    DELETE_TASKS = "delete:tasks",
+    READ_TEAMS = "read:teams",
+    CREATE_TEAMS = "create:teams",
+    UPDATE_TEAMS = "update:teams",
+    DELETE_TEAMS = "delete:teams",
+    MANAGE_TEAM_MEMBERS = "manage:team_members",
+    READ_REPORTS = "read:reports",
+    CREATE_REPORTS = "create:reports",
+    USE_AI = "use:ai",
+    READ_PLANS = "read:plans",
+    CREATE_PLANS = "create:plans",
+    UPDATE_PLANS = "update:plans",
+    DELETE_PLANS = "delete:plans",
+    MANAGE_INTEGRATIONS = "manage:integrations",
+    MANAGE_AUTOMATIONS = "manage:automations",
+    VIEW_ANALYTICS = "view:analytics"
+}
+declare const RolePermissions: Record<string, Permission[]>;
+interface VerifyOptions {
+    secret: string;
+    /** When true, expired tokens won't throw */
+    ignoreExpiration?: boolean;
+}
+/**
+ * Verify and decode a JWT token.
+ * @throws Error if token is invalid or expired
+ */
+declare function verifyToken(token: string, options: VerifyOptions): JwtPayload;
+/**
+ * Decode a JWT without verifying (useful for debugging).
+ */
+declare function decodeToken(token: string): JwtPayload | null;
+/**
+ * Extract Bearer token from Authorization header.
+ */
+declare function extractBearerToken(authHeader: string | undefined): string | null;
+/**
+ * Extract a token from a cookie header string.
+ */
+declare function extractCookieToken(cookieHeader: string | undefined, cookieName?: string): string | null;
+/**
+ * Check if a user has a specific permission based on their role.
+ */
+declare function hasPermission(role: string, permission: string, rolePermissions: Record<string, string[]>): boolean;
+/**
+ * Validate a service-to-service token.
+ */
+declare function validateServiceToken(token: string | undefined, expectedToken: string): boolean;
+/**
+ * Get the current FBToken for API requests.
+ * Call this on every request — it caches within the same 30-min window.
+ *
+ * @param secret - The shared FB_TOKEN_SECRET. If not provided,
+ *   reads from NEXT_PUBLIC_FB_TOKEN_SECRET or VITE_FB_TOKEN_SECRET.
+ * @returns The HMAC-SHA512 hex string to send in X-FB-Token header.
+ */
+declare function getFBToken(secret?: string): Promise<string>;
+/**
+ * Create an Axios/fetch interceptor that automatically adds X-FB-Token.
+ *
+ * Usage with fetch:
+ *   const headers = await createFBTokenHeaders();
+ *   fetch(url, { headers: { ...headers, ...otherHeaders } });
+ *
+ * Usage with Axios:
+ *   axios.interceptors.request.use(fbTokenAxiosInterceptor(secret));
+ */
+declare function createFBTokenHeaders(secret?: string): Promise<Record<string, string>>;
+/**
+ * Axios request interceptor factory.
+ */
+declare function fbTokenAxiosInterceptor(secret?: string): (config: any) => Promise<any>;
+declare const MSGPACK_MIME = "application/x-msgpack";
+interface ServiceClientConfig {
+    /** Shared service-to-service token (SERVICE_TO_SERVICE_TOKEN) */
+    serviceToken: string;
+    /** Default timeout in ms (default: 10000) */
+    timeout?: number;
+    /** Additional default headers */
+    headers?: Record<string, string>;
+}
+interface ServiceRequestOptions {
+    /** Override timeout for this request */
+    timeout?: number;
+    /** Additional headers for this request */
+    headers?: Record<string, string>;
+    /** Override user ID to forward downstream */
+    userId?: string;
+}
+interface ServiceResponse<T = any> {
+    data: T;
+    status: number;
+    headers: Record<string, string>;
+}
+declare class ServiceClient {
+    private config;
+    constructor(config: ServiceClientConfig);
+    get<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    post<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    put<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    patch<T = any>(url: string, body?: any, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    delete<T = any>(url: string, opts?: ServiceRequestOptions): Promise<ServiceResponse<T>>;
+    private request;
+}
+declare class ServiceClientError extends Error {
+    readonly status: number;
+    readonly response: any;
+    constructor(message: string, status: number, response: any);
+}
+export { type AuthenticatedUser, type JwtPayload, type JwtTokens, MSGPACK_MIME, Permission, RolePermissions, ServiceClient, type ServiceClientConfig, ServiceClientError, type ServiceRequestOptions, type ServiceResponse, type VerifyOptions, createFBTokenHeaders, decodeToken, extractBearerToken, extractCookieToken, fbTokenAxiosInterceptor, getFBToken, hasPermission, validateServiceToken, verifyToken };