realtimex-crm 0.8.1 → 0.9.1

package/supabase/functions/_shared/apiKeyAuth.ts

@@ -0,0 +1,171 @@
+import { supabaseAdmin } from "./supabaseAdmin.ts";
+import { createErrorResponse } from "./utils.ts";
+
+// Rate limiting: Simple in-memory store (resets on function restart)
+const rateLimitStore = new Map<string, { count: number; resetAt: number }>();
+
+const RATE_LIMIT_MAX = 100; // requests per window
+const RATE_LIMIT_WINDOW = 60 * 1000; // 60 seconds
+
+interface ApiKey {
+  id: number;
+  sales_id: number;
+  name: string;
+  scopes: string[];
+  is_active: boolean;
+  expires_at: string | null;
+}
+
+/**
+ * Extract and validate API key from request
+ * Returns api key record or error response
+ */
+export async function validateApiKey(
+  req: Request
+): Promise<{ apiKey: ApiKey } | Response> {
+  const authHeader = req.headers.get("Authorization");
+
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return createErrorResponse(401, "Missing or invalid Authorization header");
+  }
+
+  const apiKeyValue = authHeader.replace("Bearer ", "");
+
+  if (!apiKeyValue.startsWith("ak_live_")) {
+    return createErrorResponse(401, "Invalid API key format");
+  }
+
+  // Hash the API key for lookup
+  const encoder = new TextEncoder();
+  const data = encoder.encode(apiKeyValue);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const keyHash = hashArray.map((b) => b.toString(16).padStart(2, "0")).join(
+    ""
+  );
+
+  // Lookup API key in database
+  const { data: apiKey, error } = await supabaseAdmin
+    .from("api_keys")
+    .select("id, sales_id, name, scopes, is_active, expires_at")
+    .eq("key_hash", keyHash)
+    .single();
+
+  if (error || !apiKey) {
+    return createErrorResponse(401, "Invalid API key");
+  }
+
+  // Check if active
+  if (!apiKey.is_active) {
+    return createErrorResponse(401, "API key is disabled");
+  }
+
+  // Check expiration
+  if (apiKey.expires_at && new Date(apiKey.expires_at) < new Date()) {
+    return createErrorResponse(401, "API key has expired");
+  }
+
+  // Update last_used_at (fire and forget)
+  supabaseAdmin
+    .from("api_keys")
+    .update({ last_used_at: new Date().toISOString() })
+    .eq("id", apiKey.id)
+    .then(() => {});
+
+  return { apiKey };
+}
+
+/**
+ * Check rate limit for API key
+ */
+export function checkRateLimit(apiKeyId: number): Response | null {
+  const now = Date.now();
+  const key = `ratelimit:${apiKeyId}`;
+
+  let bucket = rateLimitStore.get(key);
+
+  if (!bucket || now > bucket.resetAt) {
+    // Create new bucket
+    bucket = {
+      count: 1,
+      resetAt: now + RATE_LIMIT_WINDOW,
+    };
+    rateLimitStore.set(key, bucket);
+    return null;
+  }
+
+  if (bucket.count >= RATE_LIMIT_MAX) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1000);
+    return new Response(
+      JSON.stringify({
+        status: 429,
+        message: "Rate limit exceeded",
+        retry_after: retryAfter,
+      }),
+      {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": retryAfter.toString(),
+          "X-RateLimit-Limit": RATE_LIMIT_MAX.toString(),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Reset": bucket.resetAt.toString(),
+        },
+      }
+    );
+  }
+
+  bucket.count++;
+
+  return null;
+}
+
+/**
+ * Check if API key has required scope
+ */
+export function hasScope(apiKey: ApiKey, requiredScope: string): boolean {
+  // Check for wildcard scope
+  if (apiKey.scopes.includes("*")) {
+    return true;
+  }
+
+  // Check for exact scope match
+  if (apiKey.scopes.includes(requiredScope)) {
+    return true;
+  }
+
+  // Check for resource wildcard (e.g., "contacts:*" matches "contacts:read")
+  const [resource] = requiredScope.split(":");
+  if (apiKey.scopes.includes(`${resource}:*`)) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Log API request
+ */
+export async function logApiRequest(
+  apiKeyId: number,
+  endpoint: string,
+  method: string,
+  statusCode: number,
+  responseTimeMs: number,
+  req: Request,
+  errorMessage?: string
+) {
+  const ip = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim();
+  const userAgent = req.headers.get("user-agent");
+
+  await supabaseAdmin.from("api_logs").insert({
+    api_key_id: apiKeyId,
+    endpoint,
+    method,
+    status_code: statusCode,
+    response_time_ms: responseTimeMs,
+    ip_address: ip,
+    user_agent: userAgent,
+    error_message: errorMessage,
+  });
+}

package/supabase/functions/_shared/webhookSignature.ts

@@ -0,0 +1,23 @@
+/**
+ * Generate HMAC-SHA256 signature for webhook payload
+ */
+export async function generateWebhookSignature(
+  secret: string,
+  payload: string
+): Promise<string> {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const messageData = encoder.encode(payload);
+
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+
+  const signature = await crypto.subtle.sign("HMAC", cryptoKey, messageData);
+  const hashArray = Array.from(new Uint8Array(signature));
+  return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+}

package/supabase/functions/api-v1-activities/index.ts

@@ -0,0 +1,137 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { supabaseAdmin } from "../_shared/supabaseAdmin.ts";
+import { corsHeaders, createErrorResponse } from "../_shared/utils.ts";
+import {
+  validateApiKey,
+  checkRateLimit,
+  hasScope,
+  logApiRequest,
+} from "../_shared/apiKeyAuth.ts";
+
+Deno.serve(async (req: Request) => {
+  const startTime = Date.now();
+
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+
+  const authResult = await validateApiKey(req);
+  if ("status" in authResult) {
+    return authResult;
+  }
+  const { apiKey } = authResult;
+
+  const rateLimitError = checkRateLimit(apiKey.id);
+  if (rateLimitError) {
+    await logApiRequest(
+      apiKey.id,
+      "/v1/activities",
+      req.method,
+      429,
+      Date.now() - startTime,
+      req
+    );
+    return rateLimitError;
+  }
+
+  try {
+    if (req.method === "POST") {
+      const response = await createActivity(apiKey, req);
+      const responseTime = Date.now() - startTime;
+      await logApiRequest(
+        apiKey.id,
+        "/v1/activities",
+        req.method,
+        response.status,
+        responseTime,
+        req
+      );
+      return response;
+    } else {
+      return createErrorResponse(404, "Not found");
+    }
+  } catch (error) {
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      "/v1/activities",
+      req.method,
+      500,
+      responseTime,
+      req,
+      error.message
+    );
+    return createErrorResponse(500, "Internal server error");
+  }
+});
+
+async function createActivity(apiKey: any, req: Request) {
+  if (!hasScope(apiKey, "activities:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const body = await req.json();
+  const { type, ...activityData } = body;
+
+  // Activities can be notes or tasks
+  if (type === "note" || type === "contact_note") {
+    const { data, error } = await supabaseAdmin
+      .from("contactNotes")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+
+    return new Response(JSON.stringify({ data, type: "note" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else if (type === "task") {
+    const { data, error } = await supabaseAdmin
+      .from("tasks")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+
+    return new Response(JSON.stringify({ data, type: "task" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else if (type === "deal_note") {
+    const { data, error } = await supabaseAdmin
+      .from("dealNotes")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+
+    return new Response(JSON.stringify({ data, type: "deal_note" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else {
+    return createErrorResponse(
+      400,
+      "Invalid activity type. Must be 'note', 'contact_note', 'task', or 'deal_note'"
+    );
+  }
+}

package/supabase/functions/api-v1-companies/index.ts

@@ -0,0 +1,166 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { supabaseAdmin } from "../_shared/supabaseAdmin.ts";
+import { corsHeaders, createErrorResponse } from "../_shared/utils.ts";
+import {
+  validateApiKey,
+  checkRateLimit,
+  hasScope,
+  logApiRequest,
+} from "../_shared/apiKeyAuth.ts";
+
+Deno.serve(async (req: Request) => {
+  const startTime = Date.now();
+
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+
+  const authResult = await validateApiKey(req);
+  if ("status" in authResult) {
+    return authResult;
+  }
+  const { apiKey } = authResult;
+
+  const rateLimitError = checkRateLimit(apiKey.id);
+  if (rateLimitError) {
+    await logApiRequest(
+      apiKey.id,
+      "/v1/companies",
+      req.method,
+      429,
+      Date.now() - startTime,
+      req
+    );
+    return rateLimitError;
+  }
+
+  try {
+    const url = new URL(req.url);
+    const pathParts = url.pathname.split("/").filter(Boolean);
+    const companyId = pathParts[1];
+
+    let response: Response;
+
+    if (req.method === "GET" && companyId) {
+      response = await getCompany(apiKey, companyId);
+    } else if (req.method === "POST") {
+      response = await createCompany(apiKey, req);
+    } else if (req.method === "PATCH" && companyId) {
+      response = await updateCompany(apiKey, companyId, req);
+    } else if (req.method === "DELETE" && companyId) {
+      response = await deleteCompany(apiKey, companyId);
+    } else {
+      response = createErrorResponse(404, "Not found");
+    }
+
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      url.pathname,
+      req.method,
+      response.status,
+      responseTime,
+      req
+    );
+
+    return response;
+  } catch (error) {
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      new URL(req.url).pathname,
+      req.method,
+      500,
+      responseTime,
+      req,
+      error.message
+    );
+    return createErrorResponse(500, "Internal server error");
+  }
+});
+
+async function getCompany(apiKey: any, companyId: string) {
+  if (!hasScope(apiKey, "companies:read")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const { data, error } = await supabaseAdmin
+    .from("companies")
+    .select("*")
+    .eq("id", companyId)
+    .single();
+
+  if (error || !data) {
+    return createErrorResponse(404, "Company not found");
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function createCompany(apiKey: any, req: Request) {
+  if (!hasScope(apiKey, "companies:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const body = await req.json();
+
+  const { data, error } = await supabaseAdmin
+    .from("companies")
+    .insert({
+      ...body,
+      sales_id: apiKey.sales_id,
+    })
+    .select()
+    .single();
+
+  if (error) {
+    return createErrorResponse(400, error.message);
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    status: 201,
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function updateCompany(apiKey: any, companyId: string, req: Request) {
+  if (!hasScope(apiKey, "companies:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const body = await req.json();
+
+  const { data, error } = await supabaseAdmin
+    .from("companies")
+    .update(body)
+    .eq("id", companyId)
+    .select()
+    .single();
+
+  if (error || !data) {
+    return createErrorResponse(404, "Company not found");
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function deleteCompany(apiKey: any, companyId: string) {
+  if (!hasScope(apiKey, "companies:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const { error } = await supabaseAdmin
+    .from("companies")
+    .delete()
+    .eq("id", companyId);
+
+  if (error) {
+    return createErrorResponse(404, "Company not found");
+  }
+
+  return new Response(null, { status: 204, headers: corsHeaders });
+}

package/supabase/functions/api-v1-contacts/index.ts

@@ -0,0 +1,171 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { supabaseAdmin } from "../_shared/supabaseAdmin.ts";
+import { corsHeaders, createErrorResponse } from "../_shared/utils.ts";
+import {
+  validateApiKey,
+  checkRateLimit,
+  hasScope,
+  logApiRequest,
+} from "../_shared/apiKeyAuth.ts";
+
+Deno.serve(async (req: Request) => {
+  const startTime = Date.now();
+
+  // Handle CORS
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+
+  // Validate API key
+  const authResult = await validateApiKey(req);
+  if ("status" in authResult) {
+    return authResult; // Error response
+  }
+  const { apiKey } = authResult;
+
+  // Check rate limit
+  const rateLimitError = checkRateLimit(apiKey.id);
+  if (rateLimitError) {
+    await logApiRequest(
+      apiKey.id,
+      "/v1/contacts",
+      req.method,
+      429,
+      Date.now() - startTime,
+      req
+    );
+    return rateLimitError;
+  }
+
+  try {
+    const url = new URL(req.url);
+    const pathParts = url.pathname.split("/").filter(Boolean);
+    // pathParts: ["api-v1-contacts", "{id}"]
+    const contactId = pathParts[1];
+
+    let response: Response;
+
+    if (req.method === "GET" && contactId) {
+      response = await getContact(apiKey, contactId);
+    } else if (req.method === "POST") {
+      response = await createContact(apiKey, req);
+    } else if (req.method === "PATCH" && contactId) {
+      response = await updateContact(apiKey, contactId, req);
+    } else if (req.method === "DELETE" && contactId) {
+      response = await deleteContact(apiKey, contactId);
+    } else {
+      response = createErrorResponse(404, "Not found");
+    }
+
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      url.pathname,
+      req.method,
+      response.status,
+      responseTime,
+      req
+    );
+
+    return response;
+  } catch (error) {
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      new URL(req.url).pathname,
+      req.method,
+      500,
+      responseTime,
+      req,
+      error.message
+    );
+    return createErrorResponse(500, "Internal server error");
+  }
+});
+
+async function getContact(apiKey: any, contactId: string) {
+  if (!hasScope(apiKey, "contacts:read")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const id = parseInt(contactId, 10);
+  const { data, error } = await supabaseAdmin
+    .from("contacts")
+    .select("*")
+    .eq("id", id)
+    .single();
+
+  if (error || !data) {
+    return createErrorResponse(404, "Contact not found");
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function createContact(apiKey: any, req: Request) {
+  if (!hasScope(apiKey, "contacts:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const body = await req.json();
+
+  const { data, error } = await supabaseAdmin
+    .from("contacts")
+    .insert({
+      ...body,
+      sales_id: apiKey.sales_id, // Associate with API key owner
+    })
+    .select()
+    .single();
+
+  if (error) {
+    return createErrorResponse(400, error.message);
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    status: 201,
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function updateContact(apiKey: any, contactId: string, req: Request) {
+  if (!hasScope(apiKey, "contacts:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const body = await req.json();
+
+  const { data, error } = await supabaseAdmin
+    .from("contacts")
+    .update(body)
+    .eq("id", parseInt(contactId, 10))
+    .select()
+    .single();
+
+  if (error || !data) {
+    return createErrorResponse(404, "Contact not found");
+  }
+
+  return new Response(JSON.stringify({ data }), {
+    headers: { "Content-Type": "application/json", ...corsHeaders },
+  });
+}
+
+async function deleteContact(apiKey: any, contactId: string) {
+  if (!hasScope(apiKey, "contacts:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+
+  const { error } = await supabaseAdmin
+    .from("contacts")
+    .delete()
+    .eq("id", parseInt(contactId, 10));
+
+  if (error) {
+    return createErrorResponse(404, "Contact not found");
+  }
+
+  return new Response(null, { status: 204, headers: corsHeaders });
+}