fase(9): auth module with casl rbac and session management

2026-03-05 09:57:49 -05:00
parent 39a5e41f75
commit 7526a5bc15
77 changed files with 3588 additions and 41 deletions
--- a/dist/modules/auth/application/middleware/AuthMiddleware.js
+++ b/dist/modules/auth/application/middleware/AuthMiddleware.js
@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthMiddleware = createAuthMiddleware;
+const crypto_1 = require("crypto");
+function createAuthMiddleware(userRepository, sessionRepository, apiKeyRepository) {
+    return async function authMiddleware(req, res, next) {
+        try {
+            // 1. Check session cookie
+            const sessionToken = req.cookies?.['abe_session'];
+            if (sessionToken) {
+                const session = await sessionRepository.findByToken(sessionToken);
+                if (session && session.expiresAt > new Date()) {
+                    const user = await userRepository.findById(session.userId);
+                    if (user) {
+                        req.user = {
+                            id: user.id.toString(),
+                            email: user.email.value,
+                            name: user.name,
+                            role: user.role.value,
+                            orgId: user.orgId,
+                        };
+                        return next();
+                    }
+                }
+            }
+            // 2. Check Bearer JWT (session token in header)
+            const authHeader = req.headers.authorization;
+            if (authHeader?.startsWith('Bearer ')) {
+                const token = authHeader.substring(7);
+                const session = await sessionRepository.findByToken(token);
+                if (session && session.expiresAt > new Date()) {
+                    const user = await userRepository.findById(session.userId);
+                    if (user) {
+                        req.user = {
+                            id: user.id.toString(),
+                            email: user.email.value,
+                            name: user.name,
+                            role: user.role.value,
+                            orgId: user.orgId,
+                        };
+                        return next();
+                    }
+                }
+            }
+            // 3. Check API key
+            const apiKeyHeader = req.headers['x-abe-api-key'];
+            if (apiKeyHeader && typeof apiKeyHeader === 'string') {
+                const keyHash = (0, crypto_1.createHash)('sha256').update(apiKeyHeader).digest('hex');
+                const apiKey = await apiKeyRepository.findByHash(keyHash);
+                if (apiKey && !apiKey.isExpired()) {
+                    const user = await userRepository.findById(apiKey.userId);
+                    if (user) {
+                        await apiKeyRepository.updateLastUsed(apiKey.id.toString(), new Date());
+                        req.user = {
+                            id: user.id.toString(),
+                            email: user.email.value,
+                            name: user.name,
+                            role: user.role.value,
+                            orgId: user.orgId,
+                        };
+                        return next();
+                    }
+                }
+            }
+            res.status(401).json({ error: 'Unauthorized' });
+        }
+        catch {
+            res.status(401).json({ error: 'Unauthorized' });
+        }
+    };
+}