"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.createAuthMiddleware = createAuthMiddleware; const crypto_1 = require("crypto"); function createAuthMiddleware(userRepository, sessionRepository, apiKeyRepository) { return async function authMiddleware(req, res, next) { try { // 1. Check session cookie const sessionToken = req.cookies?.['abe_session']; if (sessionToken) { const session = await sessionRepository.findByToken(sessionToken); if (session && session.expiresAt > new Date()) { const user = await userRepository.findById(session.userId); if (user) { req.user = { id: user.id.toString(), email: user.email.value, name: user.name, role: user.role.value, orgId: user.orgId, }; return next(); } } } // 2. Check Bearer JWT (session token in header) const authHeader = req.headers.authorization; if (authHeader?.startsWith('Bearer ')) { const token = authHeader.substring(7); const session = await sessionRepository.findByToken(token); if (session && session.expiresAt > new Date()) { const user = await userRepository.findById(session.userId); if (user) { req.user = { id: user.id.toString(), email: user.email.value, name: user.name, role: user.role.value, orgId: user.orgId, }; return next(); } } } // 3. Check API key const apiKeyHeader = req.headers['x-abe-api-key']; if (apiKeyHeader && typeof apiKeyHeader === 'string') { const keyHash = (0, crypto_1.createHash)('sha256').update(apiKeyHeader).digest('hex'); const apiKey = await apiKeyRepository.findByHash(keyHash); if (apiKey && !apiKey.isExpired()) { const user = await userRepository.findById(apiKey.userId); if (user) { await apiKeyRepository.updateLastUsed(apiKey.id.toString(), new Date()); req.user = { id: user.id.toString(), email: user.email.value, name: user.name, role: user.role.value, orgId: user.orgId, }; return next(); } } } res.status(401).json({ error: 'Unauthorized' }); } catch { res.status(401).json({ error: 'Unauthorized' }); } }; }