2026-05-29 23:29:31 +03:30
|
|
|
import { cookies } from "next/headers";
|
|
|
|
|
|
|
|
|
|
import { gatewayFetch } from "@/lib/api/gateway";
|
|
|
|
|
import { ACCESS_TOKEN_COOKIE } from "@/lib/auth/constants";
|
|
|
|
|
import { decodeJwt, isJwtExpired, type JwtClaims } from "@/lib/auth/jwt";
|
|
|
|
|
|
|
|
|
|
export interface Session {
|
|
|
|
|
userId: string;
|
|
|
|
|
email?: string;
|
|
|
|
|
tenantId?: string;
|
|
|
|
|
isAdmin: boolean;
|
|
|
|
|
claims: JwtClaims;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Raw access token from the httpOnly cookie (for proxying to the gateway). */
|
|
|
|
|
export async function getAccessToken(): Promise<string | null> {
|
|
|
|
|
const store = await cookies();
|
|
|
|
|
return store.get(ACCESS_TOKEN_COOKIE)?.value ?? null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Decode the current session from the access-token cookie. Returns null when there is
|
|
|
|
|
* no token, it is malformed, or it has expired. Use in server components / layouts to
|
|
|
|
|
* guard rendering; the gateway is still the authority on every API call.
|
|
|
|
|
*/
|
|
|
|
|
export async function getSession(): Promise<Session | null> {
|
|
|
|
|
const token = await getAccessToken();
|
|
|
|
|
if (!token) return null;
|
|
|
|
|
const claims = decodeJwt(token);
|
|
|
|
|
if (!claims || isJwtExpired(claims) || !claims.sub) return null;
|
|
|
|
|
return {
|
|
|
|
|
userId: String(claims.sub),
|
|
|
|
|
email: claims.email ? String(claims.email) : undefined,
|
|
|
|
|
tenantId: claims.tenant_id ? String(claims.tenant_id) : undefined,
|
|
|
|
|
isAdmin: String(claims.is_admin) === "true",
|
|
|
|
|
claims,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export interface IdentityUser {
|
|
|
|
|
id: string;
|
|
|
|
|
email?: string | null;
|
|
|
|
|
full_name?: string | null;
|
|
|
|
|
avatar_url?: string | null;
|
|
|
|
|
is_admin?: boolean;
|
|
|
|
|
[key: string]: unknown;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Fetch the full current-user profile from Identity (`/v1/users/me`) using the access
|
|
|
|
|
* cookie. Returns null when signed out or the token is rejected — use this as the
|
|
|
|
|
* authoritative server-side guard (it validates the token against the service).
|
|
|
|
|
*/
|
|
|
|
|
export async function getCurrentUser(): Promise<IdentityUser | null> {
|
|
|
|
|
const token = await getAccessToken();
|
|
|
|
|
if (!token) return null;
|
|
|
|
|
const res = await gatewayFetch("/v1/users/me", {
|
|
|
|
|
headers: { Authorization: `Bearer ${token}` },
|
|
|
|
|
});
|
|
|
|
|
if (!res.ok) return null;
|
|
|
|
|
return (await res.json().catch(() => null)) as IdentityUser | null;
|
|
|
|
|
}
|
2026-06-05 00:34:25 +03:30
|
|
|
|
|
|
|
|
/** Minimal, serializable user summary for the navbar/profile menu (passed from
|
|
|
|
|
* server layouts into client components). Null when signed out. */
|
|
|
|
|
export interface NavUser {
|
|
|
|
|
name: string;
|
|
|
|
|
email: string;
|
|
|
|
|
avatarUrl: string | null;
|
|
|
|
|
isAdmin: boolean;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export async function getNavUser(): Promise<NavUser | null> {
|
|
|
|
|
const user = await getCurrentUser();
|
|
|
|
|
if (!user) return null;
|
|
|
|
|
const email = user.email ?? "";
|
|
|
|
|
const fullName = typeof user.full_name === "string" ? user.full_name.trim() : "";
|
|
|
|
|
return {
|
|
|
|
|
name: fullName || (email ? email.split("@")[0] : "User"),
|
|
|
|
|
email,
|
|
|
|
|
avatarUrl: (user.avatar_url as string | null) ?? null,
|
|
|
|
|
isAdmin: Boolean(user.is_admin) || Boolean((user as Record<string, unknown>).is_tenant_admin),
|
|
|
|
|
};
|
|
|
|
|
}
|
