feat(api): add unified v2 gateway and mobile read slice

backend/unified-api/src/services/auth-service.js

@@ -0,0 +1,157 @@
+import { z } from 'zod';
+import { AppError } from '../lib/errors.js';
+import { withTransaction } from './db.js';
+import { verifyFirebaseToken, revokeUserSessions } from './firebase-auth.js';
+import { deleteAccount, signInWithPassword, signUpWithPassword } from './identity-toolkit.js';
+import { loadActorContext } from './user-context.js';
+
+const clientSignInSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+});
+
+const clientSignUpSchema = z.object({
+  companyName: z.string().min(2).max(120),
+  email: z.string().email(),
+  password: z.string().min(8),
+  displayName: z.string().min(2).max(120).optional(),
+});
+
+function slugify(input) {
+  return input
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 50);
+}
+
+function buildAuthEnvelope(authPayload, context) {
+  return {
+    sessionToken: authPayload.idToken,
+    refreshToken: authPayload.refreshToken,
+    expiresInSeconds: Number.parseInt(`${authPayload.expiresIn || 3600}`, 10),
+    user: {
+      id: context.user?.userId || authPayload.localId,
+      email: context.user?.email || null,
+      displayName: context.user?.displayName || null,
+      phone: context.user?.phone || null,
+    },
+    tenant: context.tenant,
+    business: context.business,
+    vendor: context.vendor,
+    staff: context.staff,
+  };
+}
+
+export function parseClientSignIn(body) {
+  const parsed = clientSignInSchema.safeParse(body || {});
+  if (!parsed.success) {
+    throw new AppError('VALIDATION_ERROR', 'Invalid client sign-in payload', 400, {
+      issues: parsed.error.issues,
+    });
+  }
+  return parsed.data;
+}
+
+export function parseClientSignUp(body) {
+  const parsed = clientSignUpSchema.safeParse(body || {});
+  if (!parsed.success) {
+    throw new AppError('VALIDATION_ERROR', 'Invalid client sign-up payload', 400, {
+      issues: parsed.error.issues,
+    });
+  }
+  return parsed.data;
+}
+
+export async function getSessionForActor(actor) {
+  return loadActorContext(actor.uid);
+}
+
+export async function signInClient(payload, { fetchImpl = fetch } = {}) {
+  const authPayload = await signInWithPassword(payload, fetchImpl);
+  const decoded = await verifyFirebaseToken(authPayload.idToken);
+  const context = await loadActorContext(decoded.uid);
+
+  if (!context.user || !context.business) {
+    throw new AppError('FORBIDDEN', 'Authenticated user does not have a client business membership', 403, {
+      uid: decoded.uid,
+      email: decoded.email || null,
+    });
+  }
+
+  return buildAuthEnvelope(authPayload, context);
+}
+
+export async function signUpClient(payload, { fetchImpl = fetch } = {}) {
+  const authPayload = await signUpWithPassword(payload, fetchImpl);
+
+  try {
+    const decoded = await verifyFirebaseToken(authPayload.idToken);
+    const defaultDisplayName = payload.displayName || payload.companyName;
+    const tenantSlug = slugify(payload.companyName);
+    const businessSlug = tenantSlug;
+
+    await withTransaction(async (client) => {
+      await client.query(
+        `
+        INSERT INTO users (id, email, display_name, status, metadata)
+        VALUES ($1, $2, $3, 'ACTIVE', '{}'::jsonb)
+        ON CONFLICT (id) DO UPDATE
+          SET email = EXCLUDED.email,
+              display_name = EXCLUDED.display_name,
+              updated_at = NOW()
+        `,
+        [decoded.uid, payload.email, defaultDisplayName]
+      );
+
+      const tenantResult = await client.query(
+        `
+        INSERT INTO tenants (slug, name, status, metadata)
+        VALUES ($1, $2, 'ACTIVE', '{"source":"unified-api-sign-up"}'::jsonb)
+        RETURNING id, slug, name
+        `,
+        [tenantSlug, payload.companyName]
+      );
+      const tenant = tenantResult.rows[0];
+
+      const businessResult = await client.query(
+        `
+        INSERT INTO businesses (
+          tenant_id, slug, business_name, status, contact_name, contact_email, metadata
+        )
+        VALUES ($1, $2, $3, 'ACTIVE', $4, $5, '{"source":"unified-api-sign-up"}'::jsonb)
+        RETURNING id, slug, business_name
+        `,
+        [tenant.id, businessSlug, payload.companyName, defaultDisplayName, payload.email]
+      );
+      const business = businessResult.rows[0];
+
+      await client.query(
+        `
+        INSERT INTO tenant_memberships (tenant_id, user_id, membership_status, base_role, metadata)
+        VALUES ($1, $2, 'ACTIVE', 'admin', '{"source":"sign-up"}'::jsonb)
+        `,
+        [tenant.id, decoded.uid]
+      );
+
+      await client.query(
+        `
+        INSERT INTO business_memberships (tenant_id, business_id, user_id, membership_status, business_role, metadata)
+        VALUES ($1, $2, $3, 'ACTIVE', 'owner', '{"source":"sign-up"}'::jsonb)
+        `,
+        [tenant.id, business.id, decoded.uid]
+      );
+    });
+
+    const context = await loadActorContext(decoded.uid);
+    return buildAuthEnvelope(authPayload, context);
+  } catch (error) {
+    await deleteAccount({ idToken: authPayload.idToken }, fetchImpl).catch(() => null);
+    throw error;
+  }
+}
+
+export async function signOutActor(actor) {
+  await revokeUserSessions(actor.uid);
+  return { signedOut: true };
+}