"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.requireCompanyAuth = requireCompanyAuth; exports.requireCompanyDocumentAuth = requireCompanyDocumentAuth; const prisma_1 = require("../lib/prisma"); const authHelpers_1 = require("./authHelpers"); const tokens_1 = require("../security/tokens"); const sessionCookies_1 = require("../security/sessionCookies"); const rateLimiter_1 = require("./rateLimiter"); /** * Validates a company-scoped Bearer token and loads the employee + company onto `req`. * * Guarantees on success: * req.employee — full employee record (with company relation) * req.company — the employee's company * req.companyId — string shorthand for req.company.id */ async function authenticateCompanyRequest(req, res, next) { const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('employee')); if (!token) return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required'); let payload; try { payload = (0, tokens_1.verifyActorToken)(token, 'employee'); } catch { return (0, authHelpers_1.sendUnauthorized)(res, 'invalid_token', 'Invalid or expired session token'); } const employee = await prisma_1.prisma.employee.findUnique({ where: { id: payload.sub }, include: { company: true }, }); if (!employee || !employee.isActive) { return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Employee account not found or inactive'); } req.employee = employee; req.company = employee.company; req.companyId = employee.companyId; return (0, rateLimiter_1.actorLimiter)(req, res, next); } async function requireCompanyAuth(req, res, next) { return authenticateCompanyRequest(req, res, next); } async function requireCompanyDocumentAuth(req, res, next) { return authenticateCompanyRequest(req, res, next); } //# sourceMappingURL=requireCompanyAuth.js.map