feat: Update authentication middleware (#6447)

* authentication middleware update

* disable customer authentication

* call correct feature flag method

* fix authentication middleware for store/customers

* fix integration tests and add middleware for admin customers

* update seeders

* customer groups fix

* add authentication middleware for all admin endpoints

* Feat(medusa, user): require authentication for invite accept (#6448)

* initial invite token validation for authentication invocation

* remove invite auth

* remove unused import

* cleanup tests

* refactor to auth instead of auth_user

* pr feedback

* update authenticatedRequest type

* update store authenticated endpoints

* update routes with type

* fix build

* fix build

* fix build

* use auth middleware for api-keys

integration-tests/plugins/__tests__/api-key/admin/api-key.spec.ts

@@ -1,12 +1,14 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
+import { ApiKeyType } from "@medusajs/utils"
 import { IApiKeyModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
-import { ApiKeyType } from "@medusajs/utils"
 
 jest.setTimeout(50000)
 
@@ -36,7 +38,7 @@ describe("API Keys - Admin", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {
@@ -60,7 +62,7 @@ describe("API Keys - Admin", () => {
       expect.objectContaining({
         id: created.data.apiKey.id,
         title: "Test Secret Key",
-        created_by: "test",
+        created_by: "admin_user",
       })
     )
     // On create we get the token in raw form so we can store it.
@@ -92,7 +94,7 @@ describe("API Keys - Admin", () => {
     expect(revoked.data.apiKey).toEqual(
       expect.objectContaining({
         id: created.data.apiKey.id,
-        revoked_by: "test",
+        revoked_by: "admin_user",
       })
     )
     expect(revoked.data.apiKey.revoked_at).toBeTruthy()

integration-tests/plugins/__tests__/customer-group/admin/batch-add-customers.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customer-groups/:id/customers/batch", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/batch-remove-customers.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("DELETE /admin/customer-groups/:id/customers/remove", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/create-customer-group.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,8 @@ describe("POST /admin/customer-groups", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
+    // await adminSeeder(dbConnection)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/delete-customer-group.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("DELETE /admin/customer-groups/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/list-customer-group-customers.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("GET /admin/customer-groups/:id/customers", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/list-customer-groups.spec.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("GET /admin/customer-groups", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/retrieve-customer-group.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("GET /admin/customer-groups/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer-group/admin/update-customer-group.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customer-groups/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/create-customer-addresses.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customers/:id/addresses", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/create-customer.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customers", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/delete-customer-address.spec.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("DELETE /admin/customers/:id/addresses/:address_id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/delete-customer.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("DELETE /admin/customers/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/list-customer-addresses.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("GET /admin/customers/:id/addresses", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/list-customers.spec.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("GET /admin/customers", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/update-customer-address.spec.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customers/:id/addresses/:address_id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/admin/update-customer.ts

@@ -1,11 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +39,7 @@ describe("POST /admin/customers/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/customer/store/create-customer.spec.ts

@@ -3,6 +3,7 @@ import { initDb, useDb } from "../../../../environment-helpers/use-db"
 
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import adminSeeder from "../../../../helpers/admin-seeder"
+import { createAdminUser } from "../../../helpers/create-admin-user"
 import { getContainer } from "../../../../environment-helpers/use-container"
 import jwt from "jsonwebtoken"
 import path from "path"

integration-tests/plugins/__tests__/invites/accept-invite.spec.ts

@@ -0,0 +1,112 @@
+import { IAuthModuleService, IUserModuleService } from "@medusajs/types"
+import { initDb, useDb } from "../../../environment-helpers/use-db"
+
+import { AxiosInstance } from "axios"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../helpers/create-admin-user"
+import { getContainer } from "../../../environment-helpers/use-container"
+import path from "path"
+import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
+import { useApi } from "../../../environment-helpers/use-api"
+
+jest.setTimeout(50000)
+
+const env = { MEDUSA_FF_MEDUSA_V2: true }
+const adminHeaders = {
+  headers: { "x-medusa-access-token": "test_token" },
+}
+
+describe("GET /admin/invites/:id", () => {
+  let dbConnection
+  let appContainer
+  let shutdownServer
+  let userModuleService: IUserModuleService
+
+  beforeAll(async () => {
+    const cwd = path.resolve(path.join(__dirname, "..", ".."))
+    dbConnection = await initDb({ cwd, env } as any)
+    shutdownServer = await startBootstrapApp({ cwd, env })
+    appContainer = getContainer()
+    userModuleService = appContainer.resolve(ModuleRegistrationName.USER)
+  })
+
+  beforeEach(async () => {
+    await createAdminUser(dbConnection, adminHeaders)
+  })
+
+  afterAll(async () => {
+    const db = useDb()
+    await db.shutdown()
+    await shutdownServer()
+  })
+
+  afterEach(async () => {
+    const db = useDb()
+    await db.teardown()
+  })
+
+  it("should fail to accept an invite with an invalid invite token", async () => {
+    const api = useApi()! as AxiosInstance
+
+    const authResponse = await api.post(`/auth/admin/emailpass`, {
+      email: "potential_member@test.com",
+      password: "supersecret",
+    })
+
+    expect(authResponse.status).toEqual(200)
+    const token = authResponse.data.token
+
+    const acceptResponse = await api
+      .post(
+        `/admin/invites/accept?token=${"non-existing-token"}`,
+        {
+          first_name: "John",
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${token}`,
+          },
+        }
+      )
+      .catch((e) => e)
+
+    expect(acceptResponse.response.status).toEqual(401)
+    expect(acceptResponse.response.data.message).toEqual("Unauthorized")
+  })
+
+  it("should accept an invite", async () => {
+    const invite = await userModuleService.createInvites({
+      email: "potential_member@test.com",
+    })
+
+    const api = useApi()! as AxiosInstance
+
+    const authResponse = await api.post(`/auth/admin/emailpass`, {
+      email: "potential_member@test.com",
+      password: "supersecret",
+    })
+
+    expect(authResponse.status).toEqual(200)
+    const token = authResponse.data.token
+
+    const acceptResponse = await api.post(
+      `/admin/invites/accept?token=${invite.token}`,
+      {
+        first_name: "John",
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      }
+    )
+
+    expect(acceptResponse.status).toEqual(200)
+    expect(acceptResponse.data.user).toEqual(
+      expect.objectContaining({
+        email: "potential_member@test.com",
+        first_name: "John",
+      })
+    )
+  })
+})

integration-tests/plugins/__tests__/promotion/admin/create-campaign.spec.ts

@@ -1,11 +1,12 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +38,7 @@ describe("POST /admin/campaigns", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/create-promotion.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import { PromotionType } from "@medusajs/utils"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -38,7 +39,7 @@ describe("POST /admin/promotions", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/delete-campaign.spec.ts

@@ -1,11 +1,12 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +38,7 @@ describe("DELETE /admin/campaigns/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/delete-promotion.spec.ts

@@ -1,11 +1,12 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +38,7 @@ describe("DELETE /admin/promotions/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/list-campaigns.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IPromotionModuleService } from "@medusajs/types"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { CampaignBudgetType } from "@medusajs/utils"
+import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -69,7 +70,7 @@ describe("GET /admin/campaigns", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
     await promotionModuleService.createCampaigns(campaignsData)
   })
 

integration-tests/plugins/__tests__/promotion/admin/list-promotions.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import { PromotionType } from "@medusajs/utils"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -38,7 +39,7 @@ describe("GET /admin/promotions", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/retrieve-campaign.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IPromotionModuleService } from "@medusajs/types"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { CampaignBudgetType } from "@medusajs/utils"
+import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -52,7 +53,7 @@ describe("GET /admin/campaigns", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/retrieve-promotion.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import { PromotionType } from "@medusajs/utils"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -38,7 +39,7 @@ describe("GET /admin/promotions", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/update-campaign.spec.ts

@@ -1,11 +1,12 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -37,7 +38,7 @@ describe("POST /admin/campaigns/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/promotion/admin/update-promotion.spec.ts

@@ -1,12 +1,13 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import { PromotionType } from "@medusajs/utils"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -38,7 +39,7 @@ describe("POST /admin/promotions/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterEach(async () => {

integration-tests/plugins/__tests__/regions/admin/regions.spec.ts

@@ -1,11 +1,12 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { initDb, useDb } from "../../../../environment-helpers/use-db"
+
 import { IRegionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../../helpers/create-admin-user"
+import { getContainer } from "../../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../../environment-helpers/use-api"
-import { getContainer } from "../../../../environment-helpers/use-container"
-import { initDb, useDb } from "../../../../environment-helpers/use-db"
-import adminSeeder from "../../../../helpers/admin-seeder"
 
 jest.setTimeout(50000)
 
@@ -35,7 +36,7 @@ describe("Regions - Admin", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
 
     await service.createDefaultCountriesAndCurrencies()
   })

integration-tests/plugins/__tests__/users/create-user.spec.ts

@@ -1,13 +1,10 @@
 import { initDb, useDb } from "../../../environment-helpers/use-db"
 
-import { IUserModuleService } from "@medusajs/types"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { getContainer } from "../../../environment-helpers/use-container"
+import { AxiosInstance } from "axios"
+import { createAdminUser } from "../../helpers/create-admin-user"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../environment-helpers/use-api"
-import adminSeeder from "../../../helpers/admin-seeder"
-import { AxiosInstance } from "axios"
 
 jest.setTimeout(50000)
 
@@ -27,7 +24,7 @@ describe("POST /admin/users", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterAll(async () => {

integration-tests/plugins/__tests__/users/delete-user.spec.ts

@@ -1,13 +1,13 @@
 import { initDb, useDb } from "../../../environment-helpers/use-db"
 
+import { AxiosInstance } from "axios"
 import { IUserModuleService } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../helpers/create-admin-user"
 import { getContainer } from "../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../environment-helpers/use-api"
-import adminSeeder from "../../../helpers/admin-seeder"
-import { AxiosInstance } from "axios"
 
 jest.setTimeout(50000)
 
@@ -31,7 +31,7 @@ describe("DELETE /admin/users/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterAll(async () => {

integration-tests/plugins/__tests__/users/list-users.spec.ts

@@ -1,13 +1,13 @@
 import { initDb, useDb } from "../../../environment-helpers/use-db"
 
+import { AxiosInstance } from "axios"
 import { IUserModuleService } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../helpers/create-admin-user"
 import { getContainer } from "../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../environment-helpers/use-api"
-import adminSeeder from "../../../helpers/admin-seeder"
-import { AxiosInstance } from "axios"
 
 jest.setTimeout(50000)
 
@@ -31,7 +31,7 @@ describe("GET /admin/users", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterAll(async () => {

integration-tests/plugins/__tests__/users/retrieve-user.spec.ts

@@ -1,13 +1,13 @@
 import { initDb, useDb } from "../../../environment-helpers/use-db"
 
+import { AxiosInstance } from "axios"
 import { IUserModuleService } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../helpers/create-admin-user"
 import { getContainer } from "../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../environment-helpers/use-api"
-import adminSeeder from "../../../helpers/admin-seeder"
-import { AxiosInstance } from "axios"
 
 jest.setTimeout(50000)
 
@@ -31,7 +31,7 @@ describe("GET /admin/users/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterAll(async () => {

integration-tests/plugins/__tests__/users/update-user.spec.ts

@@ -1,13 +1,13 @@
 import { initDb, useDb } from "../../../environment-helpers/use-db"
 
+import { AxiosInstance } from "axios"
 import { IUserModuleService } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createAdminUser } from "../../helpers/create-admin-user"
 import { getContainer } from "../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
 import { useApi } from "../../../environment-helpers/use-api"
-import adminSeeder from "../../../helpers/admin-seeder"
-import { AxiosInstance } from "axios"
 
 jest.setTimeout(50000)
 
@@ -31,7 +31,7 @@ describe("POST /admin/users/:id", () => {
   })
 
   beforeEach(async () => {
-    await adminSeeder(dbConnection)
+    await createAdminUser(dbConnection, adminHeaders)
   })
 
   afterAll(async () => {

integration-tests/plugins/__tests__/workflow-engine/tests.ts

@@ -1,17 +1,18 @@
-import { useApi } from "../../../environment-helpers/use-api"
-import { initDb, useDb } from "../../../environment-helpers/use-db"
-
 import {
   createStep,
   createWorkflow,
   StepResponse,
   WorkflowData,
 } from "@medusajs/workflows-sdk"
+import { initDb, useDb } from "../../../environment-helpers/use-db"
+
 import { AxiosInstance } from "axios"
+import adminSeeder from "../../../helpers/admin-seeder"
+import { createAdminUser } from "../../helpers/create-admin-user"
+import { getContainer } from "../../../environment-helpers/use-container"
 import path from "path"
 import { startBootstrapApp } from "../../../environment-helpers/bootstrap-app"
-import { getContainer } from "../../../environment-helpers/use-container"
-import adminSeeder from "../../../helpers/admin-seeder"
+import { useApi } from "../../../environment-helpers/use-api"
 
 export const workflowEngineTestSuite = (env, extraParams = {}) => {
   const adminHeaders = {
@@ -31,7 +32,7 @@ export const workflowEngineTestSuite = (env, extraParams = {}) => {
       shutdownServer = await startBootstrapApp({ cwd, env })
       medusaContainer = getContainer()
 
-      await adminSeeder(dbConnection)
+      await createAdminUser(dbConnection, adminHeaders)
     })
 
     afterAll(async () => {

integration-tests/plugins/helpers/create-admin-user.ts

@@ -1,8 +1,8 @@
 import { IAuthModuleService } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 import adminSeeder from "../../helpers/admin-seeder"
-import jwt from "jsonwebtoken"
 import { getContainer } from "../../environment-helpers/use-container"
+import jwt from "jsonwebtoken"
 
 export const createAdminUser = async (dbConnection, adminHeaders) => {
   await adminSeeder(dbConnection)

integration-tests/plugins/medusa-config.js

@@ -43,6 +43,17 @@ module.exports = {
       scope: "internal",
       resources: "shared",
       resolve: "@medusajs/auth",
+      options: {
+        providers: [
+          {
+            name: "emailpass",
+            scopes: {
+              admin: {},
+              store: {},
+            },
+          },
+        ],
+      },
     },
     [Modules.USER]: {
       scope: "internal",

packages/medusa/src/api-v2/admin/api-keys/[id]/revoke/route.ts

@@ -1,15 +1,22 @@
-import { revokeApiKeysWorkflow } from "@medusajs/core-flows"
-import { RevokeApiKeyDTO } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+import { RevokeApiKeyDTO } from "@medusajs/types"
+import { revokeApiKeysWorkflow } from "@medusajs/core-flows"
+
+export const POST = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
 
   const { result, errors } = await revokeApiKeysWorkflow(req.scope).run({
     input: {
       selector: { id: req.params.id },
       revoke: {
-        revoked_by: req.auth_user?.id,
+        revoked_by: req.auth.actor_id,
       } as RevokeApiKeyDTO,
     },
     throwOnError: false,

packages/medusa/src/api-v2/admin/api-keys/[id]/route.ts

@@ -1,13 +1,20 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   deleteApiKeysWorkflow,
   updateApiKeysWorkflow,
 } from "@medusajs/core-flows"
-import { UpdateApiKeyDTO } from "@medusajs/types"
-import { remoteQueryObjectFromString } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
-import { defaultAdminApiKeyFields } from "../query-config"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { UpdateApiKeyDTO } from "@medusajs/types"
+import { defaultAdminApiKeyFields } from "../query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve("remoteQuery")
 
   const variables = { id: req.params.id }
@@ -23,11 +30,14 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ apiKey })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<Omit<UpdateApiKeyDTO, "id">>,
+  res: MedusaResponse
+) => {
   const { result, errors } = await updateApiKeysWorkflow(req.scope).run({
     input: {
       selector: { id: req.params.id },
-      update: req.validatedBody as Omit<UpdateApiKeyDTO, "id">,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -39,7 +49,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ apiKey: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
 
   const { errors } = await deleteApiKeysWorkflow(req.scope).run({

packages/medusa/src/api-v2/admin/api-keys/middlewares.ts

@@ -1,25 +1,21 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
-  AdminGetApiKeysParams,
   AdminGetApiKeysApiKeyParams,
-  AdminPostApiKeysReq,
+  AdminGetApiKeysParams,
   AdminPostApiKeysApiKeyReq,
+  AdminPostApiKeysReq,
   AdminRevokeApiKeysApiKeyReq,
 } from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminApiKeyRoutesMiddlewares: MiddlewareRoute[] = [
   {
     matcher: "/admin/api-keys*",
-    // middlewares: [authenticate("admin", ["bearer", "session"])],
-    // TODO: Apply authentication middleware correctly once https://github.com/medusajs/medusa/pull/6447 is merged.
-    middlewares: [
-      (req, res, next) => {
-        req.auth_user = { id: "test" }
-        next()
-      },
-    ],
+    middlewares: [authenticate("admin", ["bearer", "session"])],
   },
   {
     method: ["GET"],

packages/medusa/src/api-v2/admin/api-keys/route.ts

@@ -1,10 +1,17 @@
-import { createApiKeysWorkflow } from "@medusajs/core-flows"
-import { CreateApiKeyDTO } from "@medusajs/types"
-import { remoteQueryObjectFromString } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-import { defaultAdminApiKeyFields } from "./query-config"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { CreateApiKeyDTO } from "@medusajs/types"
+import { createApiKeysWorkflow } from "@medusajs/core-flows"
+import { defaultAdminApiKeyFields } from "./query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve("remoteQuery")
 
   const queryObject = remoteQueryObjectFromString({
@@ -28,11 +35,14 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<Omit<CreateApiKeyDTO, "created_by">>,
+  res: MedusaResponse
+) => {
   const input = [
     {
-      ...(req.validatedBody as Omit<CreateApiKeyDTO, "created_by">),
-      created_by: req.auth_user?.id,
+      ...req.validatedBody,
+      created_by: req.auth.actor_id,
     } as CreateApiKeyDTO,
   ]
 

packages/medusa/src/api-v2/admin/campaigns/[id]/route.ts

@@ -1,12 +1,22 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   deleteCampaignsWorkflow,
   updateCampaignsWorkflow,
 } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IPromotionModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostCampaignsReq } from "../validators"
+import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { UpdateCampaignDTO } from "@medusajs/types"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const promotionModuleService: IPromotionModuleService = req.scope.resolve(
     ModuleRegistrationName.PROMOTION
   )
@@ -22,14 +32,17 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ campaign })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostCampaignsReq>,
+  res: MedusaResponse
+) => {
   const updateCampaigns = updateCampaignsWorkflow(req.scope)
   const campaignsData = [
     {
       id: req.params.id,
-      ...(req.validatedBody || {}),
+      ...req.validatedBody,
     },
-  ]
+  ] as UpdateCampaignDTO[]
 
   const { result, errors } = await updateCampaigns.run({
     input: { campaignsData },
@@ -43,7 +56,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ campaign: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
   const manager = req.scope.resolve("manager")
   const deleteCampaigns = deleteCampaignsWorkflow(req.scope)

packages/medusa/src/api-v2/admin/campaigns/middlewares.ts

@@ -1,22 +1,25 @@
-import { MedusaV2Flag } from "@medusajs/utils"
-import {
-  isFeatureFlagEnabled,
-  transformBody,
-  transformQuery,
-} from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
   AdminGetCampaignsCampaignParams,
   AdminGetCampaignsParams,
   AdminPostCampaignsCampaignReq,
   AdminPostCampaignsReq,
 } from "./validators"
+import {
+  isFeatureFlagEnabled,
+  transformBody,
+  transformQuery,
+} from "../../../api/middlewares"
+
+import { MedusaV2Flag } from "@medusajs/utils"
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminCampaignRoutesMiddlewares: MiddlewareRoute[] = [
   {
     matcher: "/admin/campaigns*",
-    middlewares: [isFeatureFlagEnabled(MedusaV2Flag.key)],
+    middlewares: [authenticate("admin", ["bearer", "session"])],
   },
   {
     method: ["GET"],

packages/medusa/src/api-v2/admin/campaigns/route.ts

@@ -1,9 +1,17 @@
-import { createCampaignsWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import { CreateCampaignDTO, IPromotionModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createCampaignsWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const promotionModuleService: IPromotionModuleService = req.scope.resolve(
     ModuleRegistrationName.PROMOTION
   )
@@ -23,9 +31,12 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCampaignDTO>,
+  res: MedusaResponse
+) => {
   const createCampaigns = createCampaignsWorkflow(req.scope)
-  const campaignsData = [req.validatedBody as CreateCampaignDTO]
+  const campaignsData = [req.validatedBody]
 
   const { result, errors } = await createCampaigns.run({
     input: { campaignsData },

packages/medusa/src/api-v2/admin/campaigns/validators.ts

@@ -1,5 +1,4 @@
-import { CampaignBudgetType } from "@medusajs/utils"
-import { Type } from "class-transformer"
+import { FindParams, extendedFindParamsMixin } from "../../../types/common"
 import {
   IsArray,
   IsDateString,
@@ -10,7 +9,10 @@ import {
   IsString,
   ValidateNested,
 } from "class-validator"
-import { FindParams, extendedFindParamsMixin } from "../../../types/common"
+import { Transform, Type } from "class-transformer"
+
+import { CampaignBudgetType } from "@medusajs/utils"
+import { transformOptionalDate } from "../../../utils/validators/date-transform"
 
 export class AdminGetCampaignsCampaignParams extends FindParams {}
 

packages/medusa/src/api-v2/admin/customer-groups/[id]/customers/batch/route.ts

@@ -1,11 +1,18 @@
-import { createCustomerGroupCustomersWorkflow } from "@medusajs/core-flows"
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
-import { AdminPostCustomerGroupsGroupCustomersBatchReq } from "../../../validators"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostCustomerGroupsGroupCustomersBatchReq } from "../../../validators"
+import { createCustomerGroupCustomersWorkflow } from "@medusajs/core-flows"
+
+export const POST = async (
+  // eslint-disable-next-line max-len
+  req: AuthenticatedMedusaRequest<AdminPostCustomerGroupsGroupCustomersBatchReq>,
+  res: MedusaResponse
+) => {
   const { id } = req.params
-  const { customer_ids } =
-    req.validatedBody as AdminPostCustomerGroupsGroupCustomersBatchReq
+  const { customer_ids } = req.validatedBody
 
   const createCustomers = createCustomerGroupCustomersWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/customer-groups/[id]/customers/remove/route.ts

@@ -1,12 +1,18 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
+
+import { AdminPostCustomerGroupsGroupCustomersBatchReq } from "../../../validators"
 import { deleteCustomerGroupCustomersWorkflow } from "@medusajs/core-flows"
 
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
-import { AdminPostCustomerGroupsGroupCustomersBatchReq } from "../../../validators"
-
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  // eslint-disable-next-line max-len
+  req: AuthenticatedMedusaRequest<AdminPostCustomerGroupsGroupCustomersBatchReq>,
+  res: MedusaResponse
+) => {
   const { id } = req.params
-  const { customer_ids } =
-    req.validatedBody as AdminPostCustomerGroupsGroupCustomersBatchReq
+  const { customer_ids } = req.validatedBody
 
   const deleteCustomers = deleteCustomerGroupCustomersWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/customer-groups/[id]/customers/route.ts

@@ -1,8 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { ICustomerModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ICustomerModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
 
   const service = req.scope.resolve<ICustomerModuleService>(

packages/medusa/src/api-v2/admin/customer-groups/[id]/route.ts

@@ -1,15 +1,22 @@
 import {
-  updateCustomerGroupsWorkflow,
-  deleteCustomerGroupsWorkflow,
-} from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   CustomerGroupUpdatableFields,
   ICustomerModuleService,
 } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
+import {
+  deleteCustomerGroupsWorkflow,
+  updateCustomerGroupsWorkflow,
+} from "@medusajs/core-flows"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -25,12 +32,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ customer_group: group })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CustomerGroupUpdatableFields>,
+  res: MedusaResponse
+) => {
   const updateGroups = updateCustomerGroupsWorkflow(req.scope)
   const { result, errors } = await updateGroups.run({
     input: {
       selector: { id: req.params.id },
-      update: req.validatedBody as CustomerGroupUpdatableFields,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -42,7 +52,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ customer_group: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
   const deleteCustomerGroups = deleteCustomerGroupsWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/customer-groups/middlewares.ts

@@ -1,16 +1,19 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
-import { listTransformQueryConfig as customersListTransformQueryConfig } from "../customers/query-config"
+
 import {
-  AdminGetCustomerGroupsParams,
-  AdminGetCustomerGroupsGroupParams,
-  AdminPostCustomerGroupsReq,
-  AdminPostCustomerGroupsGroupReq,
-  AdminGetCustomerGroupsGroupCustomersParams,
-  AdminPostCustomerGroupsGroupCustomersBatchReq,
   AdminDeleteCustomerGroupsGroupCustomersBatchReq,
+  AdminGetCustomerGroupsGroupCustomersParams,
+  AdminGetCustomerGroupsGroupParams,
+  AdminGetCustomerGroupsParams,
+  AdminPostCustomerGroupsGroupCustomersBatchReq,
+  AdminPostCustomerGroupsGroupReq,
+  AdminPostCustomerGroupsReq,
 } from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
+import { listTransformQueryConfig as customersListTransformQueryConfig } from "../customers/query-config"
 
 export const adminCustomerGroupRoutesMiddlewares: MiddlewareRoute[] = [
   {
@@ -23,6 +26,11 @@ export const adminCustomerGroupRoutesMiddlewares: MiddlewareRoute[] = [
       ),
     ],
   },
+  {
+    method: ["ALL"],
+    matcher: "/admin/customer-groups*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/customer-groups/:id",

packages/medusa/src/api-v2/admin/customer-groups/route.ts

@@ -1,9 +1,17 @@
-import { createCustomerGroupsWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import { CreateCustomerGroupDTO, ICustomerModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createCustomerGroupsWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -24,12 +32,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCustomerGroupDTO>,
+  res: MedusaResponse
+) => {
   const createGroups = createCustomerGroupsWorkflow(req.scope)
   const customersData = [
     {
-      ...(req.validatedBody as CreateCustomerGroupDTO),
-      created_by: req.user!.id,
+      ...req.validatedBody,
+      created_by: req.auth.actor_id,
     },
   ]
 

packages/medusa/src/api-v2/admin/customers/[id]/addresses/[address_id]/route.ts

@@ -1,12 +1,19 @@
 import {
-  updateCustomerAddressesWorkflow,
-  deleteCustomerAddressesWorkflow,
-} from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
 import { CustomerAddressDTO, ICustomerModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
+import {
+  deleteCustomerAddressesWorkflow,
+  updateCustomerAddressesWorkflow,
+} from "@medusajs/core-flows"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -22,12 +29,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ address })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<Partial<CustomerAddressDTO>>,
+  res: MedusaResponse
+) => {
   const updateAddresses = updateCustomerAddressesWorkflow(req.scope)
   const { result, errors } = await updateAddresses.run({
     input: {
       selector: { id: req.params.address_id, customer_id: req.params.id },
-      update: req.validatedBody as Partial<CustomerAddressDTO>,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -39,7 +49,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ address: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.address_id
   const deleteAddress = deleteCustomerAddressesWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/customers/[id]/addresses/route.ts

@@ -1,12 +1,19 @@
-import { createCustomerAddressesWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 import {
   CreateCustomerAddressDTO,
   ICustomerModuleService,
 } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createCustomerAddressesWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerId = req.params.id
 
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
@@ -28,12 +35,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCustomerAddressDTO>,
+  res: MedusaResponse
+) => {
   const customerId = req.params.id
   const createAddresses = createCustomerAddressesWorkflow(req.scope)
   const addresses = [
     {
-      ...(req.validatedBody as CreateCustomerAddressDTO),
+      ...req.validatedBody,
       customer_id: customerId,
     },
   ]

packages/medusa/src/api-v2/admin/customers/[id]/route.ts

@@ -1,15 +1,22 @@
 import {
-  updateCustomersWorkflow,
-  deleteCustomersWorkflow,
-} from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   CustomerUpdatableFields,
   ICustomerModuleService,
 } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
+import {
+  deleteCustomersWorkflow,
+  updateCustomersWorkflow,
+} from "@medusajs/core-flows"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -22,12 +29,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ customer })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CustomerUpdatableFields>,
+  res: MedusaResponse
+) => {
   const updateCustomers = updateCustomersWorkflow(req.scope)
   const { result, errors } = await updateCustomers.run({
     input: {
       selector: { id: req.params.id },
-      update: req.validatedBody as CustomerUpdatableFields,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -39,7 +49,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ customer: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
   const deleteCustomers = deleteCustomersWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/customers/middlewares.ts

@@ -1,17 +1,25 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
-  AdminGetCustomersParams,
-  AdminGetCustomersCustomerParams,
-  AdminPostCustomersReq,
-  AdminPostCustomersCustomerReq,
-  AdminPostCustomersCustomerAddressesReq,
   AdminGetCustomersCustomerAddressesParams,
+  AdminGetCustomersCustomerParams,
+  AdminGetCustomersParams,
   AdminPostCustomersCustomerAddressesAddressReq,
+  AdminPostCustomersCustomerAddressesReq,
+  AdminPostCustomersCustomerReq,
+  AdminPostCustomersReq,
 } from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminCustomerRoutesMiddlewares: MiddlewareRoute[] = [
+  {
+    method: ["ALL"],
+    matcher: "/admin/customers*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/customers",

packages/medusa/src/api-v2/admin/customers/route.ts

@@ -1,9 +1,16 @@
-import { createCustomersWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import { CreateCustomerDTO, ICustomerModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createCustomersWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -41,12 +48,16 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCustomerDTO>,
+  res: MedusaResponse
+) => {
   const createCustomers = createCustomersWorkflow(req.scope)
+
   const customersData = [
     {
-      ...(req.validatedBody as CreateCustomerDTO),
-      created_by: req.user!.id,
+      ...req.validatedBody,
+      created_by: req.auth?.actor_id,
     },
   ]
 

packages/medusa/src/api-v2/admin/invites/[id]/route.ts

@@ -1,15 +1,20 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   ContainerRegistrationKeys,
   MedusaError,
   remoteQueryObjectFromString,
 } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
+
 import { deleteInvitesWorkflow } from "@medusajs/core-flows"
-import { IUserModuleService, UpdateUserDTO } from "@medusajs/types"
-import { ModuleRegistrationName } from "../../../../../../modules-sdk/dist"
 
 // Get invite
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
   const remoteQuery = req.scope.resolve(ContainerRegistrationKeys.REMOTE_QUERY)
 
@@ -34,7 +39,10 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // delete invite
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
   const workflow = deleteInvitesWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/invites/accept/route.ts

@@ -1,16 +1,23 @@
-import { acceptInviteWorkflow } from "@medusajs/core-flows"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
-import { InviteWorkflow } from "@medusajs/types"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
+
 import { AdminPostInvitesInviteAcceptReq } from "../validators"
 import { IUserModuleService } from "@medusajs/types"
+import { InviteWorkflow } from "@medusajs/types"
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { acceptInviteWorkflow } from "@medusajs/core-flows"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  if (req.auth_user?.app_metadata?.user_id) {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostInvitesInviteAcceptReq>,
+  res: MedusaResponse
+) => {
+  if (req.auth.actor_id) {
     const moduleService: IUserModuleService = req.scope.resolve(
       ModuleRegistrationName.USER
     )
-    const user = moduleService.retrieve(req.auth_user.app_metadata.user_id)
+    const user = moduleService.retrieve(req.auth.actor_id)
     res.status(200).json({ user })
     return
   }
@@ -19,11 +26,18 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
 
   const input = {
     invite_token: req.filterableFields.token as string,
-    auth_user_id: req.auth_user!.id,
-    user: req.validatedBody as AdminPostInvitesInviteAcceptReq,
+    auth_user_id: req.auth?.auth_user_id,
+    user: req.validatedBody,
   } as InviteWorkflow.AcceptInviteWorkflowInputDTO
 
-  const { result: users } = await workflow.run({ input })
+  let users
+  try {
+    const { result } = await workflow.run({ input })
+    users = result
+  } catch (e) {
+    res.status(401).json({ message: "Unauthorized" })
+    return
+  }
 
   // Set customer_id on session user if we are in session
   if (req.session.auth_user) {

packages/medusa/src/api-v2/admin/invites/middlewares.ts

@@ -1,19 +1,35 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
+import * as QueryConfig from "./query-config"
+
 import {
   AdminCreateInviteRequest,
-  AdminGetInvitesParams,
   AdminGetInvitesInviteParams,
-  AdminPostInvitesInviteAcceptReq,
+  AdminGetInvitesParams,
   AdminPostInvitesInviteAcceptParams,
+  AdminPostInvitesInviteAcceptReq,
 } from "./validators"
-import * as QueryConfig from "./query-config"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
 import { MiddlewareRoute } from "../../../types/middlewares"
 import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminInviteRoutesMiddlewares: MiddlewareRoute[] = [
   {
     method: "ALL",
-    matcher: "/admin/invites*",
+    matcher: "/admin/invites",
+    middlewares: [authenticate("admin", ["session", "bearer"])],
+  },
+  {
+    method: "POST",
+    matcher: "/admin/invites/accept",
+    middlewares: [
+      authenticate("admin", ["session", "bearer"], {
+        allowUnregistered: true,
+      }),
+    ],
+  },
+  {
+    method: ["GET", "DELETE"],
+    matcher: "/admin/invites/:id",
     middlewares: [authenticate("admin", ["session", "bearer"])],
   },
   {

packages/medusa/src/api-v2/admin/invites/route.ts

@@ -1,13 +1,20 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import {
   ContainerRegistrationKeys,
   remoteQueryObjectFromString,
 } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
+
+import { CreateInviteDTO } from "@medusajs/types"
 import { createInvitesWorkflow } from "@medusajs/core-flows"
-import { CreateInviteDTO, CreateUserDTO } from "@medusajs/types"
 
 // List invites
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve(ContainerRegistrationKeys.REMOTE_QUERY)
 
   const query = remoteQueryObjectFromString({
@@ -34,12 +41,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // Create invite
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateInviteDTO>,
+  res: MedusaResponse
+) => {
   const workflow = createInvitesWorkflow(req.scope)
 
   const input = {
     input: {
-      invites: [req.validatedBody as CreateInviteDTO],
+      invites: [req.validatedBody],
     },
   }
 

packages/medusa/src/api-v2/admin/promotions/[id]/route.ts

@@ -1,12 +1,22 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   deletePromotionsWorkflow,
   updatePromotionsWorkflow,
 } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IPromotionModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostPromotionsPromotionReq } from "../validators"
+import { IPromotionModuleService } from "@medusajs/types"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { UpdateApplicationMethodDTO } from "@medusajs/types"
+import { UpdatePromotionDTO } from "@medusajs/types"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const promotionModuleService: IPromotionModuleService = req.scope.resolve(
     ModuleRegistrationName.PROMOTION
   )
@@ -19,14 +29,17 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ promotion })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostPromotionsPromotionReq>,
+  res: MedusaResponse
+) => {
   const updatePromotions = updatePromotionsWorkflow(req.scope)
   const promotionsData = [
     {
       id: req.params.id,
-      ...(req.validatedBody || {}),
+      ...req.validatedBody,
     },
-  ]
+  ] as UpdatePromotionDTO[]
 
   const { result, errors } = await updatePromotions.run({
     input: { promotionsData },
@@ -40,7 +53,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ promotion: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
   const manager = req.scope.resolve("manager")
   const deletePromotions = deletePromotionsWorkflow(req.scope)

packages/medusa/src/api-v2/admin/promotions/middlewares.ts

@@ -1,23 +1,25 @@
-import { MedusaV2Flag } from "@medusajs/utils"
-
-import {
-  isFeatureFlagEnabled,
-  transformBody,
-  transformQuery,
-} from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
   AdminGetPromotionsParams,
   AdminGetPromotionsPromotionParams,
   AdminPostPromotionsPromotionReq,
   AdminPostPromotionsReq,
 } from "./validators"
+import {
+  isFeatureFlagEnabled,
+  transformBody,
+  transformQuery,
+} from "../../../api/middlewares"
+
+import { MedusaV2Flag } from "@medusajs/utils"
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminPromotionRoutesMiddlewares: MiddlewareRoute[] = [
   {
     matcher: "/admin/promotions*",
-    middlewares: [isFeatureFlagEnabled(MedusaV2Flag.key)],
+    middlewares: [authenticate("admin", ["bearer", "session"])],
   },
   {
     method: ["GET"],

packages/medusa/src/api-v2/admin/promotions/route.ts

@@ -1,9 +1,16 @@
-import { createPromotionsWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import { CreatePromotionDTO, IPromotionModuleService } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createPromotionsWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const promotionModuleService: IPromotionModuleService = req.scope.resolve(
     ModuleRegistrationName.PROMOTION
   )
@@ -23,9 +30,12 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreatePromotionDTO>,
+  res: MedusaResponse
+) => {
   const createPromotions = createPromotionsWorkflow(req.scope)
-  const promotionsData = [req.validatedBody as CreatePromotionDTO]
+  const promotionsData = [req.validatedBody]
 
   const { result, errors } = await createPromotions.run({
     input: { promotionsData },

packages/medusa/src/api-v2/admin/regions/[id]/route.ts

@@ -1,13 +1,20 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import {
   deleteRegionsWorkflow,
   updateRegionsWorkflow,
 } from "@medusajs/core-flows"
-import { UpdateRegionDTO } from "@medusajs/types"
-import { remoteQueryObjectFromString } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
-import { defaultAdminRegionFields } from "../query-config"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { UpdateRegionDTO } from "@medusajs/types"
+import { defaultAdminRegionFields } from "../query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve("remoteQuery")
 
   const variables = { id: req.params.id }
@@ -23,11 +30,14 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ region })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<UpdateRegionDTO>,
+  res: MedusaResponse
+) => {
   const { result, errors } = await updateRegionsWorkflow(req.scope).run({
     input: {
       selector: { id: req.params.id },
-      update: req.validatedBody as UpdateRegionDTO,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -39,7 +49,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ region: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const id = req.params.id
 
   const { errors } = await deleteRegionsWorkflow(req.scope).run({

packages/medusa/src/api-v2/admin/regions/middlewares.ts

@@ -1,14 +1,22 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
   AdminGetRegionsParams,
   AdminGetRegionsRegionParams,
   AdminPostRegionsRegionReq,
   AdminPostRegionsReq,
 } from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminRegionRoutesMiddlewares: MiddlewareRoute[] = [
+  {
+    method: ["ALL"],
+    matcher: "/admin/regions*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/regions",

packages/medusa/src/api-v2/admin/regions/route.ts

@@ -1,10 +1,17 @@
-import { createRegionsWorkflow } from "@medusajs/core-flows"
-import { CreateRegionDTO } from "@medusajs/types"
-import { remoteQueryObjectFromString } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-import { defaultAdminRegionFields } from "./query-config"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { CreateRegionDTO } from "@medusajs/types"
+import { createRegionsWorkflow } from "@medusajs/core-flows"
+import { defaultAdminRegionFields } from "./query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve("remoteQuery")
 
   const queryObject = remoteQueryObjectFromString({
@@ -28,10 +35,13 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateRegionDTO>,
+  res: MedusaResponse
+) => {
   const input = [
     {
-      ...(req.validatedBody as CreateRegionDTO),
+      ...req.validatedBody,
     },
   ]
 

packages/medusa/src/api-v2/admin/users/[id]/route.ts

@@ -1,15 +1,18 @@
 import {
-  ContainerRegistrationKeys,
-  remoteQueryObjectFromString,
-} from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
-import { deleteUsersWorkflow, updateUsersWorkflow } from "@medusajs/core-flows"
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import { IUserModuleService, UpdateUserDTO } from "@medusajs/types"
-import { ModuleRegistrationName } from "../../../../../../modules-sdk/dist"
+import { deleteUsersWorkflow, updateUsersWorkflow } from "@medusajs/core-flows"
+
 import { AdminUpdateUserRequest } from "../validators"
+import { ModuleRegistrationName } from "../../../../../../modules-sdk/dist"
 
 // Get user
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
 
   const moduleService: IUserModuleService = req.scope.resolve(
@@ -21,14 +24,17 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // update user
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminUpdateUserRequest>,
+  res: MedusaResponse
+) => {
   const workflow = updateUsersWorkflow(req.scope)
 
   const input = {
     updates: [
       {
         id: req.params.id,
-        ...(req.validatedBody as AdminUpdateUserRequest),
+        ...req.validatedBody,
       } as UpdateUserDTO,
     ],
   }
@@ -41,7 +47,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // delete user
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
   const workflow = deleteUsersWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/users/middlewares.ts

@@ -1,14 +1,22 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
+import * as QueryConfig from "./query-config"
+
 import {
   AdminCreateUserRequest,
   AdminGetUsersParams,
   AdminGetUsersUserParams,
   AdminUpdateUserRequest,
 } from "./validators"
-import * as QueryConfig from "./query-config"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
 import { MiddlewareRoute } from "../../../types/middlewares"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminUserRoutesMiddlewares: MiddlewareRoute[] = [
+  {
+    method: ["ALL"],
+    matcher: "/admin/users*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/users",

packages/medusa/src/api-v2/admin/users/route.ts

@@ -1,12 +1,19 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import {
   ContainerRegistrationKeys,
   remoteQueryObjectFromString,
 } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-import { createUsersWorkflow } from "@medusajs/core-flows"
-import { CreateUserDTO } from "@medusajs/types"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { CreateUserDTO } from "@medusajs/types"
+import { createUsersWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve(ContainerRegistrationKeys.REMOTE_QUERY)
 
   const query = remoteQueryObjectFromString({
@@ -32,12 +39,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateUserDTO>,
+  res: MedusaResponse
+) => {
   const workflow = createUsersWorkflow(req.scope)
 
   const input = {
     input: {
-      users: [req.validatedBody as CreateUserDTO],
+      users: [req.validatedBody],
     },
   }
 

packages/medusa/src/api-v2/admin/workflows-executions/[id]/route.ts

@@ -1,8 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/[transaction_id]/[step_id]/subscribe/route.ts

@@ -1,11 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
 import {
-  MedusaRequest,
+  AuthenticatedMedusaRequest,
   MedusaResponse,
 } from "../../../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/[transaction_id]/route.ts

@@ -1,8 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/run/route.ts

@@ -1,20 +1,26 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 import {
   IWorkflowEngineService,
   WorkflowOrchestratorTypes,
 } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
-import { AdminPostWorkflowsRunReq } from "../../validators"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostWorkflowsRunReq } from "../../validators"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostWorkflowsRunReq>,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )
 
   const { workflow_id } = req.params
 
-  const { transaction_id, input } =
-    req.validatedBody as AdminPostWorkflowsRunReq
+  const { transaction_id, input } = req.validatedBody
 
   const options = {
     transactionId: transaction_id,

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/steps/failure/route.ts

@@ -1,17 +1,24 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { TransactionHandlerType, isDefined } from "@medusajs/utils"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
 import { IWorkflowEngineService, StepResponse } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
-import { AdminPostWorkflowsAsyncResponseReq } from "../../../validators"
+import { TransactionHandlerType, isDefined } from "@medusajs/utils"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostWorkflowsAsyncResponseReq } from "../../../validators"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostWorkflowsAsyncResponseReq>,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )
 
   const { workflow_id } = req.params
 
-  const body = req.validatedBody as AdminPostWorkflowsAsyncResponseReq
+  const body = req.validatedBody
 
   const { transaction_id, step_id } = body
 

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/steps/success/route.ts

@@ -1,17 +1,24 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { TransactionHandlerType, isDefined } from "@medusajs/utils"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
 import { IWorkflowEngineService, StepResponse } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
-import { AdminPostWorkflowsAsyncResponseReq } from "../../../validators"
+import { TransactionHandlerType, isDefined } from "@medusajs/utils"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+import { AdminPostWorkflowsAsyncResponseReq } from "../../../validators"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminPostWorkflowsAsyncResponseReq>,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )
 
   const { workflow_id } = req.params
 
-  const body = req.validatedBody as AdminPostWorkflowsAsyncResponseReq
+  const body = req.validatedBody
 
   const { transaction_id, step_id } = body
 

packages/medusa/src/api-v2/admin/workflows-executions/[workflow_id]/subscribe/route.ts

@@ -1,8 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )

packages/medusa/src/api-v2/admin/workflows-executions/middlewares.ts

@@ -1,14 +1,22 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import * as QueryConfig from "./query-config"
+
 import {
   AdminGetWorkflowExecutionDetailsParams,
   AdminGetWorkflowExecutionsParams,
   AdminPostWorkflowsAsyncResponseReq,
   AdminPostWorkflowsRunReq,
 } from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminWorkflowsExecutionsMiddlewares: MiddlewareRoute[] = [
+  {
+    method: ["ALL"],
+    matcher: "/admin/workflows-executions*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/workflows-executions",

packages/medusa/src/api-v2/admin/workflows-executions/route.ts

@@ -1,8 +1,15 @@
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
-import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { IWorkflowEngineService } from "@medusajs/workflows-sdk"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const workflowEngineService: IWorkflowEngineService = req.scope.resolve(
     ModuleRegistrationName.WORKFLOW_ENGINE
   )

packages/medusa/src/api-v2/auth/session/route.ts

@@ -1,7 +1,13 @@
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  req.session.auth_user = req.auth_user
+export const POST = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  req.session.auth_user = req.auth
 
-  res.status(200).json({ user: req.auth_user })
+  res.status(200).json({ user: req.auth })
 }

packages/medusa/src/api-v2/store/carts/[id]/route.ts

@@ -1,9 +1,9 @@
-import { updateCartsWorkflow } from "@medusajs/core-flows"
-import { UpdateCartDataDTO } from "@medusajs/types"
 import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
 
-import { remoteQueryObjectFromString } from "@medusajs/utils"
+import { UpdateCartDataDTO } from "@medusajs/types"
 import { defaultStoreCartFields } from "../query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+import { updateCartsWorkflow } from "@medusajs/core-flows"
 
 export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   const remoteQuery = req.scope.resolve("remoteQuery")
@@ -20,12 +20,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.json({ cart })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: MedusaRequest<UpdateCartDataDTO>,
+  res: MedusaResponse
+) => {
   const updateCartWorkflow = updateCartsWorkflow(req.scope)
 
   const workflowInput = {
     selector: { id: req.params.id },
-    update: req.validatedBody as UpdateCartDataDTO,
+    update: req.validatedBody,
   }
 
   const { result, errors } = await updateCartWorkflow.run({

packages/medusa/src/api-v2/store/carts/route.ts

@@ -1,15 +1,24 @@
-import { createCartWorkflow } from "@medusajs/core-flows"
-import { CreateCartWorkflowInputDTO } from "@medusajs/types"
-import { remoteQueryObjectFromString } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-import { defaultStoreCartFields } from "../carts/query-config"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  const workflowInput = req.validatedBody as CreateCartWorkflowInputDTO
+import { CreateCartWorkflowInputDTO } from "@medusajs/types"
+import { StorePostCartReq } from "./validators"
+import { createCartWorkflow } from "@medusajs/core-flows"
+import { defaultStoreCartFields } from "../carts/query-config"
+import { remoteQueryObjectFromString } from "@medusajs/utils"
+
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCartWorkflowInputDTO>,
+  res: MedusaResponse
+) => {
+  const workflowInput = req.validatedBody
 
   // If the customer is logged in, we auto-assign them to the cart
-  if (req.auth_user?.app_metadata?.customer_id) {
-    workflowInput.customer_id = req.auth_user!.app_metadata?.customer_id
+  if (req.auth?.actor_id) {
+    workflowInput.customer_id = req.auth.actor_id
   }
 
   const { result, errors } = await createCartWorkflow(req.scope).run({

packages/medusa/src/api-v2/store/customers/me/addresses/[address_id]/route.ts

@@ -1,14 +1,22 @@
 import {
-  updateCustomerAddressesWorkflow,
-  deleteCustomerAddressesWorkflow,
-} from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../../../../types/routing"
 import { CustomerAddressDTO, ICustomerModuleService } from "@medusajs/types"
-import { MedusaError } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../../../types/routing"
+import {
+  deleteCustomerAddressesWorkflow,
+  updateCustomerAddressesWorkflow,
+} from "@medusajs/core-flows"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
-  const id = req.auth_user!.app_metadata.customer_id
+import { MedusaError } from "@medusajs/utils"
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  const id = req.auth.actor_id
 
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
@@ -25,8 +33,11 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ address })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  const id = req.auth_user!.app_metadata.customer_id
+export const POST = async (
+  req: AuthenticatedMedusaRequest<Partial<CustomerAddressDTO>>,
+  res: MedusaResponse
+) => {
+  const id = req.auth.actor_id!
   const service = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
   )
@@ -37,7 +48,7 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   const { result, errors } = await updateAddresses.run({
     input: {
       selector: { id: req.params.address_id, customer_id: req.params.id },
-      update: req.validatedBody as Partial<CustomerAddressDTO>,
+      update: req.validatedBody,
     },
     throwOnError: false,
   })
@@ -49,8 +60,11 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   res.status(200).json({ address: result[0] })
 }
 
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
-  const id = req.auth_user!.app_metadata.customer_id
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  const id = req.auth.actor_id
 
   const service = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER

packages/medusa/src/api-v2/store/customers/me/addresses/route.ts

@@ -1,13 +1,21 @@
-import { createCustomerAddressesWorkflow } from "@medusajs/core-flows"
-import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../../../../../types/routing"
 import {
   CreateCustomerAddressDTO,
   ICustomerModuleService,
 } from "@medusajs/types"
-import { MedusaRequest, MedusaResponse } from "../../../../../types/routing"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
-  const customerId = req.auth_user!.app_metadata.customer_id
+import { ModuleRegistrationName } from "@medusajs/modules-sdk"
+import { createCustomerAddressesWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  const customerId = req.auth.actor_id
 
   const customerModuleService = req.scope.resolve<ICustomerModuleService>(
     ModuleRegistrationName.CUSTOMER
@@ -28,13 +36,16 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  const customerId = req.auth_user!.app_metadata.customer_id
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateCustomerAddressDTO>,
+  res: MedusaResponse
+) => {
+  const customerId = req.auth.actor_id
 
   const createAddresses = createCustomerAddressesWorkflow(req.scope)
   const addresses = [
     {
-      ...(req.validatedBody as CreateCustomerAddressDTO),
+      ...req.validatedBody,
       customer_id: customerId,
     },
   ]

packages/medusa/src/api-v2/store/customers/me/route.ts

@@ -1,9 +1,15 @@
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 
 import { ModuleRegistrationName } from "@medusajs/modules-sdk"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
-  const id = req.auth_user!.app_metadata?.customer_id
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  const id = req.auth.actor_id
 
   const customerModule = req.scope.resolve(ModuleRegistrationName.CUSTOMER)
 

packages/medusa/src/api-v2/store/customers/middlewares.ts

@@ -1,22 +1,30 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
-import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
-import {
-  StorePostCustomersReq,
-  StoreGetCustomersMeParams,
-  StorePostCustomersMeAddressesReq,
-  StorePostCustomersMeAddressesAddressReq,
-  StoreGetCustomersMeAddressesParams,
-} from "./validators"
 import * as QueryConfig from "./query-config"
 
+import {
+  StoreGetCustomersMeAddressesParams,
+  StoreGetCustomersMeParams,
+  StorePostCustomersMeAddressesAddressReq,
+  StorePostCustomersMeAddressesReq,
+  StorePostCustomersReq,
+} from "./validators"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
+import { MiddlewareRoute } from "../../../loaders/helpers/routing/types"
 import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const storeCustomerRoutesMiddlewares: MiddlewareRoute[] = [
   {
     method: "ALL",
-    matcher: "/store/customers*",
+    matcher: "/store/customers/me*",
     middlewares: [authenticate("store", ["session", "bearer"])],
   },
+  {
+    method: "POST",
+    matcher: "/store/customers",
+    middlewares: [
+      authenticate("store", ["session", "bearer"], { allowUnregistered: true }),
+    ],
+  },
   {
     method: ["POST"],
     matcher: "/store/customers",

packages/medusa/src/api-v2/store/customers/route.ts

@@ -1,21 +1,27 @@
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import {
   ContainerRegistrationKeys,
   remoteQueryObjectFromString,
 } from "@medusajs/utils"
+
 import { CreateCustomerDTO } from "@medusajs/types"
 import { createCustomerAccountWorkflow } from "@medusajs/core-flows"
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
-  if (req.auth_user?.app_metadata?.customer_id) {
+export const POST = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
+  if (req.auth.actor_id) {
     const remoteQuery = req.scope.resolve(
       ContainerRegistrationKeys.REMOTE_QUERY
     )
 
     const query = remoteQueryObjectFromString({
       entryPoint: "customer",
-      variables: { id: req.auth_user.app_metadata.customer_id },
+      variables: { id: req.auth.actor_id },
       fields: [],
     })
     const [customer] = await remoteQuery(query)
@@ -29,7 +35,7 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
   const customersData = req.validatedBody as CreateCustomerDTO
 
   const { result } = await createCustomers.run({
-    input: { customersData, authUserId: req.auth_user!.id },
+    input: { customersData, authUserId: req.auth.auth_user_id },
   })
 
   // Set customer_id on session user if we are in session

packages/medusa/src/api/middlewares/authenticate-customer.ts

@@ -1,4 +1,6 @@
+import { ContainerRegistrationKeys, MedusaV2Flag } from "@medusajs/utils"
 import { NextFunction, Request, RequestHandler, Response } from "express"
+
 import passport from "passport"
 
 // Optional customer authentication
@@ -6,6 +8,13 @@ import passport from "passport"
 // If you want to require authentication, use `requireCustomerAuthentication` in `packages/medusa/src/api/middlewares/require-customer-authentication.ts`
 export default (): RequestHandler => {
   return (req: Request, res: Response, next: NextFunction): void => {
+    const featureFlagRouter = req.scope.resolve(
+      ContainerRegistrationKeys.FEATURE_FLAG_ROUTER
+    )
+    if (featureFlagRouter.isFeatureEnabled(MedusaV2Flag.key)) {
+      return next()
+    }
+
     passport.authenticate(
       ["store-session", "store-bearer"],
       { session: false },

packages/medusa/src/api/middlewares/authenticate.ts

@@ -1,12 +1,19 @@
+import { ContainerRegistrationKeys, MedusaV2Flag } from "@medusajs/utils"
 import { NextFunction, Request, RequestHandler, Response } from "express"
+
 import passport from "passport"
 
 export default (): RequestHandler => {
   return (req: Request, res: Response, next: NextFunction): void => {
-    passport.authenticate(["admin-session", "admin-bearer", "admin-api-token"], { session: false })(
-      req,
-      res,
-      next
+    const featureFlagRouter = req.scope.resolve(
+      ContainerRegistrationKeys.FEATURE_FLAG_ROUTER
     )
+    if (featureFlagRouter.isFeatureEnabled(MedusaV2Flag.key)) {
+      return next()
+    }
+    passport.authenticate(
+      ["admin-session", "admin-bearer", "admin-api-token"],
+      { session: false }
+    )(req, res, next)
   }
 }

packages/medusa/src/types/routing.ts

@@ -1,15 +1,30 @@
+import type { Customer, User } from "../models"
 import type { NextFunction, Request, Response } from "express"
 
-import type { Customer, User } from "../models"
 import { MedusaContainer } from "@medusajs/types"
+import { RequestQueryFields } from "@medusajs/types"
 
-export interface MedusaRequest extends Request {
-  user?: (User | Customer) & { customer_id?: string; userId?: string }
+export interface MedusaRequest<Body = unknown> extends Request {
+  validatedBody: Body
+  validatedQuery: RequestQueryFields & Record<string, unknown>
+  allowedProperties: string[]
+  includes?: Record<string, boolean>
+  errors: string[]
   scope: MedusaContainer
   session?: any
   rawBody?: any
   requestId?: string
-  auth_user?: { id: string; app_metadata: Record<string, any>; scope: string }
+}
+
+export interface AuthenticatedMedusaRequest<Body = never>
+  extends MedusaRequest<Body> {
+  user: (User | Customer) & { customer_id?: string; userId?: string } // TODO: Remove this property when v2 is released
+  auth: {
+    actor_id: string
+    auth_user_id: string
+    app_metadata: Record<string, any>
+    scope: string
+  }
 }
 
 export type MedusaResponse = Response
@@ -17,7 +32,7 @@ export type MedusaResponse = Response
 export type MedusaNextFunction = NextFunction
 
 export type MedusaRequestHandler = (
-  req: MedusaRequest,
+  req: MedusaRequest<unknown>,
   res: MedusaResponse,
   next: MedusaNextFunction
 ) => Promise<void> | void

packages/medusa/src/utils/authenticate-middleware.ts

@@ -1,8 +1,13 @@
-import { MedusaRequest, MedusaResponse } from "../types/routing"
+import { AuthUserDTO, IUserModuleService } from "@medusajs/types"
+import {
+  AuthenticatedMedusaRequest,
+  MedusaRequest,
+  MedusaResponse,
+} from "../types/routing"
 import { NextFunction, RequestHandler } from "express"
 import jwt, { JwtPayload } from "jsonwebtoken"
 
-import { AuthUserDTO } from "@medusajs/types"
+import { StringChain } from "lodash"
 import { stringEqualsOrRegexMatch } from "@medusajs/utils"
 
 const SESSION_AUTH = "session"
@@ -18,7 +23,7 @@ type AuthType = "session" | "bearer"
 export const authenticate = (
   authScope: string | RegExp,
   authType: AuthType | AuthType[],
-  options: { allowUnauthenticated?: boolean } = {}
+  options: { allowUnauthenticated?: boolean; allowUnregistered?: boolean } = {}
 ): RequestHandler => {
   return async (
     req: MedusaRequest,
@@ -67,9 +72,24 @@ export const authenticate = (
       }
     }
 
-    if (authUser) {
-      req.auth_user = {
-        id: authUser.id,
+    const isMedusaScope =
+      stringEqualsOrRegexMatch(authScope, "admin") ||
+      stringEqualsOrRegexMatch(authScope, "store")
+
+    const isRegistered =
+      !isMedusaScope ||
+      (authUser?.app_metadata?.user_id &&
+        stringEqualsOrRegexMatch(authScope, "admin")) ||
+      (authUser?.app_metadata?.customer_id &&
+        stringEqualsOrRegexMatch(authScope, "store"))
+
+    if (
+      authUser &&
+      (isRegistered || (!isRegistered && options.allowUnregistered))
+    ) {
+      ;(req as AuthenticatedMedusaRequest).auth = {
+        actor_id: getActorId(authUser, authScope) as string, // TODO: fix types for auth_users not in the medusa system
+        auth_user_id: authUser.id,
         app_metadata: authUser.app_metadata,
         scope: authUser.scope,
       }
@@ -83,3 +103,18 @@ export const authenticate = (
     res.status(401).json({ message: "Unauthorized" })
   }
 }
+
+const getActorId = (
+  authUser: AuthUserDTO,
+  scope: string | RegExp
+): string | undefined => {
+  if (stringEqualsOrRegexMatch(scope, "admin")) {
+    return authUser.app_metadata.user_id as string
+  }
+
+  if (stringEqualsOrRegexMatch(scope, "store")) {
+    return authUser.app_metadata.customer_id as string
+  }
+
+  return undefined
+}

packages/types/src/promotion/common/promotion.ts

@@ -1,13 +1,14 @@
-import { BaseFilterable } from "../../dal"
-import { CreateCampaignDTO } from "../mutations"
 import {
   ApplicationMethodDTO,
   CreateApplicationMethodDTO,
   UpdateApplicationMethodDTO,
 } from "./application-method"
-import { CampaignDTO } from "./campaign"
 import { CreatePromotionRuleDTO, PromotionRuleDTO } from "./promotion-rule"
 
+import { BaseFilterable } from "../../dal"
+import { CampaignDTO } from "./campaign"
+import { CreateCampaignDTO } from "../mutations"
+
 export type PromotionTypeValues = "standard" | "buyget"
 
 export interface PromotionDTO {

packages/user/src/services/invite.ts

@@ -4,9 +4,10 @@ import {
   MedusaError,
   ModulesSdkUtils,
 } from "@medusajs/utils"
+import jwt, { JwtPayload } from "jsonwebtoken"
+
 import { Invite } from "@models"
 import { InviteServiceTypes } from "@types"
-import jwt, { JwtPayload } from "jsonwebtoken"
 
 type InjectedDependencies = {
   inviteRepository: DAL.RepositoryService
@@ -91,7 +92,16 @@ export default class InviteService<
   ): Promise<TEntity> {
     const decoded = this.validateToken(token)
 
-    return await super.retrieve(decoded.payload.id, {}, context)
+    const invite = await super.retrieve(decoded.payload.id, {}, context)
+
+    if (invite.expires_at < new Date()) {
+      throw new MedusaError(
+        MedusaError.Types.INVALID_DATA,
+        "The invite has expired"
+      )
+    }
+
+    return invite
   }
 
   private generateToken(data: any): string {

packages/utils/src/common/container.ts

@@ -5,4 +5,5 @@ export const ContainerRegistrationKeys = {
   LOGGER: "logger",
   REMOTE_QUERY: "remoteQuery",
   REMOTE_LINK: "remoteLink",
+  FEATURE_FLAG_ROUTER: "featureFlagRouter",
 }