@albirex/platformatic-logto 1.4.2 → 3.0.0

package/README.md

@@ -17,6 +17,9 @@ Based on [@platformatic/db-authorization](https://github.com/platformatic/platfo
 - Customizable Hooks: Extend and customize authentication flows to fit your application's needs.
 - TypeScript Support: Written in TypeScript for type safety and improved developer experience.
 
+## Compatibility 
+  For Platformatic 2.x use version < 3.x<br />
+  For Platformatic 3.x use version 3.x
 ## Installation
 To install the package, use your preferred package manager:
 

package/lib/index.cjs

@@ -276,7 +276,8 @@ var platformaticLogto = (0, import_fastify_plugin.default)(async (app, opts) =>
           role: PLT_ADMIN_ROLE,
           find: true,
           save: true,
-          delete: true
+          delete: true,
+          updateMany: true
         });
       }
       checkSaveMandatoryFieldsInRules(type, rules2);

package/lib/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/utils/find-rule.ts","../src/utils/utils.ts","../src/utils/errors.ts"],"sourcesContent":["import fp from 'fastify-plugin'\nimport * as fastifyUser from 'fastify-user'\n\nimport findRule from './utils/find-rule.js'\nimport { getRequestFromContext, getRoles } from './utils/utils.js'\nimport { Unauthorized, UnauthorizedField, MissingNotNullableError } from './utils/errors.js'\nimport fastifyLogto from '@albirex/fastify-logto';\nimport { FastifyInstance, FastifyPluginAsync } from 'fastify'\nimport type { FastifyUserPluginOptions } from 'fastify-user';\nimport type { Entity, PlatformaticContext } from '@platformatic/sql-mapper'\nexport { fastifyLogto } from '@albirex/fastify-logto';\n\nconst PLT_ADMIN_ROLE = 'platformatic-admin'\n\nexport type PlatformaticRule = {\n    role: string;\n    entity?: string;\n    entities?: string[];\n    defaults?: Record<string, string>;\n    checks?: boolean;\n    find?: boolean;\n    save?: boolean;\n    delete?: boolean;\n\n};\n\nexport type PlatformaticLogtoAuthOptions = {\n    logtoBaseUrl?: string;\n    logtoAppId?: string;\n    logtoAppSecret?: string;\n    adminSecret?: string;\n    rolePath?: string;\n    roleKey?: string;\n    userPath?: string;\n    userKey?: string;\n    anonymousRole?: string;\n    allowAnonymous?: boolean;\n    checks?: boolean;\n    defaults?: boolean;\n    jwtPlugin: FastifyUserPluginOptions\n};\n\nexport const platformaticLogto: FastifyPluginAsync<PlatformaticLogtoAuthOptions> = fp(async (app: FastifyInstance, opts: PlatformaticLogtoAuthOptions) => {\n    app.register(fastifyLogto, {\n        endpoint: opts.logtoBaseUrl || 'https://auth.example.com',\n        appId: opts.logtoAppId || 'your-app-id',\n        appSecret: opts.logtoAppSecret || 'your-app-secret',\n    });\n\n    await app.register(fastifyUser as unknown as FastifyPluginAsync, opts.jwtPlugin);\n\n    const adminSecret = opts.adminSecret\n    const roleKey = opts.rolePath || opts.roleKey || 'X-PLATFORMATIC-ROLE'\n    const userKey = opts.userPath || opts.userKey || 'X-PLATFORMATIC-USER-ID'\n    const isRolePath = !!opts.rolePath // if `true` the role is intepreted as path like `user.role`\n    const anonymousRole = opts.anonymousRole || 'anonymous'\n\n    async function composeLogToRules() {\n        const rolesResp = await app.logto.callAPI('/api/roles?type=User', 'GET');\n\n        if (!rolesResp.ok) {\n            throw rolesResp;\n        }\n\n        const roles = await rolesResp.json();\n        const rules: PlatformaticRule[] = [{\n            role: anonymousRole,\n            entities: Object.keys(app.platformatic.entities),\n            find: opts.allowAnonymous,\n            save: opts.allowAnonymous,\n            delete: opts.allowAnonymous,\n        }];\n\n        for (const role of roles) {\n            const scopesResp = await app.logto.callAPI(`/api/roles/${role.id}/scopes`, 'GET');\n\n            if (!scopesResp.ok) {\n                throw scopesResp;\n            }\n\n            const scopes = await scopesResp.json();\n\n            for (const scope of scopes) {\n                const roleName = role.name;\n                // eslint-disable-next-line prefer-const\n                let [scopeAction, entity] = scope.name.split(':');\n\n                if (!app.platformatic.entities[entity]) {\n                    app.log.debug(`Unknown entity '${entity}' in authorization rule`)\n                    continue;\n                }\n\n                switch (scopeAction) {\n                    case 'create':\n                        scopeAction = 'save'\n                        break;\n                    case 'read':\n                        scopeAction = 'find'\n                        break;\n                    case 'update':\n                        scopeAction = 'updateMany'\n                        break;\n                }\n\n                const checkExists = rules.find(r => r.role === roleName && r.entity === entity);\n                if (checkExists) {\n                    if (opts.checks) {\n                        checkExists[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        checkExists[scopeAction] = true;\n                    }\n                } else {\n                    const newRule: PlatformaticRule = {\n                        role: roleName,\n                        entity,\n                    };\n\n                    if (opts.checks) {\n                        newRule[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        newRule[scopeAction] = true;\n                    }\n\n                    if (opts.defaults) {\n                        newRule.defaults = {\n                            userId: userKey\n                        };\n                    }\n\n                    rules.push(newRule);\n                }\n            }\n        }\n\n        const logRules = rules.reduce((prev, curr) => {\n            (prev[curr['role']] ??= []).push(curr);\n            return prev;\n        }, {})\n\n        for (const key in logRules) {\n            app.log.info(`Rules set for role ${key}`);\n\n            for (const element of logRules[key]) {\n                // eslint-disable-next-line @typescript-eslint/no-unused-vars\n                const { entity, entities, role, ...other } = element;\n                app.log.info(`\\t${entity ?? entities.join(',')}: ${JSON.stringify(other)}`);\n            }\n        }\n\n        const missingEntities = Object.keys(app.platformatic.entities).filter((e) => !rules.map((r) => r.entity).includes(e));\n\n        if (missingEntities.length) {\n            app.log.warn(`Missing rules for entities: ${missingEntities.join(', ')}`);\n        }\n\n        app.log.debug('LogTo calculated rules');\n        app.log.debug(rules);\n        return rules;\n    }\n\n    app.decorateRequest('setupDBAuthorizationUser', setupUser)\n\n    async function setupUser() {\n        // if (!adminSecret) {\n        await this.extractUser()\n        // }\n\n        let forceAdminRole = false\n        if (adminSecret && this.headers['x-platformatic-admin-secret'] === adminSecret) {\n            if (opts.jwtPlugin.jwt) {\n                forceAdminRole = true\n            } else {\n                this.log.info('admin secret is valid')\n                this.user = new Proxy(this.headers, {\n                    get: (target, key) => {\n                        let value;\n                        if (!target[key.toString()]) {\n                            const newKey = key.toString().toLowerCase()\n                            value = target[newKey]\n                        } else {\n                            value = target[key.toString()]\n                        }\n\n                        if (!value && key.toString().toLowerCase() === roleKey.toLowerCase()) {\n                            value = PLT_ADMIN_ROLE\n                        }\n                        return value\n                    },\n                })\n            }\n        }\n\n        if (forceAdminRole) {\n            // We replace just the role in `request.user`, all the rest is untouched\n            this.user = {\n                // ...request.user,\n                [roleKey]: this.headers['x-platformatic-role'] ?? PLT_ADMIN_ROLE\n            }\n        }\n    }\n\n    app.addHook('onReady', async function () {\n        const rules = await composeLogToRules();\n\n        // TODO validate that there is at most a rule for a given role\n        const entityRules = {};\n        for (let i = 0; i < rules.length; i++) {\n            const rule = rules[i]\n\n            let ruleEntities = null\n            if (rule.entity) {\n                ruleEntities = [rule.entity]\n            } else if (rule.entities) {\n                ruleEntities = [...rule.entities]\n            } else {\n                throw new Error(`Missing entity in authorization rule ${i}`)\n            }\n\n            for (const ruleEntity of ruleEntities) {\n                const newRule = { ...rule, entity: ruleEntity, entities: undefined }\n                if (!app.platformatic.entities[newRule.entity]) {\n                    throw new Error(`Unknown entity '${ruleEntity}' in authorization rule ${i}`)\n                }\n\n                if (!entityRules[ruleEntity]) {\n                    entityRules[ruleEntity] = []\n                }\n                entityRules[ruleEntity].push(newRule)\n            }\n        }\n\n        for (const entityKey of Object.keys(app.platformatic.entities)) {\n            const rules = entityRules[entityKey] || []\n            const type = app.platformatic.entities[entityKey]\n\n            // We have subscriptions!\n            let userPropToFillForPublish\n            const topicsWithoutChecks = false\n\n            // mqtt\n            // if (app.platformatic.mq) {\n            //     for (const rule of rules) {\n            //         const checks = rule.find?.checks\n            //         if (typeof checks !== 'object') {\n            //             topicsWithoutChecks = !!rule.find\n            //             continue\n            //         }\n            //         const keys = Object.keys(checks)\n            //         if (keys.length !== 1) {\n            //             throw new Error(`Subscription requires that the role \"${rule.role}\" has only one check in the find rule for entity \"${rule.entity}\"`)\n            //         }\n            //         const key = keys[0]\n\n            //         const val = typeof checks[key] === 'object' ? checks[key].eq : checks[key]\n            //         if (userPropToFillForPublish && userPropToFillForPublish.val !== val) {\n            //             throw new Error('Unable to configure subscriptions and authorization due to multiple check clauses in find')\n            //         }\n            //         userPropToFillForPublish = { key, val }\n            //     }\n            // }\n\n            if (userPropToFillForPublish && topicsWithoutChecks) {\n                throw new Error(`Subscription for entity \"${entityKey}\" have conflictling rules across roles`)\n            }\n\n            // MUST set this after doing the security checks on the subscriptions\n            if (adminSecret) {\n                rules.push({\n                    role: PLT_ADMIN_ROLE,\n                    find: true,\n                    save: true,\n                    delete: true,\n                })\n            }\n\n            // If we have `fields` in save rules, we need to check if all the not-nullable\n            // fields are specified\n            checkSaveMandatoryFieldsInRules(type, rules)\n\n            function useOriginal(ctx: PlatformaticContext) {\n                return !ctx\n            }\n\n            app.platformatic.addEntityHooks(entityKey, {\n                async find(originalFind, { where, ctx, fields, ...restOpts } = {}) {\n                    if (useOriginal(ctx)) {\n                        return originalFind({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n                    checkFieldsFromRule(rule.find, fields || Object.keys(app.platformatic.entities[entityKey].fields))\n                    where = await fromRuleToWhere(ctx, rule.find, where, request.user)\n\n                    return originalFind({ ...restOpts, where, ctx, fields })\n                },\n                async save(originalSave, { input, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalSave({ ctx, input, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, input)\n\n                    if (rule.defaults) {\n                        for (const key of Object.keys(rule.defaults)) {\n                            const defaults = rule.defaults[key]\n                            if (typeof defaults === 'function') {\n                                input[key] = await defaults({ user: request.user, ctx, input })\n                            } else {\n                                input[key] = request.user[defaults]\n                            }\n                        }\n                    }\n\n                    const hasAllPrimaryKeys = input[type.primaryKey] !== undefined;\n                    const whereConditions = {}\n                    whereConditions[type.primaryKey] = { eq: input[type.primaryKey] }\n\n                    if (hasAllPrimaryKeys) {\n                        const where = await fromRuleToWhere(ctx, rule.save, whereConditions, request.user)\n\n                        const found = await type.find({\n                            where,\n                            ctx,\n                            fields,\n                        })\n\n                        if (found.length === 0) {\n                            throw new Unauthorized()\n                        }\n\n                        return originalSave({ input, ctx, fields, ...restOpts })\n                    }\n\n                    return originalSave({ input, ctx, fields, ...restOpts })\n                },\n\n                async insert(originalInsert, { inputs, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalInsert({ inputs, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, inputs)\n\n                    /* istanbul ignore else */\n                    if (rule.defaults) {\n                        for (const input of inputs) {\n                            for (const key of Object.keys(rule.defaults)) {\n                                const defaults = rule.defaults[key]\n                                if (typeof defaults === 'function') {\n                                    input[key] = await defaults({ user: request.user, ctx, input })\n                                } else {\n                                    input[key] = request.user[defaults]\n                                }\n                            }\n                        }\n                    }\n\n                    return originalInsert({ inputs, ctx, fields, ...restOpts })\n                },\n\n                async delete(originalDelete, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalDelete({ where, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.delete, where, request.user)\n\n                    return originalDelete({ where, ctx, fields, ...restOpts })\n                },\n\n                async updateMany(originalUpdateMany, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.updateMany, where, request.user)\n\n                    return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                },\n            })\n        }\n    })\n}, { name: '@albirex/platformatic-logto' });\n\nasync function fromRuleToWhere(ctx: PlatformaticContext, rule, where, user) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const request = getRequestFromContext(ctx)\n    /* istanbul ignore next */\n    where = where || {}\n\n    if (typeof rule === 'object') {\n        const { checks } = rule\n\n        /* istanbul ignore else */\n        if (checks) {\n            for (const key of Object.keys(checks)) {\n                const clauses = checks[key]\n                if (typeof clauses === 'string') {\n                    // case: \"userId\": \"X-PLATFORMATIC-USER-ID\"\n                    where[key] = {\n                        eq: request.user[clauses],\n                    }\n                } else {\n                    // case:\n                    // userId: {\n                    //   eq: 'X-PLATFORMATIC-USER-ID'\n                    // }\n                    for (const clauseKey of Object.keys(clauses)) {\n                        const clause = clauses[clauseKey]\n                        where[key] = {\n                            [clauseKey]: request.user[clause],\n                        }\n                    }\n                }\n            }\n        }\n    } else if (typeof rule === 'function') {\n        where = await rule({ user, ctx, where })\n    }\n    return where\n}\n\nasync function findRuleForRequestUser(ctx: PlatformaticContext, rules: PlatformaticRule[], roleKey: string, anonymousRole: string, isRolePath = false) {\n    const request = getRequestFromContext(ctx)\n    await request.setupDBAuthorizationUser()\n    const roles = getRoles(request, roleKey, anonymousRole, isRolePath)\n    const rule = findRule(rules, roles)\n    if (!rule) {\n        ctx.reply.request.log.warn({ roles, rules }, 'no rule for roles')\n        throw new Unauthorized()\n    }\n    ctx.reply.request.log.trace({ roles, rule }, 'found rule')\n    return rule\n}\n\nfunction checkFieldsFromRule(rule, fields) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        for (const field of fields) {\n            if (!fieldsFromRule.includes(field)) {\n                throw new UnauthorizedField(field)\n            }\n        }\n    }\n}\n\nconst validateInputs = (inputs, fieldsFromRule) => {\n    for (const input of inputs) {\n        const inputFields = Object.keys(input)\n        for (const inputField of inputFields) {\n            if (!fieldsFromRule.includes(inputField)) {\n                throw new UnauthorizedField(inputField)\n            }\n        }\n    }\n}\n\nfunction checkInputFromRuleFields(rule, inputs) {\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        if (!Array.isArray(inputs)) {\n            // save\n            validateInputs([inputs], fieldsFromRule)\n        } else {\n            // insert\n            validateInputs(inputs, fieldsFromRule)\n        }\n    }\n}\n\nfunction checkSaveMandatoryFieldsInRules(type: Entity, rules) {\n    // List of not nullable, not PKs field to validate save/insert when allowed fields are specified on the rule\n    const mandatoryFields =\n        Object.values(type.fields)\n            .filter(k => (!k.isNullable && !k.primaryKey))\n            .map(({ camelcase }) => (camelcase))\n\n    for (const rule of rules) {\n        const { entity, save } = rule\n        if (save && save.fields) {\n            const fields = save.fields\n            for (const mField of mandatoryFields) {\n                if (!fields.includes(mField)) {\n                    throw new MissingNotNullableError(mField, entity)\n                }\n            }\n        }\n    }\n}\n\nexport default platformaticLogto;\n","'use strict'\n\nimport { PlatformaticRule } from '../index.js'\n\nfunction findRule(rules: PlatformaticRule[], roles: string[]) {\n  let found = null\n  for (const rule of rules) {\n    for (const role of roles) {\n      if (rule.role === role) {\n        found = rule\n        break\n      }\n    }\n    if (found) {\n      break\n    }\n  }\n  return found\n}\n\nexport default findRule\n","'use strict'\n\nexport function getRequestFromContext (ctx) {\n  if (ctx && !ctx.reply) {\n    throw new Error('Missing reply in context. You should call this function with { ctx: { reply }}')\n  }\n  return ctx.reply.request\n}\n\nexport function getRoles (request, roleKey, anonymousRole, isRolePath = false) {\n  let output = []\n  const user = request.user\n  if (!user) {\n    output.push(anonymousRole)\n    return output\n  }\n\n  let rolesRaw\n  if (isRolePath) {\n    const roleKeys = roleKey.split('.')\n    rolesRaw = user\n    for (const key of roleKeys) {\n      rolesRaw = rolesRaw[key]\n    }\n  } else {\n    rolesRaw = user[roleKey]\n  }\n\n  if (typeof rolesRaw === 'string') {\n    output = rolesRaw.split(',')\n  } else if (Array.isArray(rolesRaw)) {\n    output = rolesRaw\n  }\n  if (output.length === 0) {\n    output.push(anonymousRole)\n  }\n\n  return output\n}\n","'use strict'\n\nimport createError from '@fastify/error'\n\nconst ERROR_PREFIX = 'PLT_DB_AUTH'\n\nexport const Unauthorized = createError(`${ERROR_PREFIX}_UNAUTHORIZED`, 'operation not allowed', 401)\nexport const UnauthorizedField = createError(`${ERROR_PREFIX}_FIELD_UNAUTHORIZED`, 'field not allowed: %s', 401)\nexport const MissingNotNullableError = createError(`${ERROR_PREFIX}_NOT_NULLABLE_MISSING`, 'missing not nullable field: \"%s\" in save rule for entity \"%s\"')\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAe;AACf,kBAA6B;;;ACG7B,SAAS,SAAS,OAA2B,OAAiB;AAC5D,MAAI,QAAQ;AACZ,aAAW,QAAQ,OAAO;AACxB,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,SAAS,MAAM;AACtB,gBAAQ;AACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO;AACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAO,oBAAQ;;;AClBR,SAAS,sBAAuB,KAAK;AAC1C,MAAI,OAAO,CAAC,IAAI,OAAO;AACrB,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,SAAO,IAAI,MAAM;AACnB;AAEO,SAAS,SAAU,SAAS,SAAS,eAAe,aAAa,OAAO;AAC7E,MAAI,SAAS,CAAC;AACd,QAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,aAAa;AACzB,WAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI,YAAY;AACd,UAAM,WAAW,QAAQ,MAAM,GAAG;AAClC,eAAW;AACX,eAAW,OAAO,UAAU;AAC1B,iBAAW,SAAS,GAAG;AAAA,IACzB;AAAA,EACF,OAAO;AACL,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,MAAI,OAAO,aAAa,UAAU;AAChC,aAAS,SAAS,MAAM,GAAG;AAAA,EAC7B,WAAW,MAAM,QAAQ,QAAQ,GAAG;AAClC,aAAS;AAAA,EACX;AACA,MAAI,OAAO,WAAW,GAAG;AACvB,WAAO,KAAK,aAAa;AAAA,EAC3B;AAEA,SAAO;AACT;;;ACpCA,mBAAwB;AAExB,IAAM,eAAe;AAEd,IAAM,mBAAe,aAAAA,SAAY,GAAG,YAAY,iBAAiB,yBAAyB,GAAG;AAC7F,IAAM,wBAAoB,aAAAA,SAAY,GAAG,YAAY,uBAAuB,yBAAyB,GAAG;AACxG,IAAM,8BAA0B,aAAAA,SAAY,GAAG,YAAY,yBAAyB,+DAA+D;;;AHF1J,2BAAyB;AAIzB,IAAAC,wBAA6B;AAE7B,IAAM,iBAAiB;AA8BhB,IAAM,wBAAsE,sBAAAC,SAAG,OAAO,KAAsB,SAAuC;AACtJ,MAAI,SAAS,qBAAAC,SAAc;AAAA,IACvB,UAAU,KAAK,gBAAgB;AAAA,IAC/B,OAAO,KAAK,cAAc;AAAA,IAC1B,WAAW,KAAK,kBAAkB;AAAA,EACtC,CAAC;AAED,QAAM,IAAI,SAAS,aAA8C,KAAK,SAAS;AAE/E,QAAM,cAAc,KAAK;AACzB,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,aAAa,CAAC,CAAC,KAAK;AAC1B,QAAM,gBAAgB,KAAK,iBAAiB;AAE5C,iBAAe,oBAAoB;AAC/B,UAAM,YAAY,MAAM,IAAI,MAAM,QAAQ,wBAAwB,KAAK;AAEvE,QAAI,CAAC,UAAU,IAAI;AACf,YAAM;AAAA,IACV;AAEA,UAAM,QAAQ,MAAM,UAAU,KAAK;AACnC,UAAM,QAA4B,CAAC;AAAA,MAC/B,MAAM;AAAA,MACN,UAAU,OAAO,KAAK,IAAI,aAAa,QAAQ;AAAA,MAC/C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,QAAQ,KAAK;AAAA,IACjB,CAAC;AAED,eAAW,QAAQ,OAAO;AACtB,YAAM,aAAa,MAAM,IAAI,MAAM,QAAQ,cAAc,KAAK,EAAE,WAAW,KAAK;AAEhF,UAAI,CAAC,WAAW,IAAI;AAChB,cAAM;AAAA,MACV;AAEA,YAAM,SAAS,MAAM,WAAW,KAAK;AAErC,iBAAW,SAAS,QAAQ;AACxB,cAAM,WAAW,KAAK;AAEtB,YAAI,CAAC,aAAa,MAAM,IAAI,MAAM,KAAK,MAAM,GAAG;AAEhD,YAAI,CAAC,IAAI,aAAa,SAAS,MAAM,GAAG;AACpC,cAAI,IAAI,MAAM,mBAAmB,MAAM,yBAAyB;AAChE;AAAA,QACJ;AAEA,gBAAQ,aAAa;AAAA,UACjB,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,QACR;AAEA,cAAM,cAAc,MAAM,KAAK,OAAK,EAAE,SAAS,YAAY,EAAE,WAAW,MAAM;AAC9E,YAAI,aAAa;AACb,cAAI,KAAK,QAAQ;AACb,wBAAY,WAAW,IAAI;AAAA,cACvB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,wBAAY,WAAW,IAAI;AAAA,UAC/B;AAAA,QACJ,OAAO;AACH,gBAAM,UAA4B;AAAA,YAC9B,MAAM;AAAA,YACN;AAAA,UACJ;AAEA,cAAI,KAAK,QAAQ;AACb,oBAAQ,WAAW,IAAI;AAAA,cACnB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,oBAAQ,WAAW,IAAI;AAAA,UAC3B;AAEA,cAAI,KAAK,UAAU;AACf,oBAAQ,WAAW;AAAA,cACf,QAAQ;AAAA,YACZ;AAAA,UACJ;AAEA,gBAAM,KAAK,OAAO;AAAA,QACtB;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,WAAW,MAAM,OAAO,CAAC,MAAM,SAAS;AAC1C,OAAC,KAAK,KAAK,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI;AACrC,aAAO;AAAA,IACX,GAAG,CAAC,CAAC;AAEL,eAAW,OAAO,UAAU;AACxB,UAAI,IAAI,KAAK,sBAAsB,GAAG,EAAE;AAExC,iBAAW,WAAW,SAAS,GAAG,GAAG;AAEjC,cAAM,EAAE,QAAQ,UAAU,MAAM,GAAG,MAAM,IAAI;AAC7C,YAAI,IAAI,KAAK,IAAK,UAAU,SAAS,KAAK,GAAG,CAAC,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MAC9E;AAAA,IACJ;AAEA,UAAM,kBAAkB,OAAO,KAAK,IAAI,aAAa,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEpH,QAAI,gBAAgB,QAAQ;AACxB,UAAI,IAAI,KAAK,+BAA+B,gBAAgB,KAAK,IAAI,CAAC,EAAE;AAAA,IAC5E;AAEA,QAAI,IAAI,MAAM,wBAAwB;AACtC,QAAI,IAAI,MAAM,KAAK;AACnB,WAAO;AAAA,EACX;AAEA,MAAI,gBAAgB,4BAA4B,SAAS;AAEzD,iBAAe,YAAY;AAEvB,UAAM,KAAK,YAAY;AAGvB,QAAI,iBAAiB;AACrB,QAAI,eAAe,KAAK,QAAQ,6BAA6B,MAAM,aAAa;AAC5E,UAAI,KAAK,UAAU,KAAK;AACpB,yBAAiB;AAAA,MACrB,OAAO;AACH,aAAK,IAAI,KAAK,uBAAuB;AACrC,aAAK,OAAO,IAAI,MAAM,KAAK,SAAS;AAAA,UAChC,KAAK,CAAC,QAAQ,QAAQ;AAClB,gBAAI;AACJ,gBAAI,CAAC,OAAO,IAAI,SAAS,CAAC,GAAG;AACzB,oBAAM,SAAS,IAAI,SAAS,EAAE,YAAY;AAC1C,sBAAQ,OAAO,MAAM;AAAA,YACzB,OAAO;AACH,sBAAQ,OAAO,IAAI,SAAS,CAAC;AAAA,YACjC;AAEA,gBAAI,CAAC,SAAS,IAAI,SAAS,EAAE,YAAY,MAAM,QAAQ,YAAY,GAAG;AAClE,sBAAQ;AAAA,YACZ;AACA,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,QAAI,gBAAgB;AAEhB,WAAK,OAAO;AAAA;AAAA,QAER,CAAC,OAAO,GAAG,KAAK,QAAQ,qBAAqB,KAAK;AAAA,MACtD;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,QAAQ,WAAW,iBAAkB;AACrC,UAAM,QAAQ,MAAM,kBAAkB;AAGtC,UAAM,cAAc,CAAC;AACrB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACnC,YAAM,OAAO,MAAM,CAAC;AAEpB,UAAI,eAAe;AACnB,UAAI,KAAK,QAAQ;AACb,uBAAe,CAAC,KAAK,MAAM;AAAA,MAC/B,WAAW,KAAK,UAAU;AACtB,uBAAe,CAAC,GAAG,KAAK,QAAQ;AAAA,MACpC,OAAO;AACH,cAAM,IAAI,MAAM,wCAAwC,CAAC,EAAE;AAAA,MAC/D;AAEA,iBAAW,cAAc,cAAc;AACnC,cAAM,UAAU,EAAE,GAAG,MAAM,QAAQ,YAAY,UAAU,OAAU;AACnE,YAAI,CAAC,IAAI,aAAa,SAAS,QAAQ,MAAM,GAAG;AAC5C,gBAAM,IAAI,MAAM,mBAAmB,UAAU,2BAA2B,CAAC,EAAE;AAAA,QAC/E;AAEA,YAAI,CAAC,YAAY,UAAU,GAAG;AAC1B,sBAAY,UAAU,IAAI,CAAC;AAAA,QAC/B;AACA,oBAAY,UAAU,EAAE,KAAK,OAAO;AAAA,MACxC;AAAA,IACJ;AAEA,eAAW,aAAa,OAAO,KAAK,IAAI,aAAa,QAAQ,GAAG;AAgD5D,UAAS,cAAT,SAAqB,KAA0B;AAC3C,eAAO,CAAC;AAAA,MACZ;AAjDA,YAAMC,SAAQ,YAAY,SAAS,KAAK,CAAC;AACzC,YAAM,OAAO,IAAI,aAAa,SAAS,SAAS;AAGhD,UAAI;AACJ,YAAM,sBAAsB;AAwB5B,UAAI,4BAA4B,qBAAqB;AACjD,cAAM,IAAI,MAAM,4BAA4B,SAAS,wCAAwC;AAAA,MACjG;AAGA,UAAI,aAAa;AACb,QAAAA,OAAM,KAAK;AAAA,UACP,MAAM;AAAA,UACN,MAAM;AAAA,UACN,MAAM;AAAA,UACN,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAIA,sCAAgC,MAAMA,MAAK;AAM3C,UAAI,aAAa,eAAe,WAAW;AAAA,QACvC,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,IAAI,CAAC,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AACxF,8BAAoB,KAAK,MAAM,UAAU,OAAO,KAAK,IAAI,aAAa,SAAS,SAAS,EAAE,MAAM,CAAC;AACjG,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,OAAO,QAAQ,IAAI;AAEjE,iBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QAC3D;AAAA,QACA,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC1D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,KAAK,OAAO,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AACA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,KAAK;AAEzC,cAAI,KAAK,UAAU;AACf,uBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,oBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,kBAAI,OAAO,aAAa,YAAY;AAChC,sBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,cAClE,OAAO;AACH,sBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,cACtC;AAAA,YACJ;AAAA,UACJ;AAEA,gBAAM,oBAAoB,MAAM,KAAK,UAAU,MAAM;AACrD,gBAAM,kBAAkB,CAAC;AACzB,0BAAgB,KAAK,UAAU,IAAI,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE;AAEhE,cAAI,mBAAmB;AACnB,kBAAM,QAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,iBAAiB,QAAQ,IAAI;AAEjF,kBAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,cAC1B;AAAA,cACA;AAAA,cACA;AAAA,YACJ,CAAC;AAED,gBAAI,MAAM,WAAW,GAAG;AACpB,oBAAM,IAAI,aAAa;AAAA,YAC3B;AAEA,mBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AAEA,iBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC3D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC9D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AAEA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,MAAM;AAG1C,cAAI,KAAK,UAAU;AACf,uBAAW,SAAS,QAAQ;AACxB,yBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,sBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,oBAAI,OAAO,aAAa,YAAY;AAChC,wBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,gBAClE,OAAO;AACH,wBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,gBACtC;AAAA,cACJ;AAAA,YACJ;AAAA,UACJ;AAEA,iBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC9D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC9D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC7D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,QAAQ,OAAO,QAAQ,IAAI;AAEnE,iBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC7D;AAAA,QAEA,MAAM,WAAW,oBAAoB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AACtE,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UACjE;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,YAAY,OAAO,QAAQ,IAAI;AAEvE,iBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QACjE;AAAA,MACJ,CAAC;AAAA,IACL;AAAA,EACJ,CAAC;AACL,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAE1C,eAAe,gBAAgB,KAA0B,MAAM,OAAO,MAAM;AACxE,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,UAAU,sBAAsB,GAAG;AAEzC,UAAQ,SAAS,CAAC;AAElB,MAAI,OAAO,SAAS,UAAU;AAC1B,UAAM,EAAE,OAAO,IAAI;AAGnB,QAAI,QAAQ;AACR,iBAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACnC,cAAM,UAAU,OAAO,GAAG;AAC1B,YAAI,OAAO,YAAY,UAAU;AAE7B,gBAAM,GAAG,IAAI;AAAA,YACT,IAAI,QAAQ,KAAK,OAAO;AAAA,UAC5B;AAAA,QACJ,OAAO;AAKH,qBAAW,aAAa,OAAO,KAAK,OAAO,GAAG;AAC1C,kBAAM,SAAS,QAAQ,SAAS;AAChC,kBAAM,GAAG,IAAI;AAAA,cACT,CAAC,SAAS,GAAG,QAAQ,KAAK,MAAM;AAAA,YACpC;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ,WAAW,OAAO,SAAS,YAAY;AACnC,YAAQ,MAAM,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;AAAA,EAC3C;AACA,SAAO;AACX;AAEA,eAAe,uBAAuB,KAA0B,OAA2B,SAAiB,eAAuB,aAAa,OAAO;AACnJ,QAAM,UAAU,sBAAsB,GAAG;AACzC,QAAM,QAAQ,yBAAyB;AACvC,QAAM,QAAQ,SAAS,SAAS,SAAS,eAAe,UAAU;AAClE,QAAM,OAAO,kBAAS,OAAO,KAAK;AAClC,MAAI,CAAC,MAAM;AACP,QAAI,MAAM,QAAQ,IAAI,KAAK,EAAE,OAAO,MAAM,GAAG,mBAAmB;AAChE,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,MAAI,MAAM,QAAQ,IAAI,MAAM,EAAE,OAAO,KAAK,GAAG,YAAY;AACzD,SAAO;AACX;AAEA,SAAS,oBAAoB,MAAM,QAAQ;AACvC,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,eAAW,SAAS,QAAQ;AACxB,UAAI,CAAC,eAAe,SAAS,KAAK,GAAG;AACjC,cAAM,IAAI,kBAAkB,KAAK;AAAA,MACrC;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAM,iBAAiB,CAAC,QAAQ,mBAAmB;AAC/C,aAAW,SAAS,QAAQ;AACxB,UAAM,cAAc,OAAO,KAAK,KAAK;AACrC,eAAW,cAAc,aAAa;AAClC,UAAI,CAAC,eAAe,SAAS,UAAU,GAAG;AACtC,cAAM,IAAI,kBAAkB,UAAU;AAAA,MAC1C;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,SAAS,yBAAyB,MAAM,QAAQ;AAC5C,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,QAAI,CAAC,MAAM,QAAQ,MAAM,GAAG;AAExB,qBAAe,CAAC,MAAM,GAAG,cAAc;AAAA,IAC3C,OAAO;AAEH,qBAAe,QAAQ,cAAc;AAAA,IACzC;AAAA,EACJ;AACJ;AAEA,SAAS,gCAAgC,MAAc,OAAO;AAE1D,QAAM,kBACF,OAAO,OAAO,KAAK,MAAM,EACpB,OAAO,OAAM,CAAC,EAAE,cAAc,CAAC,EAAE,UAAW,EAC5C,IAAI,CAAC,EAAE,UAAU,MAAO,SAAU;AAE3C,aAAW,QAAQ,OAAO;AACtB,UAAM,EAAE,QAAQ,KAAK,IAAI;AACzB,QAAI,QAAQ,KAAK,QAAQ;AACrB,YAAM,SAAS,KAAK;AACpB,iBAAW,UAAU,iBAAiB;AAClC,YAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC1B,gBAAM,IAAI,wBAAwB,QAAQ,MAAM;AAAA,QACpD;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAO,gBAAQ;","names":["createError","import_fastify_logto","fp","fastifyLogto","rules"]}
+{"version":3,"sources":["../src/index.ts","../src/utils/find-rule.ts","../src/utils/utils.ts","../src/utils/errors.ts"],"sourcesContent":["import fp from 'fastify-plugin'\nimport * as fastifyUser from 'fastify-user'\n\nimport findRule from './utils/find-rule.js'\nimport { getRequestFromContext, getRoles } from './utils/utils.js'\nimport { Unauthorized, UnauthorizedField, MissingNotNullableError } from './utils/errors.js'\nimport fastifyLogto from '@albirex/fastify-logto';\nimport { FastifyInstance, FastifyPluginAsync } from 'fastify'\nimport type { FastifyUserPluginOptions } from 'fastify-user';\nimport type { Entity, PlatformaticContext } from '@platformatic/sql-mapper'\nexport { fastifyLogto } from '@albirex/fastify-logto';\n\nconst PLT_ADMIN_ROLE = 'platformatic-admin'\n\nexport type PlatformaticRule = {\n    role: string;\n    entity?: string;\n    entities?: string[];\n    defaults?: Record<string, string>;\n    checks?: boolean;\n    find?: boolean;\n    save?: boolean;\n    delete?: boolean;\n\n};\n\nexport type PlatformaticLogtoAuthOptions = {\n    logtoBaseUrl?: string;\n    logtoAppId?: string;\n    logtoAppSecret?: string;\n    adminSecret?: string;\n    rolePath?: string;\n    roleKey?: string;\n    userPath?: string;\n    userKey?: string;\n    anonymousRole?: string;\n    allowAnonymous?: boolean;\n    checks?: boolean;\n    defaults?: boolean;\n    jwtPlugin: FastifyUserPluginOptions\n};\n\nexport const platformaticLogto: FastifyPluginAsync<PlatformaticLogtoAuthOptions> = fp(async (app: FastifyInstance, opts: PlatformaticLogtoAuthOptions) => {\n    app.register(fastifyLogto, {\n        endpoint: opts.logtoBaseUrl || 'https://auth.example.com',\n        appId: opts.logtoAppId || 'your-app-id',\n        appSecret: opts.logtoAppSecret || 'your-app-secret',\n    });\n\n    await app.register(fastifyUser as unknown as FastifyPluginAsync, opts.jwtPlugin);\n\n    const adminSecret = opts.adminSecret\n    const roleKey = opts.rolePath || opts.roleKey || 'X-PLATFORMATIC-ROLE'\n    const userKey = opts.userPath || opts.userKey || 'X-PLATFORMATIC-USER-ID'\n    const isRolePath = !!opts.rolePath // if `true` the role is intepreted as path like `user.role`\n    const anonymousRole = opts.anonymousRole || 'anonymous'\n\n    async function composeLogToRules() {\n        const rolesResp = await app.logto.callAPI('/api/roles?type=User', 'GET');\n\n        if (!rolesResp.ok) {\n            throw rolesResp;\n        }\n\n        const roles = await rolesResp.json();\n        const rules: PlatformaticRule[] = [{\n            role: anonymousRole,\n            entities: Object.keys(app.platformatic.entities),\n            find: opts.allowAnonymous,\n            save: opts.allowAnonymous,\n            delete: opts.allowAnonymous,\n        }];\n\n        for (const role of roles) {\n            const scopesResp = await app.logto.callAPI(`/api/roles/${role.id}/scopes`, 'GET');\n\n            if (!scopesResp.ok) {\n                throw scopesResp;\n            }\n\n            const scopes = await scopesResp.json();\n\n            for (const scope of scopes) {\n                const roleName = role.name;\n                // eslint-disable-next-line prefer-const\n                let [scopeAction, entity] = scope.name.split(':');\n\n                if (!app.platformatic.entities[entity]) {\n                    app.log.debug(`Unknown entity '${entity}' in authorization rule`)\n                    continue;\n                }\n\n                switch (scopeAction) {\n                    case 'create':\n                        scopeAction = 'save'\n                        break;\n                    case 'read':\n                        scopeAction = 'find'\n                        break;\n                    case 'update':\n                        scopeAction = 'updateMany'\n                        break;\n                }\n\n                const checkExists = rules.find(r => r.role === roleName && r.entity === entity);\n                if (checkExists) {\n                    if (opts.checks) {\n                        checkExists[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        checkExists[scopeAction] = true;\n                    }\n                } else {\n                    const newRule: PlatformaticRule = {\n                        role: roleName,\n                        entity,\n                    };\n\n                    if (opts.checks) {\n                        newRule[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        newRule[scopeAction] = true;\n                    }\n\n                    if (opts.defaults) {\n                        newRule.defaults = {\n                            userId: userKey\n                        };\n                    }\n\n                    rules.push(newRule);\n                }\n            }\n        }\n\n        const logRules = rules.reduce((prev, curr) => {\n            (prev[curr['role']] ??= []).push(curr);\n            return prev;\n        }, {})\n\n        for (const key in logRules) {\n            app.log.info(`Rules set for role ${key}`);\n\n            for (const element of logRules[key]) {\n                // eslint-disable-next-line @typescript-eslint/no-unused-vars\n                const { entity, entities, role, ...other } = element;\n                app.log.info(`\\t${entity ?? entities.join(',')}: ${JSON.stringify(other)}`);\n            }\n        }\n\n        const missingEntities = Object.keys(app.platformatic.entities).filter((e) => !rules.map((r) => r.entity).includes(e));\n\n        if (missingEntities.length) {\n            app.log.warn(`Missing rules for entities: ${missingEntities.join(', ')}`);\n        }\n\n        app.log.debug('LogTo calculated rules');\n        app.log.debug(rules);\n        return rules;\n    }\n\n    app.decorateRequest('setupDBAuthorizationUser', setupUser)\n\n    async function setupUser() {\n        // if (!adminSecret) {\n        await this.extractUser()\n        // }\n\n        let forceAdminRole = false\n        if (adminSecret && this.headers['x-platformatic-admin-secret'] === adminSecret) {\n            if (opts.jwtPlugin.jwt) {\n                forceAdminRole = true\n            } else {\n                this.log.info('admin secret is valid')\n                this.user = new Proxy(this.headers, {\n                    get: (target, key) => {\n                        let value;\n                        if (!target[key.toString()]) {\n                            const newKey = key.toString().toLowerCase()\n                            value = target[newKey]\n                        } else {\n                            value = target[key.toString()]\n                        }\n\n                        if (!value && key.toString().toLowerCase() === roleKey.toLowerCase()) {\n                            value = PLT_ADMIN_ROLE\n                        }\n                        return value\n                    },\n                })\n            }\n        }\n\n        if (forceAdminRole) {\n            // We replace just the role in `request.user`, all the rest is untouched\n            this.user = {\n                // ...request.user,\n                [roleKey]: this.headers['x-platformatic-role'] ?? PLT_ADMIN_ROLE\n            }\n        }\n    }\n\n    app.addHook('onReady', async function () {\n        const rules = await composeLogToRules();\n\n        // TODO validate that there is at most a rule for a given role\n        const entityRules = {};\n        for (let i = 0; i < rules.length; i++) {\n            const rule = rules[i]\n\n            let ruleEntities = null\n            if (rule.entity) {\n                ruleEntities = [rule.entity]\n            } else if (rule.entities) {\n                ruleEntities = [...rule.entities]\n            } else {\n                throw new Error(`Missing entity in authorization rule ${i}`)\n            }\n\n            for (const ruleEntity of ruleEntities) {\n                const newRule = { ...rule, entity: ruleEntity, entities: undefined }\n                if (!app.platformatic.entities[newRule.entity]) {\n                    throw new Error(`Unknown entity '${ruleEntity}' in authorization rule ${i}`)\n                }\n\n                if (!entityRules[ruleEntity]) {\n                    entityRules[ruleEntity] = []\n                }\n                entityRules[ruleEntity].push(newRule)\n            }\n        }\n\n        for (const entityKey of Object.keys(app.platformatic.entities)) {\n            const rules = entityRules[entityKey] || []\n            const type = app.platformatic.entities[entityKey]\n\n            // We have subscriptions!\n            let userPropToFillForPublish\n            const topicsWithoutChecks = false\n\n            // mqtt\n            // if (app.platformatic.mq) {\n            //     for (const rule of rules) {\n            //         const checks = rule.find?.checks\n            //         if (typeof checks !== 'object') {\n            //             topicsWithoutChecks = !!rule.find\n            //             continue\n            //         }\n            //         const keys = Object.keys(checks)\n            //         if (keys.length !== 1) {\n            //             throw new Error(`Subscription requires that the role \"${rule.role}\" has only one check in the find rule for entity \"${rule.entity}\"`)\n            //         }\n            //         const key = keys[0]\n\n            //         const val = typeof checks[key] === 'object' ? checks[key].eq : checks[key]\n            //         if (userPropToFillForPublish && userPropToFillForPublish.val !== val) {\n            //             throw new Error('Unable to configure subscriptions and authorization due to multiple check clauses in find')\n            //         }\n            //         userPropToFillForPublish = { key, val }\n            //     }\n            // }\n\n            if (userPropToFillForPublish && topicsWithoutChecks) {\n                throw new Error(`Subscription for entity \"${entityKey}\" have conflictling rules across roles`)\n            }\n\n            // MUST set this after doing the security checks on the subscriptions\n            if (adminSecret) {\n                rules.push({\n                    role: PLT_ADMIN_ROLE,\n                    find: true,\n                    save: true,\n                    delete: true,\n                    updateMany: true\n                })\n            }\n\n            // If we have `fields` in save rules, we need to check if all the not-nullable\n            // fields are specified\n            checkSaveMandatoryFieldsInRules(type, rules)\n\n            function useOriginal(ctx: PlatformaticContext) {\n                return !ctx\n            }\n\n            app.platformatic.addEntityHooks(entityKey, {\n                async find(originalFind, { where, ctx, fields, ...restOpts } = {}) {\n                    if (useOriginal(ctx)) {\n                        return originalFind({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n                    checkFieldsFromRule(rule.find, fields || Object.keys(app.platformatic.entities[entityKey].fields))\n                    where = await fromRuleToWhere(ctx, rule.find, where, request.user)\n\n                    return originalFind({ ...restOpts, where, ctx, fields })\n                },\n                async save(originalSave, { input, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalSave({ ctx, input, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, input)\n\n                    if (rule.defaults) {\n                        for (const key of Object.keys(rule.defaults)) {\n                            const defaults = rule.defaults[key]\n                            if (typeof defaults === 'function') {\n                                input[key] = await defaults({ user: request.user, ctx, input })\n                            } else {\n                                input[key] = request.user[defaults]\n                            }\n                        }\n                    }\n\n                    const hasAllPrimaryKeys = input[type.primaryKey] !== undefined;\n                    const whereConditions = {}\n                    whereConditions[type.primaryKey] = { eq: input[type.primaryKey] }\n\n                    if (hasAllPrimaryKeys) {\n                        const where = await fromRuleToWhere(ctx, rule.save, whereConditions, request.user)\n\n                        const found = await type.find({\n                            where,\n                            ctx,\n                            fields,\n                        })\n\n                        if (found.length === 0) {\n                            throw new Unauthorized()\n                        }\n\n                        return originalSave({ input, ctx, fields, ...restOpts })\n                    }\n\n                    return originalSave({ input, ctx, fields, ...restOpts })\n                },\n\n                async insert(originalInsert, { inputs, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalInsert({ inputs, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, inputs)\n\n                    /* istanbul ignore else */\n                    if (rule.defaults) {\n                        for (const input of inputs) {\n                            for (const key of Object.keys(rule.defaults)) {\n                                const defaults = rule.defaults[key]\n                                if (typeof defaults === 'function') {\n                                    input[key] = await defaults({ user: request.user, ctx, input })\n                                } else {\n                                    input[key] = request.user[defaults]\n                                }\n                            }\n                        }\n                    }\n\n                    return originalInsert({ inputs, ctx, fields, ...restOpts })\n                },\n\n                async delete(originalDelete, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalDelete({ where, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.delete, where, request.user)\n\n                    return originalDelete({ where, ctx, fields, ...restOpts })\n                },\n\n                async updateMany(originalUpdateMany, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.updateMany, where, request.user)\n\n                    return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                },\n            })\n        }\n    })\n}, { name: '@albirex/platformatic-logto' });\n\nasync function fromRuleToWhere(ctx: PlatformaticContext, rule, where, user) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const request = getRequestFromContext(ctx)\n    /* istanbul ignore next */\n    where = where || {}\n\n    if (typeof rule === 'object') {\n        const { checks } = rule\n\n        /* istanbul ignore else */\n        if (checks) {\n            for (const key of Object.keys(checks)) {\n                const clauses = checks[key]\n                if (typeof clauses === 'string') {\n                    // case: \"userId\": \"X-PLATFORMATIC-USER-ID\"\n                    where[key] = {\n                        eq: request.user[clauses],\n                    }\n                } else {\n                    // case:\n                    // userId: {\n                    //   eq: 'X-PLATFORMATIC-USER-ID'\n                    // }\n                    for (const clauseKey of Object.keys(clauses)) {\n                        const clause = clauses[clauseKey]\n                        where[key] = {\n                            [clauseKey]: request.user[clause],\n                        }\n                    }\n                }\n            }\n        }\n    } else if (typeof rule === 'function') {\n        where = await rule({ user, ctx, where })\n    }\n    return where\n}\n\nasync function findRuleForRequestUser(ctx: PlatformaticContext, rules: PlatformaticRule[], roleKey: string, anonymousRole: string, isRolePath = false) {\n    const request = getRequestFromContext(ctx)\n    await request.setupDBAuthorizationUser()\n    const roles = getRoles(request, roleKey, anonymousRole, isRolePath)\n    const rule = findRule(rules, roles)\n    if (!rule) {\n        ctx.reply.request.log.warn({ roles, rules }, 'no rule for roles')\n        throw new Unauthorized()\n    }\n    ctx.reply.request.log.trace({ roles, rule }, 'found rule')\n    return rule\n}\n\nfunction checkFieldsFromRule(rule, fields) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        for (const field of fields) {\n            if (!fieldsFromRule.includes(field)) {\n                throw new UnauthorizedField(field)\n            }\n        }\n    }\n}\n\nconst validateInputs = (inputs, fieldsFromRule) => {\n    for (const input of inputs) {\n        const inputFields = Object.keys(input)\n        for (const inputField of inputFields) {\n            if (!fieldsFromRule.includes(inputField)) {\n                throw new UnauthorizedField(inputField)\n            }\n        }\n    }\n}\n\nfunction checkInputFromRuleFields(rule, inputs) {\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        if (!Array.isArray(inputs)) {\n            // save\n            validateInputs([inputs], fieldsFromRule)\n        } else {\n            // insert\n            validateInputs(inputs, fieldsFromRule)\n        }\n    }\n}\n\nfunction checkSaveMandatoryFieldsInRules(type: Entity, rules) {\n    // List of not nullable, not PKs field to validate save/insert when allowed fields are specified on the rule\n    const mandatoryFields =\n        Object.values(type.fields)\n            .filter(k => (!k.isNullable && !k.primaryKey))\n            .map(({ camelcase }) => (camelcase))\n\n    for (const rule of rules) {\n        const { entity, save } = rule\n        if (save && save.fields) {\n            const fields = save.fields\n            for (const mField of mandatoryFields) {\n                if (!fields.includes(mField)) {\n                    throw new MissingNotNullableError(mField, entity)\n                }\n            }\n        }\n    }\n}\n\nexport default platformaticLogto;\n","'use strict'\n\nimport { PlatformaticRule } from '../index.js'\n\nfunction findRule(rules: PlatformaticRule[], roles: string[]) {\n  let found = null\n  for (const rule of rules) {\n    for (const role of roles) {\n      if (rule.role === role) {\n        found = rule\n        break\n      }\n    }\n    if (found) {\n      break\n    }\n  }\n  return found\n}\n\nexport default findRule\n","'use strict'\n\nexport function getRequestFromContext (ctx) {\n  if (ctx && !ctx.reply) {\n    throw new Error('Missing reply in context. You should call this function with { ctx: { reply }}')\n  }\n  return ctx.reply.request\n}\n\nexport function getRoles (request, roleKey, anonymousRole, isRolePath = false) {\n  let output = []\n  const user = request.user\n  if (!user) {\n    output.push(anonymousRole)\n    return output\n  }\n\n  let rolesRaw\n  if (isRolePath) {\n    const roleKeys = roleKey.split('.')\n    rolesRaw = user\n    for (const key of roleKeys) {\n      rolesRaw = rolesRaw[key]\n    }\n  } else {\n    rolesRaw = user[roleKey]\n  }\n\n  if (typeof rolesRaw === 'string') {\n    output = rolesRaw.split(',')\n  } else if (Array.isArray(rolesRaw)) {\n    output = rolesRaw\n  }\n  if (output.length === 0) {\n    output.push(anonymousRole)\n  }\n\n  return output\n}\n","'use strict'\n\nimport createError from '@fastify/error'\n\nconst ERROR_PREFIX = 'PLT_DB_AUTH'\n\nexport const Unauthorized = createError(`${ERROR_PREFIX}_UNAUTHORIZED`, 'operation not allowed', 401)\nexport const UnauthorizedField = createError(`${ERROR_PREFIX}_FIELD_UNAUTHORIZED`, 'field not allowed: %s', 401)\nexport const MissingNotNullableError = createError(`${ERROR_PREFIX}_NOT_NULLABLE_MISSING`, 'missing not nullable field: \"%s\" in save rule for entity \"%s\"')\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAe;AACf,kBAA6B;;;ACG7B,SAAS,SAAS,OAA2B,OAAiB;AAC5D,MAAI,QAAQ;AACZ,aAAW,QAAQ,OAAO;AACxB,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,SAAS,MAAM;AACtB,gBAAQ;AACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO;AACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAO,oBAAQ;;;AClBR,SAAS,sBAAuB,KAAK;AAC1C,MAAI,OAAO,CAAC,IAAI,OAAO;AACrB,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,SAAO,IAAI,MAAM;AACnB;AAEO,SAAS,SAAU,SAAS,SAAS,eAAe,aAAa,OAAO;AAC7E,MAAI,SAAS,CAAC;AACd,QAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,aAAa;AACzB,WAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI,YAAY;AACd,UAAM,WAAW,QAAQ,MAAM,GAAG;AAClC,eAAW;AACX,eAAW,OAAO,UAAU;AAC1B,iBAAW,SAAS,GAAG;AAAA,IACzB;AAAA,EACF,OAAO;AACL,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,MAAI,OAAO,aAAa,UAAU;AAChC,aAAS,SAAS,MAAM,GAAG;AAAA,EAC7B,WAAW,MAAM,QAAQ,QAAQ,GAAG;AAClC,aAAS;AAAA,EACX;AACA,MAAI,OAAO,WAAW,GAAG;AACvB,WAAO,KAAK,aAAa;AAAA,EAC3B;AAEA,SAAO;AACT;;;ACpCA,mBAAwB;AAExB,IAAM,eAAe;AAEd,IAAM,mBAAe,aAAAA,SAAY,GAAG,YAAY,iBAAiB,yBAAyB,GAAG;AAC7F,IAAM,wBAAoB,aAAAA,SAAY,GAAG,YAAY,uBAAuB,yBAAyB,GAAG;AACxG,IAAM,8BAA0B,aAAAA,SAAY,GAAG,YAAY,yBAAyB,+DAA+D;;;AHF1J,2BAAyB;AAIzB,IAAAC,wBAA6B;AAE7B,IAAM,iBAAiB;AA8BhB,IAAM,wBAAsE,sBAAAC,SAAG,OAAO,KAAsB,SAAuC;AACtJ,MAAI,SAAS,qBAAAC,SAAc;AAAA,IACvB,UAAU,KAAK,gBAAgB;AAAA,IAC/B,OAAO,KAAK,cAAc;AAAA,IAC1B,WAAW,KAAK,kBAAkB;AAAA,EACtC,CAAC;AAED,QAAM,IAAI,SAAS,aAA8C,KAAK,SAAS;AAE/E,QAAM,cAAc,KAAK;AACzB,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,aAAa,CAAC,CAAC,KAAK;AAC1B,QAAM,gBAAgB,KAAK,iBAAiB;AAE5C,iBAAe,oBAAoB;AAC/B,UAAM,YAAY,MAAM,IAAI,MAAM,QAAQ,wBAAwB,KAAK;AAEvE,QAAI,CAAC,UAAU,IAAI;AACf,YAAM;AAAA,IACV;AAEA,UAAM,QAAQ,MAAM,UAAU,KAAK;AACnC,UAAM,QAA4B,CAAC;AAAA,MAC/B,MAAM;AAAA,MACN,UAAU,OAAO,KAAK,IAAI,aAAa,QAAQ;AAAA,MAC/C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,QAAQ,KAAK;AAAA,IACjB,CAAC;AAED,eAAW,QAAQ,OAAO;AACtB,YAAM,aAAa,MAAM,IAAI,MAAM,QAAQ,cAAc,KAAK,EAAE,WAAW,KAAK;AAEhF,UAAI,CAAC,WAAW,IAAI;AAChB,cAAM;AAAA,MACV;AAEA,YAAM,SAAS,MAAM,WAAW,KAAK;AAErC,iBAAW,SAAS,QAAQ;AACxB,cAAM,WAAW,KAAK;AAEtB,YAAI,CAAC,aAAa,MAAM,IAAI,MAAM,KAAK,MAAM,GAAG;AAEhD,YAAI,CAAC,IAAI,aAAa,SAAS,MAAM,GAAG;AACpC,cAAI,IAAI,MAAM,mBAAmB,MAAM,yBAAyB;AAChE;AAAA,QACJ;AAEA,gBAAQ,aAAa;AAAA,UACjB,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,QACR;AAEA,cAAM,cAAc,MAAM,KAAK,OAAK,EAAE,SAAS,YAAY,EAAE,WAAW,MAAM;AAC9E,YAAI,aAAa;AACb,cAAI,KAAK,QAAQ;AACb,wBAAY,WAAW,IAAI;AAAA,cACvB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,wBAAY,WAAW,IAAI;AAAA,UAC/B;AAAA,QACJ,OAAO;AACH,gBAAM,UAA4B;AAAA,YAC9B,MAAM;AAAA,YACN;AAAA,UACJ;AAEA,cAAI,KAAK,QAAQ;AACb,oBAAQ,WAAW,IAAI;AAAA,cACnB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,oBAAQ,WAAW,IAAI;AAAA,UAC3B;AAEA,cAAI,KAAK,UAAU;AACf,oBAAQ,WAAW;AAAA,cACf,QAAQ;AAAA,YACZ;AAAA,UACJ;AAEA,gBAAM,KAAK,OAAO;AAAA,QACtB;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,WAAW,MAAM,OAAO,CAAC,MAAM,SAAS;AAC1C,OAAC,KAAK,KAAK,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI;AACrC,aAAO;AAAA,IACX,GAAG,CAAC,CAAC;AAEL,eAAW,OAAO,UAAU;AACxB,UAAI,IAAI,KAAK,sBAAsB,GAAG,EAAE;AAExC,iBAAW,WAAW,SAAS,GAAG,GAAG;AAEjC,cAAM,EAAE,QAAQ,UAAU,MAAM,GAAG,MAAM,IAAI;AAC7C,YAAI,IAAI,KAAK,IAAK,UAAU,SAAS,KAAK,GAAG,CAAC,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MAC9E;AAAA,IACJ;AAEA,UAAM,kBAAkB,OAAO,KAAK,IAAI,aAAa,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEpH,QAAI,gBAAgB,QAAQ;AACxB,UAAI,IAAI,KAAK,+BAA+B,gBAAgB,KAAK,IAAI,CAAC,EAAE;AAAA,IAC5E;AAEA,QAAI,IAAI,MAAM,wBAAwB;AACtC,QAAI,IAAI,MAAM,KAAK;AACnB,WAAO;AAAA,EACX;AAEA,MAAI,gBAAgB,4BAA4B,SAAS;AAEzD,iBAAe,YAAY;AAEvB,UAAM,KAAK,YAAY;AAGvB,QAAI,iBAAiB;AACrB,QAAI,eAAe,KAAK,QAAQ,6BAA6B,MAAM,aAAa;AAC5E,UAAI,KAAK,UAAU,KAAK;AACpB,yBAAiB;AAAA,MACrB,OAAO;AACH,aAAK,IAAI,KAAK,uBAAuB;AACrC,aAAK,OAAO,IAAI,MAAM,KAAK,SAAS;AAAA,UAChC,KAAK,CAAC,QAAQ,QAAQ;AAClB,gBAAI;AACJ,gBAAI,CAAC,OAAO,IAAI,SAAS,CAAC,GAAG;AACzB,oBAAM,SAAS,IAAI,SAAS,EAAE,YAAY;AAC1C,sBAAQ,OAAO,MAAM;AAAA,YACzB,OAAO;AACH,sBAAQ,OAAO,IAAI,SAAS,CAAC;AAAA,YACjC;AAEA,gBAAI,CAAC,SAAS,IAAI,SAAS,EAAE,YAAY,MAAM,QAAQ,YAAY,GAAG;AAClE,sBAAQ;AAAA,YACZ;AACA,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,QAAI,gBAAgB;AAEhB,WAAK,OAAO;AAAA;AAAA,QAER,CAAC,OAAO,GAAG,KAAK,QAAQ,qBAAqB,KAAK;AAAA,MACtD;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,QAAQ,WAAW,iBAAkB;AACrC,UAAM,QAAQ,MAAM,kBAAkB;AAGtC,UAAM,cAAc,CAAC;AACrB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACnC,YAAM,OAAO,MAAM,CAAC;AAEpB,UAAI,eAAe;AACnB,UAAI,KAAK,QAAQ;AACb,uBAAe,CAAC,KAAK,MAAM;AAAA,MAC/B,WAAW,KAAK,UAAU;AACtB,uBAAe,CAAC,GAAG,KAAK,QAAQ;AAAA,MACpC,OAAO;AACH,cAAM,IAAI,MAAM,wCAAwC,CAAC,EAAE;AAAA,MAC/D;AAEA,iBAAW,cAAc,cAAc;AACnC,cAAM,UAAU,EAAE,GAAG,MAAM,QAAQ,YAAY,UAAU,OAAU;AACnE,YAAI,CAAC,IAAI,aAAa,SAAS,QAAQ,MAAM,GAAG;AAC5C,gBAAM,IAAI,MAAM,mBAAmB,UAAU,2BAA2B,CAAC,EAAE;AAAA,QAC/E;AAEA,YAAI,CAAC,YAAY,UAAU,GAAG;AAC1B,sBAAY,UAAU,IAAI,CAAC;AAAA,QAC/B;AACA,oBAAY,UAAU,EAAE,KAAK,OAAO;AAAA,MACxC;AAAA,IACJ;AAEA,eAAW,aAAa,OAAO,KAAK,IAAI,aAAa,QAAQ,GAAG;AAiD5D,UAAS,cAAT,SAAqB,KAA0B;AAC3C,eAAO,CAAC;AAAA,MACZ;AAlDA,YAAMC,SAAQ,YAAY,SAAS,KAAK,CAAC;AACzC,YAAM,OAAO,IAAI,aAAa,SAAS,SAAS;AAGhD,UAAI;AACJ,YAAM,sBAAsB;AAwB5B,UAAI,4BAA4B,qBAAqB;AACjD,cAAM,IAAI,MAAM,4BAA4B,SAAS,wCAAwC;AAAA,MACjG;AAGA,UAAI,aAAa;AACb,QAAAA,OAAM,KAAK;AAAA,UACP,MAAM;AAAA,UACN,MAAM;AAAA,UACN,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,YAAY;AAAA,QAChB,CAAC;AAAA,MACL;AAIA,sCAAgC,MAAMA,MAAK;AAM3C,UAAI,aAAa,eAAe,WAAW;AAAA,QACvC,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,IAAI,CAAC,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AACxF,8BAAoB,KAAK,MAAM,UAAU,OAAO,KAAK,IAAI,aAAa,SAAS,SAAS,EAAE,MAAM,CAAC;AACjG,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,OAAO,QAAQ,IAAI;AAEjE,iBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QAC3D;AAAA,QACA,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC1D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,KAAK,OAAO,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AACA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,KAAK;AAEzC,cAAI,KAAK,UAAU;AACf,uBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,oBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,kBAAI,OAAO,aAAa,YAAY;AAChC,sBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,cAClE,OAAO;AACH,sBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,cACtC;AAAA,YACJ;AAAA,UACJ;AAEA,gBAAM,oBAAoB,MAAM,KAAK,UAAU,MAAM;AACrD,gBAAM,kBAAkB,CAAC;AACzB,0BAAgB,KAAK,UAAU,IAAI,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE;AAEhE,cAAI,mBAAmB;AACnB,kBAAM,QAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,iBAAiB,QAAQ,IAAI;AAEjF,kBAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,cAC1B;AAAA,cACA;AAAA,cACA;AAAA,YACJ,CAAC;AAED,gBAAI,MAAM,WAAW,GAAG;AACpB,oBAAM,IAAI,aAAa;AAAA,YAC3B;AAEA,mBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AAEA,iBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC3D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC9D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AAEA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,MAAM;AAG1C,cAAI,KAAK,UAAU;AACf,uBAAW,SAAS,QAAQ;AACxB,yBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,sBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,oBAAI,OAAO,aAAa,YAAY;AAChC,wBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,gBAClE,OAAO;AACH,wBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,gBACtC;AAAA,cACJ;AAAA,YACJ;AAAA,UACJ;AAEA,iBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC9D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC9D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC7D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,QAAQ,OAAO,QAAQ,IAAI;AAEnE,iBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC7D;AAAA,QAEA,MAAM,WAAW,oBAAoB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AACtE,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UACjE;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,YAAY,OAAO,QAAQ,IAAI;AAEvE,iBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QACjE;AAAA,MACJ,CAAC;AAAA,IACL;AAAA,EACJ,CAAC;AACL,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAE1C,eAAe,gBAAgB,KAA0B,MAAM,OAAO,MAAM;AACxE,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,UAAU,sBAAsB,GAAG;AAEzC,UAAQ,SAAS,CAAC;AAElB,MAAI,OAAO,SAAS,UAAU;AAC1B,UAAM,EAAE,OAAO,IAAI;AAGnB,QAAI,QAAQ;AACR,iBAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACnC,cAAM,UAAU,OAAO,GAAG;AAC1B,YAAI,OAAO,YAAY,UAAU;AAE7B,gBAAM,GAAG,IAAI;AAAA,YACT,IAAI,QAAQ,KAAK,OAAO;AAAA,UAC5B;AAAA,QACJ,OAAO;AAKH,qBAAW,aAAa,OAAO,KAAK,OAAO,GAAG;AAC1C,kBAAM,SAAS,QAAQ,SAAS;AAChC,kBAAM,GAAG,IAAI;AAAA,cACT,CAAC,SAAS,GAAG,QAAQ,KAAK,MAAM;AAAA,YACpC;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ,WAAW,OAAO,SAAS,YAAY;AACnC,YAAQ,MAAM,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;AAAA,EAC3C;AACA,SAAO;AACX;AAEA,eAAe,uBAAuB,KAA0B,OAA2B,SAAiB,eAAuB,aAAa,OAAO;AACnJ,QAAM,UAAU,sBAAsB,GAAG;AACzC,QAAM,QAAQ,yBAAyB;AACvC,QAAM,QAAQ,SAAS,SAAS,SAAS,eAAe,UAAU;AAClE,QAAM,OAAO,kBAAS,OAAO,KAAK;AAClC,MAAI,CAAC,MAAM;AACP,QAAI,MAAM,QAAQ,IAAI,KAAK,EAAE,OAAO,MAAM,GAAG,mBAAmB;AAChE,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,MAAI,MAAM,QAAQ,IAAI,MAAM,EAAE,OAAO,KAAK,GAAG,YAAY;AACzD,SAAO;AACX;AAEA,SAAS,oBAAoB,MAAM,QAAQ;AACvC,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,eAAW,SAAS,QAAQ;AACxB,UAAI,CAAC,eAAe,SAAS,KAAK,GAAG;AACjC,cAAM,IAAI,kBAAkB,KAAK;AAAA,MACrC;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAM,iBAAiB,CAAC,QAAQ,mBAAmB;AAC/C,aAAW,SAAS,QAAQ;AACxB,UAAM,cAAc,OAAO,KAAK,KAAK;AACrC,eAAW,cAAc,aAAa;AAClC,UAAI,CAAC,eAAe,SAAS,UAAU,GAAG;AACtC,cAAM,IAAI,kBAAkB,UAAU;AAAA,MAC1C;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,SAAS,yBAAyB,MAAM,QAAQ;AAC5C,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,QAAI,CAAC,MAAM,QAAQ,MAAM,GAAG;AAExB,qBAAe,CAAC,MAAM,GAAG,cAAc;AAAA,IAC3C,OAAO;AAEH,qBAAe,QAAQ,cAAc;AAAA,IACzC;AAAA,EACJ;AACJ;AAEA,SAAS,gCAAgC,MAAc,OAAO;AAE1D,QAAM,kBACF,OAAO,OAAO,KAAK,MAAM,EACpB,OAAO,OAAM,CAAC,EAAE,cAAc,CAAC,EAAE,UAAW,EAC5C,IAAI,CAAC,EAAE,UAAU,MAAO,SAAU;AAE3C,aAAW,QAAQ,OAAO;AACtB,UAAM,EAAE,QAAQ,KAAK,IAAI;AACzB,QAAI,QAAQ,KAAK,QAAQ;AACrB,YAAM,SAAS,KAAK;AACpB,iBAAW,UAAU,iBAAiB;AAClC,YAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC1B,gBAAM,IAAI,wBAAwB,QAAQ,MAAM;AAAA,QACpD;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAO,gBAAQ;","names":["createError","import_fastify_logto","fp","fastifyLogto","rules"]}

package/lib/index.js

@@ -241,7 +241,8 @@ var platformaticLogto = fp(async (app, opts) => {
           role: PLT_ADMIN_ROLE,
           find: true,
           save: true,
-          delete: true
+          delete: true,
+          updateMany: true
         });
       }
       checkSaveMandatoryFieldsInRules(type, rules2);

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/utils/find-rule.ts","../src/utils/utils.ts","../src/utils/errors.ts"],"sourcesContent":["import fp from 'fastify-plugin'\nimport * as fastifyUser from 'fastify-user'\n\nimport findRule from './utils/find-rule.js'\nimport { getRequestFromContext, getRoles } from './utils/utils.js'\nimport { Unauthorized, UnauthorizedField, MissingNotNullableError } from './utils/errors.js'\nimport fastifyLogto from '@albirex/fastify-logto';\nimport { FastifyInstance, FastifyPluginAsync } from 'fastify'\nimport type { FastifyUserPluginOptions } from 'fastify-user';\nimport type { Entity, PlatformaticContext } from '@platformatic/sql-mapper'\nexport { fastifyLogto } from '@albirex/fastify-logto';\n\nconst PLT_ADMIN_ROLE = 'platformatic-admin'\n\nexport type PlatformaticRule = {\n    role: string;\n    entity?: string;\n    entities?: string[];\n    defaults?: Record<string, string>;\n    checks?: boolean;\n    find?: boolean;\n    save?: boolean;\n    delete?: boolean;\n\n};\n\nexport type PlatformaticLogtoAuthOptions = {\n    logtoBaseUrl?: string;\n    logtoAppId?: string;\n    logtoAppSecret?: string;\n    adminSecret?: string;\n    rolePath?: string;\n    roleKey?: string;\n    userPath?: string;\n    userKey?: string;\n    anonymousRole?: string;\n    allowAnonymous?: boolean;\n    checks?: boolean;\n    defaults?: boolean;\n    jwtPlugin: FastifyUserPluginOptions\n};\n\nexport const platformaticLogto: FastifyPluginAsync<PlatformaticLogtoAuthOptions> = fp(async (app: FastifyInstance, opts: PlatformaticLogtoAuthOptions) => {\n    app.register(fastifyLogto, {\n        endpoint: opts.logtoBaseUrl || 'https://auth.example.com',\n        appId: opts.logtoAppId || 'your-app-id',\n        appSecret: opts.logtoAppSecret || 'your-app-secret',\n    });\n\n    await app.register(fastifyUser as unknown as FastifyPluginAsync, opts.jwtPlugin);\n\n    const adminSecret = opts.adminSecret\n    const roleKey = opts.rolePath || opts.roleKey || 'X-PLATFORMATIC-ROLE'\n    const userKey = opts.userPath || opts.userKey || 'X-PLATFORMATIC-USER-ID'\n    const isRolePath = !!opts.rolePath // if `true` the role is intepreted as path like `user.role`\n    const anonymousRole = opts.anonymousRole || 'anonymous'\n\n    async function composeLogToRules() {\n        const rolesResp = await app.logto.callAPI('/api/roles?type=User', 'GET');\n\n        if (!rolesResp.ok) {\n            throw rolesResp;\n        }\n\n        const roles = await rolesResp.json();\n        const rules: PlatformaticRule[] = [{\n            role: anonymousRole,\n            entities: Object.keys(app.platformatic.entities),\n            find: opts.allowAnonymous,\n            save: opts.allowAnonymous,\n            delete: opts.allowAnonymous,\n        }];\n\n        for (const role of roles) {\n            const scopesResp = await app.logto.callAPI(`/api/roles/${role.id}/scopes`, 'GET');\n\n            if (!scopesResp.ok) {\n                throw scopesResp;\n            }\n\n            const scopes = await scopesResp.json();\n\n            for (const scope of scopes) {\n                const roleName = role.name;\n                // eslint-disable-next-line prefer-const\n                let [scopeAction, entity] = scope.name.split(':');\n\n                if (!app.platformatic.entities[entity]) {\n                    app.log.debug(`Unknown entity '${entity}' in authorization rule`)\n                    continue;\n                }\n\n                switch (scopeAction) {\n                    case 'create':\n                        scopeAction = 'save'\n                        break;\n                    case 'read':\n                        scopeAction = 'find'\n                        break;\n                    case 'update':\n                        scopeAction = 'updateMany'\n                        break;\n                }\n\n                const checkExists = rules.find(r => r.role === roleName && r.entity === entity);\n                if (checkExists) {\n                    if (opts.checks) {\n                        checkExists[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        checkExists[scopeAction] = true;\n                    }\n                } else {\n                    const newRule: PlatformaticRule = {\n                        role: roleName,\n                        entity,\n                    };\n\n                    if (opts.checks) {\n                        newRule[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        newRule[scopeAction] = true;\n                    }\n\n                    if (opts.defaults) {\n                        newRule.defaults = {\n                            userId: userKey\n                        };\n                    }\n\n                    rules.push(newRule);\n                }\n            }\n        }\n\n        const logRules = rules.reduce((prev, curr) => {\n            (prev[curr['role']] ??= []).push(curr);\n            return prev;\n        }, {})\n\n        for (const key in logRules) {\n            app.log.info(`Rules set for role ${key}`);\n\n            for (const element of logRules[key]) {\n                // eslint-disable-next-line @typescript-eslint/no-unused-vars\n                const { entity, entities, role, ...other } = element;\n                app.log.info(`\\t${entity ?? entities.join(',')}: ${JSON.stringify(other)}`);\n            }\n        }\n\n        const missingEntities = Object.keys(app.platformatic.entities).filter((e) => !rules.map((r) => r.entity).includes(e));\n\n        if (missingEntities.length) {\n            app.log.warn(`Missing rules for entities: ${missingEntities.join(', ')}`);\n        }\n\n        app.log.debug('LogTo calculated rules');\n        app.log.debug(rules);\n        return rules;\n    }\n\n    app.decorateRequest('setupDBAuthorizationUser', setupUser)\n\n    async function setupUser() {\n        // if (!adminSecret) {\n        await this.extractUser()\n        // }\n\n        let forceAdminRole = false\n        if (adminSecret && this.headers['x-platformatic-admin-secret'] === adminSecret) {\n            if (opts.jwtPlugin.jwt) {\n                forceAdminRole = true\n            } else {\n                this.log.info('admin secret is valid')\n                this.user = new Proxy(this.headers, {\n                    get: (target, key) => {\n                        let value;\n                        if (!target[key.toString()]) {\n                            const newKey = key.toString().toLowerCase()\n                            value = target[newKey]\n                        } else {\n                            value = target[key.toString()]\n                        }\n\n                        if (!value && key.toString().toLowerCase() === roleKey.toLowerCase()) {\n                            value = PLT_ADMIN_ROLE\n                        }\n                        return value\n                    },\n                })\n            }\n        }\n\n        if (forceAdminRole) {\n            // We replace just the role in `request.user`, all the rest is untouched\n            this.user = {\n                // ...request.user,\n                [roleKey]: this.headers['x-platformatic-role'] ?? PLT_ADMIN_ROLE\n            }\n        }\n    }\n\n    app.addHook('onReady', async function () {\n        const rules = await composeLogToRules();\n\n        // TODO validate that there is at most a rule for a given role\n        const entityRules = {};\n        for (let i = 0; i < rules.length; i++) {\n            const rule = rules[i]\n\n            let ruleEntities = null\n            if (rule.entity) {\n                ruleEntities = [rule.entity]\n            } else if (rule.entities) {\n                ruleEntities = [...rule.entities]\n            } else {\n                throw new Error(`Missing entity in authorization rule ${i}`)\n            }\n\n            for (const ruleEntity of ruleEntities) {\n                const newRule = { ...rule, entity: ruleEntity, entities: undefined }\n                if (!app.platformatic.entities[newRule.entity]) {\n                    throw new Error(`Unknown entity '${ruleEntity}' in authorization rule ${i}`)\n                }\n\n                if (!entityRules[ruleEntity]) {\n                    entityRules[ruleEntity] = []\n                }\n                entityRules[ruleEntity].push(newRule)\n            }\n        }\n\n        for (const entityKey of Object.keys(app.platformatic.entities)) {\n            const rules = entityRules[entityKey] || []\n            const type = app.platformatic.entities[entityKey]\n\n            // We have subscriptions!\n            let userPropToFillForPublish\n            const topicsWithoutChecks = false\n\n            // mqtt\n            // if (app.platformatic.mq) {\n            //     for (const rule of rules) {\n            //         const checks = rule.find?.checks\n            //         if (typeof checks !== 'object') {\n            //             topicsWithoutChecks = !!rule.find\n            //             continue\n            //         }\n            //         const keys = Object.keys(checks)\n            //         if (keys.length !== 1) {\n            //             throw new Error(`Subscription requires that the role \"${rule.role}\" has only one check in the find rule for entity \"${rule.entity}\"`)\n            //         }\n            //         const key = keys[0]\n\n            //         const val = typeof checks[key] === 'object' ? checks[key].eq : checks[key]\n            //         if (userPropToFillForPublish && userPropToFillForPublish.val !== val) {\n            //             throw new Error('Unable to configure subscriptions and authorization due to multiple check clauses in find')\n            //         }\n            //         userPropToFillForPublish = { key, val }\n            //     }\n            // }\n\n            if (userPropToFillForPublish && topicsWithoutChecks) {\n                throw new Error(`Subscription for entity \"${entityKey}\" have conflictling rules across roles`)\n            }\n\n            // MUST set this after doing the security checks on the subscriptions\n            if (adminSecret) {\n                rules.push({\n                    role: PLT_ADMIN_ROLE,\n                    find: true,\n                    save: true,\n                    delete: true,\n                })\n            }\n\n            // If we have `fields` in save rules, we need to check if all the not-nullable\n            // fields are specified\n            checkSaveMandatoryFieldsInRules(type, rules)\n\n            function useOriginal(ctx: PlatformaticContext) {\n                return !ctx\n            }\n\n            app.platformatic.addEntityHooks(entityKey, {\n                async find(originalFind, { where, ctx, fields, ...restOpts } = {}) {\n                    if (useOriginal(ctx)) {\n                        return originalFind({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n                    checkFieldsFromRule(rule.find, fields || Object.keys(app.platformatic.entities[entityKey].fields))\n                    where = await fromRuleToWhere(ctx, rule.find, where, request.user)\n\n                    return originalFind({ ...restOpts, where, ctx, fields })\n                },\n                async save(originalSave, { input, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalSave({ ctx, input, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, input)\n\n                    if (rule.defaults) {\n                        for (const key of Object.keys(rule.defaults)) {\n                            const defaults = rule.defaults[key]\n                            if (typeof defaults === 'function') {\n                                input[key] = await defaults({ user: request.user, ctx, input })\n                            } else {\n                                input[key] = request.user[defaults]\n                            }\n                        }\n                    }\n\n                    const hasAllPrimaryKeys = input[type.primaryKey] !== undefined;\n                    const whereConditions = {}\n                    whereConditions[type.primaryKey] = { eq: input[type.primaryKey] }\n\n                    if (hasAllPrimaryKeys) {\n                        const where = await fromRuleToWhere(ctx, rule.save, whereConditions, request.user)\n\n                        const found = await type.find({\n                            where,\n                            ctx,\n                            fields,\n                        })\n\n                        if (found.length === 0) {\n                            throw new Unauthorized()\n                        }\n\n                        return originalSave({ input, ctx, fields, ...restOpts })\n                    }\n\n                    return originalSave({ input, ctx, fields, ...restOpts })\n                },\n\n                async insert(originalInsert, { inputs, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalInsert({ inputs, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, inputs)\n\n                    /* istanbul ignore else */\n                    if (rule.defaults) {\n                        for (const input of inputs) {\n                            for (const key of Object.keys(rule.defaults)) {\n                                const defaults = rule.defaults[key]\n                                if (typeof defaults === 'function') {\n                                    input[key] = await defaults({ user: request.user, ctx, input })\n                                } else {\n                                    input[key] = request.user[defaults]\n                                }\n                            }\n                        }\n                    }\n\n                    return originalInsert({ inputs, ctx, fields, ...restOpts })\n                },\n\n                async delete(originalDelete, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalDelete({ where, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.delete, where, request.user)\n\n                    return originalDelete({ where, ctx, fields, ...restOpts })\n                },\n\n                async updateMany(originalUpdateMany, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.updateMany, where, request.user)\n\n                    return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                },\n            })\n        }\n    })\n}, { name: '@albirex/platformatic-logto' });\n\nasync function fromRuleToWhere(ctx: PlatformaticContext, rule, where, user) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const request = getRequestFromContext(ctx)\n    /* istanbul ignore next */\n    where = where || {}\n\n    if (typeof rule === 'object') {\n        const { checks } = rule\n\n        /* istanbul ignore else */\n        if (checks) {\n            for (const key of Object.keys(checks)) {\n                const clauses = checks[key]\n                if (typeof clauses === 'string') {\n                    // case: \"userId\": \"X-PLATFORMATIC-USER-ID\"\n                    where[key] = {\n                        eq: request.user[clauses],\n                    }\n                } else {\n                    // case:\n                    // userId: {\n                    //   eq: 'X-PLATFORMATIC-USER-ID'\n                    // }\n                    for (const clauseKey of Object.keys(clauses)) {\n                        const clause = clauses[clauseKey]\n                        where[key] = {\n                            [clauseKey]: request.user[clause],\n                        }\n                    }\n                }\n            }\n        }\n    } else if (typeof rule === 'function') {\n        where = await rule({ user, ctx, where })\n    }\n    return where\n}\n\nasync function findRuleForRequestUser(ctx: PlatformaticContext, rules: PlatformaticRule[], roleKey: string, anonymousRole: string, isRolePath = false) {\n    const request = getRequestFromContext(ctx)\n    await request.setupDBAuthorizationUser()\n    const roles = getRoles(request, roleKey, anonymousRole, isRolePath)\n    const rule = findRule(rules, roles)\n    if (!rule) {\n        ctx.reply.request.log.warn({ roles, rules }, 'no rule for roles')\n        throw new Unauthorized()\n    }\n    ctx.reply.request.log.trace({ roles, rule }, 'found rule')\n    return rule\n}\n\nfunction checkFieldsFromRule(rule, fields) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        for (const field of fields) {\n            if (!fieldsFromRule.includes(field)) {\n                throw new UnauthorizedField(field)\n            }\n        }\n    }\n}\n\nconst validateInputs = (inputs, fieldsFromRule) => {\n    for (const input of inputs) {\n        const inputFields = Object.keys(input)\n        for (const inputField of inputFields) {\n            if (!fieldsFromRule.includes(inputField)) {\n                throw new UnauthorizedField(inputField)\n            }\n        }\n    }\n}\n\nfunction checkInputFromRuleFields(rule, inputs) {\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        if (!Array.isArray(inputs)) {\n            // save\n            validateInputs([inputs], fieldsFromRule)\n        } else {\n            // insert\n            validateInputs(inputs, fieldsFromRule)\n        }\n    }\n}\n\nfunction checkSaveMandatoryFieldsInRules(type: Entity, rules) {\n    // List of not nullable, not PKs field to validate save/insert when allowed fields are specified on the rule\n    const mandatoryFields =\n        Object.values(type.fields)\n            .filter(k => (!k.isNullable && !k.primaryKey))\n            .map(({ camelcase }) => (camelcase))\n\n    for (const rule of rules) {\n        const { entity, save } = rule\n        if (save && save.fields) {\n            const fields = save.fields\n            for (const mField of mandatoryFields) {\n                if (!fields.includes(mField)) {\n                    throw new MissingNotNullableError(mField, entity)\n                }\n            }\n        }\n    }\n}\n\nexport default platformaticLogto;\n","'use strict'\n\nimport { PlatformaticRule } from '../index.js'\n\nfunction findRule(rules: PlatformaticRule[], roles: string[]) {\n  let found = null\n  for (const rule of rules) {\n    for (const role of roles) {\n      if (rule.role === role) {\n        found = rule\n        break\n      }\n    }\n    if (found) {\n      break\n    }\n  }\n  return found\n}\n\nexport default findRule\n","'use strict'\n\nexport function getRequestFromContext (ctx) {\n  if (ctx && !ctx.reply) {\n    throw new Error('Missing reply in context. You should call this function with { ctx: { reply }}')\n  }\n  return ctx.reply.request\n}\n\nexport function getRoles (request, roleKey, anonymousRole, isRolePath = false) {\n  let output = []\n  const user = request.user\n  if (!user) {\n    output.push(anonymousRole)\n    return output\n  }\n\n  let rolesRaw\n  if (isRolePath) {\n    const roleKeys = roleKey.split('.')\n    rolesRaw = user\n    for (const key of roleKeys) {\n      rolesRaw = rolesRaw[key]\n    }\n  } else {\n    rolesRaw = user[roleKey]\n  }\n\n  if (typeof rolesRaw === 'string') {\n    output = rolesRaw.split(',')\n  } else if (Array.isArray(rolesRaw)) {\n    output = rolesRaw\n  }\n  if (output.length === 0) {\n    output.push(anonymousRole)\n  }\n\n  return output\n}\n","'use strict'\n\nimport createError from '@fastify/error'\n\nconst ERROR_PREFIX = 'PLT_DB_AUTH'\n\nexport const Unauthorized = createError(`${ERROR_PREFIX}_UNAUTHORIZED`, 'operation not allowed', 401)\nexport const UnauthorizedField = createError(`${ERROR_PREFIX}_FIELD_UNAUTHORIZED`, 'field not allowed: %s', 401)\nexport const MissingNotNullableError = createError(`${ERROR_PREFIX}_NOT_NULLABLE_MISSING`, 'missing not nullable field: \"%s\" in save rule for entity \"%s\"')\n"],"mappings":";AAAA,OAAO,QAAQ;AACf,YAAY,iBAAiB;;;ACG7B,SAAS,SAAS,OAA2B,OAAiB;AAC5D,MAAI,QAAQ;AACZ,aAAW,QAAQ,OAAO;AACxB,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,SAAS,MAAM;AACtB,gBAAQ;AACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO;AACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAO,oBAAQ;;;AClBR,SAAS,sBAAuB,KAAK;AAC1C,MAAI,OAAO,CAAC,IAAI,OAAO;AACrB,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,SAAO,IAAI,MAAM;AACnB;AAEO,SAAS,SAAU,SAAS,SAAS,eAAe,aAAa,OAAO;AAC7E,MAAI,SAAS,CAAC;AACd,QAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,aAAa;AACzB,WAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI,YAAY;AACd,UAAM,WAAW,QAAQ,MAAM,GAAG;AAClC,eAAW;AACX,eAAW,OAAO,UAAU;AAC1B,iBAAW,SAAS,GAAG;AAAA,IACzB;AAAA,EACF,OAAO;AACL,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,MAAI,OAAO,aAAa,UAAU;AAChC,aAAS,SAAS,MAAM,GAAG;AAAA,EAC7B,WAAW,MAAM,QAAQ,QAAQ,GAAG;AAClC,aAAS;AAAA,EACX;AACA,MAAI,OAAO,WAAW,GAAG;AACvB,WAAO,KAAK,aAAa;AAAA,EAC3B;AAEA,SAAO;AACT;;;ACpCA,OAAO,iBAAiB;AAExB,IAAM,eAAe;AAEd,IAAM,eAAe,YAAY,GAAG,YAAY,iBAAiB,yBAAyB,GAAG;AAC7F,IAAM,oBAAoB,YAAY,GAAG,YAAY,uBAAuB,yBAAyB,GAAG;AACxG,IAAM,0BAA0B,YAAY,GAAG,YAAY,yBAAyB,+DAA+D;;;AHF1J,OAAO,kBAAkB;AAIzB,SAAS,gBAAAA,qBAAoB;AAE7B,IAAM,iBAAiB;AA8BhB,IAAM,oBAAsE,GAAG,OAAO,KAAsB,SAAuC;AACtJ,MAAI,SAAS,cAAc;AAAA,IACvB,UAAU,KAAK,gBAAgB;AAAA,IAC/B,OAAO,KAAK,cAAc;AAAA,IAC1B,WAAW,KAAK,kBAAkB;AAAA,EACtC,CAAC;AAED,QAAM,IAAI,SAAS,aAA8C,KAAK,SAAS;AAE/E,QAAM,cAAc,KAAK;AACzB,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,aAAa,CAAC,CAAC,KAAK;AAC1B,QAAM,gBAAgB,KAAK,iBAAiB;AAE5C,iBAAe,oBAAoB;AAC/B,UAAM,YAAY,MAAM,IAAI,MAAM,QAAQ,wBAAwB,KAAK;AAEvE,QAAI,CAAC,UAAU,IAAI;AACf,YAAM;AAAA,IACV;AAEA,UAAM,QAAQ,MAAM,UAAU,KAAK;AACnC,UAAM,QAA4B,CAAC;AAAA,MAC/B,MAAM;AAAA,MACN,UAAU,OAAO,KAAK,IAAI,aAAa,QAAQ;AAAA,MAC/C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,QAAQ,KAAK;AAAA,IACjB,CAAC;AAED,eAAW,QAAQ,OAAO;AACtB,YAAM,aAAa,MAAM,IAAI,MAAM,QAAQ,cAAc,KAAK,EAAE,WAAW,KAAK;AAEhF,UAAI,CAAC,WAAW,IAAI;AAChB,cAAM;AAAA,MACV;AAEA,YAAM,SAAS,MAAM,WAAW,KAAK;AAErC,iBAAW,SAAS,QAAQ;AACxB,cAAM,WAAW,KAAK;AAEtB,YAAI,CAAC,aAAa,MAAM,IAAI,MAAM,KAAK,MAAM,GAAG;AAEhD,YAAI,CAAC,IAAI,aAAa,SAAS,MAAM,GAAG;AACpC,cAAI,IAAI,MAAM,mBAAmB,MAAM,yBAAyB;AAChE;AAAA,QACJ;AAEA,gBAAQ,aAAa;AAAA,UACjB,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,QACR;AAEA,cAAM,cAAc,MAAM,KAAK,OAAK,EAAE,SAAS,YAAY,EAAE,WAAW,MAAM;AAC9E,YAAI,aAAa;AACb,cAAI,KAAK,QAAQ;AACb,wBAAY,WAAW,IAAI;AAAA,cACvB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,wBAAY,WAAW,IAAI;AAAA,UAC/B;AAAA,QACJ,OAAO;AACH,gBAAM,UAA4B;AAAA,YAC9B,MAAM;AAAA,YACN;AAAA,UACJ;AAEA,cAAI,KAAK,QAAQ;AACb,oBAAQ,WAAW,IAAI;AAAA,cACnB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,oBAAQ,WAAW,IAAI;AAAA,UAC3B;AAEA,cAAI,KAAK,UAAU;AACf,oBAAQ,WAAW;AAAA,cACf,QAAQ;AAAA,YACZ;AAAA,UACJ;AAEA,gBAAM,KAAK,OAAO;AAAA,QACtB;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,WAAW,MAAM,OAAO,CAAC,MAAM,SAAS;AAC1C,OAAC,KAAK,KAAK,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI;AACrC,aAAO;AAAA,IACX,GAAG,CAAC,CAAC;AAEL,eAAW,OAAO,UAAU;AACxB,UAAI,IAAI,KAAK,sBAAsB,GAAG,EAAE;AAExC,iBAAW,WAAW,SAAS,GAAG,GAAG;AAEjC,cAAM,EAAE,QAAQ,UAAU,MAAM,GAAG,MAAM,IAAI;AAC7C,YAAI,IAAI,KAAK,IAAK,UAAU,SAAS,KAAK,GAAG,CAAC,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MAC9E;AAAA,IACJ;AAEA,UAAM,kBAAkB,OAAO,KAAK,IAAI,aAAa,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEpH,QAAI,gBAAgB,QAAQ;AACxB,UAAI,IAAI,KAAK,+BAA+B,gBAAgB,KAAK,IAAI,CAAC,EAAE;AAAA,IAC5E;AAEA,QAAI,IAAI,MAAM,wBAAwB;AACtC,QAAI,IAAI,MAAM,KAAK;AACnB,WAAO;AAAA,EACX;AAEA,MAAI,gBAAgB,4BAA4B,SAAS;AAEzD,iBAAe,YAAY;AAEvB,UAAM,KAAK,YAAY;AAGvB,QAAI,iBAAiB;AACrB,QAAI,eAAe,KAAK,QAAQ,6BAA6B,MAAM,aAAa;AAC5E,UAAI,KAAK,UAAU,KAAK;AACpB,yBAAiB;AAAA,MACrB,OAAO;AACH,aAAK,IAAI,KAAK,uBAAuB;AACrC,aAAK,OAAO,IAAI,MAAM,KAAK,SAAS;AAAA,UAChC,KAAK,CAAC,QAAQ,QAAQ;AAClB,gBAAI;AACJ,gBAAI,CAAC,OAAO,IAAI,SAAS,CAAC,GAAG;AACzB,oBAAM,SAAS,IAAI,SAAS,EAAE,YAAY;AAC1C,sBAAQ,OAAO,MAAM;AAAA,YACzB,OAAO;AACH,sBAAQ,OAAO,IAAI,SAAS,CAAC;AAAA,YACjC;AAEA,gBAAI,CAAC,SAAS,IAAI,SAAS,EAAE,YAAY,MAAM,QAAQ,YAAY,GAAG;AAClE,sBAAQ;AAAA,YACZ;AACA,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,QAAI,gBAAgB;AAEhB,WAAK,OAAO;AAAA;AAAA,QAER,CAAC,OAAO,GAAG,KAAK,QAAQ,qBAAqB,KAAK;AAAA,MACtD;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,QAAQ,WAAW,iBAAkB;AACrC,UAAM,QAAQ,MAAM,kBAAkB;AAGtC,UAAM,cAAc,CAAC;AACrB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACnC,YAAM,OAAO,MAAM,CAAC;AAEpB,UAAI,eAAe;AACnB,UAAI,KAAK,QAAQ;AACb,uBAAe,CAAC,KAAK,MAAM;AAAA,MAC/B,WAAW,KAAK,UAAU;AACtB,uBAAe,CAAC,GAAG,KAAK,QAAQ;AAAA,MACpC,OAAO;AACH,cAAM,IAAI,MAAM,wCAAwC,CAAC,EAAE;AAAA,MAC/D;AAEA,iBAAW,cAAc,cAAc;AACnC,cAAM,UAAU,EAAE,GAAG,MAAM,QAAQ,YAAY,UAAU,OAAU;AACnE,YAAI,CAAC,IAAI,aAAa,SAAS,QAAQ,MAAM,GAAG;AAC5C,gBAAM,IAAI,MAAM,mBAAmB,UAAU,2BAA2B,CAAC,EAAE;AAAA,QAC/E;AAEA,YAAI,CAAC,YAAY,UAAU,GAAG;AAC1B,sBAAY,UAAU,IAAI,CAAC;AAAA,QAC/B;AACA,oBAAY,UAAU,EAAE,KAAK,OAAO;AAAA,MACxC;AAAA,IACJ;AAEA,eAAW,aAAa,OAAO,KAAK,IAAI,aAAa,QAAQ,GAAG;AAgD5D,UAAS,cAAT,SAAqB,KAA0B;AAC3C,eAAO,CAAC;AAAA,MACZ;AAjDA,YAAMC,SAAQ,YAAY,SAAS,KAAK,CAAC;AACzC,YAAM,OAAO,IAAI,aAAa,SAAS,SAAS;AAGhD,UAAI;AACJ,YAAM,sBAAsB;AAwB5B,UAAI,4BAA4B,qBAAqB;AACjD,cAAM,IAAI,MAAM,4BAA4B,SAAS,wCAAwC;AAAA,MACjG;AAGA,UAAI,aAAa;AACb,QAAAA,OAAM,KAAK;AAAA,UACP,MAAM;AAAA,UACN,MAAM;AAAA,UACN,MAAM;AAAA,UACN,QAAQ;AAAA,QACZ,CAAC;AAAA,MACL;AAIA,sCAAgC,MAAMA,MAAK;AAM3C,UAAI,aAAa,eAAe,WAAW;AAAA,QACvC,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,IAAI,CAAC,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AACxF,8BAAoB,KAAK,MAAM,UAAU,OAAO,KAAK,IAAI,aAAa,SAAS,SAAS,EAAE,MAAM,CAAC;AACjG,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,OAAO,QAAQ,IAAI;AAEjE,iBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QAC3D;AAAA,QACA,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC1D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,KAAK,OAAO,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AACA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,KAAK;AAEzC,cAAI,KAAK,UAAU;AACf,uBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,oBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,kBAAI,OAAO,aAAa,YAAY;AAChC,sBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,cAClE,OAAO;AACH,sBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,cACtC;AAAA,YACJ;AAAA,UACJ;AAEA,gBAAM,oBAAoB,MAAM,KAAK,UAAU,MAAM;AACrD,gBAAM,kBAAkB,CAAC;AACzB,0BAAgB,KAAK,UAAU,IAAI,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE;AAEhE,cAAI,mBAAmB;AACnB,kBAAM,QAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,iBAAiB,QAAQ,IAAI;AAEjF,kBAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,cAC1B;AAAA,cACA;AAAA,cACA;AAAA,YACJ,CAAC;AAED,gBAAI,MAAM,WAAW,GAAG;AACpB,oBAAM,IAAI,aAAa;AAAA,YAC3B;AAEA,mBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AAEA,iBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC3D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC9D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AAEA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,MAAM;AAG1C,cAAI,KAAK,UAAU;AACf,uBAAW,SAAS,QAAQ;AACxB,yBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,sBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,oBAAI,OAAO,aAAa,YAAY;AAChC,wBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,gBAClE,OAAO;AACH,wBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,gBACtC;AAAA,cACJ;AAAA,YACJ;AAAA,UACJ;AAEA,iBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC9D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC9D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC7D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,QAAQ,OAAO,QAAQ,IAAI;AAEnE,iBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC7D;AAAA,QAEA,MAAM,WAAW,oBAAoB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AACtE,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UACjE;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,YAAY,OAAO,QAAQ,IAAI;AAEvE,iBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QACjE;AAAA,MACJ,CAAC;AAAA,IACL;AAAA,EACJ,CAAC;AACL,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAE1C,eAAe,gBAAgB,KAA0B,MAAM,OAAO,MAAM;AACxE,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,UAAU,sBAAsB,GAAG;AAEzC,UAAQ,SAAS,CAAC;AAElB,MAAI,OAAO,SAAS,UAAU;AAC1B,UAAM,EAAE,OAAO,IAAI;AAGnB,QAAI,QAAQ;AACR,iBAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACnC,cAAM,UAAU,OAAO,GAAG;AAC1B,YAAI,OAAO,YAAY,UAAU;AAE7B,gBAAM,GAAG,IAAI;AAAA,YACT,IAAI,QAAQ,KAAK,OAAO;AAAA,UAC5B;AAAA,QACJ,OAAO;AAKH,qBAAW,aAAa,OAAO,KAAK,OAAO,GAAG;AAC1C,kBAAM,SAAS,QAAQ,SAAS;AAChC,kBAAM,GAAG,IAAI;AAAA,cACT,CAAC,SAAS,GAAG,QAAQ,KAAK,MAAM;AAAA,YACpC;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ,WAAW,OAAO,SAAS,YAAY;AACnC,YAAQ,MAAM,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;AAAA,EAC3C;AACA,SAAO;AACX;AAEA,eAAe,uBAAuB,KAA0B,OAA2B,SAAiB,eAAuB,aAAa,OAAO;AACnJ,QAAM,UAAU,sBAAsB,GAAG;AACzC,QAAM,QAAQ,yBAAyB;AACvC,QAAM,QAAQ,SAAS,SAAS,SAAS,eAAe,UAAU;AAClE,QAAM,OAAO,kBAAS,OAAO,KAAK;AAClC,MAAI,CAAC,MAAM;AACP,QAAI,MAAM,QAAQ,IAAI,KAAK,EAAE,OAAO,MAAM,GAAG,mBAAmB;AAChE,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,MAAI,MAAM,QAAQ,IAAI,MAAM,EAAE,OAAO,KAAK,GAAG,YAAY;AACzD,SAAO;AACX;AAEA,SAAS,oBAAoB,MAAM,QAAQ;AACvC,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,eAAW,SAAS,QAAQ;AACxB,UAAI,CAAC,eAAe,SAAS,KAAK,GAAG;AACjC,cAAM,IAAI,kBAAkB,KAAK;AAAA,MACrC;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAM,iBAAiB,CAAC,QAAQ,mBAAmB;AAC/C,aAAW,SAAS,QAAQ;AACxB,UAAM,cAAc,OAAO,KAAK,KAAK;AACrC,eAAW,cAAc,aAAa;AAClC,UAAI,CAAC,eAAe,SAAS,UAAU,GAAG;AACtC,cAAM,IAAI,kBAAkB,UAAU;AAAA,MAC1C;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,SAAS,yBAAyB,MAAM,QAAQ;AAC5C,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,QAAI,CAAC,MAAM,QAAQ,MAAM,GAAG;AAExB,qBAAe,CAAC,MAAM,GAAG,cAAc;AAAA,IAC3C,OAAO;AAEH,qBAAe,QAAQ,cAAc;AAAA,IACzC;AAAA,EACJ;AACJ;AAEA,SAAS,gCAAgC,MAAc,OAAO;AAE1D,QAAM,kBACF,OAAO,OAAO,KAAK,MAAM,EACpB,OAAO,OAAM,CAAC,EAAE,cAAc,CAAC,EAAE,UAAW,EAC5C,IAAI,CAAC,EAAE,UAAU,MAAO,SAAU;AAE3C,aAAW,QAAQ,OAAO;AACtB,UAAM,EAAE,QAAQ,KAAK,IAAI;AACzB,QAAI,QAAQ,KAAK,QAAQ;AACrB,YAAM,SAAS,KAAK;AACpB,iBAAW,UAAU,iBAAiB;AAClC,YAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC1B,gBAAM,IAAI,wBAAwB,QAAQ,MAAM;AAAA,QACpD;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAO,gBAAQ;","names":["fastifyLogto","rules"]}
+{"version":3,"sources":["../src/index.ts","../src/utils/find-rule.ts","../src/utils/utils.ts","../src/utils/errors.ts"],"sourcesContent":["import fp from 'fastify-plugin'\nimport * as fastifyUser from 'fastify-user'\n\nimport findRule from './utils/find-rule.js'\nimport { getRequestFromContext, getRoles } from './utils/utils.js'\nimport { Unauthorized, UnauthorizedField, MissingNotNullableError } from './utils/errors.js'\nimport fastifyLogto from '@albirex/fastify-logto';\nimport { FastifyInstance, FastifyPluginAsync } from 'fastify'\nimport type { FastifyUserPluginOptions } from 'fastify-user';\nimport type { Entity, PlatformaticContext } from '@platformatic/sql-mapper'\nexport { fastifyLogto } from '@albirex/fastify-logto';\n\nconst PLT_ADMIN_ROLE = 'platformatic-admin'\n\nexport type PlatformaticRule = {\n    role: string;\n    entity?: string;\n    entities?: string[];\n    defaults?: Record<string, string>;\n    checks?: boolean;\n    find?: boolean;\n    save?: boolean;\n    delete?: boolean;\n\n};\n\nexport type PlatformaticLogtoAuthOptions = {\n    logtoBaseUrl?: string;\n    logtoAppId?: string;\n    logtoAppSecret?: string;\n    adminSecret?: string;\n    rolePath?: string;\n    roleKey?: string;\n    userPath?: string;\n    userKey?: string;\n    anonymousRole?: string;\n    allowAnonymous?: boolean;\n    checks?: boolean;\n    defaults?: boolean;\n    jwtPlugin: FastifyUserPluginOptions\n};\n\nexport const platformaticLogto: FastifyPluginAsync<PlatformaticLogtoAuthOptions> = fp(async (app: FastifyInstance, opts: PlatformaticLogtoAuthOptions) => {\n    app.register(fastifyLogto, {\n        endpoint: opts.logtoBaseUrl || 'https://auth.example.com',\n        appId: opts.logtoAppId || 'your-app-id',\n        appSecret: opts.logtoAppSecret || 'your-app-secret',\n    });\n\n    await app.register(fastifyUser as unknown as FastifyPluginAsync, opts.jwtPlugin);\n\n    const adminSecret = opts.adminSecret\n    const roleKey = opts.rolePath || opts.roleKey || 'X-PLATFORMATIC-ROLE'\n    const userKey = opts.userPath || opts.userKey || 'X-PLATFORMATIC-USER-ID'\n    const isRolePath = !!opts.rolePath // if `true` the role is intepreted as path like `user.role`\n    const anonymousRole = opts.anonymousRole || 'anonymous'\n\n    async function composeLogToRules() {\n        const rolesResp = await app.logto.callAPI('/api/roles?type=User', 'GET');\n\n        if (!rolesResp.ok) {\n            throw rolesResp;\n        }\n\n        const roles = await rolesResp.json();\n        const rules: PlatformaticRule[] = [{\n            role: anonymousRole,\n            entities: Object.keys(app.platformatic.entities),\n            find: opts.allowAnonymous,\n            save: opts.allowAnonymous,\n            delete: opts.allowAnonymous,\n        }];\n\n        for (const role of roles) {\n            const scopesResp = await app.logto.callAPI(`/api/roles/${role.id}/scopes`, 'GET');\n\n            if (!scopesResp.ok) {\n                throw scopesResp;\n            }\n\n            const scopes = await scopesResp.json();\n\n            for (const scope of scopes) {\n                const roleName = role.name;\n                // eslint-disable-next-line prefer-const\n                let [scopeAction, entity] = scope.name.split(':');\n\n                if (!app.platformatic.entities[entity]) {\n                    app.log.debug(`Unknown entity '${entity}' in authorization rule`)\n                    continue;\n                }\n\n                switch (scopeAction) {\n                    case 'create':\n                        scopeAction = 'save'\n                        break;\n                    case 'read':\n                        scopeAction = 'find'\n                        break;\n                    case 'update':\n                        scopeAction = 'updateMany'\n                        break;\n                }\n\n                const checkExists = rules.find(r => r.role === roleName && r.entity === entity);\n                if (checkExists) {\n                    if (opts.checks) {\n                        checkExists[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        checkExists[scopeAction] = true;\n                    }\n                } else {\n                    const newRule: PlatformaticRule = {\n                        role: roleName,\n                        entity,\n                    };\n\n                    if (opts.checks) {\n                        newRule[scopeAction] = {\n                            checks: {\n                                userId: userKey\n                            }\n                        };\n                    } else {\n                        newRule[scopeAction] = true;\n                    }\n\n                    if (opts.defaults) {\n                        newRule.defaults = {\n                            userId: userKey\n                        };\n                    }\n\n                    rules.push(newRule);\n                }\n            }\n        }\n\n        const logRules = rules.reduce((prev, curr) => {\n            (prev[curr['role']] ??= []).push(curr);\n            return prev;\n        }, {})\n\n        for (const key in logRules) {\n            app.log.info(`Rules set for role ${key}`);\n\n            for (const element of logRules[key]) {\n                // eslint-disable-next-line @typescript-eslint/no-unused-vars\n                const { entity, entities, role, ...other } = element;\n                app.log.info(`\\t${entity ?? entities.join(',')}: ${JSON.stringify(other)}`);\n            }\n        }\n\n        const missingEntities = Object.keys(app.platformatic.entities).filter((e) => !rules.map((r) => r.entity).includes(e));\n\n        if (missingEntities.length) {\n            app.log.warn(`Missing rules for entities: ${missingEntities.join(', ')}`);\n        }\n\n        app.log.debug('LogTo calculated rules');\n        app.log.debug(rules);\n        return rules;\n    }\n\n    app.decorateRequest('setupDBAuthorizationUser', setupUser)\n\n    async function setupUser() {\n        // if (!adminSecret) {\n        await this.extractUser()\n        // }\n\n        let forceAdminRole = false\n        if (adminSecret && this.headers['x-platformatic-admin-secret'] === adminSecret) {\n            if (opts.jwtPlugin.jwt) {\n                forceAdminRole = true\n            } else {\n                this.log.info('admin secret is valid')\n                this.user = new Proxy(this.headers, {\n                    get: (target, key) => {\n                        let value;\n                        if (!target[key.toString()]) {\n                            const newKey = key.toString().toLowerCase()\n                            value = target[newKey]\n                        } else {\n                            value = target[key.toString()]\n                        }\n\n                        if (!value && key.toString().toLowerCase() === roleKey.toLowerCase()) {\n                            value = PLT_ADMIN_ROLE\n                        }\n                        return value\n                    },\n                })\n            }\n        }\n\n        if (forceAdminRole) {\n            // We replace just the role in `request.user`, all the rest is untouched\n            this.user = {\n                // ...request.user,\n                [roleKey]: this.headers['x-platformatic-role'] ?? PLT_ADMIN_ROLE\n            }\n        }\n    }\n\n    app.addHook('onReady', async function () {\n        const rules = await composeLogToRules();\n\n        // TODO validate that there is at most a rule for a given role\n        const entityRules = {};\n        for (let i = 0; i < rules.length; i++) {\n            const rule = rules[i]\n\n            let ruleEntities = null\n            if (rule.entity) {\n                ruleEntities = [rule.entity]\n            } else if (rule.entities) {\n                ruleEntities = [...rule.entities]\n            } else {\n                throw new Error(`Missing entity in authorization rule ${i}`)\n            }\n\n            for (const ruleEntity of ruleEntities) {\n                const newRule = { ...rule, entity: ruleEntity, entities: undefined }\n                if (!app.platformatic.entities[newRule.entity]) {\n                    throw new Error(`Unknown entity '${ruleEntity}' in authorization rule ${i}`)\n                }\n\n                if (!entityRules[ruleEntity]) {\n                    entityRules[ruleEntity] = []\n                }\n                entityRules[ruleEntity].push(newRule)\n            }\n        }\n\n        for (const entityKey of Object.keys(app.platformatic.entities)) {\n            const rules = entityRules[entityKey] || []\n            const type = app.platformatic.entities[entityKey]\n\n            // We have subscriptions!\n            let userPropToFillForPublish\n            const topicsWithoutChecks = false\n\n            // mqtt\n            // if (app.platformatic.mq) {\n            //     for (const rule of rules) {\n            //         const checks = rule.find?.checks\n            //         if (typeof checks !== 'object') {\n            //             topicsWithoutChecks = !!rule.find\n            //             continue\n            //         }\n            //         const keys = Object.keys(checks)\n            //         if (keys.length !== 1) {\n            //             throw new Error(`Subscription requires that the role \"${rule.role}\" has only one check in the find rule for entity \"${rule.entity}\"`)\n            //         }\n            //         const key = keys[0]\n\n            //         const val = typeof checks[key] === 'object' ? checks[key].eq : checks[key]\n            //         if (userPropToFillForPublish && userPropToFillForPublish.val !== val) {\n            //             throw new Error('Unable to configure subscriptions and authorization due to multiple check clauses in find')\n            //         }\n            //         userPropToFillForPublish = { key, val }\n            //     }\n            // }\n\n            if (userPropToFillForPublish && topicsWithoutChecks) {\n                throw new Error(`Subscription for entity \"${entityKey}\" have conflictling rules across roles`)\n            }\n\n            // MUST set this after doing the security checks on the subscriptions\n            if (adminSecret) {\n                rules.push({\n                    role: PLT_ADMIN_ROLE,\n                    find: true,\n                    save: true,\n                    delete: true,\n                    updateMany: true\n                })\n            }\n\n            // If we have `fields` in save rules, we need to check if all the not-nullable\n            // fields are specified\n            checkSaveMandatoryFieldsInRules(type, rules)\n\n            function useOriginal(ctx: PlatformaticContext) {\n                return !ctx\n            }\n\n            app.platformatic.addEntityHooks(entityKey, {\n                async find(originalFind, { where, ctx, fields, ...restOpts } = {}) {\n                    if (useOriginal(ctx)) {\n                        return originalFind({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n                    checkFieldsFromRule(rule.find, fields || Object.keys(app.platformatic.entities[entityKey].fields))\n                    where = await fromRuleToWhere(ctx, rule.find, where, request.user)\n\n                    return originalFind({ ...restOpts, where, ctx, fields })\n                },\n                async save(originalSave, { input, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalSave({ ctx, input, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, input)\n\n                    if (rule.defaults) {\n                        for (const key of Object.keys(rule.defaults)) {\n                            const defaults = rule.defaults[key]\n                            if (typeof defaults === 'function') {\n                                input[key] = await defaults({ user: request.user, ctx, input })\n                            } else {\n                                input[key] = request.user[defaults]\n                            }\n                        }\n                    }\n\n                    const hasAllPrimaryKeys = input[type.primaryKey] !== undefined;\n                    const whereConditions = {}\n                    whereConditions[type.primaryKey] = { eq: input[type.primaryKey] }\n\n                    if (hasAllPrimaryKeys) {\n                        const where = await fromRuleToWhere(ctx, rule.save, whereConditions, request.user)\n\n                        const found = await type.find({\n                            where,\n                            ctx,\n                            fields,\n                        })\n\n                        if (found.length === 0) {\n                            throw new Unauthorized()\n                        }\n\n                        return originalSave({ input, ctx, fields, ...restOpts })\n                    }\n\n                    return originalSave({ input, ctx, fields, ...restOpts })\n                },\n\n                async insert(originalInsert, { inputs, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalInsert({ inputs, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    if (!rule.save) {\n                        throw new Unauthorized()\n                    }\n\n                    checkFieldsFromRule(rule.save, fields)\n                    checkInputFromRuleFields(rule.save, inputs)\n\n                    /* istanbul ignore else */\n                    if (rule.defaults) {\n                        for (const input of inputs) {\n                            for (const key of Object.keys(rule.defaults)) {\n                                const defaults = rule.defaults[key]\n                                if (typeof defaults === 'function') {\n                                    input[key] = await defaults({ user: request.user, ctx, input })\n                                } else {\n                                    input[key] = request.user[defaults]\n                                }\n                            }\n                        }\n                    }\n\n                    return originalInsert({ inputs, ctx, fields, ...restOpts })\n                },\n\n                async delete(originalDelete, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalDelete({ where, ctx, fields, ...restOpts })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.delete, where, request.user)\n\n                    return originalDelete({ where, ctx, fields, ...restOpts })\n                },\n\n                async updateMany(originalUpdateMany, { where, ctx, fields, ...restOpts }) {\n                    if (useOriginal(ctx)) {\n                        return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                    }\n                    const request = getRequestFromContext(ctx)\n                    const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)\n\n                    where = await fromRuleToWhere(ctx, rule.updateMany, where, request.user)\n\n                    return originalUpdateMany({ ...restOpts, where, ctx, fields })\n                },\n            })\n        }\n    })\n}, { name: '@albirex/platformatic-logto' });\n\nasync function fromRuleToWhere(ctx: PlatformaticContext, rule, where, user) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const request = getRequestFromContext(ctx)\n    /* istanbul ignore next */\n    where = where || {}\n\n    if (typeof rule === 'object') {\n        const { checks } = rule\n\n        /* istanbul ignore else */\n        if (checks) {\n            for (const key of Object.keys(checks)) {\n                const clauses = checks[key]\n                if (typeof clauses === 'string') {\n                    // case: \"userId\": \"X-PLATFORMATIC-USER-ID\"\n                    where[key] = {\n                        eq: request.user[clauses],\n                    }\n                } else {\n                    // case:\n                    // userId: {\n                    //   eq: 'X-PLATFORMATIC-USER-ID'\n                    // }\n                    for (const clauseKey of Object.keys(clauses)) {\n                        const clause = clauses[clauseKey]\n                        where[key] = {\n                            [clauseKey]: request.user[clause],\n                        }\n                    }\n                }\n            }\n        }\n    } else if (typeof rule === 'function') {\n        where = await rule({ user, ctx, where })\n    }\n    return where\n}\n\nasync function findRuleForRequestUser(ctx: PlatformaticContext, rules: PlatformaticRule[], roleKey: string, anonymousRole: string, isRolePath = false) {\n    const request = getRequestFromContext(ctx)\n    await request.setupDBAuthorizationUser()\n    const roles = getRoles(request, roleKey, anonymousRole, isRolePath)\n    const rule = findRule(rules, roles)\n    if (!rule) {\n        ctx.reply.request.log.warn({ roles, rules }, 'no rule for roles')\n        throw new Unauthorized()\n    }\n    ctx.reply.request.log.trace({ roles, rule }, 'found rule')\n    return rule\n}\n\nfunction checkFieldsFromRule(rule, fields) {\n    if (!rule) {\n        throw new Unauthorized()\n    }\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        for (const field of fields) {\n            if (!fieldsFromRule.includes(field)) {\n                throw new UnauthorizedField(field)\n            }\n        }\n    }\n}\n\nconst validateInputs = (inputs, fieldsFromRule) => {\n    for (const input of inputs) {\n        const inputFields = Object.keys(input)\n        for (const inputField of inputFields) {\n            if (!fieldsFromRule.includes(inputField)) {\n                throw new UnauthorizedField(inputField)\n            }\n        }\n    }\n}\n\nfunction checkInputFromRuleFields(rule, inputs) {\n    const { fields: fieldsFromRule } = rule\n    /* istanbul ignore else */\n    if (fieldsFromRule) {\n        if (!Array.isArray(inputs)) {\n            // save\n            validateInputs([inputs], fieldsFromRule)\n        } else {\n            // insert\n            validateInputs(inputs, fieldsFromRule)\n        }\n    }\n}\n\nfunction checkSaveMandatoryFieldsInRules(type: Entity, rules) {\n    // List of not nullable, not PKs field to validate save/insert when allowed fields are specified on the rule\n    const mandatoryFields =\n        Object.values(type.fields)\n            .filter(k => (!k.isNullable && !k.primaryKey))\n            .map(({ camelcase }) => (camelcase))\n\n    for (const rule of rules) {\n        const { entity, save } = rule\n        if (save && save.fields) {\n            const fields = save.fields\n            for (const mField of mandatoryFields) {\n                if (!fields.includes(mField)) {\n                    throw new MissingNotNullableError(mField, entity)\n                }\n            }\n        }\n    }\n}\n\nexport default platformaticLogto;\n","'use strict'\n\nimport { PlatformaticRule } from '../index.js'\n\nfunction findRule(rules: PlatformaticRule[], roles: string[]) {\n  let found = null\n  for (const rule of rules) {\n    for (const role of roles) {\n      if (rule.role === role) {\n        found = rule\n        break\n      }\n    }\n    if (found) {\n      break\n    }\n  }\n  return found\n}\n\nexport default findRule\n","'use strict'\n\nexport function getRequestFromContext (ctx) {\n  if (ctx && !ctx.reply) {\n    throw new Error('Missing reply in context. You should call this function with { ctx: { reply }}')\n  }\n  return ctx.reply.request\n}\n\nexport function getRoles (request, roleKey, anonymousRole, isRolePath = false) {\n  let output = []\n  const user = request.user\n  if (!user) {\n    output.push(anonymousRole)\n    return output\n  }\n\n  let rolesRaw\n  if (isRolePath) {\n    const roleKeys = roleKey.split('.')\n    rolesRaw = user\n    for (const key of roleKeys) {\n      rolesRaw = rolesRaw[key]\n    }\n  } else {\n    rolesRaw = user[roleKey]\n  }\n\n  if (typeof rolesRaw === 'string') {\n    output = rolesRaw.split(',')\n  } else if (Array.isArray(rolesRaw)) {\n    output = rolesRaw\n  }\n  if (output.length === 0) {\n    output.push(anonymousRole)\n  }\n\n  return output\n}\n","'use strict'\n\nimport createError from '@fastify/error'\n\nconst ERROR_PREFIX = 'PLT_DB_AUTH'\n\nexport const Unauthorized = createError(`${ERROR_PREFIX}_UNAUTHORIZED`, 'operation not allowed', 401)\nexport const UnauthorizedField = createError(`${ERROR_PREFIX}_FIELD_UNAUTHORIZED`, 'field not allowed: %s', 401)\nexport const MissingNotNullableError = createError(`${ERROR_PREFIX}_NOT_NULLABLE_MISSING`, 'missing not nullable field: \"%s\" in save rule for entity \"%s\"')\n"],"mappings":";AAAA,OAAO,QAAQ;AACf,YAAY,iBAAiB;;;ACG7B,SAAS,SAAS,OAA2B,OAAiB;AAC5D,MAAI,QAAQ;AACZ,aAAW,QAAQ,OAAO;AACxB,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,SAAS,MAAM;AACtB,gBAAQ;AACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,OAAO;AACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAO,oBAAQ;;;AClBR,SAAS,sBAAuB,KAAK;AAC1C,MAAI,OAAO,CAAC,IAAI,OAAO;AACrB,UAAM,IAAI,MAAM,gFAAgF;AAAA,EAClG;AACA,SAAO,IAAI,MAAM;AACnB;AAEO,SAAS,SAAU,SAAS,SAAS,eAAe,aAAa,OAAO;AAC7E,MAAI,SAAS,CAAC;AACd,QAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,aAAa;AACzB,WAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI,YAAY;AACd,UAAM,WAAW,QAAQ,MAAM,GAAG;AAClC,eAAW;AACX,eAAW,OAAO,UAAU;AAC1B,iBAAW,SAAS,GAAG;AAAA,IACzB;AAAA,EACF,OAAO;AACL,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,MAAI,OAAO,aAAa,UAAU;AAChC,aAAS,SAAS,MAAM,GAAG;AAAA,EAC7B,WAAW,MAAM,QAAQ,QAAQ,GAAG;AAClC,aAAS;AAAA,EACX;AACA,MAAI,OAAO,WAAW,GAAG;AACvB,WAAO,KAAK,aAAa;AAAA,EAC3B;AAEA,SAAO;AACT;;;ACpCA,OAAO,iBAAiB;AAExB,IAAM,eAAe;AAEd,IAAM,eAAe,YAAY,GAAG,YAAY,iBAAiB,yBAAyB,GAAG;AAC7F,IAAM,oBAAoB,YAAY,GAAG,YAAY,uBAAuB,yBAAyB,GAAG;AACxG,IAAM,0BAA0B,YAAY,GAAG,YAAY,yBAAyB,+DAA+D;;;AHF1J,OAAO,kBAAkB;AAIzB,SAAS,gBAAAA,qBAAoB;AAE7B,IAAM,iBAAiB;AA8BhB,IAAM,oBAAsE,GAAG,OAAO,KAAsB,SAAuC;AACtJ,MAAI,SAAS,cAAc;AAAA,IACvB,UAAU,KAAK,gBAAgB;AAAA,IAC/B,OAAO,KAAK,cAAc;AAAA,IAC1B,WAAW,KAAK,kBAAkB;AAAA,EACtC,CAAC;AAED,QAAM,IAAI,SAAS,aAA8C,KAAK,SAAS;AAE/E,QAAM,cAAc,KAAK;AACzB,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,UAAU,KAAK,YAAY,KAAK,WAAW;AACjD,QAAM,aAAa,CAAC,CAAC,KAAK;AAC1B,QAAM,gBAAgB,KAAK,iBAAiB;AAE5C,iBAAe,oBAAoB;AAC/B,UAAM,YAAY,MAAM,IAAI,MAAM,QAAQ,wBAAwB,KAAK;AAEvE,QAAI,CAAC,UAAU,IAAI;AACf,YAAM;AAAA,IACV;AAEA,UAAM,QAAQ,MAAM,UAAU,KAAK;AACnC,UAAM,QAA4B,CAAC;AAAA,MAC/B,MAAM;AAAA,MACN,UAAU,OAAO,KAAK,IAAI,aAAa,QAAQ;AAAA,MAC/C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,QAAQ,KAAK;AAAA,IACjB,CAAC;AAED,eAAW,QAAQ,OAAO;AACtB,YAAM,aAAa,MAAM,IAAI,MAAM,QAAQ,cAAc,KAAK,EAAE,WAAW,KAAK;AAEhF,UAAI,CAAC,WAAW,IAAI;AAChB,cAAM;AAAA,MACV;AAEA,YAAM,SAAS,MAAM,WAAW,KAAK;AAErC,iBAAW,SAAS,QAAQ;AACxB,cAAM,WAAW,KAAK;AAEtB,YAAI,CAAC,aAAa,MAAM,IAAI,MAAM,KAAK,MAAM,GAAG;AAEhD,YAAI,CAAC,IAAI,aAAa,SAAS,MAAM,GAAG;AACpC,cAAI,IAAI,MAAM,mBAAmB,MAAM,yBAAyB;AAChE;AAAA,QACJ;AAEA,gBAAQ,aAAa;AAAA,UACjB,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,UACJ,KAAK;AACD,0BAAc;AACd;AAAA,QACR;AAEA,cAAM,cAAc,MAAM,KAAK,OAAK,EAAE,SAAS,YAAY,EAAE,WAAW,MAAM;AAC9E,YAAI,aAAa;AACb,cAAI,KAAK,QAAQ;AACb,wBAAY,WAAW,IAAI;AAAA,cACvB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,wBAAY,WAAW,IAAI;AAAA,UAC/B;AAAA,QACJ,OAAO;AACH,gBAAM,UAA4B;AAAA,YAC9B,MAAM;AAAA,YACN;AAAA,UACJ;AAEA,cAAI,KAAK,QAAQ;AACb,oBAAQ,WAAW,IAAI;AAAA,cACnB,QAAQ;AAAA,gBACJ,QAAQ;AAAA,cACZ;AAAA,YACJ;AAAA,UACJ,OAAO;AACH,oBAAQ,WAAW,IAAI;AAAA,UAC3B;AAEA,cAAI,KAAK,UAAU;AACf,oBAAQ,WAAW;AAAA,cACf,QAAQ;AAAA,YACZ;AAAA,UACJ;AAEA,gBAAM,KAAK,OAAO;AAAA,QACtB;AAAA,MACJ;AAAA,IACJ;AAEA,UAAM,WAAW,MAAM,OAAO,CAAC,MAAM,SAAS;AAC1C,OAAC,KAAK,KAAK,MAAM,CAAC,MAAM,CAAC,GAAG,KAAK,IAAI;AACrC,aAAO;AAAA,IACX,GAAG,CAAC,CAAC;AAEL,eAAW,OAAO,UAAU;AACxB,UAAI,IAAI,KAAK,sBAAsB,GAAG,EAAE;AAExC,iBAAW,WAAW,SAAS,GAAG,GAAG;AAEjC,cAAM,EAAE,QAAQ,UAAU,MAAM,GAAG,MAAM,IAAI;AAC7C,YAAI,IAAI,KAAK,IAAK,UAAU,SAAS,KAAK,GAAG,CAAC,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MAC9E;AAAA,IACJ;AAEA,UAAM,kBAAkB,OAAO,KAAK,IAAI,aAAa,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AAEpH,QAAI,gBAAgB,QAAQ;AACxB,UAAI,IAAI,KAAK,+BAA+B,gBAAgB,KAAK,IAAI,CAAC,EAAE;AAAA,IAC5E;AAEA,QAAI,IAAI,MAAM,wBAAwB;AACtC,QAAI,IAAI,MAAM,KAAK;AACnB,WAAO;AAAA,EACX;AAEA,MAAI,gBAAgB,4BAA4B,SAAS;AAEzD,iBAAe,YAAY;AAEvB,UAAM,KAAK,YAAY;AAGvB,QAAI,iBAAiB;AACrB,QAAI,eAAe,KAAK,QAAQ,6BAA6B,MAAM,aAAa;AAC5E,UAAI,KAAK,UAAU,KAAK;AACpB,yBAAiB;AAAA,MACrB,OAAO;AACH,aAAK,IAAI,KAAK,uBAAuB;AACrC,aAAK,OAAO,IAAI,MAAM,KAAK,SAAS;AAAA,UAChC,KAAK,CAAC,QAAQ,QAAQ;AAClB,gBAAI;AACJ,gBAAI,CAAC,OAAO,IAAI,SAAS,CAAC,GAAG;AACzB,oBAAM,SAAS,IAAI,SAAS,EAAE,YAAY;AAC1C,sBAAQ,OAAO,MAAM;AAAA,YACzB,OAAO;AACH,sBAAQ,OAAO,IAAI,SAAS,CAAC;AAAA,YACjC;AAEA,gBAAI,CAAC,SAAS,IAAI,SAAS,EAAE,YAAY,MAAM,QAAQ,YAAY,GAAG;AAClE,sBAAQ;AAAA,YACZ;AACA,mBAAO;AAAA,UACX;AAAA,QACJ,CAAC;AAAA,MACL;AAAA,IACJ;AAEA,QAAI,gBAAgB;AAEhB,WAAK,OAAO;AAAA;AAAA,QAER,CAAC,OAAO,GAAG,KAAK,QAAQ,qBAAqB,KAAK;AAAA,MACtD;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,QAAQ,WAAW,iBAAkB;AACrC,UAAM,QAAQ,MAAM,kBAAkB;AAGtC,UAAM,cAAc,CAAC;AACrB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACnC,YAAM,OAAO,MAAM,CAAC;AAEpB,UAAI,eAAe;AACnB,UAAI,KAAK,QAAQ;AACb,uBAAe,CAAC,KAAK,MAAM;AAAA,MAC/B,WAAW,KAAK,UAAU;AACtB,uBAAe,CAAC,GAAG,KAAK,QAAQ;AAAA,MACpC,OAAO;AACH,cAAM,IAAI,MAAM,wCAAwC,CAAC,EAAE;AAAA,MAC/D;AAEA,iBAAW,cAAc,cAAc;AACnC,cAAM,UAAU,EAAE,GAAG,MAAM,QAAQ,YAAY,UAAU,OAAU;AACnE,YAAI,CAAC,IAAI,aAAa,SAAS,QAAQ,MAAM,GAAG;AAC5C,gBAAM,IAAI,MAAM,mBAAmB,UAAU,2BAA2B,CAAC,EAAE;AAAA,QAC/E;AAEA,YAAI,CAAC,YAAY,UAAU,GAAG;AAC1B,sBAAY,UAAU,IAAI,CAAC;AAAA,QAC/B;AACA,oBAAY,UAAU,EAAE,KAAK,OAAO;AAAA,MACxC;AAAA,IACJ;AAEA,eAAW,aAAa,OAAO,KAAK,IAAI,aAAa,QAAQ,GAAG;AAiD5D,UAAS,cAAT,SAAqB,KAA0B;AAC3C,eAAO,CAAC;AAAA,MACZ;AAlDA,YAAMC,SAAQ,YAAY,SAAS,KAAK,CAAC;AACzC,YAAM,OAAO,IAAI,aAAa,SAAS,SAAS;AAGhD,UAAI;AACJ,YAAM,sBAAsB;AAwB5B,UAAI,4BAA4B,qBAAqB;AACjD,cAAM,IAAI,MAAM,4BAA4B,SAAS,wCAAwC;AAAA,MACjG;AAGA,UAAI,aAAa;AACb,QAAAA,OAAM,KAAK;AAAA,UACP,MAAM;AAAA,UACN,MAAM;AAAA,UACN,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,YAAY;AAAA,QAChB,CAAC;AAAA,MACL;AAIA,sCAAgC,MAAMA,MAAK;AAM3C,UAAI,aAAa,eAAe,WAAW;AAAA,QACvC,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,IAAI,CAAC,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AACxF,8BAAoB,KAAK,MAAM,UAAU,OAAO,KAAK,IAAI,aAAa,SAAS,SAAS,EAAE,MAAM,CAAC;AACjG,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,OAAO,QAAQ,IAAI;AAEjE,iBAAO,aAAa,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QAC3D;AAAA,QACA,MAAM,KAAK,cAAc,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC1D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,aAAa,EAAE,KAAK,OAAO,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AACA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,KAAK;AAEzC,cAAI,KAAK,UAAU;AACf,uBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,oBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,kBAAI,OAAO,aAAa,YAAY;AAChC,sBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,cAClE,OAAO;AACH,sBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,cACtC;AAAA,YACJ;AAAA,UACJ;AAEA,gBAAM,oBAAoB,MAAM,KAAK,UAAU,MAAM;AACrD,gBAAM,kBAAkB,CAAC;AACzB,0BAAgB,KAAK,UAAU,IAAI,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE;AAEhE,cAAI,mBAAmB;AACnB,kBAAM,QAAQ,MAAM,gBAAgB,KAAK,KAAK,MAAM,iBAAiB,QAAQ,IAAI;AAEjF,kBAAM,QAAQ,MAAM,KAAK,KAAK;AAAA,cAC1B;AAAA,cACA;AAAA,cACA;AAAA,YACJ,CAAC;AAED,gBAAI,MAAM,WAAW,GAAG;AACpB,oBAAM,IAAI,aAAa;AAAA,YAC3B;AAEA,mBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC3D;AAEA,iBAAO,aAAa,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC3D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC/D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC9D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,cAAI,CAAC,KAAK,MAAM;AACZ,kBAAM,IAAI,aAAa;AAAA,UAC3B;AAEA,8BAAoB,KAAK,MAAM,MAAM;AACrC,mCAAyB,KAAK,MAAM,MAAM;AAG1C,cAAI,KAAK,UAAU;AACf,uBAAW,SAAS,QAAQ;AACxB,yBAAW,OAAO,OAAO,KAAK,KAAK,QAAQ,GAAG;AAC1C,sBAAM,WAAW,KAAK,SAAS,GAAG;AAClC,oBAAI,OAAO,aAAa,YAAY;AAChC,wBAAM,GAAG,IAAI,MAAM,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,MAAM,CAAC;AAAA,gBAClE,OAAO;AACH,wBAAM,GAAG,IAAI,QAAQ,KAAK,QAAQ;AAAA,gBACtC;AAAA,cACJ;AAAA,YACJ;AAAA,UACJ;AAEA,iBAAO,eAAe,EAAE,QAAQ,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC9D;AAAA,QAEA,MAAM,OAAO,gBAAgB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AAC9D,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,UAC7D;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,QAAQ,OAAO,QAAQ,IAAI;AAEnE,iBAAO,eAAe,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,QAC7D;AAAA,QAEA,MAAM,WAAW,oBAAoB,EAAE,OAAO,KAAK,QAAQ,GAAG,SAAS,GAAG;AACtE,cAAI,YAAY,GAAG,GAAG;AAClB,mBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,UACjE;AACA,gBAAM,UAAU,sBAAsB,GAAG;AACzC,gBAAM,OAAO,MAAM,uBAAuB,KAAKA,QAAO,SAAS,eAAe,UAAU;AAExF,kBAAQ,MAAM,gBAAgB,KAAK,KAAK,YAAY,OAAO,QAAQ,IAAI;AAEvE,iBAAO,mBAAmB,EAAE,GAAG,UAAU,OAAO,KAAK,OAAO,CAAC;AAAA,QACjE;AAAA,MACJ,CAAC;AAAA,IACL;AAAA,EACJ,CAAC;AACL,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAE1C,eAAe,gBAAgB,KAA0B,MAAM,OAAO,MAAM;AACxE,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,UAAU,sBAAsB,GAAG;AAEzC,UAAQ,SAAS,CAAC;AAElB,MAAI,OAAO,SAAS,UAAU;AAC1B,UAAM,EAAE,OAAO,IAAI;AAGnB,QAAI,QAAQ;AACR,iBAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACnC,cAAM,UAAU,OAAO,GAAG;AAC1B,YAAI,OAAO,YAAY,UAAU;AAE7B,gBAAM,GAAG,IAAI;AAAA,YACT,IAAI,QAAQ,KAAK,OAAO;AAAA,UAC5B;AAAA,QACJ,OAAO;AAKH,qBAAW,aAAa,OAAO,KAAK,OAAO,GAAG;AAC1C,kBAAM,SAAS,QAAQ,SAAS;AAChC,kBAAM,GAAG,IAAI;AAAA,cACT,CAAC,SAAS,GAAG,QAAQ,KAAK,MAAM;AAAA,YACpC;AAAA,UACJ;AAAA,QACJ;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ,WAAW,OAAO,SAAS,YAAY;AACnC,YAAQ,MAAM,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;AAAA,EAC3C;AACA,SAAO;AACX;AAEA,eAAe,uBAAuB,KAA0B,OAA2B,SAAiB,eAAuB,aAAa,OAAO;AACnJ,QAAM,UAAU,sBAAsB,GAAG;AACzC,QAAM,QAAQ,yBAAyB;AACvC,QAAM,QAAQ,SAAS,SAAS,SAAS,eAAe,UAAU;AAClE,QAAM,OAAO,kBAAS,OAAO,KAAK;AAClC,MAAI,CAAC,MAAM;AACP,QAAI,MAAM,QAAQ,IAAI,KAAK,EAAE,OAAO,MAAM,GAAG,mBAAmB;AAChE,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,MAAI,MAAM,QAAQ,IAAI,MAAM,EAAE,OAAO,KAAK,GAAG,YAAY;AACzD,SAAO;AACX;AAEA,SAAS,oBAAoB,MAAM,QAAQ;AACvC,MAAI,CAAC,MAAM;AACP,UAAM,IAAI,aAAa;AAAA,EAC3B;AACA,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,eAAW,SAAS,QAAQ;AACxB,UAAI,CAAC,eAAe,SAAS,KAAK,GAAG;AACjC,cAAM,IAAI,kBAAkB,KAAK;AAAA,MACrC;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAM,iBAAiB,CAAC,QAAQ,mBAAmB;AAC/C,aAAW,SAAS,QAAQ;AACxB,UAAM,cAAc,OAAO,KAAK,KAAK;AACrC,eAAW,cAAc,aAAa;AAClC,UAAI,CAAC,eAAe,SAAS,UAAU,GAAG;AACtC,cAAM,IAAI,kBAAkB,UAAU;AAAA,MAC1C;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,SAAS,yBAAyB,MAAM,QAAQ;AAC5C,QAAM,EAAE,QAAQ,eAAe,IAAI;AAEnC,MAAI,gBAAgB;AAChB,QAAI,CAAC,MAAM,QAAQ,MAAM,GAAG;AAExB,qBAAe,CAAC,MAAM,GAAG,cAAc;AAAA,IAC3C,OAAO;AAEH,qBAAe,QAAQ,cAAc;AAAA,IACzC;AAAA,EACJ;AACJ;AAEA,SAAS,gCAAgC,MAAc,OAAO;AAE1D,QAAM,kBACF,OAAO,OAAO,KAAK,MAAM,EACpB,OAAO,OAAM,CAAC,EAAE,cAAc,CAAC,EAAE,UAAW,EAC5C,IAAI,CAAC,EAAE,UAAU,MAAO,SAAU;AAE3C,aAAW,QAAQ,OAAO;AACtB,UAAM,EAAE,QAAQ,KAAK,IAAI;AACzB,QAAI,QAAQ,KAAK,QAAQ;AACrB,YAAM,SAAS,KAAK;AACpB,iBAAW,UAAU,iBAAiB;AAClC,YAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC1B,gBAAM,IAAI,wBAAwB,QAAQ,MAAM;AAAA,QACpD;AAAA,MACJ;AAAA,IACJ;AAAA,EACJ;AACJ;AAEA,IAAO,gBAAQ;","names":["fastifyLogto","rules"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@albirex/platformatic-logto",
-  "version": "1.4.2",
+  "version": "3.0.0",
   "description": "LogTo roles and scopes integrated in Platformatic authorization",
   "type": "module",
   "main": "./lib/index.cjs",
@@ -21,13 +21,13 @@
     "url": "https://github.com/albiper/platformatic-logto"
   },
   "peerDependencies": {
-    "@platformatic/db": "^2.0.0",
+    "@platformatic/db": "^3.0.0",
     "fastify": "^5.5",
-    "platformatic": "^2.0.0"
+    "platformatic": "^3.0.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.12.0",
-    "@platformatic/db-core": "^2.75.0",
+    "@platformatic/db-core": "^3.20.0",
     "@types/node": "^22.10.1",
     "dotenv": "^16.5.0",
     "eslint": "^9.12.0",
@@ -41,8 +41,8 @@
     "@fastify/error": "^4.1.0",
     "@logto/js": "^5.1.1",
     "@logto/node": "^3.1.4",
-    "@platformatic/db-authorization": "^2.66.0",
-    "@platformatic/sql-mapper": "^2.66.0",
+    "@platformatic/db-authorization": "^3.20.0",
+    "@platformatic/sql-mapper": "^3.20.0",
     "@sinclair/typebox": "^0.34.14",
     "fastify-plugin": "^5.0.1",
     "fastify-user": "^1.4.0",