@api-client/core 0.20.1 → 0.20.3

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@api-client/core",
   "description": "The API Client's core client library. Works in NodeJS and in a ES enabled browser.",
-  "version": "0.20.1",
+  "version": "0.20.3",
   "license": "UNLICENSED",
   "exports": {
     "./browser.js": {
@@ -154,7 +154,8 @@
     "build:node": "tsc --project tsconfig.node.json",
     "build": "npm run build:ts && npm run copy:assets",
     "prepare": "husky && npm run build:ts",
-    "tsc": "tsc",
+    "tsc": "tsc --project tsconfig.json",
+    "typecheck": "tsc --noEmit --project tsconfig.json",
     "tsc:tests": "tsc --project tsconfig.browser.json",
     "tsc:watch": "tsc --watch --project tsconfig.json",
     "test:browser": "wtr --playwright --browsers chromium",

package/src/modeling/RuntimeApiModel.ts

@@ -39,19 +39,20 @@ export interface RuntimeApiModelSchema extends ApiModelSchema {
 }
 
 export interface RuntimeResolvedAction {
-  entity: ExposedEntity
+  exposure: ExposedEntity
+  entity: DomainEntity
   action: Action
   params: Record<string, string>
 }
 
 export type RuleEvaluator = (rule: AccessRule) => Promise<boolean | undefined> | boolean | undefined
 
-interface PhaseRules {
+export interface PhaseRules {
   permissionRules: AccessRule[]
   mandatoryRules: AccessRule[]
 }
 
-interface ActionRulesCache {
+export interface ActionRulesCache {
   preFetch: PhaseRules
   fetch: PhaseRules
   postFetch: PhaseRules
@@ -281,17 +282,23 @@ export class RuntimeApiModel extends ApiModel {
 
     const params = exec(path, matchedRoute)
 
-    const entity = this.exposes.get(def.lookup.exposedEntityKey)
-    if (!entity) {
-      return undefined
+    const exposure = this.exposes.get(def.lookup.exposedEntityKey)
+    if (!exposure) {
+      throw new Exception('Missing exposure ' + def.lookup.exposedEntityKey, { code: 'API_MODEL_ERROR', status: 500 })
     }
 
-    const action = entity.actions.find((a) => a.kind === def.lookup.actionKind)
+    const action = exposure.actions.find((a) => a.kind === def.lookup.actionKind)
     if (!action) {
-      return undefined
+      throw new Exception('Missing action ' + def.lookup.actionKind, { code: 'API_MODEL_ERROR', status: 500 })
+    }
+
+    const entity = this.domain?.findEntity(exposure.entity.key, exposure.entity.domain)
+    if (!entity) {
+      throw new Exception('Missing entity ' + exposure.entity.key, { code: 'API_MODEL_ERROR', status: 500 })
     }
 
     return {
+      exposure,
       entity,
       action,
       params,
@@ -299,64 +306,15 @@ export class RuntimeApiModel extends ApiModel {
   }
 
   /**
-   * Evaluates access rules for a given action and phase.
-   *
-   * The evaluation process follows two phases per execution phase (PRE_FETCH, FETCH, POST_FETCH):
-   * 1. Mandatory Phase: All rules marked as `mandatory: true` across all levels must return true.
-   *    If any fail, the request is immediately rejected.
-   * 2. Permission Phase: Evaluation follows the hierarchy from most specific to most general:
-   *    Action -> Endpoint (ExposedEntity) -> API Model.
-   *    If an explicit allow (true) or deny (false) is hit, evaluation stops and returns the result.
-   *    If no rules match (all return undefined), the request is rejected by default.
-   *
-   * @param action The resolved action to evaluate.
-   * @param evaluator A callback that evaluates a single rule. Should return true (allow),
-   *                  false (deny), or undefined (no hit).
-   * @param phase The execution phase to evaluate.
-   * @returns A promise that resolves to true if access is granted, false if denied.
+   * Retrieves the precomputed and shadowed effective rules for a given action.
    */
-  async evaluateAccess(
-    action: RuntimeResolvedAction,
-    evaluator: RuleEvaluator,
-    phase: AccessRuleExecutionPhase
-  ): Promise<boolean> {
+  getEffectiveRules(action: RuntimeResolvedAction): ActionRulesCache {
     let cachedRules = this.#actionRulesCache.get(action.action)
     if (!cachedRules) {
-      // Fallback if somehow action is not cached (e.g. dynamically added after initialization or in tests)
-      cachedRules = this.#computeEffectiveRules(action.action, action.entity)
+      cachedRules = this.#computeEffectiveRules(action.action, action.exposure)
       this.#actionRulesCache.set(action.action, cachedRules)
     }
-
-    let rulesForPhase
-    if (phase === AccessRuleExecutionPhase.POST_FETCH) {
-      rulesForPhase = cachedRules.postFetch
-    } else if (phase === AccessRuleExecutionPhase.FETCH) {
-      rulesForPhase = cachedRules.fetch
-    } else {
-      rulesForPhase = cachedRules.preFetch
-    }
-
-    // Step 1: Mandatory Phase
-    for (const rule of rulesForPhase.mandatoryRules) {
-      const result = await evaluator(rule)
-      if (result !== true) {
-        return false // Immediately reject if any mandatory rule fails
-      }
-    }
-
-    // Step 2-4: Permission Phase
-    for (const rule of rulesForPhase.permissionRules) {
-      const result = await evaluator(rule)
-      if (result === true) {
-        return true
-      }
-      if (result === false) {
-        return false
-      }
-    }
-
-    // Default: no hit
-    return false
+    return cachedRules
   }
 
   override toJSON(): RuntimeApiModelSchema {