@arch-cadre/core 0.0.41 → 0.0.42

package/dist/core/auth/logic.js

@@ -1,264 +0,0 @@
-"use strict";
-"use server";
-var _a, _b, _c, _d;
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.augmentSession = exports.augmentUser = exports.registerPasswordResetSessionAugmenter = exports.registerSessionAugmenter = exports.registerIdentityAugmenter = void 0;
-exports.registerAuthValidator = registerAuthValidator;
-exports.registerPasswordResetValidator = registerPasswordResetValidator;
-exports.registerEmailVerificationValidator = registerEmailVerificationValidator;
-exports.registerSecurityRequirement = registerSecurityRequirement;
-exports.runPasswordResetValidators = runPasswordResetValidators;
-exports.runEmailVerificationValidators = runEmailVerificationValidators;
-exports.performFullUserAugmentation = performFullUserAugmentation;
-exports.checkSecurity = checkSecurity;
-exports.signIn = signIn;
-exports.signUp = signUp;
-exports.finalizeLogin = finalizeLogin;
-exports.signOut = signOut;
-const drizzle_orm_1 = require("drizzle-orm");
-const password_1 = require("../../server/auth/password");
-const user_1 = require("../../server/auth/user");
-const inject_1 = require("../../server/database/inject");
-const schema_1 = require("../../server/database/schema");
-const event_bus_1 = require("../event-bus");
-const augment_1 = require("./augment");
-Object.defineProperty(exports, "augmentSession", { enumerable: true, get: function () { return augment_1.augmentSession; } });
-Object.defineProperty(exports, "augmentUser", { enumerable: true, get: function () { return augment_1.augmentUser; } });
-Object.defineProperty(exports, "registerIdentityAugmenter", { enumerable: true, get: function () { return augment_1.registerIdentityAugmenter; } });
-Object.defineProperty(exports, "registerPasswordResetSessionAugmenter", { enumerable: true, get: function () { return augment_1.registerPasswordResetSessionAugmenter; } });
-Object.defineProperty(exports, "registerSessionAugmenter", { enumerable: true, get: function () { return augment_1.registerSessionAugmenter; } });
-const email_verification_1 = require("./email-verification");
-const session_1 = require("./session");
-const validation_1 = require("./validation");
-/**
- * Podstawowy moduł rozszerzający tożsamość dla ról i uprawnień
- */
-async function coreRbacAugmenter(user) {
-    try {
-        // 1. Fetch direct roles
-        const userRoles = await inject_1.db
-            .select({ name: schema_1.rolesTable.name })
-            .from(schema_1.usersToRolesTable)
-            .innerJoin(schema_1.rolesTable, (0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.roleId, schema_1.rolesTable.id))
-            .where((0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.userId, user.id));
-        const roles = userRoles.map((r) => r.name);
-        // 2. Fetch direct permissions
-        const userDirectPerms = await inject_1.db
-            .select({ name: schema_1.permissionsTable.name })
-            .from(schema_1.usersToPermissionsTable)
-            .innerJoin(schema_1.permissionsTable, (0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.permissionId, schema_1.permissionsTable.id))
-            .where((0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.userId, user.id));
-        const directPerms = userDirectPerms.map((p) => p.name);
-        // 3. Fetch permissions from roles
-        let rolePerms = [];
-        if (roles.length > 0) {
-            const roleIdsResult = await inject_1.db
-                .select({ id: schema_1.rolesTable.id })
-                .from(schema_1.rolesTable)
-                .where((0, drizzle_orm_1.inArray)(schema_1.rolesTable.name, roles));
-            const roleIds = roleIdsResult.map((r) => r.id);
-            if (roleIds.length > 0) {
-                const rolePermsData = await inject_1.db
-                    .select({ name: schema_1.permissionsTable.name })
-                    .from(schema_1.rolesToPermissionsTable)
-                    .innerJoin(schema_1.permissionsTable, (0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.permissionId, schema_1.permissionsTable.id))
-                    .where((0, drizzle_orm_1.inArray)(schema_1.rolesToPermissionsTable.roleId, roleIds));
-                rolePerms = rolePermsData.map((p) => p.name);
-            }
-        }
-        return {
-            roles,
-            permissions: Array.from(new Set([...directPerms, ...rolePerms])),
-        };
-    }
-    catch (error) {
-        console.error("[Auth:RBAC] Failed to augment user:", error);
-        return { roles: [], permissions: [] };
-    }
-}
-const globalForAuth = globalThis;
-const authValidators = (_a = globalForAuth.__KRYO_AUTH_VALIDATORS__) !== null && _a !== void 0 ? _a : new Set();
-const securityRequirements = (_b = globalForAuth.__KRYO_SECURITY_REQUIREMENTS__) !== null && _b !== void 0 ? _b : new Set();
-const passwordResetValidators = (_c = globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__) !== null && _c !== void 0 ? _c : new Set();
-const emailVerificationValidators = (_d = globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__) !== null && _d !== void 0 ? _d : new Set();
-globalForAuth.__KRYO_AUTH_VALIDATORS__ = authValidators;
-globalForAuth.__KRYO_SECURITY_REQUIREMENTS__ = securityRequirements;
-globalForAuth.__KRYO_PASSWORD_RESET_VALIDATORS__ = passwordResetValidators;
-globalForAuth.__KRYO_EMAIL_VERIFICATION_VALIDATORS__ =
-    emailVerificationValidators;
-async function registerAuthValidator(validator) {
-    authValidators.add(validator);
-}
-async function registerPasswordResetValidator(validator) {
-    passwordResetValidators.add(validator);
-}
-async function registerEmailVerificationValidator(validator) {
-    emailVerificationValidators.add(validator);
-}
-async function registerSecurityRequirement(requirement) {
-    securityRequirements.add(requirement);
-}
-async function runPasswordResetValidators(userId) {
-    for (const validator of passwordResetValidators) {
-        const interception = await validator(userId);
-        if (interception)
-            return interception;
-    }
-    return null;
-}
-async function runEmailVerificationValidators(userId) {
-    for (const validator of emailVerificationValidators) {
-        const interception = await validator(userId);
-        if (interception)
-            return interception;
-    }
-    return null;
-}
-/**
- * Augments a base user with data from all registered modules.
- * This is now just a wrapper that includes core RBAC data.
- */
-async function performFullUserAugmentation(user) {
-    const coreRbacData = await coreRbacAugmenter(user);
-    return await (0, augment_1.augmentUser)(user, coreRbacData);
-}
-/**
- * Checks if the current session satisfies all registered security requirements.
- */
-async function checkSecurity(session, user, requiredRoles, requiredPermissions, fallbackRedirect) {
-    var _a;
-    if (!user) {
-        console.warn("User is required for security check");
-        return { satisfied: false, redirect: fallbackRedirect !== null && fallbackRedirect !== void 0 ? fallbackRedirect : "/signin" };
-    }
-    const userRoles = Array.isArray(user.roles) ? user.roles : [];
-    const userPermissions = Array.isArray(user.permissions)
-        ? user.permissions
-        : [];
-    // 1. Core Role Check (At least one role must match)
-    if (requiredRoles && requiredRoles.length > 0) {
-        const hasRole = requiredRoles.some((role) => userRoles.includes(role));
-        if (!hasRole) {
-            console.warn(`User lacks required roles: ${requiredRoles.join(", ")}`);
-            return {
-                satisfied: false,
-                redirect: fallbackRedirect,
-            };
-        }
-    }
-    // 2. Core Permission Check (ALL permissions must match)
-    if (requiredPermissions && requiredPermissions.length > 0) {
-        const hasAllPermissions = requiredPermissions.every((perm) => userPermissions.includes(perm));
-        if (!hasAllPermissions) {
-            console.warn(`User lacks required permissions: ${requiredPermissions.join(", ")}`);
-            return {
-                satisfied: false,
-                redirect: fallbackRedirect,
-            };
-        }
-    }
-    // 3. Modular Requirements Check
-    if (securityRequirements) {
-        for (const requirement of securityRequirements) {
-            try {
-                const result = await requirement(session, user);
-                if (result && !result.satisfied) {
-                    return {
-                        ...result,
-                        redirect: (_a = result.redirect) !== null && _a !== void 0 ? _a : fallbackRedirect,
-                    };
-                }
-            }
-            catch (error) {
-                console.error("[Auth:Security] Requirement failed:", error);
-            }
-        }
-    }
-    return { satisfied: true };
-}
-/**
- * Sign In Logic
- */
-async function signIn(data) {
-    const { email, password } = await validation_1.loginSchema.parseAsync(data);
-    const user = await (0, user_1.getUserFromEmail)(email);
-    if (!user) {
-        return { status: "ERROR", message: "Invalid email or password" };
-    }
-    const passwordHash = await (0, user_1.getUserPasswordHash)(user.id);
-    if (!passwordHash || !(await (0, password_1.verifyPasswordHash)(passwordHash, password))) {
-        return { status: "ERROR", message: "Invalid email or password" };
-    }
-    // Interception Layer
-    for (const validator of authValidators) {
-        const interception = await validator(user.id);
-        if (interception)
-            return interception;
-    }
-    const sessionFlags = {};
-    const sessionToken = await (0, session_1.generateSessionToken)();
-    const session = await (0, session_1.createSession)(sessionToken, user.id, sessionFlags);
-    await (0, session_1.setSessionTokenCookie)(sessionToken, session.expiresAt);
-    const fullUser = await performFullUserAugmentation(user);
-    await event_bus_1.eventBus.publish("auth:session-created", { session, user: fullUser });
-    return {
-        status: "SUCCESS",
-        session: { ...session },
-        user: { ...fullUser },
-    };
-}
-/**
- * Sign Up Logic
- */
-async function signUp(data) {
-    const { email, username, password } = validation_1.registerSchema.parse(data);
-    if (!(await (0, user_1.verifyUsernameInput)(username))) {
-        throw new Error("Invalid username");
-    }
-    if (!(await (0, password_1.verifyPasswordStrength)(password))) {
-        throw new Error("Weak password");
-    }
-    const user = await (0, user_1.createUser)(email, username, password);
-    const verificationRequest = await (0, email_verification_1.createEmailVerificationRequest)(user.id, user.email);
-    await (0, email_verification_1.sendVerificationEmail)(verificationRequest.email, verificationRequest.code);
-    await (0, email_verification_1.setEmailVerificationRequestCookie)(verificationRequest);
-    const sessionFlags = {};
-    const sessionToken = await (0, session_1.generateSessionToken)();
-    const session = await (0, session_1.createSession)(sessionToken, user.id, sessionFlags);
-    await (0, session_1.setSessionTokenCookie)(sessionToken, session.expiresAt);
-    const fullUser = await performFullUserAugmentation(user);
-    await event_bus_1.eventBus.publish("auth:session-created", { session, user: fullUser });
-    return {
-        session: { ...session },
-        user: { ...fullUser },
-    };
-}
-/**
- * Finalizes login after a challenge
- */
-async function finalizeLogin(userId, flags) {
-    const sessionToken = await (0, session_1.generateSessionToken)();
-    const session = await (0, session_1.createSession)(sessionToken, userId, flags);
-    await (0, session_1.setSessionTokenCookie)(sessionToken, session.expiresAt);
-    const user = await (0, user_1.getUserById)(userId);
-    if (user) {
-        await event_bus_1.eventBus.publish("auth:session-created", { session, user });
-    }
-    return {
-        session: session ? { ...session } : null,
-        user: user ? { ...user } : null,
-    };
-}
-/**
- * Sign Out
- */
-async function signOut() {
-    const { session, user } = await (0, session_1.getCurrentSession)();
-    if (session) {
-        if (user) {
-            await event_bus_1.eventBus.publish("auth:signed-out", { userId: user.id });
-        }
-        await (0, session_1.invalidateSession)(session.id);
-        await (0, session_1.deleteSessionTokenCookie)();
-    }
-}

package/dist/core/auth/password-reset.d.ts

@@ -1,35 +0,0 @@
-import type { PasswordResetAuthSession, PasswordResetSession } from "./types";
-/**
- * Creates a new password reset session.
- */
-export declare function createPasswordResetSession(token: string, userId: string, email: string): Promise<PasswordResetSession>;
-/**
- * Validates the password reset session token and retrieves user data.
- * The user data is augmented by registered modules (e.g. 2FA).
- */
-export declare function validatePasswordResetSessionToken(token: string): Promise<PasswordResetAuthSession>;
-/**
- * Marks the password reset session as email verified.
- */
-export declare function setPasswordResetSessionAsEmailVerified(sessionId: string): Promise<void>;
-/**
- * Invalidates all password reset sessions for a user.
- */
-export declare function invalidateUserPasswordResetSessions(userId: string): Promise<void>;
-/**
- * Validates the current password reset session from cookies.
- */
-export declare function getCurrentPasswordResetSession(): Promise<PasswordResetAuthSession>;
-/**
- * Sets the password reset session token cookie.
- */
-export declare function setPasswordResetSessionTokenCookie(token: string, expiresAt: Date): Promise<void>;
-/**
- * Deletes the password reset session token cookie.
- */
-export declare function deletePasswordResetSessionTokenCookie(): Promise<void>;
-/**
- * Sends a password reset email with the OTP code.
- */
-export declare function sendPasswordResetEmail(email: string, code: string): Promise<void>;
-//# sourceMappingURL=password-reset.d.ts.map

package/dist/core/auth/password-reset.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"password-reset.d.ts","sourceRoot":"","sources":["../../../src/core/auth/password-reset.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAG9E;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,oBAAoB,CAAC,CAe/B;AAED;;;GAGG;AACH,wBAAsB,iCAAiC,CACrD,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,wBAAwB,CAAC,CAoCnC;AAED;;GAEG;AACH,wBAAsB,sCAAsC,CAC1D,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;GAEG;AACH,wBAAsB,mCAAmC,CACvD,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAIf;AAED;;GAEG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,wBAAwB,CAAC,CAexF;AAED;;GAEG;AACH,wBAAsB,kCAAkC,CACtD,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,IAAI,GACd,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;GAEG;AACH,wBAAsB,qCAAqC,IAAI,OAAO,CAAC,IAAI,CAAC,CAG3E;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/core/auth/password-reset.js

@@ -1,132 +0,0 @@
-"use strict";
-"use server";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createPasswordResetSession = createPasswordResetSession;
-exports.validatePasswordResetSessionToken = validatePasswordResetSessionToken;
-exports.setPasswordResetSessionAsEmailVerified = setPasswordResetSessionAsEmailVerified;
-exports.invalidateUserPasswordResetSessions = invalidateUserPasswordResetSessions;
-exports.getCurrentPasswordResetSession = getCurrentPasswordResetSession;
-exports.setPasswordResetSessionTokenCookie = setPasswordResetSessionTokenCookie;
-exports.deletePasswordResetSessionTokenCookie = deletePasswordResetSessionTokenCookie;
-exports.sendPasswordResetEmail = sendPasswordResetEmail;
-const sha2_1 = require("@oslojs/crypto/sha2");
-const encoding_1 = require("@oslojs/encoding");
-const date_fns_1 = require("date-fns");
-const drizzle_orm_1 = require("drizzle-orm");
-const headers_1 = require("next/headers");
-const inject_1 = require("../../server/database/inject");
-const schema_1 = require("../../server/database/schema");
-const index_1 = require("../../server/emails/index");
-const augment_1 = require("./augment");
-const logic_1 = require("./logic");
-const encode_1 = require("./utils/encode");
-/**
- * Creates a new password reset session.
- */
-async function createPasswordResetSession(token, userId, email) {
-    const sessionId = (0, encoding_1.encodeHexLowerCase)((0, sha2_1.sha256)(new TextEncoder().encode(token)));
-    const [session] = await inject_1.db
-        .insert(schema_1.passwordResetSessionTable)
-        .values({
-        id: sessionId,
-        email: email,
-        code: (0, encode_1.generateRandomOTP)(),
-        expiresAt: new Date((0, date_fns_1.addHours)(new Date(), 1)),
-        userId: userId,
-    })
-        .returning();
-    return session;
-}
-/**
- * Validates the password reset session token and retrieves user data.
- * The user data is augmented by registered modules (e.g. 2FA).
- */
-async function validatePasswordResetSessionToken(token) {
-    const sessionId = (0, encoding_1.encodeHexLowerCase)((0, sha2_1.sha256)(new TextEncoder().encode(token)));
-    const [row] = await inject_1.db
-        .select({
-        session: schema_1.passwordResetSessionTable,
-        user: schema_1.userTable,
-    })
-        .from(schema_1.passwordResetSessionTable)
-        .innerJoin(schema_1.userTable, (0, drizzle_orm_1.eq)(schema_1.passwordResetSessionTable.userId, schema_1.userTable.id))
-        .where((0, drizzle_orm_1.eq)(schema_1.passwordResetSessionTable.id, sessionId));
-    if (!row || !row.user) {
-        return { session: null, user: null };
-    }
-    const { session: baseSession, user: baseUser } = row;
-    // Check for expiration
-    if (new Date() > baseSession.expiresAt) {
-        await inject_1.db
-            .delete(schema_1.passwordResetSessionTable)
-            .where((0, drizzle_orm_1.eq)(schema_1.passwordResetSessionTable.id, baseSession.id));
-        return { session: null, user: null };
-    }
-    // STRICTLY remove non-serializable and sensitive fields
-    const { password, recovery_code, ...safeUser } = baseUser;
-    // AUGMENT (EXTENSIBILITY POINTS)
-    const user = await (0, logic_1.performFullUserAugmentation)(safeUser);
-    const session = await (0, augment_1.augmentPasswordResetSession)(baseSession);
-    return { session, user };
-}
-/**
- * Marks the password reset session as email verified.
- */
-async function setPasswordResetSessionAsEmailVerified(sessionId) {
-    await inject_1.db
-        .update(schema_1.passwordResetSessionTable)
-        .set({
-        emailVerified: true,
-    })
-        .where((0, drizzle_orm_1.eq)(schema_1.passwordResetSessionTable.id, sessionId));
-}
-/**
- * Invalidates all password reset sessions for a user.
- */
-async function invalidateUserPasswordResetSessions(userId) {
-    await inject_1.db
-        .delete(schema_1.passwordResetSessionTable)
-        .where((0, drizzle_orm_1.eq)(schema_1.passwordResetSessionTable.userId, userId));
-}
-/**
- * Validates the current password reset session from cookies.
- */
-async function getCurrentPasswordResetSession() {
-    var _a, _b;
-    const cookieStore = await (0, headers_1.cookies)();
-    const token = (_b = (_a = cookieStore.get("password_reset_session")) === null || _a === void 0 ? void 0 : _a.value) !== null && _b !== void 0 ? _b : null;
-    if (token === null) {
-        return { session: null, user: null };
-    }
-    const result = await validatePasswordResetSessionToken(token);
-    if (result.session === null) {
-        await deletePasswordResetSessionTokenCookie();
-    }
-    return result;
-}
-/**
- * Sets the password reset session token cookie.
- */
-async function setPasswordResetSessionTokenCookie(token, expiresAt) {
-    const cookieStore = await (0, headers_1.cookies)();
-    cookieStore.set("password_reset_session", token, {
-        expires: expiresAt,
-        sameSite: "lax",
-        httpOnly: true,
-        path: "/",
-        secure: process.env.NODE_ENV === "production",
-    });
-}
-/**
- * Deletes the password reset session token cookie.
- */
-async function deletePasswordResetSessionTokenCookie() {
-    const cookieStore = await (0, headers_1.cookies)();
-    cookieStore.delete("password_reset_session");
-}
-/**
- * Sends a password reset email with the OTP code.
- */
-async function sendPasswordResetEmail(email, code) {
-    await (0, index_1.sendResetPassword)(email, code);
-}

package/dist/core/auth/rbac.d.ts

@@ -1,56 +0,0 @@
-/**
- * CORE RBAC LOGIC
- * This file handles all database operations for Roles and Permissions.
- */
-export declare function getRoles(): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-}[]>;
-export declare function getRoleById(roleId: string): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-}>;
-export declare function createRole(name: string, description?: string): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-}[]>;
-export declare function deleteRole(roleId: string): Promise<import("pg").QueryResult<never>>;
-export declare function getPermissions(): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-}[]>;
-export declare function createPermission(name: string, description?: string): Promise<{
-    id: string;
-    name: string;
-    description: string | null;
-}[]>;
-export declare function deletePermission(permissionId: string): Promise<import("pg").QueryResult<never>>;
-export declare function getRolePermissions(roleId: string): Promise<{
-    id: string;
-    name: string;
-}[]>;
-export declare function assignPermissionToRole(roleId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
-export declare function revokePermissionFromRole(roleId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
-export declare function assignRoleToUser(userId: string, roleId: string): Promise<import("pg").QueryResult<never>>;
-export declare function revokeRoleFromUser(userId: string, roleId: string): Promise<import("pg").QueryResult<never>>;
-export declare function assignPermissionToUser(userId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
-export declare function revokePermissionFromUser(userId: string, permissionId: string): Promise<import("pg").QueryResult<never>>;
-export declare function getUserRbacData(userId: string): Promise<{
-    roles: {
-        id: string;
-        name: string;
-    }[];
-    directPermissions: {
-        id: string;
-        name: string;
-    }[];
-    effectivePermissions: {
-        id: string;
-        name: string;
-    }[];
-}>;
-//# sourceMappingURL=rbac.d.ts.map

package/dist/core/auth/rbac.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../../src/core/auth/rbac.ts"],"names":[],"mappings":"AAkBA;;;GAGG;AAIH,wBAAsB,QAAQ;;;;KAE7B;AAED,wBAAsB,WAAW,CAAC,MAAM,EAAE,MAAM;;;;GAM/C;AAED,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;;;;KAElE;AAED,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,4CAE9C;AAID,wBAAsB,cAAc;;;;KAKnC;AAED,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM;;;;KAKxE;AAED,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,4CAI1D;AAID,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM;;;KAYtD;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAMrB;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAUrB;AAID,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,4CAKpE;AAED,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,4CAStE;AAED,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAMrB;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,4CAUrB;AAED,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM;;;;;;;;;;YAwCP,MAAM;cAAQ,MAAM;;GAUhE"}

package/dist/core/auth/rbac.js

@@ -1,151 +0,0 @@
-"use strict";
-"use server";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getRoles = getRoles;
-exports.getRoleById = getRoleById;
-exports.createRole = createRole;
-exports.deleteRole = deleteRole;
-exports.getPermissions = getPermissions;
-exports.createPermission = createPermission;
-exports.deletePermission = deletePermission;
-exports.getRolePermissions = getRolePermissions;
-exports.assignPermissionToRole = assignPermissionToRole;
-exports.revokePermissionFromRole = revokePermissionFromRole;
-exports.assignRoleToUser = assignRoleToUser;
-exports.revokeRoleFromUser = revokeRoleFromUser;
-exports.assignPermissionToUser = assignPermissionToUser;
-exports.revokePermissionFromUser = revokePermissionFromUser;
-exports.getUserRbacData = getUserRbacData;
-const drizzle_orm_1 = require("drizzle-orm");
-const inject_1 = require("../../server/database/inject");
-const schema_1 = require("../../server/database/schema");
-const index_1 = require("../notifications/index");
-// Ensure notification service is loaded
-if (typeof window === "undefined") {
-    index_1.notificationService.init();
-}
-/**
- * CORE RBAC LOGIC
- * This file handles all database operations for Roles and Permissions.
- */
-// --- Roles ---
-async function getRoles() {
-    return await inject_1.db.select().from(schema_1.rolesTable).orderBy(schema_1.rolesTable.name);
-}
-async function getRoleById(roleId) {
-    const [role] = await inject_1.db
-        .select()
-        .from(schema_1.rolesTable)
-        .where((0, drizzle_orm_1.eq)(schema_1.rolesTable.id, roleId));
-    return role;
-}
-async function createRole(name, description) {
-    return await inject_1.db.insert(schema_1.rolesTable).values({ name, description }).returning();
-}
-async function deleteRole(roleId) {
-    return await inject_1.db.delete(schema_1.rolesTable).where((0, drizzle_orm_1.eq)(schema_1.rolesTable.id, roleId));
-}
-// --- Permissions ---
-async function getPermissions() {
-    return await inject_1.db
-        .select()
-        .from(schema_1.permissionsTable)
-        .orderBy(schema_1.permissionsTable.name);
-}
-async function createPermission(name, description) {
-    return await inject_1.db
-        .insert(schema_1.permissionsTable)
-        .values({ name, description })
-        .returning();
-}
-async function deletePermission(permissionId) {
-    return await inject_1.db
-        .delete(schema_1.permissionsTable)
-        .where((0, drizzle_orm_1.eq)(schema_1.permissionsTable.id, permissionId));
-}
-// --- Mappings ---
-async function getRolePermissions(roleId) {
-    return await inject_1.db
-        .select({
-        id: schema_1.permissionsTable.id,
-        name: schema_1.permissionsTable.name,
-    })
-        .from(schema_1.rolesToPermissionsTable)
-        .innerJoin(schema_1.permissionsTable, (0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.permissionId, schema_1.permissionsTable.id))
-        .where((0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.roleId, roleId));
-}
-async function assignPermissionToRole(roleId, permissionId) {
-    return await inject_1.db
-        .insert(schema_1.rolesToPermissionsTable)
-        .values({ roleId, permissionId })
-        .onConflictDoNothing();
-}
-async function revokePermissionFromRole(roleId, permissionId) {
-    return await inject_1.db
-        .delete(schema_1.rolesToPermissionsTable)
-        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.roleId, roleId), (0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.permissionId, permissionId)));
-}
-// --- User Assignment ---
-async function assignRoleToUser(userId, roleId) {
-    return await inject_1.db
-        .insert(schema_1.usersToRolesTable)
-        .values({ userId, roleId })
-        .onConflictDoNothing();
-}
-async function revokeRoleFromUser(userId, roleId) {
-    return await inject_1.db
-        .delete(schema_1.usersToRolesTable)
-        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.userId, userId), (0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.roleId, roleId)));
-}
-async function assignPermissionToUser(userId, permissionId) {
-    return await inject_1.db
-        .insert(schema_1.usersToPermissionsTable)
-        .values({ userId, permissionId })
-        .onConflictDoNothing();
-}
-async function revokePermissionFromUser(userId, permissionId) {
-    return await inject_1.db
-        .delete(schema_1.usersToPermissionsTable)
-        .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.userId, userId), (0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.permissionId, permissionId)));
-}
-async function getUserRbacData(userId) {
-    const roles = await inject_1.db
-        .select({
-        id: schema_1.rolesTable.id,
-        name: schema_1.rolesTable.name,
-    })
-        .from(schema_1.usersToRolesTable)
-        .innerJoin(schema_1.rolesTable, (0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.roleId, schema_1.rolesTable.id))
-        .where((0, drizzle_orm_1.eq)(schema_1.usersToRolesTable.userId, userId));
-    const directPermissions = await inject_1.db
-        .select({
-        id: schema_1.permissionsTable.id,
-        name: schema_1.permissionsTable.name,
-    })
-        .from(schema_1.usersToPermissionsTable)
-        .innerJoin(schema_1.permissionsTable, (0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.permissionId, schema_1.permissionsTable.id))
-        .where((0, drizzle_orm_1.eq)(schema_1.usersToPermissionsTable.userId, userId));
-    // Fetch inherited permissions from roles
-    let rolePermissions = [];
-    if (roles.length > 0) {
-        const roleIds = roles.map((r) => r.id);
-        rolePermissions = await inject_1.db
-            .select({
-            id: schema_1.permissionsTable.id,
-            name: schema_1.permissionsTable.name,
-        })
-            .from(schema_1.rolesToPermissionsTable)
-            .innerJoin(schema_1.permissionsTable, (0, drizzle_orm_1.eq)(schema_1.rolesToPermissionsTable.permissionId, schema_1.permissionsTable.id))
-            .where((0, drizzle_orm_1.inArray)(schema_1.rolesToPermissionsTable.roleId, roleIds));
-    }
-    // Combine for effective permissions
-    const effectiveMap = new Map();
-    for (const p of [...directPermissions, ...rolePermissions]) {
-        effectiveMap.set(p.id, p);
-    }
-    return {
-        roles,
-        directPermissions,
-        effectivePermissions: Array.from(effectiveMap.values()),
-    };
-}