@arcote.tech/arc-adapter-db-postgres 0.5.1 → 0.5.2

package/dist/index.js

@@ -2439,6 +2439,109 @@ class ArcObject extends ArcAbstract {
     return new ArcObject(partialShape);
   }
 }
+class DataStorage {
+  async commitChanges(changes) {
+    await Promise.all(changes.map(({ store, changes: changes2 }) => this.getStore(store).applyChanges(changes2)));
+  }
+}
+
+class ScopedStore {
+  #inner;
+  #restrictions;
+  #canWrite;
+  #storeName;
+  constructor(inner, restrictions, canWrite) {
+    this.#inner = inner;
+    this.#restrictions = restrictions;
+    this.#canWrite = canWrite;
+    this.#storeName = inner.storeName;
+  }
+  get storeName() {
+    return this.#storeName;
+  }
+  async find(options, listener) {
+    const restricted = this.#applyReadRestrictions(options);
+    return this.#inner.find(restricted, listener);
+  }
+  async set(item) {
+    this.#assertWriteAccess();
+    this.#validateScopeFields(item);
+    return this.#inner.set(item);
+  }
+  async remove(id) {
+    this.#assertWriteAccess();
+    return this.#inner.remove(id);
+  }
+  async modify(id, data) {
+    this.#assertWriteAccess();
+    this.#validateScopeFields(data);
+    return this.#inner.modify(id, data);
+  }
+  async applyChanges(changes) {
+    this.#assertWriteAccess();
+    for (const change of changes) {
+      if (change.type === "set") {
+        this.#validateScopeFields(change.data);
+      } else if (change.type === "modify") {
+        this.#validateScopeFields(change.data);
+      }
+    }
+    return this.#inner.applyChanges(changes);
+  }
+  unsubscribe(listener) {
+    this.#inner.unsubscribe(listener);
+  }
+  #applyReadRestrictions(options) {
+    if (Object.keys(this.#restrictions).length === 0) {
+      return options ?? {};
+    }
+    return {
+      ...options,
+      where: { ...options?.where ?? {}, ...this.#restrictions }
+    };
+  }
+  #assertWriteAccess() {
+    if (!this.#canWrite) {
+      throw new Error(`Scope violation: write access denied to store "${this.#storeName}" (read-only)`);
+    }
+  }
+  #validateScopeFields(data) {
+    for (const [key, value] of Object.entries(this.#restrictions)) {
+      if (key in data && data[key] !== value) {
+        throw new Error(`Scope violation: field "${key}" must be "${value}", got "${data[key]}" in store "${this.#storeName}"`);
+      }
+    }
+  }
+}
+
+class ScopedDataStorage extends DataStorage {
+  #inner;
+  #allowedStores;
+  #restrictions;
+  constructor(inner, allowedStores, restrictions) {
+    super();
+    this.#inner = inner;
+    this.#allowedStores = allowedStores;
+    this.#restrictions = restrictions;
+  }
+  getStore(storeName) {
+    const permission = this.#allowedStores.get(storeName);
+    if (!permission) {
+      throw new Error(`Scope violation: access denied to store "${storeName}" (not declared in query/mutate)`);
+    }
+    const inner = this.#inner.getStore(storeName);
+    return new ScopedStore(inner, this.#restrictions, permission === "read-write");
+  }
+  fork() {
+    return this.#inner.fork();
+  }
+  getReadTransaction() {
+    return this.#inner.getReadTransaction();
+  }
+  getReadWriteTransaction() {
+    return this.#inner.getReadWriteTransaction();
+  }
+}
 class ArcPrimitive extends ArcAbstract {
   serialize(value) {
     return value;
@@ -2623,6 +2726,54 @@ class ArcContextElement extends ArcFragmentBase {
     return this._seeds;
   }
 }
+function buildElementContext(queryElements, mutationElements, adapters) {
+  const queryMap = new Map;
+  const mutateMap = new Map;
+  const queryProps = {};
+  for (const element of queryElements) {
+    if (element.queryContext) {
+      const ctx = element.queryContext(adapters);
+      queryProps[element.name] = ctx;
+      queryMap.set(element, ctx);
+    }
+  }
+  const mutateProps = {};
+  for (const element of mutationElements) {
+    if (element.mutateContext) {
+      const ctx = element.mutateContext(adapters);
+      mutateProps[element.name] = ctx;
+      mutateMap.set(element, ctx);
+    }
+  }
+  const queryFn = (element) => {
+    const cached = queryMap.get(element);
+    if (cached)
+      return cached;
+    if (element.queryContext) {
+      const ctx = element.queryContext(adapters);
+      queryMap.set(element, ctx);
+      return ctx;
+    }
+    throw new Error(`Element "${element.name}" has no queryContext`);
+  };
+  Object.assign(queryFn, queryProps);
+  const mutateFn = (element) => {
+    const cached = mutateMap.get(element);
+    if (cached)
+      return cached;
+    if (element.mutateContext) {
+      const ctx = element.mutateContext(adapters);
+      mutateMap.set(element, ctx);
+      return ctx;
+    }
+    throw new Error(`Element "${element.name}" has no mutateContext`);
+  };
+  Object.assign(mutateFn, mutateProps);
+  return {
+    query: queryFn,
+    mutate: mutateFn
+  };
+}
 
 class ArcBoolean extends ArcPrimitive {
   hasToBeTrue() {
@@ -2826,55 +2977,6 @@ class ArcEvent extends ArcContextElement {
     return ArcEvent.sharedDatabaseStoreSchema();
   }
 }
-function buildElementContext(queryElements, mutationElements, adapters) {
-  const queryMap = new Map;
-  const mutateMap = new Map;
-  const queryProps = {};
-  for (const element of queryElements) {
-    if (element.queryContext) {
-      const ctx = element.queryContext(adapters);
-      queryProps[element.name] = ctx;
-      queryMap.set(element, ctx);
-    }
-  }
-  const mutateProps = {};
-  for (const element of mutationElements) {
-    if (element.mutateContext) {
-      const ctx = element.mutateContext(adapters);
-      mutateProps[element.name] = ctx;
-      mutateMap.set(element, ctx);
-    }
-  }
-  const queryFn = (element) => {
-    const cached = queryMap.get(element);
-    if (cached)
-      return cached;
-    if (element.queryContext) {
-      const ctx = element.queryContext(adapters);
-      queryMap.set(element, ctx);
-      return ctx;
-    }
-    throw new Error(`Element "${element.name}" has no queryContext`);
-  };
-  Object.assign(queryFn, queryProps);
-  const mutateFn = (element) => {
-    const cached = mutateMap.get(element);
-    if (cached)
-      return cached;
-    if (element.mutateContext) {
-      const ctx = element.mutateContext(adapters);
-      mutateMap.set(element, ctx);
-      return ctx;
-    }
-    throw new Error(`Element "${element.name}" has no mutateContext`);
-  };
-  Object.assign(mutateFn, mutateProps);
-  return {
-    query: queryFn,
-    mutate: mutateFn
-  };
-}
-
 class ArcFunction {
   data;
   constructor(data) {
@@ -3191,9 +3293,10 @@ class ArcListener extends ArcContextElement {
   async handleEvent(event2, adapters) {
     if (!this.data.handler)
       return;
-    const context2 = this.#fn.buildContext(adapters);
-    if (adapters.authAdapter) {
-      const decoded = adapters.authAdapter.getDecoded();
+    const scopedAdapters = this.buildScopedAdapters(event2, adapters);
+    const context2 = this.#fn.buildContext(scopedAdapters);
+    if (scopedAdapters.authAdapter) {
+      const decoded = scopedAdapters.authAdapter.getDecoded();
       if (decoded) {
         context2.$auth = {
           params: decoded.params,
@@ -3209,6 +3312,37 @@ class ArcListener extends ArcContextElement {
       await this.data.handler(context2, event2);
     }
   }
+  buildScopedAdapters(event2, adapters) {
+    if (adapters.authAdapter?.isAuthenticated()) {
+      return adapters;
+    }
+    const allElements = [
+      ...this.data.queryElements,
+      ...this.data.mutationElements
+    ];
+    let tokenName = null;
+    for (const element of allElements) {
+      const protections = element.__aggregateProtections ?? element.data?.protections;
+      if (protections?.length > 0) {
+        tokenName = protections[0].token.name;
+        break;
+      }
+    }
+    if (!tokenName || !event2.payload) {
+      return adapters;
+    }
+    const scopedAuth = new AuthAdapter;
+    scopedAuth.scopes = new Map([
+      ["default", {
+        raw: "",
+        decoded: {
+          tokenName,
+          params: event2.payload
+        }
+      }]
+    ]);
+    return { ...adapters, authAdapter: scopedAuth };
+  }
   destroy() {
     for (const unsubscribe of this.unsubscribers) {
       unsubscribe();
@@ -3313,12 +3447,6 @@ class ArcRoute extends ArcContextElement {
     return context2;
   }
 }
-class DataStorage {
-  async commitChanges(changes) {
-    await Promise.all(changes.map(({ store, changes: changes2 }) => this.getStore(store).applyChanges(changes2)));
-  }
-}
-
 class StoreState {
   storeName;
   dataStorage;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-adapter-db-postgres",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -23,7 +23,7 @@
     "postgres": "^3.4.4"
   },
   "peerDependencies": {
-    "@arcote.tech/arc": "^0.5.1"
+    "@arcote.tech/arc": "^0.5.2"
   },
   "devDependencies": {
     "@types/pg": "^8.11.0",