@arikajs/authorization 0.0.4 → 0.0.5

package/README.md

@@ -1,10 +1,15 @@
 ## Arika Authorization
 
-`@arikajs/authorization` provides authorization (access control) for the ArikaJS framework.
+`@arikajs/authorization` provides a powerful, enterprise-grade authorization (access control) system for the ArikaJS framework.
 
-It answers one critical question: **“Is the authenticated user allowed to perform this action?”**
+It answers one critical question: **"Is the authenticated user allowed to perform this action?"**
 
-This package provides a powerful authorization system with Gates and Policies, designed specifically for a modular, TypeScript-first Node.js framework.
+```ts
+// Per-request scoped — safe for concurrent requests
+if (await req.can('edit-post', post)) {
+  // authorized
+}
+```
 
 ---
 
@@ -12,10 +17,14 @@ This package provides a powerful authorization system with Gates and Policies, d
 
 - **Stage**: Experimental / v0.x
 - **Scope**:
-  - Gate-based authorization
-  - Policy-based authorization
-  - Authorization middleware
-  - Centralized permission logic
+  - Gate-based authorization with `before()` / `after()` hooks
+  - Policy-based authorization with auto-discovery
+  - Response-based authorization (custom deny messages)
+  - Role & Permission system
+  - Bulk ability checks (`any` / `every` / `none`)
+  - Request-scoped authorization context (concurrency safe)
+  - Authorization middleware with role/permission support
+  - Result caching per-request for performance
 - **Design**:
   - Framework-agnostic (usable outside HTTP layer)
   - Decoupled from transport layer
@@ -36,12 +45,14 @@ This package works on top of `@arikajs/auth` but remains fully decoupled from it
 
 ## 🚀 Features
 
-- **Gate-based authorization**: Simple closure-based checks.
-- **Policy-based authorization**: Organize logic per model/resource.
-- **Middleware integration**: Protect routes easily.
-- **Controller & service-level checks**: Call authorization logic from anywhere.
-- **Type-safe APIs**: Built for TypeScript.
-- **Framework-agnostic**: Can be used in CLI, WebSocket, or HTTP contexts.
+- **Gate-based authorization** — Simple closure-based checks with before/after hooks.
+- **Policy-based authorization** — Organize logic per model/resource with `before()` bypass.
+- **Response-based authorization** — Return custom deny messages instead of plain booleans.
+- **Role & Permission system** — First-class role and permission checking.
+- **Bulk ability checks** — `Gate.any()`, `Gate.every()`, `Gate.none()` for multi-ability checks.
+- **Request-scoped context** — Memory-safe, per-request isolation with built-in result caching.
+- **Middleware integration** — Protect routes with `can:`, `role:`, and `permission:` prefixes.
+- **Type-safe APIs** — Built for TypeScript.
 
 ---
 
@@ -49,10 +60,6 @@ This package works on top of `@arikajs/auth` but remains fully decoupled from it
 
 ```bash
 npm install @arikajs/authorization
-# or
-yarn add @arikajs/authorization
-# or
-pnpm add @arikajs/authorization
 ```
 
 ---
@@ -74,13 +81,8 @@ Gate.define('edit-post', (user, post) => {
 **Usage:**
 
 ```ts
-if (Gate.allows('edit-post', post)) {
-  // ...
-}
-
-if (Gate.denies('edit-post', post)) {
-  // ...
-}
+if (await Gate.forUser(user).allows('edit-post', post)) { ... }
+if (await Gate.forUser(user).denies('edit-post', post)) { ... }
 ```
 
 ### 2️⃣ Policies
@@ -89,101 +91,204 @@ Policies organize authorization logic around a specific model or resource.
 
 ```ts
 class PostPolicy {
-  view(user, post) {
+  // Super admin bypass — runs before any check
+  before(user: any, ability: string) {
+    if (user.isSuperAdmin) return true;
+    return null; // continue to actual check
+  }
+
+  view(user: any, post: Post) {
     return true;
   }
 
-  update(user, post) {
+  update(user: any, post: Post) {
     return user.id === post.userId;
   }
+
+  delete(user: any, post: Post) {
+    if (user.id !== post.userId) {
+      return AuthResponse.deny('You do not own this post.', 'POST_NOT_OWNED');
+    }
+    return AuthResponse.allow();
+  }
 }
 ```
 
-**Register Policy:**
+**Register & Use:**
 
 ```ts
 Gate.policy(Post, PostPolicy);
+
+// Automatically resolves to PostPolicy.update
+await Gate.forUser(user).allows('update', post);
 ```
 
-**Usage:**
+### 3️⃣ Authorization Context (Per-Request)
+
+Each request should get its own `AuthorizationContext` for isolation and caching:
 
 ```ts
-// Automatically resolves to PostPolicy.update
-Gate.allows('update', post); 
+const ctx = new AuthorizationContext(user);
+
+await ctx.can('edit-post', post);     // true
+await ctx.cannot('delete-post', post); // true
+await ctx.authorize('edit-post', post); // throws if denied
 ```
 
-### 3️⃣ Authorization Manager
+---
+
+## 🔑 Role & Permission System
 
-The central engine that evaluates permissions.
+ArikaJS Authorization provides first-class role and permission checking:
 
 ```ts
-const authz = new AuthorizationManager(user);
-
-authz.can('edit-post', post);
-authz.cannot('delete-post', post);
+import { RolePermissionMixin, AuthorizationContext } from '@arikajs/authorization';
+
+// Direct usage
+RolePermissionMixin.hasRole(user, 'admin');           // true/false
+RolePermissionMixin.hasAnyRole(user, ['admin', 'editor']);
+RolePermissionMixin.hasPermission(user, 'edit-posts');
+RolePermissionMixin.hasAllPermissions(user, ['view-posts', 'edit-posts']);
+
+// Via request-scoped context
+const ctx = new AuthorizationContext(user);
+ctx.hasRole('admin');
+ctx.hasAnyPermission(['edit-posts', 'delete-posts']);
 ```
 
+User objects should have `roles` and `permissions` arrays (strings or `{name: string}` objects).
+
 ---
 
-## 🧩 Middleware Support
+## 🛡️ Before / After Hooks
 
-Protect routes using authorization middleware:
+### Global Before Hook (Super Admin Bypass)
 
 ```ts
-Route.get('/posts/:id/edit', controller)
-  .middleware('can:edit-post');
+Gate.before((user, ability) => {
+  if (user.isSuperAdmin) return true; // Bypasses ALL checks
+  return null; // Continue to actual check
+});
 ```
 
-WITH arguments (e.g. Policies):
+### Global After Hook (Audit Logging)
 
 ```ts
-.middleware('can:update,post');
+Gate.after((user, ability, result) => {
+  console.log(`${user.name} → ${ability}: ${result ? 'ALLOWED' : 'DENIED'}`);
+});
 ```
 
-Middleware automatically:
-1.  Resolves the authenticated user.
-2.  Executes the authorization check.
-3.  Throws `403 Forbidden` on failure.
+### Policy-Level Before Hook
+
+```ts
+class PostPolicy {
+  before(user, ability) {
+    if (user.isSuperAdmin) return true;
+    return null;
+  }
+}
+```
+
+---
+
+## 🔍 Bulk Ability Checks
+
+Check multiple abilities in a single call:
+
+```ts
+// Can the user do ANY of these?
+await Gate.forUser(user).any(['edit-post', 'delete-post'], post);
+
+// Can the user do ALL of these?
+await Gate.forUser(user).every(['edit-post', 'publish-post'], post);
+
+// Can the user do NONE of these?
+await Gate.forUser(user).none(['admin-only', 'super-admin-only']);
+```
 
 ---
 
-## 🧑💻 Controller Usage
+## 💬 Response-Based Authorization
+
+Instead of returning plain `true`/`false`, return an `AuthResponse` with custom error messages:
 
 ```ts
-class PostController {
-  update(request) {
-    Gate.authorize('update', request.post);
+import { AuthResponse } from '@arikajs/authorization';
 
-    // Authorized logic proceeds here...
+Gate.define('edit-post', (user, post) => {
+  if (user.id !== post.userId) {
+    return AuthResponse.deny('You do not own this post.', 'POST_NOT_OWNED');
   }
-}
+  return AuthResponse.allow();
+});
+
+// Inspect the full response
+const response = await Gate.forUser(user).inspect('edit-post', post);
+response.allowed();  // false
+response.message();  // 'You do not own this post.'
+response.code();     // 'POST_NOT_OWNED'
 ```
 
-If unauthorized, it throws an `AuthorizationException`, which is automatically handled by the HTTP layer.
+---
+
+## 🧩 Middleware Support
+
+Protect routes using authorization middleware with multiple strategies:
+
+```ts
+// Gate/Policy check
+Route.get('/posts/:id/edit', controller).middleware('can:edit-post');
+
+// Role-based
+Route.get('/admin', controller).middleware('role:admin');
+Route.get('/dashboard', controller).middleware('role:admin,editor');
+
+// Permission-based
+Route.get('/settings', controller).middleware('permission:manage-settings');
+```
+
+Middleware automatically:
+1.  Resolves the authenticated user.
+2.  Executes the authorization check.
+3.  Throws `403 Forbidden` on failure.
+
+---
+
+## ⚡ Performance
+
+- **Per-request caching**: `AuthorizationContext` caches ability results within a single request, preventing redundant gate/policy evaluation.
+- **Policy instance caching**: `PolicyResolver` caches instantiated policy objects instead of creating new ones on every call.
+- **Short-circuit evaluation**: `before()` hooks return immediately without running the actual check.
+- **Bulk checks early-exit**: `any()` returns on first `true`, `none()` returns on first `true`.
 
 ---
 
 ## 🏗 Architecture
 
-```
+```text
 authorization/
 ├── src/
-│   ├── Gate.ts                  ← Define & evaluate abilities
-│   ├── AuthorizationManager.ts  ← Core authorization engine
-│   ├── PolicyResolver.ts        ← Maps models to policies
-│   ├── Middleware/
-│   │   └── Authorize.ts         ← Route-level protection
-│   ├── Exceptions/
-│   │   └── AuthorizationException.ts
-│   ├── Contracts/
+│   ├── Contracts
 │   │   └── Policy.ts
-│   └── index.ts
+│   ├── Exceptions
+│   │   └── AuthorizationException.ts
+│   ├── Middleware
+│   │   └── Authorize.ts
+│   ├── AuthorizationContext.ts
+│   ├── AuthorizationManager.ts
+│   ├── AuthResponse.ts
+│   ├── Gate.ts
+│   ├── index.ts
+│   ├── PolicyResolver.ts
+│   └── RolePermission.ts
+├── tests/
 ├── package.json
 ├── tsconfig.json
-├── README.md
-└── LICENSE
+└── README.md
 ```
 
+
 ---
 
 ## 🔌 Integration with ArikaJS
@@ -197,25 +302,15 @@ authorization/
 
 ---
 
-## 🧪 Error Handling
-
-Unauthorized access throws:
-- `AuthorizationException` (403)
-
-Handled automatically by:
-- HTTP kernel
-- Middleware pipeline
-
----
-
 ## 📌 Design Philosophy
 
 - **Explicit over implicit**: Authorization rules should be clear.
 - **Centralized rules**: Keep logic in Gates or Policies, not controllers.
-- **Readable permission names**: Use descriptive names like `edit-post`.
+- **Rich feedback**: Return custom error messages, not just true/false.
+- **Performance first**: Cache results, short-circuit, instance re-use.
 - **Decoupled from transport layer**: Logic works for HTTP, CLI, etc.
 
-> “Authentication identifies the user. Authorization empowers or restricts them.”
+> "Authentication identifies the user. Authorization empowers or restricts them."
 
 ---
 

package/dist/AuthResponse.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Represents the result of an authorization check.
+ * Allows gates/policies to return custom denial messages instead of just true/false.
+ */
+export declare class AuthResponse {
+    private _allowed;
+    private _message;
+    private _code;
+    constructor(allowed: boolean, message?: string | null, code?: string | null);
+    allowed(): boolean;
+    denied(): boolean;
+    message(): string | null;
+    code(): string | null;
+    /**
+     * Create an "allow" response.
+     */
+    static allow(message?: string | null): AuthResponse;
+    /**
+     * Create a "deny" response with an optional custom message.
+     */
+    static deny(message?: string, code?: string | null): AuthResponse;
+}
+//# sourceMappingURL=AuthResponse.d.ts.map

package/dist/AuthResponse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthResponse.d.ts","sourceRoot":"","sources":["../src/AuthResponse.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,QAAQ,CAAU;IAC1B,OAAO,CAAC,QAAQ,CAAgB;IAChC,OAAO,CAAC,KAAK,CAAgB;gBAEjB,OAAO,EAAE,OAAO,EAAE,OAAO,GAAE,MAAM,GAAG,IAAW,EAAE,IAAI,GAAE,MAAM,GAAG,IAAW;IAMhF,OAAO,IAAI,OAAO;IAIlB,MAAM,IAAI,OAAO;IAIjB,OAAO,IAAI,MAAM,GAAG,IAAI;IAIxB,IAAI,IAAI,MAAM,GAAG,IAAI;IAI5B;;OAEG;WACW,KAAK,CAAC,OAAO,GAAE,MAAM,GAAG,IAAW,GAAG,YAAY;IAIhE;;OAEG;WACW,IAAI,CAAC,OAAO,GAAE,MAAuC,EAAE,IAAI,GAAE,MAAM,GAAG,IAAW,GAAG,YAAY;CAGjH"}

package/dist/AuthResponse.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthResponse = void 0;
+/**
+ * Represents the result of an authorization check.
+ * Allows gates/policies to return custom denial messages instead of just true/false.
+ */
+class AuthResponse {
+    constructor(allowed, message = null, code = null) {
+        this._allowed = allowed;
+        this._message = message;
+        this._code = code;
+    }
+    allowed() {
+        return this._allowed;
+    }
+    denied() {
+        return !this._allowed;
+    }
+    message() {
+        return this._message;
+    }
+    code() {
+        return this._code;
+    }
+    /**
+     * Create an "allow" response.
+     */
+    static allow(message = null) {
+        return new AuthResponse(true, message);
+    }
+    /**
+     * Create a "deny" response with an optional custom message.
+     */
+    static deny(message = 'This action is unauthorized.', code = null) {
+        return new AuthResponse(false, message, code);
+    }
+}
+exports.AuthResponse = AuthResponse;
+//# sourceMappingURL=AuthResponse.js.map

package/dist/AuthResponse.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthResponse.js","sourceRoot":"","sources":["../src/AuthResponse.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,MAAa,YAAY;IAKrB,YAAY,OAAgB,EAAE,UAAyB,IAAI,EAAE,OAAsB,IAAI;QACnF,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACtB,CAAC;IAEM,OAAO;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACzB,CAAC;IAEM,MAAM;QACT,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;IAC1B,CAAC;IAEM,OAAO;QACV,OAAO,IAAI,CAAC,QAAQ,CAAC;IACzB,CAAC;IAEM,IAAI;QACP,OAAO,IAAI,CAAC,KAAK,CAAC;IACtB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,UAAyB,IAAI;QAC7C,OAAO,IAAI,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,IAAI,CAAC,UAAkB,8BAA8B,EAAE,OAAsB,IAAI;QAC3F,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAClD,CAAC;CACJ;AAxCD,oCAwCC"}

package/dist/AuthorizationContext.d.ts

@@ -0,0 +1,31 @@
+import { AuthResponse } from './AuthResponse';
+/**
+ * Per-request authorization context.
+ * Avoids the global mutable `Gate.currentUser` problem under concurrency.
+ * Each request gets its own `AuthorizationContext` with an isolated user reference.
+ */
+export declare class AuthorizationContext {
+    private user;
+    private cache;
+    constructor(user: any);
+    can(ability: string, ...args: any[]): Promise<boolean>;
+    cannot(ability: string, ...args: any[]): Promise<boolean>;
+    authorize(ability: string, ...args: any[]): Promise<void>;
+    inspect(ability: string, ...args: any[]): Promise<AuthResponse>;
+    any(abilities: string[], ...args: any[]): Promise<boolean>;
+    every(abilities: string[], ...args: any[]): Promise<boolean>;
+    none(abilities: string[], ...args: any[]): Promise<boolean>;
+    hasRole(role: string | string[]): boolean;
+    hasAnyRole(roles: string[]): boolean;
+    hasAllRoles(roles: string[]): boolean;
+    hasPermission(permission: string): boolean;
+    hasAnyPermission(permissions: string[]): boolean;
+    hasAllPermissions(permissions: string[]): boolean;
+    getUser(): any;
+    /**
+     * Clear the authorization cache (e.g. after role change mid-request).
+     */
+    flushCache(): void;
+    private buildCacheKey;
+}
+//# sourceMappingURL=AuthorizationContext.d.ts.map

package/dist/AuthorizationContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationContext.d.ts","sourceRoot":"","sources":["../src/AuthorizationContext.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAG9C;;;;GAIG;AACH,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,IAAI,CAAM;IAClB,OAAO,CAAC,KAAK,CAAmC;gBAEpC,IAAI,EAAE,GAAG;IAMR,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAWtD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAM/D,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1D,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5D,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAMjE,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO;IAIzC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;IAIpC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;IAIrC,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAI1C,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;IAIhD,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;IAMjD,OAAO,IAAI,GAAG;IAIrB;;OAEG;IACI,UAAU,IAAI,IAAI;IAIzB,OAAO,CAAC,aAAa;CASxB"}

package/dist/AuthorizationContext.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationContext = void 0;
+const Gate_1 = require("./Gate");
+const RolePermission_1 = require("./RolePermission");
+/**
+ * Per-request authorization context.
+ * Avoids the global mutable `Gate.currentUser` problem under concurrency.
+ * Each request gets its own `AuthorizationContext` with an isolated user reference.
+ */
+class AuthorizationContext {
+    constructor(user) {
+        this.cache = new Map();
+        this.user = user;
+    }
+    // ── Single ability checks ───────────────────────────────────────
+    async can(ability, ...args) {
+        const cacheKey = this.buildCacheKey(ability, args);
+        if (this.cache.has(cacheKey)) {
+            return this.cache.get(cacheKey);
+        }
+        const result = await Gate_1.Gate.forUser(this.user).allows(ability, ...args);
+        this.cache.set(cacheKey, result);
+        return result;
+    }
+    async cannot(ability, ...args) {
+        return !(await this.can(ability, ...args));
+    }
+    async authorize(ability, ...args) {
+        await Gate_1.Gate.forUser(this.user).authorize(ability, ...args);
+    }
+    async inspect(ability, ...args) {
+        return await Gate_1.Gate.forUser(this.user).inspect(ability, ...args);
+    }
+    // ── Bulk ability checks ─────────────────────────────────────────
+    async any(abilities, ...args) {
+        return await Gate_1.Gate.forUser(this.user).any(abilities, ...args);
+    }
+    async every(abilities, ...args) {
+        return await Gate_1.Gate.forUser(this.user).every(abilities, ...args);
+    }
+    async none(abilities, ...args) {
+        return await Gate_1.Gate.forUser(this.user).none(abilities, ...args);
+    }
+    // ── Role & Permission checks (via mixin) ────────────────────────
+    hasRole(role) {
+        return RolePermission_1.RolePermissionMixin.hasRole(this.user, role);
+    }
+    hasAnyRole(roles) {
+        return RolePermission_1.RolePermissionMixin.hasAnyRole(this.user, roles);
+    }
+    hasAllRoles(roles) {
+        return RolePermission_1.RolePermissionMixin.hasAllRoles(this.user, roles);
+    }
+    hasPermission(permission) {
+        return RolePermission_1.RolePermissionMixin.hasPermission(this.user, permission);
+    }
+    hasAnyPermission(permissions) {
+        return RolePermission_1.RolePermissionMixin.hasAnyPermission(this.user, permissions);
+    }
+    hasAllPermissions(permissions) {
+        return RolePermission_1.RolePermissionMixin.hasAllPermissions(this.user, permissions);
+    }
+    // ── Internals ───────────────────────────────────────────────────
+    getUser() {
+        return this.user;
+    }
+    /**
+     * Clear the authorization cache (e.g. after role change mid-request).
+     */
+    flushCache() {
+        this.cache.clear();
+    }
+    buildCacheKey(ability, args) {
+        // Build a simple cache key from ability + resource IDs
+        const argIds = args.map(a => {
+            if (a && typeof a === 'object' && a.id !== undefined)
+                return `${a.constructor?.name || 'obj'}:${a.id}`;
+            if (a && typeof a === 'object' && a.constructor)
+                return a.constructor.name;
+            return String(a);
+        });
+        return `${ability}:${argIds.join(',')}`;
+    }
+}
+exports.AuthorizationContext = AuthorizationContext;
+//# sourceMappingURL=AuthorizationContext.js.map

package/dist/AuthorizationContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationContext.js","sourceRoot":"","sources":["../src/AuthorizationContext.ts"],"names":[],"mappings":";;;AAAA,iCAA8B;AAE9B,qDAAuD;AAEvD;;;;GAIG;AACH,MAAa,oBAAoB;IAI7B,YAAY,IAAS;QAFb,UAAK,GAAyB,IAAI,GAAG,EAAE,CAAC;QAG5C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACrB,CAAC;IAED,mEAAmE;IAE5D,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAG,IAAW;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACnD,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;QACrC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACtE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjC,OAAO,MAAM,CAAC;IAClB,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,GAAG,IAAW;QAClD,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC9D,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,GAAG,IAAW;QAChD,OAAO,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACnE,CAAC;IAED,mEAAmE;IAE5D,KAAK,CAAC,GAAG,CAAC,SAAmB,EAAE,GAAG,IAAW;QAChD,OAAO,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,CAAC;IACjE,CAAC;IAEM,KAAK,CAAC,KAAK,CAAC,SAAmB,EAAE,GAAG,IAAW;QAClD,OAAO,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,CAAC;IACnE,CAAC;IAEM,KAAK,CAAC,IAAI,CAAC,SAAmB,EAAE,GAAG,IAAW;QACjD,OAAO,MAAM,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;IAED,mEAAmE;IAE5D,OAAO,CAAC,IAAuB;QAClC,OAAO,oCAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC;IAEM,UAAU,CAAC,KAAe;QAC7B,OAAO,oCAAmB,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC5D,CAAC;IAEM,WAAW,CAAC,KAAe;QAC9B,OAAO,oCAAmB,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC7D,CAAC;IAEM,aAAa,CAAC,UAAkB;QACnC,OAAO,oCAAmB,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACpE,CAAC;IAEM,gBAAgB,CAAC,WAAqB;QACzC,OAAO,oCAAmB,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACxE,CAAC;IAEM,iBAAiB,CAAC,WAAqB;QAC1C,OAAO,oCAAmB,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACzE,CAAC;IAED,mEAAmE;IAE5D,OAAO;QACV,OAAO,IAAI,CAAC,IAAI,CAAC;IACrB,CAAC;IAED;;OAEG;IACI,UAAU;QACb,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,IAAW;QAC9C,uDAAuD;QACvD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACxB,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,EAAE,KAAK,SAAS;gBAAE,OAAO,GAAG,CAAC,CAAC,WAAW,EAAE,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC;YACvG,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,WAAW;gBAAE,OAAO,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC;YAC3E,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,OAAO,GAAG,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAC5C,CAAC;CACJ;AA/FD,oDA+FC"}

package/dist/AuthorizationManager.d.ts

@@ -1,17 +1,25 @@
+import { AuthorizationContext } from './AuthorizationContext';
+import { AuthResponse } from './AuthResponse';
 export declare class AuthorizationManager {
     private user;
+    private context;
     constructor(user: any);
     /**
-     * Determine if the user can perform the given ability.
+     * Create a request-scoped authorization context and bind it to the request.
      */
+    static createContext(request: any): AuthorizationContext;
     can(ability: string, ...args: any[]): Promise<boolean>;
-    /**
-     * Determine if the user cannot perform the given ability.
-     */
     cannot(ability: string, ...args: any[]): Promise<boolean>;
-    /**
-     * Authorize or throw exception.
-     */
     authorize(ability: string, ...args: any[]): Promise<void>;
+    inspect(ability: string, ...args: any[]): Promise<AuthResponse>;
+    any(abilities: string[], ...args: any[]): Promise<boolean>;
+    every(abilities: string[], ...args: any[]): Promise<boolean>;
+    none(abilities: string[], ...args: any[]): Promise<boolean>;
+    hasRole(role: string | string[]): boolean;
+    hasAnyRole(roles: string[]): boolean;
+    hasAllRoles(roles: string[]): boolean;
+    hasPermission(permission: string): boolean;
+    hasAnyPermission(permissions: string[]): boolean;
+    hasAllPermissions(permissions: string[]): boolean;
 }
 //# sourceMappingURL=AuthorizationManager.d.ts.map

package/dist/AuthorizationManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthorizationManager.d.ts","sourceRoot":"","sources":["../src/AuthorizationManager.ts"],"names":[],"mappings":"AAAA,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,IAAI,CAAM;gBAEN,IAAI,EAAE,GAAG;IAIrB;;OAEG;IACU,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAKnE;;OAEG;IACU,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAItE;;OAEG;IACU,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;CAIzE"}
+{"version":3,"file":"AuthorizationManager.d.ts","sourceRoot":"","sources":["../src/AuthorizationManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,IAAI,CAAM;IAClB,OAAO,CAAC,OAAO,CAAuB;gBAE1B,IAAI,EAAE,GAAG;IAKrB;;OAEG;WACW,aAAa,CAAC,OAAO,EAAE,GAAG,GAAG,oBAAoB;IAWlD,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAItD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIzD,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAI/D,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1D,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5D,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAMjE,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO;IAIzC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;IAIpC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;IAIrC,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAI1C,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;IAIhD,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;CAG3D"}