@arikajs/authorization 0.0.4 → 0.0.6

package/dist/src/Gate.js

@@ -0,0 +1,189 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Gate = void 0;
+const PolicyResolver_1 = require("./PolicyResolver");
+const AuthorizationException_1 = require("./Exceptions/AuthorizationException");
+const AuthResponse_1 = require("./AuthResponse");
+class Gate {
+    // ── Gate Definitions ────────────────────────────────────────────
+    /**
+     * Define a new ability.
+     */
+    static define(ability, callback) {
+        this.abilities.set(ability, callback);
+    }
+    /**
+     * Register a policy for a model.
+     */
+    static policy(model, policy) {
+        this.policyResolver.register(model, policy);
+    }
+    // ── Before / After Hooks ────────────────────────────────────────
+    /**
+     * Register a callback to run before all gate checks.
+     * Return `true` to allow immediately (super admin bypass).
+     * Return `false` to deny immediately.
+     * Return `null`/`undefined` to continue to the actual gate check.
+     */
+    static before(callback) {
+        this.beforeCallbacks.push(callback);
+    }
+    /**
+     * Register a callback to run after all gate checks.
+     * Useful for logging, auditing decisions, etc.
+     */
+    static after(callback) {
+        this.afterCallbacks.push(callback);
+    }
+    // ── User Binding ────────────────────────────────────────────────
+    /**
+     * Set the current user for authorization checks.
+     */
+    static forUser(user) {
+        this.currentUser = user;
+        return this;
+    }
+    // ── Single Ability Checks ───────────────────────────────────────
+    /**
+     * Determine if the user is authorized for an ability.
+     * Returns the AuthResponse for rich deny messages.
+     */
+    static async inspect(ability, ...args) {
+        // 1. Run before hooks
+        for (const cb of this.beforeCallbacks) {
+            const beforeResult = await cb(this.currentUser, ability, ...args);
+            if (beforeResult === true) {
+                return AuthResponse_1.AuthResponse.allow();
+            }
+            if (beforeResult === false) {
+                return AuthResponse_1.AuthResponse.deny();
+            }
+            // null/undefined = continue
+        }
+        // 2. Check policy before() method
+        if (args.length > 0) {
+            const resource = args[0];
+            const policy = this.policyResolver.resolvePolicy(resource);
+            if (policy) {
+                const instance = this.policyResolver.getInstance(policy);
+                if (typeof instance.before === 'function') {
+                    const policyBefore = await instance.before(this.currentUser, ability, ...args);
+                    if (policyBefore === true)
+                        return AuthResponse_1.AuthResponse.allow();
+                    if (policyBefore === false)
+                        return AuthResponse_1.AuthResponse.deny();
+                }
+                const method = this.policyResolver.getPolicyMethod(policy, ability);
+                if (method) {
+                    const result = await method(this.currentUser, ...args);
+                    const response = this.normalizeResult(result);
+                    await this.runAfterCallbacks(ability, response.allowed(), ...args);
+                    return response;
+                }
+            }
+        }
+        // 3. Check direct gate definition
+        if (this.abilities.has(ability)) {
+            const callback = this.abilities.get(ability);
+            const result = await callback(this.currentUser, ...args);
+            const response = this.normalizeResult(result);
+            await this.runAfterCallbacks(ability, response.allowed(), ...args);
+            return response;
+        }
+        // 4. Default deny
+        const response = AuthResponse_1.AuthResponse.deny();
+        await this.runAfterCallbacks(ability, false, ...args);
+        return response;
+    }
+    /**
+     * Determine if the user is authorized to perform an ability.
+     */
+    static async allows(ability, ...args) {
+        const response = await this.inspect(ability, ...args);
+        return response.allowed();
+    }
+    /**
+     * Determine if the user is NOT authorized.
+     */
+    static async denies(ability, ...args) {
+        return !(await this.allows(ability, ...args));
+    }
+    /**
+     * Authorize or throw exception with optional custom message.
+     */
+    static async authorize(ability, ...args) {
+        const response = await this.inspect(ability, ...args);
+        if (response.denied()) {
+            throw new AuthorizationException_1.AuthorizationException(response.message() || 'This action is unauthorized.', response.code());
+        }
+    }
+    /**
+     * Check authorization (alias for allows).
+     */
+    static async check(ability, ...args) {
+        return await this.allows(ability, ...args);
+    }
+    // ── Bulk Ability Checks ─────────────────────────────────────────
+    /**
+     * Check if the user can perform ANY of the given abilities.
+     */
+    static async any(abilities, ...args) {
+        for (const ability of abilities) {
+            if (await this.allows(ability, ...args)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if the user can perform ALL of the given abilities.
+     */
+    static async every(abilities, ...args) {
+        for (const ability of abilities) {
+            if (!(await this.allows(ability, ...args))) {
+                return false;
+            }
+        }
+        return true;
+    }
+    /**
+     * Check if the user can perform NONE of the given abilities.
+     */
+    static async none(abilities, ...args) {
+        for (const ability of abilities) {
+            if (await this.allows(ability, ...args)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    // ── Internals ───────────────────────────────────────────────────
+    static normalizeResult(result) {
+        if (result instanceof AuthResponse_1.AuthResponse) {
+            return result;
+        }
+        return result ? AuthResponse_1.AuthResponse.allow() : AuthResponse_1.AuthResponse.deny();
+    }
+    static async runAfterCallbacks(ability, result, ...args) {
+        for (const cb of this.afterCallbacks) {
+            await cb(this.currentUser, ability, result, ...args);
+        }
+    }
+    /**
+     * Reset all gates, policies, and hooks (useful for testing).
+     */
+    static reset() {
+        this.abilities.clear();
+        this.policyResolver = new PolicyResolver_1.PolicyResolver();
+        this.beforeCallbacks = [];
+        this.afterCallbacks = [];
+        this.currentUser = null;
+    }
+}
+exports.Gate = Gate;
+Gate.abilities = new Map();
+Gate.policyResolver = new PolicyResolver_1.PolicyResolver();
+Gate.beforeCallbacks = [];
+Gate.afterCallbacks = [];
+Gate.currentUser = null;
+//# sourceMappingURL=Gate.js.map

package/dist/src/Gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Gate.js","sourceRoot":"","sources":["../../src/Gate.ts"],"names":[],"mappings":";;;AAAA,qDAAkD;AAClD,gFAA6E;AAC7E,iDAA8C;AAM9C,MAAa,IAAI;IAOb,mEAAmE;IAEnE;;OAEG;IACI,MAAM,CAAC,MAAM,CAAC,OAAe,EAAE,QAAsB;QACxD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,MAAM,CAAC,KAAU,EAAE,MAAW;QACxC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAED,mEAAmE;IAEnE;;;;;OAKG;IACI,MAAM,CAAC,MAAM,CAAC,QAAwB;QACzC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,QAAuB;QACvC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,mEAAmE;IAEnE;;OAEG;IACI,MAAM,CAAC,OAAO,CAAC,IAAS;QAC3B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,mEAAmE;IAEnE;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,GAAG,IAAW;QACvD,sBAAsB;QACtB,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;YAClE,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBACxB,OAAO,2BAAY,CAAC,KAAK,EAAE,CAAC;YAChC,CAAC;YACD,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;gBACzB,OAAO,2BAAY,CAAC,IAAI,EAAE,CAAC;YAC/B,CAAC;YACD,4BAA4B;QAChC,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YAC3D,IAAI,MAAM,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBACzD,IAAI,OAAO,QAAQ,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;oBACxC,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC/E,IAAI,YAAY,KAAK,IAAI;wBAAE,OAAO,2BAAY,CAAC,KAAK,EAAE,CAAC;oBACvD,IAAI,YAAY,KAAK,KAAK;wBAAE,OAAO,2BAAY,CAAC,IAAI,EAAE,CAAC;gBAC3D,CAAC;gBAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBACpE,IAAI,MAAM,EAAE,CAAC;oBACT,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,CAAC;oBACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;oBAC9C,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC;oBACnE,OAAO,QAAQ,CAAC;gBACpB,CAAC;YACL,CAAC;QACL,CAAC;QAED,kCAAkC;QAClC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;YAC9C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,CAAC;YACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YAC9C,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC;YACnE,OAAO,QAAQ,CAAC;QACpB,CAAC;QAED,kBAAkB;QAClB,MAAM,QAAQ,GAAG,2BAAY,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,QAAQ,CAAC;IACpB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,QAAQ,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QACtD,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,GAAG,IAAW;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QACtD,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,+CAAsB,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,8BAA8B,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5G,CAAC;IACL,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAe,EAAE,GAAG,IAAW;QACrD,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAEnE;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,SAAmB,EAAE,GAAG,IAAW;QACvD,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;YAC9B,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;gBACtC,OAAO,IAAI,CAAC;YAChB,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,SAAmB,EAAE,GAAG,IAAW;QACzD,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC;gBACzC,OAAO,KAAK,CAAC;YACjB,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAmB,EAAE,GAAG,IAAW;QACxD,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;YAC9B,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;gBACtC,OAAO,KAAK,CAAC;YACjB,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,mEAAmE;IAE3D,MAAM,CAAC,eAAe,CAAC,MAA8B;QACzD,IAAI,MAAM,YAAY,2BAAY,EAAE,CAAC;YACjC,OAAO,MAAM,CAAC;QAClB,CAAC;QACD,OAAO,MAAM,CAAC,CAAC,CAAC,2BAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,2BAAY,CAAC,IAAI,EAAE,CAAC;IAC/D,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,OAAe,EAAE,MAAe,EAAE,GAAG,IAAW;QACnF,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACnC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC;QACzD,CAAC;IACL,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK;QACf,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,cAAc,GAAG,IAAI,+BAAc,EAAE,CAAC;QAC3C,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC5B,CAAC;;AA3ML,oBA4MC;AA3MkB,cAAS,GAA8B,IAAI,GAAG,EAAE,CAAC;AACjD,mBAAc,GAAmB,IAAI,+BAAc,EAAE,CAAC;AACtD,oBAAe,GAAqB,EAAE,CAAC;AACvC,mBAAc,GAAoB,EAAE,CAAC;AACrC,gBAAW,GAAQ,IAAI,CAAC"}

package/dist/src/Middleware/Authorize.d.ts

@@ -0,0 +1,13 @@
+export declare class Authorize {
+    /**
+     * Handle authorization middleware.
+     *
+     * Usage:
+     *   .middleware('can:edit-post')           → Gate check
+     *   .middleware('can:update,post')         → Policy check using req[resourceKey]
+     *   .middleware('role:admin')              → Role check
+     *   .middleware('permission:edit-posts')   → Permission check
+     */
+    handle(request: any, next: () => Promise<any>, ability: string, resourceKey?: string): Promise<any>;
+}
+//# sourceMappingURL=Authorize.d.ts.map

package/dist/src/Middleware/Authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorize.d.ts","sourceRoot":"","sources":["../../../src/Middleware/Authorize.ts"],"names":[],"mappings":"AAIA,qBAAa,SAAS;IAClB;;;;;;;;OAQG;IACU,MAAM,CACf,OAAO,EAAE,GAAG,EACZ,IAAI,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,EACxB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,GAAG,CAAC;CAsClB"}

package/dist/src/Middleware/Authorize.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Authorize = void 0;
+const Gate_1 = require("../Gate");
+const AuthorizationException_1 = require("../Exceptions/AuthorizationException");
+const RolePermission_1 = require("../RolePermission");
+class Authorize {
+    /**
+     * Handle authorization middleware.
+     *
+     * Usage:
+     *   .middleware('can:edit-post')           → Gate check
+     *   .middleware('can:update,post')         → Policy check using req[resourceKey]
+     *   .middleware('role:admin')              → Role check
+     *   .middleware('permission:edit-posts')   → Permission check
+     */
+    async handle(request, next, ability, resourceKey) {
+        const user = request.user || (request.auth && await request.auth.user());
+        if (!user) {
+            throw new AuthorizationException_1.AuthorizationException('User not authenticated.');
+        }
+        // Role-based check: 'role:admin' or 'role:admin,editor'
+        if (ability.startsWith('role:')) {
+            const roles = ability.substring(5).split(',');
+            if (!RolePermission_1.RolePermissionMixin.hasAnyRole(user, roles)) {
+                throw new AuthorizationException_1.AuthorizationException(`User does not have the required role.`);
+            }
+            return next();
+        }
+        // Permission-based check: 'permission:edit-posts'
+        if (ability.startsWith('permission:')) {
+            const permissions = ability.substring(11).split(',');
+            if (!RolePermission_1.RolePermissionMixin.hasAnyPermission(user, permissions)) {
+                throw new AuthorizationException_1.AuthorizationException(`User does not have the required permission.`);
+            }
+            return next();
+        }
+        // Standard gate/policy check
+        Gate_1.Gate.forUser(user);
+        const resource = resourceKey ? request[resourceKey] : null;
+        if (resource) {
+            await Gate_1.Gate.authorize(ability, resource);
+        }
+        else {
+            await Gate_1.Gate.authorize(ability);
+        }
+        return next();
+    }
+}
+exports.Authorize = Authorize;
+//# sourceMappingURL=Authorize.js.map

package/dist/src/Middleware/Authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorize.js","sourceRoot":"","sources":["../../../src/Middleware/Authorize.ts"],"names":[],"mappings":";;;AAAA,kCAA+B;AAC/B,iFAA8E;AAC9E,sDAAwD;AAExD,MAAa,SAAS;IAClB;;;;;;;;OAQG;IACI,KAAK,CAAC,MAAM,CACf,OAAY,EACZ,IAAwB,EACxB,OAAe,EACf,WAAoB;QAEpB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAEzE,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,MAAM,IAAI,+CAAsB,CAAC,yBAAyB,CAAC,CAAC;QAChE,CAAC;QAED,wDAAwD;QACxD,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9C,IAAI,CAAC,oCAAmB,CAAC,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;gBAC/C,MAAM,IAAI,+CAAsB,CAAC,uCAAuC,CAAC,CAAC;YAC9E,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAClB,CAAC;QAED,kDAAkD;QAClD,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACpC,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrD,IAAI,CAAC,oCAAmB,CAAC,gBAAgB,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;gBAC3D,MAAM,IAAI,+CAAsB,CAAC,6CAA6C,CAAC,CAAC;YACpF,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAClB,CAAC;QAED,6BAA6B;QAC7B,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEnB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAE3D,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,WAAI,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACJ,MAAM,WAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAClB,CAAC;CACJ;AArDD,8BAqDC"}

package/dist/src/PolicyResolver.d.ts

@@ -0,0 +1,21 @@
+export declare class PolicyResolver {
+    private policies;
+    private instances;
+    /**
+     * Register a policy for a given model/class.
+     */
+    register(model: any, policy: any): void;
+    /**
+     * Resolve the policy class/constructor for a given resource.
+     */
+    resolvePolicy(resource: any): any | null;
+    /**
+     * Get or create a cached instance for a policy class.
+     */
+    getInstance(policy: any): any;
+    /**
+     * Get bound policy method for ability.
+     */
+    getPolicyMethod(policy: any, ability: string): Function | null;
+}
+//# sourceMappingURL=PolicyResolver.d.ts.map

package/dist/src/PolicyResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PolicyResolver.d.ts","sourceRoot":"","sources":["../../src/PolicyResolver.ts"],"names":[],"mappings":"AAEA,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAA4B;IAC5C,OAAO,CAAC,SAAS,CAA4B;IAE7C;;OAEG;IACI,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,GAAG,IAAI;IAI9C;;OAEG;IACI,aAAa,CAAC,QAAQ,EAAE,GAAG,GAAG,GAAG,GAAG,IAAI;IA4B/C;;OAEG;IACI,WAAW,CAAC,MAAM,EAAE,GAAG,GAAG,GAAG;IASpC;;OAEG;IACI,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI;CAWxE"}

package/dist/src/PolicyResolver.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyResolver = void 0;
+class PolicyResolver {
+    constructor() {
+        this.policies = new Map();
+        this.instances = new Map();
+    }
+    /**
+     * Register a policy for a given model/class.
+     */
+    register(model, policy) {
+        this.policies.set(model, policy);
+    }
+    /**
+     * Resolve the policy class/constructor for a given resource.
+     */
+    resolvePolicy(resource) {
+        if (!resource)
+            return null;
+        // Check by constructor
+        const constructor = resource.constructor;
+        if (constructor && this.policies.has(constructor)) {
+            return this.policies.get(constructor);
+        }
+        // Direct lookup
+        if (this.policies.has(resource)) {
+            return this.policies.get(resource);
+        }
+        // Auto-discovery by naming convention
+        if (constructor && constructor.name) {
+            const policyName = `${constructor.name}Policy`;
+            for (const [, policy] of this.policies) {
+                const pName = typeof policy === 'function' ? policy.name : policy.constructor?.name;
+                if (pName === policyName) {
+                    return policy;
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * Get or create a cached instance for a policy class.
+     */
+    getInstance(policy) {
+        if (typeof policy !== 'function')
+            return policy;
+        if (!this.instances.has(policy)) {
+            this.instances.set(policy, new policy());
+        }
+        return this.instances.get(policy);
+    }
+    /**
+     * Get bound policy method for ability.
+     */
+    getPolicyMethod(policy, ability) {
+        if (!policy)
+            return null;
+        const instance = this.getInstance(policy);
+        if (typeof instance[ability] === 'function') {
+            return instance[ability].bind(instance);
+        }
+        return null;
+    }
+}
+exports.PolicyResolver = PolicyResolver;
+//# sourceMappingURL=PolicyResolver.js.map

package/dist/src/PolicyResolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PolicyResolver.js","sourceRoot":"","sources":["../../src/PolicyResolver.ts"],"names":[],"mappings":";;;AAEA,MAAa,cAAc;IAA3B;QACY,aAAQ,GAAkB,IAAI,GAAG,EAAE,CAAC;QACpC,cAAS,GAAkB,IAAI,GAAG,EAAE,CAAC;IAkEjD,CAAC;IAhEG;;OAEG;IACI,QAAQ,CAAC,KAAU,EAAE,MAAW;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACI,aAAa,CAAC,QAAa;QAC9B,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,uBAAuB;QACvB,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;QACzC,IAAI,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1C,CAAC;QAED,gBAAgB;QAChB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,sCAAsC;QACtC,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,GAAG,WAAW,CAAC,IAAI,QAAQ,CAAC;YAC/C,KAAK,MAAM,CAAC,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACrC,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC;gBACpF,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;oBACvB,OAAO,MAAM,CAAC;gBAClB,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,WAAW,CAAC,MAAW;QAC1B,IAAI,OAAO,MAAM,KAAK,UAAU;YAAE,OAAO,MAAM,CAAC;QAEhD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACI,eAAe,CAAC,MAAW,EAAE,OAAe;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAE1C,IAAI,OAAO,QAAQ,CAAC,OAAO,CAAC,KAAK,UAAU,EAAE,CAAC;YAC1C,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;CACJ;AApED,wCAoEC"}

package/dist/src/RolePermission.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Contracts for entities that have roles and permissions.
+ */
+export interface HasRoles {
+    roles?: string[] | {
+        name: string;
+    }[];
+    hasRole(role: string | string[]): boolean;
+    hasAnyRole(roles: string[]): boolean;
+    hasAllRoles(roles: string[]): boolean;
+}
+export interface HasPermissions {
+    permissions?: string[] | {
+        name: string;
+    }[];
+    hasPermission(permission: string): boolean;
+    hasAnyPermission(permissions: string[]): boolean;
+    hasAllPermissions(permissions: string[]): boolean;
+}
+/**
+ * Mixin helper to add Role & Permission checking to any user object.
+ * Works with both string arrays and object arrays ({name: string}).
+ */
+export declare class RolePermissionMixin {
+    /**
+     * Normalize roles/permissions to string arrays.
+     */
+    private static normalize;
+    static hasRole(user: any, role: string | string[]): boolean;
+    static hasAnyRole(user: any, roles: string[]): boolean;
+    static hasAllRoles(user: any, roles: string[]): boolean;
+    static hasPermission(user: any, permission: string): boolean;
+    static hasAnyPermission(user: any, permissions: string[]): boolean;
+    static hasAllPermissions(user: any, permissions: string[]): boolean;
+}
+//# sourceMappingURL=RolePermission.d.ts.map

package/dist/src/RolePermission.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RolePermission.d.ts","sourceRoot":"","sources":["../../src/RolePermission.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,QAAQ;IACrB,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACtC,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC;IAC1C,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IACrC,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;CACzC;AAED,MAAM,WAAW,cAAc;IAC3B,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC5C,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;IAC3C,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IACjD,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;CACrD;AAED;;;GAGG;AACH,qBAAa,mBAAmB;IAE5B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,SAAS;WAKV,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO;WAQpD,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;WAK/C,WAAW,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO;WAKhD,aAAa,CAAC,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;WAiBrD,gBAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;WAI3D,iBAAiB,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO;CAG7E"}

package/dist/src/RolePermission.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Contracts for entities that have roles and permissions.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RolePermissionMixin = void 0;
+/**
+ * Mixin helper to add Role & Permission checking to any user object.
+ * Works with both string arrays and object arrays ({name: string}).
+ */
+class RolePermissionMixin {
+    /**
+     * Normalize roles/permissions to string arrays.
+     */
+    static normalize(items) {
+        if (!items)
+            return [];
+        return items.map((item) => typeof item === 'string' ? item : item.name);
+    }
+    static hasRole(user, role) {
+        const userRoles = this.normalize(user.roles);
+        if (Array.isArray(role)) {
+            return role.every(r => userRoles.includes(r));
+        }
+        return userRoles.includes(role);
+    }
+    static hasAnyRole(user, roles) {
+        const userRoles = this.normalize(user.roles);
+        return roles.some(r => userRoles.includes(r));
+    }
+    static hasAllRoles(user, roles) {
+        const userRoles = this.normalize(user.roles);
+        return roles.every(r => userRoles.includes(r));
+    }
+    static hasPermission(user, permission) {
+        // Check direct permissions
+        const userPerms = this.normalize(user.permissions);
+        if (userPerms.includes(permission))
+            return true;
+        // Check role-based permissions via a role→permissions map if user has rolePermissions
+        if (user.rolePermissions && typeof user.rolePermissions === 'object') {
+            const userRoles = this.normalize(user.roles);
+            for (const role of userRoles) {
+                const rolePerms = user.rolePermissions[role] || [];
+                if (rolePerms.includes(permission))
+                    return true;
+            }
+        }
+        return false;
+    }
+    static hasAnyPermission(user, permissions) {
+        return permissions.some(p => this.hasPermission(user, p));
+    }
+    static hasAllPermissions(user, permissions) {
+        return permissions.every(p => this.hasPermission(user, p));
+    }
+}
+exports.RolePermissionMixin = RolePermissionMixin;
+//# sourceMappingURL=RolePermission.js.map

package/dist/src/RolePermission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RolePermission.js","sourceRoot":"","sources":["../../src/RolePermission.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAgBH;;;GAGG;AACH,MAAa,mBAAmB;IAE5B;;OAEG;IACK,MAAM,CAAC,SAAS,CAAC,KAAwB;QAC7C,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAS,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjF,CAAC;IAEM,MAAM,CAAC,OAAO,CAAC,IAAS,EAAE,IAAuB;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAEM,MAAM,CAAC,UAAU,CAAC,IAAS,EAAE,KAAe;QAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IAEM,MAAM,CAAC,WAAW,CAAC,IAAS,EAAE,KAAe;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;IAEM,MAAM,CAAC,aAAa,CAAC,IAAS,EAAE,UAAkB;QACrD,2BAA2B;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhD,sFAAsF;QACtF,IAAI,IAAI,CAAC,eAAe,IAAI,OAAO,IAAI,CAAC,eAAe,KAAK,QAAQ,EAAE,CAAC;YACnE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC7C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAa,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC7D,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAAE,OAAO,IAAI,CAAC;YACpD,CAAC;QACL,CAAC;QAED,OAAO,KAAK,CAAC;IACjB,CAAC;IAEM,MAAM,CAAC,gBAAgB,CAAC,IAAS,EAAE,WAAqB;QAC3D,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9D,CAAC;IAEM,MAAM,CAAC,iBAAiB,CAAC,IAAS,EAAE,WAAqB;QAC5D,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/D,CAAC;CACJ;AApDD,kDAoDC"}

package/dist/src/index.d.ts

@@ -0,0 +1,10 @@
+export * from './Gate';
+export * from './AuthorizationManager';
+export * from './AuthorizationContext';
+export * from './AuthResponse';
+export * from './PolicyResolver';
+export * from './RolePermission';
+export * from './Contracts/Policy';
+export * from './Exceptions/AuthorizationException';
+export * from './Middleware/Authorize';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,wBAAwB,CAAC;AACvC,cAAc,wBAAwB,CAAC;AACvC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,qCAAqC,CAAC;AACpD,cAAc,wBAAwB,CAAC"}

package/dist/src/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./Gate"), exports);
+__exportStar(require("./AuthorizationManager"), exports);
+__exportStar(require("./AuthorizationContext"), exports);
+__exportStar(require("./AuthResponse"), exports);
+__exportStar(require("./PolicyResolver"), exports);
+__exportStar(require("./RolePermission"), exports);
+__exportStar(require("./Contracts/Policy"), exports);
+__exportStar(require("./Exceptions/AuthorizationException"), exports);
+__exportStar(require("./Middleware/Authorize"), exports);
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yCAAuB;AACvB,yDAAuC;AACvC,yDAAuC;AACvC,iDAA+B;AAC/B,mDAAiC;AACjC,mDAAiC;AACjC,qDAAmC;AACnC,sEAAoD;AACpD,yDAAuC"}

package/dist/tests/Authorization.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=Authorization.test.d.ts.map

package/dist/tests/Authorization.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorization.test.d.ts","sourceRoot":"","sources":["../../tests/Authorization.test.ts"],"names":[],"mappings":""}