@arikajs/authorization 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ArikaJs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,232 @@
+## Arika Authorization
+
+`@arikajs/authorization` provides authorization (access control) for the ArikaJS framework.
+
+It answers one critical question: **“Is the authenticated user allowed to perform this action?”**
+
+This package provides a powerful authorization system with Gates and Policies, designed specifically for a modular, TypeScript-first Node.js framework.
+
+---
+
+### Status
+
+- **Stage**: Experimental / v0.x
+- **Scope**:
+  - Gate-based authorization
+  - Policy-based authorization
+  - Authorization middleware
+  - Centralized permission logic
+- **Design**:
+  - Framework-agnostic (usable outside HTTP layer)
+  - Decoupled from transport layer
+  - Type-safe APIs
+
+---
+
+## ✨ Purpose
+
+Authorization is not authentication.
+
+- **Authentication** → Who is the user? (Handled by `@arikajs/auth`)
+- **Authorization** → What can the user do? (Handled by `@arikajs/authorization`)
+
+This package works on top of `@arikajs/auth` but remains fully decoupled from it.
+
+---
+
+## 🚀 Features
+
+- **Gate-based authorization**: Simple closure-based checks.
+- **Policy-based authorization**: Organize logic per model/resource.
+- **Middleware integration**: Protect routes easily.
+- **Controller & service-level checks**: Call authorization logic from anywhere.
+- **Type-safe APIs**: Built for TypeScript.
+- **Framework-agnostic**: Can be used in CLI, WebSocket, or HTTP contexts.
+
+---
+
+## 📦 Installation
+
+```bash
+npm install @arikajs/authorization
+# or
+yarn add @arikajs/authorization
+# or
+pnpm add @arikajs/authorization
+```
+
+---
+
+## 🧠 Core Concepts
+
+### 1️⃣ Gates
+
+Gates are simple ability checks defined globally.
+
+```ts
+import { Gate } from '@arikajs/authorization';
+
+Gate.define('edit-post', (user, post) => {
+  return user.id === post.userId;
+});
+```
+
+**Usage:**
+
+```ts
+if (Gate.allows('edit-post', post)) {
+  // ...
+}
+
+if (Gate.denies('edit-post', post)) {
+  // ...
+}
+```
+
+### 2️⃣ Policies
+
+Policies organize authorization logic around a specific model or resource.
+
+```ts
+class PostPolicy {
+  view(user, post) {
+    return true;
+  }
+
+  update(user, post) {
+    return user.id === post.userId;
+  }
+}
+```
+
+**Register Policy:**
+
+```ts
+Gate.policy(Post, PostPolicy);
+```
+
+**Usage:**
+
+```ts
+// Automatically resolves to PostPolicy.update
+Gate.allows('update', post); 
+```
+
+### 3️⃣ Authorization Manager
+
+The central engine that evaluates permissions.
+
+```ts
+const authz = new AuthorizationManager(user);
+
+authz.can('edit-post', post);
+authz.cannot('delete-post', post);
+```
+
+---
+
+## 🧩 Middleware Support
+
+Protect routes using authorization middleware:
+
+```ts
+Route.get('/posts/:id/edit', controller)
+  .middleware('can:edit-post');
+```
+
+WITH arguments (e.g. Policies):
+
+```ts
+.middleware('can:update,post');
+```
+
+Middleware automatically:
+1.  Resolves the authenticated user.
+2.  Executes the authorization check.
+3.  Throws `403 Forbidden` on failure.
+
+---
+
+## 🧑💻 Controller Usage
+
+```ts
+class PostController {
+  update(request) {
+    Gate.authorize('update', request.post);
+
+    // Authorized logic proceeds here...
+  }
+}
+```
+
+If unauthorized, it throws an `AuthorizationException`, which is automatically handled by the HTTP layer.
+
+---
+
+## 🏗 Architecture
+
+```
+authorization/
+├── src/
+│   ├── Gate.ts                  ← Define & evaluate abilities
+│   ├── AuthorizationManager.ts  ← Core authorization engine
+│   ├── PolicyResolver.ts        ← Maps models to policies
+│   ├── Middleware/
+│   │   └── Authorize.ts         ← Route-level protection
+│   ├── Exceptions/
+│   │   └── AuthorizationException.ts
+│   ├── Contracts/
+│   │   └── Policy.ts
+│   └── index.ts
+├── package.json
+├── tsconfig.json
+├── README.md
+└── LICENSE
+```
+
+---
+
+## 🔌 Integration with ArikaJS
+
+| Package | Responsibility |
+| :--- | :--- |
+| `@arikajs/auth` | User authentication |
+| `@arikajs/authorization` | Access control |
+| `@arikajs/router` | Route matching |
+| `@arikajs/http` | Request & response handling |
+
+---
+
+## 🧪 Error Handling
+
+Unauthorized access throws:
+- `AuthorizationException` (403)
+
+Handled automatically by:
+- HTTP kernel
+- Middleware pipeline
+
+---
+
+## 📌 Design Philosophy
+
+- **Explicit over implicit**: Authorization rules should be clear.
+- **Centralized rules**: Keep logic in Gates or Policies, not controllers.
+- **Readable permission names**: Use descriptive names like `edit-post`.
+- **Decoupled from transport layer**: Logic works for HTTP, CLI, etc.
+
+> “Authentication identifies the user. Authorization empowers or restricts them.”
+
+---
+
+## 🔄 Versioning & Stability
+
+- Current version: **v0.x** (Experimental)
+- API may change until **v1.0**
+- Will follow semantic versioning after stabilization
+
+---
+
+## 📜 License
+
+`@arikajs/authorization` is open-sourced software licensed under the **MIT License**.

package/dist/AuthorizationManager.d.ts

@@ -0,0 +1,17 @@
+export declare class AuthorizationManager {
+    private user;
+    constructor(user: any);
+    /**
+     * Determine if the user can perform the given ability.
+     */
+    can(ability: string, ...args: any[]): Promise<boolean>;
+    /**
+     * Determine if the user cannot perform the given ability.
+     */
+    cannot(ability: string, ...args: any[]): Promise<boolean>;
+    /**
+     * Authorize or throw exception.
+     */
+    authorize(ability: string, ...args: any[]): Promise<void>;
+}
+//# sourceMappingURL=AuthorizationManager.d.ts.map

package/dist/AuthorizationManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationManager.d.ts","sourceRoot":"","sources":["../src/AuthorizationManager.ts"],"names":[],"mappings":"AAAA,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,IAAI,CAAM;gBAEN,IAAI,EAAE,GAAG;IAIrB;;OAEG;IACU,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAKnE;;OAEG;IACU,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAItE;;OAEG;IACU,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;CAIzE"}

package/dist/AuthorizationManager.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationManager = void 0;
+class AuthorizationManager {
+    constructor(user) {
+        this.user = user;
+    }
+    /**
+     * Determine if the user can perform the given ability.
+     */
+    async can(ability, ...args) {
+        const { Gate } = require('./Gate');
+        return await Gate.forUser(this.user).allows(ability, ...args);
+    }
+    /**
+     * Determine if the user cannot perform the given ability.
+     */
+    async cannot(ability, ...args) {
+        return !(await this.can(ability, ...args));
+    }
+    /**
+     * Authorize or throw exception.
+     */
+    async authorize(ability, ...args) {
+        const { Gate } = require('./Gate');
+        await Gate.forUser(this.user).authorize(ability, ...args);
+    }
+}
+exports.AuthorizationManager = AuthorizationManager;
+//# sourceMappingURL=AuthorizationManager.js.map

package/dist/AuthorizationManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationManager.js","sourceRoot":"","sources":["../src/AuthorizationManager.ts"],"names":[],"mappings":";;;AAAA,MAAa,oBAAoB;IAG7B,YAAY,IAAS;QACjB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACrB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAG,IAAW;QAC5C,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnC,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,GAAG,IAAW;QAClD,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC9D,CAAC;CACJ;AA7BD,oDA6BC"}

package/dist/Contracts/Policy.d.ts

@@ -0,0 +1,4 @@
+export interface Policy {
+    [method: string]: ((user: any, ...args: any[]) => boolean | Promise<boolean>) | any;
+}
+//# sourceMappingURL=Policy.d.ts.map

package/dist/Contracts/Policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Policy.d.ts","sourceRoot":"","sources":["../../src/Contracts/Policy.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,MAAM;IACnB,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,GAAG,CAAC;CACvF"}

package/dist/Contracts/Policy.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Policy.js.map

package/dist/Contracts/Policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Policy.js","sourceRoot":"","sources":["../../src/Contracts/Policy.ts"],"names":[],"mappings":""}

package/dist/Exceptions/AuthorizationException.d.ts

@@ -0,0 +1,5 @@
+export declare class AuthorizationException extends Error {
+    statusCode: number;
+    constructor(message?: string);
+}
+//# sourceMappingURL=AuthorizationException.d.ts.map

package/dist/Exceptions/AuthorizationException.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationException.d.ts","sourceRoot":"","sources":["../../src/Exceptions/AuthorizationException.ts"],"names":[],"mappings":"AAAA,qBAAa,sBAAuB,SAAQ,KAAK;IACtC,UAAU,EAAE,MAAM,CAAO;gBAEpB,OAAO,GAAE,MAAuC;CAI/D"}

package/dist/Exceptions/AuthorizationException.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationException = void 0;
+class AuthorizationException extends Error {
+    constructor(message = 'This action is unauthorized.') {
+        super(message);
+        this.statusCode = 403;
+        this.name = 'AuthorizationException';
+    }
+}
+exports.AuthorizationException = AuthorizationException;
+//# sourceMappingURL=AuthorizationException.js.map

package/dist/Exceptions/AuthorizationException.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationException.js","sourceRoot":"","sources":["../../src/Exceptions/AuthorizationException.ts"],"names":[],"mappings":";;;AAAA,MAAa,sBAAuB,SAAQ,KAAK;IAG7C,YAAY,UAAkB,8BAA8B;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QAHZ,eAAU,GAAW,GAAG,CAAC;QAI5B,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACzC,CAAC;CACJ;AAPD,wDAOC"}

package/dist/Gate.d.ts

@@ -0,0 +1,40 @@
+type GateCallback = (user: any, ...args: any[]) => boolean | Promise<boolean>;
+export declare class Gate {
+    private static abilities;
+    private static policyResolver;
+    private static currentUser;
+    /**
+     * Define a new ability.
+     */
+    static define(ability: string, callback: GateCallback): void;
+    /**
+     * Register a policy for a model.
+     */
+    static policy(model: any, policy: any): void;
+    /**
+     * Set the current user for authorization checks.
+     */
+    static forUser(user: any): typeof Gate;
+    /**
+     * Determine if the user is authorized to perform an ability.
+     */
+    static allows(ability: string, ...args: any[]): Promise<boolean>;
+    /**
+     * Determine if the user is NOT authorized.
+     */
+    static denies(ability: string, ...args: any[]): Promise<boolean>;
+    /**
+     * Authorize or throw exception.
+     */
+    static authorize(ability: string, ...args: any[]): Promise<void>;
+    /**
+     * Check authorization (alias for allows).
+     */
+    static check(ability: string, ...args: any[]): Promise<boolean>;
+    /**
+     * Reset all gates and policies (useful for testing).
+     */
+    static reset(): void;
+}
+export {};
+//# sourceMappingURL=Gate.d.ts.map

package/dist/Gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Gate.d.ts","sourceRoot":"","sources":["../src/Gate.ts"],"names":[],"mappings":"AAGA,KAAK,YAAY,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE9E,qBAAa,IAAI;IACb,OAAO,CAAC,MAAM,CAAC,SAAS,CAAwC;IAChE,OAAO,CAAC,MAAM,CAAC,cAAc,CAAwC;IACrE,OAAO,CAAC,MAAM,CAAC,WAAW,CAAa;IAEvC;;OAEG;WACW,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,GAAG,IAAI;IAInE;;OAEG;WACW,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,GAAG,IAAI;IAInD;;OAEG;WACW,OAAO,CAAC,IAAI,EAAE,GAAG,GAAG,OAAO,IAAI;IAK7C;;OAEG;WACiB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAwB7E;;OAEG;WACiB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI7E;;OAEG;WACiB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAM7E;;OAEG;WACiB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5E;;OAEG;WACW,KAAK,IAAI,IAAI;CAK9B"}

package/dist/Gate.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Gate = void 0;
+const PolicyResolver_1 = require("./PolicyResolver");
+const AuthorizationException_1 = require("./Exceptions/AuthorizationException");
+class Gate {
+    /**
+     * Define a new ability.
+     */
+    static define(ability, callback) {
+        this.abilities.set(ability, callback);
+    }
+    /**
+     * Register a policy for a model.
+     */
+    static policy(model, policy) {
+        this.policyResolver.register(model, policy);
+    }
+    /**
+     * Set the current user for authorization checks.
+     */
+    static forUser(user) {
+        this.currentUser = user;
+        return this;
+    }
+    /**
+     * Determine if the user is authorized to perform an ability.
+     */
+    static async allows(ability, ...args) {
+        // 1. Check if it's a direct gate definition
+        if (this.abilities.has(ability)) {
+            const callback = this.abilities.get(ability);
+            return await callback(this.currentUser, ...args);
+        }
+        // 2. Check if it's a policy method
+        if (args.length > 0) {
+            const resource = args[0];
+            const policy = this.policyResolver.resolvePolicy(resource);
+            if (policy) {
+                const method = this.policyResolver.getPolicyMethod(policy, ability);
+                if (method) {
+                    return await method(this.currentUser, ...args);
+                }
+            }
+        }
+        // 3. Default deny
+        return false;
+    }
+    /**
+     * Determine if the user is NOT authorized.
+     */
+    static async denies(ability, ...args) {
+        return !(await this.allows(ability, ...args));
+    }
+    /**
+     * Authorize or throw exception.
+     */
+    static async authorize(ability, ...args) {
+        if (!(await this.allows(ability, ...args))) {
+            throw new AuthorizationException_1.AuthorizationException();
+        }
+    }
+    /**
+     * Check authorization (alias for allows).
+     */
+    static async check(ability, ...args) {
+        return await this.allows(ability, ...args);
+    }
+    /**
+     * Reset all gates and policies (useful for testing).
+     */
+    static reset() {
+        this.abilities.clear();
+        this.policyResolver = new PolicyResolver_1.PolicyResolver();
+        this.currentUser = null;
+    }
+}
+exports.Gate = Gate;
+Gate.abilities = new Map();
+Gate.policyResolver = new PolicyResolver_1.PolicyResolver();
+Gate.currentUser = null;
+//# sourceMappingURL=Gate.js.map

package/dist/Gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Gate.js","sourceRoot":"","sources":["../src/Gate.ts"],"names":[],"mappings":";;;AAAA,qDAAkD;AAClD,gFAA6E;AAI7E,MAAa,IAAI;IAKb;;OAEG;IACI,MAAM,CAAC,MAAM,CAAC,OAAe,EAAE,QAAsB;QACxD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,MAAM,CAAC,KAAU,EAAE,MAAW;QACxC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,OAAO,CAAC,IAAS;QAC3B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QACtD,4CAA4C;QAC5C,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;YAC9C,OAAO,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,CAAC;QACrD,CAAC;QAED,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YAE3D,IAAI,MAAM,EAAE,CAAC;gBACT,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBACpE,IAAI,MAAM,EAAE,CAAC;oBACT,OAAO,MAAM,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,CAAC;gBACnD,CAAC;YACL,CAAC;QACL,CAAC;QAED,kBAAkB;QAClB,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAG,IAAW;QACtD,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,GAAG,IAAW;QACzD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,+CAAsB,EAAE,CAAC;QACvC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,OAAe,EAAE,GAAG,IAAW;QACrD,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK;QACf,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,cAAc,GAAG,IAAI,+BAAc,EAAE,CAAC;QAC3C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC5B,CAAC;;AApFL,oBAqFC;AApFkB,cAAS,GAA8B,IAAI,GAAG,EAAE,CAAC;AACjD,mBAAc,GAAmB,IAAI,+BAAc,EAAE,CAAC;AACtD,gBAAW,GAAQ,IAAI,CAAC"}

package/dist/Middleware/Authorize.d.ts

@@ -0,0 +1,12 @@
+export declare class Authorize {
+    /**
+     * Handle authorization middleware.
+     *
+     * @param request - The request object (should have user attached)
+     * @param next - The next middleware function
+     * @param ability - The ability to check (e.g., 'edit-post' or 'update')
+     * @param resourceKey - Optional resource key from request (e.g., 'post')
+     */
+    handle(request: any, next: () => Promise<any>, ability: string, resourceKey?: string): Promise<any>;
+}
+//# sourceMappingURL=Authorize.d.ts.map

package/dist/Middleware/Authorize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorize.d.ts","sourceRoot":"","sources":["../../src/Middleware/Authorize.ts"],"names":[],"mappings":"AAGA,qBAAa,SAAS;IAClB;;;;;;;OAOG;IACU,MAAM,CACf,OAAO,EAAE,GAAG,EACZ,IAAI,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,EACxB,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,GAAG,CAAC;CAoBlB"}

package/dist/Middleware/Authorize.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Authorize = void 0;
+const Gate_1 = require("../Gate");
+const AuthorizationException_1 = require("../Exceptions/AuthorizationException");
+class Authorize {
+    /**
+     * Handle authorization middleware.
+     *
+     * @param request - The request object (should have user attached)
+     * @param next - The next middleware function
+     * @param ability - The ability to check (e.g., 'edit-post' or 'update')
+     * @param resourceKey - Optional resource key from request (e.g., 'post')
+     */
+    async handle(request, next, ability, resourceKey) {
+        const user = request.user;
+        if (!user) {
+            throw new AuthorizationException_1.AuthorizationException('User not authenticated.');
+        }
+        Gate_1.Gate.forUser(user);
+        // If resourceKey is provided, get resource from request
+        const resource = resourceKey ? request[resourceKey] : null;
+        if (resource) {
+            await Gate_1.Gate.authorize(ability, resource);
+        }
+        else {
+            await Gate_1.Gate.authorize(ability);
+        }
+        return next();
+    }
+}
+exports.Authorize = Authorize;
+//# sourceMappingURL=Authorize.js.map

package/dist/Middleware/Authorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorize.js","sourceRoot":"","sources":["../../src/Middleware/Authorize.ts"],"names":[],"mappings":";;;AAAA,kCAA+B;AAC/B,iFAA8E;AAE9E,MAAa,SAAS;IAClB;;;;;;;OAOG;IACI,KAAK,CAAC,MAAM,CACf,OAAY,EACZ,IAAwB,EACxB,OAAe,EACf,WAAoB;QAEpB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAE1B,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,MAAM,IAAI,+CAAsB,CAAC,yBAAyB,CAAC,CAAC;QAChE,CAAC;QAED,WAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEnB,wDAAwD;QACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAE3D,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,WAAI,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACJ,MAAM,WAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAClB,CAAC;CACJ;AAlCD,8BAkCC"}

package/dist/PolicyResolver.d.ts

@@ -0,0 +1,16 @@
+export declare class PolicyResolver {
+    private policies;
+    /**
+     * Register a policy for a given model/class.
+     */
+    register(model: any, policy: any): void;
+    /**
+     * Resolve the policy for a given resource.
+     */
+    resolvePolicy(resource: any): any | null;
+    /**
+     * Get policy method for ability.
+     */
+    getPolicyMethod(policy: any, ability: string): Function | null;
+}
+//# sourceMappingURL=PolicyResolver.d.ts.map

package/dist/PolicyResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PolicyResolver.d.ts","sourceRoot":"","sources":["../src/PolicyResolver.ts"],"names":[],"mappings":"AAEA,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAA4B;IAE5C;;OAEG;IACI,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,GAAG,IAAI;IAI9C;;OAEG;IACI,aAAa,CAAC,QAAQ,EAAE,GAAG,GAAG,GAAG,GAAG,IAAI;IAiB/C;;OAEG;IACI,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI;CAWxE"}

package/dist/PolicyResolver.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyResolver = void 0;
+class PolicyResolver {
+    constructor() {
+        this.policies = new Map();
+    }
+    /**
+     * Register a policy for a given model/class.
+     */
+    register(model, policy) {
+        this.policies.set(model, policy);
+    }
+    /**
+     * Resolve the policy for a given resource.
+     */
+    resolvePolicy(resource) {
+        if (!resource)
+            return null;
+        // Check if resource has a constructor
+        const constructor = resource.constructor;
+        if (constructor && this.policies.has(constructor)) {
+            return this.policies.get(constructor);
+        }
+        // Direct lookup
+        if (this.policies.has(resource)) {
+            return this.policies.get(resource);
+        }
+        return null;
+    }
+    /**
+     * Get policy method for ability.
+     */
+    getPolicyMethod(policy, ability) {
+        if (!policy)
+            return null;
+        const instance = typeof policy === 'function' ? new policy() : policy;
+        if (typeof instance[ability] === 'function') {
+            return instance[ability].bind(instance);
+        }
+        return null;
+    }
+}
+exports.PolicyResolver = PolicyResolver;
+//# sourceMappingURL=PolicyResolver.js.map

package/dist/PolicyResolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PolicyResolver.js","sourceRoot":"","sources":["../src/PolicyResolver.ts"],"names":[],"mappings":";;;AAEA,MAAa,cAAc;IAA3B;QACY,aAAQ,GAAkB,IAAI,GAAG,EAAE,CAAC;IA2ChD,CAAC;IAzCG;;OAEG;IACI,QAAQ,CAAC,KAAU,EAAE,MAAW;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACI,aAAa,CAAC,QAAa;QAC9B,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,sCAAsC;QACtC,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;QACzC,IAAI,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1C,CAAC;QAED,gBAAgB;QAChB,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,eAAe,CAAC,MAAW,EAAE,OAAe;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,QAAQ,GAAG,OAAO,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAEtE,IAAI,OAAO,QAAQ,CAAC,OAAO,CAAC,KAAK,UAAU,EAAE,CAAC;YAC1C,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;CACJ;AA5CD,wCA4CC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './Gate';
+export * from './AuthorizationManager';
+export * from './PolicyResolver';
+export * from './Contracts/Policy';
+export * from './Exceptions/AuthorizationException';
+export * from './Middleware/Authorize';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,wBAAwB,CAAC;AACvC,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,qCAAqC,CAAC;AACpD,cAAc,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./Gate"), exports);
+__exportStar(require("./AuthorizationManager"), exports);
+__exportStar(require("./PolicyResolver"), exports);
+__exportStar(require("./Contracts/Policy"), exports);
+__exportStar(require("./Exceptions/AuthorizationException"), exports);
+__exportStar(require("./Middleware/Authorize"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yCAAuB;AACvB,yDAAuC;AACvC,mDAAiC;AACjC,qDAAmC;AACnC,sEAAoD;AACpD,yDAAuC"}

package/package.json

@@ -0,0 +1,44 @@
+{
+    "name": "@arikajs/authorization",
+    "version": "0.1.0",
+    "description": "Authorization (access control) for the ArikaJS framework.",
+    "license": "MIT",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "scripts": {
+        "build": "tsc -p tsconfig.json",
+        "build:tests": "tsc -p tsconfig.test.json",
+        "clean": "rm -rf dist",
+        "prepare": "echo skip",
+        "test": "npm run build && npm run build:tests && node scripts/fix-test-imports.js && node --test 'dist/tests/**/*.test.js'",
+        "test:watch": "npm run build && npm run build:tests && node --test --watch 'dist/tests/**/*.test.js'"
+    },
+    "files": [
+        "dist"
+    ],
+    "keywords": [
+        "arika",
+        "arika-js",
+        "framework",
+        "authorization",
+        "access-control",
+        "policy",
+        "gate"
+    ],
+    "engines": {
+        "node": ">=20.0.0"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/arikajs/authorization.git"
+    },
+    "bugs": {
+        "url": "https://github.com/arikajs/authorization/issues"
+    },
+    "homepage": "https://github.com/arikajs/authorization#readme",
+    "devDependencies": {
+        "@types/node": "^20.11.24",
+        "typescript": "^5.3.3"
+    },
+    "author": "Prakash Tank"
+}