@atproto/oauth-scopes 0.0.2 → 0.2.0

Files changed (169) hide show
  1. package/CHANGELOG.md +38 -0
  2. package/dist/atproto-oauth-scope.d.ts +17 -0
  3. package/dist/atproto-oauth-scope.d.ts.map +1 -0
  4. package/dist/atproto-oauth-scope.js +67 -0
  5. package/dist/atproto-oauth-scope.js.map +1 -0
  6. package/dist/index.d.ts +9 -13
  7. package/dist/index.d.ts.map +1 -1
  8. package/dist/index.js +9 -13
  9. package/dist/index.js.map +1 -1
  10. package/dist/lib/lexicon.d.ts +2 -0
  11. package/dist/lib/lexicon.d.ts.map +1 -0
  12. package/dist/lib/lexicon.js +3 -0
  13. package/dist/lib/lexicon.js.map +1 -0
  14. package/dist/lib/mime.d.ts +1 -1
  15. package/dist/lib/mime.d.ts.map +1 -1
  16. package/dist/lib/mime.js +2 -0
  17. package/dist/lib/mime.js.map +1 -1
  18. package/dist/lib/nsid.d.ts +2 -2
  19. package/dist/lib/nsid.d.ts.map +1 -1
  20. package/dist/lib/nsid.js +4 -6
  21. package/dist/lib/nsid.js.map +1 -1
  22. package/dist/lib/parser.d.ts +29 -0
  23. package/dist/lib/parser.d.ts.map +1 -0
  24. package/dist/lib/parser.js +152 -0
  25. package/dist/lib/parser.js.map +1 -0
  26. package/dist/lib/resource-permission.d.ts +10 -0
  27. package/dist/lib/resource-permission.d.ts.map +1 -0
  28. package/dist/lib/resource-permission.js +3 -0
  29. package/dist/lib/resource-permission.js.map +1 -0
  30. package/dist/lib/syntax-lexicon.d.ts +26 -0
  31. package/dist/lib/syntax-lexicon.d.ts.map +1 -0
  32. package/dist/lib/syntax-lexicon.js +58 -0
  33. package/dist/lib/syntax-lexicon.js.map +1 -0
  34. package/dist/lib/syntax-string.d.ts +16 -0
  35. package/dist/lib/syntax-string.d.ts.map +1 -0
  36. package/dist/lib/syntax-string.js +121 -0
  37. package/dist/lib/syntax-string.js.map +1 -0
  38. package/dist/lib/syntax.d.ts +23 -0
  39. package/dist/lib/syntax.d.ts.map +1 -0
  40. package/dist/lib/syntax.js +22 -0
  41. package/dist/lib/syntax.js.map +1 -0
  42. package/dist/lib/util.d.ts +5 -1
  43. package/dist/lib/util.d.ts.map +1 -1
  44. package/dist/lib/util.js +8 -12
  45. package/dist/lib/util.js.map +1 -1
  46. package/dist/scope-permissions-transition.d.ts +15 -0
  47. package/dist/scope-permissions-transition.d.ts.map +1 -0
  48. package/dist/{permission-set-transition.js → scope-permissions-transition.js} +5 -5
  49. package/dist/scope-permissions-transition.js.map +1 -0
  50. package/dist/scope-permissions.d.ts +22 -0
  51. package/dist/scope-permissions.d.ts.map +1 -0
  52. package/dist/{permission-set.js → scope-permissions.js} +20 -16
  53. package/dist/scope-permissions.js.map +1 -0
  54. package/dist/scopes/account-permission.d.ts +35 -0
  55. package/dist/scopes/account-permission.d.ts.map +1 -0
  56. package/dist/scopes/account-permission.js +71 -0
  57. package/dist/scopes/account-permission.js.map +1 -0
  58. package/dist/scopes/blob-permission.d.ts +27 -0
  59. package/dist/scopes/blob-permission.d.ts.map +1 -0
  60. package/dist/scopes/blob-permission.js +86 -0
  61. package/dist/scopes/blob-permission.js.map +1 -0
  62. package/dist/scopes/identity-permission.d.ts +25 -0
  63. package/dist/scopes/identity-permission.d.ts.map +1 -0
  64. package/dist/scopes/identity-permission.js +53 -0
  65. package/dist/scopes/identity-permission.js.map +1 -0
  66. package/dist/scopes/include-scope.d.ts +54 -0
  67. package/dist/scopes/include-scope.d.ts.map +1 -0
  68. package/dist/scopes/include-scope.js +156 -0
  69. package/dist/scopes/include-scope.js.map +1 -0
  70. package/dist/scopes/repo-permission.d.ts +40 -0
  71. package/dist/scopes/repo-permission.d.ts.map +1 -0
  72. package/dist/scopes/repo-permission.js +101 -0
  73. package/dist/scopes/repo-permission.js.map +1 -0
  74. package/dist/scopes/rpc-permission.d.ts +38 -0
  75. package/dist/scopes/rpc-permission.d.ts.map +1 -0
  76. package/dist/scopes/rpc-permission.js +81 -0
  77. package/dist/scopes/rpc-permission.js.map +1 -0
  78. package/dist/scopes-set.d.ts +12 -1
  79. package/dist/scopes-set.d.ts.map +1 -1
  80. package/dist/scopes-set.js +49 -3
  81. package/dist/scopes-set.js.map +1 -1
  82. package/package.json +7 -3
  83. package/src/atproto-oauth-scope.ts +79 -0
  84. package/src/index.ts +10 -14
  85. package/src/lib/lexicon.ts +1 -0
  86. package/src/lib/mime.ts +2 -1
  87. package/src/lib/nsid.ts +5 -6
  88. package/src/lib/parser.ts +176 -0
  89. package/src/lib/resource-permission.ts +10 -0
  90. package/src/lib/syntax-lexicon.ts +55 -0
  91. package/src/lib/syntax-string.test.ts +130 -0
  92. package/src/lib/syntax-string.ts +132 -0
  93. package/src/lib/syntax.test.ts +43 -0
  94. package/src/lib/syntax.ts +47 -0
  95. package/src/lib/util.ts +11 -12
  96. package/src/{permission-set-transition.test.ts → scope-permissions-transition.test.ts} +33 -20
  97. package/src/{permission-set-transition.ts → scope-permissions-transition.ts} +11 -11
  98. package/src/{permission-set.test.ts → scope-permissions.test.ts} +77 -35
  99. package/src/scope-permissions.ts +91 -0
  100. package/src/{resources/account-scope.test.ts → scopes/account-permission.test.ts} +45 -33
  101. package/src/scopes/account-permission.ts +75 -0
  102. package/src/{resources/blob-scope.test.ts → scopes/blob-permission.test.ts} +31 -23
  103. package/src/scopes/blob-permission.ts +105 -0
  104. package/src/{resources/identity-scope.test.ts → scopes/identity-permission.test.ts} +13 -13
  105. package/src/scopes/identity-permission.ts +54 -0
  106. package/src/scopes/include-scope.test.ts +626 -0
  107. package/src/scopes/include-scope.ts +168 -0
  108. package/src/{resources/repo-scope.test.ts → scopes/repo-permission.test.ts} +77 -65
  109. package/src/scopes/repo-permission.ts +111 -0
  110. package/src/scopes/rpc-permission.test.ts +323 -0
  111. package/src/scopes/rpc-permission.ts +85 -0
  112. package/src/scopes-set.test.ts +5 -5
  113. package/src/scopes-set.ts +79 -5
  114. package/tsconfig.build.tsbuildinfo +1 -1
  115. package/tsconfig.tests.tsbuildinfo +1 -1
  116. package/dist/lib/did.d.ts +0 -3
  117. package/dist/lib/did.d.ts.map +0 -1
  118. package/dist/lib/did.js +0 -6
  119. package/dist/lib/did.js.map +0 -1
  120. package/dist/parser.d.ts +0 -31
  121. package/dist/parser.d.ts.map +0 -1
  122. package/dist/parser.js +0 -118
  123. package/dist/parser.js.map +0 -1
  124. package/dist/permission-set-transition.d.ts +0 -15
  125. package/dist/permission-set-transition.d.ts.map +0 -1
  126. package/dist/permission-set-transition.js.map +0 -1
  127. package/dist/permission-set.d.ts +0 -22
  128. package/dist/permission-set.d.ts.map +0 -1
  129. package/dist/permission-set.js.map +0 -1
  130. package/dist/resources/account-scope.d.ts +0 -35
  131. package/dist/resources/account-scope.d.ts.map +0 -1
  132. package/dist/resources/account-scope.js +0 -60
  133. package/dist/resources/account-scope.js.map +0 -1
  134. package/dist/resources/blob-scope.d.ts +0 -25
  135. package/dist/resources/blob-scope.d.ts.map +0 -1
  136. package/dist/resources/blob-scope.js +0 -74
  137. package/dist/resources/blob-scope.js.map +0 -1
  138. package/dist/resources/identity-scope.d.ts +0 -25
  139. package/dist/resources/identity-scope.d.ts.map +0 -1
  140. package/dist/resources/identity-scope.js +0 -46
  141. package/dist/resources/identity-scope.js.map +0 -1
  142. package/dist/resources/repo-scope.d.ts +0 -37
  143. package/dist/resources/repo-scope.d.ts.map +0 -1
  144. package/dist/resources/repo-scope.js +0 -92
  145. package/dist/resources/repo-scope.js.map +0 -1
  146. package/dist/resources/rpc-scope.d.ts +0 -31
  147. package/dist/resources/rpc-scope.d.ts.map +0 -1
  148. package/dist/resources/rpc-scope.js +0 -74
  149. package/dist/resources/rpc-scope.js.map +0 -1
  150. package/dist/syntax.d.ts +0 -76
  151. package/dist/syntax.d.ts.map +0 -1
  152. package/dist/syntax.js +0 -249
  153. package/dist/syntax.js.map +0 -1
  154. package/dist/utilities.d.ts +0 -17
  155. package/dist/utilities.d.ts.map +0 -1
  156. package/dist/utilities.js +0 -108
  157. package/dist/utilities.js.map +0 -1
  158. package/src/lib/did.ts +0 -3
  159. package/src/parser.ts +0 -150
  160. package/src/permission-set.ts +0 -78
  161. package/src/resources/account-scope.ts +0 -66
  162. package/src/resources/blob-scope.ts +0 -86
  163. package/src/resources/identity-scope.ts +0 -49
  164. package/src/resources/repo-scope.ts +0 -101
  165. package/src/resources/rpc-scope.test.ts +0 -280
  166. package/src/resources/rpc-scope.ts +0 -77
  167. package/src/syntax.test.ts +0 -203
  168. package/src/syntax.ts +0 -325
  169. package/src/utilities.ts +0 -109
@@ -0,0 +1,626 @@
1
+ import { ScopeStringFor } from '../lib/syntax'
2
+ import { LexPermissionSyntax } from '../lib/syntax-lexicon'
3
+ import { AccountPermission } from './account-permission'
4
+ import { IdentityPermission } from './identity-permission'
5
+ import { IncludeScope, LexPermissionSet } from './include-scope'
6
+
7
+ describe('IncludeScope', () => {
8
+ describe('static', () => {
9
+ describe('fromString', () => {
10
+ describe('enables', () => {
11
+ it('parsing of positional nsid', () => {
12
+ expect(
13
+ IncludeScope.fromString('include:com.example.bar'),
14
+ ).toMatchObject({
15
+ nsid: 'com.example.bar',
16
+ aud: undefined,
17
+ })
18
+ })
19
+
20
+ it('parsing of positional nsid and aud param', () => {
21
+ expect(
22
+ IncludeScope.fromString(
23
+ 'include:com.example.baz?aud=did:web:example.com%23my_service',
24
+ ),
25
+ ).toMatchObject({
26
+ nsid: 'com.example.baz',
27
+ aud: 'did:web:example.com#my_service',
28
+ })
29
+ })
30
+
31
+ it('parsing of # character in query string', () => {
32
+ expect(
33
+ IncludeScope.fromString(
34
+ 'include:com.example.baz?aud=did:web:example.com#my_service',
35
+ ),
36
+ ).toMatchObject({
37
+ nsid: 'com.example.baz',
38
+ aud: 'did:web:example.com#my_service',
39
+ })
40
+ })
41
+
42
+ it('parsing of named nsid', () => {
43
+ expect(
44
+ IncludeScope.fromString('include?nsid=com.example.baz'),
45
+ ).toMatchObject({
46
+ nsid: 'com.example.baz',
47
+ aud: undefined,
48
+ })
49
+ })
50
+
51
+ it('parsing of named nsid and aud', () => {
52
+ expect(
53
+ IncludeScope.fromString(
54
+ 'include?aud=did:web:example.com%23my_service&nsid=com.example.baz',
55
+ ),
56
+ ).toMatchObject({
57
+ nsid: 'com.example.baz',
58
+ aud: 'did:web:example.com#my_service',
59
+ })
60
+ })
61
+ })
62
+
63
+ describe('rejects', () => {
64
+ for (const invalid of [
65
+ '',
66
+ 'repo:com.example.baz',
67
+ 'include',
68
+ 'include#',
69
+
70
+ // Invalid NSID
71
+ 'include:',
72
+ 'include:#',
73
+ 'include:&',
74
+ 'include:com..example',
75
+ 'include:com',
76
+ 'include:com.example',
77
+ 'include:9com.example.foo',
78
+ 'include:com.example.-bar',
79
+ 'include:invalid^nsid',
80
+ 'include:nsid',
81
+
82
+ // Invalid AUD
83
+ 'include:com.example.baz?aud=',
84
+ 'include:com.example.baz?aud=did:web:example.com',
85
+ 'include:com.example.baz?aud=invalid^did',
86
+ 'include:com.example.baz?aud=invalid^did',
87
+ ]) {
88
+ it(JSON.stringify(invalid), () => {
89
+ expect(IncludeScope.fromString(invalid)).toBeNull()
90
+ })
91
+ }
92
+ })
93
+ })
94
+ })
95
+
96
+ describe('instance', () => {
97
+ describe('toString', () => {
98
+ describe('enables', () => {
99
+ it('formating of scope without aud', () => {
100
+ expect(new IncludeScope('com.example.foo').toString()).toEqual(
101
+ 'include:com.example.foo',
102
+ )
103
+ })
104
+ it('formating of scope with aud', () => {
105
+ expect(
106
+ new IncludeScope(
107
+ 'com.example.foo',
108
+ 'did:web:example.com#my_service',
109
+ ).toString(),
110
+ ).toEqual(
111
+ 'include:com.example.foo?aud=did:web:example.com%23my_service',
112
+ )
113
+ })
114
+ })
115
+ })
116
+
117
+ describe('isParentAuthorityOf', () => {
118
+ const scope = new IncludeScope('com.example.foo.auth')
119
+
120
+ describe('enables', () => {
121
+ it('same authority', () => {
122
+ expect(scope.isParentAuthorityOf('com.example.foo.identifier')).toBe(
123
+ true,
124
+ )
125
+ })
126
+
127
+ it('child authorities', () => {
128
+ expect(scope.isParentAuthorityOf('com.example.foo.bar.baz')).toBe(
129
+ true,
130
+ )
131
+ expect(scope.isParentAuthorityOf('com.example.foo.bar.baz.quz')).toBe(
132
+ true,
133
+ )
134
+ })
135
+ })
136
+
137
+ describe('rejects', () => {
138
+ it('invalid nsids', () => {
139
+ // @ts-expect-error
140
+ expect(scope.isParentAuthorityOf('com')).toBe(false)
141
+ // @ts-expect-error
142
+ expect(scope.isParentAuthorityOf('com.example')).toBe(false)
143
+ })
144
+
145
+ it('siblings of root domain', () => {
146
+ expect(scope.isParentAuthorityOf('com.example.bar')).toBe(false)
147
+ expect(scope.isParentAuthorityOf('com.example.bar.foo')).toBe(false)
148
+ expect(scope.isParentAuthorityOf('com.example.bar.qux')).toBe(false)
149
+ })
150
+
151
+ it('other domains', () => {
152
+ expect(scope.isParentAuthorityOf('com.atproto.foo')).toBe(false)
153
+ expect(scope.isParentAuthorityOf('com.atproto.foo.auth')).toBe(false)
154
+ expect(scope.isParentAuthorityOf('com.atproto.foo.bar')).toBe(false)
155
+ expect(scope.isParentAuthorityOf('com.atproto.foo.bar')).toBe(false)
156
+ })
157
+ })
158
+ })
159
+
160
+ describe('toPermissions', () => {
161
+ /**
162
+ * Utility that transforms an "include:<nsid>" scope and matching
163
+ * (resolved) permission set into the list of permission scopes.
164
+ */
165
+ const compilePermissions = (
166
+ scope: ScopeStringFor<'include'>,
167
+ permissionSet: LexPermissionSet,
168
+ ) =>
169
+ IncludeScope.fromString(scope)?.toPermissions(permissionSet).map(String)
170
+
171
+ describe('blob', () => {
172
+ describe('enables', () => {
173
+ it('valid permissions', () => {
174
+ expect(
175
+ compilePermissions('include:com.example.calendar.auth', {
176
+ type: 'permission-set',
177
+ permissions: [
178
+ {
179
+ type: 'permission',
180
+ resource: 'blob',
181
+ accept: ['image/*'],
182
+ },
183
+ ],
184
+ }),
185
+ ).toEqual(['blob:image/*'])
186
+ })
187
+ })
188
+
189
+ describe('rejects', () => {
190
+ it('invalid permissions', () => {
191
+ expect(
192
+ compilePermissions('include:com.example.calendar.auth', {
193
+ type: 'permission-set',
194
+ permissions: [
195
+ {
196
+ type: 'permission',
197
+ resource: 'blob',
198
+ accept: 'image/*',
199
+ },
200
+ ],
201
+ }),
202
+ ).toEqual([])
203
+
204
+ expect(
205
+ compilePermissions('include:com.example.calendar.auth', {
206
+ type: 'permission-set',
207
+ permissions: [
208
+ {
209
+ type: 'permission',
210
+ resource: 'blob',
211
+ accept: ['image/*'],
212
+ extra: 'property',
213
+ },
214
+ ],
215
+ }),
216
+ ).toEqual([])
217
+ })
218
+ })
219
+ })
220
+
221
+ describe('rpc', () => {
222
+ describe('enables', () => {
223
+ it('valid permissions', () => {
224
+ expect(
225
+ compilePermissions('include:com.example.calendar.auth', {
226
+ type: 'permission-set',
227
+ permissions: [
228
+ {
229
+ type: 'permission',
230
+ resource: 'rpc',
231
+ aud: 'did:web:example.com#foo',
232
+ lxm: ['com.example.calendar.listEvents'],
233
+ },
234
+ ],
235
+ }),
236
+ ).toEqual([
237
+ 'rpc:com.example.calendar.listEvents?aud=did:web:example.com%23foo',
238
+ ])
239
+ })
240
+
241
+ it('valid inherited-aud permissions', () => {
242
+ expect(
243
+ compilePermissions(
244
+ 'include:com.example.calendar.auth?aud=did:web:example.com#foo',
245
+ {
246
+ type: 'permission-set',
247
+ permissions: [
248
+ {
249
+ type: 'permission',
250
+ resource: 'rpc',
251
+ inheritAud: true,
252
+ lxm: ['com.example.calendar.listEvents'],
253
+ },
254
+ {
255
+ type: 'permission',
256
+ resource: 'rpc',
257
+ inheritAud: true,
258
+ lxm: ['com.example.calendar.getEventDetails'],
259
+ },
260
+ ],
261
+ },
262
+ ),
263
+ ).toEqual([
264
+ 'rpc:com.example.calendar.listEvents?aud=did:web:example.com%23foo',
265
+ 'rpc:com.example.calendar.getEventDetails?aud=did:web:example.com%23foo',
266
+ ])
267
+ })
268
+ })
269
+
270
+ describe('rejects', () => {
271
+ it('invalid "lxm" syntax', () => {
272
+ expect(
273
+ compilePermissions('include:com.example.calendar.auth', {
274
+ type: 'permission-set',
275
+ permissions: [
276
+ {
277
+ type: 'permission',
278
+ resource: 'rpc',
279
+ aud: 'did:web:example.com#foo',
280
+ lxm: 'com.example.calendar.listEvents',
281
+ },
282
+ ],
283
+ }),
284
+ ).toEqual([])
285
+ })
286
+
287
+ it('extra properties', () => {
288
+ expect(
289
+ compilePermissions('include:com.example.calendar.auth', {
290
+ type: 'permission-set',
291
+ permissions: [
292
+ {
293
+ type: 'permission',
294
+ resource: 'rpc',
295
+ aud: 'did:web:example.com#foo',
296
+ lxm: ['com.example.calendar.listEvents'],
297
+ extra: 'property',
298
+ },
299
+ ],
300
+ }),
301
+ ).toEqual([])
302
+ })
303
+
304
+ it('missing "lxm"', () => {
305
+ expect(
306
+ compilePermissions('include:com.example.calendar.auth', {
307
+ type: 'permission-set',
308
+ permissions: [
309
+ {
310
+ type: 'permission',
311
+ resource: 'rpc',
312
+ aud: 'did:web:example.com#foo',
313
+ },
314
+ ],
315
+ }),
316
+ ).toEqual([])
317
+ })
318
+
319
+ it('missing "aud"', () => {
320
+ expect(
321
+ compilePermissions('include:com.example.calendar.auth', {
322
+ type: 'permission-set',
323
+ permissions: [
324
+ {
325
+ type: 'permission',
326
+ resource: 'rpc',
327
+ lxm: ['com.example.calendar.listEvents'],
328
+ },
329
+ ],
330
+ }),
331
+ ).toEqual([])
332
+ })
333
+
334
+ it('missing "aud" and "lxm"', () => {
335
+ expect(
336
+ compilePermissions('include:com.example.calendar.auth', {
337
+ type: 'permission-set',
338
+ permissions: [
339
+ {
340
+ type: 'permission',
341
+ resource: 'rpc',
342
+ },
343
+ ],
344
+ }),
345
+ ).toEqual([])
346
+ })
347
+
348
+ it('both "inheritAud" and "aud" specified', () => {
349
+ expect(
350
+ compilePermissions(
351
+ 'include:com.example.calendar.auth?aud=did:web:example.com#bar',
352
+ {
353
+ type: 'permission-set',
354
+ permissions: [
355
+ {
356
+ type: 'permission',
357
+ resource: 'rpc',
358
+ aud: 'did:web:example.com#foo',
359
+ inheritAud: true,
360
+ lxm: ['com.example.calendar.listEvents'],
361
+ },
362
+ ],
363
+ },
364
+ ),
365
+ ).toEqual([])
366
+ })
367
+
368
+ it('invalid authority', () => {
369
+ expect(
370
+ compilePermissions('include:com.example.calendar.auth', {
371
+ type: 'permission-set',
372
+ permissions: [
373
+ {
374
+ type: 'permission',
375
+ resource: 'rpc',
376
+ aud: 'did:web:example.com#foo',
377
+ lxm: ['com.atproto.moderation.createReport'],
378
+ },
379
+ ],
380
+ }),
381
+ ).toEqual([])
382
+ })
383
+
384
+ it('un-specified inherited-aud', () => {
385
+ expect(
386
+ compilePermissions('include:com.example.calendar.auth', {
387
+ type: 'permission-set',
388
+ permissions: [
389
+ {
390
+ type: 'permission',
391
+ resource: 'rpc',
392
+ inheritAud: true,
393
+ lxm: ['com.example.calendar.listEvents'],
394
+ },
395
+ ],
396
+ }),
397
+ ).toEqual([])
398
+ })
399
+
400
+ it('wildcard-aud', () => {
401
+ expect(
402
+ compilePermissions('include:com.example.calendar.auth', {
403
+ type: 'permission-set',
404
+ permissions: [
405
+ {
406
+ type: 'permission',
407
+ resource: 'rpc',
408
+ aud: '*',
409
+ lxm: ['com.example.calendar.listEvents'],
410
+ },
411
+ ],
412
+ }),
413
+ ).toEqual(['rpc:com.example.calendar.listEvents?aud=*'])
414
+ })
415
+
416
+ it('wildcard-aud for invalid authority', () => {
417
+ expect(
418
+ compilePermissions('include:com.example.calendar.auth', {
419
+ type: 'permission-set',
420
+ permissions: [
421
+ {
422
+ type: 'permission',
423
+ resource: 'rpc',
424
+ aud: '*',
425
+ lxm: ['com.atproto.moderation.createReport'],
426
+ },
427
+ ],
428
+ }),
429
+ ).toEqual([])
430
+ })
431
+ })
432
+ })
433
+
434
+ describe('repo', () => {
435
+ describe('enabled', () => {
436
+ it('valid permission', () => {
437
+ expect(
438
+ compilePermissions('include:com.example.calendar.auth', {
439
+ type: 'permission-set',
440
+ permissions: [
441
+ {
442
+ type: 'permission',
443
+ resource: 'repo',
444
+ collection: ['com.example.calendar.event'],
445
+ action: ['create', 'update', 'delete'],
446
+ },
447
+ ],
448
+ }),
449
+ ).toEqual(['repo:com.example.calendar.event'])
450
+ })
451
+
452
+ it('valid permission with partial actions', () => {
453
+ expect(
454
+ compilePermissions('include:com.example.calendar.auth', {
455
+ type: 'permission-set',
456
+ permissions: [
457
+ {
458
+ type: 'permission',
459
+ resource: 'repo',
460
+ collection: ['com.example.calendar.event'],
461
+ action: ['delete', 'update'],
462
+ },
463
+ {
464
+ type: 'permission',
465
+ resource: 'repo',
466
+ collection: [
467
+ 'com.example.calendar.event',
468
+ 'com.example.calendar.rsvp',
469
+ ],
470
+ action: ['delete', 'create'],
471
+ },
472
+ ],
473
+ }),
474
+ ).toEqual([
475
+ 'repo:com.example.calendar.event?action=update&action=delete',
476
+ 'repo?collection=com.example.calendar.event&collection=com.example.calendar.rsvp&action=create&action=delete',
477
+ ])
478
+ })
479
+ })
480
+
481
+ describe('rejects', () => {
482
+ it('invalid "collection" syntax', () => {
483
+ expect(
484
+ compilePermissions('include:com.example.calendar.auth', {
485
+ type: 'permission-set',
486
+ permissions: [
487
+ {
488
+ type: 'permission',
489
+ resource: 'repo',
490
+ collection: 'com.example.calendar.event',
491
+ action: ['create', 'update', 'delete'],
492
+ },
493
+ ],
494
+ }),
495
+ ).toEqual([])
496
+ })
497
+
498
+ it('invalid "action" syntax', () => {
499
+ expect(
500
+ compilePermissions('include:com.example.calendar.auth', {
501
+ type: 'permission-set',
502
+ permissions: [
503
+ {
504
+ type: 'permission',
505
+ resource: 'repo',
506
+ collection: ['com.example.calendar.event'],
507
+ action: 'all',
508
+ },
509
+ ],
510
+ }),
511
+ ).toEqual([])
512
+ })
513
+
514
+ it('invalid "action" values', () => {
515
+ expect(
516
+ compilePermissions('include:com.example.calendar.auth', {
517
+ type: 'permission-set',
518
+ permissions: [
519
+ {
520
+ type: 'permission',
521
+ resource: 'repo',
522
+ collection: ['com.example.calendar.event'],
523
+ action: ['create', 'update', 'manage'],
524
+ },
525
+ ],
526
+ }),
527
+ ).toEqual([])
528
+ })
529
+
530
+ it('invalid authority', () => {
531
+ expect(
532
+ compilePermissions('include:com.example.calendar.auth', {
533
+ type: 'permission-set',
534
+ permissions: [
535
+ {
536
+ type: 'permission',
537
+ resource: 'repo',
538
+ collection: ['app.bsky.feed.post'],
539
+ action: ['create', 'update', 'delete'],
540
+ },
541
+ ],
542
+ }),
543
+ ).toEqual([])
544
+ })
545
+
546
+ it('permissions with one valid and one invalid authority', () => {
547
+ expect(
548
+ compilePermissions('include:com.example.calendar.auth', {
549
+ type: 'permission-set',
550
+ permissions: [
551
+ {
552
+ type: 'permission',
553
+ resource: 'repo',
554
+ collection: [
555
+ 'com.example.calendar.event',
556
+ 'app.bsky.feed.post',
557
+ ],
558
+ action: ['create', 'update', 'delete'],
559
+ },
560
+ ],
561
+ }),
562
+ ).toEqual([])
563
+ })
564
+ })
565
+ })
566
+
567
+ describe('account', () => {
568
+ const permission = {
569
+ type: 'permission',
570
+ resource: 'account',
571
+ attr: 'email',
572
+ action: 'read',
573
+ } as const
574
+
575
+ it('parses valid permission syntax', () => {
576
+ // Just to make sure that the test bellow doesn't give a false negative
577
+ const syntax = new LexPermissionSyntax(permission)
578
+ expect(AccountPermission.fromSyntax(syntax)).toMatchObject({
579
+ constructor: AccountPermission,
580
+ attr: 'email',
581
+ action: 'read',
582
+ })
583
+ })
584
+
585
+ describe('rejects', () => {
586
+ it('account permissions', () => {
587
+ expect(
588
+ compilePermissions('include:com.example.calendar.auth', {
589
+ type: 'permission-set',
590
+ permissions: [permission],
591
+ }),
592
+ ).toEqual([])
593
+ })
594
+ })
595
+ })
596
+
597
+ describe('identity', () => {
598
+ const permission = {
599
+ type: 'permission',
600
+ resource: 'identity',
601
+ attr: 'handle',
602
+ } as const
603
+
604
+ it('parses valid permission syntax', () => {
605
+ // Just to make sure that the test bellow doesn't give a false negative
606
+ const syntax = new LexPermissionSyntax(permission)
607
+ expect(IdentityPermission.fromSyntax(syntax)).toMatchObject({
608
+ constructor: IdentityPermission,
609
+ attr: 'handle',
610
+ })
611
+ })
612
+
613
+ describe('rejects', () => {
614
+ it('identity permissions', () => {
615
+ expect(
616
+ compilePermissions('include:com.example.calendar.auth', {
617
+ type: 'permission-set',
618
+ permissions: [permission],
619
+ }),
620
+ ).toEqual([])
621
+ })
622
+ })
623
+ })
624
+ })
625
+ })
626
+ })
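Review bot: The `isParentAuthorityOf` rejects cases never probe a look-alike authority that shares a string prefix with `com.example.foo`, so a prefix comparison without a segment boundary would pass this suite while accepting names that belong to a different authority. The implementation is not visible in this hunk, so this is a coverage gap rather than a confirmed defect. Adding `expect(scope.isParentAuthorityOf('com.example.foobar.baz')).toBe(false)` to the 'siblings of root domain' test would pin the boundary. The rpc 'wildcard-aud' case sits under `describe('rejects')` yet asserts that `rpc:com.example.calendar.listEvents?aud=*` is emitted; it belongs under 'enables', with a comment such as `// a permission set may grant any audience, but only for lxm under its own authority` so the authorization decision is explicit to an auditor. The `fromString` rejects list also repeats `'include:com.example.baz?aud=invalid^did'` and 'other domains' repeats the `com.atproto.foo.bar` assertion, which yields a duplicate test title and no extra coverage.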