npm - @auth-craft/tenant-access-control-dynamodb - Versions diffs - 0.0.1 - Mend

@auth-craft/tenant-access-control-dynamodb 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,148 @@
+# @auth-craft/tenant-access-control-dynamodb
+> ⚠️ **Experimental / Internal Use**
+>
+> This package is published for convenience only.
+>
+> - No stability guarantee
+> - Breaking changes may happen at any time
+> - No documentation
+> - No support
+>
+> Use at your own risk.
+---
+DynamoDB implementation for `@auth-craft/tenant-access-control`.
+## Installation
+```bash
+npm install @auth-craft/tenant-access-control @auth-craft/tenant-access-control-dynamodb
+```
+## Usage
+```typescript
+import { createTenantAccessSDK } from '@auth-craft/tenant-access-control';
+import { createTenantAccessDynamoDBPlugin } from '@auth-craft/tenant-access-control-dynamodb';
+// Create DynamoDB plugin
+const plugin = createTenantAccessDynamoDBPlugin({
+  tableName: 'your-auth-table',
+});
+// Create SDK with DynamoDB implementation
+const sdk = createTenantAccessSDK(plugin);
+// Use SDK
+const member = await sdk.getMember({ ... });
+```
+## Configuration
+### `createTenantAccessDynamoDBPlugin(config)`
+**Parameters:**
+```typescript
+interface TenantAccessDynamoDBConfig {
+  // DynamoDB table name (required)
+  tableName: string;
+  // Optional: Provide your own DynamoDB client
+  // If not provided, a new client will be created
+  client?: DynamoDBClient;
+}
+```
+### With Custom Client
+```typescript
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+const client = new DynamoDBClient({
+  region: 'ap-southeast-1',
+  credentials: {
+    accessKeyId: '...',
+    secretAccessKey: '...',
+  },
+});
+const plugin = createTenantAccessDynamoDBPlugin({
+  tableName: 'auth-table',
+  client,
+});
+```
+### With Local DynamoDB
+```typescript
+const client = new DynamoDBClient({
+  endpoint: 'http://localhost:8000',
+  region: 'local',
+  credentials: {
+    accessKeyId: 'local',
+    secretAccessKey: 'local',
+  },
+});
+const plugin = createTenantAccessDynamoDBPlugin({
+  tableName: 'auth-table',
+  client,
+});
+```
+## Table Schema
+This package uses the same DynamoDB table schema as `@auth-craft/database-plugin-dynamodb`.
+### TenantMember Item
+| Attribute | Value |
+|-----------|-------|
+| PK | `TNT#{tenantId}` |
+| SK | `AUD#{audience}#USR#{userId}` |
+| userStatus | `invited` \| `active` \| `suspended` \| `removed` |
+| roleIds | JSON stringified array |
+| permMask | number |
+| createdAt | Unix milliseconds |
+| updatedAt | Unix milliseconds |
+### Session Item
+Uses existing session items with:
+- `tenantId` - Tenant identifier
+- `audience` - Target audience
+- GSI_ActiveSessions for querying active sessions
+## Advanced Usage
+### Direct Repository Access
+```typescript
+import {
+  DynamoDBTenantMemberRepository,
+  DynamoDBSessionRepository,
+} from '@auth-craft/tenant-access-control-dynamodb';
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+const client = new DynamoDBClient({});
+const tenantMemberRepo = new DynamoDBTenantMemberRepository(client, 'auth-table');
+const sessionRepo = new DynamoDBSessionRepository(client, 'auth-table');
+// Use repositories directly
+const member = await tenantMemberRepo.get(tenantId, audience, userId);
+```
+## Dependencies
+- `@auth-craft/tenant-access-control` - SDK and interfaces
+- `@auth-craft/database-plugin-dynamodb` - Key patterns and utilities
+- `@aws-sdk/client-dynamodb` - AWS SDK DynamoDB client
+- `@aws-sdk/lib-dynamodb` - AWS SDK DynamoDB Document client
+## License
+MIT

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,272 @@
+'use strict';
+var clientDynamodb = require('@aws-sdk/client-dynamodb');
+var libDynamodb = require('@aws-sdk/lib-dynamodb');
+var tsMicroResult = require('ts-micro-result');
+var tenantAccessControl = require('@auth-craft/tenant-access-control');
+var databasePluginDynamodb = require('@auth-craft/database-plugin-dynamodb');
+// src/index.ts
+var DynamoDBTenantMemberRepository = class {
+  constructor(client, tableName) {
+    this.client = client;
+    this.tableName = tableName;
+    this.docClient = libDynamodb.DynamoDBDocumentClient.from(client, {
+      marshallOptions: { removeUndefinedValues: true }
+    });
+  }
+  docClient;
+  async get(tenantId, audience, userId) {
+    try {
+      const response = await this.docClient.send(
+        new libDynamodb.GetCommand({
+          TableName: this.tableName,
+          Key: {
+            [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          }
+        })
+      );
+      if (!response.Item) {
+        return tsMicroResult.ok(null);
+      }
+      return tsMicroResult.ok(this.mapItemToEntity(response.Item));
+    } catch {
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async create(data) {
+    try {
+      const now = Date.now();
+      await this.docClient.send(
+        new libDynamodb.PutCommand({
+          TableName: this.tableName,
+          Item: {
+            [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_PK(data.tenantId),
+            [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_SK(data.audience, data.userId),
+            userStatus: data.status,
+            roleIds: JSON.stringify(data.roleIds),
+            permMask: data.permMask ?? 0,
+            createdAt: now,
+            updatedAt: now
+          },
+          ConditionExpression: "attribute_not_exists(PK)"
+        })
+      );
+      return tsMicroResult.ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.MEMBER_ALREADY_EXISTS());
+      }
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async updatePermissions(tenantId, audience, userId, updates) {
+    try {
+      const setClauses = ["#updatedAt = :updatedAt"];
+      const names = { "#updatedAt": "updatedAt" };
+      const values = { ":updatedAt": Date.now() };
+      if (updates.roleIds !== void 0) {
+        setClauses.push("#roleIds = :roleIds");
+        names["#roleIds"] = "roleIds";
+        values[":roleIds"] = JSON.stringify(updates.roleIds);
+      }
+      if (updates.permMask !== void 0) {
+        setClauses.push("#permMask = :permMask");
+        names["#permMask"] = "permMask";
+        values[":permMask"] = updates.permMask;
+      }
+      await this.docClient.send(
+        new libDynamodb.UpdateCommand({
+          TableName: this.tableName,
+          Key: {
+            [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          },
+          UpdateExpression: `SET ${setClauses.join(", ")}`,
+          ExpressionAttributeNames: names,
+          ExpressionAttributeValues: values,
+          ConditionExpression: "attribute_exists(PK)"
+        })
+      );
+      return tsMicroResult.ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.MEMBER_NOT_FOUND());
+      }
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async updateStatus(tenantId, audience, userId, status) {
+    try {
+      await this.docClient.send(
+        new libDynamodb.UpdateCommand({
+          TableName: this.tableName,
+          Key: {
+            [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          },
+          UpdateExpression: "SET #status = :status, #updatedAt = :updatedAt",
+          ExpressionAttributeNames: {
+            "#status": "userStatus",
+            "#updatedAt": "updatedAt"
+          },
+          ExpressionAttributeValues: {
+            ":status": status,
+            ":updatedAt": Date.now()
+          },
+          ConditionExpression: "attribute_exists(PK)"
+        })
+      );
+      return tsMicroResult.ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.MEMBER_NOT_FOUND());
+      }
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async remove(tenantId, audience, userId) {
+    try {
+      await this.docClient.send(
+        new libDynamodb.DeleteCommand({
+          TableName: this.tableName,
+          Key: {
+            [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          }
+        })
+      );
+      return tsMicroResult.ok();
+    } catch {
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  mapItemToEntity(item) {
+    const tenantId = databasePluginDynamodb.KeyExtractor.tenantId(item[databasePluginDynamodb.TableAttr.PK]);
+    const skInfo = databasePluginDynamodb.KeyExtractor.tenantMemberSKInfo(item[databasePluginDynamodb.TableAttr.SK]);
+    return {
+      tenantId,
+      audience: skInfo?.audience ?? "",
+      userId: skInfo?.userId ?? "",
+      status: item["userStatus"],
+      roleIds: JSON.parse(item["roleIds"]),
+      permMask: item["permMask"] ?? 0,
+      createdAt: databasePluginDynamodb.millisToDate(item["createdAt"]),
+      updatedAt: databasePluginDynamodb.millisToDate(item["updatedAt"])
+    };
+  }
+};
+var DynamoDBSessionRepository = class {
+  constructor(client, tableName) {
+    this.client = client;
+    this.tableName = tableName;
+    this.docClient = libDynamodb.DynamoDBDocumentClient.from(client);
+  }
+  docClient;
+  async findActiveByUserId(userId, options) {
+    try {
+      const limit = Math.min(options?.limit ?? 50, 100);
+      let exclusiveStartKey;
+      if (options?.cursor) {
+        try {
+          exclusiveStartKey = JSON.parse(
+            Buffer.from(options.cursor, "base64url").toString("utf-8")
+          );
+        } catch {
+          return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.INVALID_CURSOR());
+        }
+      }
+      const response = await this.docClient.send(
+        new libDynamodb.QueryCommand({
+          TableName: this.tableName,
+          IndexName: databasePluginDynamodb.GSIName.ACTIVE_SESSIONS,
+          KeyConditionExpression: `${databasePluginDynamodb.TableAttr.ACTIVE_SESSION_PK} = :activePk`,
+          ExpressionAttributeValues: {
+            ":activePk": databasePluginDynamodb.GSIKeys.ACTIVE_SESSION_PK(userId)
+          },
+          ProjectionExpression: `${databasePluginDynamodb.TableAttr.PK}, ${databasePluginDynamodb.TableAttr.TENANT_ID}, ${databasePluginDynamodb.TableAttr.AUDIENCE}, ${databasePluginDynamodb.TableAttr.USER_ID}`,
+          Limit: limit,
+          ExclusiveStartKey: exclusiveStartKey,
+          ScanIndexForward: false
+        })
+      );
+      const sessions = (response.Items ?? []).map((item) => ({
+        id: databasePluginDynamodb.KeyExtractor.sessionId(item[databasePluginDynamodb.TableAttr.PK]),
+        userId: item[databasePluginDynamodb.TableAttr.USER_ID],
+        tenantId: item[databasePluginDynamodb.TableAttr.TENANT_ID],
+        audience: item[databasePluginDynamodb.TableAttr.AUDIENCE]
+      }));
+      const hasNext = !!response.LastEvaluatedKey;
+      const cursor = hasNext ? Buffer.from(JSON.stringify(response.LastEvaluatedKey)).toString("base64url") : null;
+      const pagination = {
+        type: "cursor",
+        limit,
+        count: sessions.length,
+        hasNext,
+        hasPrev: !!options?.cursor,
+        cursor
+      };
+      return tsMicroResult.ok(sessions, { pagination });
+    } catch {
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async revokeBatch(sessionIds) {
+    if (sessionIds.length === 0) {
+      return tsMicroResult.ok(0);
+    }
+    try {
+      const revokedAt = Date.now();
+      let count = 0;
+      const batchSize = 25;
+      for (let i = 0; i < sessionIds.length; i += batchSize) {
+        const batch = sessionIds.slice(i, i + batchSize);
+        const transactItems = batch.map((sessionId) => ({
+          Update: {
+            TableName: this.tableName,
+            Key: {
+              [databasePluginDynamodb.TableAttr.PK]: databasePluginDynamodb.KeyPattern.SESSION_PK(sessionId),
+              [databasePluginDynamodb.TableAttr.SK]: databasePluginDynamodb.KeyPattern.SESSION_SK()
+            },
+            UpdateExpression: `SET #revokedAt = :revokedAt REMOVE #activePk, #activeSk`,
+            ExpressionAttributeNames: {
+              "#revokedAt": databasePluginDynamodb.TableAttr.REVOKED_AT,
+              "#activePk": databasePluginDynamodb.TableAttr.ACTIVE_SESSION_PK,
+              "#activeSk": databasePluginDynamodb.TableAttr.ACTIVE_SESSION_SK
+            },
+            ExpressionAttributeValues: {
+              ":revokedAt": revokedAt
+            },
+            ConditionExpression: `attribute_exists(${databasePluginDynamodb.TableAttr.PK}) AND attribute_not_exists(#revokedAt)`
+          }
+        }));
+        try {
+          await this.docClient.send(
+            new libDynamodb.TransactWriteCommand({ TransactItems: transactItems })
+          );
+          count += batch.length;
+        } catch {
+        }
+      }
+      return tsMicroResult.ok(count);
+    } catch {
+      return tsMicroResult.err(tenantAccessControl.tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+};
+// src/index.ts
+function createTenantAccessDynamoDBPlugin(config) {
+  const client = config.client ?? new clientDynamodb.DynamoDBClient({});
+  return {
+    tenantMemberRepository: new DynamoDBTenantMemberRepository(client, config.tableName),
+    sessionRepository: new DynamoDBSessionRepository(client, config.tableName)
+  };
+}
+exports.DynamoDBSessionRepository = DynamoDBSessionRepository;
+exports.DynamoDBTenantMemberRepository = DynamoDBTenantMemberRepository;
+exports.createTenantAccessDynamoDBPlugin = createTenantAccessDynamoDBPlugin;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/dynamodb-tenant-member-repo.ts","../src/dynamodb-session-repo.ts","../src/index.ts"],"names":["DynamoDBDocumentClient","GetCommand","TableAttr","KeyPattern","ok","err","tenantAccessErrors","PutCommand","UpdateCommand","DeleteCommand","KeyExtractor","millisToDate","QueryCommand","GSIName","GSIKeys","TransactWriteCommand","DynamoDBClient"],"mappings":";;;;;;;;;AA8BO,IAAM,iCAAN,MAAuE;AAAA,EAG5E,WAAA,CACU,QACA,SAAA,EACR;AAFQ,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAER,IAAA,IAAA,CAAK,SAAA,GAAYA,kCAAA,CAAuB,IAAA,CAAK,MAAA,EAAQ;AAAA,MACnD,eAAA,EAAiB,EAAE,qBAAA,EAAuB,IAAA;AAAK,KAChD,CAAA;AAAA,EACH;AAAA,EATQ,SAAA;AAAA,EAWR,MAAM,GAAA,CACJ,QAAA,EACA,QAAA,EACA,MAAA,EACsC;AACtC,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACpC,IAAIC,sBAAA,CAAW;AAAA,UACb,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAACC,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAACD,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA;AAC9D,SACD;AAAA,OACH;AAEA,MAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,QAAA,OAAOC,iBAAG,IAAI,CAAA;AAAA,MAChB;AAEA,MAAA,OAAOA,gBAAA,CAAG,IAAA,CAAK,eAAA,CAAgB,QAAA,CAAS,IAAI,CAAC,CAAA;AAAA,IAC/C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOC,iBAAA,CAAIC,sCAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,IAAA,EAAqD;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAIC,sBAAA,CAAW;AAAA,UACb,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,IAAA,EAAM;AAAA,YACJ,CAACL,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,gBAAA,CAAiB,KAAK,QAAQ,CAAA;AAAA,YACzD,CAACD,iCAAU,EAAE,GAAGC,kCAAW,gBAAA,CAAiB,IAAA,CAAK,QAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,YACtE,YAAY,IAAA,CAAK,MAAA;AAAA,YACjB,OAAA,EAAS,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO,CAAA;AAAA,YACpC,QAAA,EAAU,KAAK,QAAA,IAAY,CAAA;AAAA,YAC3B,SAAA,EAAW,GAAA;AAAA,YACX,SAAA,EAAW;AAAA,WACb;AAAA,UACA,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAOC,gBAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAOC,iBAAA,CAAIC,sCAAA,CAAmB,qBAAA,EAAuB,CAAA;AAAA,MACvD;AACA,MAAA,OAAOD,iBAAA,CAAIC,sCAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,iBAAA,CACJ,QAAA,EACA,QAAA,EACA,QACA,OAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAuB,CAAC,yBAAyB,CAAA;AACvD,MAAA,MAAM,KAAA,GAAgC,EAAE,YAAA,EAAc,WAAA,EAAY;AAClE,MAAA,MAAM,MAAA,GAAkC,EAAE,YAAA,EAAc,IAAA,CAAK,KAAI,EAAE;AAEnE,MAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,CAAA,EAAW;AACjC,QAAA,UAAA,CAAW,KAAK,qBAAqB,CAAA;AACrC,QAAA,KAAA,CAAM,UAAU,CAAA,GAAI,SAAA;AACpB,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,QAAQ,OAAO,CAAA;AAAA,MACrD;AAEA,MAAA,IAAI,OAAA,CAAQ,aAAa,KAAA,CAAA,EAAW;AAClC,QAAA,UAAA,CAAW,KAAK,uBAAuB,CAAA;AACvC,QAAA,KAAA,CAAM,WAAW,CAAA,GAAI,UAAA;AACrB,QAAA,MAAA,CAAO,WAAW,IAAI,OAAA,CAAQ,QAAA;AAAA,MAChC;AAEA,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAIE,yBAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAACN,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAACD,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA,WAC9D;AAAA,UACA,gBAAA,EAAkB,CAAA,IAAA,EAAO,UAAA,CAAW,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,UAC9C,wBAAA,EAA0B,KAAA;AAAA,UAC1B,yBAAA,EAA2B,MAAA;AAAA,UAC3B,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAOC,gBAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAOC,iBAAA,CAAIC,sCAAA,CAAmB,gBAAA,EAAkB,CAAA;AAAA,MAClD;AACA,MAAA,OAAOD,iBAAA,CAAIC,sCAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CACJ,QAAA,EACA,QAAA,EACA,QACA,MAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAIE,yBAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAACN,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAACD,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA,WAC9D;AAAA,UACA,gBAAA,EAAkB,gDAAA;AAAA,UAClB,wBAAA,EAA0B;AAAA,YACxB,SAAA,EAAW,YAAA;AAAA,YACX,YAAA,EAAc;AAAA,WAChB;AAAA,UACA,yBAAA,EAA2B;AAAA,YACzB,SAAA,EAAW,MAAA;AAAA,YACX,YAAA,EAAc,KAAK,GAAA;AAAI,WACzB;AAAA,UACA,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAOC,gBAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAOC,iBAAA,CAAIC,sCAAA,CAAmB,gBAAA,EAAkB,CAAA;AAAA,MAClD;AACA,MAAA,OAAOD,iBAAA,CAAIC,sCAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CAAO,QAAA,EAAoB,QAAA,EAAkB,MAAA,EAAuC;AACxF,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAIG,yBAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAACP,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAACD,gCAAA,CAAU,EAAE,GAAGC,iCAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA;AAC9D,SACD;AAAA,OACH;AAEA,MAAA,OAAOC,gBAAA,EAAG;AAAA,IACZ,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOC,iBAAA,CAAIC,sCAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEQ,gBAAgB,IAAA,EAA6C;AACnE,IAAA,MAAM,WAAWI,mCAAA,CAAa,QAAA,CAAS,IAAA,CAAKR,gCAAA,CAAU,EAAE,CAAW,CAAA;AACnE,IAAA,MAAM,SAASQ,mCAAA,CAAa,kBAAA,CAAmB,IAAA,CAAKR,gCAAA,CAAU,EAAE,CAAW,CAAA;AAE3E,IAAA,OAAO;AAAA,MACL,QAAA;AAAA,MACA,QAAA,EAAU,QAAQ,QAAA,IAAY,EAAA;AAAA,MAC9B,MAAA,EAAS,QAAQ,MAAA,IAAU,EAAA;AAAA,MAC3B,MAAA,EAAQ,KAAK,YAAY,CAAA;AAAA,MACzB,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAS,CAAW,CAAA;AAAA,MAC7C,QAAA,EAAW,IAAA,CAAK,UAAU,CAAA,IAAgB,CAAA;AAAA,MAC1C,SAAA,EAAWS,mCAAA,CAAa,IAAA,CAAK,WAAW,CAAW,CAAA;AAAA,MACnD,SAAA,EAAWA,mCAAA,CAAa,IAAA,CAAK,WAAW,CAAW;AAAA,KACrD;AAAA,EACF;AACF;ACrLO,IAAM,4BAAN,MAA6D;AAAA,EAGlE,WAAA,CACU,QACA,SAAA,EACR;AAFQ,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAER,IAAA,IAAA,CAAK,SAAA,GAAYX,kCAAAA,CAAuB,IAAA,CAAK,MAAM,CAAA;AAAA,EACrD;AAAA,EAPQ,SAAA;AAAA,EASR,MAAM,kBAAA,CACJ,MAAA,EACA,OAAA,EACuC;AACvC,IAAA,IAAI;AACF,MAAA,MAAM,QAAQ,IAAA,CAAK,GAAA,CAAI,OAAA,EAAS,KAAA,IAAS,IAAI,GAAG,CAAA;AAChD,MAAA,IAAI,iBAAA;AAEJ,MAAA,IAAI,SAAS,MAAA,EAAQ;AACnB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,IAAA,CAAK,KAAA;AAAA,YACvB,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAQ,WAAW,CAAA,CAAE,SAAS,OAAO;AAAA,WAC3D;AAAA,QACF,CAAA,CAAA,MAAQ;AACN,UAAA,OAAOK,iBAAAA,CAAIC,sCAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,QAChD;AAAA,MACF;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACpC,IAAIM,wBAAA,CAAa;AAAA,UACf,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,WAAWC,8BAAA,CAAQ,eAAA;AAAA,UACnB,sBAAA,EAAwB,CAAA,EAAGX,gCAAAA,CAAU,iBAAiB,CAAA,YAAA,CAAA;AAAA,UACtD,yBAAA,EAA2B;AAAA,YACzB,WAAA,EAAaY,8BAAA,CAAQ,iBAAA,CAAkB,MAAM;AAAA,WAC/C;AAAA,UACA,oBAAA,EAAsB,CAAA,EAAGZ,gCAAAA,CAAU,EAAE,CAAA,EAAA,EAAKA,gCAAAA,CAAU,SAAS,CAAA,EAAA,EAAKA,gCAAAA,CAAU,QAAQ,CAAA,EAAA,EAAKA,gCAAAA,CAAU,OAAO,CAAA,CAAA;AAAA,UAC1G,KAAA,EAAO,KAAA;AAAA,UACP,iBAAA,EAAmB,iBAAA;AAAA,UACnB,gBAAA,EAAkB;AAAA,SACnB;AAAA,OACH;AAEA,MAAA,MAAM,YAA2B,QAAA,CAAS,KAAA,IAAS,EAAC,EAAG,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,QACpE,IAAIQ,mCAAAA,CAAa,SAAA,CAAU,IAAA,CAAKR,gCAAAA,CAAU,EAAE,CAAW,CAAA;AAAA,QACvD,MAAA,EAAQ,IAAA,CAAKA,gCAAAA,CAAU,OAAO,CAAA;AAAA,QAC9B,QAAA,EAAU,IAAA,CAAKA,gCAAAA,CAAU,SAAS,CAAA;AAAA,QAClC,QAAA,EAAU,IAAA,CAAKA,gCAAAA,CAAU,QAAQ;AAAA,OACnC,CAAE,CAAA;AAEF,MAAA,MAAM,OAAA,GAAU,CAAC,CAAC,QAAA,CAAS,gBAAA;AAC3B,MAAA,MAAM,MAAA,GAAS,OAAA,GACX,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,gBAAgB,CAAC,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA,GAC3E,IAAA;AAEJ,MAAA,MAAM,UAAA,GAA+B;AAAA,QACnC,IAAA,EAAM,QAAA;AAAA,QACN,KAAA;AAAA,QACA,OAAO,QAAA,CAAS,MAAA;AAAA,QAChB,OAAA;AAAA,QACA,OAAA,EAAS,CAAC,CAAC,OAAA,EAAS,MAAA;AAAA,QACpB;AAAA,OACF;AAEA,MAAA,OAAOE,gBAAAA,CAAG,QAAA,EAAU,EAAE,UAAA,EAAY,CAAA;AAAA,IACpC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOC,iBAAAA,CAAIC,sCAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,YAAY,UAAA,EAAkD;AAClE,IAAA,IAAI,UAAA,CAAW,WAAW,CAAA,EAAG;AAC3B,MAAA,OAAOF,iBAAG,CAAC,CAAA;AAAA,IACb;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,MAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,MAAA,MAAM,SAAA,GAAY,EAAA;AAElB,MAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,UAAA,CAAW,MAAA,EAAQ,KAAK,SAAA,EAAW;AACrD,QAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,IAAI,SAAS,CAAA;AAE/C,QAAA,MAAM,aAAA,GAAgB,KAAA,CAAM,GAAA,CAAI,CAAC,SAAA,MAAe;AAAA,UAC9C,MAAA,EAAQ;AAAA,YACN,WAAW,IAAA,CAAK,SAAA;AAAA,YAChB,GAAA,EAAK;AAAA,cACH,CAACF,gCAAAA,CAAU,EAAE,GAAGC,iCAAAA,CAAW,WAAW,SAAS,CAAA;AAAA,cAC/C,CAACD,gCAAAA,CAAU,EAAE,GAAGC,kCAAW,UAAA;AAAW,aACxC;AAAA,YACA,gBAAA,EAAkB,CAAA,uDAAA,CAAA;AAAA,YAClB,wBAAA,EAA0B;AAAA,cACxB,cAAcD,gCAAAA,CAAU,UAAA;AAAA,cACxB,aAAaA,gCAAAA,CAAU,iBAAA;AAAA,cACvB,aAAaA,gCAAAA,CAAU;AAAA,aACzB;AAAA,YACA,yBAAA,EAA2B;AAAA,cACzB,YAAA,EAAc;AAAA,aAChB;AAAA,YACA,mBAAA,EAAqB,CAAA,iBAAA,EAAoBA,gCAAAA,CAAU,EAAE,CAAA,sCAAA;AAAA;AACvD,SACF,CAAE,CAAA;AAEF,QAAA,IAAI;AACF,UAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,YACnB,IAAIa,gCAAA,CAAqB,EAAE,aAAA,EAAe,eAAe;AAAA,WAC3D;AACA,UAAA,KAAA,IAAS,KAAA,CAAM,MAAA;AAAA,QACjB,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAOX,iBAAG,KAAK,CAAA;AAAA,IACjB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOC,iBAAAA,CAAIC,sCAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AACF;;;ACrHO,SAAS,iCACd,MAAA,EACyB;AACzB,EAAA,MAAM,SAAS,MAAA,CAAO,MAAA,IAAU,IAAIU,6BAAAA,CAAe,EAAE,CAAA;AAErD,EAAA,OAAO;AAAA,IACL,sBAAA,EAAwB,IAAI,8BAAA,CAA+B,MAAA,EAAQ,OAAO,SAAS,CAAA;AAAA,IACnF,iBAAA,EAAmB,IAAI,yBAAA,CAA0B,MAAA,EAAQ,OAAO,SAAS;AAAA,GAC3E;AACF","file":"index.cjs","sourcesContent":["/**\r\n * DynamoDB TenantMember Repository Implementation\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport {\r\n DynamoDBDocumentClient,\r\n GetCommand,\r\n PutCommand,\r\n UpdateCommand,\r\n DeleteCommand,\r\n} from '@aws-sdk/lib-dynamodb';\r\nimport { ok, err, type Result } from 'ts-micro-result';\r\nimport type {\r\n TenantMemberRepository,\r\n TenantMember,\r\n TenantMemberStatus,\r\n CreateTenantMemberData,\r\n UpdateTenantMemberPermissionsData,\r\n TenantId,\r\n UserId,\r\n} from '@auth-craft/tenant-access-control';\r\nimport { tenantAccessErrors } from '@auth-craft/tenant-access-control';\r\nimport {\r\n KeyPattern,\r\n KeyExtractor,\r\n TableAttr,\r\n millisToDate,\r\n} from '@auth-craft/database-plugin-dynamodb';\r\n\r\nexport class DynamoDBTenantMemberRepository implements TenantMemberRepository {\r\n private docClient: DynamoDBDocumentClient;\r\n\r\n constructor(\r\n private client: DynamoDBClient,\r\n private tableName: string\r\n ) {\r\n this.docClient = DynamoDBDocumentClient.from(client, {\r\n marshallOptions: { removeUndefinedValues: true },\r\n });\r\n }\r\n\r\n async get(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId\r\n ): Promise<Result<TenantMember | null>> {\r\n try {\r\n const response = await this.docClient.send(\r\n new GetCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n })\r\n );\r\n\r\n if (!response.Item) {\r\n return ok(null);\r\n }\r\n\r\n return ok(this.mapItemToEntity(response.Item));\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async create(data: CreateTenantMemberData): Promise<Result<void>> {\r\n try {\r\n const now = Date.now();\r\n\r\n await this.docClient.send(\r\n new PutCommand({\r\n TableName: this.tableName,\r\n Item: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(data.tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(data.audience, data.userId),\r\n userStatus: data.status,\r\n roleIds: JSON.stringify(data.roleIds),\r\n permMask: data.permMask ?? 0,\r\n createdAt: now,\r\n updatedAt: now,\r\n },\r\n ConditionExpression: 'attribute_not_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_ALREADY_EXISTS());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async updatePermissions(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId,\r\n updates: UpdateTenantMemberPermissionsData\r\n ): Promise<Result<void>> {\r\n try {\r\n const setClauses: string[] = ['#updatedAt = :updatedAt'];\r\n const names: Record<string, string> = { '#updatedAt': 'updatedAt' };\r\n const values: Record<string, unknown> = { ':updatedAt': Date.now() };\r\n\r\n if (updates.roleIds !== undefined) {\r\n setClauses.push('#roleIds = :roleIds');\r\n names['#roleIds'] = 'roleIds';\r\n values[':roleIds'] = JSON.stringify(updates.roleIds);\r\n }\r\n\r\n if (updates.permMask !== undefined) {\r\n setClauses.push('#permMask = :permMask');\r\n names['#permMask'] = 'permMask';\r\n values[':permMask'] = updates.permMask;\r\n }\r\n\r\n await this.docClient.send(\r\n new UpdateCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n UpdateExpression: `SET ${setClauses.join(', ')}`,\r\n ExpressionAttributeNames: names,\r\n ExpressionAttributeValues: values,\r\n ConditionExpression: 'attribute_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_NOT_FOUND());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async updateStatus(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId,\r\n status: TenantMemberStatus\r\n ): Promise<Result<void>> {\r\n try {\r\n await this.docClient.send(\r\n new UpdateCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n UpdateExpression: 'SET #status = :status, #updatedAt = :updatedAt',\r\n ExpressionAttributeNames: {\r\n '#status': 'userStatus',\r\n '#updatedAt': 'updatedAt',\r\n },\r\n ExpressionAttributeValues: {\r\n ':status': status,\r\n ':updatedAt': Date.now(),\r\n },\r\n ConditionExpression: 'attribute_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_NOT_FOUND());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async remove(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<void>> {\r\n try {\r\n await this.docClient.send(\r\n new DeleteCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n })\r\n );\r\n\r\n return ok();\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n private mapItemToEntity(item: Record<string, unknown>): TenantMember {\r\n const tenantId = KeyExtractor.tenantId(item[TableAttr.PK] as string) as TenantId;\r\n const skInfo = KeyExtractor.tenantMemberSKInfo(item[TableAttr.SK] as string);\r\n\r\n return {\r\n tenantId,\r\n audience: skInfo?.audience ?? '',\r\n userId: (skInfo?.userId ?? '') as UserId,\r\n status: item['userStatus'] as TenantMemberStatus,\r\n roleIds: JSON.parse(item['roleIds'] as string),\r\n permMask: (item['permMask'] as number) ?? 0,\r\n createdAt: millisToDate(item['createdAt'] as number),\r\n updatedAt: millisToDate(item['updatedAt'] as number),\r\n };\r\n }\r\n}\r\n","/**\r\n * DynamoDB Session Repository Implementation (Limited)\r\n *\r\n * Only implements methods needed for tenant access control:\r\n * - findActiveByUserId: Query active sessions\r\n * - revokeBatch: Batch revoke sessions\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport {\r\n DynamoDBDocumentClient,\r\n QueryCommand,\r\n TransactWriteCommand,\r\n} from '@aws-sdk/lib-dynamodb';\r\nimport { ok, err, type Result, type PaginatedResult, type CursorPagination } from 'ts-micro-result';\r\nimport type {\r\n SessionRepository,\r\n SessionInfo,\r\n SessionId,\r\n UserId,\r\n TenantId,\r\n} from '@auth-craft/tenant-access-control';\r\nimport { tenantAccessErrors } from '@auth-craft/tenant-access-control';\r\nimport {\r\n KeyPattern,\r\n KeyExtractor,\r\n TableAttr,\r\n GSIName,\r\n GSIKeys,\r\n} from '@auth-craft/database-plugin-dynamodb';\r\n\r\nexport class DynamoDBSessionRepository implements SessionRepository {\r\n private docClient: DynamoDBDocumentClient;\r\n\r\n constructor(\r\n private client: DynamoDBClient,\r\n private tableName: string\r\n ) {\r\n this.docClient = DynamoDBDocumentClient.from(client);\r\n }\r\n\r\n async findActiveByUserId(\r\n userId: UserId,\r\n options?: { limit?: number; cursor?: string }\r\n ): Promise<PaginatedResult<SessionInfo>> {\r\n try {\r\n const limit = Math.min(options?.limit ?? 50, 100);\r\n let exclusiveStartKey: Record<string, unknown> | undefined;\r\n\r\n if (options?.cursor) {\r\n try {\r\n exclusiveStartKey = JSON.parse(\r\n Buffer.from(options.cursor, 'base64url').toString('utf-8')\r\n );\r\n } catch {\r\n return err(tenantAccessErrors.INVALID_CURSOR()) as PaginatedResult<SessionInfo>;\r\n }\r\n }\r\n\r\n const response = await this.docClient.send(\r\n new QueryCommand({\r\n TableName: this.tableName,\r\n IndexName: GSIName.ACTIVE_SESSIONS,\r\n KeyConditionExpression: `${TableAttr.ACTIVE_SESSION_PK} = :activePk`,\r\n ExpressionAttributeValues: {\r\n ':activePk': GSIKeys.ACTIVE_SESSION_PK(userId),\r\n },\r\n ProjectionExpression: `${TableAttr.PK}, ${TableAttr.TENANT_ID}, ${TableAttr.AUDIENCE}, ${TableAttr.USER_ID}`,\r\n Limit: limit,\r\n ExclusiveStartKey: exclusiveStartKey,\r\n ScanIndexForward: false,\r\n })\r\n );\r\n\r\n const sessions: SessionInfo[] = (response.Items ?? []).map((item) => ({\r\n id: KeyExtractor.sessionId(item[TableAttr.PK] as string) as SessionId,\r\n userId: item[TableAttr.USER_ID] as UserId,\r\n tenantId: item[TableAttr.TENANT_ID] as TenantId | undefined,\r\n audience: item[TableAttr.AUDIENCE] as string,\r\n }));\r\n\r\n const hasNext = !!response.LastEvaluatedKey;\r\n const cursor = hasNext\r\n ? Buffer.from(JSON.stringify(response.LastEvaluatedKey)).toString('base64url')\r\n : null;\r\n\r\n const pagination: CursorPagination = {\r\n type: 'cursor',\r\n limit,\r\n count: sessions.length,\r\n hasNext,\r\n hasPrev: !!options?.cursor,\r\n cursor,\r\n };\r\n\r\n return ok(sessions, { pagination }) as PaginatedResult<SessionInfo>;\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR()) as PaginatedResult<SessionInfo>;\r\n }\r\n }\r\n\r\n async revokeBatch(sessionIds: SessionId[]): Promise<Result<number>> {\r\n if (sessionIds.length === 0) {\r\n return ok(0);\r\n }\r\n\r\n try {\r\n const revokedAt = Date.now();\r\n let count = 0;\r\n const batchSize = 25;\r\n\r\n for (let i = 0; i < sessionIds.length; i += batchSize) {\r\n const batch = sessionIds.slice(i, i + batchSize);\r\n\r\n const transactItems = batch.map((sessionId) => ({\r\n Update: {\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.SESSION_PK(sessionId),\r\n [TableAttr.SK]: KeyPattern.SESSION_SK(),\r\n },\r\n UpdateExpression: `SET #revokedAt = :revokedAt REMOVE #activePk, #activeSk`,\r\n ExpressionAttributeNames: {\r\n '#revokedAt': TableAttr.REVOKED_AT,\r\n '#activePk': TableAttr.ACTIVE_SESSION_PK,\r\n '#activeSk': TableAttr.ACTIVE_SESSION_SK,\r\n },\r\n ExpressionAttributeValues: {\r\n ':revokedAt': revokedAt,\r\n },\r\n ConditionExpression: `attribute_exists(${TableAttr.PK}) AND attribute_not_exists(#revokedAt)`,\r\n },\r\n }));\r\n\r\n try {\r\n await this.docClient.send(\r\n new TransactWriteCommand({ TransactItems: transactItems })\r\n );\r\n count += batch.length;\r\n } catch {\r\n // Some sessions may already be revoked, continue with remaining batches\r\n }\r\n }\r\n\r\n return ok(count);\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n}\r\n","/**\r\n * @auth-craft/tenant-access-control-dynamodb\r\n *\r\n * DynamoDB implementation for tenant-access-control.\r\n *\r\n * @example\r\n * ```typescript\r\n * import { createTenantAccessSDK } from '@auth-craft/tenant-access-control';\r\n * import { createTenantAccessDynamoDBPlugin } from '@auth-craft/tenant-access-control-dynamodb';\r\n *\r\n * // Create DynamoDB plugin\r\n * const plugin = createTenantAccessDynamoDBPlugin({\r\n * tableName: 'auth-table',\r\n * });\r\n *\r\n * // Create SDK with DynamoDB implementation\r\n * const sdk = createTenantAccessSDK(plugin);\r\n * ```\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport type { TenantAccessControlDeps } from '@auth-craft/tenant-access-control';\r\nimport { DynamoDBTenantMemberRepository } from './dynamodb-tenant-member-repo';\r\nimport { DynamoDBSessionRepository } from './dynamodb-session-repo';\r\nimport type { TenantAccessDynamoDBConfig } from './config';\r\n\r\n/**\r\n * Create DynamoDB plugin for Tenant Access Control\r\n *\r\n * @param config - DynamoDB configuration\r\n * @returns TenantAccessControlDeps - Dependencies for createTenantAccessSDK\r\n */\r\nexport function createTenantAccessDynamoDBPlugin(\r\n config: TenantAccessDynamoDBConfig\r\n): TenantAccessControlDeps {\r\n const client = config.client ?? new DynamoDBClient({});\r\n\r\n return {\r\n tenantMemberRepository: new DynamoDBTenantMemberRepository(client, config.tableName),\r\n sessionRepository: new DynamoDBSessionRepository(client, config.tableName),\r\n };\r\n}\r\n\r\n// Export config type\r\nexport type { TenantAccessDynamoDBConfig } from './config';\r\n\r\n// Export repositories for advanced use cases\r\nexport { DynamoDBTenantMemberRepository } from './dynamodb-tenant-member-repo';\r\nexport { DynamoDBSessionRepository } from './dynamodb-session-repo';\r\n"]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,86 @@
+import { TenantMemberRepository, TenantId, UserId, TenantMember, CreateTenantMemberData, UpdateTenantMemberPermissionsData, TenantMemberStatus, SessionRepository, SessionInfo, SessionId, TenantAccessControlDeps } from '@auth-craft/tenant-access-control';
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import { Result, PaginatedResult } from 'ts-micro-result';
+/**
+ * Configuration for Tenant Access Control DynamoDB Plugin
+ */
+interface TenantAccessDynamoDBConfig {
+    /**
+     * DynamoDB table name
+     */
+    tableName: string;
+    /**
+     * Optional DynamoDB client instance
+     * If not provided, a new client will be created
+     */
+    client?: DynamoDBClient;
+}
+/**
+ * DynamoDB TenantMember Repository Implementation
+ */
+declare class DynamoDBTenantMemberRepository implements TenantMemberRepository {
+    private client;
+    private tableName;
+    private docClient;
+    constructor(client: DynamoDBClient, tableName: string);
+    get(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<TenantMember | null>>;
+    create(data: CreateTenantMemberData): Promise<Result<void>>;
+    updatePermissions(tenantId: TenantId, audience: string, userId: UserId, updates: UpdateTenantMemberPermissionsData): Promise<Result<void>>;
+    updateStatus(tenantId: TenantId, audience: string, userId: UserId, status: TenantMemberStatus): Promise<Result<void>>;
+    remove(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<void>>;
+    private mapItemToEntity;
+}
+/**
+ * DynamoDB Session Repository Implementation (Limited)
+ *
+ * Only implements methods needed for tenant access control:
+ * - findActiveByUserId: Query active sessions
+ * - revokeBatch: Batch revoke sessions
+ */
+declare class DynamoDBSessionRepository implements SessionRepository {
+    private client;
+    private tableName;
+    private docClient;
+    constructor(client: DynamoDBClient, tableName: string);
+    findActiveByUserId(userId: UserId, options?: {
+        limit?: number;
+        cursor?: string;
+    }): Promise<PaginatedResult<SessionInfo>>;
+    revokeBatch(sessionIds: SessionId[]): Promise<Result<number>>;
+}
+/**
+ * @auth-craft/tenant-access-control-dynamodb
+ *
+ * DynamoDB implementation for tenant-access-control.
+ *
+ * @example
+ * ```typescript
+ * import { createTenantAccessSDK } from '@auth-craft/tenant-access-control';
+ * import { createTenantAccessDynamoDBPlugin } from '@auth-craft/tenant-access-control-dynamodb';
+ *
+ * // Create DynamoDB plugin
+ * const plugin = createTenantAccessDynamoDBPlugin({
+ *   tableName: 'auth-table',
+ * });
+ *
+ * // Create SDK with DynamoDB implementation
+ * const sdk = createTenantAccessSDK(plugin);
+ * ```
+ */
+/**
+ * Create DynamoDB plugin for Tenant Access Control
+ *
+ * @param config - DynamoDB configuration
+ * @returns TenantAccessControlDeps - Dependencies for createTenantAccessSDK
+ */
+declare function createTenantAccessDynamoDBPlugin(config: TenantAccessDynamoDBConfig): TenantAccessControlDeps;
+export { DynamoDBSessionRepository, DynamoDBTenantMemberRepository, type TenantAccessDynamoDBConfig, createTenantAccessDynamoDBPlugin };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+import { TenantMemberRepository, TenantId, UserId, TenantMember, CreateTenantMemberData, UpdateTenantMemberPermissionsData, TenantMemberStatus, SessionRepository, SessionInfo, SessionId, TenantAccessControlDeps } from '@auth-craft/tenant-access-control';
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import { Result, PaginatedResult } from 'ts-micro-result';
+/**
+ * Configuration for Tenant Access Control DynamoDB Plugin
+ */
+interface TenantAccessDynamoDBConfig {
+    /**
+     * DynamoDB table name
+     */
+    tableName: string;
+    /**
+     * Optional DynamoDB client instance
+     * If not provided, a new client will be created
+     */
+    client?: DynamoDBClient;
+}
+/**
+ * DynamoDB TenantMember Repository Implementation
+ */
+declare class DynamoDBTenantMemberRepository implements TenantMemberRepository {
+    private client;
+    private tableName;
+    private docClient;
+    constructor(client: DynamoDBClient, tableName: string);
+    get(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<TenantMember | null>>;
+    create(data: CreateTenantMemberData): Promise<Result<void>>;
+    updatePermissions(tenantId: TenantId, audience: string, userId: UserId, updates: UpdateTenantMemberPermissionsData): Promise<Result<void>>;
+    updateStatus(tenantId: TenantId, audience: string, userId: UserId, status: TenantMemberStatus): Promise<Result<void>>;
+    remove(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<void>>;
+    private mapItemToEntity;
+}
+/**
+ * DynamoDB Session Repository Implementation (Limited)
+ *
+ * Only implements methods needed for tenant access control:
+ * - findActiveByUserId: Query active sessions
+ * - revokeBatch: Batch revoke sessions
+ */
+declare class DynamoDBSessionRepository implements SessionRepository {
+    private client;
+    private tableName;
+    private docClient;
+    constructor(client: DynamoDBClient, tableName: string);
+    findActiveByUserId(userId: UserId, options?: {
+        limit?: number;
+        cursor?: string;
+    }): Promise<PaginatedResult<SessionInfo>>;
+    revokeBatch(sessionIds: SessionId[]): Promise<Result<number>>;
+}
+/**
+ * @auth-craft/tenant-access-control-dynamodb
+ *
+ * DynamoDB implementation for tenant-access-control.
+ *
+ * @example
+ * ```typescript
+ * import { createTenantAccessSDK } from '@auth-craft/tenant-access-control';
+ * import { createTenantAccessDynamoDBPlugin } from '@auth-craft/tenant-access-control-dynamodb';
+ *
+ * // Create DynamoDB plugin
+ * const plugin = createTenantAccessDynamoDBPlugin({
+ *   tableName: 'auth-table',
+ * });
+ *
+ * // Create SDK with DynamoDB implementation
+ * const sdk = createTenantAccessSDK(plugin);
+ * ```
+ */
+/**
+ * Create DynamoDB plugin for Tenant Access Control
+ *
+ * @param config - DynamoDB configuration
+ * @returns TenantAccessControlDeps - Dependencies for createTenantAccessSDK
+ */
+declare function createTenantAccessDynamoDBPlugin(config: TenantAccessDynamoDBConfig): TenantAccessControlDeps;
+export { DynamoDBSessionRepository, DynamoDBTenantMemberRepository, type TenantAccessDynamoDBConfig, createTenantAccessDynamoDBPlugin };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,268 @@
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import { DynamoDBDocumentClient, GetCommand, PutCommand, UpdateCommand, DeleteCommand, QueryCommand, TransactWriteCommand } from '@aws-sdk/lib-dynamodb';
+import { ok, err } from 'ts-micro-result';
+import { tenantAccessErrors } from '@auth-craft/tenant-access-control';
+import { TableAttr, KeyPattern, KeyExtractor, millisToDate, GSIKeys, GSIName } from '@auth-craft/database-plugin-dynamodb';
+// src/index.ts
+var DynamoDBTenantMemberRepository = class {
+  constructor(client, tableName) {
+    this.client = client;
+    this.tableName = tableName;
+    this.docClient = DynamoDBDocumentClient.from(client, {
+      marshallOptions: { removeUndefinedValues: true }
+    });
+  }
+  docClient;
+  async get(tenantId, audience, userId) {
+    try {
+      const response = await this.docClient.send(
+        new GetCommand({
+          TableName: this.tableName,
+          Key: {
+            [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          }
+        })
+      );
+      if (!response.Item) {
+        return ok(null);
+      }
+      return ok(this.mapItemToEntity(response.Item));
+    } catch {
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async create(data) {
+    try {
+      const now = Date.now();
+      await this.docClient.send(
+        new PutCommand({
+          TableName: this.tableName,
+          Item: {
+            [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(data.tenantId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(data.audience, data.userId),
+            userStatus: data.status,
+            roleIds: JSON.stringify(data.roleIds),
+            permMask: data.permMask ?? 0,
+            createdAt: now,
+            updatedAt: now
+          },
+          ConditionExpression: "attribute_not_exists(PK)"
+        })
+      );
+      return ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return err(tenantAccessErrors.MEMBER_ALREADY_EXISTS());
+      }
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async updatePermissions(tenantId, audience, userId, updates) {
+    try {
+      const setClauses = ["#updatedAt = :updatedAt"];
+      const names = { "#updatedAt": "updatedAt" };
+      const values = { ":updatedAt": Date.now() };
+      if (updates.roleIds !== void 0) {
+        setClauses.push("#roleIds = :roleIds");
+        names["#roleIds"] = "roleIds";
+        values[":roleIds"] = JSON.stringify(updates.roleIds);
+      }
+      if (updates.permMask !== void 0) {
+        setClauses.push("#permMask = :permMask");
+        names["#permMask"] = "permMask";
+        values[":permMask"] = updates.permMask;
+      }
+      await this.docClient.send(
+        new UpdateCommand({
+          TableName: this.tableName,
+          Key: {
+            [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          },
+          UpdateExpression: `SET ${setClauses.join(", ")}`,
+          ExpressionAttributeNames: names,
+          ExpressionAttributeValues: values,
+          ConditionExpression: "attribute_exists(PK)"
+        })
+      );
+      return ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return err(tenantAccessErrors.MEMBER_NOT_FOUND());
+      }
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async updateStatus(tenantId, audience, userId, status) {
+    try {
+      await this.docClient.send(
+        new UpdateCommand({
+          TableName: this.tableName,
+          Key: {
+            [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          },
+          UpdateExpression: "SET #status = :status, #updatedAt = :updatedAt",
+          ExpressionAttributeNames: {
+            "#status": "userStatus",
+            "#updatedAt": "updatedAt"
+          },
+          ExpressionAttributeValues: {
+            ":status": status,
+            ":updatedAt": Date.now()
+          },
+          ConditionExpression: "attribute_exists(PK)"
+        })
+      );
+      return ok();
+    } catch (error) {
+      if (error.name === "ConditionalCheckFailedException") {
+        return err(tenantAccessErrors.MEMBER_NOT_FOUND());
+      }
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async remove(tenantId, audience, userId) {
+    try {
+      await this.docClient.send(
+        new DeleteCommand({
+          TableName: this.tableName,
+          Key: {
+            [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),
+            [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId)
+          }
+        })
+      );
+      return ok();
+    } catch {
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  mapItemToEntity(item) {
+    const tenantId = KeyExtractor.tenantId(item[TableAttr.PK]);
+    const skInfo = KeyExtractor.tenantMemberSKInfo(item[TableAttr.SK]);
+    return {
+      tenantId,
+      audience: skInfo?.audience ?? "",
+      userId: skInfo?.userId ?? "",
+      status: item["userStatus"],
+      roleIds: JSON.parse(item["roleIds"]),
+      permMask: item["permMask"] ?? 0,
+      createdAt: millisToDate(item["createdAt"]),
+      updatedAt: millisToDate(item["updatedAt"])
+    };
+  }
+};
+var DynamoDBSessionRepository = class {
+  constructor(client, tableName) {
+    this.client = client;
+    this.tableName = tableName;
+    this.docClient = DynamoDBDocumentClient.from(client);
+  }
+  docClient;
+  async findActiveByUserId(userId, options) {
+    try {
+      const limit = Math.min(options?.limit ?? 50, 100);
+      let exclusiveStartKey;
+      if (options?.cursor) {
+        try {
+          exclusiveStartKey = JSON.parse(
+            Buffer.from(options.cursor, "base64url").toString("utf-8")
+          );
+        } catch {
+          return err(tenantAccessErrors.INVALID_CURSOR());
+        }
+      }
+      const response = await this.docClient.send(
+        new QueryCommand({
+          TableName: this.tableName,
+          IndexName: GSIName.ACTIVE_SESSIONS,
+          KeyConditionExpression: `${TableAttr.ACTIVE_SESSION_PK} = :activePk`,
+          ExpressionAttributeValues: {
+            ":activePk": GSIKeys.ACTIVE_SESSION_PK(userId)
+          },
+          ProjectionExpression: `${TableAttr.PK}, ${TableAttr.TENANT_ID}, ${TableAttr.AUDIENCE}, ${TableAttr.USER_ID}`,
+          Limit: limit,
+          ExclusiveStartKey: exclusiveStartKey,
+          ScanIndexForward: false
+        })
+      );
+      const sessions = (response.Items ?? []).map((item) => ({
+        id: KeyExtractor.sessionId(item[TableAttr.PK]),
+        userId: item[TableAttr.USER_ID],
+        tenantId: item[TableAttr.TENANT_ID],
+        audience: item[TableAttr.AUDIENCE]
+      }));
+      const hasNext = !!response.LastEvaluatedKey;
+      const cursor = hasNext ? Buffer.from(JSON.stringify(response.LastEvaluatedKey)).toString("base64url") : null;
+      const pagination = {
+        type: "cursor",
+        limit,
+        count: sessions.length,
+        hasNext,
+        hasPrev: !!options?.cursor,
+        cursor
+      };
+      return ok(sessions, { pagination });
+    } catch {
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+  async revokeBatch(sessionIds) {
+    if (sessionIds.length === 0) {
+      return ok(0);
+    }
+    try {
+      const revokedAt = Date.now();
+      let count = 0;
+      const batchSize = 25;
+      for (let i = 0; i < sessionIds.length; i += batchSize) {
+        const batch = sessionIds.slice(i, i + batchSize);
+        const transactItems = batch.map((sessionId) => ({
+          Update: {
+            TableName: this.tableName,
+            Key: {
+              [TableAttr.PK]: KeyPattern.SESSION_PK(sessionId),
+              [TableAttr.SK]: KeyPattern.SESSION_SK()
+            },
+            UpdateExpression: `SET #revokedAt = :revokedAt REMOVE #activePk, #activeSk`,
+            ExpressionAttributeNames: {
+              "#revokedAt": TableAttr.REVOKED_AT,
+              "#activePk": TableAttr.ACTIVE_SESSION_PK,
+              "#activeSk": TableAttr.ACTIVE_SESSION_SK
+            },
+            ExpressionAttributeValues: {
+              ":revokedAt": revokedAt
+            },
+            ConditionExpression: `attribute_exists(${TableAttr.PK}) AND attribute_not_exists(#revokedAt)`
+          }
+        }));
+        try {
+          await this.docClient.send(
+            new TransactWriteCommand({ TransactItems: transactItems })
+          );
+          count += batch.length;
+        } catch {
+        }
+      }
+      return ok(count);
+    } catch {
+      return err(tenantAccessErrors.DATABASE_ERROR());
+    }
+  }
+};
+// src/index.ts
+function createTenantAccessDynamoDBPlugin(config) {
+  const client = config.client ?? new DynamoDBClient({});
+  return {
+    tenantMemberRepository: new DynamoDBTenantMemberRepository(client, config.tableName),
+    sessionRepository: new DynamoDBSessionRepository(client, config.tableName)
+  };
+}
+export { DynamoDBSessionRepository, DynamoDBTenantMemberRepository, createTenantAccessDynamoDBPlugin };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/dynamodb-tenant-member-repo.ts","../src/dynamodb-session-repo.ts","../src/index.ts"],"names":["DynamoDBDocumentClient","err","tenantAccessErrors","TableAttr","KeyExtractor","ok","KeyPattern","DynamoDBClient"],"mappings":";;;;;;;AA8BO,IAAM,iCAAN,MAAuE;AAAA,EAG5E,WAAA,CACU,QACA,SAAA,EACR;AAFQ,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAER,IAAA,IAAA,CAAK,SAAA,GAAY,sBAAA,CAAuB,IAAA,CAAK,MAAA,EAAQ;AAAA,MACnD,eAAA,EAAiB,EAAE,qBAAA,EAAuB,IAAA;AAAK,KAChD,CAAA;AAAA,EACH;AAAA,EATQ,SAAA;AAAA,EAWR,MAAM,GAAA,CACJ,QAAA,EACA,QAAA,EACA,MAAA,EACsC;AACtC,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACpC,IAAI,UAAA,CAAW;AAAA,UACb,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA;AAC9D,SACD;AAAA,OACH;AAEA,MAAA,IAAI,CAAC,SAAS,IAAA,EAAM;AAClB,QAAA,OAAO,GAAG,IAAI,CAAA;AAAA,MAChB;AAEA,MAAA,OAAO,EAAA,CAAG,IAAA,CAAK,eAAA,CAAgB,QAAA,CAAS,IAAI,CAAC,CAAA;AAAA,IAC/C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,IAAA,EAAqD;AAChE,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAI,UAAA,CAAW;AAAA,UACb,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,IAAA,EAAM;AAAA,YACJ,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,gBAAA,CAAiB,KAAK,QAAQ,CAAA;AAAA,YACzD,CAAC,UAAU,EAAE,GAAG,WAAW,gBAAA,CAAiB,IAAA,CAAK,QAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,YACtE,YAAY,IAAA,CAAK,MAAA;AAAA,YACjB,OAAA,EAAS,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO,CAAA;AAAA,YACpC,QAAA,EAAU,KAAK,QAAA,IAAY,CAAA;AAAA,YAC3B,SAAA,EAAW,GAAA;AAAA,YACX,SAAA,EAAW;AAAA,WACb;AAAA,UACA,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAO,EAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,qBAAA,EAAuB,CAAA;AAAA,MACvD;AACA,MAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,iBAAA,CACJ,QAAA,EACA,QAAA,EACA,QACA,OAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAuB,CAAC,yBAAyB,CAAA;AACvD,MAAA,MAAM,KAAA,GAAgC,EAAE,YAAA,EAAc,WAAA,EAAY;AAClE,MAAA,MAAM,MAAA,GAAkC,EAAE,YAAA,EAAc,IAAA,CAAK,KAAI,EAAE;AAEnE,MAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,CAAA,EAAW;AACjC,QAAA,UAAA,CAAW,KAAK,qBAAqB,CAAA;AACrC,QAAA,KAAA,CAAM,UAAU,CAAA,GAAI,SAAA;AACpB,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,QAAQ,OAAO,CAAA;AAAA,MACrD;AAEA,MAAA,IAAI,OAAA,CAAQ,aAAa,KAAA,CAAA,EAAW;AAClC,QAAA,UAAA,CAAW,KAAK,uBAAuB,CAAA;AACvC,QAAA,KAAA,CAAM,WAAW,CAAA,GAAI,UAAA;AACrB,QAAA,MAAA,CAAO,WAAW,IAAI,OAAA,CAAQ,QAAA;AAAA,MAChC;AAEA,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAI,aAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA,WAC9D;AAAA,UACA,gBAAA,EAAkB,CAAA,IAAA,EAAO,UAAA,CAAW,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,UAC9C,wBAAA,EAA0B,KAAA;AAAA,UAC1B,yBAAA,EAA2B,MAAA;AAAA,UAC3B,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAO,EAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,gBAAA,EAAkB,CAAA;AAAA,MAClD;AACA,MAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CACJ,QAAA,EACA,QAAA,EACA,QACA,MAAA,EACuB;AACvB,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAI,aAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA,WAC9D;AAAA,UACA,gBAAA,EAAkB,gDAAA;AAAA,UAClB,wBAAA,EAA0B;AAAA,YACxB,SAAA,EAAW,YAAA;AAAA,YACX,YAAA,EAAc;AAAA,WAChB;AAAA,UACA,yBAAA,EAA2B;AAAA,YACzB,SAAA,EAAW,MAAA;AAAA,YACX,YAAA,EAAc,KAAK,GAAA;AAAI,WACzB;AAAA,UACA,mBAAA,EAAqB;AAAA,SACtB;AAAA,OACH;AAEA,MAAA,OAAO,EAAA,EAAG;AAAA,IACZ,SAAS,KAAA,EAAgB;AACvB,MAAA,IAAK,KAAA,CAA4B,SAAS,iCAAA,EAAmC;AAC3E,QAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,gBAAA,EAAkB,CAAA;AAAA,MAClD;AACA,MAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CAAO,QAAA,EAAoB,QAAA,EAAkB,MAAA,EAAuC;AACxF,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,QACnB,IAAI,aAAA,CAAc;AAAA,UAChB,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,GAAA,EAAK;AAAA,YACH,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,iBAAiB,QAAQ,CAAA;AAAA,YACpD,CAAC,SAAA,CAAU,EAAE,GAAG,UAAA,CAAW,gBAAA,CAAiB,UAAU,MAAM;AAAA;AAC9D,SACD;AAAA,OACH;AAEA,MAAA,OAAO,EAAA,EAAG;AAAA,IACZ,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,GAAA,CAAI,kBAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEQ,gBAAgB,IAAA,EAA6C;AACnE,IAAA,MAAM,WAAW,YAAA,CAAa,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU,EAAE,CAAW,CAAA;AACnE,IAAA,MAAM,SAAS,YAAA,CAAa,kBAAA,CAAmB,IAAA,CAAK,SAAA,CAAU,EAAE,CAAW,CAAA;AAE3E,IAAA,OAAO;AAAA,MACL,QAAA;AAAA,MACA,QAAA,EAAU,QAAQ,QAAA,IAAY,EAAA;AAAA,MAC9B,MAAA,EAAS,QAAQ,MAAA,IAAU,EAAA;AAAA,MAC3B,MAAA,EAAQ,KAAK,YAAY,CAAA;AAAA,MACzB,OAAA,EAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAS,CAAW,CAAA;AAAA,MAC7C,QAAA,EAAW,IAAA,CAAK,UAAU,CAAA,IAAgB,CAAA;AAAA,MAC1C,SAAA,EAAW,YAAA,CAAa,IAAA,CAAK,WAAW,CAAW,CAAA;AAAA,MACnD,SAAA,EAAW,YAAA,CAAa,IAAA,CAAK,WAAW,CAAW;AAAA,KACrD;AAAA,EACF;AACF;ACrLO,IAAM,4BAAN,MAA6D;AAAA,EAGlE,WAAA,CACU,QACA,SAAA,EACR;AAFQ,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAER,IAAA,IAAA,CAAK,SAAA,GAAYA,sBAAAA,CAAuB,IAAA,CAAK,MAAM,CAAA;AAAA,EACrD;AAAA,EAPQ,SAAA;AAAA,EASR,MAAM,kBAAA,CACJ,MAAA,EACA,OAAA,EACuC;AACvC,IAAA,IAAI;AACF,MAAA,MAAM,QAAQ,IAAA,CAAK,GAAA,CAAI,OAAA,EAAS,KAAA,IAAS,IAAI,GAAG,CAAA;AAChD,MAAA,IAAI,iBAAA;AAEJ,MAAA,IAAI,SAAS,MAAA,EAAQ;AACnB,QAAA,IAAI;AACF,UAAA,iBAAA,GAAoB,IAAA,CAAK,KAAA;AAAA,YACvB,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAQ,WAAW,CAAA,CAAE,SAAS,OAAO;AAAA,WAC3D;AAAA,QACF,CAAA,CAAA,MAAQ;AACN,UAAA,OAAOC,GAAAA,CAAIC,kBAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,QAChD;AAAA,MACF;AAEA,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA;AAAA,QACpC,IAAI,YAAA,CAAa;AAAA,UACf,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,WAAW,OAAA,CAAQ,eAAA;AAAA,UACnB,sBAAA,EAAwB,CAAA,EAAGC,SAAAA,CAAU,iBAAiB,CAAA,YAAA,CAAA;AAAA,UACtD,yBAAA,EAA2B;AAAA,YACzB,WAAA,EAAa,OAAA,CAAQ,iBAAA,CAAkB,MAAM;AAAA,WAC/C;AAAA,UACA,oBAAA,EAAsB,CAAA,EAAGA,SAAAA,CAAU,EAAE,CAAA,EAAA,EAAKA,SAAAA,CAAU,SAAS,CAAA,EAAA,EAAKA,SAAAA,CAAU,QAAQ,CAAA,EAAA,EAAKA,SAAAA,CAAU,OAAO,CAAA,CAAA;AAAA,UAC1G,KAAA,EAAO,KAAA;AAAA,UACP,iBAAA,EAAmB,iBAAA;AAAA,UACnB,gBAAA,EAAkB;AAAA,SACnB;AAAA,OACH;AAEA,MAAA,MAAM,YAA2B,QAAA,CAAS,KAAA,IAAS,EAAC,EAAG,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,QACpE,IAAIC,YAAAA,CAAa,SAAA,CAAU,IAAA,CAAKD,SAAAA,CAAU,EAAE,CAAW,CAAA;AAAA,QACvD,MAAA,EAAQ,IAAA,CAAKA,SAAAA,CAAU,OAAO,CAAA;AAAA,QAC9B,QAAA,EAAU,IAAA,CAAKA,SAAAA,CAAU,SAAS,CAAA;AAAA,QAClC,QAAA,EAAU,IAAA,CAAKA,SAAAA,CAAU,QAAQ;AAAA,OACnC,CAAE,CAAA;AAEF,MAAA,MAAM,OAAA,GAAU,CAAC,CAAC,QAAA,CAAS,gBAAA;AAC3B,MAAA,MAAM,MAAA,GAAS,OAAA,GACX,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,gBAAgB,CAAC,CAAA,CAAE,QAAA,CAAS,WAAW,CAAA,GAC3E,IAAA;AAEJ,MAAA,MAAM,UAAA,GAA+B;AAAA,QACnC,IAAA,EAAM,QAAA;AAAA,QACN,KAAA;AAAA,QACA,OAAO,QAAA,CAAS,MAAA;AAAA,QAChB,OAAA;AAAA,QACA,OAAA,EAAS,CAAC,CAAC,OAAA,EAAS,MAAA;AAAA,QACpB;AAAA,OACF;AAEA,MAAA,OAAOE,EAAAA,CAAG,QAAA,EAAU,EAAE,UAAA,EAAY,CAAA;AAAA,IACpC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOJ,GAAAA,CAAIC,kBAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,MAAM,YAAY,UAAA,EAAkD;AAClE,IAAA,IAAI,UAAA,CAAW,WAAW,CAAA,EAAG;AAC3B,MAAA,OAAOG,GAAG,CAAC,CAAA;AAAA,IACb;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,MAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,MAAA,MAAM,SAAA,GAAY,EAAA;AAElB,MAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,UAAA,CAAW,MAAA,EAAQ,KAAK,SAAA,EAAW;AACrD,QAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,IAAI,SAAS,CAAA;AAE/C,QAAA,MAAM,aAAA,GAAgB,KAAA,CAAM,GAAA,CAAI,CAAC,SAAA,MAAe;AAAA,UAC9C,MAAA,EAAQ;AAAA,YACN,WAAW,IAAA,CAAK,SAAA;AAAA,YAChB,GAAA,EAAK;AAAA,cACH,CAACF,SAAAA,CAAU,EAAE,GAAGG,UAAAA,CAAW,WAAW,SAAS,CAAA;AAAA,cAC/C,CAACH,SAAAA,CAAU,EAAE,GAAGG,WAAW,UAAA;AAAW,aACxC;AAAA,YACA,gBAAA,EAAkB,CAAA,uDAAA,CAAA;AAAA,YAClB,wBAAA,EAA0B;AAAA,cACxB,cAAcH,SAAAA,CAAU,UAAA;AAAA,cACxB,aAAaA,SAAAA,CAAU,iBAAA;AAAA,cACvB,aAAaA,SAAAA,CAAU;AAAA,aACzB;AAAA,YACA,yBAAA,EAA2B;AAAA,cACzB,YAAA,EAAc;AAAA,aAChB;AAAA,YACA,mBAAA,EAAqB,CAAA,iBAAA,EAAoBA,SAAAA,CAAU,EAAE,CAAA,sCAAA;AAAA;AACvD,SACF,CAAE,CAAA;AAEF,QAAA,IAAI;AACF,UAAA,MAAM,KAAK,SAAA,CAAU,IAAA;AAAA,YACnB,IAAI,oBAAA,CAAqB,EAAE,aAAA,EAAe,eAAe;AAAA,WAC3D;AACA,UAAA,KAAA,IAAS,KAAA,CAAM,MAAA;AAAA,QACjB,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAEA,MAAA,OAAOE,GAAG,KAAK,CAAA;AAAA,IACjB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOJ,GAAAA,CAAIC,kBAAAA,CAAmB,cAAA,EAAgB,CAAA;AAAA,IAChD;AAAA,EACF;AACF;;;ACrHO,SAAS,iCACd,MAAA,EACyB;AACzB,EAAA,MAAM,SAAS,MAAA,CAAO,MAAA,IAAU,IAAIK,cAAAA,CAAe,EAAE,CAAA;AAErD,EAAA,OAAO;AAAA,IACL,sBAAA,EAAwB,IAAI,8BAAA,CAA+B,MAAA,EAAQ,OAAO,SAAS,CAAA;AAAA,IACnF,iBAAA,EAAmB,IAAI,yBAAA,CAA0B,MAAA,EAAQ,OAAO,SAAS;AAAA,GAC3E;AACF","file":"index.js","sourcesContent":["/**\r\n * DynamoDB TenantMember Repository Implementation\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport {\r\n DynamoDBDocumentClient,\r\n GetCommand,\r\n PutCommand,\r\n UpdateCommand,\r\n DeleteCommand,\r\n} from '@aws-sdk/lib-dynamodb';\r\nimport { ok, err, type Result } from 'ts-micro-result';\r\nimport type {\r\n TenantMemberRepository,\r\n TenantMember,\r\n TenantMemberStatus,\r\n CreateTenantMemberData,\r\n UpdateTenantMemberPermissionsData,\r\n TenantId,\r\n UserId,\r\n} from '@auth-craft/tenant-access-control';\r\nimport { tenantAccessErrors } from '@auth-craft/tenant-access-control';\r\nimport {\r\n KeyPattern,\r\n KeyExtractor,\r\n TableAttr,\r\n millisToDate,\r\n} from '@auth-craft/database-plugin-dynamodb';\r\n\r\nexport class DynamoDBTenantMemberRepository implements TenantMemberRepository {\r\n private docClient: DynamoDBDocumentClient;\r\n\r\n constructor(\r\n private client: DynamoDBClient,\r\n private tableName: string\r\n ) {\r\n this.docClient = DynamoDBDocumentClient.from(client, {\r\n marshallOptions: { removeUndefinedValues: true },\r\n });\r\n }\r\n\r\n async get(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId\r\n ): Promise<Result<TenantMember | null>> {\r\n try {\r\n const response = await this.docClient.send(\r\n new GetCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n })\r\n );\r\n\r\n if (!response.Item) {\r\n return ok(null);\r\n }\r\n\r\n return ok(this.mapItemToEntity(response.Item));\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async create(data: CreateTenantMemberData): Promise<Result<void>> {\r\n try {\r\n const now = Date.now();\r\n\r\n await this.docClient.send(\r\n new PutCommand({\r\n TableName: this.tableName,\r\n Item: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(data.tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(data.audience, data.userId),\r\n userStatus: data.status,\r\n roleIds: JSON.stringify(data.roleIds),\r\n permMask: data.permMask ?? 0,\r\n createdAt: now,\r\n updatedAt: now,\r\n },\r\n ConditionExpression: 'attribute_not_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_ALREADY_EXISTS());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async updatePermissions(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId,\r\n updates: UpdateTenantMemberPermissionsData\r\n ): Promise<Result<void>> {\r\n try {\r\n const setClauses: string[] = ['#updatedAt = :updatedAt'];\r\n const names: Record<string, string> = { '#updatedAt': 'updatedAt' };\r\n const values: Record<string, unknown> = { ':updatedAt': Date.now() };\r\n\r\n if (updates.roleIds !== undefined) {\r\n setClauses.push('#roleIds = :roleIds');\r\n names['#roleIds'] = 'roleIds';\r\n values[':roleIds'] = JSON.stringify(updates.roleIds);\r\n }\r\n\r\n if (updates.permMask !== undefined) {\r\n setClauses.push('#permMask = :permMask');\r\n names['#permMask'] = 'permMask';\r\n values[':permMask'] = updates.permMask;\r\n }\r\n\r\n await this.docClient.send(\r\n new UpdateCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n UpdateExpression: `SET ${setClauses.join(', ')}`,\r\n ExpressionAttributeNames: names,\r\n ExpressionAttributeValues: values,\r\n ConditionExpression: 'attribute_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_NOT_FOUND());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async updateStatus(\r\n tenantId: TenantId,\r\n audience: string,\r\n userId: UserId,\r\n status: TenantMemberStatus\r\n ): Promise<Result<void>> {\r\n try {\r\n await this.docClient.send(\r\n new UpdateCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n UpdateExpression: 'SET #status = :status, #updatedAt = :updatedAt',\r\n ExpressionAttributeNames: {\r\n '#status': 'userStatus',\r\n '#updatedAt': 'updatedAt',\r\n },\r\n ExpressionAttributeValues: {\r\n ':status': status,\r\n ':updatedAt': Date.now(),\r\n },\r\n ConditionExpression: 'attribute_exists(PK)',\r\n })\r\n );\r\n\r\n return ok();\r\n } catch (error: unknown) {\r\n if ((error as { name?: string }).name === 'ConditionalCheckFailedException') {\r\n return err(tenantAccessErrors.MEMBER_NOT_FOUND());\r\n }\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n async remove(tenantId: TenantId, audience: string, userId: UserId): Promise<Result<void>> {\r\n try {\r\n await this.docClient.send(\r\n new DeleteCommand({\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.TENANT_MEMBER_PK(tenantId),\r\n [TableAttr.SK]: KeyPattern.TENANT_MEMBER_SK(audience, userId),\r\n },\r\n })\r\n );\r\n\r\n return ok();\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n\r\n private mapItemToEntity(item: Record<string, unknown>): TenantMember {\r\n const tenantId = KeyExtractor.tenantId(item[TableAttr.PK] as string) as TenantId;\r\n const skInfo = KeyExtractor.tenantMemberSKInfo(item[TableAttr.SK] as string);\r\n\r\n return {\r\n tenantId,\r\n audience: skInfo?.audience ?? '',\r\n userId: (skInfo?.userId ?? '') as UserId,\r\n status: item['userStatus'] as TenantMemberStatus,\r\n roleIds: JSON.parse(item['roleIds'] as string),\r\n permMask: (item['permMask'] as number) ?? 0,\r\n createdAt: millisToDate(item['createdAt'] as number),\r\n updatedAt: millisToDate(item['updatedAt'] as number),\r\n };\r\n }\r\n}\r\n","/**\r\n * DynamoDB Session Repository Implementation (Limited)\r\n *\r\n * Only implements methods needed for tenant access control:\r\n * - findActiveByUserId: Query active sessions\r\n * - revokeBatch: Batch revoke sessions\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport {\r\n DynamoDBDocumentClient,\r\n QueryCommand,\r\n TransactWriteCommand,\r\n} from '@aws-sdk/lib-dynamodb';\r\nimport { ok, err, type Result, type PaginatedResult, type CursorPagination } from 'ts-micro-result';\r\nimport type {\r\n SessionRepository,\r\n SessionInfo,\r\n SessionId,\r\n UserId,\r\n TenantId,\r\n} from '@auth-craft/tenant-access-control';\r\nimport { tenantAccessErrors } from '@auth-craft/tenant-access-control';\r\nimport {\r\n KeyPattern,\r\n KeyExtractor,\r\n TableAttr,\r\n GSIName,\r\n GSIKeys,\r\n} from '@auth-craft/database-plugin-dynamodb';\r\n\r\nexport class DynamoDBSessionRepository implements SessionRepository {\r\n private docClient: DynamoDBDocumentClient;\r\n\r\n constructor(\r\n private client: DynamoDBClient,\r\n private tableName: string\r\n ) {\r\n this.docClient = DynamoDBDocumentClient.from(client);\r\n }\r\n\r\n async findActiveByUserId(\r\n userId: UserId,\r\n options?: { limit?: number; cursor?: string }\r\n ): Promise<PaginatedResult<SessionInfo>> {\r\n try {\r\n const limit = Math.min(options?.limit ?? 50, 100);\r\n let exclusiveStartKey: Record<string, unknown> | undefined;\r\n\r\n if (options?.cursor) {\r\n try {\r\n exclusiveStartKey = JSON.parse(\r\n Buffer.from(options.cursor, 'base64url').toString('utf-8')\r\n );\r\n } catch {\r\n return err(tenantAccessErrors.INVALID_CURSOR()) as PaginatedResult<SessionInfo>;\r\n }\r\n }\r\n\r\n const response = await this.docClient.send(\r\n new QueryCommand({\r\n TableName: this.tableName,\r\n IndexName: GSIName.ACTIVE_SESSIONS,\r\n KeyConditionExpression: `${TableAttr.ACTIVE_SESSION_PK} = :activePk`,\r\n ExpressionAttributeValues: {\r\n ':activePk': GSIKeys.ACTIVE_SESSION_PK(userId),\r\n },\r\n ProjectionExpression: `${TableAttr.PK}, ${TableAttr.TENANT_ID}, ${TableAttr.AUDIENCE}, ${TableAttr.USER_ID}`,\r\n Limit: limit,\r\n ExclusiveStartKey: exclusiveStartKey,\r\n ScanIndexForward: false,\r\n })\r\n );\r\n\r\n const sessions: SessionInfo[] = (response.Items ?? []).map((item) => ({\r\n id: KeyExtractor.sessionId(item[TableAttr.PK] as string) as SessionId,\r\n userId: item[TableAttr.USER_ID] as UserId,\r\n tenantId: item[TableAttr.TENANT_ID] as TenantId | undefined,\r\n audience: item[TableAttr.AUDIENCE] as string,\r\n }));\r\n\r\n const hasNext = !!response.LastEvaluatedKey;\r\n const cursor = hasNext\r\n ? Buffer.from(JSON.stringify(response.LastEvaluatedKey)).toString('base64url')\r\n : null;\r\n\r\n const pagination: CursorPagination = {\r\n type: 'cursor',\r\n limit,\r\n count: sessions.length,\r\n hasNext,\r\n hasPrev: !!options?.cursor,\r\n cursor,\r\n };\r\n\r\n return ok(sessions, { pagination }) as PaginatedResult<SessionInfo>;\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR()) as PaginatedResult<SessionInfo>;\r\n }\r\n }\r\n\r\n async revokeBatch(sessionIds: SessionId[]): Promise<Result<number>> {\r\n if (sessionIds.length === 0) {\r\n return ok(0);\r\n }\r\n\r\n try {\r\n const revokedAt = Date.now();\r\n let count = 0;\r\n const batchSize = 25;\r\n\r\n for (let i = 0; i < sessionIds.length; i += batchSize) {\r\n const batch = sessionIds.slice(i, i + batchSize);\r\n\r\n const transactItems = batch.map((sessionId) => ({\r\n Update: {\r\n TableName: this.tableName,\r\n Key: {\r\n [TableAttr.PK]: KeyPattern.SESSION_PK(sessionId),\r\n [TableAttr.SK]: KeyPattern.SESSION_SK(),\r\n },\r\n UpdateExpression: `SET #revokedAt = :revokedAt REMOVE #activePk, #activeSk`,\r\n ExpressionAttributeNames: {\r\n '#revokedAt': TableAttr.REVOKED_AT,\r\n '#activePk': TableAttr.ACTIVE_SESSION_PK,\r\n '#activeSk': TableAttr.ACTIVE_SESSION_SK,\r\n },\r\n ExpressionAttributeValues: {\r\n ':revokedAt': revokedAt,\r\n },\r\n ConditionExpression: `attribute_exists(${TableAttr.PK}) AND attribute_not_exists(#revokedAt)`,\r\n },\r\n }));\r\n\r\n try {\r\n await this.docClient.send(\r\n new TransactWriteCommand({ TransactItems: transactItems })\r\n );\r\n count += batch.length;\r\n } catch {\r\n // Some sessions may already be revoked, continue with remaining batches\r\n }\r\n }\r\n\r\n return ok(count);\r\n } catch {\r\n return err(tenantAccessErrors.DATABASE_ERROR());\r\n }\r\n }\r\n}\r\n","/**\r\n * @auth-craft/tenant-access-control-dynamodb\r\n *\r\n * DynamoDB implementation for tenant-access-control.\r\n *\r\n * @example\r\n * ```typescript\r\n * import { createTenantAccessSDK } from '@auth-craft/tenant-access-control';\r\n * import { createTenantAccessDynamoDBPlugin } from '@auth-craft/tenant-access-control-dynamodb';\r\n *\r\n * // Create DynamoDB plugin\r\n * const plugin = createTenantAccessDynamoDBPlugin({\r\n * tableName: 'auth-table',\r\n * });\r\n *\r\n * // Create SDK with DynamoDB implementation\r\n * const sdk = createTenantAccessSDK(plugin);\r\n * ```\r\n */\r\n\r\nimport { DynamoDBClient } from '@aws-sdk/client-dynamodb';\r\nimport type { TenantAccessControlDeps } from '@auth-craft/tenant-access-control';\r\nimport { DynamoDBTenantMemberRepository } from './dynamodb-tenant-member-repo';\r\nimport { DynamoDBSessionRepository } from './dynamodb-session-repo';\r\nimport type { TenantAccessDynamoDBConfig } from './config';\r\n\r\n/**\r\n * Create DynamoDB plugin for Tenant Access Control\r\n *\r\n * @param config - DynamoDB configuration\r\n * @returns TenantAccessControlDeps - Dependencies for createTenantAccessSDK\r\n */\r\nexport function createTenantAccessDynamoDBPlugin(\r\n config: TenantAccessDynamoDBConfig\r\n): TenantAccessControlDeps {\r\n const client = config.client ?? new DynamoDBClient({});\r\n\r\n return {\r\n tenantMemberRepository: new DynamoDBTenantMemberRepository(client, config.tableName),\r\n sessionRepository: new DynamoDBSessionRepository(client, config.tableName),\r\n };\r\n}\r\n\r\n// Export config type\r\nexport type { TenantAccessDynamoDBConfig } from './config';\r\n\r\n// Export repositories for advanced use cases\r\nexport { DynamoDBTenantMemberRepository } from './dynamodb-tenant-member-repo';\r\nexport { DynamoDBSessionRepository } from './dynamodb-session-repo';\r\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "name": "@auth-craft/tenant-access-control-dynamodb",
+  "version": "0.0.1",
+  "license": "MIT",
+  "description": "DynamoDB implementation for tenant-access-control",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "type-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@auth-craft/tenant-access-control": "workspace:*",
+    "@auth-craft/database-plugin-dynamodb": "workspace:*",
+    "@aws-sdk/client-dynamodb": "^3.600.0",
+    "@aws-sdk/lib-dynamodb": "^3.600.0",
+    "ts-micro-result": "^2.2.0"
+  },
+  "devDependencies": {
+    "@auth-craft/tsup-config": "workspace:*",
+    "@types/node": "^22.10.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2"
+  }
+}