npm - @authhero/multi-tenancy - Versions diffs - 13.12.0 → 13.13.0 - Mend

@authhero/multi-tenancy 13.12.0 → 13.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.d.ts +55 -0
package/dist/multi-tenancy.mjs +156 -156
package/package.json +4 -4

package/dist/multi-tenancy.cjs CHANGED Viewed

	@@ -1 +1 @@
1	- "use strict";var Z=Object.defineProperty;var H=(e,t,s)=>t in e?Z(e,t,{enumerable:!0,configurable:!0,writable:!0,value:s}):e[t]=s;var F=(e,t,s)=>H(e,typeof t!="symbol"?t+"":t,s);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const N=require("hono"),T=require("authhero"),C=require("@hono/zod-openapi"),I=require("@authhero/adapter-interfaces");var v=class extends Error{constructor(t=500,s){super(s==null?void 0:s.message,{cause:s==null?void 0:s.cause});F(this,"res");F(this,"status");this.res=s==null?void 0:s.res,this.status=t}getResponse(){return this.res?new Response(this.res.body,{status:this.status,headers:this.res.headers}):new Response(this.message,{status:this.status})}};function U(e){const{controlPlaneTenantId:t,requireOrganizationMatch:s=!0}=e;return{async onTenantAccessValidation(a,i){if(i===t)return!0;if(s){const n=a.var.org_name,u=a.var.organization_id,l=n\|\|u;return l?l===i:!1}return!0}}}function E(e,t,s,a){if(t===s)return!0;const i=a\|\|e;return i?i===t:!1}function K(e){return{async resolveDataAdapters(t){try{return await e.getAdapters(t)}catch(s){console.error(`Failed to resolve data adapters for tenant ${t}:`,s);return}}}}function G(e){return{async beforeCreate(t,s){return!s.audience&&s.id?{...s,audience:T.getTenantAudience(s.id)}:s},async afterCreate(t,s){const{accessControl:a,databaseIsolation:i,settingsInheritance:n}=e;a&&t.ctx&&await x(t,s,a),i!=null&&i.onProvision&&await i.onProvision(s.id),(n==null?void 0:n.inheritFromControlPlane)!==!1&&t.ctx&&await ae(t,s,e)},async beforeDelete(t,s){const{accessControl:a,databaseIsolation:i}=e;if(a)try{const u=(await t.adapters.organizations.list(a.controlPlaneTenantId)).organizations.find(l=>l.name===s);u&&await t.adapters.organizations.remove(a.controlPlaneTenantId,u.id)}catch(n){console.warn(`Failed to remove organization for tenant ${s}:`,n)}if(i!=null&&i.onDeprovision)try{await i.onDeprovision(s)}catch(n){console.warn(`Failed to deprovision database for tenant ${s}:`,n)}}}}async function x(e,t,s){const{controlPlaneTenantId:a,defaultPermissions:i,defaultRoles:n,issuer:u,adminRoleName:l="Tenant Admin",adminRoleDescription:c="Full access to all tenant management operations",addCreatorToOrganization:r=!0}=s,f=await e.adapters.organizations.create(a,{name:t.id,display_name:t.friendly_name\|\|t.id});let d;if(u&&(d=await te(e,a,l,c)),r&&e.ctx){const o=e.ctx.var.user;if(o!=null&&o.sub&&!await ee(e,a,o.sub))try{await e.adapters.userOrganizations.create(a,{user_id:o.sub,organization_id:f.id}),d&&await e.adapters.userRoles.create(a,o.sub,d,f.id)}catch(g){console.warn(`Failed to add creator ${o.sub} to organization ${f.id}:`,g)}}n&&n.length>0&&console.log(`Would assign roles ${n.join(", ")} to organization ${f.id}`),i&&i.length>0&&console.log(`Would grant permissions ${i.join(", ")} to organization ${f.id}`)}async function ee(e,t,s){const a=await e.adapters.userRoles.list(t,s,void 0,"");for(const i of a)if((await e.adapters.rolePermissions.list(t,i.id,{per_page:1e3})).some(l=>l.permission_name==="admin:organizations"))return!0;return!1}async function te(e,t,s,a){const n=(await e.adapters.roles.list(t,{})).roles.find(r=>r.name===s);if(n)return n.id;const u=await e.adapters.roles.create(t,{name:s,description:a}),l=T.MANAGEMENT_API_AUDIENCE,c=T.MANAGEMENT_API_SCOPES.map(r=>({role_id:u.id,resource_server_identifier:l,permission_name:r.value}));return await e.adapters.rolePermissions.assign(t,u.id,c),u.id}async function ae(e,t,s){const{accessControl:a,settingsInheritance:i}=s;if(!a)return;const n=await e.adapters.tenants.get(a.controlPlaneTenantId);if(!n)return;let u={...n};const l=["id","created_at","updated_at","friendly_name","audience","sender_email","sender_name"];for(const c of l)delete u[c];if(i!=null&&i.inheritedKeys){const c={};for(const r of i.inheritedKeys)r in n&&!l.includes(r)&&(c[r]=n[r]);u=c}if(i!=null&&i.excludedKeys)for(const c of i.excludedKeys)delete u[c];i!=null&&i.transformSettings&&(u=i.transformSettings(u,t.id)),Object.keys(u).length>0&&await e.adapters.tenants.update(t.id,u)}function B(e){const{controlPlaneTenantId:t,getChildTenantIds:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;async function u(r,f,d){return(await r.resourceServers.list(f,{q:`identifier:${d}`,per_page:1})).resource_servers[0]??null}async function l(r,f){const d=await s();await Promise.all(d.map(async o=>{try{const p=await a(o),h={...n?n(r,o):{name:r.name,identifier:r.identifier,scopes:r.scopes,signing_alg:r.signing_alg,signing_secret:r.signing_secret,token_lifetime:r.token_lifetime,token_lifetime_for_web:r.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:r.skip_consent_for_verifiable_first_party_clients,allow_offline_access:r.allow_offline_access,verificationKey:r.verificationKey,options:r.options},is_system:!0};if(f==="create"){const A=await u(p,o,r.identifier);A&&A.id?await p.resourceServers.update(o,A.id,h):await p.resourceServers.create(o,h)}else{const A=await u(p,o,r.identifier);A&&A.id?await p.resourceServers.update(o,A.id,h):await p.resourceServers.create(o,h)}}catch(p){console.error(`Failed to sync resource server "${r.identifier}" to tenant "${o}":`,p)}}))}async function c(r){const f=await s();await Promise.all(f.map(async d=>{try{const o=await a(d),p=await u(o,d,r);p&&p.id&&await o.resourceServers.remove(d,p.id)}catch(o){console.error(`Failed to delete resource server "${r}" from tenant "${d}":`,o)}}))}return{afterCreate:async(r,f)=>{r.tenantId===t&&i(f)&&await l(f,"create")},afterUpdate:async(r,f,d)=>{r.tenantId===t&&i(d)&&await l(d,"update")},afterDelete:async(r,f)=>{r.tenantId===t&&await c(f)}}}function W(e){const{controlPlaneTenantId:t,getControlPlaneAdapters:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;return{async afterCreate(u,l){if(l.id!==t)try{const c=await s(),r=await a(l.id),f=await T.fetchAll(d=>c.resourceServers.list(t,d),"resource_servers",{cursorField:"id",pageSize:100});await Promise.all(f.filter(d=>i(d)).map(async d=>{const o=d;try{const p=n?n(o,l.id):{name:o.name,identifier:o.identifier,scopes:o.scopes,signing_alg:o.signing_alg,signing_secret:o.signing_secret,token_lifetime:o.token_lifetime,token_lifetime_for_web:o.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:o.skip_consent_for_verifiable_first_party_clients,allow_offline_access:o.allow_offline_access,verificationKey:o.verificationKey,options:o.options};await r.resourceServers.create(l.id,{...p,is_system:!0})}catch(p){console.error(`Failed to sync resource server "${o.identifier}" to new tenant "${l.id}":`,p)}}))}catch(c){console.error(`Failed to sync resource servers to new tenant "${l.id}":`,c)}}}}function L(e){const{controlPlaneTenantId:t,getChildTenantIds:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;async function u(c,r,f){return(await c.roles.list(r,{q:`name:${f}`,per_page:1})).roles[0]??null}async function l(c,r){const f=await s();await Promise.all(f.map(async d=>{try{const o=await a(d),g={...n?n(c,d):{name:c.name,description:c.description},is_system:!0};if(r==="create"){const h=await u(o,d,c.name);h&&h.id?await o.roles.update(d,h.id,g):await o.roles.create(d,g)}else{const h=await u(o,d,c.name);h&&h.id?await o.roles.update(d,h.id,g):await o.roles.create(d,g)}}catch(o){console.error(`Failed to sync role "${c.name}" to tenant "${d}":`,o)}}))}return{afterCreate:async(c,r)=>{c.tenantId===t&&i(r)&&await l(r,"create")},afterUpdate:async(c,r,f)=>{c.tenantId===t&&i(f)&&await l(f,"update")},afterDelete:async(c,r)=>{c.tenantId===t&&console.warn(`Role ${r} was deleted from control plane. Child tenant roles with matching names should be deleted manually or implement role name tracking.`)}}}function Q(e){const{controlPlaneTenantId:t,getControlPlaneAdapters:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n,syncPermissions:u=!0}=e;return{async afterCreate(l,c){if(c.id!==t)try{const r=await s(),f=await a(c.id),d=await T.fetchAll(p=>r.roles.list(t,p),"roles",{cursorField:"id",pageSize:100}),o=new Map;if(await Promise.all(d.filter(p=>i(p)).map(async p=>{const g=p;try{const h=n?n(g,c.id):{name:g.name,description:g.description},A=await f.roles.create(c.id,{...h,is_system:!0});o.set(g.id,A.id)}catch(h){console.error(`Failed to sync role "${g.name}" to new tenant "${c.id}":`,h)}})),u)for(const[p,g]of o)try{const h=await r.rolePermissions.list(t,p,{});h.length>0&&await f.rolePermissions.assign(c.id,g,h.map(A=>({role_id:g,resource_server_identifier:A.resource_server_identifier,permission_name:A.permission_name})))}catch(h){console.error(`Failed to sync permissions for role to new tenant "${c.id}":`,h)}}catch(r){console.error(`Failed to sync roles to new tenant "${c.id}":`,r)}}}}function O(e,t){const s=new C.OpenAPIHono;return s.openapi(C.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:I.auth0QuerySchema},security:[{Bearer:[]}],responses:{200:{content:{"application/json":{schema:C.z.object({tenants:C.z.array(I.tenantSchema),start:C.z.number().optional(),limit:C.z.number().optional(),length:C.z.number().optional()})}},description:"List of tenants"}}}),async a=>{var p,g,h,A;const i=a.req.valid("query"),{page:n,per_page:u,include_totals:l,q:c}=i,r=a.var.user,f=((r==null?void 0:r.scope)\|\|"").split(" "),d=f.includes("auth:read");if(console.log("User scopes:",f,"hasAuthRead:",d),d){const S=await a.env.data.tenants.list({page:n,per_page:u,include_totals:l,q:c});return l?a.json({tenants:S.tenants,start:((p=S.totals)==null?void 0:p.start)??0,limit:((g=S.totals)==null?void 0:g.limit)??u,length:S.tenants.length}):a.json({tenants:S.tenants})}if(e.accessControl&&(r!=null&&r.sub)){const S=e.accessControl.controlPlaneTenantId,R=(await T.fetchAll(M=>a.env.data.userOrganizations.listUserOrganizations(S,r.sub,M),"organizations")).map(M=>M.name);if(R.length===0)return l?a.json({tenants:[],start:0,limit:u??50,length:0}):a.json({tenants:[]});const $=R.length,D=n??0,P=u??50,w=DP,m=R.slice(w,w+P);if(m.length===0)return l?a.json({tenants:[],start:w,limit:P,length:$}):a.json({tenants:[]});const y=m.map(M=>`id:${M}`).join(" OR "),_=c?`(${y}) AND (${c})`:y,b=await a.env.data.tenants.list({q:_,per_page:P,include_totals:!1});return l?a.json({tenants:b.tenants,start:w,limit:P,length:$}):a.json({tenants:b.tenants})}const o=await a.env.data.tenants.list({page:n,per_page:u,include_totals:l,q:c});return l?a.json({tenants:o.tenants,start:((h=o.totals)==null?void 0:h.start)??0,limit:((A=o.totals)==null?void 0:A.limit)??u,length:o.tenants.length}):a.json({tenants:o.tenants})}),s.openapi(C.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:I.tenantInsertSchema}}}},security:[{Bearer:[]}],responses:{201:{content:{"application/json":{schema:I.tenantSchema}},description:"Tenant created"},400:{description:"Validation error"},409:{description:"Tenant with this ID already exists"}}}),async a=>{var c,r;const i=a.var.user;if(!(i!=null&&i.sub))throw new v(401,{message:"Authentication required to create tenants"});let n=a.req.valid("json");const u={adapters:a.env.data,ctx:a};(c=t.tenants)!=null&&c.beforeCreate&&(n=await t.tenants.beforeCreate(u,n));const l=await a.env.data.tenants.create(n);return(r=t.tenants)!=null&&r.afterCreate&&await t.tenants.afterCreate(u,l),a.json(l,201)}),s.openapi(C.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:C.z.object({id:C.z.string()})},security:[{Bearer:["delete:tenants"]}],responses:{204:{description:"Tenant deleted"},403:{description:"Access denied or cannot delete the control plane"},404:{description:"Tenant not found"}}}),async a=>{var l,c;const{id:i}=a.req.valid("param");if(e.accessControl){const r=a.var.user,f=e.accessControl.controlPlaneTenantId;if(!(r!=null&&r.sub))throw new v(401,{message:"Authentication required"});if(i===f)throw new v(403,{message:"Cannot delete the control plane"});if(!(await T.fetchAll(p=>a.env.data.userOrganizations.listUserOrganizations(f,r.sub,p),"organizations")).some(p=>p.name===i))throw new v(403,{message:"Access denied to this tenant"})}if(!await a.env.data.tenants.get(i))throw new v(404,{message:"Tenant not found"});const u={adapters:a.env.data,ctx:a};return(l=t.tenants)!=null&&l.beforeDelete&&await t.tenants.beforeDelete(u,i),await a.env.data.tenants.remove(i),(c=t.tenants)!=null&&c.afterDelete&&await t.tenants.afterDelete(u,i),a.body(null,204)}),s}function ne(e){const t=[{pattern:/\/api\/v2\/resource-servers\/([^/]+)$/,type:"resource_server"},{pattern:/\/api\/v2\/roles\/([^/]+)$/,type:"role"},{pattern:/\/api\/v2\/connections\/([^/]+)$/,type:"connection"}];for(const{pattern:s,type:a}of t){const i=e.match(s);if(i&&i[1])return{type:a,id:i[1]}}return null}async function re(e,t,s){try{switch(s.type){case"resource_server":{const a=await e.resourceServers.get(t,s.id);return(a==null?void 0:a.is_system)===!0}case"role":{const a=await e.roles.get(t,s.id);return(a==null?void 0:a.is_system)===!0}case"connection":{const a=await e.connections.get(t,s.id);return(a==null?void 0:a.is_system)===!0}default:return!1}}catch{return!1}}function se(e){return{resource_server:"resource server",role:"role",connection:"connection"}[e]}function V(){return async(e,t)=>{if(!["PATCH","PUT","DELETE"].includes(e.req.method))return t();const s=ne(e.req.path);if(!s)return t();const a=e.var.tenant_id\|\|e.req.header("x-tenant-id")\|\|e.req.header("tenant-id");if(!a)return t();if(await re(e.env.data,a,s))throw new v(403,{message:`This ${se(s.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`});return t()}}function k(e){return async(t,s)=>{if(!e.accessControl)return s();const a=t.var.tenant_id,i=t.var.organization_id;if(!a)throw new v(400,{message:"Tenant ID not found in request"});if(!E(i,a,e.accessControl.controlPlaneTenantId))throw new v(403,{message:`Access denied to tenant ${a}`});return s()}}function J(e){return async(t,s)=>{if(!e.subdomainRouting)return s();const{baseDomain:a,reservedSubdomains:i=[],resolveSubdomain:n}=e.subdomainRouting,u=t.req.header("host")\|\|"";let l=null;if(u.endsWith(a)){const r=u.slice(0,-(a.length+1));r&&!r.includes(".")&&(l=r)}if(l&&i.includes(l)&&(l=null),!l)return e.accessControl&&t.set("tenant_id",e.accessControl.controlPlaneTenantId),s();let c=null;if(n)c=await n(l);else if(e.subdomainRouting.useOrganizations!==!1&&e.accessControl)try{const r=await t.env.data.organizations.get(e.accessControl.controlPlaneTenantId,l);r&&(c=r.id)}catch{}if(!c)throw new v(404,{message:`Tenant not found for subdomain: ${l}`});return t.set("tenant_id",c),s()}}function X(e){return async(t,s)=>{if(!e.databaseIsolation)return s();const a=t.var.tenant_id;if(!a)throw new v(400,{message:"Tenant ID not found in request"});try{const i=await e.databaseIsolation.getAdapters(a);t.env.data=i}catch(i){throw console.error(`Failed to resolve database for tenant ${a}:`,i),new v(500,{message:"Failed to resolve tenant database"})}return s()}}function j(e){const t=J(e),s=k(e),a=X(e);return async(i,n)=>(await t(i,async()=>{}),await s(i,async()=>{}),await a(i,async()=>{}),n())}function ie(e){const t=z(e);return{name:"multi-tenancy",middleware:j(e),hooks:t,routes:[{path:"/management",handler:O(e,t)}],onRegister:async()=>{console.log("Multi-tenancy plugin registered"),e.accessControl&&console.log(` - Access control enabled (control plane: ${e.accessControl.controlPlaneTenantId})`),e.subdomainRouting&&console.log(` - Subdomain routing enabled (base domain: ${e.subdomainRouting.baseDomain})`),e.databaseIsolation&&console.log(" - Database isolation enabled")}}}function z(e){const t=e.accessControl?U(e.accessControl):{},s=e.databaseIsolation?K(e.databaseIsolation):{},a=G(e);return{...t,...s,tenants:a}}function Y(e){const t=new N.Hono,s=z(e);return t.route("/tenants",O(e,s)),t}function oe(e){return{hooks:z(e),middleware:j(e),app:Y(e),config:e}}function ce(e){const{controlPlaneTenantId:t="control_plane",syncResourceServers:s=!0,syncRoles:a=!0,multiTenancy:i,entityHooks:n,...u}=e,l={...i,accessControl:{controlPlaneTenantId:t,requireOrganizationMatch:!1,defaultPermissions:["tenant:admin"],...i==null?void 0:i.accessControl}},c=z(l);let r,f;s&&(r=B({controlPlaneTenantId:t,getChildTenantIds:async()=>(await T.fetchAll(m=>e.dataAdapter.tenants.list(m),"tenants",{cursorField:"id",pageSize:100})).filter(m=>m.id!==t).map(m=>m.id),getAdapters:async w=>e.dataAdapter}),f=W({controlPlaneTenantId:t,getControlPlaneAdapters:async()=>e.dataAdapter,getAdapters:async w=>e.dataAdapter}));let d,o;a&&(d=L({controlPlaneTenantId:t,getChildTenantIds:async()=>(await T.fetchAll(m=>e.dataAdapter.tenants.list(m),"tenants",{cursorField:"id",pageSize:100})).filter(m=>m.id!==t).map(m=>m.id),getAdapters:async w=>e.dataAdapter}),o=Q({controlPlaneTenantId:t,getControlPlaneAdapters:async()=>e.dataAdapter,getAdapters:async w=>e.dataAdapter,syncPermissions:!0}));const p=async(w,m,...y)=>{const _=[];if(w)try{await w(...y)}catch(b){_.push(b instanceof Error?b:new Error(String(b)))}if(m)try{await m(...y)}catch(b){_.push(b instanceof Error?b:new Error(String(b)))}if(_.length===1)throw _[0];if(_.length>1)throw new AggregateError(_,`Multiple hook errors: ${_.map(b=>b.message).join("; ")}`)},g=async(w,...m)=>{const y=[];for(const _ of w)if(_)try{await _(...m)}catch(b){y.push(b instanceof Error?b:new Error(String(b)))}if(y.length===1)throw y[0];if(y.length>1)throw new AggregateError(y,`Multiple hook errors: ${y.map(_=>_.message).join("; ")}`)},h={...n,resourceServers:r?{...n==null?void 0:n.resourceServers,afterCreate:async(w,m)=>{var y;await p((y=n==null?void 0:n.resourceServers)==null?void 0:y.afterCreate,r==null?void 0:r.afterCreate,w,m)},afterUpdate:async(w,m,y)=>{var _;await p((_=n==null?void 0:n.resourceServers)==null?void 0:_.afterUpdate,r==null?void 0:r.afterUpdate,w,m,y)},afterDelete:async(w,m)=>{var y;await p((y=n==null?void 0:n.resourceServers)==null?void 0:y.afterDelete,r==null?void 0:r.afterDelete,w,m)}}:n==null?void 0:n.resourceServers,roles:d?{...n==null?void 0:n.roles,afterCreate:async(w,m)=>{var y;await p((y=n==null?void 0:n.roles)==null?void 0:y.afterCreate,d==null?void 0:d.afterCreate,w,m)},afterUpdate:async(w,m,y)=>{var _;await p((_=n==null?void 0:n.roles)==null?void 0:_.afterUpdate,d==null?void 0:d.afterUpdate,w,m,y)},afterDelete:async(w,m)=>{var y;await p((y=n==null?void 0:n.roles)==null?void 0:y.afterDelete,d==null?void 0:d.afterDelete,w,m)}}:n==null?void 0:n.roles,tenants:f\|\|o?{...n==null?void 0:n.tenants,afterCreate:async(w,m)=>{var y;await g([(y=n==null?void 0:n.tenants)==null?void 0:y.afterCreate,f==null?void 0:f.afterCreate,o==null?void 0:o.afterCreate],w,m)}}:n==null?void 0:n.tenants},A={...c,tenants:f\|\|o?{...c.tenants,afterCreate:async(w,m)=>{var y;(y=c.tenants)!=null&&y.afterCreate&&await c.tenants.afterCreate(w,m),await g([f==null?void 0:f.afterCreate,o==null?void 0:o.afterCreate],w,m)}}:c.tenants},S=O(l,A),q=T.init({...u,entityHooks:h,managementApiExtensions:[...u.managementApiExtensions\|\|[],{path:"/tenants",router:S}]}),{app:R,managementApp:$,...D}=q,P=new N.Hono;return P.onError((w,m)=>w instanceof v?w.getResponse():(console.error(w),m.json({message:"Internal Server Error"},500))),P.use("/api/v2/",V()),P.route("/",R),{app:P,managementApp:$,...D,multiTenancyConfig:l,multiTenancyHooks:c}}Object.defineProperty(exports,"MANAGEMENT_API_SCOPES",{enumerable:!0,get:()=>T.MANAGEMENT_API_SCOPES});Object.defineProperty(exports,"fetchAll",{enumerable:!0,get:()=>T.fetchAll});Object.defineProperty(exports,"seed",{enumerable:!0,get:()=>T.seed});exports.createAccessControlHooks=U;exports.createAccessControlMiddleware=k;exports.createDatabaseHooks=K;exports.createDatabaseMiddleware=X;exports.createMultiTenancy=Y;exports.createMultiTenancyHooks=z;exports.createMultiTenancyMiddleware=j;exports.createMultiTenancyPlugin=ie;exports.createProtectSyncedMiddleware=V;exports.createProvisioningHooks=G;exports.createResourceServerSyncHooks=B;exports.createRoleSyncHooks=L;exports.createSubdomainMiddleware=J;exports.createTenantResourceServerSyncHooks=W;exports.createTenantRoleSyncHooks=Q;exports.createTenantsOpenAPIRouter=O;exports.init=ce;exports.setupMultiTenancy=oe;exports.validateTenantAccess=E;
1	+ "use strict";var Z=Object.defineProperty;var H=(e,t,s)=>t in e?Z(e,t,{enumerable:!0,configurable:!0,writable:!0,value:s}):e[t]=s;var D=(e,t,s)=>H(e,typeof t!="symbol"?t+"":t,s);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const N=require("hono"),T=require("authhero"),C=require("@hono/zod-openapi"),I=require("@authhero/adapter-interfaces");var v=class extends Error{constructor(t=500,s){super(s==null?void 0:s.message,{cause:s==null?void 0:s.cause});D(this,"res");D(this,"status");this.res=s==null?void 0:s.res,this.status=t}getResponse(){return this.res?new Response(this.res.body,{status:this.status,headers:this.res.headers}):new Response(this.message,{status:this.status})}};function U(e){const{controlPlaneTenantId:t,requireOrganizationMatch:s=!0}=e;return{async onTenantAccessValidation(a,i){if(i===t)return!0;if(s){const n=a.var.org_name,d=a.var.organization_id,l=n\|\|d;return l?l===i:!1}return!0}}}function E(e,t,s,a){if(t===s)return!0;const i=a\|\|e;return i?i===t:!1}function K(e){return{async resolveDataAdapters(t){try{return await e.getAdapters(t)}catch(s){console.error(`Failed to resolve data adapters for tenant ${t}:`,s);return}}}}function G(e){return{async beforeCreate(t,s){return!s.audience&&s.id?{...s,audience:T.getTenantAudience(s.id)}:s},async afterCreate(t,s){const{accessControl:a,databaseIsolation:i,settingsInheritance:n}=e;a&&t.ctx&&await x(t,s,a),i!=null&&i.onProvision&&await i.onProvision(s.id),(n==null?void 0:n.inheritFromControlPlane)!==!1&&t.ctx&&await ae(t,s,e)},async beforeDelete(t,s){const{accessControl:a,databaseIsolation:i}=e;if(a)try{const d=(await t.adapters.organizations.list(a.controlPlaneTenantId)).organizations.find(l=>l.name===s);d&&await t.adapters.organizations.remove(a.controlPlaneTenantId,d.id)}catch(n){console.warn(`Failed to remove organization for tenant ${s}:`,n)}if(i!=null&&i.onDeprovision)try{await i.onDeprovision(s)}catch(n){console.warn(`Failed to deprovision database for tenant ${s}:`,n)}}}}async function x(e,t,s){const{controlPlaneTenantId:a,defaultPermissions:i,defaultRoles:n,issuer:d,adminRoleName:l="Tenant Admin",adminRoleDescription:c="Full access to all tenant management operations",addCreatorToOrganization:r=!0}=s,f=await e.adapters.organizations.create(a,{name:t.id,display_name:t.friendly_name\|\|t.id});let u;if(d&&(u=await te(e,a,l,c)),r&&e.ctx){const o=e.ctx.var.user;if(o!=null&&o.sub&&!await ee(e,a,o.sub))try{await e.adapters.userOrganizations.create(a,{user_id:o.sub,organization_id:f.id}),u&&await e.adapters.userRoles.create(a,o.sub,u,f.id)}catch(g){console.warn(`Failed to add creator ${o.sub} to organization ${f.id}:`,g)}}n&&n.length>0&&console.log(`Would assign roles ${n.join(", ")} to organization ${f.id}`),i&&i.length>0&&console.log(`Would grant permissions ${i.join(", ")} to organization ${f.id}`)}async function ee(e,t,s){const a=await e.adapters.userRoles.list(t,s,void 0,"");for(const i of a)if((await e.adapters.rolePermissions.list(t,i.id,{per_page:1e3})).some(l=>l.permission_name==="admin:organizations"))return!0;return!1}async function te(e,t,s,a){const n=(await e.adapters.roles.list(t,{})).roles.find(r=>r.name===s);if(n)return n.id;const d=await e.adapters.roles.create(t,{name:s,description:a}),l=T.MANAGEMENT_API_AUDIENCE,c=T.MANAGEMENT_API_SCOPES.map(r=>({role_id:d.id,resource_server_identifier:l,permission_name:r.value}));return await e.adapters.rolePermissions.assign(t,d.id,c),d.id}async function ae(e,t,s){const{accessControl:a,settingsInheritance:i}=s;if(!a)return;const n=await e.adapters.tenants.get(a.controlPlaneTenantId);if(!n)return;let d={...n};const l=["id","created_at","updated_at","friendly_name","audience","sender_email","sender_name"];for(const c of l)delete d[c];if(i!=null&&i.inheritedKeys){const c={};for(const r of i.inheritedKeys)r in n&&!l.includes(r)&&(c[r]=n[r]);d=c}if(i!=null&&i.excludedKeys)for(const c of i.excludedKeys)delete d[c];i!=null&&i.transformSettings&&(d=i.transformSettings(d,t.id)),Object.keys(d).length>0&&await e.adapters.tenants.update(t.id,d)}function B(e){const{controlPlaneTenantId:t,getChildTenantIds:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;async function d(r,f,u){return(await r.resourceServers.list(f,{q:`identifier:${u}`,per_page:1})).resource_servers[0]??null}async function l(r,f){const u=await s();await Promise.all(u.map(async o=>{try{const p=await a(o),h={...n?n(r,o):{name:r.name,identifier:r.identifier,scopes:r.scopes,signing_alg:r.signing_alg,signing_secret:r.signing_secret,token_lifetime:r.token_lifetime,token_lifetime_for_web:r.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:r.skip_consent_for_verifiable_first_party_clients,allow_offline_access:r.allow_offline_access,verificationKey:r.verificationKey,options:r.options},is_system:!0};if(f==="create"){const A=await d(p,o,r.identifier);A&&A.id?await p.resourceServers.update(o,A.id,h):await p.resourceServers.create(o,h)}else{const A=await d(p,o,r.identifier);A&&A.id?await p.resourceServers.update(o,A.id,h):await p.resourceServers.create(o,h)}}catch(p){console.error(`Failed to sync resource server "${r.identifier}" to tenant "${o}":`,p)}}))}async function c(r){const f=await s();await Promise.all(f.map(async u=>{try{const o=await a(u),p=await d(o,u,r);p&&p.id&&await o.resourceServers.remove(u,p.id)}catch(o){console.error(`Failed to delete resource server "${r}" from tenant "${u}":`,o)}}))}return{afterCreate:async(r,f)=>{r.tenantId===t&&i(f)&&await l(f,"create")},afterUpdate:async(r,f,u)=>{r.tenantId===t&&i(u)&&await l(u,"update")},afterDelete:async(r,f)=>{r.tenantId===t&&await c(f)}}}function W(e){const{controlPlaneTenantId:t,getControlPlaneAdapters:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;return{async afterCreate(d,l){if(l.id!==t)try{const c=await s(),r=await a(l.id),f=await T.fetchAll(u=>c.resourceServers.list(t,u),"resource_servers",{cursorField:"id",pageSize:100});await Promise.all(f.filter(u=>i(u)).map(async u=>{const o=u;try{const p=n?n(o,l.id):{name:o.name,identifier:o.identifier,scopes:o.scopes,signing_alg:o.signing_alg,signing_secret:o.signing_secret,token_lifetime:o.token_lifetime,token_lifetime_for_web:o.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:o.skip_consent_for_verifiable_first_party_clients,allow_offline_access:o.allow_offline_access,verificationKey:o.verificationKey,options:o.options};await r.resourceServers.create(l.id,{...p,is_system:!0})}catch(p){console.error(`Failed to sync resource server "${o.identifier}" to new tenant "${l.id}":`,p)}}))}catch(c){console.error(`Failed to sync resource servers to new tenant "${l.id}":`,c)}}}}function L(e){const{controlPlaneTenantId:t,getChildTenantIds:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n}=e;async function d(c,r,f){return(await c.roles.list(r,{q:`name:${f}`,per_page:1})).roles[0]??null}async function l(c,r){const f=await s();await Promise.all(f.map(async u=>{try{const o=await a(u),g={...n?n(c,u):{name:c.name,description:c.description},is_system:!0};if(r==="create"){const h=await d(o,u,c.name);h&&h.id?await o.roles.update(u,h.id,g):await o.roles.create(u,g)}else{const h=await d(o,u,c.name);h&&h.id?await o.roles.update(u,h.id,g):await o.roles.create(u,g)}}catch(o){console.error(`Failed to sync role "${c.name}" to tenant "${u}":`,o)}}))}return{afterCreate:async(c,r)=>{c.tenantId===t&&i(r)&&await l(r,"create")},afterUpdate:async(c,r,f)=>{c.tenantId===t&&i(f)&&await l(f,"update")},afterDelete:async(c,r)=>{c.tenantId===t&&console.warn(`Role ${r} was deleted from control plane. Child tenant roles with matching names should be deleted manually or implement role name tracking.`)}}}function Q(e){const{controlPlaneTenantId:t,getControlPlaneAdapters:s,getAdapters:a,shouldSync:i=()=>!0,transformForSync:n,syncPermissions:d=!0}=e;return{async afterCreate(l,c){if(c.id!==t)try{const r=await s(),f=await a(c.id),u=await T.fetchAll(p=>r.roles.list(t,p),"roles",{cursorField:"id",pageSize:100}),o=new Map;if(await Promise.all(u.filter(p=>i(p)).map(async p=>{const g=p;try{const h=n?n(g,c.id):{name:g.name,description:g.description},A=await f.roles.create(c.id,{...h,is_system:!0});o.set(g.id,A.id)}catch(h){console.error(`Failed to sync role "${g.name}" to new tenant "${c.id}":`,h)}})),d)for(const[p,g]of o)try{const h=await r.rolePermissions.list(t,p,{});h.length>0&&await f.rolePermissions.assign(c.id,g,h.map(A=>({role_id:g,resource_server_identifier:A.resource_server_identifier,permission_name:A.permission_name})))}catch(h){console.error(`Failed to sync permissions for role to new tenant "${c.id}":`,h)}}catch(r){console.error(`Failed to sync roles to new tenant "${c.id}":`,r)}}}}function O(e,t){const s=new C.OpenAPIHono;return s.openapi(C.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:I.auth0QuerySchema},security:[{Bearer:[]}],responses:{200:{content:{"application/json":{schema:C.z.object({tenants:C.z.array(I.tenantSchema),start:C.z.number().optional(),limit:C.z.number().optional(),length:C.z.number().optional()})}},description:"List of tenants"}}}),async a=>{var p,g,h,A;const i=a.req.valid("query"),{page:n,per_page:d,include_totals:l,q:c}=i,r=a.var.user,f=(r==null?void 0:r.permissions)\|\|[];if(f.includes("auth:read")\|\|f.includes("admin:organizations")){const S=await a.env.data.tenants.list({page:n,per_page:d,include_totals:l,q:c});return l?a.json({tenants:S.tenants,start:((p=S.totals)==null?void 0:p.start)??0,limit:((g=S.totals)==null?void 0:g.limit)??d,length:S.tenants.length}):a.json({tenants:S.tenants})}if(e.accessControl&&(r!=null&&r.sub)){const S=e.accessControl.controlPlaneTenantId,z=(await T.fetchAll(M=>a.env.data.userOrganizations.listUserOrganizations(S,r.sub,M),"organizations")).map(M=>M.name);if(z.length===0)return l?a.json({tenants:[],start:0,limit:d??50,length:0}):a.json({tenants:[]});const $=z.length,F=n??0,P=d??50,w=FP,m=z.slice(w,w+P);if(m.length===0)return l?a.json({tenants:[],start:w,limit:P,length:$}):a.json({tenants:[]});const y=m.map(M=>`id:${M}`).join(" OR "),_=c?`(${y}) AND (${c})`:y,b=await a.env.data.tenants.list({q:_,per_page:P,include_totals:!1});return l?a.json({tenants:b.tenants,start:w,limit:P,length:$}):a.json({tenants:b.tenants})}const o=await a.env.data.tenants.list({page:n,per_page:d,include_totals:l,q:c});return l?a.json({tenants:o.tenants,start:((h=o.totals)==null?void 0:h.start)??0,limit:((A=o.totals)==null?void 0:A.limit)??d,length:o.tenants.length}):a.json({tenants:o.tenants})}),s.openapi(C.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:I.tenantInsertSchema}}}},security:[{Bearer:[]}],responses:{201:{content:{"application/json":{schema:I.tenantSchema}},description:"Tenant created"},400:{description:"Validation error"},409:{description:"Tenant with this ID already exists"}}}),async a=>{var c,r;const i=a.var.user;if(!(i!=null&&i.sub))throw new v(401,{message:"Authentication required to create tenants"});let n=a.req.valid("json");const d={adapters:a.env.data,ctx:a};(c=t.tenants)!=null&&c.beforeCreate&&(n=await t.tenants.beforeCreate(d,n));const l=await a.env.data.tenants.create(n);return(r=t.tenants)!=null&&r.afterCreate&&await t.tenants.afterCreate(d,l),a.json(l,201)}),s.openapi(C.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:C.z.object({id:C.z.string()})},security:[{Bearer:["delete:tenants"]}],responses:{204:{description:"Tenant deleted"},403:{description:"Access denied or cannot delete the control plane"},404:{description:"Tenant not found"}}}),async a=>{var l,c;const{id:i}=a.req.valid("param");if(e.accessControl){const r=a.var.user,f=e.accessControl.controlPlaneTenantId;if(!(r!=null&&r.sub))throw new v(401,{message:"Authentication required"});if(i===f)throw new v(403,{message:"Cannot delete the control plane"});if(!(await T.fetchAll(p=>a.env.data.userOrganizations.listUserOrganizations(f,r.sub,p),"organizations")).some(p=>p.name===i))throw new v(403,{message:"Access denied to this tenant"})}if(!await a.env.data.tenants.get(i))throw new v(404,{message:"Tenant not found"});const d={adapters:a.env.data,ctx:a};return(l=t.tenants)!=null&&l.beforeDelete&&await t.tenants.beforeDelete(d,i),await a.env.data.tenants.remove(i),(c=t.tenants)!=null&&c.afterDelete&&await t.tenants.afterDelete(d,i),a.body(null,204)}),s}function ne(e){const t=[{pattern:/\/api\/v2\/resource-servers\/([^/]+)$/,type:"resource_server"},{pattern:/\/api\/v2\/roles\/([^/]+)$/,type:"role"},{pattern:/\/api\/v2\/connections\/([^/]+)$/,type:"connection"}];for(const{pattern:s,type:a}of t){const i=e.match(s);if(i&&i[1])return{type:a,id:i[1]}}return null}async function re(e,t,s){try{switch(s.type){case"resource_server":{const a=await e.resourceServers.get(t,s.id);return(a==null?void 0:a.is_system)===!0}case"role":{const a=await e.roles.get(t,s.id);return(a==null?void 0:a.is_system)===!0}case"connection":{const a=await e.connections.get(t,s.id);return(a==null?void 0:a.is_system)===!0}default:return!1}}catch{return!1}}function se(e){return{resource_server:"resource server",role:"role",connection:"connection"}[e]}function V(){return async(e,t)=>{if(!["PATCH","PUT","DELETE"].includes(e.req.method))return t();const s=ne(e.req.path);if(!s)return t();const a=e.var.tenant_id\|\|e.req.header("x-tenant-id")\|\|e.req.header("tenant-id");if(!a)return t();if(await re(e.env.data,a,s))throw new v(403,{message:`This ${se(s.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`});return t()}}function k(e){return async(t,s)=>{if(!e.accessControl)return s();const a=t.var.tenant_id,i=t.var.organization_id;if(!a)throw new v(400,{message:"Tenant ID not found in request"});if(!E(i,a,e.accessControl.controlPlaneTenantId))throw new v(403,{message:`Access denied to tenant ${a}`});return s()}}function J(e){return async(t,s)=>{if(!e.subdomainRouting)return s();const{baseDomain:a,reservedSubdomains:i=[],resolveSubdomain:n}=e.subdomainRouting,d=t.req.header("host")\|\|"";let l=null;if(d.endsWith(a)){const r=d.slice(0,-(a.length+1));r&&!r.includes(".")&&(l=r)}if(l&&i.includes(l)&&(l=null),!l)return e.accessControl&&t.set("tenant_id",e.accessControl.controlPlaneTenantId),s();let c=null;if(n)c=await n(l);else if(e.subdomainRouting.useOrganizations!==!1&&e.accessControl)try{const r=await t.env.data.organizations.get(e.accessControl.controlPlaneTenantId,l);r&&(c=r.id)}catch{}if(!c)throw new v(404,{message:`Tenant not found for subdomain: ${l}`});return t.set("tenant_id",c),s()}}function X(e){return async(t,s)=>{if(!e.databaseIsolation)return s();const a=t.var.tenant_id;if(!a)throw new v(400,{message:"Tenant ID not found in request"});try{const i=await e.databaseIsolation.getAdapters(a);t.env.data=i}catch(i){throw console.error(`Failed to resolve database for tenant ${a}:`,i),new v(500,{message:"Failed to resolve tenant database"})}return s()}}function j(e){const t=J(e),s=k(e),a=X(e);return async(i,n)=>(await t(i,async()=>{}),await s(i,async()=>{}),await a(i,async()=>{}),n())}function ie(e){const t=R(e);return{name:"multi-tenancy",middleware:j(e),hooks:t,routes:[{path:"/management",handler:O(e,t)}],onRegister:async()=>{console.log("Multi-tenancy plugin registered"),e.accessControl&&console.log(` - Access control enabled (control plane: ${e.accessControl.controlPlaneTenantId})`),e.subdomainRouting&&console.log(` - Subdomain routing enabled (base domain: ${e.subdomainRouting.baseDomain})`),e.databaseIsolation&&console.log(" - Database isolation enabled")}}}function R(e){const t=e.accessControl?U(e.accessControl):{},s=e.databaseIsolation?K(e.databaseIsolation):{},a=G(e);return{...t,...s,tenants:a}}function Y(e){const t=new N.Hono,s=R(e);return t.route("/tenants",O(e,s)),t}function oe(e){return{hooks:R(e),middleware:j(e),app:Y(e),config:e}}function ce(e){const{controlPlaneTenantId:t="control_plane",syncResourceServers:s=!0,syncRoles:a=!0,multiTenancy:i,entityHooks:n,...d}=e,l={...i,accessControl:{controlPlaneTenantId:t,requireOrganizationMatch:!1,defaultPermissions:["tenant:admin"],...i==null?void 0:i.accessControl}},c=R(l);let r,f;s&&(r=B({controlPlaneTenantId:t,getChildTenantIds:async()=>(await T.fetchAll(m=>e.dataAdapter.tenants.list(m),"tenants",{cursorField:"id",pageSize:100})).filter(m=>m.id!==t).map(m=>m.id),getAdapters:async w=>e.dataAdapter}),f=W({controlPlaneTenantId:t,getControlPlaneAdapters:async()=>e.dataAdapter,getAdapters:async w=>e.dataAdapter}));let u,o;a&&(u=L({controlPlaneTenantId:t,getChildTenantIds:async()=>(await T.fetchAll(m=>e.dataAdapter.tenants.list(m),"tenants",{cursorField:"id",pageSize:100})).filter(m=>m.id!==t).map(m=>m.id),getAdapters:async w=>e.dataAdapter}),o=Q({controlPlaneTenantId:t,getControlPlaneAdapters:async()=>e.dataAdapter,getAdapters:async w=>e.dataAdapter,syncPermissions:!0}));const p=async(w,m,...y)=>{const _=[];if(w)try{await w(...y)}catch(b){_.push(b instanceof Error?b:new Error(String(b)))}if(m)try{await m(...y)}catch(b){_.push(b instanceof Error?b:new Error(String(b)))}if(_.length===1)throw _[0];if(_.length>1)throw new AggregateError(_,`Multiple hook errors: ${_.map(b=>b.message).join("; ")}`)},g=async(w,...m)=>{const y=[];for(const _ of w)if(_)try{await _(...m)}catch(b){y.push(b instanceof Error?b:new Error(String(b)))}if(y.length===1)throw y[0];if(y.length>1)throw new AggregateError(y,`Multiple hook errors: ${y.map(_=>_.message).join("; ")}`)},h={...n,resourceServers:r?{...n==null?void 0:n.resourceServers,afterCreate:async(w,m)=>{var y;await p((y=n==null?void 0:n.resourceServers)==null?void 0:y.afterCreate,r==null?void 0:r.afterCreate,w,m)},afterUpdate:async(w,m,y)=>{var _;await p((_=n==null?void 0:n.resourceServers)==null?void 0:_.afterUpdate,r==null?void 0:r.afterUpdate,w,m,y)},afterDelete:async(w,m)=>{var y;await p((y=n==null?void 0:n.resourceServers)==null?void 0:y.afterDelete,r==null?void 0:r.afterDelete,w,m)}}:n==null?void 0:n.resourceServers,roles:u?{...n==null?void 0:n.roles,afterCreate:async(w,m)=>{var y;await p((y=n==null?void 0:n.roles)==null?void 0:y.afterCreate,u==null?void 0:u.afterCreate,w,m)},afterUpdate:async(w,m,y)=>{var _;await p((_=n==null?void 0:n.roles)==null?void 0:_.afterUpdate,u==null?void 0:u.afterUpdate,w,m,y)},afterDelete:async(w,m)=>{var y;await p((y=n==null?void 0:n.roles)==null?void 0:y.afterDelete,u==null?void 0:u.afterDelete,w,m)}}:n==null?void 0:n.roles,tenants:f\|\|o?{...n==null?void 0:n.tenants,afterCreate:async(w,m)=>{var y;await g([(y=n==null?void 0:n.tenants)==null?void 0:y.afterCreate,f==null?void 0:f.afterCreate,o==null?void 0:o.afterCreate],w,m)}}:n==null?void 0:n.tenants},A={...c,tenants:f\|\|o?{...c.tenants,afterCreate:async(w,m)=>{var y;(y=c.tenants)!=null&&y.afterCreate&&await c.tenants.afterCreate(w,m),await g([f==null?void 0:f.afterCreate,o==null?void 0:o.afterCreate],w,m)}}:c.tenants},S=O(l,A),q=T.init({...d,entityHooks:h,managementApiExtensions:[...d.managementApiExtensions\|\|[],{path:"/tenants",router:S}]}),{app:z,managementApp:$,...F}=q,P=new N.Hono;return P.onError((w,m)=>w instanceof v?w.getResponse():(console.error(w),m.json({message:"Internal Server Error"},500))),P.use("/api/v2/",V()),P.route("/",z),{app:P,managementApp:$,...F,multiTenancyConfig:l,multiTenancyHooks:c}}Object.defineProperty(exports,"MANAGEMENT_API_SCOPES",{enumerable:!0,get:()=>T.MANAGEMENT_API_SCOPES});Object.defineProperty(exports,"fetchAll",{enumerable:!0,get:()=>T.fetchAll});Object.defineProperty(exports,"seed",{enumerable:!0,get:()=>T.seed});exports.createAccessControlHooks=U;exports.createAccessControlMiddleware=k;exports.createDatabaseHooks=K;exports.createDatabaseMiddleware=X;exports.createMultiTenancy=Y;exports.createMultiTenancyHooks=R;exports.createMultiTenancyMiddleware=j;exports.createMultiTenancyPlugin=ie;exports.createProtectSyncedMiddleware=V;exports.createProvisioningHooks=G;exports.createResourceServerSyncHooks=B;exports.createRoleSyncHooks=L;exports.createSubdomainMiddleware=J;exports.createTenantResourceServerSyncHooks=W;exports.createTenantRoleSyncHooks=Q;exports.createTenantsOpenAPIRouter=O;exports.init=ce;exports.setupMultiTenancy=oe;exports.validateTenantAccess=E;

package/dist/multi-tenancy.d.ts CHANGED Viewed

@@ -563,6 +563,7 @@ export interface Totals {
 	start: number;
 	limit: number;
 	length: number;
+	total?: number;
 }
 declare const userInsertSchema: z.ZodObject<{
 	email: z.ZodEffects<z.ZodOptional<z.ZodString>, string | undefined, string | undefined>;
@@ -11223,6 +11224,8 @@ export interface ListParams {
 		sort_by: string;
 		sort_order: "asc" | "desc";
 	};
+	from?: string;
+	take?: number;
 }
 declare const loginSessionInsertSchema: z.ZodObject<{
 	csrf_token: z.ZodString;
@@ -15817,6 +15820,7 @@ interface Totals$1 {
 	start: number;
 	limit: number;
 	length: number;
+	total?: number;
 }
 declare const userInsertSchema$1: z.ZodObject<{
 	email: z.ZodEffects<z.ZodOptional<z.ZodString>, string | undefined, string | undefined>;
@@ -26477,6 +26481,8 @@ interface ListParams$1 {
 		sort_by: string;
 		sort_order: "asc" | "desc";
 	};
+	from?: string;
+	take?: number;
 }
 declare const loginSessionInsertSchema$1: z.ZodObject<{
 	csrf_token: z.ZodString;
@@ -33096,6 +33102,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -33166,6 +33174,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							is_signup_enabled: boolean;
 						}[] | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -33389,6 +33398,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -33477,6 +33488,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -33553,6 +33566,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -33805,6 +33820,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -33875,6 +33892,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						allow_offline_access?: boolean | undefined | undefined;
 						verificationKey?: string | undefined | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -34096,6 +34114,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -34122,6 +34142,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						description?: string | undefined | undefined;
 						is_system?: boolean | undefined | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -34237,6 +34258,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -34311,6 +34334,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -34421,6 +34446,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							mask_output?: boolean | undefined | undefined;
 						})[];
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -34738,6 +34764,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -35638,6 +35666,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							[x: string]: any;
 						} | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -38083,6 +38112,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -38169,6 +38200,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							[x: string]: any;
 						} | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -38472,6 +38504,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -38520,6 +38554,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						form_id: string;
 						priority?: number | undefined | undefined;
 					})[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -38722,6 +38757,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -38804,6 +38841,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							continent_code: string;
 						} | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -39247,6 +39285,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						subject_type?: "client" | "user" | undefined | undefined;
 						authorization_details_types?: string[] | undefined | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -39383,6 +39422,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -39551,6 +39592,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							[x: string]: any;
 						} | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -40190,6 +40232,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -40292,6 +40336,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							} | undefined;
 						}[] | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -40608,6 +40653,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -40662,6 +40709,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						revoked_at?: string | undefined | undefined;
 						idle_expires_at?: string | undefined | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -40680,6 +40728,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -40827,6 +40877,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {
@@ -40897,6 +40949,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 							is_signup_enabled: boolean;
 						}[] | undefined;
 					}[];
+					total?: number | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -41044,6 +41097,8 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						page?: string | undefined;
 						per_page?: string | undefined;
 						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
 						q?: string | undefined;
 					};
 				} & {

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
 var K = Object.defineProperty;
 var E = (e, t, s) => t in e ? K(e, t, { enumerable: !0, configurable: !0, writable: !0, value: s }) : e[t] = s;
 var D = (e, t, s) => E(e, typeof t != "symbol" ? t + "" : t, s);
-import { Hono as U } from "hono";
+import { Hono as N } from "hono";
 import { getTenantAudience as G, MANAGEMENT_API_SCOPES as B, MANAGEMENT_API_AUDIENCE as W, fetchAll as S, init as L } from "authhero";
 import { MANAGEMENT_API_SCOPES as Ce, fetchAll as Pe, seed as Se } from "authhero";
 import { OpenAPIHono as Q, createRoute as M, z as P } from "@hono/zod-openapi";
@@ -39,7 +39,7 @@ function X(e) {
       if (i === t)
         return !0;
       if (s) {
-        const n = a.var.org_name, u = a.var.organization_id, l = n || u;
+        const n = a.var.org_name, d = a.var.organization_id, l = n || d;
         return l ? l === i : !1;
       }
       return !0;
@@ -83,12 +83,12 @@ function k(e) {
       const { accessControl: a, databaseIsolation: i } = e;
       if (a)
         try {
-          const u = (await t.adapters.organizations.list(
+          const d = (await t.adapters.organizations.list(
             a.controlPlaneTenantId
           )).organizations.find((l) => l.name === s);
-          u && await t.adapters.organizations.remove(
+          d && await t.adapters.organizations.remove(
             a.controlPlaneTenantId,
-            u.id
+            d.id
           );
         } catch (n) {
           console.warn(
@@ -113,7 +113,7 @@ async function H(e, t, s) {
     controlPlaneTenantId: a,
     defaultPermissions: i,
     defaultRoles: n,
-    issuer: u,
+    issuer: d,
     adminRoleName: l = "Tenant Admin",
     adminRoleDescription: c = "Full access to all tenant management operations",
     addCreatorToOrganization: r = !0
@@ -124,8 +124,8 @@ async function H(e, t, s) {
       display_name: t.friendly_name || t.id
     }
   );
-  let d;
-  if (u && (d = await ee(
+  let u;
+  if (d && (u = await ee(
     e,
     a,
     l,
@@ -141,10 +141,10 @@ async function H(e, t, s) {
         await e.adapters.userOrganizations.create(a, {
           user_id: o.sub,
           organization_id: f.id
-        }), d && await e.adapters.userRoles.create(
+        }), u && await e.adapters.userRoles.create(
           a,
           o.sub,
-          d,
+          u,
           f.id
           // organizationId
         );
@@ -184,19 +184,19 @@ async function ee(e, t, s, a) {
   const n = (await e.adapters.roles.list(t, {})).roles.find((r) => r.name === s);
   if (n)
     return n.id;
-  const u = await e.adapters.roles.create(t, {
+  const d = await e.adapters.roles.create(t, {
     name: s,
     description: a
   }), l = W, c = B.map((r) => ({
-    role_id: u.id,
+    role_id: d.id,
     resource_server_identifier: l,
     permission_name: r.value
   }));
   return await e.adapters.rolePermissions.assign(
     t,
-    u.id,
+    d.id,
     c
-  ), u.id;
+  ), d.id;
 }
 async function te(e, t, s) {
   const { accessControl: a, settingsInheritance: i } = s;
@@ -207,7 +207,7 @@ async function te(e, t, s) {
   );
   if (!n)
     return;
-  let u = { ...n };
+  let d = { ...n };
   const l = [
     "id",
     "created_at",
@@ -219,20 +219,20 @@ async function te(e, t, s) {
     "sender_name"
   ];
   for (const c of l)
-    delete u[c];
+    delete d[c];
   if (i != null && i.inheritedKeys) {
     const c = {};
     for (const r of i.inheritedKeys)
       r in n && !l.includes(r) && (c[r] = n[r]);
-    u = c;
+    d = c;
   }
   if (i != null && i.excludedKeys)
     for (const c of i.excludedKeys)
-      delete u[c];
-  i != null && i.transformSettings && (u = i.transformSettings(
-    u,
+      delete d[c];
+  i != null && i.transformSettings && (d = i.transformSettings(
+    d,
     t.id
-  )), Object.keys(u).length > 0 && await e.adapters.tenants.update(t.id, u);
+  )), Object.keys(d).length > 0 && await e.adapters.tenants.update(t.id, d);
 }
 function ae(e) {
   const {
@@ -242,18 +242,18 @@ function ae(e) {
     shouldSync: i = () => !0,
     transformForSync: n
   } = e;
-  async function u(r, f, d) {
+  async function d(r, f, u) {
     return (await r.resourceServers.list(f, {
-      q: `identifier:${d}`,
+      q: `identifier:${u}`,
       per_page: 1
     })).resource_servers[0] ?? null;
   }
   async function l(r, f) {
-    const d = await s();
+    const u = await s();
     await Promise.all(
-      d.map(async (o) => {
+      u.map(async (o) => {
         try {
-          const p = await a(o), h = { ...n ? n(r, o) : {
+          const m = await a(o), h = { ...n ? n(r, o) : {
             name: r.name,
             identifier: r.identifier,
             scopes: r.scopes,
@@ -267,32 +267,32 @@ function ae(e) {
             options: r.options
           }, is_system: !0 };
           if (f === "create") {
-            const A = await u(
-              p,
+            const A = await d(
+              m,
               o,
               r.identifier
             );
-            A && A.id ? await p.resourceServers.update(
+            A && A.id ? await m.resourceServers.update(
               o,
               A.id,
               h
-            ) : await p.resourceServers.create(o, h);
+            ) : await m.resourceServers.create(o, h);
           } else {
-            const A = await u(
-              p,
+            const A = await d(
+              m,
               o,
               r.identifier
             );
-            A && A.id ? await p.resourceServers.update(
+            A && A.id ? await m.resourceServers.update(
               o,
               A.id,
               h
-            ) : await p.resourceServers.create(o, h);
+            ) : await m.resourceServers.create(o, h);
           }
-        } catch (p) {
+        } catch (m) {
           console.error(
             `Failed to sync resource server "${r.identifier}" to tenant "${o}":`,
-            p
+            m
           );
         }
       })
@@ -301,17 +301,17 @@ function ae(e) {
   async function c(r) {
     const f = await s();
     await Promise.all(
-      f.map(async (d) => {
+      f.map(async (u) => {
         try {
-          const o = await a(d), p = await u(
+          const o = await a(u), m = await d(
             o,
-            d,
+            u,
             r
           );
-          p && p.id && await o.resourceServers.remove(d, p.id);
+          m && m.id && await o.resourceServers.remove(u, m.id);
         } catch (o) {
           console.error(
-            `Failed to delete resource server "${r}" from tenant "${d}":`,
+            `Failed to delete resource server "${r}" from tenant "${u}":`,
             o
           );
         }
@@ -322,8 +322,8 @@ function ae(e) {
     afterCreate: async (r, f) => {
       r.tenantId === t && i(f) && await l(f, "create");
     },
-    afterUpdate: async (r, f, d) => {
-      r.tenantId === t && i(d) && await l(d, "update");
+    afterUpdate: async (r, f, u) => {
+      r.tenantId === t && i(u) && await l(u, "update");
     },
     afterDelete: async (r, f) => {
       r.tenantId === t && await c(f);
@@ -339,22 +339,22 @@ function ne(e) {
     transformForSync: n
   } = e;
   return {
-    async afterCreate(u, l) {
+    async afterCreate(d, l) {
       if (l.id !== t)
         try {
           const c = await s(), r = await a(l.id), f = await S(
-            (d) => c.resourceServers.list(
+            (u) => c.resourceServers.list(
               t,
-              d
+              u
             ),
             "resource_servers",
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
-            f.filter((d) => i(d)).map(async (d) => {
-              const o = d;
+            f.filter((u) => i(u)).map(async (u) => {
+              const o = u;
               try {
-                const p = n ? n(o, l.id) : {
+                const m = n ? n(o, l.id) : {
                   name: o.name,
                   identifier: o.identifier,
                   scopes: o.scopes,
@@ -368,13 +368,13 @@ function ne(e) {
                   options: o.options
                 };
                 await r.resourceServers.create(l.id, {
-                  ...p,
+                  ...m,
                   is_system: !0
                 });
-              } catch (p) {
+              } catch (m) {
                 console.error(
                   `Failed to sync resource server "${o.identifier}" to new tenant "${l.id}":`,
-                  p
+                  m
                 );
               }
             })
@@ -396,7 +396,7 @@ function re(e) {
     shouldSync: i = () => !0,
     transformForSync: n
   } = e;
-  async function u(c, r, f) {
+  async function d(c, r, f) {
     return (await c.roles.list(r, {
       q: `name:${f}`,
       per_page: 1
@@ -405,30 +405,30 @@ function re(e) {
   async function l(c, r) {
     const f = await s();
     await Promise.all(
-      f.map(async (d) => {
+      f.map(async (u) => {
         try {
-          const o = await a(d), g = { ...n ? n(c, d) : {
+          const o = await a(u), g = { ...n ? n(c, u) : {
             name: c.name,
             description: c.description
           }, is_system: !0 };
           if (r === "create") {
-            const h = await u(o, d, c.name);
+            const h = await d(o, u, c.name);
             h && h.id ? await o.roles.update(
-              d,
+              u,
               h.id,
               g
-            ) : await o.roles.create(d, g);
+            ) : await o.roles.create(u, g);
           } else {
-            const h = await u(o, d, c.name);
+            const h = await d(o, u, c.name);
             h && h.id ? await o.roles.update(
-              d,
+              u,
               h.id,
               g
-            ) : await o.roles.create(d, g);
+            ) : await o.roles.create(u, g);
           }
         } catch (o) {
           console.error(
-            `Failed to sync role "${c.name}" to tenant "${d}":`,
+            `Failed to sync role "${c.name}" to tenant "${u}":`,
             o
           );
         }
@@ -456,20 +456,20 @@ function se(e) {
     getAdapters: a,
     shouldSync: i = () => !0,
     transformForSync: n,
-    syncPermissions: u = !0
+    syncPermissions: d = !0
   } = e;
   return {
     async afterCreate(l, c) {
       if (c.id !== t)
         try {
-          const r = await s(), f = await a(c.id), d = await S(
-            (p) => r.roles.list(t, p),
+          const r = await s(), f = await a(c.id), u = await S(
+            (m) => r.roles.list(t, m),
             "roles",
             { cursorField: "id", pageSize: 100 }
           ), o = /* @__PURE__ */ new Map();
           if (await Promise.all(
-            d.filter((p) => i(p)).map(async (p) => {
-              const g = p;
+            u.filter((m) => i(m)).map(async (m) => {
+              const g = m;
               try {
                 const h = n ? n(g, c.id) : {
                   name: g.name,
@@ -486,12 +486,12 @@ function se(e) {
                 );
               }
             })
-          ), u)
-            for (const [p, g] of o)
+          ), d)
+            for (const [m, g] of o)
               try {
                 const h = await r.rolePermissions.list(
                   t,
-                  p,
+                  m,
                   {}
                 );
                 h.length > 0 && await f.rolePermissions.assign(
@@ -550,47 +550,47 @@ function O(e, t) {
       }
     }),
     async (a) => {
-      var p, g, h, A;
-      const i = a.req.valid("query"), { page: n, per_page: u, include_totals: l, q: c } = i, r = a.var.user, f = ((r == null ? void 0 : r.scope) || "").split(" "), d = f.includes("auth:read");
-      if (console.log("User scopes:", f, "hasAuthRead:", d), d) {
+      var m, g, h, A;
+      const i = a.req.valid("query"), { page: n, per_page: d, include_totals: l, q: c } = i, r = a.var.user, f = (r == null ? void 0 : r.permissions) || [];
+      if (f.includes("auth:read") || f.includes("admin:organizations")) {
         const C = await a.env.data.tenants.list({
           page: n,
-          per_page: u,
+          per_page: d,
           include_totals: l,
           q: c
         });
         return l ? a.json({
           tenants: C.tenants,
-          start: ((p = C.totals) == null ? void 0 : p.start) ?? 0,
-          limit: ((g = C.totals) == null ? void 0 : g.limit) ?? u,
+          start: ((m = C.totals) == null ? void 0 : m.start) ?? 0,
+          limit: ((g = C.totals) == null ? void 0 : g.limit) ?? d,
           length: C.tenants.length
         }) : a.json({ tenants: C.tenants });
       }
       if (e.accessControl && (r != null && r.sub)) {
         const C = e.accessControl.controlPlaneTenantId, $ = (await S(
-          (R) => a.env.data.userOrganizations.listUserOrganizations(
+          (z) => a.env.data.userOrganizations.listUserOrganizations(
             C,
             r.sub,
-            R
+            z
           ),
           "organizations"
-        )).map((R) => R.name);
+        )).map((z) => z.name);
         if ($.length === 0)
           return l ? a.json({
             tenants: [],
             start: 0,
-            limit: u ?? 50,
+            limit: d ?? 50,
             length: 0
           }) : a.json({ tenants: [] });
-        const z = $.length, F = n ?? 0, v = u ?? 50, w = F * v, m = $.slice(w, w + v);
-        if (m.length === 0)
+        const R = $.length, I = n ?? 0, v = d ?? 50, w = I * v, p = $.slice(w, w + v);
+        if (p.length === 0)
           return l ? a.json({
             tenants: [],
             start: w,
             limit: v,
-            length: z
+            length: R
           }) : a.json({ tenants: [] });
-        const y = m.map((R) => `id:${R}`).join(" OR "), _ = c ? `(${y}) AND (${c})` : y, b = await a.env.data.tenants.list({
+        const y = p.map((z) => `id:${z}`).join(" OR "), _ = c ? `(${y}) AND (${c})` : y, b = await a.env.data.tenants.list({
           q: _,
           per_page: v,
           include_totals: !1
@@ -600,19 +600,19 @@ function O(e, t) {
           tenants: b.tenants,
           start: w,
           limit: v,
-          length: z
+          length: R
         }) : a.json({ tenants: b.tenants });
       }
       const o = await a.env.data.tenants.list({
         page: n,
-        per_page: u,
+        per_page: d,
         include_totals: l,
         q: c
       });
       return l ? a.json({
         tenants: o.tenants,
         start: ((h = o.totals) == null ? void 0 : h.start) ?? 0,
-        limit: ((A = o.totals) == null ? void 0 : A.limit) ?? u,
+        limit: ((A = o.totals) == null ? void 0 : A.limit) ?? d,
         length: o.tenants.length
       }) : a.json({ tenants: o.tenants });
     }
@@ -660,13 +660,13 @@ function O(e, t) {
           message: "Authentication required to create tenants"
         });
       let n = a.req.valid("json");
-      const u = {
+      const d = {
         adapters: a.env.data,
         ctx: a
       };
-      (c = t.tenants) != null && c.beforeCreate && (n = await t.tenants.beforeCreate(u, n));
+      (c = t.tenants) != null && c.beforeCreate && (n = await t.tenants.beforeCreate(d, n));
       const l = await a.env.data.tenants.create(n);
-      return (r = t.tenants) != null && r.afterCreate && await t.tenants.afterCreate(u, l), a.json(l, 201);
+      return (r = t.tenants) != null && r.afterCreate && await t.tenants.afterCreate(d, l), a.json(l, 201);
     }
   ), s.openapi(
     M({
@@ -709,13 +709,13 @@ function O(e, t) {
             message: "Cannot delete the control plane"
           });
         if (!(await S(
-          (p) => a.env.data.userOrganizations.listUserOrganizations(
+          (m) => a.env.data.userOrganizations.listUserOrganizations(
             f,
             r.sub,
-            p
+            m
           ),
           "organizations"
-        )).some((p) => p.name === i))
+        )).some((m) => m.name === i))
           throw new T(403, {
             message: "Access denied to this tenant"
           });
@@ -724,11 +724,11 @@ function O(e, t) {
         throw new T(404, {
           message: "Tenant not found"
         });
-      const u = {
+      const d = {
         adapters: a.env.data,
         ctx: a
       };
-      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(u, i), await a.env.data.tenants.remove(i), (c = t.tenants) != null && c.afterDelete && await t.tenants.afterDelete(u, i), a.body(null, 204);
+      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(d, i), await a.env.data.tenants.remove(i), (c = t.tenants) != null && c.afterDelete && await t.tenants.afterDelete(d, i), a.body(null, 204);
     }
   ), s;
 }
@@ -822,10 +822,10 @@ function ue(e) {
       baseDomain: a,
       reservedSubdomains: i = [],
       resolveSubdomain: n
-    } = e.subdomainRouting, u = t.req.header("host") || "";
+    } = e.subdomainRouting, d = t.req.header("host") || "";
     let l = null;
-    if (u.endsWith(a)) {
-      const r = u.slice(0, -(a.length + 1));
+    if (d.endsWith(a)) {
+      const r = d.slice(0, -(a.length + 1));
       r && !r.includes(".") && (l = r);
     }
     if (l && i.includes(l) && (l = null), !l)
@@ -872,7 +872,7 @@ function fe(e) {
     return s();
   };
 }
-function N(e) {
+function U(e) {
   const t = ue(e), s = de(e), a = fe(e);
   return async (i, n) => (await t(i, async () => {
   }), await s(i, async () => {
@@ -880,11 +880,11 @@ function N(e) {
   }), n());
 }
 function _e(e) {
-  const t = I(e);
+  const t = F(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: N(e),
+    middleware: U(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
@@ -904,7 +904,7 @@ function _e(e) {
     }
   };
 }
-function I(e) {
+function F(e) {
   const t = e.accessControl ? X(e.accessControl) : {}, s = e.databaseIsolation ? Z(e.databaseIsolation) : {}, a = k(e);
   return {
     ...t,
@@ -912,15 +912,15 @@ function I(e) {
     tenants: a
   };
 }
-function pe(e) {
-  const t = new U(), s = I(e);
+function me(e) {
+  const t = new N(), s = F(e);
   return t.route("/tenants", O(e, s)), t;
 }
 function Ae(e) {
   return {
-    hooks: I(e),
-    middleware: N(e),
-    app: pe(e),
+    hooks: F(e),
+    middleware: U(e),
+    app: me(e),
     config: e
   };
 }
@@ -931,7 +931,7 @@ function be(e) {
     syncRoles: a = !0,
     multiTenancy: i,
     entityHooks: n,
-    ...u
+    ...d
   } = e, l = {
     ...i,
     accessControl: {
@@ -940,29 +940,29 @@ function be(e) {
       defaultPermissions: ["tenant:admin"],
       ...i == null ? void 0 : i.accessControl
     }
-  }, c = I(l);
+  }, c = F(l);
   let r, f;
   s && (r = ae({
     controlPlaneTenantId: t,
     getChildTenantIds: async () => (await S(
-      (m) => e.dataAdapter.tenants.list(m),
+      (p) => e.dataAdapter.tenants.list(p),
       "tenants",
       { cursorField: "id", pageSize: 100 }
-    )).filter((m) => m.id !== t).map((m) => m.id),
+    )).filter((p) => p.id !== t).map((p) => p.id),
     getAdapters: async (w) => e.dataAdapter
   }), f = ne({
     controlPlaneTenantId: t,
     getControlPlaneAdapters: async () => e.dataAdapter,
     getAdapters: async (w) => e.dataAdapter
   }));
-  let d, o;
-  a && (d = re({
+  let u, o;
+  a && (u = re({
     controlPlaneTenantId: t,
     getChildTenantIds: async () => (await S(
-      (m) => e.dataAdapter.tenants.list(m),
+      (p) => e.dataAdapter.tenants.list(p),
       "tenants",
       { cursorField: "id", pageSize: 100 }
-    )).filter((m) => m.id !== t).map((m) => m.id),
+    )).filter((p) => p.id !== t).map((p) => p.id),
     getAdapters: async (w) => e.dataAdapter
   }), o = se({
     controlPlaneTenantId: t,
@@ -970,7 +970,7 @@ function be(e) {
     getAdapters: async (w) => e.dataAdapter,
     syncPermissions: !0
   }));
-  const p = async (w, m, ...y) => {
+  const m = async (w, p, ...y) => {
     const _ = [];
     if (w)
       try {
@@ -978,9 +978,9 @@ function be(e) {
       } catch (b) {
         _.push(b instanceof Error ? b : new Error(String(b)));
       }
-    if (m)
+    if (p)
       try {
-        await m(...y);
+        await p(...y);
       } catch (b) {
         _.push(b instanceof Error ? b : new Error(String(b)));
       }
@@ -991,12 +991,12 @@ function be(e) {
         _,
         `Multiple hook errors: ${_.map((b) => b.message).join("; ")}`
       );
-  }, g = async (w, ...m) => {
+  }, g = async (w, ...p) => {
     const y = [];
     for (const _ of w)
       if (_)
         try {
-          await _(...m);
+          await _(...p);
         } catch (b) {
           y.push(
             b instanceof Error ? b : new Error(String(b))
@@ -1013,69 +1013,69 @@ function be(e) {
     ...n,
     resourceServers: r ? {
       ...n == null ? void 0 : n.resourceServers,
-      afterCreate: async (w, m) => {
+      afterCreate: async (w, p) => {
         var y;
-        await p(
+        await m(
           (y = n == null ? void 0 : n.resourceServers) == null ? void 0 : y.afterCreate,
           r == null ? void 0 : r.afterCreate,
           w,
-          m
+          p
         );
       },
-      afterUpdate: async (w, m, y) => {
+      afterUpdate: async (w, p, y) => {
         var _;
-        await p(
+        await m(
           (_ = n == null ? void 0 : n.resourceServers) == null ? void 0 : _.afterUpdate,
           r == null ? void 0 : r.afterUpdate,
           w,
-          m,
+          p,
           y
         );
       },
-      afterDelete: async (w, m) => {
+      afterDelete: async (w, p) => {
         var y;
-        await p(
+        await m(
           (y = n == null ? void 0 : n.resourceServers) == null ? void 0 : y.afterDelete,
           r == null ? void 0 : r.afterDelete,
           w,
-          m
+          p
         );
       }
     } : n == null ? void 0 : n.resourceServers,
-    roles: d ? {
+    roles: u ? {
       ...n == null ? void 0 : n.roles,
-      afterCreate: async (w, m) => {
+      afterCreate: async (w, p) => {
         var y;
-        await p(
+        await m(
           (y = n == null ? void 0 : n.roles) == null ? void 0 : y.afterCreate,
-          d == null ? void 0 : d.afterCreate,
+          u == null ? void 0 : u.afterCreate,
           w,
-          m
+          p
         );
       },
-      afterUpdate: async (w, m, y) => {
+      afterUpdate: async (w, p, y) => {
         var _;
-        await p(
+        await m(
           (_ = n == null ? void 0 : n.roles) == null ? void 0 : _.afterUpdate,
-          d == null ? void 0 : d.afterUpdate,
+          u == null ? void 0 : u.afterUpdate,
           w,
-          m,
+          p,
           y
         );
       },
-      afterDelete: async (w, m) => {
+      afterDelete: async (w, p) => {
         var y;
-        await p(
+        await m(
           (y = n == null ? void 0 : n.roles) == null ? void 0 : y.afterDelete,
-          d == null ? void 0 : d.afterDelete,
+          u == null ? void 0 : u.afterDelete,
           w,
-          m
+          p
         );
       }
     } : n == null ? void 0 : n.roles,
     tenants: f || o ? {
       ...n == null ? void 0 : n.tenants,
-      afterCreate: async (w, m) => {
+      afterCreate: async (w, p) => {
         var y;
         await g(
           [
@@ -1084,7 +1084,7 @@ function be(e) {
             o == null ? void 0 : o.afterCreate
           ],
           w,
-          m
+          p
         );
       }
     } : n == null ? void 0 : n.tenants
@@ -1092,15 +1092,15 @@ function be(e) {
     ...c,
     tenants: f || o ? {
       ...c.tenants,
-      afterCreate: async (w, m) => {
+      afterCreate: async (w, p) => {
         var y;
-        (y = c.tenants) != null && y.afterCreate && await c.tenants.afterCreate(w, m), await g(
+        (y = c.tenants) != null && y.afterCreate && await c.tenants.afterCreate(w, p), await g(
           [
             f == null ? void 0 : f.afterCreate,
             o == null ? void 0 : o.afterCreate
           ],
           w,
-          m
+          p
         );
       }
     } : c.tenants
@@ -1108,19 +1108,19 @@ function be(e) {
     l,
     A
   ), j = L({
-    ...u,
+    ...d,
     entityHooks: h,
     // Register tenant routes via the extension mechanism
     // This ensures they go through the full middleware chain (caching, tenant, auth, entity hooks)
     managementApiExtensions: [
-      ...u.managementApiExtensions || [],
+      ...d.managementApiExtensions || [],
       { path: "/tenants", router: C }
     ]
-  }), { app: $, managementApp: z, ...F } = j, v = new U();
-  return v.onError((w, m) => w instanceof T ? w.getResponse() : (console.error(w), m.json({ message: "Internal Server Error" }, 500))), v.use("/api/v2/*", le()), v.route("/", $), {
+  }), { app: $, managementApp: R, ...I } = j, v = new N();
+  return v.onError((w, p) => w instanceof T ? w.getResponse() : (console.error(w), p.json({ message: "Internal Server Error" }, 500))), v.use("/api/v2/*", le()), v.route("/", $), {
     app: v,
-    managementApp: z,
-    ...F,
+    managementApp: R,
+    ...I,
     multiTenancyConfig: l,
     multiTenancyHooks: c
   };
@@ -1131,9 +1131,9 @@ export {
   de as createAccessControlMiddleware,
   Z as createDatabaseHooks,
   fe as createDatabaseMiddleware,
-  pe as createMultiTenancy,
-  I as createMultiTenancyHooks,
-  N as createMultiTenancyMiddleware,
+  me as createMultiTenancy,
+  F as createMultiTenancyHooks,
+  U as createMultiTenancyMiddleware,
   _e as createMultiTenancyPlugin,
   le as createProtectSyncedMiddleware,
   k as createProvisioningHooks,

package/package.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "13.12.0",
+  "version": "13.13.0",
   "description": "Multi-tenancy support for AuthHero with organization-based access control and per-tenant database isolation",
   "files": [
     "dist"
@@ -37,12 +37,12 @@
     "typescript": "^5.6.0",
     "vite": "^6.0.0",
     "vitest": "^2.1.0",
-    "@authhero/kysely-adapter": "10.74.0"
+    "@authhero/kysely-adapter": "10.75.0"
   },
   "dependencies": {
     "zod": "^3.24.0",
-    "@authhero/adapter-interfaces": "0.114.0",
-    "authhero": "1.2.0"
+    "@authhero/adapter-interfaces": "0.115.0",
+    "authhero": "1.3.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^0.19.10",