npm - @autorix/express - Versions diffs - 0.1.0 - Mend

@autorix/express 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/License ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026-present Sergio Galaz <www.adinet.app>
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,403 @@
+# @autorix/express
+**Express.js integration for Autorix policy-based authorization (RBAC + ABAC)**
+Middleware and utilities to integrate Autorix authorization into your Express.js applications with a clean, flexible API.
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/Node.js-%3E%3D18-green.svg)](https://nodejs.org)
+## ✨ Features
+- 🛡️ **Middleware-based** - Simple Express.js middleware integration
+- 🎯 **Route-level Authorization** - Protect specific routes with the `authorize` middleware
+- 🔄 **Request Context** - Automatic context building from Express requests
+- 💪 **Flexible Principal Resolution** - Custom logic for extracting user information
+- 🏢 **Multi-tenant Support** - Built-in tenant isolation
+- 📦 **Resource Loading** - Automatic resource resolution from route parameters
+- 🚀 **TypeScript Ready** - Full type safety with Express types augmentation
+- ⚡ **Zero Config** - Works out of the box with sensible defaults
+## 📦 Installation
+```bash
+npm install @autorix/express @autorix/core @autorix/storage
+# or
+pnpm add @autorix/express @autorix/core @autorix/storage
+# or
+yarn add @autorix/express @autorix/core @autorix/storage
+```
+## 🚀 Quick Start
+### Basic Setup
+```typescript
+import express from 'express';
+import { autorixExpress, authorize } from '@autorix/express';
+import { Autorix } from '@autorix/core';
+import { MemoryPolicyProvider } from '@autorix/storage';
+const app = express();
+// Initialize Autorix
+const policyProvider = new MemoryPolicyProvider();
+const autorix = new Autorix(policyProvider);
+// Add the Autorix middleware
+app.use(autorixExpress({
+  enforcer: autorix,
+  getPrincipal: async (req) => {
+    // Extract user from your auth middleware
+    return req.user ? { id: req.user.id, roles: req.user.roles } : null;
+  },
+  getTenant: async (req) => {
+    // Extract tenant/organization ID
+    return req.user?.tenantId || null;
+  }
+}));
+// Protect routes with authorize middleware
+app.get('/admin/users',
+  authorize('user:list'),
+  (req, res) => {
+    res.json({ message: 'Authorized!' });
+  }
+);
+app.delete('/posts/:id',
+  authorize({
+    action: 'post:delete',
+    resource: {
+      type: 'post',
+      idFrom: (req) => req.params.id,
+      loader: async (id) => await db.posts.findById(id)
+    }
+  }),
+  (req, res) => {
+    res.json({ message: 'Post deleted!' });
+  }
+);
+app.listen(3000);
+```
+## 📚 API Reference
+### `autorixExpress(options)`
+Main middleware that initializes Autorix on the Express request object.
+#### Options
+```typescript
+type AutorixExpressOptions = {
+  enforcer: {
+    can: (input: {
+      action: string;
+      context: AutorixRequestContext;
+      resource?: unknown;
+    }) => Promise<{ allowed: boolean; reason?: string }>;
+  };
+  getPrincipal: (req: Request) => Principal | Promise<Principal>;
+  getTenant?: (req: Request) => string | null | Promise<string | null>;
+  getContext?: (req: Request) => Partial<AutorixRequestContext> | Promise<Partial<AutorixRequestContext>>;
+  onDecision?: (decision: { allowed: boolean; action: string; reason?: string }, req: Request) => void;
+};
+```
+- **`enforcer`**: The Autorix instance or compatible enforcer
+- **`getPrincipal`**: Function to extract user/principal information from the request
+- **`getTenant`** *(optional)*: Function to extract tenant/organization ID
+- **`getContext`** *(optional)*: Additional context builder (IP, user agent, custom attributes)
+- **`onDecision`** *(optional)*: Callback for logging/auditing authorization decisions
+#### Request Augmentation
+After this middleware runs, `req.autorix` is available with:
+```typescript
+req.autorix = {
+  context: AutorixRequestContext,
+  can: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<boolean>,
+  enforce: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<void>
+}
+```
+### `authorize(config)`
+Route-level middleware for authorization checks.
+#### Simple Usage
+```typescript
+app.get('/users', authorize('user:list'), handler);
+```
+#### Advanced Usage
+```typescript
+authorize({
+  action: string;
+  resource?: ResourceSpec;
+  context?: Record<string, unknown> | ((req: Request) => Record<string, unknown> | Promise<Record<string, unknown>>);
+  requireAuth?: boolean;
+})
+```
+- **`action`**: The action to authorize (e.g., `'user:read'`, `'post:delete'`)
+- **`resource`** *(optional)*: Resource specification
+  - String: Static resource identifier
+  - Object with `type`, `id`, `data`: Static resource object
+  - Object with `type`, `idFrom`, `loader`: Dynamic resource loading
+- **`context`** *(optional)*: Additional context attributes or function to compute them
+- **`requireAuth`** *(optional)*: Whether to require authenticated principal (throws `AutorixUnauthenticatedError` if not present)
+#### Resource Specification
+```typescript
+// Static resource
+authorize({ action: 'post:read', resource: 'post/123' })
+// Resource from route params
+authorize({
+  action: 'post:delete',
+  resource: {
+    type: 'post',
+    idFrom: (req) => req.params.id,
+    loader: async (id, req) => await db.posts.findById(id)
+  }
+})
+// Pre-loaded resource
+authorize({
+  action: 'user:update',
+  resource: { type: 'user', id: '123', data: { ownerId: 'u1' } }
+})
+```
+## 🎯 Usage Examples
+### Role-Based Access Control (RBAC)
+```typescript
+import { autorixExpress, authorize } from '@autorix/express';
+import { Autorix } from '@autorix/core';
+import { MemoryPolicyProvider } from '@autorix/storage';
+const provider = new MemoryPolicyProvider();
+const autorix = new Autorix(provider);
+// Add policies
+await provider.attachPolicy({
+  scope: { type: 'TENANT', id: 't1' },
+  policyId: 'admin-policy',
+  principals: [{ type: 'ROLE', id: 'admin' }]
+});
+await provider.setPolicy('admin-policy', {
+  Version: '2024-01-01',
+  Statement: [{
+    Effect: 'Allow',
+    Action: ['*'],
+    Resource: ['*']
+  }]
+});
+app.use(autorixExpress({
+  enforcer: autorix,
+  getPrincipal: (req) => req.user || null,
+  getTenant: (req) => req.user?.tenantId || 't1'
+}));
+// Only admins can access
+app.get('/admin/settings',
+  authorize('admin:settings:read'),
+  (req, res) => res.json({ settings: {} })
+);
+```
+### Attribute-Based Access Control (ABAC)
+```typescript
+// Policy with conditions
+await provider.setPolicy('owner-only', {
+  Version: '2024-01-01',
+  Statement: [{
+    Effect: 'Allow',
+    Action: ['post:update', 'post:delete'],
+    Resource: ['post/*'],
+    Condition: {
+      StringEquals: {
+        'principal.id': '${resource.ownerId}'
+      }
+    }
+  }]
+});
+// Route with resource loading
+app.put('/posts/:id',
+  authorize({
+    action: 'post:update',
+    resource: {
+      type: 'post',
+      idFrom: (req) => req.params.id,
+      loader: async (id) => {
+        const post = await db.posts.findById(id);
+        return { ...post, ownerId: post.userId };
+      }
+    }
+  }),
+  (req, res) => {
+    // Only post owner can update
+    res.json({ message: 'Post updated!' });
+  }
+);
+```
+### Custom Context Attributes
+```typescript
+app.use(autorixExpress({
+  enforcer: autorix,
+  getPrincipal: (req) => req.user,
+  getContext: (req) => ({
+    ip: req.ip,
+    userAgent: req.get('user-agent'),
+    requestId: req.id,
+    attributes: {
+      timeOfDay: new Date().getHours(),
+      department: req.user?.department
+    }
+  })
+}));
+// Policy can check custom attributes
+await provider.setPolicy('business-hours', {
+  Version: '2024-01-01',
+  Statement: [{
+    Effect: 'Allow',
+    Action: ['report:generate'],
+    Resource: ['*'],
+    Condition: {
+      NumericGreaterThanEquals: { 'context.attributes.timeOfDay': 9 },
+      NumericLessThanEquals: { 'context.attributes.timeOfDay': 17 }
+    }
+  }]
+});
+```
+### Manual Authorization Checks
+```typescript
+app.get('/mixed-access', async (req, res) => {
+  // Check without throwing
+  const canRead = await req.autorix.can('document:read', { type: 'document', id: '123' });
+  const canEdit = await req.autorix.can('document:edit', { type: 'document', id: '123' });
+  res.json({
+    document: canRead ? await loadDocument('123') : null,
+    editable: canEdit
+  });
+});
+app.post('/critical-action', async (req, res) => {
+  // Enforce (throws on deny)
+  await req.autorix.enforce('admin:critical:execute');
+  // This code only runs if authorized
+  await performCriticalAction();
+  res.json({ success: true });
+});
+```
+### Multi-tenant Isolation
+```typescript
+app.use(autorixExpress({
+  enforcer: autorix,
+  getPrincipal: (req) => req.user,
+  getTenant: (req) => {
+    // Extract from subdomain
+    const subdomain = req.subdomains[0];
+    return subdomain || req.user?.tenantId;
+  }
+}));
+// Each tenant has isolated policies
+await provider.attachPolicy({
+  scope: { type: 'TENANT', id: 'acme-corp' },
+  policyId: 'acme-admins',
+  principals: [{ type: 'USER', id: 'alice' }]
+});
+await provider.attachPolicy({
+  scope: { type: 'TENANT', id: 'other-corp' },
+  policyId: 'other-admins',
+  principals: [{ type: 'USER', id: 'bob' }]
+});
+```
+### Audit Logging
+```typescript
+app.use(autorixExpress({
+  enforcer: autorix,
+  getPrincipal: (req) => req.user,
+  onDecision: (decision, req) => {
+    // Log all authorization decisions
+    logger.info('Authorization decision', {
+      userId: req.user?.id,
+      action: decision.action,
+      allowed: decision.allowed,
+      reason: decision.reason,
+      path: req.path,
+      method: req.method,
+      timestamp: new Date()
+    });
+  }
+}));
+```
+## 🔧 Error Handling
+The package provides custom error classes:
+```typescript
+import {
+  AutorixForbiddenError,
+  AutorixUnauthenticatedError,
+  AutorixMissingMiddlewareError
+} from '@autorix/express';
+app.use((err, req, res, next) => {
+  if (err instanceof AutorixForbiddenError) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  if (err instanceof AutorixUnauthenticatedError) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+  if (err instanceof AutorixMissingMiddlewareError) {
+    return res.status(500).json({ error: 'Autorix middleware not configured' });
+  }
+  next(err);
+});
+```
+## 🔗 Related Packages
+- [@autorix/core](../core) - Core policy evaluation engine
+- [@autorix/storage](../storage) - Policy storage providers
+- [@autorix/nestjs](../nestjs) - NestJS integration
+## 📝 License
+MIT © [Chechooxd](https://github.com/chechooxd)
+## 🤝 Contributing
+Contributions are welcome! Please check the [main repository](https://github.com/chechooxd/autorix) for guidelines.
+## 📖 Documentation
+For more information, visit the [Autorix documentation](https://github.com/chechooxd/autorix).

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,213 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AutorixForbiddenError: () => AutorixForbiddenError,
+  AutorixHttpError: () => AutorixHttpError,
+  AutorixMissingMiddlewareError: () => AutorixMissingMiddlewareError,
+  AutorixUnauthenticatedError: () => AutorixUnauthenticatedError,
+  authorize: () => authorize,
+  autorixExpress: () => autorixExpress,
+  buildRequestContext: () => buildRequestContext,
+  resolvePrincipal: () => resolvePrincipal,
+  resolveResource: () => resolveResource
+});
+module.exports = __toCommonJS(index_exports);
+// src/context/principal.ts
+async function resolvePrincipal(req, getPrincipal) {
+  return await getPrincipal(req);
+}
+__name(resolvePrincipal, "resolvePrincipal");
+// src/context/buildRequestContext.ts
+async function buildRequestContext(req, opts) {
+  const principal = await resolvePrincipal(req, opts.getPrincipal);
+  const tenantId = opts.getTenant ? await opts.getTenant(req) : null;
+  const extra = opts.getContext ? await opts.getContext(req) : {};
+  const context = {
+    principal,
+    tenantId: tenantId ?? void 0,
+    ip: req.ip,
+    userAgent: req.headers["user-agent"],
+    requestId: req.headers["x-request-id"],
+    attributes: extra?.attributes,
+    resource: void 0,
+    ...extra
+  };
+  return context;
+}
+__name(buildRequestContext, "buildRequestContext");
+// src/errors/AutorixHttpErrors.ts
+var AutorixHttpError = class extends Error {
+  static {
+    __name(this, "AutorixHttpError");
+  }
+  statusCode;
+  code;
+  details;
+  constructor(params) {
+    super(params.message);
+    this.name = "AutorixHttpError";
+    this.statusCode = params.statusCode;
+    this.code = params.code;
+    this.details = params.details;
+  }
+};
+var AutorixForbiddenError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixForbiddenError");
+  }
+  constructor(reason, details) {
+    super({
+      message: reason ?? "Forbidden",
+      statusCode: 403,
+      code: "AUTORIX_FORBIDDEN",
+      details
+    });
+    this.name = "AutorixForbiddenError";
+  }
+};
+var AutorixUnauthenticatedError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixUnauthenticatedError");
+  }
+  constructor(details) {
+    super({
+      message: "Unauthenticated",
+      statusCode: 401,
+      code: "AUTORIX_UNAUTHENTICATED",
+      details
+    });
+    this.name = "AutorixUnauthenticatedError";
+  }
+};
+var AutorixMissingMiddlewareError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixMissingMiddlewareError");
+  }
+  constructor(details) {
+    super({
+      message: "Autorix middleware not registered",
+      statusCode: 500,
+      code: "AUTORIX_MISSING_MIDDLEWARE",
+      details
+    });
+    this.name = "AutorixMissingMiddlewareError";
+  }
+};
+// src/middleware/autorixExpress.ts
+function autorixExpress(opts) {
+  return /* @__PURE__ */ __name(async function autorixMiddleware(req, _res, next) {
+    try {
+      const context = await buildRequestContext(req, opts);
+      req.autorix = {
+        context,
+        can: /* @__PURE__ */ __name(async (action, resource, ctxExtra) => {
+          const decision = await opts.enforcer.can({
+            action,
+            context: {
+              ...context,
+              attributes: {
+                ...context.attributes ?? {},
+                ...ctxExtra ?? {}
+              }
+            },
+            resource
+          });
+          opts.onDecision?.({
+            ...decision,
+            action
+          }, req);
+          return decision.allowed;
+        }, "can"),
+        enforce: /* @__PURE__ */ __name(async (action, resource, ctxExtra) => {
+          const allowed = await req.autorix.can(action, resource, ctxExtra);
+          if (!allowed) throw new AutorixForbiddenError();
+        }, "enforce")
+      };
+      return next();
+    } catch (e) {
+      return next(e);
+    }
+  }, "autorixMiddleware");
+}
+__name(autorixExpress, "autorixExpress");
+// src/context/resource.ts
+async function resolveResource(spec, req) {
+  if (typeof spec === "string") return {
+    type: spec
+  };
+  if ("loader" in spec) {
+    const id = spec.idFrom(req);
+    const data = await spec.loader(id, req);
+    return {
+      type: spec.type,
+      id,
+      data
+    };
+  }
+  return spec;
+}
+__name(resolveResource, "resolveResource");
+// src/middleware/authorize.ts
+function authorize(actionOrConfig, cfg) {
+  const config = typeof actionOrConfig === "string" ? {
+    action: actionOrConfig,
+    ...cfg ?? {}
+  } : actionOrConfig;
+  return /* @__PURE__ */ __name(async function authorizeMiddleware(req, _res, next) {
+    try {
+      if (!req.autorix) throw new AutorixMissingMiddlewareError();
+      if (config.requireAuth && !req.autorix.context.principal) {
+        throw new AutorixUnauthenticatedError();
+      }
+      const ctxExtra = typeof config.context === "function" ? await config.context(req) : config.context ?? {};
+      let resource = void 0;
+      if (config.resource) {
+        resource = await resolveResource(config.resource, req);
+        req.autorix.context.resource = resource;
+      }
+      await req.autorix.enforce(config.action, resource, ctxExtra);
+      return next();
+    } catch (e) {
+      return next(e);
+    }
+  }, "authorizeMiddleware");
+}
+__name(authorize, "authorize");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AutorixForbiddenError,
+  AutorixHttpError,
+  AutorixMissingMiddlewareError,
+  AutorixUnauthenticatedError,
+  authorize,
+  autorixExpress,
+  buildRequestContext,
+  resolvePrincipal,
+  resolveResource
+});

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,98 @@
+import { Request, Response, NextFunction } from 'express';
+type Principal = {
+    id: string;
+    roles?: string[];
+    [k: string]: unknown;
+} | null;
+type AutorixRequestContext = {
+    principal: Principal;
+    tenantId?: string | null;
+    ip?: string;
+    userAgent?: string;
+    requestId?: string;
+    attributes?: Record<string, unknown>;
+    resource?: unknown;
+};
+type ResourceSpec = string | {
+    type: string;
+    id?: string;
+    data?: unknown;
+} | {
+    type: string;
+    idFrom: (req: Request) => string;
+    loader: (id: string, req: Request) => Promise<unknown>;
+};
+type GetContextFn = (req: Request) => Partial<AutorixRequestContext> | Promise<Partial<AutorixRequestContext>>;
+type AutorixExpressOptions = {
+    enforcer: {
+        can: (input: {
+            action: string;
+            context: AutorixRequestContext;
+            resource?: unknown;
+        }) => Promise<{
+            allowed: boolean;
+            reason?: string;
+        }>;
+    };
+    getPrincipal: (req: Request) => Principal | Promise<Principal>;
+    getTenant?: (req: Request) => string | null | Promise<string | null>;
+    getContext?: GetContextFn;
+    onDecision?: (d: {
+        allowed: boolean;
+        action: string;
+        reason?: string;
+    }, req: Request) => void;
+};
+declare global {
+    namespace Express {
+        interface Request {
+            autorix?: {
+                context: AutorixRequestContext;
+                can: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<boolean>;
+                enforce: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<void>;
+            };
+        }
+    }
+}
+declare function autorixExpress(opts: AutorixExpressOptions): (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+type AuthorizeConfig = {
+    action: string;
+    resource?: ResourceSpec;
+    context?: Record<string, unknown> | ((req: Request) => Record<string, unknown> | Promise<Record<string, unknown>>);
+    requireAuth?: boolean;
+};
+declare function authorize(actionOrConfig: string | AuthorizeConfig, cfg?: Omit<AuthorizeConfig, "action">): (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+declare function buildRequestContext(req: Request, opts: AutorixExpressOptions): Promise<AutorixRequestContext>;
+type GetPrincipalFn = (req: Request) => Principal | Promise<Principal>;
+declare function resolvePrincipal(req: Request, getPrincipal: GetPrincipalFn): Promise<Principal>;
+declare function resolveResource(spec: ResourceSpec, req: Request): Promise<unknown>;
+type AutorixErrorCode = "AUTORIX_FORBIDDEN" | "AUTORIX_UNAUTHENTICATED" | "AUTORIX_MISSING_MIDDLEWARE" | "AUTORIX_INTERNAL";
+declare class AutorixHttpError extends Error {
+    readonly statusCode: number;
+    readonly code: AutorixErrorCode;
+    readonly details?: unknown;
+    constructor(params: {
+        message: string;
+        statusCode: number;
+        code: AutorixErrorCode;
+        details?: unknown;
+    });
+}
+declare class AutorixForbiddenError extends AutorixHttpError {
+    constructor(reason?: string, details?: unknown);
+}
+declare class AutorixUnauthenticatedError extends AutorixHttpError {
+    constructor(details?: unknown);
+}
+declare class AutorixMissingMiddlewareError extends AutorixHttpError {
+    constructor(details?: unknown);
+}
+export { type AutorixErrorCode, type AutorixExpressOptions, AutorixForbiddenError, AutorixHttpError, AutorixMissingMiddlewareError, type AutorixRequestContext, AutorixUnauthenticatedError, type GetContextFn, type GetPrincipalFn, type Principal, type ResourceSpec, authorize, autorixExpress, buildRequestContext, resolvePrincipal, resolveResource };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import { Request, Response, NextFunction } from 'express';
+type Principal = {
+    id: string;
+    roles?: string[];
+    [k: string]: unknown;
+} | null;
+type AutorixRequestContext = {
+    principal: Principal;
+    tenantId?: string | null;
+    ip?: string;
+    userAgent?: string;
+    requestId?: string;
+    attributes?: Record<string, unknown>;
+    resource?: unknown;
+};
+type ResourceSpec = string | {
+    type: string;
+    id?: string;
+    data?: unknown;
+} | {
+    type: string;
+    idFrom: (req: Request) => string;
+    loader: (id: string, req: Request) => Promise<unknown>;
+};
+type GetContextFn = (req: Request) => Partial<AutorixRequestContext> | Promise<Partial<AutorixRequestContext>>;
+type AutorixExpressOptions = {
+    enforcer: {
+        can: (input: {
+            action: string;
+            context: AutorixRequestContext;
+            resource?: unknown;
+        }) => Promise<{
+            allowed: boolean;
+            reason?: string;
+        }>;
+    };
+    getPrincipal: (req: Request) => Principal | Promise<Principal>;
+    getTenant?: (req: Request) => string | null | Promise<string | null>;
+    getContext?: GetContextFn;
+    onDecision?: (d: {
+        allowed: boolean;
+        action: string;
+        reason?: string;
+    }, req: Request) => void;
+};
+declare global {
+    namespace Express {
+        interface Request {
+            autorix?: {
+                context: AutorixRequestContext;
+                can: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<boolean>;
+                enforce: (action: string, resource?: unknown, ctxExtra?: Record<string, unknown>) => Promise<void>;
+            };
+        }
+    }
+}
+declare function autorixExpress(opts: AutorixExpressOptions): (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+type AuthorizeConfig = {
+    action: string;
+    resource?: ResourceSpec;
+    context?: Record<string, unknown> | ((req: Request) => Record<string, unknown> | Promise<Record<string, unknown>>);
+    requireAuth?: boolean;
+};
+declare function authorize(actionOrConfig: string | AuthorizeConfig, cfg?: Omit<AuthorizeConfig, "action">): (req: Request, _res: Response, next: NextFunction) => Promise<void>;
+declare function buildRequestContext(req: Request, opts: AutorixExpressOptions): Promise<AutorixRequestContext>;
+type GetPrincipalFn = (req: Request) => Principal | Promise<Principal>;
+declare function resolvePrincipal(req: Request, getPrincipal: GetPrincipalFn): Promise<Principal>;
+declare function resolveResource(spec: ResourceSpec, req: Request): Promise<unknown>;
+type AutorixErrorCode = "AUTORIX_FORBIDDEN" | "AUTORIX_UNAUTHENTICATED" | "AUTORIX_MISSING_MIDDLEWARE" | "AUTORIX_INTERNAL";
+declare class AutorixHttpError extends Error {
+    readonly statusCode: number;
+    readonly code: AutorixErrorCode;
+    readonly details?: unknown;
+    constructor(params: {
+        message: string;
+        statusCode: number;
+        code: AutorixErrorCode;
+        details?: unknown;
+    });
+}
+declare class AutorixForbiddenError extends AutorixHttpError {
+    constructor(reason?: string, details?: unknown);
+}
+declare class AutorixUnauthenticatedError extends AutorixHttpError {
+    constructor(details?: unknown);
+}
+declare class AutorixMissingMiddlewareError extends AutorixHttpError {
+    constructor(details?: unknown);
+}
+export { type AutorixErrorCode, type AutorixExpressOptions, AutorixForbiddenError, AutorixHttpError, AutorixMissingMiddlewareError, type AutorixRequestContext, AutorixUnauthenticatedError, type GetContextFn, type GetPrincipalFn, type Principal, type ResourceSpec, authorize, autorixExpress, buildRequestContext, resolvePrincipal, resolveResource };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,180 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+// src/context/principal.ts
+async function resolvePrincipal(req, getPrincipal) {
+  return await getPrincipal(req);
+}
+__name(resolvePrincipal, "resolvePrincipal");
+// src/context/buildRequestContext.ts
+async function buildRequestContext(req, opts) {
+  const principal = await resolvePrincipal(req, opts.getPrincipal);
+  const tenantId = opts.getTenant ? await opts.getTenant(req) : null;
+  const extra = opts.getContext ? await opts.getContext(req) : {};
+  const context = {
+    principal,
+    tenantId: tenantId ?? void 0,
+    ip: req.ip,
+    userAgent: req.headers["user-agent"],
+    requestId: req.headers["x-request-id"],
+    attributes: extra?.attributes,
+    resource: void 0,
+    ...extra
+  };
+  return context;
+}
+__name(buildRequestContext, "buildRequestContext");
+// src/errors/AutorixHttpErrors.ts
+var AutorixHttpError = class extends Error {
+  static {
+    __name(this, "AutorixHttpError");
+  }
+  statusCode;
+  code;
+  details;
+  constructor(params) {
+    super(params.message);
+    this.name = "AutorixHttpError";
+    this.statusCode = params.statusCode;
+    this.code = params.code;
+    this.details = params.details;
+  }
+};
+var AutorixForbiddenError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixForbiddenError");
+  }
+  constructor(reason, details) {
+    super({
+      message: reason ?? "Forbidden",
+      statusCode: 403,
+      code: "AUTORIX_FORBIDDEN",
+      details
+    });
+    this.name = "AutorixForbiddenError";
+  }
+};
+var AutorixUnauthenticatedError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixUnauthenticatedError");
+  }
+  constructor(details) {
+    super({
+      message: "Unauthenticated",
+      statusCode: 401,
+      code: "AUTORIX_UNAUTHENTICATED",
+      details
+    });
+    this.name = "AutorixUnauthenticatedError";
+  }
+};
+var AutorixMissingMiddlewareError = class extends AutorixHttpError {
+  static {
+    __name(this, "AutorixMissingMiddlewareError");
+  }
+  constructor(details) {
+    super({
+      message: "Autorix middleware not registered",
+      statusCode: 500,
+      code: "AUTORIX_MISSING_MIDDLEWARE",
+      details
+    });
+    this.name = "AutorixMissingMiddlewareError";
+  }
+};
+// src/middleware/autorixExpress.ts
+function autorixExpress(opts) {
+  return /* @__PURE__ */ __name(async function autorixMiddleware(req, _res, next) {
+    try {
+      const context = await buildRequestContext(req, opts);
+      req.autorix = {
+        context,
+        can: /* @__PURE__ */ __name(async (action, resource, ctxExtra) => {
+          const decision = await opts.enforcer.can({
+            action,
+            context: {
+              ...context,
+              attributes: {
+                ...context.attributes ?? {},
+                ...ctxExtra ?? {}
+              }
+            },
+            resource
+          });
+          opts.onDecision?.({
+            ...decision,
+            action
+          }, req);
+          return decision.allowed;
+        }, "can"),
+        enforce: /* @__PURE__ */ __name(async (action, resource, ctxExtra) => {
+          const allowed = await req.autorix.can(action, resource, ctxExtra);
+          if (!allowed) throw new AutorixForbiddenError();
+        }, "enforce")
+      };
+      return next();
+    } catch (e) {
+      return next(e);
+    }
+  }, "autorixMiddleware");
+}
+__name(autorixExpress, "autorixExpress");
+// src/context/resource.ts
+async function resolveResource(spec, req) {
+  if (typeof spec === "string") return {
+    type: spec
+  };
+  if ("loader" in spec) {
+    const id = spec.idFrom(req);
+    const data = await spec.loader(id, req);
+    return {
+      type: spec.type,
+      id,
+      data
+    };
+  }
+  return spec;
+}
+__name(resolveResource, "resolveResource");
+// src/middleware/authorize.ts
+function authorize(actionOrConfig, cfg) {
+  const config = typeof actionOrConfig === "string" ? {
+    action: actionOrConfig,
+    ...cfg ?? {}
+  } : actionOrConfig;
+  return /* @__PURE__ */ __name(async function authorizeMiddleware(req, _res, next) {
+    try {
+      if (!req.autorix) throw new AutorixMissingMiddlewareError();
+      if (config.requireAuth && !req.autorix.context.principal) {
+        throw new AutorixUnauthenticatedError();
+      }
+      const ctxExtra = typeof config.context === "function" ? await config.context(req) : config.context ?? {};
+      let resource = void 0;
+      if (config.resource) {
+        resource = await resolveResource(config.resource, req);
+        req.autorix.context.resource = resource;
+      }
+      await req.autorix.enforce(config.action, resource, ctxExtra);
+      return next();
+    } catch (e) {
+      return next(e);
+    }
+  }, "authorizeMiddleware");
+}
+__name(authorize, "authorize");
+export {
+  AutorixForbiddenError,
+  AutorixHttpError,
+  AutorixMissingMiddlewareError,
+  AutorixUnauthenticatedError,
+  authorize,
+  autorixExpress,
+  buildRequestContext,
+  resolvePrincipal,
+  resolveResource
+};

package/package.json ADDED Viewed

@@ -0,0 +1,63 @@
+{
+  "name": "@autorix/express",
+  "version": "0.1.0",
+  "description": "Express.js integration for Autorix policy-based authorization (RBAC + ABAC)",
+  "keywords": [
+    "authorization",
+    "rbac",
+    "abac",
+    "iam",
+    "policy",
+    "express",
+    "autorix"
+  ],
+  "license": "MIT",
+  "author": "Chechooxd <sergiogalaz60@gmail.com>",
+  "homepage": "https://github.com/chechooxd/autorix",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/chechooxd/autorix.git",
+    "directory": "packages/autorix-express"
+  },
+  "bugs": {
+    "url": "https://github.com/chechooxd/autorix/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts",
+    "test": "vitest -c ../../vitest.config.ts run",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@autorix/core": "^0.1.0"
+  },
+  "peerDependencies": {
+    "express": "^5.2.1"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.6",
+    "@types/supertest": "^6.0.3",
+    "express": "^5.2.1",
+    "supertest": "^7.2.2"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}