@axinom/mosaic-id-guard 0.18.0-rc.8 → 0.18.0

package/dist/common/helpers/guard-authorization.d.ts

@@ -0,0 +1,22 @@
+import { MosaicErrorInfo } from '@axinom/mosaic-service-common';
+import { GraphQLFieldResolver, GraphQLResolveInfo } from 'graphql';
+import { AxGuardOptions } from '../guard-utils';
+import { GenericAuthenticatedSubject } from '../types/authenticated-subject-models';
+/**
+ * Handles authorization for a given GraphQL mutation/query/subscription against a
+ * user token.
+ *
+ * @param subject Authenticated Subject
+ * @param authErrorInfo Authentication Error Info
+ * @param options AxGuardOptions
+ * @param resolveFunc Resolver function from guard-plugin or subscription-guard-plugin.
+ * @param parent
+ * @param args
+ * @param context
+ * @param info
+ * @returns
+ */
+export declare const handleAuthorization: (subject: GenericAuthenticatedSubject | undefined, authErrorInfo: MosaicErrorInfo | undefined, options: AxGuardOptions, resolveFunc: GraphQLFieldResolver<unknown, unknown, {
+    [argName: string]: unknown;
+}>, parent: unknown, args: Record<string, unknown>, context: unknown, info: GraphQLResolveInfo) => unknown;
+//# sourceMappingURL=guard-authorization.d.ts.map

package/dist/common/helpers/guard-authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-authorization.d.ts","sourceRoot":"","sources":["../../../src/common/helpers/guard-authorization.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAIhD,OAAO,EAAE,2BAA2B,EAAE,MAAM,uCAAuC,CAAC;AAEpF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,mBAAmB,YACrB,2BAA2B,GAAG,SAAS,iBACjC,eAAe,GAAG,SAAS,WACjC,cAAc;;YAQf,OAAO,QACT,OAAO,MAAM,EAAE,OAAO,CAAC,WACpB,OAAO,QACV,kBAAkB,KACvB,OAqCF,CAAC"}

package/dist/common/helpers/guard-authorization.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleAuthorization = void 0;
+const mosaic_service_common_1 = require("@axinom/mosaic-service-common");
+const __1 = require("..");
+const handle_end_user_authorization_1 = require("../handle-end-user-authorization");
+const handle_management_user_authorization_1 = require("../handle-management-user-authorization");
+const type_assertions_1 = require("../type-assertions");
+/**
+ * Handles authorization for a given GraphQL mutation/query/subscription against a
+ * user token.
+ *
+ * @param subject Authenticated Subject
+ * @param authErrorInfo Authentication Error Info
+ * @param options AxGuardOptions
+ * @param resolveFunc Resolver function from guard-plugin or subscription-guard-plugin.
+ * @param parent
+ * @param args
+ * @param context
+ * @param info
+ * @returns
+ */
+const handleAuthorization = (subject, authErrorInfo, options, resolveFunc, parent, args, context, info) => {
+    // If the permissionDefinition is not undefined, then the subject is a AuthenticatedManagementSubject
+    if (options.authorizationOptions.permissionDefinition !== undefined) {
+        if (subject !== undefined && subject !== null) {
+            (0, type_assertions_1.assertGenericAuthenticatedSubject)(subject);
+        }
+        (0, handle_management_user_authorization_1.handleManagementUserAuthorization)(options.authorizationOptions, options.ensureOnlyAuthentication, subject, authErrorInfo);
+        return resolveFunc.call(this, parent, args, context, info);
+    }
+    else {
+        /**
+         * This block handles end-user operations.
+         * If the if condition (options.authorizationOptions.permissionDefinition !== undefined) falls through to this else branch,
+         * then the request is a end-user call.
+         */
+        if (options.authorizationOptions.endUserAuthorizationConfig === undefined) {
+            throw new mosaic_service_common_1.MosaicError(__1.IdGuardErrors.AuthorizationOptionsMisconfigured);
+        }
+        if (subject !== undefined && subject !== null) {
+            (0, type_assertions_1.assertGenericAuthenticatedSubject)(subject);
+        }
+        (0, handle_end_user_authorization_1.handleEndUserAuthorization)(options.authorizationOptions, options.ensureOnlyAuthentication, subject, authErrorInfo);
+        return resolveFunc.call(this, parent, args, context, info);
+    }
+};
+exports.handleAuthorization = handleAuthorization;
+//# sourceMappingURL=guard-authorization.js.map

package/dist/common/helpers/guard-authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard-authorization.js","sourceRoot":"","sources":["../../../src/common/helpers/guard-authorization.ts"],"names":[],"mappings":";;;AAAA,yEAA6E;AAE7E,0BAAmC;AAEnC,oFAA8E;AAC9E,kGAA4F;AAC5F,wDAAuE;AAGvE;;;;;;;;;;;;;GAaG;AACI,MAAM,mBAAmB,GAAG,CACjC,OAAgD,EAChD,aAA0C,EAC1C,OAAuB,EACvB,WAMC,EACD,MAAe,EACf,IAA6B,EAC7B,OAAgB,EAChB,IAAwB,EACf,EAAE;IACX,qGAAqG;IACrG,IAAI,OAAO,CAAC,oBAAoB,CAAC,oBAAoB,KAAK,SAAS,EAAE;QACnE,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,IAAI,EAAE;YAC7C,IAAA,mDAAiC,EAAC,OAAO,CAAC,CAAC;SAC5C;QAED,IAAA,wEAAiC,EAC/B,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,wBAAwB,EAChC,OAAO,EACP,aAAa,CACd,CAAC;QACF,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;KAC5D;SAAM;QACL;;;;WAIG;QAEH,IAAI,OAAO,CAAC,oBAAoB,CAAC,0BAA0B,KAAK,SAAS,EAAE;YACzE,MAAM,IAAI,mCAAW,CAAC,iBAAa,CAAC,iCAAiC,CAAC,CAAC;SACxE;QAED,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,IAAI,EAAE;YAC7C,IAAA,mDAAiC,EAAC,OAAO,CAAC,CAAC;SAC5C;QAED,IAAA,0DAA0B,EACxB,OAAO,CAAC,oBAAoB,EAC5B,OAAO,CAAC,wBAAwB,EAChC,OAAO,EACP,aAAa,CACd,CAAC;QACF,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;KAC5D;AACH,CAAC,CAAC;AApDW,QAAA,mBAAmB,uBAoD9B"}

package/dist/common/id-guard-error.d.ts

@@ -2,4 +2,5 @@ import { MosaicError, MosaicErrorInfo } from '@axinom/mosaic-service-common';
 export declare class IdGuardError extends MosaicError {
     constructor(info: MosaicErrorInfo);
 }
+export declare const assertIdGuardError: (error: unknown) => asserts error is IdGuardError;
 //# sourceMappingURL=id-guard-error.d.ts.map

package/dist/common/id-guard-error.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"id-guard-error.d.ts","sourceRoot":"","sources":["../../src/common/id-guard-error.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,eAAe,EAEhB,MAAM,+BAA+B,CAAC;AAEvC,qBAAa,YAAa,SAAQ,WAAW;gBAC/B,IAAI,EAAE,eAAe;CAIlC"}
+{"version":3,"file":"id-guard-error.d.ts","sourceRoot":"","sources":["../../src/common/id-guard-error.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,eAAe,EAGhB,MAAM,+BAA+B,CAAC;AAEvC,qBAAa,YAAa,SAAQ,WAAW;gBAC/B,IAAI,EAAE,eAAe;CAIlC;AAED,eAAO,MAAM,kBAAkB,EAAE,CAC/B,KAAK,EAAE,OAAO,KACX,OAAO,CAAC,KAAK,IAAI,YAQrB,CAAC"}

package/dist/common/id-guard-error.js

@@ -11,7 +11,7 @@ var __rest = (this && this.__rest) || function (s, e) {
     return t;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IdGuardError = void 0;
+exports.assertIdGuardError = exports.IdGuardError = void 0;
 const mosaic_service_common_1 = require("@axinom/mosaic-service-common");
 class IdGuardError extends mosaic_service_common_1.MosaicError {
     constructor(info) {
@@ -20,4 +20,10 @@ class IdGuardError extends mosaic_service_common_1.MosaicError {
     }
 }
 exports.IdGuardError = IdGuardError;
+const assertIdGuardError = (error) => {
+    if (!(error instanceof IdGuardError)) {
+        throw new mosaic_service_common_1.NonMosaicError(`A caught error is not an instance of an IdGuardError class.`);
+    }
+};
+exports.assertIdGuardError = assertIdGuardError;
 //# sourceMappingURL=id-guard-error.js.map

package/dist/common/id-guard-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"id-guard-error.js","sourceRoot":"","sources":["../../src/common/id-guard-error.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAAA,yEAIuC;AAEvC,MAAa,YAAa,SAAQ,mCAAW;IAC3C,YAAY,IAAqB;QAC/B,MAAM,EAAE,OAAO,KAAwB,IAAI,EAAvB,cAAc,UAAK,IAAI,EAArC,WAA8B,CAAO,CAAC;QAC5C,KAAK,iCAAM,cAAc,KAAE,OAAO,kCAAO,OAAO,KAAE,WAAW,EAAX,mCAAW,OAAK,CAAC;IACrE,CAAC;CACF;AALD,oCAKC"}
+{"version":3,"file":"id-guard-error.js","sourceRoot":"","sources":["../../src/common/id-guard-error.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAAA,yEAKuC;AAEvC,MAAa,YAAa,SAAQ,mCAAW;IAC3C,YAAY,IAAqB;QAC/B,MAAM,EAAE,OAAO,KAAwB,IAAI,EAAvB,cAAc,UAAK,IAAI,EAArC,WAA8B,CAAO,CAAC;QAC5C,KAAK,iCAAM,cAAc,KAAE,OAAO,kCAAO,OAAO,KAAE,WAAW,EAAX,mCAAW,OAAK,CAAC;IACrE,CAAC;CACF;AALD,oCAKC;AAEM,MAAM,kBAAkB,GAEM,CACnC,KAAc,EACiB,EAAE;IACjC,IAAI,CAAC,CAAC,KAAK,YAAY,YAAY,CAAC,EAAE;QACpC,MAAM,IAAI,sCAAc,CACtB,6DAA6D,CAC9D,CAAC;KACH;AACH,CAAC,CAAC;AAVW,QAAA,kBAAkB,sBAU7B"}

package/dist/common/id-guard-errors.d.ts

@@ -83,5 +83,13 @@ export declare const IdGuardErrors: {
         readonly message: "Authenticated End User not found.";
         readonly code: "AUTHENTICATED_END_USER_NOT_FOUND";
     };
+    readonly WebSocketNotFound: {
+        readonly message: "Websocket not found in ExtendedGraphQLContext. This is a development time issue. A reference to the websocket must be included in Postgraphile build options.";
+        readonly code: "WEBSOCKET_NOT_FOUND";
+    };
+    readonly AuthorizationOptionsMisconfigured: {
+        readonly message: "A Permission Definition or an EndUserAuthorizationConfig was not found to be passed into Postgraphile build options. This is a development time issue.";
+        readonly code: "AUTHORIZATION_OPTIONS_MISCONFIGURED";
+    };
 };
 //# sourceMappingURL=id-guard-errors.d.ts.map

package/dist/common/id-guard-errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"id-guard-errors.d.ts","sourceRoot":"","sources":["../../src/common/id-guard-errors.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyFhB,CAAC"}
+{"version":3,"file":"id-guard-errors.d.ts","sourceRoot":"","sources":["../../src/common/id-guard-errors.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmGhB,CAAC"}

package/dist/common/id-guard-errors.js

@@ -86,5 +86,13 @@ exports.IdGuardErrors = {
         message: 'Authenticated End User not found.',
         code: 'AUTHENTICATED_END_USER_NOT_FOUND',
     },
+    WebSocketNotFound: {
+        message: 'Websocket not found in ExtendedGraphQLContext. This is a development time issue. A reference to the websocket must be included in Postgraphile build options.',
+        code: 'WEBSOCKET_NOT_FOUND',
+    },
+    AuthorizationOptionsMisconfigured: {
+        message: 'A Permission Definition or an EndUserAuthorizationConfig was not found to be passed into Postgraphile build options. This is a development time issue.',
+        code: 'AUTHORIZATION_OPTIONS_MISCONFIGURED',
+    },
 };
 //# sourceMappingURL=id-guard-errors.js.map

package/dist/common/id-guard-errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"id-guard-errors.js","sourceRoot":"","sources":["../../src/common/id-guard-errors.ts"],"names":[],"mappings":";;;AAAa,QAAA,aAAa,GAAG;IAC3B,mBAAmB,EAAE;QACnB,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,uBAAuB;KAC9B;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,sBAAsB;KAC7B;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE,sBAAsB;KAC7B;IACD,iBAAiB,EAAE;QACjB,OAAO,EAAE,iDAAiD;QAC1D,IAAI,EAAE,qBAAqB;KAC5B;IACD,kBAAkB,EAAE;QAClB,OAAO,EACL,oMAAoM;QACtM,IAAI,EAAE,uBAAuB;KAC9B;IACD,SAAS,EAAE;QACT,OAAO,EACL,kHAAkH;QACpH,IAAI,EAAE,YAAY;KACnB;IACD,6BAA6B,EAAE;QAC7B,OAAO,EAAE,kCAAkC;QAC3C,IAAI,EAAE,kCAAkC;KACzC;IACD,4BAA4B,EAAE;QAC5B,OAAO,EACL,wEAAwE;QAC1E,IAAI,EAAE,iCAAiC;KACxC;IACD,wBAAwB,EAAE;QACxB,OAAO,EACL,oEAAoE;QACtE,IAAI,EAAE,6BAA6B;KACpC;IACD,iBAAiB,EAAE;QACjB,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,qBAAqB;KAC5B;IACD,0BAA0B,EAAE;QAC1B,OAAO,EAAE,gEAAgE;QACzE,IAAI,EAAE,yBAAyB;KAChC;IACD,sCAAsC,EAAE;QACtC,OAAO,EAAE,6CAA6C;QACtD,IAAI,EAAE,4CAA4C;KACnD;IACD,uBAAuB,EAAE;QACvB,OAAO,EAAE,4CAA4C;QACrD,IAAI,EAAE,4BAA4B;KACnC;IACD,qBAAqB,EAAE;QACrB,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,0BAA0B;KACjC;IACD,8BAA8B,EAAE;QAC9B,OAAO,EAAE,iDAAiD;QAC1D,IAAI,EAAE,mCAAmC;KAC1C;IACD,iCAAiC,EAAE;QACjC,OAAO,EAAE,oDAAoD;QAC7D,IAAI,EAAE,sCAAsC;KAC7C;IACD,uBAAuB,EAAE;QACvB,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,2BAA2B;KAClC;IACD,kCAAkC,EAAE;QAClC,OAAO,EAAE,qDAAqD;QAC9D,IAAI,EAAE,uCAAuC;KAC9C;IACD,+BAA+B,EAAE;QAC/B,OAAO,EAAE,mDAAmD;QAC5D,IAAI,EAAE,qCAAqC;KAC5C;IACD,cAAc,EAAE;QACd,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,iBAAiB;KACxB;IACD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,kCAAkC;KACzC;CACO,CAAC"}
+{"version":3,"file":"id-guard-errors.js","sourceRoot":"","sources":["../../src/common/id-guard-errors.ts"],"names":[],"mappings":";;;AAAa,QAAA,aAAa,GAAG;IAC3B,mBAAmB,EAAE;QACnB,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,uBAAuB;KAC9B;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,sBAAsB;KAC7B;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,2BAA2B;QACpC,IAAI,EAAE,sBAAsB;KAC7B;IACD,iBAAiB,EAAE;QACjB,OAAO,EAAE,iDAAiD;QAC1D,IAAI,EAAE,qBAAqB;KAC5B;IACD,kBAAkB,EAAE;QAClB,OAAO,EACL,oMAAoM;QACtM,IAAI,EAAE,uBAAuB;KAC9B;IACD,SAAS,EAAE;QACT,OAAO,EACL,kHAAkH;QACpH,IAAI,EAAE,YAAY;KACnB;IACD,6BAA6B,EAAE;QAC7B,OAAO,EAAE,kCAAkC;QAC3C,IAAI,EAAE,kCAAkC;KACzC;IACD,4BAA4B,EAAE;QAC5B,OAAO,EACL,wEAAwE;QAC1E,IAAI,EAAE,iCAAiC;KACxC;IACD,wBAAwB,EAAE;QACxB,OAAO,EACL,oEAAoE;QACtE,IAAI,EAAE,6BAA6B;KACpC;IACD,iBAAiB,EAAE;QACjB,OAAO,EAAE,yBAAyB;QAClC,IAAI,EAAE,qBAAqB;KAC5B;IACD,0BAA0B,EAAE;QAC1B,OAAO,EAAE,gEAAgE;QACzE,IAAI,EAAE,yBAAyB;KAChC;IACD,sCAAsC,EAAE;QACtC,OAAO,EAAE,6CAA6C;QACtD,IAAI,EAAE,4CAA4C;KACnD;IACD,uBAAuB,EAAE;QACvB,OAAO,EAAE,4CAA4C;QACrD,IAAI,EAAE,4BAA4B;KACnC;IACD,qBAAqB,EAAE;QACrB,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,0BAA0B;KACjC;IACD,8BAA8B,EAAE;QAC9B,OAAO,EAAE,iDAAiD;QAC1D,IAAI,EAAE,mCAAmC;KAC1C;IACD,iCAAiC,EAAE;QACjC,OAAO,EAAE,oDAAoD;QAC7D,IAAI,EAAE,sCAAsC;KAC7C;IACD,uBAAuB,EAAE;QACvB,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,2BAA2B;KAClC;IACD,kCAAkC,EAAE;QAClC,OAAO,EAAE,qDAAqD;QAC9D,IAAI,EAAE,uCAAuC;KAC9C;IACD,+BAA+B,EAAE;QAC/B,OAAO,EAAE,mDAAmD;QAC5D,IAAI,EAAE,qCAAqC;KAC5C;IACD,cAAc,EAAE;QACd,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,iBAAiB;KACxB;IACD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,mCAAmC;QAC5C,IAAI,EAAE,kCAAkC;KACzC;IACD,iBAAiB,EAAE;QACjB,OAAO,EACL,+JAA+J;QACjK,IAAI,EAAE,qBAAqB;KAC5B;IACD,iCAAiC,EAAE;QACjC,OAAO,EACL,wJAAwJ;QAC1J,IAAI,EAAE,qCAAqC;KAC5C;CACO,CAAC"}

package/dist/graphql/ax-guard-plugin.d.ts

@@ -0,0 +1,23 @@
+/**
+ * AxGuard plugin is created by combining two plugins - `QueryMutationGuardPlugin`
+ * and `SubscriptionGuardPlugin`.
+ *
+ * This plugin handles authorization for GraphQL resources exposed by the APIs.
+ * For Queries and Mutations an error is thrown if the authorization fails.
+ *
+ * For subscriptions, if the JWT token expires while subscription events are emitted,
+ * the websocket connection is closed with `4403` code, allowing the client to automatically
+ * re-establish the connection.
+ * For authorization errors, the websocket is closed with `4401` code.
+ *
+ * **!!!!!!!!!! IMPORTANT !!!!!!!!!!**
+ *
+ * When using this plugin with subscriptions, it's mandatory to send the reference to
+ * the websocket through Extended GraphQL Context with the key name `websocket`.
+ * `getWebsocketFromRequest` from `@axinom/mosaic-service-common` can be used to extract the
+ * websocket from request.
+ *
+ * @returns
+ */
+export declare const AxGuardPlugin: import("graphile-build").Plugin;
+//# sourceMappingURL=ax-guard-plugin.d.ts.map

package/dist/graphql/ax-guard-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ax-guard-plugin.d.ts","sourceRoot":"","sources":["../../src/graphql/ax-guard-plugin.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,aAAa,iCAGzB,CAAC"}

package/dist/graphql/ax-guard-plugin.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AxGuardPlugin = void 0;
+const graphile_utils_1 = require("graphile-utils");
+const query_mutation_guard_plugin_1 = require("./query-mutation-guard-plugin");
+const subscription_guard_plugin_1 = require("./subscription-guard-plugin");
+/**
+ * AxGuard plugin is created by combining two plugins - `QueryMutationGuardPlugin`
+ * and `SubscriptionGuardPlugin`.
+ *
+ * This plugin handles authorization for GraphQL resources exposed by the APIs.
+ * For Queries and Mutations an error is thrown if the authorization fails.
+ *
+ * For subscriptions, if the JWT token expires while subscription events are emitted,
+ * the websocket connection is closed with `4403` code, allowing the client to automatically
+ * re-establish the connection.
+ * For authorization errors, the websocket is closed with `4401` code.
+ *
+ * **!!!!!!!!!! IMPORTANT !!!!!!!!!!**
+ *
+ * When using this plugin with subscriptions, it's mandatory to send the reference to
+ * the websocket through Extended GraphQL Context with the key name `websocket`.
+ * `getWebsocketFromRequest` from `@axinom/mosaic-service-common` can be used to extract the
+ * websocket from request.
+ *
+ * @returns
+ */
+exports.AxGuardPlugin = (0, graphile_utils_1.makePluginByCombiningPlugins)(query_mutation_guard_plugin_1.QueryMutationGuardPlugin, subscription_guard_plugin_1.SubscriptionGuardPlugin);
+//# sourceMappingURL=ax-guard-plugin.js.map

package/dist/graphql/ax-guard-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ax-guard-plugin.js","sourceRoot":"","sources":["../../src/graphql/ax-guard-plugin.ts"],"names":[],"mappings":";;;AAAA,mDAA8D;AAC9D,+EAAyE;AACzE,2EAAsE;AAEtE;;;;;;;;;;;;;;;;;;;;GAoBG;AACU,QAAA,aAAa,GAAG,IAAA,6CAA4B,EACvD,sDAAwB,EACxB,mDAAuB,CACxB,CAAC"}

package/dist/graphql/enforce-strict-permissions.plugin.d.ts

@@ -1,4 +1,4 @@
-import { Plugin } from 'graphile-build';
+import { Plugin } from 'postgraphile';
 /**
  * This will omit any operations currently not having any permission mappings for it.
  *

package/dist/graphql/enforce-strict-permissions.plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"enforce-strict-permissions.plugin.d.ts","sourceRoot":"","sources":["../../src/graphql/enforce-strict-permissions.plugin.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAQxC;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,MA+I5C,CAAC"}
+{"version":3,"file":"enforce-strict-permissions.plugin.d.ts","sourceRoot":"","sources":["../../src/graphql/enforce-strict-permissions.plugin.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAQtC;;;;GAIG;AACH,eAAO,MAAM,8BAA8B,EAAE,MA+I5C,CAAC"}

package/dist/graphql/index.d.ts

@@ -1,6 +1,7 @@
+export * from './ax-guard-plugin';
 export * from './enforce-strict-permissions.plugin';
 export * from './guard-context';
 export { setupEndUserAuthentication, setupEndUserGQLSubscriptionAuthentication, setupManagementAuthentication, setupManagementGQLSubscriptionAuthentication, throwEndUserAuthError, throwManagementAuthError, } from './guard-middleware';
-export * from './guard-plugin';
-export * from './subscription-authorization-hook-factory';
+export * from './query-mutation-guard-plugin';
+export * from './subscription-guard-plugin';
 //# sourceMappingURL=index.d.ts.map

package/dist/graphql/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/graphql/index.ts"],"names":[],"mappings":"AAAA,cAAc,qCAAqC,CAAC;AACpD,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,yCAAyC,EACzC,6BAA6B,EAC7B,4CAA4C,EAC5C,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,2CAA2C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/graphql/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,qCAAqC,CAAC;AACpD,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,yCAAyC,EACzC,6BAA6B,EAC7B,4CAA4C,EAC5C,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,cAAc,+BAA+B,CAAC;AAC9C,cAAc,6BAA6B,CAAC"}

package/dist/graphql/index.js

@@ -11,6 +11,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.throwManagementAuthError = exports.throwEndUserAuthError = exports.setupManagementGQLSubscriptionAuthentication = exports.setupManagementAuthentication = exports.setupEndUserGQLSubscriptionAuthentication = exports.setupEndUserAuthentication = void 0;
+__exportStar(require("./ax-guard-plugin"), exports);
 __exportStar(require("./enforce-strict-permissions.plugin"), exports);
 __exportStar(require("./guard-context"), exports);
 var guard_middleware_1 = require("./guard-middleware");
@@ -20,6 +21,6 @@ Object.defineProperty(exports, "setupManagementAuthentication", { enumerable: tr
 Object.defineProperty(exports, "setupManagementGQLSubscriptionAuthentication", { enumerable: true, get: function () { return guard_middleware_1.setupManagementGQLSubscriptionAuthentication; } });
 Object.defineProperty(exports, "throwEndUserAuthError", { enumerable: true, get: function () { return guard_middleware_1.throwEndUserAuthError; } });
 Object.defineProperty(exports, "throwManagementAuthError", { enumerable: true, get: function () { return guard_middleware_1.throwManagementAuthError; } });
-__exportStar(require("./guard-plugin"), exports);
-__exportStar(require("./subscription-authorization-hook-factory"), exports);
+__exportStar(require("./query-mutation-guard-plugin"), exports);
+__exportStar(require("./subscription-guard-plugin"), exports);
 //# sourceMappingURL=index.js.map

package/dist/graphql/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/graphql/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,sEAAoD;AACpD,kDAAgC;AAChC,uDAO4B;AAN1B,8HAAA,0BAA0B,OAAA;AAC1B,6IAAA,yCAAyC,OAAA;AACzC,iIAAA,6BAA6B,OAAA;AAC7B,gJAAA,4CAA4C,OAAA;AAC5C,yHAAA,qBAAqB,OAAA;AACrB,4HAAA,wBAAwB,OAAA;AAE1B,iDAA+B;AAC/B,4EAA0D"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/graphql/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,oDAAkC;AAClC,sEAAoD;AACpD,kDAAgC;AAChC,uDAO4B;AAN1B,8HAAA,0BAA0B,OAAA;AAC1B,6IAAA,yCAAyC,OAAA;AACzC,iIAAA,6BAA6B,OAAA;AAC7B,gJAAA,4CAA4C,OAAA;AAC5C,yHAAA,qBAAqB,OAAA;AACrB,4HAAA,wBAAwB,OAAA;AAE1B,gEAA8C;AAC9C,8DAA4C"}

package/dist/graphql/{guard-plugin.d.ts → query-mutation-guard-plugin.d.ts}

@@ -7,5 +7,5 @@
  * @param additionalGraphQLContextFromRequest should be of type `Record<string, any> & { subject: AuthenticatedSubject, authErrorInfo: AxGuardErrorInfo }`
  * @param graphileBuildOptions should be of type `Partial<Options> & { permissionDefinition: PermissionDefinition, serviceId: string, ensureOnlyAuthentication: boolean }`
  */
-export declare const AxGuardPlugin: import("graphile-build").Plugin;
-//# sourceMappingURL=guard-plugin.d.ts.map
+export declare const QueryMutationGuardPlugin: import("graphile-build").Plugin;
+//# sourceMappingURL=query-mutation-guard-plugin.d.ts.map

package/dist/graphql/query-mutation-guard-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-mutation-guard-plugin.d.ts","sourceRoot":"","sources":["../../src/graphql/query-mutation-guard-plugin.ts"],"names":[],"mappings":"AAWA;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,iCAyDpC,CAAC"}

package/dist/graphql/{guard-plugin.js → query-mutation-guard-plugin.js}

@@ -1,11 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AxGuardPlugin = void 0;
+exports.QueryMutationGuardPlugin = void 0;
 const graphile_utils_1 = require("graphile-utils");
-const common_1 = require("../common");
 const guard_utils_1 = require("../common/guard-utils");
-const handle_end_user_authorization_1 = require("../common/handle-end-user-authorization");
-const handle_management_user_authorization_1 = require("../common/handle-management-user-authorization");
+const guard_authorization_1 = require("../common/helpers/guard-authorization");
 /**
  * Postgraphile plugin that wraps resolver execution into an authentication check, making sure that that JwtToken subject is authorized to access a GraphQL resource.
  * It extracts the `ensureOnlyAuthentication` property from Postgraphile Build Options to determine if only the authentication check must be performed or authorization checks
@@ -15,7 +13,7 @@ const handle_management_user_authorization_1 = require("../common/handle-managem
  * @param additionalGraphQLContextFromRequest should be of type `Record<string, any> & { subject: AuthenticatedSubject, authErrorInfo: AxGuardErrorInfo }`
  * @param graphileBuildOptions should be of type `Partial<Options> & { permissionDefinition: PermissionDefinition, serviceId: string, ensureOnlyAuthentication: boolean }`
  */
-exports.AxGuardPlugin = (0, graphile_utils_1.makeWrapResolversPlugin)(({ scope }, _build, _config, { ensureOnlyAuthentication, serviceId, permissionDefinition, endUserAuthorizationConfig, }) => {
+exports.QueryMutationGuardPlugin = (0, graphile_utils_1.makeWrapResolversPlugin)(({ scope }, _build, _config, { ensureOnlyAuthentication, serviceId, permissionDefinition, endUserAuthorizationConfig, }) => {
     const operationCanBeProtected = scope.fieldName !== 'query' &&
         (scope.isRootQuery ||
             scope.isRootMutation ||
@@ -40,25 +38,6 @@ exports.AxGuardPlugin = (0, graphile_utils_1.makeWrapResolversPlugin)(({ scope }
     options.authorizationOptions.operation = resolveInfo.fieldName;
     // Validate if the Postgraphile build options related to authorization are correctly set.
     (0, guard_utils_1.validatePostgraphileBuildOptions)(options);
-    // If the permissionDefinition is not undefined, it is assumed that the subject is a AuthenticatedManagementSubject
-    if (options.authorizationOptions.permissionDefinition !== undefined) {
-        if (subject !== undefined && subject !== null) {
-            (0, common_1.assertGenericAuthenticatedSubject)(subject);
-        }
-        (0, handle_management_user_authorization_1.handleManagementUserAuthorization)(options.authorizationOptions, options.ensureOnlyAuthentication, subject, authErrorInfo);
-        return resolver(source, args, context, resolveInfo);
-    }
-    else {
-        /**
-         * This block handles end-user operations.
-         * If the if condition (options.authorizationOptions.permissionDefinition !== undefined) falls through to this else branch,
-         * it is assumed that the request is a end-user call.
-         */
-        if (subject !== undefined && subject !== null) {
-            (0, common_1.assertGenericAuthenticatedSubject)(subject);
-        }
-        (0, handle_end_user_authorization_1.handleEndUserAuthorization)(options.authorizationOptions, options.ensureOnlyAuthentication, subject, authErrorInfo);
-        return resolver(source, args, context, resolveInfo);
-    }
+    return (0, guard_authorization_1.handleAuthorization)(subject, authErrorInfo, options, resolver, source, args, context, resolveInfo);
 });
-//# sourceMappingURL=guard-plugin.js.map
+//# sourceMappingURL=query-mutation-guard-plugin.js.map

package/dist/graphql/query-mutation-guard-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-mutation-guard-plugin.js","sourceRoot":"","sources":["../../src/graphql/query-mutation-guard-plugin.ts"],"names":[],"mappings":";;;AAAA,mDAAyD;AAKzD,uDAG+B;AAC/B,+EAA4E;AAE5E;;;;;;;;GAQG;AACU,QAAA,wBAAwB,GAAG,IAAA,wCAAuB,EAC7D,CACE,EAAE,KAAK,EAAE,EACT,MAAM,EACN,OAAO,EACP,EACE,wBAAwB,EACxB,SAAS,EACT,oBAAoB,EACpB,0BAA0B,GAC3B,EACD,EAAE;IACF,MAAM,uBAAuB,GAC3B,KAAK,CAAC,SAAS,KAAK,OAAO;QAC3B,CAAC,KAAK,CAAC,WAAW;YAChB,KAAK,CAAC,cAAc;YACpB,KAAK,CAAC,wBAAwB;YAC9B,KAAK,CAAC,yBAAyB;YAC/B,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAE9B,IAAI,uBAAuB,EAAE;QAC3B,OAAO;YACL,wBAAwB,EAAE,wBAAwB,aAAxB,wBAAwB,cAAxB,wBAAwB,GAAI,KAAK;YAC3D,oBAAoB,EAAE;gBACpB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,SAAS;gBACT,oBAAoB;gBACpB,0BAA0B;aAC3B;SACF,CAAC;KACH;IAED,OAAO,IAAI,CAAC;AACd,CAAC,EACD,CAAC,OAAuB,EAAE,EAAE,CAC1B,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE;IACrD,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,OAEH,CAAC,CAAC,mEAAmE;IAErG,sIAAsI;IACtI,OAAO,CAAC,oBAAoB,CAAC,SAAS,GAAG,WAAW,CAAC,SAAS,CAAC;IAE/D,yFAAyF;IACzF,IAAA,8CAAgC,EAAC,OAAO,CAAC,CAAC;IAE1C,OAAO,IAAA,yCAAmB,EACxB,OAAO,EACP,aAAa,EACb,OAAO,EACP,QAAQ,EACR,MAAM,EACN,IAAI,EACJ,OAAO,EACP,WAAW,CACZ,CAAC;AACJ,CAAC,CACJ,CAAC"}

package/dist/graphql/subscription-guard-plugin.d.ts

@@ -0,0 +1,20 @@
+import { Plugin } from 'postgraphile';
+/**
+ * This plugin wraps around the `subscribe` method for subscriptions
+ * and performs authorization, making sure that that JwtToken subject is authorized to access a GraphQL resource.
+ *
+ * The websocket is closed with error code 4403 if the access token has expired, allowing the client
+ * to re-establish the connection.
+ * If any other error is thrown, the websocket is closed with error code 4401.
+ *
+ * **!!!!!!!!!! IMPORTANT !!!!!!!!!!**
+ *
+ * When using this plugin, it's mandatory to send the reference to the websocket through
+ * Extended GraphQL Context with the key name `websocket`.
+ * `getWebsocketFromRequest` from `@axinom/mosaic-service-common` can be used to extract the
+ * websocket from request.
+ *
+ * @param builder
+ */
+export declare const SubscriptionGuardPlugin: Plugin;
+//# sourceMappingURL=subscription-guard-plugin.d.ts.map

package/dist/graphql/subscription-guard-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subscription-guard-plugin.d.ts","sourceRoot":"","sources":["../../src/graphql/subscription-guard-plugin.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAatC;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,MA+ErC,CAAC"}

package/dist/graphql/subscription-guard-plugin.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SubscriptionGuardPlugin = void 0;
+const mosaic_service_common_1 = require("@axinom/mosaic-service-common");
+const graphql_ws_1 = require("graphql-ws");
+const common_1 = require("../common");
+const guard_utils_1 = require("../common/guard-utils");
+const guard_authorization_1 = require("../common/helpers/guard-authorization");
+/**
+ * This plugin wraps around the `subscribe` method for subscriptions
+ * and performs authorization, making sure that that JwtToken subject is authorized to access a GraphQL resource.
+ *
+ * The websocket is closed with error code 4403 if the access token has expired, allowing the client
+ * to re-establish the connection.
+ * If any other error is thrown, the websocket is closed with error code 4401.
+ *
+ * **!!!!!!!!!! IMPORTANT !!!!!!!!!!**
+ *
+ * When using this plugin, it's mandatory to send the reference to the websocket through
+ * Extended GraphQL Context with the key name `websocket`.
+ * `getWebsocketFromRequest` from `@axinom/mosaic-service-common` can be used to extract the
+ * websocket from request.
+ *
+ * @param builder
+ */
+const SubscriptionGuardPlugin = (builder) => {
+    builder.hook('GraphQLObjectType:fields:field', (field, build, _context) => {
+        if (field.subscribe) {
+            const oldSubscribe = field.subscribe;
+            field.subscribe = async function (parent, args, 
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            context, info) {
+                var _a;
+                if (!context.websocket) {
+                    throw new mosaic_service_common_1.MosaicError(common_1.IdGuardErrors.WebSocketNotFound);
+                }
+                const options = {
+                    authorizationOptions: {
+                        endUserAuthorizationConfig: build.options.endUserAuthorizationConfig,
+                        operation: info.fieldName,
+                        permissionDefinition: build.options.permissionDefinition,
+                        serviceId: build.options.serviceId,
+                    },
+                    ensureOnlyAuthentication: (_a = build.options.ensureOnlyAuthentication) !== null && _a !== void 0 ? _a : false,
+                };
+                const { authErrorInfo, subject } = context; // The context could be either a Management or an End-User context.
+                try {
+                    // Validate if the Postgraphile build options related to authorization are correctly set.
+                    (0, guard_utils_1.validatePostgraphileBuildOptions)(options);
+                    return (0, guard_authorization_1.handleAuthorization)(subject, authErrorInfo, options, oldSubscribe, parent, args, context, info);
+                }
+                catch (error) {
+                    (0, common_1.assertIdGuardError)(error);
+                    /**
+                     * If the token has expired, we close the connection with CloseCode.Forbidden, and allow the client to automatically re-establish
+                     * the connection with a new token.
+                     */
+                    if (error.code === common_1.IdGuardErrors.AccessTokenExpired.code) {
+                        /**
+                         * `CloseCode.Forbidden` is used so that the client will automatically start retry process with a newer token.
+                         * Any other CloseCode will result in a client exception and the client will not automatically retry.
+                         */
+                        context.websocket.close(graphql_ws_1.CloseCode.Forbidden, common_1.IdGuardErrors.AccessTokenExpired.code);
+                    }
+                    else {
+                        // Close the websocket connection.
+                        context.websocket.close(graphql_ws_1.CloseCode.Unauthorized, error.message);
+                    }
+                    throw error;
+                }
+            };
+        }
+        return field;
+    }, [], [], 
+    // Add the `subscribe` method to the graphql fields, wrapping around the GQL resolver.
+    // It looks for the `@pgSubscription` directive, and adds the `subscribe` method.
+    // https://github.com/graphile/graphile-engine/blob/1bc8cfefdab7a61fd7ad287bcdff66298352e308/packages/pg-pubsub/src/PgSubscriptionResolverPlugin.ts
+    ['PgSubscriptionResolver']);
+};
+exports.SubscriptionGuardPlugin = SubscriptionGuardPlugin;
+//# sourceMappingURL=subscription-guard-plugin.js.map

package/dist/graphql/subscription-guard-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"subscription-guard-plugin.js","sourceRoot":"","sources":["../../src/graphql/subscription-guard-plugin.ts"],"names":[],"mappings":";;;AAAA,yEAA4D;AAC5D,2CAAuC;AAEvC,sCAKmB;AACnB,uDAG+B;AAC/B,+EAA4E;AAE5E;;;;;;;;;;;;;;;;GAgBG;AACI,MAAM,uBAAuB,GAAW,CAAC,OAAO,EAAE,EAAE;IACzD,OAAO,CAAC,IAAI,CACV,gCAAgC,EAChC,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACzB,IAAI,KAAK,CAAC,SAAS,EAAE;YACnB,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC;YACrC,KAAK,CAAC,SAAS,GAAG,KAAK,WACrB,MAAe,EACf,IAAI;YACJ,8DAA8D;YAC9D,OAAY,EACZ,IAAI;;gBAEJ,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE;oBACtB,MAAM,IAAI,mCAAW,CAAC,sBAAa,CAAC,iBAAiB,CAAC,CAAC;iBACxD;gBAED,MAAM,OAAO,GAAmB;oBAC9B,oBAAoB,EAAE;wBACpB,0BAA0B,EACxB,KAAK,CAAC,OAAO,CAAC,0BAA0B;wBAC1C,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,oBAAoB;wBACxD,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS;qBACnC;oBACD,wBAAwB,EACtB,MAAA,KAAK,CAAC,OAAO,CAAC,wBAAwB,mCAAI,KAAK;iBAClD,CAAC;gBAEF,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,OAEH,CAAC,CAAC,mEAAmE;gBAErG,IAAI;oBACF,yFAAyF;oBACzF,IAAA,8CAAgC,EAAC,OAAO,CAAC,CAAC;oBAE1C,OAAO,IAAA,yCAAmB,EACxB,OAAO,EACP,aAAa,EACb,OAAO,EACP,YAAY,EACZ,MAAM,EACN,IAAI,EACJ,OAAO,EACP,IAAI,CACL,CAAC;iBACH;gBAAC,OAAO,KAAK,EAAE;oBACd,IAAA,2BAAkB,EAAC,KAAK,CAAC,CAAC;oBAC1B;;;uBAGG;oBACH,IAAI,KAAK,CAAC,IAAI,KAAK,sBAAa,CAAC,kBAAkB,CAAC,IAAI,EAAE;wBACxD;;;2BAGG;wBACH,OAAO,CAAC,SAAS,CAAC,KAAK,CACrB,sBAAS,CAAC,SAAS,EACnB,sBAAa,CAAC,kBAAkB,CAAC,IAAI,CACtC,CAAC;qBACH;yBAAM;wBACL,kCAAkC;wBAClC,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,sBAAS,CAAC,YAAY,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;qBAChE;oBACD,MAAM,KAAK,CAAC;iBACb;YACH,CAAC,CAAC;SACH;QACD,OAAO,KAAK,CAAC;IACf,CAAC,EACD,EAAE,EACF,EAAE;IACF,sFAAsF;IACtF,iFAAiF;IACjF,mJAAmJ;IACnJ,CAAC,wBAAwB,CAAC,CAC3B,CAAC;AACJ,CAAC,CAAC;AA/EW,QAAA,uBAAuB,2BA+ElC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axinom/mosaic-id-guard",
-  "version": "0.18.0-rc.8",
+  "version": "0.18.0",
   "description": "Authentication and authorization helpers for Axinom Mosaic services",
   "author": "Axinom",
   "license": "PROPRIETARY",
@@ -28,22 +28,21 @@
     "lint": "eslint . --ext .ts,.tsx,.js --color --cache"
   },
   "dependencies": {
-    "@axinom/mosaic-id-utils": "^0.12.0-rc.8",
-    "@axinom/mosaic-message-bus": "^0.13.0-rc.8",
-    "@axinom/mosaic-service-common": "^0.28.0-rc.8",
+    "@axinom/mosaic-id-utils": "^0.12.0",
+    "@axinom/mosaic-message-bus": "^0.13.0",
+    "@axinom/mosaic-service-common": "^0.28.0",
     "amqplib": "^0.6.0",
     "express": "^4.17.1",
     "express-bearer-token": "^2.4.0",
-    "graphile-build": "^4.12.0",
-    "graphile-build-pg": "^4.12.1",
-    "graphile-utils": "^4.12.1",
+    "graphile-build": "^4.13.0",
+    "graphile-utils": "^4.13.0",
     "graphql": "^15.4.0",
     "graphql-tag": "^2.11.0",
-    "graphql-ws": "^5.5.0",
+    "graphql-ws": "^5.11.2",
     "jsonwebtoken": "^8.5.1",
     "jwks-rsa": "^1.8.1",
     "pg": "^8.5.1",
-    "postgraphile": "^4.12.4",
+    "postgraphile": "^4.13.0",
     "rascal": "^14.0.1",
     "subscriptions-transport-ws": "^0.9.19"
   },
@@ -61,5 +60,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "acabd6cd509ce5d2b574e87468415fc3c71da8ca"
+  "gitHead": "45c880122572715cffa53f68c7dc75dfb207785e"
 }

package/src/common/helpers/guard-authorization.ts

@@ -0,0 +1,76 @@
+import { MosaicError, MosaicErrorInfo } from '@axinom/mosaic-service-common';
+import { GraphQLFieldResolver, GraphQLResolveInfo } from 'graphql';
+import { IdGuardErrors } from '..';
+import { AxGuardOptions } from '../guard-utils';
+import { handleEndUserAuthorization } from '../handle-end-user-authorization';
+import { handleManagementUserAuthorization } from '../handle-management-user-authorization';
+import { assertGenericAuthenticatedSubject } from '../type-assertions';
+import { GenericAuthenticatedSubject } from '../types/authenticated-subject-models';
+
+/**
+ * Handles authorization for a given GraphQL mutation/query/subscription against a
+ * user token.
+ *
+ * @param subject Authenticated Subject
+ * @param authErrorInfo Authentication Error Info
+ * @param options AxGuardOptions
+ * @param resolveFunc Resolver function from guard-plugin or subscription-guard-plugin.
+ * @param parent
+ * @param args
+ * @param context
+ * @param info
+ * @returns
+ */
+export const handleAuthorization = (
+  subject: GenericAuthenticatedSubject | undefined,
+  authErrorInfo: MosaicErrorInfo | undefined,
+  options: AxGuardOptions,
+  resolveFunc: GraphQLFieldResolver<
+    unknown,
+    unknown,
+    {
+      [argName: string]: unknown;
+    }
+  >,
+  parent: unknown,
+  args: Record<string, unknown>,
+  context: unknown,
+  info: GraphQLResolveInfo,
+): unknown => {
+  // If the permissionDefinition is not undefined, then the subject is a AuthenticatedManagementSubject
+  if (options.authorizationOptions.permissionDefinition !== undefined) {
+    if (subject !== undefined && subject !== null) {
+      assertGenericAuthenticatedSubject(subject);
+    }
+
+    handleManagementUserAuthorization(
+      options.authorizationOptions,
+      options.ensureOnlyAuthentication,
+      subject,
+      authErrorInfo,
+    );
+    return resolveFunc.call(this, parent, args, context, info);
+  } else {
+    /**
+     * This block handles end-user operations.
+     * If the if condition (options.authorizationOptions.permissionDefinition !== undefined) falls through to this else branch,
+     * then the request is a end-user call.
+     */
+
+    if (options.authorizationOptions.endUserAuthorizationConfig === undefined) {
+      throw new MosaicError(IdGuardErrors.AuthorizationOptionsMisconfigured);
+    }
+
+    if (subject !== undefined && subject !== null) {
+      assertGenericAuthenticatedSubject(subject);
+    }
+
+    handleEndUserAuthorization(
+      options.authorizationOptions,
+      options.ensureOnlyAuthentication,
+      subject,
+      authErrorInfo,
+    );
+    return resolveFunc.call(this, parent, args, context, info);
+  }
+};

package/src/common/id-guard-error.ts

@@ -1,6 +1,7 @@
 import {
   MosaicError,
   MosaicErrorInfo,
+  NonMosaicError,
   skipMaskTag,
 } from '@axinom/mosaic-service-common';
 
@@ -10,3 +11,15 @@ export class IdGuardError extends MosaicError {
     super({ ...everythingElse, details: { ...details, skipMaskTag } });
   }
 }
+
+export const assertIdGuardError: (
+  error: unknown,
+) => asserts error is IdGuardError = (
+  error: unknown,
+): asserts error is IdGuardError => {
+  if (!(error instanceof IdGuardError)) {
+    throw new NonMosaicError(
+      `A caught error is not an instance of an IdGuardError class.`,
+    );
+  }
+};

package/src/common/id-guard-errors.ts

@@ -87,4 +87,14 @@ export const IdGuardErrors = {
     message: 'Authenticated End User not found.',
     code: 'AUTHENTICATED_END_USER_NOT_FOUND',
   },
+  WebSocketNotFound: {
+    message:
+      'Websocket not found in ExtendedGraphQLContext. This is a development time issue. A reference to the websocket must be included in Postgraphile build options.',
+    code: 'WEBSOCKET_NOT_FOUND',
+  },
+  AuthorizationOptionsMisconfigured: {
+    message:
+      'A Permission Definition or an EndUserAuthorizationConfig was not found to be passed into Postgraphile build options. This is a development time issue.',
+    code: 'AUTHORIZATION_OPTIONS_MISCONFIGURED',
+  },
 } as const;