@axium/server 0.26.3 → 0.28.0

package/dist/acl.d.ts

@@ -1,60 +1,41 @@
-import type { AccessControl, Permission, UserInternal } from '@axium/core';
-import type { AliasedRawBuilder, Expression, ExpressionBuilder, Selectable } from 'kysely';
+import type { AccessControl, AccessMap, UserInternal } from '@axium/core';
+import type * as kysely from 'kysely';
+import type { WithRequired } from 'utilium';
 import * as db from './database.js';
-export interface Target {
-    userId: string;
-    publicPermission: Permission;
-}
-type _TableNames = (string & keyof db.Schema) & keyof {
-    [K in Exclude<keyof db.Schema, `acl.${string}`> as Selectable<db.Schema[K]> extends Omit<Target, 'acl'> ? K : never]: null;
+type _TableNames = keyof {
+    [K in keyof db.Schema as db.Schema[K] extends db.DBAccessControl ? K : never]: null;
+};
+type _TargetNames = keyof db.Schema & keyof {
+    [K in _TableNames as K extends `acl.${infer TB extends keyof db.Schema}` ? TB : never]: null;
 };
 /**
  * `never` causes a ton of problems, so we use `string` if none of the tables are shareable.
  */
-export type TargetName = _TableNames extends never ? keyof db.Schema : _TableNames;
+export type TableName = _TableNames extends never ? keyof db.Schema : _TableNames;
+export type TargetName = _TargetNames extends never ? keyof db.Schema : _TargetNames;
 export interface AccessControlInternal extends AccessControl {
-    user?: UserInternal;
+    tag?: string | null;
 }
-export declare const expectedTypes: {
-    userId: {
-        type: string;
-        required: true;
-    };
-    createdAt: {
-        type: string;
-        required: true;
-        hasDefault: true;
-    };
-    itemId: {
-        type: string;
-        required: true;
-    };
-    permission: {
-        type: string;
-        required: true;
-        hasDefault: true;
-    };
-};
-/**
- * Adds an Access Control List (ACL) in the database for managing access to rows in an existing table.
- * @category Plugin API
- */
-export declare function createTable(table: TargetName): Promise<void>;
-export declare function dropTable(table: TargetName): Promise<void>;
-export declare function wipeTable(table: TargetName): Promise<void>;
-export declare function createEntry(itemType: TargetName, data: Omit<AccessControl, 'createdAt'>): Promise<AccessControlInternal>;
-export declare function deleteEntry(itemType: TargetName, itemId: string, userId: string): Promise<void>;
+export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControlInternal | number | symbol>;
+export type Result<TB extends TableName> = AccessControlInternal & PermissionsFor<TB>;
+export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> & {
+    userId: string;
+    acl: Result<`acl.${TB}`>[];
+} & Record<string, any>;
 export interface ACLSelectionOptions {
-    /** If specified, only returns the access control for the given user ID. */
-    onlyId?: string | Expression<any>;
+    /** If specified, files by user UUID */
+    user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
 }
 /**
  * Helper to select all access controls for a given table, including the user information.
- *
- * @param onlyId If specified, only returns the access control for the given user ID.
+ * Optionally filter for the entries applicable to a specific user.
+ * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
-export declare function from(table: TargetName, opt?: ACLSelectionOptions): (eb: ExpressionBuilder<db.Schema, any>) => AliasedRawBuilder<Required<AccessControl>[], 'acl'>;
-export declare function get(itemType: TargetName, itemId: string): Promise<Required<AccessControlInternal>[]>;
+export declare function from<const TB extends TargetName>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
+export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<AccessControlInternal & kysely.Selectable<db.Schema[TB]>, 'user'>[]>;
+export declare function set<const TB extends TableName>(table: TB, itemId: string, data: AccessMap): Promise<(AccessControlInternal & kysely.Selectable<db.Schema[TB]>)[]>;
+export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
+export declare function listTables(): Record<string, TableName>;
 export {};

package/dist/acl.js

@@ -1,66 +1,64 @@
-import * as io from '@axium/core/node/io';
-import { sql } from 'kysely';
 import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import * as db from './database.js';
-const accessControllableTypes = {
-    userId: { type: 'uuid', required: true },
-    publicPermission: { type: 'int4', required: true, hasDefault: true },
-};
-export const expectedTypes = {
-    userId: { type: 'uuid', required: true },
-    createdAt: { type: 'timestamptz', required: true, hasDefault: true },
-    itemId: { type: 'uuid', required: true },
-    permission: { type: 'int4', required: true, hasDefault: true },
-};
-/**
- * Adds an Access Control List (ACL) in the database for managing access to rows in an existing table.
- * @category Plugin API
- */
-export async function createTable(table) {
-    await db.checkTableTypes(table, accessControllableTypes, { strict: true, extra: false });
-    io.start(`Creating table acl.${table}`);
-    await db.database.schema
-        .createTable(`acl.${table}`)
-        .addColumn('userId', 'uuid', col => col.references('users.id').onDelete('cascade'))
-        .addColumn('itemId', 'uuid', col => col.references(`${table}.id`).onDelete('cascade'))
-        .addPrimaryKeyConstraint('PK_acl_' + table, ['userId', 'itemId'])
-        .addColumn('createdAt', 'timestamptz', col => col.notNull().defaultTo(sql `now()`))
-        .addColumn('permission', 'integer', col => col.notNull().check(sql `permission >= 0 AND permission <= 5`))
-        .execute()
-        .then(io.done)
-        .catch(db.warnExists);
-    await db.createIndex(`acl.${table}`, 'userId');
-    await db.createIndex(`acl.${table}`, 'itemId');
-}
-export async function dropTable(table) {
-    io.start(`Dropping table acl.${table}`);
-    await db.database.schema.dropTable(`acl.${table}`).execute().then(io.done).catch(db.warnExists);
-}
-export async function wipeTable(table) {
-    io.start(`Wiping table acl.${table}`);
-    await db.database.deleteFrom(`acl.${table}`).execute().then(io.done).catch(db.warnExists);
-}
-export async function createEntry(itemType, data) {
-    return await db.database.insertInto(`acl.${itemType}`).values(data).returningAll().executeTakeFirstOrThrow();
-}
-export async function deleteEntry(itemType, itemId, userId) {
-    await db.database.deleteFrom(`acl.${itemType}`).where('itemId', '=', itemId).where('userId', '=', userId).execute();
-}
 /**
  * Helper to select all access controls for a given table, including the user information.
- *
- * @param onlyId If specified, only returns the access control for the given user ID.
+ * Optionally filter for the entries applicable to a specific user.
+ * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
 export function from(table, opt = {}) {
     return (eb) => jsonArrayFrom(eb
         .selectFrom(`acl.${table} as _acl`)
         .selectAll()
-        .select(db.userFromId)
         .whereRef(`_acl.itemId`, '=', `${opt.alias || table}.id`)
-        .$if(!!opt.onlyId, qb => qb.where('userId', '=', opt.onlyId)))
+        .where(eb => {
+        const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
+        if (!opt.user)
+            return allNull;
+        const ors = [allNull, eb('userId', '=', opt.user.id)];
+        if (opt.user.roles.length)
+            ors.push(eb('role', 'in', opt.user.roles));
+        if (opt.user.tags.length)
+            ors.push(eb('tag', 'in', opt.user.tags));
+        return eb.or(ors);
+    }))
         .$castTo()
         .as('acl');
 }
-export async function get(itemType, itemId) {
-    return await db.database.selectFrom(`acl.${itemType}`).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
+export async function get(table, itemId) {
+    // @ts-expect-error 2349
+    return await db.database.selectFrom(table).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
+}
+export async function set(table, itemId, data) {
+    const entries = Object.entries(data).map(([userId, perm]) => ({ userId, ...perm }));
+    if (!entries.length)
+        return [];
+    return await db.database
+        .updateTable(table)
+        // @ts-expect-error 2349
+        .from(db.values(entries, 'data'))
+        .set()
+        .whereRef(`${table}.userId`, '=', 'data.userId')
+        .where('itemId', '=', itemId)
+        .returningAll()
+        .execute();
+}
+export function check(acl, permissions) {
+    const allowed = new Set();
+    const all = new Set(Object.keys(permissions));
+    const entries = Object.entries(permissions);
+    for (const control of acl) {
+        for (const [key, needed] of entries) {
+            const value = control[key];
+            if (value === needed)
+                allowed.add(key);
+        }
+    }
+    return all.difference(allowed);
+}
+export function listTables() {
+    const tables = {};
+    for (const [, file] of db.getSchemaFiles()) {
+        Object.assign(tables, file.acl_tables || {});
+    }
+    return tables;
 }

package/dist/api/acl.js

@@ -1,19 +1,27 @@
-import { Permission } from '@axium/core/access';
+import { AccessMap } from '@axium/core/access';
 import * as z from 'zod';
 import * as acl from '../acl.js';
-import { parseBody, withError } from '../requests.js';
+import { error, parseBody, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
+import { checkAuthForItem } from '../auth.js';
 addRoute({
     path: '/api/acl/:itemType/:itemId',
     params: {
         itemType: z.string(),
         itemId: z.uuid(),
     },
-    async PUT(request, params) {
-        const type = params.itemType;
-        const itemId = params.itemId;
-        const data = await parseBody(request, z.object({ userId: z.uuid(), permission: Permission }));
-        const share = await acl.createEntry(type, { ...data, itemId }).catch(withError('Failed to create access control'));
-        return share;
+    async GET(request, { itemType, itemId }) {
+        const tables = acl.listTables();
+        if (!(itemType in tables))
+            error(400, 'Invalid item type: ' + itemType);
+        return await acl.get(tables[itemType], itemId).catch(withError('Failed to get access controls'));
+    },
+    async POST(request, { itemType, itemId }) {
+        const data = await parseBody(request, AccessMap);
+        const tables = acl.listTables();
+        if (!(itemType in tables))
+            error(400, 'Invalid item type: ' + itemType);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.set(tables[itemType], itemId, data);
     },
 });

package/dist/api/admin.js

@@ -5,16 +5,13 @@ import { omit } from 'utilium';
 import * as z from 'zod';
 import pkg from '../../package.json' with { type: 'json' };
 import { audit, events, getEvents } from '../audit.js';
-import { getSessionAndUser } from '../auth.js';
+import { requireSession } from '../auth.js';
 import { config } from '../config.js';
 import { count, database as db } from '../database.js';
-import { error, getToken, withError } from '../requests.js';
+import { error, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
 async function assertAdmin(route, req) {
-    const token = getToken(req);
-    if (!token)
-        error(401, 'Missing token');
-    const admin = await getSessionAndUser(token).catch(withError('Invalid session', 400));
+    const admin = await requireSession(req);
     if (!admin.user.isAdmin)
         error(403, 'Not an administrator');
     if (!config.admin_api)
@@ -55,9 +52,9 @@ addRoute({
 addRoute({
     path: '/api/admin/users/:userId',
     params: { userId: z.uuid() },
-    async GET(req, params) {
+    async GET(req, { userId }) {
         await assertAdmin(this, req);
-        if (!params.userId)
+        if (!userId)
             error(400, 'Missing user ID');
         const user = await db
             .selectFrom('users')
@@ -65,7 +62,7 @@ addRoute({
             .select(eb => jsonArrayFrom(eb.selectFrom('sessions').whereRef('sessions.userId', '=', 'users.id').selectAll())
             .$castTo()
             .as('sessions'))
-            .where('id', '=', params.userId)
+            .where('id', '=', userId)
             .executeTakeFirstOrThrow()
             .catch(withError('User not found', 404));
         return {
@@ -134,9 +131,9 @@ addRoute({
 addRoute({
     path: '/api/admin/audit/:eventId',
     params: { eventId: z.uuid() },
-    async GET(req, params) {
+    async GET(req, { eventId }) {
         await assertAdmin(this, req);
-        if (!params.eventId)
+        if (!eventId)
             error(400, 'Missing event ID');
         const event = await db
             .selectFrom('audit_log')
@@ -144,7 +141,7 @@ addRoute({
             .select(eb => jsonObjectFrom(eb.selectFrom('users').whereRef('users.id', '=', 'audit_log.userId').selectAll())
             .$castTo()
             .as('user'))
-            .where('id', '=', params.eventId)
+            .where('id', '=', eventId)
             .executeTakeFirstOrThrow()
             .catch(withError('Audit event not found', 404));
         return event;

package/dist/api/metadata.js

@@ -2,24 +2,17 @@ import { apps } from '@axium/core';
 import { plugins } from '@axium/core/plugins';
 import { requestMethods } from '@axium/core/requests';
 import pkg from '../../package.json' with { type: 'json' };
-import { getSessionAndUser } from '../auth.js';
+import { requireSession } from '../auth.js';
 import { config } from '../config.js';
-import { error, getToken } from '../requests.js';
+import { error } from '../requests.js';
 import { addRoute, routes } from '../routes.js';
 addRoute({
     path: '/api/metadata',
     async GET(request) {
         if (!config.debug) {
-            const token = getToken(request);
-            if (!token)
-                error(401, 'Missing session token');
-            const session = await getSessionAndUser(token);
-            if (!session)
-                error(401, 'Invalid session');
-            if (!session.user.isAdmin)
+            const { user } = await requireSession(request);
+            if (!user.isAdmin)
                 error(403, 'User is not an administrator');
-            if (session.user.isSuspended)
-                error(403, 'User is suspended');
         }
         return {
             version: pkg.version,

package/dist/api/passkeys.js

@@ -10,14 +10,14 @@ addRoute({
     params: {
         id: z.string(),
     },
-    async GET(request, params) {
-        const passkey = await getPasskey(params.id);
+    async GET(request, { id }) {
+        const passkey = await getPasskey(id);
         await checkAuthForUser(request, passkey.userId);
         return omit(passkey, 'counter', 'publicKey');
     },
-    async PATCH(request, params) {
+    async PATCH(request, { id }) {
         const body = await parseBody(request, PasskeyChangeable);
-        const passkey = await getPasskey(params.id);
+        const passkey = await getPasskey(id);
         await checkAuthForUser(request, passkey.userId);
         const result = await db
             .updateTable('passkeys')
@@ -28,8 +28,8 @@ addRoute({
             .catch(withError('Could not update passkey'));
         return omit(result, 'counter', 'publicKey');
     },
-    async DELETE(request, params) {
-        const passkey = await getPasskey(params.id);
+    async DELETE(request, { id }) {
+        const passkey = await getPasskey(id);
         await checkAuthForUser(request, passkey.userId);
         const { count } = await db
             .selectFrom('passkeys')

package/dist/api/register.js

@@ -48,7 +48,7 @@ async function POST(request) {
     const { verified, registrationInfo } = await verifyRegistrationResponse({
         response,
         expectedChallenge,
-        expectedOrigin: config.auth.origin,
+        expectedOrigin: config.origin,
     }).catch(() => error(400, 'Verification failed'));
     if (!verified || !registrationInfo)
         error(401, 'Verification failed');

package/dist/api/users.js

@@ -32,14 +32,12 @@ addRoute({
 addRoute({
     path: '/api/users/:id',
     params,
-    async GET(request, params) {
-        const userId = params.id;
+    async GET(request, { id: userId }) {
         const auth = await checkAuthForUser(request, userId).catch(() => null);
         const user = auth?.user || (await getUser(userId).catch(withError('User does not exist', 404)));
         return stripUser(user, !!auth);
     },
-    async PATCH(request, params) {
-        const userId = params.id;
+    async PATCH(request, { id: userId }) {
         const body = await parseBody(request, UserChangeable);
         await checkAuthForUser(request, userId);
         if ('email' in body)
@@ -55,8 +53,7 @@ addRoute({
             .catch(withError('Failed to update user'));
         return stripUser(result, true);
     },
-    async DELETE(request, params) {
-        const userId = params.id;
+    async DELETE(request, { id: userId }) {
         await checkAuthForUser(request, userId, true);
         const result = await db
             .deleteFrom('users')
@@ -71,8 +68,7 @@ addRoute({
 addRoute({
     path: '/api/users/:id/full',
     params,
-    async GET(request, params) {
-        const userId = params.id;
+    async GET(request, { id: userId }) {
         const { user } = await checkAuthForUser(request, userId);
         const sessions = await getSessions(userId);
         return {
@@ -84,8 +80,7 @@ addRoute({
 addRoute({
     path: '/api/users/:id/auth',
     params,
-    async OPTIONS(request, params) {
-        const userId = params.id;
+    async OPTIONS(request, { id: userId }) {
         const { type } = await parseBody(request, UserAuthOptions);
         const user = await getUser(userId).catch(withError('User does not exist', 404));
         if (user.isSuspended)
@@ -100,8 +95,7 @@ addRoute({
         challenges.set(userId, { data: options.challenge, type });
         return options;
     },
-    async POST(request, params) {
-        const userId = params.id;
+    async POST(request, { id: userId }) {
         const response = await parseBody(request, PasskeyAuthenticationResponse);
         const auth = challenges.get(userId);
         if (!auth)
@@ -116,7 +110,7 @@ addRoute({
             response,
             credential: passkey,
             expectedChallenge,
-            expectedOrigin: config.auth.origin,
+            expectedOrigin: config.origin,
             expectedRPID: config.auth.rp_id,
         })
             .catch(withError('Verification failed', 400));
@@ -143,8 +137,7 @@ addRoute({
     /**
      * Get passkey registration options for a user.
      */
-    async OPTIONS(request, params) {
-        const userId = params.id;
+    async OPTIONS(request, { id: userId }) {
         const existing = await getPasskeysByUserId(userId);
         const { user } = await checkAuthForUser(request, userId);
         const options = await webauthn.generateRegistrationOptions({
@@ -166,8 +159,7 @@ addRoute({
     /**
      * Get passkeys for a user.
      */
-    async GET(request, params) {
-        const userId = params.id;
+    async GET(request, { id: userId }) {
         await checkAuthForUser(request, userId);
         const passkeys = await getPasskeysByUserId(userId);
         return passkeys.map(p => omit(p, 'publicKey', 'counter'));
@@ -175,8 +167,7 @@ addRoute({
     /**
      * Register a new passkey for an existing user.
      */
-    async PUT(request, params) {
-        const userId = params.id;
+    async PUT(request, { id: userId }) {
         const response = await parseBody(request, PasskeyRegistration);
         await checkAuthForUser(request, userId);
         const expectedChallenge = registrations.get(userId);
@@ -187,7 +178,7 @@ addRoute({
             .verifyRegistrationResponse({
             response,
             expectedChallenge,
-            expectedOrigin: config.auth.origin,
+            expectedOrigin: config.origin,
         })
             .catch(withError('Verification failed', 400));
         if (!verified || !registrationInfo)
@@ -205,13 +196,11 @@ addRoute({
 addRoute({
     path: '/api/users/:id/sessions',
     params,
-    async GET(request, params) {
-        const userId = params.id;
+    async GET(request, { id: userId }) {
         await checkAuthForUser(request, userId);
         return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s => omit(s, 'token'));
     },
-    async DELETE(request, params) {
-        const userId = params.id;
+    async DELETE(request, { id: userId }) {
         const body = await parseBody(request, LogoutSessions);
         await checkAuthForUser(request, userId, body.confirm_all);
         if (!body.confirm_all && !Array.isArray(body.id))
@@ -229,8 +218,7 @@ addRoute({
 addRoute({
     path: '/api/users/:id/verify_email',
     params,
-    async OPTIONS(request, params) {
-        const userId = params.id;
+    async OPTIONS(request, { id: userId }) {
         if (!config.auth.email_verification)
             return { enabled: false };
         await checkAuthForUser(request, userId);
@@ -238,16 +226,14 @@ addRoute({
             return { enabled: false };
         return { enabled: true };
     },
-    async GET(request, params) {
-        const userId = params.id;
+    async GET(request, { id: userId }) {
         const { user } = await checkAuthForUser(request, userId);
         if (user.emailVerified)
             error(409, 'Email already verified');
         const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
         return omit(verification, 'token', 'role');
     },
-    async POST(request, params) {
-        const userId = params.id;
+    async POST(request, { id: userId }) {
         const { token } = await parseBody(request, z.object({ token: z.string() }));
         const { user } = await checkAuthForUser(request, userId);
         if (user.emailVerified)

package/dist/audit.d.ts

@@ -15,9 +15,6 @@ export interface $EventTypes {
     logout: {
         sessions: string[];
     };
-    acl_id_mismatch: {
-        item: string;
-    };
     admin_change: {
         user: string;
     };
@@ -25,6 +22,9 @@ export interface $EventTypes {
         route: string;
         session: string;
     };
+    response_error: {
+        stack?: string;
+    };
 }
 export type EventName = keyof $EventTypes;
 export type EventExtra<T extends EventName> = $EventTypes[T];

package/dist/audit.js

@@ -74,7 +74,7 @@ export async function audit(eventName, userId, extra) {
     }
 }
 export function getEvents(filter) {
-    let query = database.selectFrom('audit_log').selectAll();
+    let query = database.selectFrom('audit_log').selectAll().orderBy('timestamp', 'desc');
     if ('user' in filter && !filter.user)
         query = query.where('userId', 'is', null);
     else if (filter.user)
@@ -105,14 +105,6 @@ addEvent({
     tags: ['cli'],
     extra: { user: z.string() },
 });
-addEvent({
-    source: '@axium/server',
-    name: 'acl_id_mismatch',
-    severity: Severity.Critical,
-    tags: ['acl', 'auth'],
-    extra: { item: z.string() },
-    noAutoSuspend: true,
-});
 addEvent({
     source: '@axium/server',
     name: 'admin_api',
@@ -120,3 +112,10 @@ addEvent({
     tags: ['auth'],
     extra: { route: z.string(), session: z.string() },
 });
+addEvent({
+    source: '@axium/server',
+    name: 'response_error',
+    severity: Severity.Error,
+    tags: [],
+    extra: { stack: z.string().optional() },
+});

package/dist/auth.d.ts

@@ -1,5 +1,5 @@
-import type { Passkey, Permission, Session, UserInternal, Verification } from '@axium/core';
-import type { Insertable } from 'kysely';
+import type { Passkey, Session, UserInternal, Verification } from '@axium/core';
+import type { Insertable, Selectable } from 'kysely';
 import * as acl from './acl.js';
 import { type Schema } from './database.js';
 export declare function getUser(id: string): Promise<UserInternal>;
@@ -13,6 +13,7 @@ export interface SessionAndUser extends SessionInternal {
 }
 export declare function getSessionAndUser(token: string): Promise<SessionAndUser>;
 export declare function getSession(sessionId: string): Promise<SessionInternal>;
+export declare function requireSession(request: Request, sensitive?: boolean): Promise<SessionAndUser>;
 export declare function getSessions(userId: string): Promise<SessionInternal[]>;
 export type VerificationRole = 'verify_email' | 'login';
 export interface VerificationInternal extends Verification {
@@ -38,10 +39,14 @@ export interface UserAuthResult extends SessionAndUser {
     accessor: UserInternal;
 }
 export declare function checkAuthForUser(request: Request, userId: string, sensitive?: boolean): Promise<UserAuthResult>;
-export interface ItemAuthResult<T extends acl.Target> {
+export interface ItemAuthResult<TB extends acl.TargetName> {
     fromACL: boolean;
-    item: T;
+    item: Selectable<Schema[TB]>;
     user?: UserInternal;
     session?: SessionInternal;
 }
-export declare function checkAuthForItem<const V extends acl.Target>(request: Request, itemType: acl.TargetName, itemId: string, permission: Permission): Promise<ItemAuthResult<V>>;
+/**
+ * Authenticate a request against an "item" which has an ACL table.
+ * This will fetch the item, ACLs, users, and the authenticating session.
+ */
+export declare function checkAuthForItem<const TB extends acl.TargetName>(request: Request, itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>): Promise<ItemAuthResult<TB>>;