@axium/server 0.39.6 → 0.40.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/acl.d.ts +1 -4
- package/dist/acl.js +1 -21
- package/dist/auth.js +20 -12
- package/package.json +3 -3
package/dist/acl.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import type { AccessControl, AccessControllable, AccessTarget, UserInternal } from '@axium/core';
|
|
2
2
|
import type * as kysely from 'kysely';
|
|
3
3
|
import type { WithRequired } from 'utilium';
|
|
4
4
|
import * as db from './database.js';
|
|
@@ -25,7 +25,6 @@ export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> &
|
|
|
25
25
|
};
|
|
26
26
|
/** Match ACL entries, optionally selecting for a given user-like object */
|
|
27
27
|
export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
|
|
28
|
-
export declare function controlMatchesUser(control: AccessControl, user: Pick<UserInternal, 'id' | 'roles' | 'tags'>): boolean | "" | null | undefined;
|
|
29
28
|
export interface ACLSelectionOptions {
|
|
30
29
|
/** Instead of using the `id` from `table`, use the `id` from this instead */
|
|
31
30
|
alias?: string;
|
|
@@ -42,8 +41,6 @@ export declare function get<const TB extends TableName>(table: TB, itemId: strin
|
|
|
42
41
|
export declare function update<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget, permissions: PermissionsFor<TB>): Promise<Result<TB>>;
|
|
43
42
|
export declare function remove<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
|
|
44
43
|
export declare function add<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
|
|
45
|
-
/** Check an ACL against a set of permissions. */
|
|
46
|
-
export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
|
|
47
44
|
export declare function listTables(): Record<string, TableName>;
|
|
48
45
|
export interface OptionsForWhere<TB extends TargetName> {
|
|
49
46
|
itemId?: keyof db.Schema[TB] & string;
|
package/dist/acl.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { fromTarget } from '@axium/core';
|
|
1
|
+
import { fromTarget } from '@axium/core/access';
|
|
2
2
|
import { jsonArrayFrom } from 'kysely/helpers/postgres';
|
|
3
3
|
import * as db from './database.js';
|
|
4
4
|
/** Match ACL entries, optionally selecting for a given user-like object */
|
|
@@ -15,12 +15,6 @@ export function match(user) {
|
|
|
15
15
|
return eb.or(ors);
|
|
16
16
|
};
|
|
17
17
|
}
|
|
18
|
-
export function controlMatchesUser(control, user) {
|
|
19
|
-
return ((!control.role && !control.tag && !control.userId) ||
|
|
20
|
-
control.userId === user.id ||
|
|
21
|
-
(control.role && user.roles.includes(control.role)) ||
|
|
22
|
-
(control.tag && user.tags.includes(control.tag)));
|
|
23
|
-
}
|
|
24
18
|
/**
|
|
25
19
|
* Helper to select all access controls for a given table, including the user information.
|
|
26
20
|
* Optionally filter for the entries applicable to a specific user.
|
|
@@ -72,20 +66,6 @@ export async function add(table, itemId, target) {
|
|
|
72
66
|
.$castTo()
|
|
73
67
|
.executeTakeFirstOrThrow();
|
|
74
68
|
}
|
|
75
|
-
/** Check an ACL against a set of permissions. */
|
|
76
|
-
export function check(acl, permissions) {
|
|
77
|
-
const allowed = new Set();
|
|
78
|
-
const all = new Set(Object.keys(permissions));
|
|
79
|
-
const entries = Object.entries(permissions);
|
|
80
|
-
for (const control of acl) {
|
|
81
|
-
for (const [key, needed] of entries) {
|
|
82
|
-
const value = control[key];
|
|
83
|
-
if (value === needed)
|
|
84
|
-
allowed.add(key);
|
|
85
|
-
}
|
|
86
|
-
}
|
|
87
|
-
return all.difference(allowed);
|
|
88
|
-
}
|
|
89
69
|
export function listTables() {
|
|
90
70
|
const tables = {};
|
|
91
71
|
for (const [, file] of db.schema.getFiles()) {
|
package/dist/auth.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { checkACL, controlMatchesUser } from '@axium/core';
|
|
1
2
|
import { randomBytes, randomUUID } from 'node:crypto';
|
|
2
3
|
import { omit } from 'utilium';
|
|
3
4
|
import * as acl from './acl.js';
|
|
@@ -121,8 +122,8 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
121
122
|
.select(acl.from(itemType))
|
|
122
123
|
.executeTakeFirstOrThrow()
|
|
123
124
|
.catch(e => {
|
|
124
|
-
if (e.message.includes('no rows'))
|
|
125
|
-
error(404,
|
|
125
|
+
if (e.constructor.name == 'NoResultError' || e.message.includes('no rows'))
|
|
126
|
+
error(404, 'Not found');
|
|
126
127
|
throw e;
|
|
127
128
|
}));
|
|
128
129
|
const result = {
|
|
@@ -131,9 +132,7 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
131
132
|
user,
|
|
132
133
|
fromACL: false,
|
|
133
134
|
};
|
|
134
|
-
if (
|
|
135
|
-
error(401, 'Item is not public');
|
|
136
|
-
if (user.isSuspended)
|
|
135
|
+
if (user?.isSuspended)
|
|
137
136
|
error(403, 'User is suspended');
|
|
138
137
|
if (userId == item.userId)
|
|
139
138
|
return result;
|
|
@@ -166,10 +165,13 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
166
165
|
}
|
|
167
166
|
})
|
|
168
167
|
: item.acl;
|
|
169
|
-
const matching = controls.filter(c =>
|
|
168
|
+
const matching = controls.filter(c => controlMatchesUser(c, user));
|
|
170
169
|
if (!matching.length)
|
|
171
|
-
|
|
172
|
-
|
|
170
|
+
if (!session || !user)
|
|
171
|
+
error(401, 'Item is not public');
|
|
172
|
+
else
|
|
173
|
+
error(403, 'Item is not shared with you');
|
|
174
|
+
const missing = Array.from(checkACL(matching, permissions));
|
|
173
175
|
if (missing.length)
|
|
174
176
|
error(403, 'Missing permissions: ' + missing.join(', '));
|
|
175
177
|
return result;
|
|
@@ -179,9 +181,15 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
|
|
|
179
181
|
* This will fetch the item, ACLs, users, and the authenticating session.
|
|
180
182
|
*/
|
|
181
183
|
export async function authRequestForItem(request, itemType, itemId, permissions, recursive = false) {
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
184
|
+
let session = null;
|
|
185
|
+
try {
|
|
186
|
+
const token = getToken(request, false);
|
|
187
|
+
if (!token)
|
|
188
|
+
error(401, 'Missing token');
|
|
189
|
+
session = await getSessionAndUser(token).catch(() => null);
|
|
190
|
+
}
|
|
191
|
+
catch {
|
|
192
|
+
session = null;
|
|
193
|
+
}
|
|
186
194
|
return await authSessionForItem(itemType, itemId, permissions, session, recursive);
|
|
187
195
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@axium/server",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.40.0",
|
|
4
4
|
"author": "James Prevett <axium@jamespre.dev>",
|
|
5
5
|
"funding": {
|
|
6
6
|
"type": "individual",
|
|
@@ -47,8 +47,8 @@
|
|
|
47
47
|
"clean": "rm -rf build .svelte-kit node_modules/{.vite,.vite-temp}"
|
|
48
48
|
},
|
|
49
49
|
"peerDependencies": {
|
|
50
|
-
"@axium/client": ">=0.
|
|
51
|
-
"@axium/core": ">=0.
|
|
50
|
+
"@axium/client": ">=0.20.0",
|
|
51
|
+
"@axium/core": ">=0.23.0",
|
|
52
52
|
"kysely": "^0.28.0",
|
|
53
53
|
"utilium": "^2.6.0",
|
|
54
54
|
"zod": "^4.0.5"
|