@baeta/auth 0.0.0 → 2.0.0-next.15

package/dist/index.d.ts

@@ -0,0 +1,204 @@
+import { AppPlugin, FieldUsePlugin, SubscriptionUsePlugin, TypeUsePlugin } from "@baeta/core/sdk";
+import { ResolverParams } from "@baeta/core";
+
+//#region lib/error.d.ts
+/** Custom error resolver function for authorization failures. */
+type ScopeErrorResolver = (err: unknown) => unknown;
+/**
+ * Default error resolver for authorization failures.
+ * If multiple authorization errors are encountered they are combined into `AggregateGraphQLError` with proper HTTP status codes.
+ */
+declare function aggregateErrorResolver(err: AggregateError): any;
+//#endregion
+//#region lib/grant.d.ts
+/**
+ * Represents the result of a grant operation.
+ * Can be either a single grant or an array of grants defined in AuthExtension.GrantsMap.
+ */
+type GetGrantResult<Grant extends string, Result> = Grant | Grant[] | GrantConfig<Grant, Result> | GrantConfig<Grant, Result>[];
+/**
+ * Attaches a grant to a specific object derived from the resolver result,
+ * instead of the result itself. For array results, `target` is invoked per
+ * entry. `target` must return a non-primitive value.
+ */
+type GrantConfig<Grant extends string, Result> = {
+  grant: Grant | Grant[];
+  target: (result: GrantTarget<Result>) => unknown;
+};
+type GrantTarget<Result> = Result extends Array<infer U> ? U : Result;
+/**
+ * Function that determines grants based on resolver parameters and result.
+ * Used for dynamic permission granting based on resolved data.
+ */
+type GetGrantFn<Grants extends string, Result, Source, Context, Args, Info> = (params: ResolverParams<Source, Context, Args, Info>, result: Result) => GetGrantResult<Grants, Result> | PromiseLike<GetGrantResult<Grants, Result>>;
+/**
+ * Union type for grant specifications.
+ * Can be either a static grant result or a function that determines grants dynamically.
+ */
+type GetGrant<Grants extends string, Result, Source, Context, Args, Info> = GetGrantFn<Grants, Result, Source, Context, Args, Info> | GetGrantResult<Grants, Result>;
+//#endregion
+//#region lib/scope-rules.d.ts
+type LogicRule = 'and' | 'or' | 'chain' | 'race';
+type ScopesShape = Record<string, unknown>;
+/**
+ * Defines the structure of authorization scope rules.
+ * Combines individual scope rules with logical operators and granted permissions.
+ */
+type ScopeRules<Scopes extends ScopesShape, Grants extends string> = ScopeRule<Scopes, Grants> | ScopeLogicRule<Scopes, Grants>;
+/**
+ * Utility type that enforces boolean scopes must be true.
+ * For non-boolean scopes, preserves the original type.
+ */
+type ScopeRule<Scopes extends ScopesShape, Grants extends string> = { [K in keyof Scopes]: {
+  type: 'scope';
+  key: K;
+  value: Scopes[K] extends boolean ? true : Scopes[K];
+} }[keyof Scopes] | {
+  type: 'grant';
+  grant: Grants;
+};
+type ScopeLogicRule<Scopes extends ScopesShape, Grants extends string> = {
+  type: 'rule';
+  rule: LogicRule;
+  scopes: ScopeRules<Scopes, Grants>[];
+};
+//#endregion
+//#region lib/scope-cache-keys.d.ts
+/**
+ * Builds a cache key for a single scope. The returned value must be stable —
+ * equal inputs must produce a value that compares equal as a `Map` key (a
+ * string, or a stable object reference).
+ */
+type ScopeCacheKeyFn<Param> = (param: Param) => unknown;
+/**
+ * Provide an entry when the scope's argument can't be safely
+ * auto-serialized in a stable manner or when a more compact key
+ * is preferable.
+ */
+type ScopeCacheKeyMap<Scopes extends ScopesShape> = { [K in keyof Scopes as Scopes[K] extends boolean ? never : K]?: ScopeCacheKeyFn<Scopes[K]> };
+//#endregion
+//#region lib/scope-defaults.d.ts
+/** Configuration for default authorization scopes that apply to all operations of a specific type. */
+type DefaultScopes<Scopes extends ScopesShape, Grants extends string> = {
+  /** Default scopes applied to all Query operations */Query?: ScopeRules<Scopes, Grants>; /** Default scopes applied to all Mutation operations */
+  Mutation?: ScopeRules<Scopes, Grants>; /** Default scopes for Subscription operations */
+  Subscription?: ScopeRules<Scopes, Grants>;
+};
+//#endregion
+//#region lib/scope-resolver.d.ts
+/**
+ * Function that creates scope loaders for authorization checks.
+ * Returns a map of scope loaders that can be synchronous or asynchronous.
+ *
+ * @param ctx - The application context
+ * @returns A map of scope loaders or a promise resolving to scope loaders
+ *
+ * @example
+ * ```typescript
+ * const getScopeLoader: GetScopeLoader<Context> = (ctx) => ({
+ *   isLoggedIn: async () => {
+ *     if (!ctx.userId) throw new UnauthenticatedError();
+ *     return true;
+ *   },
+ *   hasAccess: (role) => ctx.user?.role === role
+ * });
+ * ```
+ */
+type GetScopeLoader<Scopes extends ScopesShape, Ctx> = (ctx: Ctx) => ScopeLoaderMap<Scopes> | Promise<ScopeLoaderMap<Scopes>>;
+/**
+ * Represents a scope loader that can be either a boolean value or a function.
+ * Function loaders receive the scope value and return a boolean result.
+ *
+ * @example
+ * ```typescript
+ * // Boolean loader
+ * const publicLoader: ScopeLoader<boolean> = true;
+ *
+ * // Function loader
+ * const roleLoader: ScopeLoader<string> = (role) => userRole === role;
+ * ```
+ */
+type ScopeLoader<T> = T extends boolean ? boolean | (() => boolean | Promise<boolean>) : (param: T) => boolean | Promise<boolean>;
+/**
+ * Maps scope names to their respective loaders.
+ * Each loader handles authorization checks for its scope.
+ *
+ * @example
+ * ```typescript
+ * const loaders: ScopeLoaderMap = {
+ *   isPublic: true,
+ *   isLoggedIn: () => Boolean(ctx.userId),
+ *   hasAccess: (role) => ctx.user?.roles.includes(role)
+ * };
+ * ```
+ */
+type ScopeLoaderMap<Scopes extends ScopesShape> = { [K in keyof Scopes]: Scopes[K] extends boolean ? boolean | (() => boolean | Promise<boolean>) : (param: Scopes[K]) => boolean | Promise<boolean> };
+//#endregion
+//#region lib/auth-middlewares.d.ts
+/**
+ * Options for authorization middlewares
+ */
+interface AuthMiddlewareOptions<Grants extends string, Result, Source, Context, Args, Info> {
+  /** Permissions to grant after successful authorization */
+  grants?: GetGrant<Grants, Result, Source, Context, Args, Info>;
+  /** Whether to skip default scopes for this operation */
+  skipDefaults?: boolean;
+}
+/**
+ * Function to get scope rules for pre-resolution authorization
+ */
+type GetScopeRules<Scopes extends ScopesShape, Grants extends string, Source, Context, Args, Info> = (params: ResolverParams<Source, Context, Args, Info>) => boolean | ScopeRules<Scopes, Grants> | PromiseLike<boolean | ScopeRules<Scopes, Grants>>;
+/**
+ * Function to get scope rules for post-resolution authorization
+ */
+type GetPostScopeRules<Scopes extends ScopesShape, Grants extends string, Result, Source, Context, Args, Info> = (params: ResolverParams<Source, Context, Args, Info>, result: Result) => boolean | ScopeRules<Scopes, Grants> | PromiseLike<boolean | ScopeRules<Scopes, Grants>>;
+//#endregion
+//#region lib/define-rules.d.ts
+type RuleAccessor<Scopes extends ScopesShape, Grants extends string> = {
+  and(scope: ScopeRules<Scopes, Grants>, ...scopes: ScopeRules<Scopes, Grants>[]): ScopeRules<Scopes, Grants>;
+  or(scope: ScopeRules<Scopes, Grants>, ...scopes: ScopeRules<Scopes, Grants>[]): ScopeRules<Scopes, Grants>;
+  chain(scope: ScopeRules<Scopes, Grants>, ...scopes: ScopeRules<Scopes, Grants>[]): ScopeRules<Scopes, Grants>;
+  race(scope: ScopeRules<Scopes, Grants>, ...scopes: ScopeRules<Scopes, Grants>[]): ScopeRules<Scopes, Grants>;
+};
+//#endregion
+//#region lib/define-scopes.d.ts
+type ScopeAccessor<Scopes extends ScopesShape, Grants extends string> = { [K in keyof Scopes]: Scopes[K] extends boolean ? ScopeRules<Scopes, Grants> : (param: Scopes[K]) => ScopeRules<Scopes, Grants> } & {
+  $granted: <G extends Grants>(grant: G) => ScopeRule<Scopes, G>;
+};
+//#endregion
+//#region lib/create-auth.d.ts
+type AuthPlugin<Result, Source, Context, Args, Info> = FieldUsePlugin<Result, Source, Context, Args, Info> & TypeUsePlugin<Source, Context, Info> & SubscriptionUsePlugin<Result, Source, Context, Args, Info, 'resolve'> & SubscriptionUsePlugin<Result, Source, Context, Args, Info, 'subscribe'>;
+/** Configuration options for Auth */
+interface AuthOptions<Scopes extends ScopesShape, Grants extends string> {
+  /** Default authorization scopes for queries, mutations or subscriptions */
+  defaultScopes?: (opt: {
+    scope: ScopeAccessor<Scopes, Grants>;
+    rule: RuleAccessor<Scopes, Grants>;
+  }) => DefaultScopes<Scopes, Grants>;
+  /** Custom error resolver for authorization failures */
+  errorResolver?: ScopeErrorResolver;
+  /**
+   * Per-scope cache key overrides. Recommended for scopes whose argument
+   * isn't safely auto-serializable: serializable args (primitives, plain
+   * objects, arrays of those) are stringified automatically, and anything
+   * else falls back to reference identity — which may miss cache hits when
+   * callers construct equivalent-but-distinct values.
+   */
+  cacheKeyMap?: ScopeCacheKeyMap<Scopes>;
+}
+declare function createAuth<Context, Scopes extends ScopesShape, Grants extends string>(loadScopes: GetScopeLoader<Scopes, Context>, globalOptions?: AuthOptions<Scopes, Grants>): {
+  auth: <Result, Source, Context_1, Args, Info>(scopes: ScopeRules<Scopes, Grants> | GetScopeRules<Scopes, Grants, Source, Context_1, Args, Info>, options?: AuthMiddlewareOptions<Grants, Result, Source, Context_1, Args, Info>) => AuthPlugin<Result, Source, Context_1, Args, Info>;
+  authAfter: <Result, Source, Context_1, Args, Info>(getScopes: GetPostScopeRules<Scopes, Grants, Result, Source, Context_1, Args, Info>, options?: AuthMiddlewareOptions<Grants, Result, Source, Context_1, Args, Info>) => AuthPlugin<Result, Source, Context_1, Args, Info>;
+  authAppPlugin: AppPlugin;
+  rule: RuleAccessor<Scopes, Grants>;
+  scope: ScopeAccessor<Scopes, Grants>;
+};
+//#endregion
+//#region lib/serialize.d.ts
+type SerializableScope = string | number | boolean | null | SerializableScope[] | {
+  [key: string]: SerializableScope;
+};
+declare function createScopeCacheKey(params: SerializableScope): string;
+//#endregion
+export { type AuthMiddlewareOptions, type AuthOptions, type DefaultScopes, type GetGrant, type GetGrantFn, type GetGrantResult, type GetPostScopeRules, type GetScopeLoader, type GetScopeRules, type GrantConfig, type LogicRule, type ScopeCacheKeyFn, type ScopeCacheKeyMap, type ScopeErrorResolver, type ScopeLoader, type ScopeLoaderMap, type ScopeRule, type ScopeRules, type ScopesShape, type SerializableScope, aggregateErrorResolver, createAuth, createScopeCacheKey };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,426 @@
+import { AggregateGraphQLError, ForbiddenError, InternalServerError } from "@baeta/errors";
+import { log } from "@baeta/util-log";
+import { GraphQLError } from "graphql";
+import { createAppPluginId, makePluginSymbol, nameFunction } from "@baeta/core/sdk";
+import { createContextStore } from "@baeta/core";
+import stringify from "safe-stable-stringify";
+//#region lib/error.ts
+function resolveError(err, resolve) {
+	const resolvedError = resolve(err);
+	if (resolvedError instanceof Error) throw resolvedError;
+	throw err;
+}
+function defaultErrorResolver(err) {
+	if (err instanceof AggregateError) return aggregateErrorResolver(err);
+	if (!isGraphqlError(err)) log.warn(`Non GraphQLError encountered by auth`, err);
+	return err;
+}
+/**
+* Default error resolver for authorization failures.
+* If multiple authorization errors are encountered they are combined into `AggregateGraphQLError` with proper HTTP status codes.
+*/
+function aggregateErrorResolver(err) {
+	if (err.errors.length === 1) {
+		if (!isGraphqlError(err.errors[0])) log.warn(`Non GraphQLError encountered by auth`, err);
+		return err.errors[0];
+	}
+	let http = {};
+	const errors = [];
+	for (const error of err.errors) {
+		if (!isGraphqlError(error)) {
+			errors.push(new InternalServerError(error));
+			log.warn(`Non GraphQLError encountered by auth`, err);
+			continue;
+		}
+		errors.push(error);
+		if (error.extensions.http && http?.status !== 401) http = error.extensions.http;
+	}
+	return new AggregateGraphQLError(errors, void 0, { extensions: { http } });
+}
+function isGraphqlError(err) {
+	return err instanceof GraphQLError;
+}
+//#endregion
+//#region utils/resolver.ts
+function isOperationType(type) {
+	return [
+		"Query",
+		"Mutation",
+		"Subscription"
+	].includes(type);
+}
+const [getAuthStore, setAuthStore] = createContextStore(Symbol("@baeta/auth"));
+//#endregion
+//#region lib/grant.ts
+async function saveGrants(params, result, grants) {
+	if (result == null) return;
+	const [store, resolvedGrants] = await Promise.all([getAuthStore(params.ctx), resolveGrants(params, result, grants)]);
+	const entries = Array.isArray(result) ? result : [result];
+	resolvedGrants.forEach(({ grant, target }) => {
+		for (const entry of entries) {
+			if (entry == null) continue;
+			store.grantCache.addGrants(target(entry), grant);
+		}
+	});
+}
+function defaultTarget(entry) {
+	return entry;
+}
+function normalizeGrant(grants) {
+	if (typeof grants === "string") return {
+		grant: [grants],
+		target: defaultTarget
+	};
+	return {
+		grant: Array.isArray(grants.grant) ? grants.grant : [grants.grant],
+		target: grants.target
+	};
+}
+function normalizeGrants(grants) {
+	if (Array.isArray(grants)) return grants.map((el) => normalizeGrant(el));
+	return [normalizeGrant(grants)];
+}
+async function resolveGrants(params, result, grants) {
+	if (typeof grants !== "function") return normalizeGrants(grants);
+	return normalizeGrants(await grants(params, result));
+}
+//#endregion
+//#region lib/scope-defaults.ts
+function selectDefaultScopes(skipDefaults, type, defaultScopes) {
+	if (!defaultScopes) return;
+	if (!isOperationType(type)) return;
+	if (skipDefaults === true) return;
+	if (type === "Query") return defaultScopes.Query;
+	if (type === "Mutation") return defaultScopes.Mutation;
+	if (type === "Subscription") return defaultScopes.Subscription;
+}
+//#endregion
+//#region lib/scope-rules.ts
+async function verifyGrant(params, grant) {
+	if (grant == null) throw new Error("Grant key '$granted' must be defined in the scope rules!");
+	if ((await getAuthStore(params.ctx)).grantCache.getGrants(params.source)?.has(grant) !== true) throw new ForbiddenError();
+	return true;
+}
+async function verifyScope(params, scope) {
+	if (scope == null) throw new Error("Scope rules cannot be undefined!");
+	if (scope.type === "rule") return await verifyScopeRule(params, scope);
+	if (scope.type === "grant") return await verifyGrant(params, scope.grant);
+	if (scope.type === "scope") {
+		const resolve = (await getAuthStore(params.ctx)).scopes.get(scope.key);
+		if (resolve == null) throw new Error(`No scope resolver found for key '${scope.key}'!`);
+		if (await resolve(scope.value) !== true) throw new Error("Scope resolver should throw for non true results!");
+		return true;
+	}
+	throw new Error("Invalid scope rule! Must be a scope, grant, or nested rule.");
+}
+async function verifyScopeRule(params, scope) {
+	if (scope.scopes.length === 0) throw new Error("Scope rule cannot be empty!");
+	if (scope.rule === "chain") return await verifyChainScopes(params, scope.scopes);
+	if (scope.rule === "race") return await verifyRaceScopes(params, scope.scopes);
+	if (scope.rule === "or") return await verifyOrScopes(params, scope.scopes);
+	if (scope.rule === "and") return await verifyAndScopes(params, scope.scopes);
+	scope.rule;
+	throw new Error("Invalid logic rule! Must be one of 'chain', 'race', 'or', or 'and'.");
+}
+async function verifyChainScopes(params, scopes) {
+	for (const scope of scopes) await verifyScope(params, scope);
+	return true;
+}
+async function verifyRaceScopes(params, scopes) {
+	for (const scope of scopes) if (await verifyScope(params, scope).catch((err) => err) === true) return true;
+	throw new ForbiddenError();
+}
+async function verifyOrScopes(params, scopes) {
+	const promises = scopes.map((scope) => verifyScope(params, scope));
+	return await Promise.any(promises);
+}
+async function verifyAndScopes(params, scopes) {
+	const promises = scopes.map((scope) => verifyScope(params, scope));
+	await Promise.all(promises);
+	return true;
+}
+//#endregion
+//#region lib/grant-cache.ts
+function createGrantCache() {
+	const cache = /* @__PURE__ */ new WeakMap();
+	return {
+		getGrants: (result) => {
+			if (!isValidTarget(result)) return;
+			return cache.get(result);
+		},
+		addGrants: (result, values) => {
+			if (!isValidTarget(result)) {
+				log.warn(`Attempted to add grants for a non-object result. Grants will not be saved.`, (/* @__PURE__ */ new Error()).stack);
+				return;
+			}
+			const existing = cache.get(result) ?? /* @__PURE__ */ new Set();
+			values.forEach((grant) => existing.add(grant));
+			cache.set(result, existing);
+		}
+	};
+}
+function isValidTarget(target) {
+	return typeof target === "object" && target !== null;
+}
+//#endregion
+//#region lib/serialize.ts
+function createScopeCacheKey(params) {
+	return stringify(params);
+}
+function canSafelySerialize(value, path = /* @__PURE__ */ new WeakSet()) {
+	if (Array.isArray(value)) {
+		if (path.has(value)) return false;
+		path.add(value);
+		const ok = value.every((v) => canSafelySerialize(v, path));
+		path.delete(value);
+		return ok;
+	}
+	if (value && typeof value === "object") {
+		const proto = Object.getPrototypeOf(value);
+		if (proto !== null && proto !== Object.prototype) return false;
+		if (path.has(value)) return false;
+		path.add(value);
+		const ok = Object.values(value).every((v) => canSafelySerialize(v, path));
+		path.delete(value);
+		return ok;
+	}
+	return isSerializablePrimitive(value);
+}
+function isSerializablePrimitive(value) {
+	if (typeof value === "number") return Number.isFinite(value);
+	return value === null || typeof value === "boolean" || typeof value === "string";
+}
+//#endregion
+//#region lib/scope-cache.ts
+const noParameterKey = Symbol("no-parameter");
+function createScopeCache(cacheKeyMap) {
+	const scopeCache = /* @__PURE__ */ new Map();
+	const keyFns = cacheKeyMap;
+	const makeKey = (scope, params) => {
+		if (params === void 0) return noParameterKey;
+		const customKeyFn = keyFns[scope];
+		if (customKeyFn) return customKeyFn(params);
+		if (canSafelySerialize(params)) return createScopeCacheKey(params);
+		return params;
+	};
+	return {
+		getScopeValue: (scope, params) => {
+			return scopeCache.get(scope)?.get(makeKey(scope, params));
+		},
+		setScopeValue: (scope, params, value) => {
+			let scopeParamsMap = scopeCache.get(scope);
+			if (scopeParamsMap == null) {
+				scopeParamsMap = /* @__PURE__ */ new Map();
+				scopeCache.set(scope, scopeParamsMap);
+			}
+			scopeParamsMap.set(makeKey(scope, params), value);
+		}
+	};
+}
+//#endregion
+//#region lib/scope-resolver.ts
+function resolveBoolean(param) {
+	if (param !== true) throw new ForbiddenError();
+	return true;
+}
+function createScopeResolver(ctx, name, value) {
+	if (!(typeof value === "function")) return () => resolveBoolean(value);
+	return async (params) => {
+		const store = await getAuthStore(ctx);
+		const cached = await store.scopeCache.getScopeValue(name, params);
+		if (cached != null) return resolveBoolean(cached);
+		const resultPromise = value(params);
+		store.scopeCache.setScopeValue(name, params, resultPromise);
+		return resolveBoolean(await resultPromise);
+	};
+}
+function createScopeResolverMap(ctx, scopeLoaderMap) {
+	const map = /* @__PURE__ */ new Map();
+	for (const [key, value] of Object.entries(scopeLoaderMap)) map.set(key, createScopeResolver(ctx, key, value));
+	return map;
+}
+//#endregion
+//#region lib/store-loader.ts
+function loadAuthStore(ctx, getScopeLoader, cacheKeyMap) {
+	setAuthStore(ctx, async () => {
+		return {
+			scopes: createScopeResolverMap(ctx, await getScopeLoader(ctx)),
+			scopeCache: createScopeCache(cacheKeyMap),
+			grantCache: createGrantCache()
+		};
+	});
+}
+//#endregion
+//#region lib/auth-middlewares.ts
+function createMiddleware(type, loadScopes, cacheKeyMap, scopes, globalScopes, options, onError) {
+	const getScopes = typeof scopes === "function" ? scopes : () => scopes;
+	const defaultScopes = selectDefaultScopes(options?.skipDefaults, type, globalScopes);
+	return async (next, params) => {
+		loadAuthStore(params.ctx, loadScopes, cacheKeyMap);
+		await verifyMiddlewareScopes(params, defaultScopes, await getScopes(params), onError ?? defaultErrorResolver);
+		const result = await next();
+		if (options?.grants) await saveGrants(params, result, options.grants);
+		return result;
+	};
+}
+function createPostMiddleware(type, loadScopes, cacheKeyMap, getScopes, globalScopes, options, onError) {
+	const defaultScopes = selectDefaultScopes(options?.skipDefaults, type, globalScopes);
+	return async (next, params) => {
+		loadAuthStore(params.ctx, loadScopes, cacheKeyMap);
+		const result = await next();
+		await verifyMiddlewareScopes(params, defaultScopes, await getScopes(params, result), onError ?? defaultErrorResolver);
+		if (options?.grants) await saveGrants(params, result, options.grants);
+		return result;
+	};
+}
+function createFallbackMiddleware(type, loadScopes, cacheKeyMap, globalScopes, onError) {
+	const rules = selectDefaultScopes(false, type, globalScopes);
+	if (rules == null) return;
+	return createMiddleware(type, loadScopes, cacheKeyMap, rules, {}, { skipDefaults: true }, onError);
+}
+async function verifyMiddlewareScopes(params, defaultScopes, requiredScopes, errorResolver) {
+	if (requiredScopes === false) throw new ForbiddenError();
+	const promises = [];
+	if (defaultScopes) promises.push(verifyScope(params, defaultScopes));
+	if (requiredScopes !== true) promises.push(verifyScope(params, requiredScopes));
+	if (promises.length === 0) return;
+	return await Promise.all(promises).catch((err) => resolveError(err, errorResolver));
+}
+//#endregion
+//#region lib/define-rules.ts
+function defineRules() {
+	return {
+		and(...scopes) {
+			return {
+				type: "rule",
+				rule: "and",
+				scopes
+			};
+		},
+		or(...scopes) {
+			return {
+				type: "rule",
+				rule: "or",
+				scopes
+			};
+		},
+		chain(...scopes) {
+			return {
+				type: "rule",
+				rule: "chain",
+				scopes
+			};
+		},
+		race(...scopes) {
+			return {
+				type: "rule",
+				rule: "race",
+				scopes
+			};
+		}
+	};
+}
+//#endregion
+//#region lib/define-scopes.ts
+function defineScopes() {
+	const cache = /* @__PURE__ */ new Map();
+	const resolveScope = (prop) => {
+		if (prop === "$granted") return (grant) => makeGrant(grant);
+		const leaf = makeProp(prop, true);
+		const fn = (param) => makeProp(prop, param);
+		return Object.assign(fn, leaf);
+	};
+	return new Proxy({}, { get(_target, prop) {
+		const cached = cache.get(prop);
+		if (cached) return cached;
+		const result = resolveScope(prop);
+		cache.set(prop, result);
+		return result;
+	} });
+}
+function makeGrant(grant) {
+	return {
+		type: "grant",
+		grant
+	};
+}
+function makeProp(prop, value) {
+	return {
+		type: "scope",
+		key: prop,
+		value
+	};
+}
+//#endregion
+//#region lib/create-auth.ts
+function createAuth(loadScopes, globalOptions = {}) {
+	const id = createAppPluginId("Baeta Auth");
+	const stateKey = Symbol("auth");
+	const scope = defineScopes();
+	const rule = defineRules();
+	const loadScopesFn = loadScopes;
+	const defaultScopes = globalOptions.defaultScopes?.({
+		scope,
+		rule
+	});
+	const cacheKeyMap = globalOptions.cacheKeyMap ?? {};
+	const makeAuthBuilder = (buildMiddleware) => {
+		return { [makePluginSymbol]: ({ type, field, subscriptionFieldKind }) => {
+			const middleware = buildMiddleware(type);
+			nameFunction(middleware, buildMiddlewareName(type, field, subscriptionFieldKind));
+			return {
+				id,
+				middleware,
+				meta: new Map([[stateKey, { hasAuth: true }]])
+			};
+		} };
+	};
+	const auth = (scopes, options) => makeAuthBuilder((type) => createMiddleware(type, loadScopesFn, cacheKeyMap, scopes, defaultScopes, options, globalOptions.errorResolver));
+	const authAfter = (getScopes, options) => makeAuthBuilder((type) => {
+		if (type === "Mutation") throw new Error("\"authAfter\" cannot be used on Mutations! authAfter is executed after the resolver thus cannot protect mutations. Use \"auth\" instead for mutations.");
+		return createPostMiddleware(type, loadScopesFn, cacheKeyMap, getScopes, defaultScopes, options, globalOptions.errorResolver);
+	});
+	return {
+		auth,
+		authAfter,
+		authAppPlugin: {
+			id,
+			name: "Baeta Auth",
+			mutate: (compilers) => {
+				if (defaultScopes == null) return;
+				for (const typeCompiler of iterateTypes(compilers)) {
+					if (!isOperationType(typeCompiler.type)) continue;
+					if (defaultScopes[typeCompiler.type] == null) continue;
+					if (hasAuth(typeCompiler.useMetadata(stateKey).get())) continue;
+					for (const fieldCompiler of typeCompiler.fields) {
+						if (hasAuth(readFieldAuthState(fieldCompiler, stateKey))) continue;
+						const middleware = createFallbackMiddleware(typeCompiler.type, loadScopesFn, cacheKeyMap, defaultScopes, globalOptions.errorResolver);
+						if (!middleware) continue;
+						if (fieldCompiler.kind === "Field") fieldCompiler.addTopLevelMiddleware(middleware);
+						else fieldCompiler.addTopLevelSubscribeMiddleware(middleware);
+					}
+				}
+			}
+		},
+		rule,
+		scope
+	};
+}
+function buildMiddlewareName(type, field, subscriptionFieldKind) {
+	if (field && subscriptionFieldKind) return `${type}.${field}.${subscriptionFieldKind}.$use.auth`;
+	if (field) return `${type}.${field}.$use.auth`;
+	return `${type}.$use.auth`;
+}
+function hasAuth(state) {
+	return state?.hasAuth === true;
+}
+function readFieldAuthState(field, key) {
+	return field.kind === "Field" ? field.useMetadata(key).get() : field.useSubscribeMetadata(key).get();
+}
+function* iterateTypes(compilers) {
+	for (const compiler of compilers) for (const typeCompiler of compiler.types) yield typeCompiler;
+}
+//#endregion
+export { aggregateErrorResolver, createAuth, createScopeCacheKey };
+
+//# sourceMappingURL=index.js.map