@balena/pinejs 19.7.2-build-esm-36f468424324d7ef7578ae401fc681c9f8f63e03-3 → 19.7.2-build-update-deps-a909ee054f395de407ec4e1275fd0f5b7514fe29-1

package/out/sbvr-api/permissions.js

@@ -1,28 +1,70 @@
-import './express-extension.js';
-import { isBindReference, odataNameToSqlName, sqlNameToODataName, } from '@balena/odata-to-abstract-sql';
-import ODataParser from '@balena/odata-parser';
-import _ from 'lodash';
-import memoize from 'memoizee';
-import randomstring from 'randomstring';
-import * as env from '../config-loader/env.js';
-import * as sbvrUtils from '../sbvr-api/sbvr-utils.js';
-import { addPureHook, addHook } from './hooks.js';
-import { BadRequestError, PermissionError, PermissionParsingError, } from './errors.js';
-import { memoizedGetOData2AbstractSQL, memoizedParseOdata, metadataEndpoints, } from './uri-parser.js';
-import memoizeWeak from 'memoizee/weak.js';
-import { importSBVR } from '../server-glue/sbvr-loader.js';
-const userModel = await importSBVR('./user.sbvr', import.meta);
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.config = exports.addPermissions = exports.checkPermissionsMiddleware = exports.checkPermissions = exports.apiKeyMiddleware = exports.customApiKeyMiddleware = exports.resolveApiKey = exports.authorizationMiddleware = exports.customAuthorizationMiddleware = exports.canAccess = exports.resolveAuthHeader = exports.checkApiKey = exports.getApiKeyPermissions = exports.getUserPermissions = exports.checkPassword = exports.rootRead = exports.root = exports.PermissionParsingError = exports.PermissionError = void 0;
+exports.nestedCheck = nestedCheck;
+exports.setup = setup;
+require("./express-extension");
+const odata_to_abstract_sql_1 = require("@balena/odata-to-abstract-sql");
+const ODataParser = __importStar(require("@balena/odata-parser"));
+const lodash_1 = __importDefault(require("lodash"));
+const memoizee_1 = __importDefault(require("memoizee"));
+const randomstring = __importStar(require("randomstring"));
+const env = __importStar(require("../config-loader/env"));
+const sbvrUtils = __importStar(require("../sbvr-api/sbvr-utils"));
+const hooks_1 = require("./hooks");
+const errors_1 = require("./errors");
+Object.defineProperty(exports, "PermissionError", { enumerable: true, get: function () { return errors_1.PermissionError; } });
+Object.defineProperty(exports, "PermissionParsingError", { enumerable: true, get: function () { return errors_1.PermissionParsingError; } });
+const uri_parser_1 = require("./uri-parser");
+const weak_1 = __importDefault(require("memoizee/weak"));
+const sbvr_loader_1 = require("../server-glue/sbvr-loader");
+const userModel = (0, sbvr_loader_1.requireSBVR)('./user.sbvr', require);
 const DEFAULT_ACTOR_BIND = '@__ACTOR_ID';
-const DEFAULT_ACTOR_BIND_REGEX = new RegExp(_.escapeRegExp(DEFAULT_ACTOR_BIND), 'g');
-export { PermissionError, PermissionParsingError };
-export const root = {
+const DEFAULT_ACTOR_BIND_REGEX = new RegExp(lodash_1.default.escapeRegExp(DEFAULT_ACTOR_BIND), 'g');
+exports.root = {
     user: {
         id: 0,
         actor: 0,
         permissions: ['resource.all'],
     },
 };
-export const rootRead = {
+exports.rootRead = {
     user: {
         id: 0,
         actor: 0,
@@ -57,7 +99,7 @@ const $parsePermissions = env.createCache('parsePermissions', (filter) => {
 const rewriteODataBinds = ({ tree, extraBinds }, odataBinds) => {
     const bindsLength = odataBinds.length;
     odataBinds.push(...extraBinds);
-    return _.cloneDeepWith(tree, (value) => {
+    return lodash_1.default.cloneDeepWith(tree, (value) => {
         if (value != null) {
             const bind = value.bind;
             if (Number.isInteger(bind)) {
@@ -72,7 +114,7 @@ const parsePermissions = (filter, odataBinds) => {
 };
 const isAnd = (x) => typeof x === 'object' && 'and' in x;
 const isOr = (x) => typeof x === 'object' && 'or' in x;
-export function nestedCheck(check, stringCallback) {
+function nestedCheck(check, stringCallback) {
     if (typeof check === 'string') {
         return stringCallback(check);
     }
@@ -100,7 +142,7 @@ export function nestedCheck(check, stringCallback) {
         }
         if (results.length > 1) {
             return {
-                and: _.uniq(results),
+                and: lodash_1.default.uniq(results),
             };
         }
         return true;
@@ -138,7 +180,7 @@ export function nestedCheck(check, stringCallback) {
                 }
                 if (results.length > 1) {
                     return {
-                        or: _.uniq(results),
+                        or: lodash_1.default.uniq(results),
                     };
                 }
                 return false;
@@ -168,13 +210,13 @@ const collapsePermissionFilters = (v) => {
     return v;
 };
 const namespaceRelationships = (relationships, alias) => {
-    _.forEach(relationships, (relationship, key) => {
+    lodash_1.default.forEach(relationships, (relationship, key) => {
         if (key === '$') {
             return;
         }
         let mapping = relationship.$;
         if (mapping != null && mapping.length === 2) {
-            mapping = _.cloneDeep(mapping);
+            mapping = lodash_1.default.cloneDeep(mapping);
             mapping[1][0] = `${mapping[1][0]}$${alias}`;
             relationships[`${key}$${alias}`] = {
                 $: mapping,
@@ -201,7 +243,7 @@ const getPermissionsLookup = env.createCache('permissionsLookup', (permissions,
     for (const target of Object.keys(permissionsLookup)) {
         const conditions = permissionsLookup[target];
         if (conditions !== true) {
-            permissionsLookup[target] = _.uniq(conditions);
+            permissionsLookup[target] = lodash_1.default.uniq(conditions);
         }
     }
     return permissionsLookup;
@@ -233,7 +275,7 @@ const $checkPermissions = (permissionsLookup, actionList, vocabulary, resourceNa
                 vocabularyResourcePermission = maybeVocabularyResourcePermission;
             }
         }
-        const conditionalPermissions = _.union(resourcePermission, vocabularyPermission, vocabularyResourcePermission);
+        const conditionalPermissions = lodash_1.default.union(resourcePermission, vocabularyPermission, vocabularyResourcePermission);
         if (conditionalPermissions.length === 1) {
             return conditionalPermissions[0];
         }
@@ -272,7 +314,7 @@ const rewriteSubPermissionBindings = (filter, counter) => {
             object.bind = counter + object.bind;
         }
         if (Array.isArray(object) || typeof object === 'object') {
-            _.forEach(object, (v) => {
+            lodash_1.default.forEach(object, (v) => {
                 rewrite(v);
             });
         }
@@ -295,28 +337,28 @@ const buildODataPermission = (permissionsLookup, actionList, vocabulary, resourc
         }
         catch (e) {
             console.warn('Failed to parse conditional permissions: ', permissionCheck);
-            throw new PermissionParsingError(e);
+            throw new errors_1.PermissionParsingError(e);
         }
     });
     const collapsedPermissionFilters = collapsePermissionFilters(permissionFilters);
     return collapsedPermissionFilters;
 };
-const constrainedPermissionError = new PermissionError();
+const constrainedPermissionError = new errors_1.PermissionError();
 const generateConstrainedAbstractSql = (permissionsLookup, actionList, vocabulary, resourceName) => {
     const abstractSQLModel = sbvrUtils.getAbstractSqlModel({
         vocabulary,
     });
-    const odata = memoizedParseOdata(`/${resourceName}`);
+    const odata = (0, uri_parser_1.memoizedParseOdata)(`/${resourceName}`);
     const collapsedPermissionFilters = buildODataPermission(permissionsLookup, actionList, vocabulary, resourceName, odata);
     if (collapsePermissionFilters == null) {
         return;
     }
-    _.set(odata, ['tree', 'options', '$filter'], collapsedPermissionFilters);
+    lodash_1.default.set(odata, ['tree', 'options', '$filter'], collapsedPermissionFilters);
     const lambdaAlias = randomstring.generate(20);
     let inc = 0;
     const canAccessTrace = [resourceName];
     const resolveBind = (maybeBind, extraBinds) => {
-        if (isBindReference(maybeBind)) {
+        if ((0, odata_to_abstract_sql_1.isBindReference)(maybeBind)) {
             const { bind } = maybeBind;
             if (typeof bind === 'string' || bind < odata.binds.length) {
                 return odata.binds[bind];
@@ -333,7 +375,7 @@ const generateConstrainedAbstractSql = (permissionsLookup, actionList, vocabular
         const targetResource = this.NavigateResources(this.defaultResource, resolvedProperty.name);
         const lambdaId = `${lambdaAlias}+${inc}`;
         inc = inc + 1;
-        const targetResourceName = sqlNameToODataName(targetResource.resource.name);
+        const targetResourceName = (0, odata_to_abstract_sql_1.sqlNameToODataName)(targetResource.resource.name);
         const traceIndex = canAccessTrace.findIndex((rName) => rName === targetResourceName);
         if (traceIndex !== -1) {
             if (canAccessTrace[canAccessTrace.length - 1] !== targetResourceName) {
@@ -358,7 +400,7 @@ const generateConstrainedAbstractSql = (permissionsLookup, actionList, vocabular
                 return this.Property(resolvedProperty);
             }
         }
-        const parentOdata = memoizedParseOdata(`/${targetResourceName}`);
+        const parentOdata = (0, uri_parser_1.memoizedParseOdata)(`/${targetResourceName}`);
         const collapsedParentPermissionFilters = buildODataPermission(permissionsLookup, actionList, vocabulary, targetResourceName, parentOdata);
         if (collapsedParentPermissionFilters == null) {
             return ['Equals', ['Boolean', true], ['Boolean', true]];
@@ -379,7 +421,7 @@ const generateConstrainedAbstractSql = (permissionsLookup, actionList, vocabular
             canAccessTrace.pop();
         }
     };
-    const { tree, extraBindVars } = memoizedGetOData2AbstractSQL(abstractSQLModel).match(odata.tree, 'GET', [], odata.binds.length, {
+    const { tree, extraBindVars } = (0, uri_parser_1.memoizedGetOData2AbstractSQL)(abstractSQLModel).match(odata.tree, 'GET', [], odata.binds.length, {
         canAccess: canAccessFunction,
     });
     odata.binds.push(...extraBindVars);
@@ -388,7 +430,7 @@ const generateConstrainedAbstractSql = (permissionsLookup, actionList, vocabular
     const select = abstractSqlQuery.find((v) => v[0] === 'Select');
     select[1] = select[1].map((selectField) => {
         if (selectField[0] === 'Alias') {
-            const sqlName = odataNameToSqlName(selectField[2]);
+            const sqlName = (0, odata_to_abstract_sql_1.odataNameToSqlName)(selectField[2]);
             const maybeField = selectField[1];
             if ((maybeField[0] === 'ReferencedField' && maybeField[2] === sqlName) ||
                 (maybeField[0] === 'Field' && maybeField[1] === sqlName)) {
@@ -436,7 +478,7 @@ const deepFreezeExceptDefinition = (obj) => {
         }
     }
 };
-const createBypassDefinition = (definition) => _.cloneDeepWith(definition, (abstractSql) => {
+const createBypassDefinition = (definition) => lodash_1.default.cloneDeepWith(definition, (abstractSql) => {
     if (Array.isArray(abstractSql) &&
         abstractSql[0] === 'Resource' &&
         !abstractSql[1].endsWith('$bypass')) {
@@ -445,13 +487,13 @@ const createBypassDefinition = (definition) => _.cloneDeepWith(definition, (abst
 });
 const createVersionSpecificPermissionDefinition = ({ abstractSql, ...restDefinition }, permissionsJSON) => {
     return {
-        ..._.cloneDeep(restDefinition),
-        abstractSql: _.cloneDeepWith(abstractSql, (abstractSqlNode) => {
+        ...lodash_1.default.cloneDeep(restDefinition),
+        abstractSql: lodash_1.default.cloneDeepWith(abstractSql, (abstractSqlNode) => {
             if (!Array.isArray(abstractSqlNode)) {
                 return;
             }
             if (abstractSqlNode[0] === 'Select' || abstractSqlNode[0] === 'Where') {
-                return _.cloneDeep(abstractSqlNode);
+                return lodash_1.default.cloneDeep(abstractSqlNode);
             }
             if (abstractSqlNode[0] === 'Resource' &&
                 typeof abstractSqlNode[1] === 'string' &&
@@ -473,10 +515,10 @@ const getAlias = (name) => {
     }
     return `permissions${permissionsJSON}`;
 };
-const rewriteRelationship = memoizeWeak((value, name, abstractSqlModel, permissionsLookup, vocabulary, odata2AbstractSQL) => {
-    let escapedName = sqlNameToODataName(name);
+const rewriteRelationship = (0, weak_1.default)((value, name, abstractSqlModel, permissionsLookup, vocabulary, odata2AbstractSQL) => {
+    let escapedName = (0, odata_to_abstract_sql_1.sqlNameToODataName)(name);
     if (abstractSqlModel.tables[name]) {
-        escapedName = sqlNameToODataName(abstractSqlModel.tables[name].name);
+        escapedName = (0, odata_to_abstract_sql_1.sqlNameToODataName)(abstractSqlModel.tables[name].name);
     }
     const rewrite = (object) => {
         if ('$' in object && Array.isArray(object.$)) {
@@ -489,27 +531,27 @@ const rewriteRelationship = memoizeWeak((value, name, abstractSqlModel, permissi
                 if (possibleTargetResourceName.endsWith('$bypass')) {
                     return;
                 }
-                const targetResourceEscaped = sqlNameToODataName(abstractSqlModel.tables[possibleTargetResourceName]?.name ??
+                const targetResourceEscaped = (0, odata_to_abstract_sql_1.sqlNameToODataName)(abstractSqlModel.tables[possibleTargetResourceName]?.name ??
                     possibleTargetResourceName);
                 if (targetResourceEscaped.includes('$')) {
                     return;
                 }
                 let foundCanAccessLink = false;
                 try {
-                    const odata = memoizedParseOdata(`/${targetResourceEscaped}`);
+                    const odata = (0, uri_parser_1.memoizedParseOdata)(`/${targetResourceEscaped}`);
                     const collapsedPermissionFilters = buildODataPermission(permissionsLookup, methodPermissions.GET, vocabulary, targetResourceEscaped, odata);
                     if (collapsedPermissionFilters == null) {
                         return;
                     }
-                    _.set(odata, ['tree', 'options', '$filter'], collapsedPermissionFilters);
+                    lodash_1.default.set(odata, ['tree', 'options', '$filter'], collapsedPermissionFilters);
                     const canAccessFunction = function (property) {
                         delete property.method;
                         if (!this.defaultResource) {
                             throw new Error(`No resource selected in AST.`);
                         }
                         const targetResourceAST = this.NavigateResources(this.defaultResource, property.name);
-                        const targetResourceName = sqlNameToODataName(targetResourceAST.resource.name);
-                        const currentResourceName = sqlNameToODataName(this.defaultResource.name);
+                        const targetResourceName = (0, odata_to_abstract_sql_1.sqlNameToODataName)(targetResourceAST.resource.name);
+                        const currentResourceName = (0, odata_to_abstract_sql_1.sqlNameToODataName)(this.defaultResource.name);
                         if (currentResourceName === targetResourceEscaped &&
                             targetResourceName === escapedName) {
                             foundCanAccessLink = true;
@@ -540,7 +582,7 @@ const rewriteRelationship = memoizeWeak((value, name, abstractSqlModel, permissi
             }
         }
         if (Array.isArray(object) || typeof object === 'object') {
-            _.forEach(object, (v) => {
+            lodash_1.default.forEach(object, (v) => {
                 if (typeof v !== 'string') {
                     rewrite(v);
                 }
@@ -553,15 +595,15 @@ const rewriteRelationships = (abstractSqlModel, relationships, permissionsLookup
     const originalAbstractSQLModel = sbvrUtils.getAbstractSqlModel({
         vocabulary,
     });
-    const odata2AbstractSQL = memoizedGetOData2AbstractSQL(originalAbstractSQLModel);
-    const newRelationships = _.cloneDeep(relationships);
-    _.forOwn(newRelationships, (value, name) => {
+    const odata2AbstractSQL = (0, uri_parser_1.memoizedGetOData2AbstractSQL)(originalAbstractSQLModel);
+    const newRelationships = lodash_1.default.cloneDeep(relationships);
+    lodash_1.default.forOwn(newRelationships, (value, name) => {
         rewriteRelationship(value, name, abstractSqlModel, permissionsLookup, vocabulary, odata2AbstractSQL);
     });
     return newRelationships;
 };
-const getBoundConstrainedMemoizer = memoizeWeak((abstractSqlModel) => memoizeWeak((permissionsLookup, vocabulary) => {
-    const constrainedAbstractSqlModel = _.cloneDeep(abstractSqlModel);
+const getBoundConstrainedMemoizer = (0, weak_1.default)((abstractSqlModel) => (0, weak_1.default)((permissionsLookup, vocabulary) => {
+    const constrainedAbstractSqlModel = lodash_1.default.cloneDeep(abstractSqlModel);
     const origSynonyms = Object.entries(constrainedAbstractSqlModel.synonyms);
     constrainedAbstractSqlModel.synonyms = new Proxy(constrainedAbstractSqlModel.synonyms, {
         get(synonyms, permissionSynonym, receiver) {
@@ -582,7 +624,7 @@ const getBoundConstrainedMemoizer = memoizeWeak((abstractSqlModel) => memoizeWea
         },
     });
     const origRelationships = Object.keys(constrainedAbstractSqlModel.relationships);
-    _.forEach(constrainedAbstractSqlModel.tables, (table, resourceName) => {
+    lodash_1.default.forEach(constrainedAbstractSqlModel.tables, (table, resourceName) => {
         const bypassResourceName = `${resourceName}$bypass`;
         constrainedAbstractSqlModel.tables[bypassResourceName] = {
             ...table,
@@ -593,7 +635,7 @@ const getBoundConstrainedMemoizer = memoizeWeak((abstractSqlModel) => memoizeWea
             constrainedAbstractSqlModel.tables[bypassResourceName].definition =
                 createBypassDefinition(table.definition);
             const tableDefinition = table.definition;
-            for (const stringifiedPermission of _.uniq(Object.values(stringifiedMethodPermissions))) {
+            for (const stringifiedPermission of lodash_1.default.uniq(Object.values(stringifiedMethodPermissions))) {
                 if (stringifiedPermission === stringifiedMethodPermissions.GET) {
                     continue;
                 }
@@ -630,7 +672,7 @@ const getBoundConstrainedMemoizer = memoizeWeak((abstractSqlModel) => memoizeWea
                 ...table,
             });
             permissionsTable.resourceName = permissionResourceName;
-            onceGetter(permissionsTable, 'definition', () => generateConstrainedAbstractSql(permissionsLookup, permissions, vocabulary, sqlNameToODataName(permissionsTable.modifyName ?? permissionsTable.name)));
+            onceGetter(permissionsTable, 'definition', () => generateConstrainedAbstractSql(permissionsLookup, permissions, vocabulary, (0, odata_to_abstract_sql_1.sqlNameToODataName)(permissionsTable.modifyName ?? permissionsTable.name)));
             return permissionsTable;
         },
     });
@@ -661,10 +703,10 @@ const getBoundConstrainedMemoizer = memoizeWeak((abstractSqlModel) => memoizeWea
     primitive: true,
 }));
 const memoizedGetConstrainedModel = (abstractSqlModel, permissionsLookup, vocabulary) => getBoundConstrainedMemoizer(abstractSqlModel)(permissionsLookup, vocabulary);
-const getCheckPasswordQuery = _.once(() => sbvrUtils.api.Auth.prepare({
+const getCheckPasswordQuery = lodash_1.default.once(() => sbvrUtils.api.Auth.prepare({
     resource: 'user',
     passthrough: {
-        req: rootRead,
+        req: exports.rootRead,
     },
     id: {
         username: { '@': 'username' },
@@ -673,7 +715,7 @@ const getCheckPasswordQuery = _.once(() => sbvrUtils.api.Auth.prepare({
         $select: ['id', 'actor', 'password'],
     },
 }, { username: ['string'] }));
-export const checkPassword = async (username, password) => {
+const checkPassword = async (username, password) => {
     const user = await getCheckPasswordQuery()({
         username,
     });
@@ -685,7 +727,7 @@ export const checkPassword = async (username, password) => {
         throw new Error('Passwords do not match');
     }
     const userId = user.id;
-    const permissions = await getUserPermissions(userId);
+    const permissions = await (0, exports.getUserPermissions)(userId);
     return {
         id: userId,
         actor: user.actor.__id,
@@ -693,11 +735,12 @@ export const checkPassword = async (username, password) => {
         permissions,
     };
 };
+exports.checkPassword = checkPassword;
 const $getUserPermissions = (() => {
-    const getUserPermissionsQuery = _.once(() => sbvrUtils.api.Auth.prepare({
+    const getUserPermissionsQuery = lodash_1.default.once(() => sbvrUtils.api.Auth.prepare({
         resource: 'permission',
         passthrough: {
-            req: rootRead,
+            req: exports.rootRead,
         },
         options: {
             $select: 'name',
@@ -775,7 +818,7 @@ const $getUserPermissions = (() => {
         normalizer: ([userId]) => `${userId}`,
     });
 })();
-export const getUserPermissions = async (userId, tx) => {
+const getUserPermissions = async (userId, tx) => {
     if (typeof userId === 'string') {
         userId = parseInt(userId, 10);
     }
@@ -790,11 +833,12 @@ export const getUserPermissions = async (userId, tx) => {
         throw err;
     }
 };
+exports.getUserPermissions = getUserPermissions;
 const $getApiKeyPermissions = (() => {
-    const getApiKeyPermissionsQuery = _.once(() => sbvrUtils.api.Auth.prepare({
+    const getApiKeyPermissionsQuery = lodash_1.default.once(() => sbvrUtils.api.Auth.prepare({
         resource: 'permission',
         passthrough: {
-            req: rootRead,
+            req: exports.rootRead,
         },
         options: {
             $select: 'name',
@@ -892,7 +936,7 @@ const $getApiKeyPermissions = (() => {
         normalizer: ([apiKey]) => apiKey,
     });
 })();
-export const getApiKeyPermissions = async (apiKey, tx) => {
+const getApiKeyPermissions = async (apiKey, tx) => {
     if (typeof apiKey !== 'string') {
         throw new Error('API key has to be a string, got: ' + typeof apiKey);
     }
@@ -904,11 +948,12 @@ export const getApiKeyPermissions = async (apiKey, tx) => {
         throw err;
     }
 };
+exports.getApiKeyPermissions = getApiKeyPermissions;
 const getApiKeyActorId = (() => {
-    const getApiKeyActorIdQuery = _.once(() => sbvrUtils.api.Auth.prepare({
+    const getApiKeyActorIdQuery = lodash_1.default.once(() => sbvrUtils.api.Auth.prepare({
         resource: 'api_key',
         passthrough: {
-            req: rootRead,
+            req: exports.rootRead,
         },
         id: {
             key: { '@': 'apiKey' },
@@ -923,7 +968,7 @@ const getApiKeyActorId = (() => {
             },
         },
     }, { apiKey: ['string'] }));
-    const apiActorPermissionError = new PermissionError();
+    const apiActorPermissionError = new errors_1.PermissionError();
     return env.createCache('apiKeyActorId', async (apiKey, tx) => {
         const apiKeyResult = await getApiKeyActorIdQuery()({
             apiKey,
@@ -942,8 +987,8 @@ const getApiKeyActorId = (() => {
         normalizer: ([apiKey]) => apiKey,
     });
 })();
-export const checkApiKey = async (apiKey, tx) => {
-    const permissions = await getApiKeyPermissions(apiKey, tx);
+const checkApiKey = async (apiKey, tx) => {
+    const permissions = await (0, exports.getApiKeyPermissions)(apiKey, tx);
     const actor = await getApiKeyActorId(apiKey, tx);
     return {
         key: apiKey,
@@ -951,7 +996,8 @@ export const checkApiKey = async (apiKey, tx) => {
         actor,
     };
 };
-export const resolveAuthHeader = async (req, expectedScheme = 'Bearer', tx) => {
+exports.checkApiKey = checkApiKey;
+const resolveAuthHeader = async (req, expectedScheme = 'Bearer', tx) => {
     const auth = req.header('Authorization');
     if (!auth) {
         return;
@@ -964,19 +1010,20 @@ export const resolveAuthHeader = async (req, expectedScheme = 'Bearer', tx) => {
     if (scheme.toLowerCase() !== expectedScheme.toLowerCase()) {
         return;
     }
-    return await checkApiKey(apiKey, tx);
+    return await (0, exports.checkApiKey)(apiKey, tx);
 };
-export const canAccess = {
+exports.resolveAuthHeader = resolveAuthHeader;
+exports.canAccess = {
     $fn: {
         $scope: 'Auth',
         $method: 'canAccess',
     },
 };
-export const customAuthorizationMiddleware = (expectedScheme = 'Bearer') => {
+const customAuthorizationMiddleware = (expectedScheme = 'Bearer') => {
     expectedScheme = expectedScheme.toLowerCase();
     return async (req, _res, next) => {
         try {
-            const apiKey = await resolveAuthHeader(req, expectedScheme);
+            const apiKey = await (0, exports.resolveAuthHeader)(req, expectedScheme);
             if (apiKey) {
                 req.apiKey = apiKey;
             }
@@ -986,18 +1033,20 @@ export const customAuthorizationMiddleware = (expectedScheme = 'Bearer') => {
         }
     };
 };
-export const authorizationMiddleware = customAuthorizationMiddleware();
-export const resolveApiKey = async (req, paramName = 'apikey', tx) => {
+exports.customAuthorizationMiddleware = customAuthorizationMiddleware;
+exports.authorizationMiddleware = (0, exports.customAuthorizationMiddleware)();
+const resolveApiKey = async (req, paramName = 'apikey', tx) => {
     const apiKey = req.params[paramName] ?? req.body[paramName] ?? req.query[paramName];
     if (apiKey == null) {
         return;
     }
-    return await checkApiKey(apiKey, tx);
+    return await (0, exports.checkApiKey)(apiKey, tx);
 };
-export const customApiKeyMiddleware = (paramName = 'apikey') => {
+exports.resolveApiKey = resolveApiKey;
+const customApiKeyMiddleware = (paramName = 'apikey') => {
     return async (req, _res, next) => {
         try {
-            const apiKey = await resolveApiKey(req, paramName);
+            const apiKey = await (0, exports.resolveApiKey)(req, paramName);
             if (apiKey) {
                 req.apiKey = apiKey;
             }
@@ -1007,14 +1056,16 @@ export const customApiKeyMiddleware = (paramName = 'apikey') => {
         }
     };
 };
-export const apiKeyMiddleware = customApiKeyMiddleware();
-export const checkPermissions = async (req, actionList, resourceName, vocabulary) => {
+exports.customApiKeyMiddleware = customApiKeyMiddleware;
+exports.apiKeyMiddleware = (0, exports.customApiKeyMiddleware)();
+const checkPermissions = async (req, actionList, resourceName, vocabulary) => {
     const permissionsLookup = await getReqPermissions(req);
     return $checkPermissions(permissionsLookup, actionList, vocabulary, resourceName);
 };
-export const checkPermissionsMiddleware = (action) => async (req, res, next) => {
+exports.checkPermissions = checkPermissions;
+const checkPermissionsMiddleware = (action) => async (req, res, next) => {
     try {
-        const allowed = await checkPermissions(req, action);
+        const allowed = await (0, exports.checkPermissions)(req, action);
         switch (allowed) {
             case false:
                 res.status(401).end();
@@ -1031,12 +1082,13 @@ export const checkPermissionsMiddleware = (action) => async (req, res, next) =>
         res.status(503).end();
     }
 };
+exports.checkPermissionsMiddleware = checkPermissionsMiddleware;
 let guestPermissionsInitialized = false;
-const getGuestPermissions = memoize(async () => {
+const getGuestPermissions = (0, memoizee_1.default)(async () => {
     const result = await sbvrUtils.api.Auth.get({
         resource: 'user',
         passthrough: {
-            req: rootRead,
+            req: exports.rootRead,
         },
         id: {
             username: 'guest',
@@ -1048,7 +1100,7 @@ const getGuestPermissions = memoize(async () => {
     if (result == null) {
         throw new Error('No guest user');
     }
-    const guestPermissions = _.uniq(await getUserPermissions(result.id));
+    const guestPermissions = lodash_1.default.uniq(await (0, exports.getUserPermissions)(result.id));
     if (guestPermissions.some((p) => DEFAULT_ACTOR_BIND_REGEX.test(p))) {
         throw new Error('Guest permissions cannot reference actors');
     }
@@ -1058,7 +1110,7 @@ const getGuestPermissions = memoize(async () => {
 const getReqPermissions = async (req, odataBinds = []) => {
     const guestPermissions = await (async () => {
         if (guestPermissionsInitialized === false &&
-            (req.user === root.user || req.user === rootRead.user)) {
+            (req.user === exports.root.user || req.user === exports.rootRead.user)) {
             return [];
         }
         return await getGuestPermissions();
@@ -1076,14 +1128,14 @@ const getReqPermissions = async (req, odataBinds = []) => {
     }
     return getPermissionsLookup(actorPermissions, guestPermissions);
 };
-export const addPermissions = async (req, request) => {
+const addPermissions = async (req, request) => {
     const { resourceName, odataQuery, odataBinds } = request;
-    const vocabulary = _.last(request.translateVersions);
+    const vocabulary = lodash_1.default.last(request.translateVersions);
     let abstractSqlModel = sbvrUtils.getAbstractSqlModel(request);
     let { permissionType } = request;
     if (permissionType == null) {
         const method = request.method.toUpperCase();
-        const isMetadataEndpoint = method === 'OPTIONS' || metadataEndpoints.includes(resourceName);
+        const isMetadataEndpoint = method === 'OPTIONS' || uri_parser_1.metadataEndpoints.includes(resourceName);
         if (isMetadataEndpoint) {
             permissionType = 'model';
         }
@@ -1100,11 +1152,12 @@ export const addPermissions = async (req, request) => {
     }
     const permissionsLookup = await getReqPermissions(req, odataBinds);
     request.abstractSqlModel = abstractSqlModel = memoizedGetConstrainedModel(abstractSqlModel, permissionsLookup, vocabulary);
-    if (!_.isEqual(permissionType, methodPermissions.GET)) {
+    if (!lodash_1.default.isEqual(permissionType, methodPermissions.GET)) {
         const sqlName = sbvrUtils.resolveSynonym(request);
         odataQuery.resource = `${sqlName}$permissions${JSON.stringify(permissionType)}`;
     }
 };
+exports.addPermissions = addPermissions;
 const authModelConfig = {
     apiRoot: 'Auth',
     modelText: userModel,
@@ -1144,14 +1197,14 @@ const authModelConfig = {
 		`,
     },
 };
-export const config = {
+exports.config = {
     models: [authModelConfig],
 };
-export function setup() {
-    addHook('all', 'all', 'all', {
+function setup() {
+    (0, hooks_1.addHook)('all', 'all', 'all', {
         sideEffects: false,
         readOnlyTx: true,
-        PREPARSE: ({ req }) => apiKeyMiddleware(req),
+        PREPARSE: ({ req }) => (0, exports.apiKeyMiddleware)(req),
         POSTPARSE: async ({ req, request, }) => {
             if (request.abstractSqlQuery != null) {
                 return;
@@ -1159,16 +1212,16 @@ export function setup() {
             if (request.method === 'POST' &&
                 request.odataQuery.property?.resource === 'canAccess') {
                 if (request.odataQuery.key == null) {
-                    throw new BadRequestError();
+                    throw new errors_1.BadRequestError();
                 }
                 const { action, method } = request.values;
                 if ((method == null) === (action == null)) {
-                    throw new BadRequestError();
+                    throw new errors_1.BadRequestError();
                 }
                 if (method != null) {
                     const permissions = methodPermissions[method];
                     if (permissions == null) {
-                        throw new BadRequestError();
+                        throw new errors_1.BadRequestError();
                     }
                     request.permissionType = permissions;
                 }
@@ -1193,18 +1246,18 @@ export function setup() {
                 request.method = 'GET';
                 request.custom.isAction = 'canAccess';
             }
-            await addPermissions(req, request);
+            await (0, exports.addPermissions)(req, request);
         },
         PRERESPOND: ({ request, response }) => {
             if (request.custom.isAction === 'canAccess' &&
                 (response.body == null ||
                     typeof response.body === 'string' ||
-                    _.isEmpty(response.body?.d))) {
-                throw new PermissionError();
+                    lodash_1.default.isEmpty(response.body?.d))) {
+                throw new errors_1.PermissionError();
             }
         },
     });
-    addPureHook('POST', 'Auth', 'user', {
+    (0, hooks_1.addPureHook)('POST', 'Auth', 'user', {
         POSTPARSE: async ({ request, api }) => {
             const result = await api.post({
                 resource: 'actor',
@@ -1213,7 +1266,7 @@ export function setup() {
             request.values.actor = result.id;
         },
     });
-    addPureHook('DELETE', 'Auth', 'user', {
+    (0, hooks_1.addPureHook)('DELETE', 'Auth', 'user', {
         POSTRUN: ({ request, api }) => api.delete({
             resource: 'actor',
             id: request.values.actor,