@clairejs/server 3.25.0 → 3.25.2

package/README.md

@@ -1,7 +1,8 @@
 ## Change Log
 
-#### 3.25.0
+#### 3.25.2
 
+-   add AbstractRbacAuthorizer
 -   add other security access condition classes
 
 #### 3.24.0

package/dist/common/request/endpoint-metadata.d.ts

@@ -5,6 +5,7 @@ import { AbstractAccessCondition } from "../../http/security/abstract-access-con
 export interface EndpointMetadata extends ApiInfo, ObjectFieldMetadata {
     controller: any;
     accessConditionCls?: Constructor<AbstractAccessCondition<any>>[];
+    accessConditionInstances?: AbstractAccessCondition<any>[];
     params?: {
         [index: number]: {
             source?: RequestDataSource;

package/dist/http/auth/AbstractRbacAuthorizer.d.ts

@@ -0,0 +1,22 @@
+import { HttpRequest } from "../common/HttpRequest";
+import { EndpointMetadata } from "../../common/request/endpoint-metadata";
+import { AbstractRequestAuthorizer } from "./AbstractHttpAuthorizer";
+interface UserPrincipal {
+    principalId: string;
+    tfa?: boolean;
+}
+interface PermissionDetailResponse {
+    isSuperUser?: boolean;
+    permissions?: {
+        conditions?: {
+            conditionName: string;
+            conditionValue: string;
+        }[];
+    }[];
+}
+export declare abstract class AbstractRbacAuthorizer extends AbstractRequestAuthorizer {
+    abstract getPermissionDetail(principal: string, endpoint: string): Promise<PermissionDetailResponse>;
+    abstract getUserFromRequest(req: HttpRequest): Promise<UserPrincipal>;
+    authorize(req: HttpRequest, endpoint: EndpointMetadata): Promise<void>;
+}
+export {};

package/dist/http/auth/AbstractRbacAuthorizer.js

@@ -0,0 +1,59 @@
+import { Errors } from "@clairejs/core";
+import { AbstractRequestAuthorizer } from "./AbstractHttpAuthorizer";
+export class AbstractRbacAuthorizer extends AbstractRequestAuthorizer {
+    async authorize(req, endpoint) {
+        if (endpoint.publicAccess) {
+            return;
+        }
+        const user = await this.getUserFromRequest(req);
+        if (endpoint.tfaRequired && !user.tfa) {
+            throw Errors.TFA_REQUIRED();
+        }
+        const detail = await this.getPermissionDetail(user.principalId, endpoint.id);
+        if (detail.isSuperUser) {
+            return;
+        }
+        if (!detail.permissions?.length) {
+            throw Errors.ACCESS_DENIED();
+        }
+        let passed = false;
+        let failedCondition = "";
+        for (const permission of detail.permissions) {
+            if (!permission.conditions?.length) {
+                passed = true;
+            }
+            else {
+                let allConditionCheckPassed = true;
+                for (const condition of permission.conditions) {
+                    const matchedCondition = endpoint.accessConditionInstances?.find((c) => c.getConditionMetadata().name === condition.conditionName);
+                    if (!matchedCondition) {
+                        //-- condition not found, skip
+                        continue;
+                    }
+                    try {
+                        const requestedConditionValue = await matchedCondition.resolveConditionValue(req);
+                        const permittedConditionValue = JSON.parse(condition.conditionValue);
+                        allConditionCheckPassed = await matchedCondition.validate(requestedConditionValue, permittedConditionValue);
+                    }
+                    catch (err) {
+                        //-- this condition does not passed, skip
+                        allConditionCheckPassed = false;
+                    }
+                    if (!allConditionCheckPassed) {
+                        //-- at least one condition not satisfied, stop condition checking
+                        failedCondition = condition.conditionName;
+                        break;
+                    }
+                }
+                passed = allConditionCheckPassed;
+            }
+            if (passed) {
+                //-- at least one permission and conditions suit checked passed
+                break;
+            }
+        }
+        if (!passed) {
+            throw Errors.ACCESS_DENIED(`Condition check failed: ${failedCondition}`);
+        }
+    }
+}

package/dist/http/controller/AbstractHttpRequestHandler.js

@@ -53,7 +53,8 @@ export class AbstractHttpRequestHandler {
                     this.logger?.warn(`Implicit overriding endpoint: ${overridingEndpoint.method}:${overridingEndpoint.mount} of ${overridingEndpoint.controller?.constructor.name}:${overridingEndpoint.name}`, `Ignore ${endpointInfo.method}:${endpointInfo.mount} of ${endpointInfo.controller?.constructor.name}:${endpointInfo.name}`);
                 }
                 else {
-                    endpointInfo.accessConditions = endpointInfo.accessConditionCls?.map((cls) => injector.resolve(cls).getConditionMetadata());
+                    endpointInfo.accessConditionInstances = endpointInfo.accessConditionCls?.map((cls) => injector.resolve(cls));
+                    endpointInfo.accessConditions = endpointInfo.accessConditionInstances?.map((instance) => instance.getConditionMetadata());
                     mountedEndpointInfo.push(endpointInfo);
                 }
             }

package/dist/http/utils.js

@@ -11,7 +11,7 @@ export const getApiInfo = async () => {
         socketManager ? socketManager.getMountedEndpointInfo() : Promise.resolve([]),
     ]);
     const result = {
-        apis: [...httpInfo, ...socketInfo].map(({ controller, params, injecteeSuperClass, accessConditionCls, ...api }) => api),
+        apis: [...httpInfo, ...socketInfo].map(({ controller, params, injecteeSuperClass, accessConditionCls, accessConditionInstances, ...api }) => api),
     };
     await injector.initInstances();
     return result;

package/dist/index.d.ts

@@ -5,6 +5,7 @@ export * from "./common/request/endpoint-metadata";
 export * from "./common/request/RequestOptions";
 export * from "./common/ControllerMetadata";
 export * from "./common/decorator";
+export * from "./http/common/dto";
 export * from "./http/common/HttpResponse";
 export * from "./http/decorators";
 export * from "./http/common/HttpRequest";
@@ -22,6 +23,7 @@ export * from "./http/security/abstract-access-condition";
 export * from "./http/security/access-condition-metadata";
 export * from "./http/security/access-condition-value-type";
 export * from "./http/auth/AbstractHttpAuthorizer";
+export * from "./http/auth/AbstractRbacAuthorizer";
 export * from "./http/repository/ModelRepository";
 export * from "./http/repository/DtoRepository";
 export * from "./http/repository/ICrudRepository";

package/dist/index.js

@@ -7,6 +7,7 @@ export * from "./common/request/RequestOptions";
 export * from "./common/ControllerMetadata";
 export * from "./common/decorator";
 //-- http & security
+export * from "./http/common/dto";
 export * from "./http/common/HttpResponse";
 export * from "./http/decorators";
 export * from "./http/common/HttpRequest";
@@ -24,6 +25,7 @@ export * from "./http/security/abstract-access-condition";
 export * from "./http/security/access-condition-metadata";
 export * from "./http/security/access-condition-value-type";
 export * from "./http/auth/AbstractHttpAuthorizer";
+export * from "./http/auth/AbstractRbacAuthorizer";
 export * from "./http/repository/ModelRepository";
 export * from "./http/repository/DtoRepository";
 export * from "./http/repository/ICrudRepository";

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@clairejs/server",
-    "version": "3.25.0",
+    "version": "3.25.2",
     "description": "Claire server NodeJs framework written in Typescript.",
     "types": "dist/index.d.ts",
     "main": "dist/index.js",