@delmaredigital/payload-better-auth 0.3.6 → 0.3.8

package/dist/utils/access.js

@@ -18,8 +18,7 @@
  *   },
  * }
  * ```
- */
-// ─────────────────────────────────────────────────────────────────────────────
+ */ // ─────────────────────────────────────────────────────────────────────────────
 // Role Checking Utilities
 // ─────────────────────────────────────────────────────────────────────────────
 /**
@@ -32,19 +31,17 @@
  *
  * @param role - The role value from the user object
  * @returns Array of role strings
- */
-export function normalizeRoles(role) {
+ */ export function normalizeRoles(role) {
     if (Array.isArray(role)) {
-        return role.filter((r) => typeof r === 'string');
+        return role.filter((r)=>typeof r === 'string');
     }
     if (typeof role === 'string') {
         if (role.includes(',')) {
-            return role
-                .split(',')
-                .map((r) => r.trim())
-                .filter(Boolean);
+            return role.split(',').map((r)=>r.trim()).filter(Boolean);
         }
-        return role ? [role] : [];
+        return role ? [
+            role
+        ] : [];
     }
     return [];
 }
@@ -61,12 +58,10 @@ export function normalizeRoles(role) {
  * hasAnyRole(user, ['admin']) // true
  * hasAnyRole(user, ['superadmin']) // false
  * ```
- */
-export function hasAnyRole(user, roles) {
-    if (!user?.role)
-        return false;
+ */ export function hasAnyRole(user, roles) {
+    if (!user?.role) return false;
     const userRoles = normalizeRoles(user.role);
-    return userRoles.some((role) => roles.includes(role));
+    return userRoles.some((role)=>roles.includes(role));
 }
 /**
  * Check if a user has all of the specified roles.
@@ -81,12 +76,10 @@ export function hasAnyRole(user, roles) {
  * hasAllRoles(user, ['admin', 'editor']) // true
  * hasAllRoles(user, ['admin', 'superadmin']) // false
  * ```
- */
-export function hasAllRoles(user, roles) {
-    if (!user?.role)
-        return false;
+ */ export function hasAllRoles(user, roles) {
+    if (!user?.role) return false;
     const userRoles = normalizeRoles(user.role);
-    return roles.every((role) => userRoles.includes(role));
+    return roles.every((role)=>userRoles.includes(role));
 }
 // ─────────────────────────────────────────────────────────────────────────────
 // Access Control Functions
@@ -98,10 +91,11 @@ export function hasAllRoles(user, roles) {
  *
  * @param config - Configuration with admin roles
  * @returns Access check function
- */
-export function hasAdminRoles(config = {}) {
-    const { adminRoles = ['admin'] } = config;
-    return ({ req }) => {
+ */ export function hasAdminRoles(config = {}) {
+    const { adminRoles = [
+        'admin'
+    ] } = config;
+    return ({ req })=>{
         return hasAnyRole(req.user, adminRoles);
     };
 }
@@ -117,11 +111,12 @@ export function hasAdminRoles(config = {}) {
  *   delete: isAdmin({ adminRoles: ['admin', 'superadmin'] }),
  * }
  * ```
- */
-export function isAdmin(config = {}) {
+ */ export function isAdmin(config = {}) {
     const checkAdmin = hasAdminRoles(config);
-    return ({ req }) => {
-        return checkAdmin({ req });
+    return ({ req })=>{
+        return checkAdmin({
+            req
+        });
     };
 }
 /**
@@ -142,11 +137,12 @@ export function isAdmin(config = {}) {
  *   },
  * ]
  * ```
- */
-export function isAdminField(config = {}) {
+ */ export function isAdminField(config = {}) {
     const checkAdmin = hasAdminRoles(config);
-    return ({ req }) => {
-        return checkAdmin({ req });
+    return ({ req })=>{
+        return checkAdmin({
+            req
+        });
     };
 }
 /**
@@ -165,22 +161,25 @@ export function isAdminField(config = {}) {
  *   update: isAdminOrSelf({ adminRoles: ['admin'] }),
  * }
  * ```
- */
-export function isAdminOrSelf(config = {}) {
-    const { adminRoles = ['admin'], idField = 'id' } = config;
-    const checkAdmin = hasAdminRoles({ adminRoles });
-    return ({ req }) => {
+ */ export function isAdminOrSelf(config = {}) {
+    const { adminRoles = [
+        'admin'
+    ], idField = 'id' } = config;
+    const checkAdmin = hasAdminRoles({
+        adminRoles
+    });
+    return ({ req })=>{
         // Admins can access everything
-        if (checkAdmin({ req }))
-            return true;
+        if (checkAdmin({
+            req
+        })) return true;
         // Non-authenticated users have no access
-        if (!req.user)
-            return false;
+        if (!req.user) return false;
         // Restrict to own record
         return {
             [idField]: {
-                equals: req.user.id,
-            },
+                equals: req.user.id
+            }
         };
     };
 }
@@ -206,51 +205,53 @@ export function isAdminOrSelf(config = {}) {
  *   }),
  * }
  * ```
- */
-export function canUpdateOwnFields(config = {}) {
-    const { adminRoles = ['admin'], allowedFields = ['name'], idField = 'id', userSlug = 'users', } = config;
-    const checkAdmin = hasAdminRoles({ adminRoles });
-    return async ({ req, id, data }) => {
+ */ export function canUpdateOwnFields(config = {}) {
+    const { adminRoles = [
+        'admin'
+    ], allowedFields = [
+        'name'
+    ], idField = 'id', userSlug = 'users' } = config;
+    const checkAdmin = hasAdminRoles({
+        adminRoles
+    });
+    return async ({ req, id, data })=>{
         // Admins can update everything
-        if (checkAdmin({ req }))
-            return true;
+        if (checkAdmin({
+            req
+        })) return true;
         // Must be authenticated
-        if (!req.user)
-            return false;
+        if (!req.user) return false;
         // Must be updating own record
         const userId = req.user[idField];
-        if (userId !== id || !data)
-            return false;
+        if (userId !== id || !data) return false;
         const dataKeys = Object.keys(data);
-        const effectiveAllowed = [...allowedFields];
+        const effectiveAllowed = [
+            ...allowedFields
+        ];
         // Handle password changes specially
         const hasCurrentPassword = dataKeys.includes('currentPassword');
         const hasPassword = dataKeys.includes('password');
         if (hasPassword || hasCurrentPassword) {
             // Both must be provided for password change
-            if (!(hasCurrentPassword && hasPassword))
-                return false;
+            if (!(hasCurrentPassword && hasPassword)) return false;
             try {
                 // Verify current password
-                if (!req.user.email)
-                    return false;
+                if (!req.user.email) return false;
                 const result = await req.payload.login({
                     collection: userSlug,
                     data: {
                         email: req.user.email,
-                        password: data.currentPassword,
-                    },
+                        password: data.currentPassword
+                    }
                 });
-                if (!result)
-                    return false;
+                if (!result) return false;
                 effectiveAllowed.push('password', 'currentPassword');
-            }
-            catch {
+            } catch  {
                 return false;
             }
         }
         // Check all fields are allowed
-        const hasDisallowed = dataKeys.some((key) => !effectiveAllowed.includes(key));
+        const hasDisallowed = dataKeys.some((key)=>!effectiveAllowed.includes(key));
         return !hasDisallowed;
     };
 }
@@ -268,9 +269,8 @@ export function canUpdateOwnFields(config = {}) {
  *   read: isAuthenticated(),
  * }
  * ```
- */
-export function isAuthenticated() {
-    return ({ req }) => {
+ */ export function isAuthenticated() {
+    return ({ req })=>{
         return !!req.user;
     };
 }
@@ -278,9 +278,8 @@ export function isAuthenticated() {
  * Field access control: Allow any authenticated user.
  *
  * @returns Payload field access function
- */
-export function isAuthenticatedField() {
-    return ({ req }) => {
+ */ export function isAuthenticatedField() {
+    return ({ req })=>{
         return !!req.user;
     };
 }
@@ -300,9 +299,8 @@ export function isAuthenticatedField() {
  *   update: hasRole(['admin', 'editor']),
  * }
  * ```
- */
-export function hasRole(roles) {
-    return ({ req }) => {
+ */ export function hasRole(roles) {
+    return ({ req })=>{
         return hasAnyRole(req.user, roles);
     };
 }
@@ -311,9 +309,8 @@ export function hasRole(roles) {
  *
  * @param roles - Roles that have access
  * @returns Payload field access function
- */
-export function hasRoleField(roles) {
-    return ({ req }) => {
+ */ export function hasRoleField(roles) {
+    return ({ req })=>{
         return hasAnyRole(req.user, roles);
     };
 }
@@ -329,10 +326,10 @@ export function hasRoleField(roles) {
  *   delete: requireAllRoles(['admin', 'verified']),
  * }
  * ```
- */
-export function requireAllRoles(roles) {
-    return ({ req }) => {
+ */ export function requireAllRoles(roles) {
+    return ({ req })=>{
         return hasAllRoles(req.user, roles);
     };
 }
+
 //# sourceMappingURL=access.js.map

package/dist/utils/access.js.map

@@ -1 +1 @@
-{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/utils/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAqCH,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI;iBACR,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAA;QACpB,CAAC;QACD,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC3B,CAAC;IAED,OAAO,EAAE,CAAA;AACX,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CACxB,IAA2C,EAC3C,KAAe;IAEf,IAAI,CAAC,IAAI,EAAE,IAAI;QAAE,OAAO,KAAK,CAAA;IAC7B,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,WAAW,CACzB,IAA2C,EAC3C,KAAe;IAEf,IAAI,CAAC,IAAI,EAAE,IAAI;QAAE,OAAO,KAAK,CAAA;IAC7B,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC3C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAA;AACxD,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAC3B,SAA0B,EAAE;IAE5B,MAAM,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,EAAE,GAAG,MAAM,CAAA;IAEzC,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,UAAU,CAAC,GAAG,CAAC,IAAiC,EAAE,UAAU,CAAC,CAAA;IACtE,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,OAAO,CAAC,SAA0B,EAAE;IAClD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IAExC,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,YAAY,CAAC,SAA0B,EAAE;IACvD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;IAExC,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,aAAa,CAAC,SAA2B,EAAE;IACzD,MAAM,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,EAAE,GAAG,MAAM,CAAA;IACzD,MAAM,UAAU,GAAG,aAAa,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;IAEhD,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,+BAA+B;QAC/B,IAAI,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;YAAE,OAAO,IAAI,CAAA;QAEpC,yCAAyC;QACzC,IAAI,CAAC,GAAG,CAAC,IAAI;YAAE,OAAO,KAAK,CAAA;QAE3B,yBAAyB;QACzB,OAAO;YACL,CAAC,OAAO,CAAC,EAAE;gBACT,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE;aACpB;SACF,CAAA;IACH,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAA4B,EAAE;IAC/D,MAAM,EACJ,UAAU,GAAG,CAAC,OAAO,CAAC,EACtB,aAAa,GAAG,CAAC,MAAM,CAAC,EACxB,OAAO,GAAG,IAAI,EACd,QAAQ,GAAG,OAAO,GACnB,GAAG,MAAM,CAAA;IACV,MAAM,UAAU,GAAG,aAAa,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;IAEhD,OAAO,KAAK,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjC,+BAA+B;QAC/B,IAAI,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;YAAE,OAAO,IAAI,CAAA;QAEpC,wBAAwB;QACxB,IAAI,CAAC,GAAG,CAAC,IAAI;YAAE,OAAO,KAAK,CAAA;QAE3B,8BAA8B;QAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAChC,IAAI,MAAM,KAAK,EAAE,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAA;QAExC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClC,MAAM,gBAAgB,GAAG,CAAC,GAAG,aAAa,CAAC,CAAA;QAE3C,oCAAoC;QACpC,MAAM,kBAAkB,GAAG,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAA;QAC/D,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;QAEjD,IAAI,WAAW,IAAI,kBAAkB,EAAE,CAAC;YACtC,4CAA4C;YAC5C,IAAI,CAAC,CAAC,kBAAkB,IAAI,WAAW,CAAC;gBAAE,OAAO,KAAK,CAAA;YAEtD,IAAI,CAAC;gBACH,0BAA0B;gBAC1B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK;oBAAE,OAAO,KAAK,CAAA;gBAEjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC;oBACrC,UAAU,EAAE,QAAQ;oBACpB,IAAI,EAAE;wBACJ,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAe;wBAC/B,QAAQ,EAAE,IAAI,CAAC,eAAyB;qBACzC;iBACF,CAAC,CAAA;gBAEF,IAAI,CAAC,MAAM;oBAAE,OAAO,KAAK,CAAA;gBAEzB,gBAAgB,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAA;YACtD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;QAC7E,OAAO,CAAC,aAAa,CAAA;IACvB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnB,CAAC,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;IACnB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,OAAO,CAAC,KAAe;IACrC,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,UAAU,CAAC,GAAG,CAAC,IAAiC,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,KAAe;IAC1C,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,UAAU,CAAC,GAAG,CAAC,IAAiC,EAAE,KAAK,CAAC,CAAA;IACjE,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,eAAe,CAAC,KAAe;IAC7C,OAAO,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;QACjB,OAAO,WAAW,CAAC,GAAG,CAAC,IAAiC,EAAE,KAAK,CAAC,CAAA;IAClE,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"sources":["../../src/utils/access.ts"],"sourcesContent":["/**\n * Access control utilities for Payload collections.\n *\n * These helpers simplify common access control patterns when using\n * Better Auth with Payload CMS. They handle role checking, self-access\n * patterns, and field-level permissions.\n *\n * @example\n * ```ts\n * import { isAdmin, isAdminOrSelf } from '@delmaredigital/payload-better-auth'\n *\n * export const Users: CollectionConfig = {\n *   slug: 'users',\n *   access: {\n *     read: isAdminOrSelf({ adminRoles: ['admin', 'editor'] }),\n *     update: isAdminOrSelf({ adminRoles: ['admin'] }),\n *     delete: isAdmin({ adminRoles: ['admin'] }),\n *   },\n * }\n * ```\n */\n\nimport type { Access, FieldAccess, PayloadRequest } from 'payload'\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Types\n// ─────────────────────────────────────────────────────────────────────────────\n\nexport type RoleCheckConfig = {\n  /**\n   * Roles considered admin roles.\n   * @default ['admin']\n   */\n  adminRoles?: string[]\n}\n\nexport type SelfAccessConfig = RoleCheckConfig & {\n  /**\n   * The field to use for user ID comparison.\n   * @default 'id'\n   */\n  idField?: string\n}\n\nexport type FieldUpdateConfig = SelfAccessConfig & {\n  /**\n   * Fields the user is allowed to update on their own record.\n   * Password is handled specially and requires currentPassword.\n   * @default ['name']\n   */\n  allowedFields?: string[]\n  /**\n   * The user collection slug for password verification.\n   */\n  userSlug?: string\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Role Checking Utilities\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Normalize a user's role to an array.\n *\n * Handles various role formats:\n * - Array of roles\n * - Comma-separated string\n * - Single role string\n *\n * @param role - The role value from the user object\n * @returns Array of role strings\n */\nexport function normalizeRoles(role: unknown): string[] {\n  if (Array.isArray(role)) {\n    return role.filter((r): r is string => typeof r === 'string')\n  }\n\n  if (typeof role === 'string') {\n    if (role.includes(',')) {\n      return role\n        .split(',')\n        .map((r) => r.trim())\n        .filter(Boolean)\n    }\n    return role ? [role] : []\n  }\n\n  return []\n}\n\n/**\n * Check if a user has any of the specified roles.\n *\n * @param user - The user object\n * @param roles - Roles to check for\n * @returns True if user has at least one matching role\n *\n * @example\n * ```ts\n * const user = { role: ['admin', 'editor'] }\n * hasAnyRole(user, ['admin']) // true\n * hasAnyRole(user, ['superadmin']) // false\n * ```\n */\nexport function hasAnyRole(\n  user: { role?: unknown } | null | undefined,\n  roles: string[]\n): boolean {\n  if (!user?.role) return false\n  const userRoles = normalizeRoles(user.role)\n  return userRoles.some((role) => roles.includes(role))\n}\n\n/**\n * Check if a user has all of the specified roles.\n *\n * @param user - The user object\n * @param roles - Roles to check for\n * @returns True if user has all matching roles\n *\n * @example\n * ```ts\n * const user = { role: ['admin', 'editor'] }\n * hasAllRoles(user, ['admin', 'editor']) // true\n * hasAllRoles(user, ['admin', 'superadmin']) // false\n * ```\n */\nexport function hasAllRoles(\n  user: { role?: unknown } | null | undefined,\n  roles: string[]\n): boolean {\n  if (!user?.role) return false\n  const userRoles = normalizeRoles(user.role)\n  return roles.every((role) => userRoles.includes(role))\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Access Control Functions\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Check if the current request user has admin roles.\n *\n * Use this as a reusable check within access functions.\n *\n * @param config - Configuration with admin roles\n * @returns Access check function\n */\nexport function hasAdminRoles(\n  config: RoleCheckConfig = {}\n): (args: { req: PayloadRequest }) => boolean {\n  const { adminRoles = ['admin'] } = config\n\n  return ({ req }) => {\n    return hasAnyRole(req.user as { role?: unknown } | null, adminRoles)\n  }\n}\n\n/**\n * Access control: Only allow users with admin roles.\n *\n * @param config - Configuration with admin roles\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   delete: isAdmin({ adminRoles: ['admin', 'superadmin'] }),\n * }\n * ```\n */\nexport function isAdmin(config: RoleCheckConfig = {}): Access {\n  const checkAdmin = hasAdminRoles(config)\n\n  return ({ req }) => {\n    return checkAdmin({ req })\n  }\n}\n\n/**\n * Field access control: Only allow users with admin roles.\n *\n * @param config - Configuration with admin roles\n * @returns Payload field access function\n *\n * @example\n * ```ts\n * fields: [\n *   {\n *     name: 'role',\n *     type: 'select',\n *     access: {\n *       update: isAdminField({ adminRoles: ['admin'] }),\n *     },\n *   },\n * ]\n * ```\n */\nexport function isAdminField(config: RoleCheckConfig = {}): FieldAccess {\n  const checkAdmin = hasAdminRoles(config)\n\n  return ({ req }) => {\n    return checkAdmin({ req })\n  }\n}\n\n/**\n * Access control: Allow admin OR the user accessing their own record.\n *\n * Returns a query constraint for non-admin users to limit access\n * to their own records only.\n *\n * @param config - Configuration with admin roles and ID field\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   read: isAdminOrSelf({ adminRoles: ['admin'] }),\n *   update: isAdminOrSelf({ adminRoles: ['admin'] }),\n * }\n * ```\n */\nexport function isAdminOrSelf(config: SelfAccessConfig = {}): Access {\n  const { adminRoles = ['admin'], idField = 'id' } = config\n  const checkAdmin = hasAdminRoles({ adminRoles })\n\n  return ({ req }) => {\n    // Admins can access everything\n    if (checkAdmin({ req })) return true\n\n    // Non-authenticated users have no access\n    if (!req.user) return false\n\n    // Restrict to own record\n    return {\n      [idField]: {\n        equals: req.user.id,\n      },\n    }\n  }\n}\n\n/**\n * Access control: Allow admin OR user updating allowed fields on own record.\n *\n * This is useful for allowing users to update specific fields (like name)\n * on their own profile while preventing them from changing sensitive fields\n * like role.\n *\n * Password changes require `currentPassword` to be provided and validated.\n *\n * @param config - Configuration with admin roles, allowed fields, and user slug\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   update: canUpdateOwnFields({\n *     adminRoles: ['admin'],\n *     allowedFields: ['name', 'image'],\n *     userSlug: 'users',\n *   }),\n * }\n * ```\n */\nexport function canUpdateOwnFields(config: FieldUpdateConfig = {}): Access {\n  const {\n    adminRoles = ['admin'],\n    allowedFields = ['name'],\n    idField = 'id',\n    userSlug = 'users',\n  } = config\n  const checkAdmin = hasAdminRoles({ adminRoles })\n\n  return async ({ req, id, data }) => {\n    // Admins can update everything\n    if (checkAdmin({ req })) return true\n\n    // Must be authenticated\n    if (!req.user) return false\n\n    // Must be updating own record\n    const userId = req.user[idField]\n    if (userId !== id || !data) return false\n\n    const dataKeys = Object.keys(data)\n    const effectiveAllowed = [...allowedFields]\n\n    // Handle password changes specially\n    const hasCurrentPassword = dataKeys.includes('currentPassword')\n    const hasPassword = dataKeys.includes('password')\n\n    if (hasPassword || hasCurrentPassword) {\n      // Both must be provided for password change\n      if (!(hasCurrentPassword && hasPassword)) return false\n\n      try {\n        // Verify current password\n        if (!req.user.email) return false\n\n        const result = await req.payload.login({\n          collection: userSlug,\n          data: {\n            email: req.user.email as string,\n            password: data.currentPassword as string,\n          },\n        })\n\n        if (!result) return false\n\n        effectiveAllowed.push('password', 'currentPassword')\n      } catch {\n        return false\n      }\n    }\n\n    // Check all fields are allowed\n    const hasDisallowed = dataKeys.some((key) => !effectiveAllowed.includes(key))\n    return !hasDisallowed\n  }\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Authenticated Access\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Access control: Allow any authenticated user.\n *\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   read: isAuthenticated(),\n * }\n * ```\n */\nexport function isAuthenticated(): Access {\n  return ({ req }) => {\n    return !!req.user\n  }\n}\n\n/**\n * Field access control: Allow any authenticated user.\n *\n * @returns Payload field access function\n */\nexport function isAuthenticatedField(): FieldAccess {\n  return ({ req }) => {\n    return !!req.user\n  }\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Role-Based Access\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Access control: Allow users with any of the specified roles.\n *\n * @param roles - Roles that have access\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   read: hasRole(['admin', 'editor', 'viewer']),\n *   update: hasRole(['admin', 'editor']),\n * }\n * ```\n */\nexport function hasRole(roles: string[]): Access {\n  return ({ req }) => {\n    return hasAnyRole(req.user as { role?: unknown } | null, roles)\n  }\n}\n\n/**\n * Field access control: Allow users with any of the specified roles.\n *\n * @param roles - Roles that have access\n * @returns Payload field access function\n */\nexport function hasRoleField(roles: string[]): FieldAccess {\n  return ({ req }) => {\n    return hasAnyRole(req.user as { role?: unknown } | null, roles)\n  }\n}\n\n/**\n * Access control: Allow users with all of the specified roles.\n *\n * @param roles - All roles required for access\n * @returns Payload access function\n *\n * @example\n * ```ts\n * access: {\n *   delete: requireAllRoles(['admin', 'verified']),\n * }\n * ```\n */\nexport function requireAllRoles(roles: string[]): Access {\n  return ({ req }) => {\n    return hasAllRoles(req.user as { role?: unknown } | null, roles)\n  }\n}\n"],"names":["normalizeRoles","role","Array","isArray","filter","r","includes","split","map","trim","Boolean","hasAnyRole","user","roles","userRoles","some","hasAllRoles","every","hasAdminRoles","config","adminRoles","req","isAdmin","checkAdmin","isAdminField","isAdminOrSelf","idField","equals","id","canUpdateOwnFields","allowedFields","userSlug","data","userId","dataKeys","Object","keys","effectiveAllowed","hasCurrentPassword","hasPassword","email","result","payload","login","collection","password","currentPassword","push","hasDisallowed","key","isAuthenticated","isAuthenticatedField","hasRole","hasRoleField","requireAllRoles"],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;CAoBC,GAqCD,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;CAUC,GACD,OAAO,SAASA,eAAeC,IAAa;IAC1C,IAAIC,MAAMC,OAAO,CAACF,OAAO;QACvB,OAAOA,KAAKG,MAAM,CAAC,CAACC,IAAmB,OAAOA,MAAM;IACtD;IAEA,IAAI,OAAOJ,SAAS,UAAU;QAC5B,IAAIA,KAAKK,QAAQ,CAAC,MAAM;YACtB,OAAOL,KACJM,KAAK,CAAC,KACNC,GAAG,CAAC,CAACH,IAAMA,EAAEI,IAAI,IACjBL,MAAM,CAACM;QACZ;QACA,OAAOT,OAAO;YAACA;SAAK,GAAG,EAAE;IAC3B;IAEA,OAAO,EAAE;AACX;AAEA;;;;;;;;;;;;;CAaC,GACD,OAAO,SAASU,WACdC,IAA2C,EAC3CC,KAAe;IAEf,IAAI,CAACD,MAAMX,MAAM,OAAO;IACxB,MAAMa,YAAYd,eAAeY,KAAKX,IAAI;IAC1C,OAAOa,UAAUC,IAAI,CAAC,CAACd,OAASY,MAAMP,QAAQ,CAACL;AACjD;AAEA;;;;;;;;;;;;;CAaC,GACD,OAAO,SAASe,YACdJ,IAA2C,EAC3CC,KAAe;IAEf,IAAI,CAACD,MAAMX,MAAM,OAAO;IACxB,MAAMa,YAAYd,eAAeY,KAAKX,IAAI;IAC1C,OAAOY,MAAMI,KAAK,CAAC,CAAChB,OAASa,UAAUR,QAAQ,CAACL;AAClD;AAEA,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;CAOC,GACD,OAAO,SAASiB,cACdC,SAA0B,CAAC,CAAC;IAE5B,MAAM,EAAEC,aAAa;QAAC;KAAQ,EAAE,GAAGD;IAEnC,OAAO,CAAC,EAAEE,GAAG,EAAE;QACb,OAAOV,WAAWU,IAAIT,IAAI,EAA+BQ;IAC3D;AACF;AAEA;;;;;;;;;;;;CAYC,GACD,OAAO,SAASE,QAAQH,SAA0B,CAAC,CAAC;IAClD,MAAMI,aAAaL,cAAcC;IAEjC,OAAO,CAAC,EAAEE,GAAG,EAAE;QACb,OAAOE,WAAW;YAAEF;QAAI;IAC1B;AACF;AAEA;;;;;;;;;;;;;;;;;;CAkBC,GACD,OAAO,SAASG,aAAaL,SAA0B,CAAC,CAAC;IACvD,MAAMI,aAAaL,cAAcC;IAEjC,OAAO,CAAC,EAAEE,GAAG,EAAE;QACb,OAAOE,WAAW;YAAEF;QAAI;IAC1B;AACF;AAEA;;;;;;;;;;;;;;;;CAgBC,GACD,OAAO,SAASI,cAAcN,SAA2B,CAAC,CAAC;IACzD,MAAM,EAAEC,aAAa;QAAC;KAAQ,EAAEM,UAAU,IAAI,EAAE,GAAGP;IACnD,MAAMI,aAAaL,cAAc;QAAEE;IAAW;IAE9C,OAAO,CAAC,EAAEC,GAAG,EAAE;QACb,+BAA+B;QAC/B,IAAIE,WAAW;YAAEF;QAAI,IAAI,OAAO;QAEhC,yCAAyC;QACzC,IAAI,CAACA,IAAIT,IAAI,EAAE,OAAO;QAEtB,yBAAyB;QACzB,OAAO;YACL,CAACc,QAAQ,EAAE;gBACTC,QAAQN,IAAIT,IAAI,CAACgB,EAAE;YACrB;QACF;IACF;AACF;AAEA;;;;;;;;;;;;;;;;;;;;;;CAsBC,GACD,OAAO,SAASC,mBAAmBV,SAA4B,CAAC,CAAC;IAC/D,MAAM,EACJC,aAAa;QAAC;KAAQ,EACtBU,gBAAgB;QAAC;KAAO,EACxBJ,UAAU,IAAI,EACdK,WAAW,OAAO,EACnB,GAAGZ;IACJ,MAAMI,aAAaL,cAAc;QAAEE;IAAW;IAE9C,OAAO,OAAO,EAAEC,GAAG,EAAEO,EAAE,EAAEI,IAAI,EAAE;QAC7B,+BAA+B;QAC/B,IAAIT,WAAW;YAAEF;QAAI,IAAI,OAAO;QAEhC,wBAAwB;QACxB,IAAI,CAACA,IAAIT,IAAI,EAAE,OAAO;QAEtB,8BAA8B;QAC9B,MAAMqB,SAASZ,IAAIT,IAAI,CAACc,QAAQ;QAChC,IAAIO,WAAWL,MAAM,CAACI,MAAM,OAAO;QAEnC,MAAME,WAAWC,OAAOC,IAAI,CAACJ;QAC7B,MAAMK,mBAAmB;eAAIP;SAAc;QAE3C,oCAAoC;QACpC,MAAMQ,qBAAqBJ,SAAS5B,QAAQ,CAAC;QAC7C,MAAMiC,cAAcL,SAAS5B,QAAQ,CAAC;QAEtC,IAAIiC,eAAeD,oBAAoB;YACrC,4CAA4C;YAC5C,IAAI,CAAEA,CAAAA,sBAAsBC,WAAU,GAAI,OAAO;YAEjD,IAAI;gBACF,0BAA0B;gBAC1B,IAAI,CAAClB,IAAIT,IAAI,CAAC4B,KAAK,EAAE,OAAO;gBAE5B,MAAMC,SAAS,MAAMpB,IAAIqB,OAAO,CAACC,KAAK,CAAC;oBACrCC,YAAYb;oBACZC,MAAM;wBACJQ,OAAOnB,IAAIT,IAAI,CAAC4B,KAAK;wBACrBK,UAAUb,KAAKc,eAAe;oBAChC;gBACF;gBAEA,IAAI,CAACL,QAAQ,OAAO;gBAEpBJ,iBAAiBU,IAAI,CAAC,YAAY;YACpC,EAAE,OAAM;gBACN,OAAO;YACT;QACF;QAEA,+BAA+B;QAC/B,MAAMC,gBAAgBd,SAASnB,IAAI,CAAC,CAACkC,MAAQ,CAACZ,iBAAiB/B,QAAQ,CAAC2C;QACxE,OAAO,CAACD;IACV;AACF;AAEA,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;CAWC,GACD,OAAO,SAASE;IACd,OAAO,CAAC,EAAE7B,GAAG,EAAE;QACb,OAAO,CAAC,CAACA,IAAIT,IAAI;IACnB;AACF;AAEA;;;;CAIC,GACD,OAAO,SAASuC;IACd,OAAO,CAAC,EAAE9B,GAAG,EAAE;QACb,OAAO,CAAC,CAACA,IAAIT,IAAI;IACnB;AACF;AAEA,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;;;;;;;;;;CAaC,GACD,OAAO,SAASwC,QAAQvC,KAAe;IACrC,OAAO,CAAC,EAAEQ,GAAG,EAAE;QACb,OAAOV,WAAWU,IAAIT,IAAI,EAA+BC;IAC3D;AACF;AAEA;;;;;CAKC,GACD,OAAO,SAASwC,aAAaxC,KAAe;IAC1C,OAAO,CAAC,EAAEQ,GAAG,EAAE;QACb,OAAOV,WAAWU,IAAIT,IAAI,EAA+BC;IAC3D;AACF;AAEA;;;;;;;;;;;;CAYC,GACD,OAAO,SAASyC,gBAAgBzC,KAAe;IAC7C,OAAO,CAAC,EAAEQ,GAAG,EAAE;QACb,OAAOL,YAAYK,IAAIT,IAAI,EAA+BC;IAC5D;AACF"}

package/dist/utils/apiKeyAccess.js

@@ -19,18 +19,15 @@
  *   },
  * }
  * ```
- */
-// ─────────────────────────────────────────────────────────────────────────────
+ */ // ─────────────────────────────────────────────────────────────────────────────
 // Helpers
 // ─────────────────────────────────────────────────────────────────────────────
 /**
  * Extract API key from request headers.
  * Supports Bearer token format: Authorization: Bearer <api-key>
- */
-export function extractApiKeyFromRequest(req) {
+ */ export function extractApiKeyFromRequest(req) {
     const authHeader = req.headers?.get('authorization');
-    if (!authHeader)
-        return null;
+    if (!authHeader) return null;
     // Support "Bearer <key>" format
     if (authHeader.startsWith('Bearer ')) {
         return authHeader.slice(7).trim();
@@ -41,31 +38,38 @@ export function extractApiKeyFromRequest(req) {
 /**
  * Look up API key info from the database.
  * Returns null if key not found or disabled.
- */
-export async function getApiKeyInfo(req, apiKey, apiKeysCollection = 'apiKeys') {
+ */ export async function getApiKeyInfo(req, apiKey, apiKeysCollection = 'apiKeys') {
     try {
         // Try the provided collection name first
         let results = await req.payload.find({
             collection: apiKeysCollection,
             where: {
-                key: { equals: apiKey },
-                enabled: { not_equals: false },
+                key: {
+                    equals: apiKey
+                },
+                enabled: {
+                    not_equals: false
+                }
             },
             limit: 1,
-            depth: 0,
-        }).catch(() => null);
+            depth: 0
+        }).catch(()=>null);
         // If not found, try alternative slug
         if (!results || results.docs.length === 0) {
             const altSlug = apiKeysCollection === 'apiKeys' ? 'api-keys' : 'apiKeys';
             results = await req.payload.find({
                 collection: altSlug,
                 where: {
-                    key: { equals: apiKey },
-                    enabled: { not_equals: false },
+                    key: {
+                        equals: apiKey
+                    },
+                    enabled: {
+                        not_equals: false
+                    }
                 },
                 limit: 1,
-                depth: 0,
-            }).catch(() => null);
+                depth: 0
+            }).catch(()=>null);
         }
         if (!results || results.docs.length === 0) {
             return null;
@@ -78,29 +82,24 @@ export async function getApiKeyInfo(req, apiKey, apiKeysCollection = 'apiKeys')
                 const parsed = JSON.parse(doc.permissions);
                 if (Array.isArray(parsed)) {
                     scopes = parsed;
-                }
-                else if (typeof parsed === 'object') {
+                } else if (typeof parsed === 'object') {
                     // If it's an object, extract keys or flatten
                     scopes = Object.keys(parsed);
                 }
-            }
-            catch {
+            } catch  {
                 // If not JSON, treat as comma-separated
-                scopes = doc.permissions.split(',').map((s) => s.trim()).filter(Boolean);
+                scopes = doc.permissions.split(',').map((s)=>s.trim()).filter(Boolean);
             }
-        }
-        else if (Array.isArray(doc.scopes)) {
+        } else if (Array.isArray(doc.scopes)) {
             scopes = doc.scopes;
         }
         // Get user ID (handle both direct field and relationship)
         let userId;
         if (doc.userId) {
             userId = String(doc.userId);
-        }
-        else if (doc.user) {
+        } else if (doc.user) {
             userId = typeof doc.user === 'object' ? String(doc.user.id) : String(doc.user);
-        }
-        else {
+        } else {
             return null;
         }
         // Parse metadata
@@ -109,12 +108,10 @@ export async function getApiKeyInfo(req, apiKey, apiKeysCollection = 'apiKeys')
             if (typeof doc.metadata === 'string') {
                 try {
                     metadata = JSON.parse(doc.metadata);
+                } catch  {
+                // Ignore parse errors
                 }
-                catch {
-                    // Ignore parse errors
-                }
-            }
-            else {
+            } else {
                 metadata = doc.metadata;
             }
         }
@@ -123,44 +120,39 @@ export async function getApiKeyInfo(req, apiKey, apiKeysCollection = 'apiKeys')
             userId,
             scopes,
             keyPrefix: doc.start,
-            metadata,
+            metadata
         };
-    }
-    catch {
+    } catch  {
         return null;
     }
 }
 /**
  * Check if an API key has a specific scope.
  * Supports wildcard patterns like 'posts:*' matching 'posts:read', 'posts:write', etc.
- */
-export function hasScope(keyScopes, requiredScope) {
-    return keyScopes.some((scope) => {
+ */ export function hasScope(keyScopes, requiredScope) {
+    return keyScopes.some((scope)=>{
         // Exact match
-        if (scope === requiredScope)
-            return true;
+        if (scope === requiredScope) return true;
         // Wildcard match: 'posts:*' matches 'posts:read'
         if (scope.endsWith(':*')) {
-            const prefix = scope.slice(0, -1); // Remove '*', keep ':'
+            const prefix = scope.slice(0, -1) // Remove '*', keep ':'
+            ;
             return requiredScope.startsWith(prefix);
         }
         // Global wildcard
-        if (scope === '*')
-            return true;
+        if (scope === '*') return true;
         return false;
     });
 }
 /**
  * Check if an API key has any of the specified scopes.
- */
-export function hasAnyScope(keyScopes, requiredScopes) {
-    return requiredScopes.some((scope) => hasScope(keyScopes, scope));
+ */ export function hasAnyScope(keyScopes, requiredScopes) {
+    return requiredScopes.some((scope)=>hasScope(keyScopes, scope));
 }
 /**
  * Check if an API key has all of the specified scopes.
- */
-export function hasAllScopes(keyScopes, requiredScopes) {
-    return requiredScopes.every((scope) => hasScope(keyScopes, scope));
+ */ export function hasAllScopes(keyScopes, requiredScopes) {
+    return requiredScopes.every((scope)=>hasScope(keyScopes, scope));
 }
 // ─────────────────────────────────────────────────────────────────────────────
 // Access Control Functions
@@ -179,15 +171,15 @@ export function hasAllScopes(keyScopes, requiredScopes) {
  *   create: requireScope('posts:write'),
  * }
  * ```
- */
-export function requireScope(scope, config = {}) {
-    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest, } = config;
-    return async ({ req }) => {
+ */ export function requireScope(scope, config = {}) {
+    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest } = config;
+    return async ({ req })=>{
         // If authenticated users are allowed and user is logged in without API key
         if (allowAuthenticatedUsers && req.user) {
             const apiKey = extractApiKey(req);
             if (!apiKey) {
-                return true; // User authenticated via session, no API key = allow
+                return true // User authenticated via session, no API key = allow
+                ;
             }
         }
         // Extract API key from request
@@ -217,10 +209,9 @@ export function requireScope(scope, config = {}) {
  *   read: requireAnyScope(['posts:read', 'content:read', 'admin:*']),
  * }
  * ```
- */
-export function requireAnyScope(scopes, config = {}) {
-    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest, } = config;
-    return async ({ req }) => {
+ */ export function requireAnyScope(scopes, config = {}) {
+    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest } = config;
+    return async ({ req })=>{
         // If authenticated users are allowed and user is logged in without API key
         if (allowAuthenticatedUsers && req.user) {
             const apiKey = extractApiKey(req);
@@ -252,10 +243,9 @@ export function requireAnyScope(scopes, config = {}) {
  *   delete: requireAllScopes(['posts:delete', 'admin:write']),
  * }
  * ```
- */
-export function requireAllScopes(scopes, config = {}) {
-    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest, } = config;
-    return async ({ req }) => {
+ */ export function requireAllScopes(scopes, config = {}) {
+    const { apiKeysCollection = 'apiKeys', allowAuthenticatedUsers = false, extractApiKey = extractApiKeyFromRequest } = config;
+    return async ({ req })=>{
         // If authenticated users are allowed and user is logged in without API key
         if (allowAuthenticatedUsers && req.user) {
             const apiKey = extractApiKey(req);
@@ -291,9 +281,11 @@ export function requireAllScopes(scopes, config = {}) {
  *   read: allowSessionOrScope('posts:read'),
  * }
  * ```
- */
-export function allowSessionOrScope(scope, config = {}) {
-    return requireScope(scope, { ...config, allowAuthenticatedUsers: true });
+ */ export function allowSessionOrScope(scope, config = {}) {
+    return requireScope(scope, {
+        ...config,
+        allowAuthenticatedUsers: true
+    });
 }
 /**
  * Create an access control function that allows either:
@@ -303,9 +295,11 @@ export function allowSessionOrScope(scope, config = {}) {
  * @param scopes - Array of acceptable scopes for API key access
  * @param config - Configuration options
  * @returns Payload access function
- */
-export function allowSessionOrAnyScope(scopes, config = {}) {
-    return requireAnyScope(scopes, { ...config, allowAuthenticatedUsers: true });
+ */ export function allowSessionOrAnyScope(scopes, config = {}) {
+    return requireAnyScope(scopes, {
+        ...config,
+        allowAuthenticatedUsers: true
+    });
 }
 // ─────────────────────────────────────────────────────────────────────────────
 // Better Auth Integration
@@ -328,11 +322,10 @@ export function allowSessionOrAnyScope(scopes, config = {}) {
  *   console.log('Scopes:', keyInfo.scopes)
  * }
  * ```
- */
-export async function validateApiKey(req, apiKeysCollection = 'apiKeys') {
+ */ export async function validateApiKey(req, apiKeysCollection = 'apiKeys') {
     const apiKey = extractApiKeyFromRequest(req);
-    if (!apiKey)
-        return null;
+    if (!apiKey) return null;
     return getApiKeyInfo(req, apiKey, apiKeysCollection);
 }
+
 //# sourceMappingURL=apiKeyAccess.js.map