@develit-services/rbac 0.0.1 → 0.1.0
- package/dist/database/schema.d.cts +1 -1
- package/dist/database/schema.d.mts +1 -1
- package/dist/database/schema.d.ts +1 -1
- package/dist/database/schema.mjs +1 -1
- package/dist/export/worker.cjs +28 -11
- package/dist/export/worker.d.cts +16 -6
- package/dist/export/worker.d.mts +16 -6
- package/dist/export/worker.d.ts +16 -6
- package/dist/export/worker.mjs +29 -12
- package/dist/export/wrangler.d.cts +0 -1
- package/dist/export/wrangler.d.mts +0 -1
- package/dist/export/wrangler.d.ts +0 -1
- package/dist/shared/rbac.CnJxCt2K.cjs +159 -0
- package/dist/shared/{rbac.BmuK3PNh.d.cts → rbac.CqpxM3E5.d.cts} +57 -57
- package/dist/shared/{rbac.BmuK3PNh.d.mts → rbac.CqpxM3E5.d.mts} +57 -57
- package/dist/shared/{rbac.BmuK3PNh.d.ts → rbac.CqpxM3E5.d.ts} +57 -57
- package/dist/shared/{rbac.CJLU5iuV.mjs → rbac.D5OV7UPA.mjs} +1 -1
- package/dist/shared/rbac.Dtso4lIl.d.mts +236 -0
- package/dist/shared/rbac.Du34seOj.d.cts +236 -0
- package/dist/shared/rbac.NtS5ARz0.mjs +143 -0
- package/dist/shared/rbac.UWPYxd4e.d.ts +236 -0
- package/dist/{@types.cjs → types.cjs} +1 -3
- package/dist/{@types.d.cts → types.d.cts} +2 -2
- package/dist/{@types.d.mts → types.d.mts} +2 -2
- package/dist/{@types.d.ts → types.d.ts} +2 -2
- package/dist/types.mjs +2 -0
- package/package.json +12 -15
- package/dist/@types.mjs +0 -2
- package/dist/shared/rbac.2EhZ2epo.cjs +0 -363
- package/dist/shared/rbac.C9brkvW9.mjs +0 -344
- package/dist/shared/rbac.CHxy3VJb.d.ts +0 -1034
- package/dist/shared/rbac.CaoDccv4.d.cts +0 -1034
- package/dist/shared/rbac.DH5084jg.d.mts +0 -1034
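--- a/package/dist/database/schema.d.cts
+++ b/package/dist/database/schema.d.cts
@@ -1,2 +1,2 @@
-export {
+export { a as role, r as roleScope, u as userRole, b as userScope } from '../shared/rbac.CqpxM3E5.cjs';
 import 'drizzle-orm/sqlite-core';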
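--- a/package/dist/database/schema.d.mts
+++ b/package/dist/database/schema.d.mts
@@ -1,2 +1,2 @@
-export {
+export { a as role, r as roleScope, u as userRole, b as userScope } from '../shared/rbac.CqpxM3E5.mjs';
 import 'drizzle-orm/sqlite-core';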
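--- a/package/dist/database/schema.d.ts
+++ b/package/dist/database/schema.d.ts
@@ -1,2 +1,2 @@
-export {
+export { a as role, r as roleScope, u as userRole, b as userScope } from '../shared/rbac.CqpxM3E5.js';
 import 'drizzle-orm/sqlite-core';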
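--- a/package/dist/database/schema.mjs
+++ b/package/dist/database/schema.mjs
@@ -1,3 +1,3 @@
-export {
+export { a as role, r as roleScope, u as userRole, b as userScope } from '../shared/rbac.D5OV7UPA.mjs';
 import '@develit-io/backend-sdk';
 import 'drizzle-orm/sqlite-core';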
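--- a/package/dist/export/worker.cjs
+++ b/package/dist/export/worker.cjs
@@ -2,12 +2,12 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-const cloudflare_workers = require('cloudflare:workers');
 const backendSdk = require('@develit-io/backend-sdk');
-const verifyScope = require('../shared/rbac.2EhZ2epo.cjs');
 const database_schema = require('../shared/rbac.Cra1T2nC.cjs');
 const drizzleOrm = require('drizzle-orm');
+const verifyScope = require('../shared/rbac.CnJxCt2K.cjs');
 const zod = require('zod');
+const cloudflare_workers = require('cloudflare:workers');
 const d1 = require('drizzle-orm/d1');
 require('drizzle-orm/sqlite-core');
 
@@ -301,7 +301,7 @@ function extractResourcesFromPath(scope, resourcePath) {
 const inputGetValueByKeySchema = zod.z.object({
 type: zod.z.string().nonempty("Type parameter cannot be empty"),
 path: zod.z.string().nonempty("Path parameter cannot be empty"),
-jwt:
+jwt: zod.z.unknown()
 });
 const parseJson = (data) => {
 try {
@@ -369,12 +369,20 @@ var __decorateClass = (decorators, target, key, kind) => {
 if (kind && result) __defProp(target, key, result);
 return result;
 };
-let RbacServiceBase = class extends backendSdk.develitWorker(
-
-) {
-constructor(ctx, env) {
+let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.WorkerEntrypoint) {
+constructor(ctx, env, scopes) {
 super(ctx, env);
 this.db = d1.drizzle(this.env.RBAC_D1, { schema: tables });
+this.SCOPES = scopes;
+}
+validateScope(scope) {
+if (!this.SCOPES.some((s) => s.value === scope)) {
+throw backendSdk.createInternalError(null, {
+message: `Invalid scope: ${scope}. Available scopes: ${this.SCOPES.map((s) => s.value).join(", ")}`,
+status: 400,
+code: "INVALID_SCOPE"
+});
+}
 }
 async createRole(input) {
 return this.handleAction(
@@ -471,6 +479,7 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { data: input, schema: verifyScope.grantScopeToUserInputSchema },
 { successMessage: "Scope successfully granted to user." },
 async ({ userId, scope, resourceId }) => {
+this.validateScope(scope);
 const userScope = await getScopesByUserQuery({ db: this.db, userId });
 if (userScope.some((s) => s.scope === scope)) {
 throw backendSdk.createInternalError(null, {
@@ -495,6 +504,7 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { successMessage: "Scopes successfully granted to user." },
 async ({ userId, scopes }) => {
 for (const scope of scopes) {
+this.validateScope(scope.scope);
 const userScopes = await getScopesByUserQuery({ db: this.db, userId });
 if (userScopes.some((s) => s.scope === scope.scope)) {
 throw backendSdk.createInternalError(null, {
@@ -518,6 +528,7 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { data: input, schema: verifyScope.revokeScopeFromUserInputSchema },
 { successMessage: "Scope successfully revoked from user." },
 async ({ userId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await revokeScopeFromUserCommand({
 db: this.db,
 userId,
@@ -534,6 +545,7 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { data: input, schema: verifyScope.grantScopeToRoleInputSchema },
 { successMessage: "Scope successfully granted to role." },
 async ({ roleId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await grantScopeToRoleCommand({
 db: this.db,
 scope,
@@ -550,6 +562,7 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { data: input, schema: verifyScope.revokeScopeFromRoleInputSchema },
 { successMessage: "Scope successfully revoked from role." },
 async ({ roleId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await revokeScopeFromRoleCommand({
 db: this.db,
 roleId,
@@ -587,8 +600,9 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 return {
 roles,
 rolesCount: roles.length,
-scopes: [...
-
+scopes: [...this.SCOPES.map((s) => s.value)],
+labeledScopes: this.SCOPES,
+scopesCount: [...this.SCOPES].length,
 roleScopes,
 roleScopesCount: roleScopes.length
 };
@@ -637,6 +651,9 @@ let RbacServiceBase = class extends backendSdk.develitWorker(
 { data: input, schema: verifyScope.verifyAccessInputSchema },
 { successMessage: "Access verification completed." },
 async ({ userId, accessRequests, jwt }) => {
+for (const request of accessRequests) {
+this.validateScope(request.scope);
+}
 const userPermissionsResponse = await this.getUserPermissions({
 userId
 });
@@ -762,10 +779,10 @@ __decorateClass([
 RbacServiceBase = __decorateClass([
 backendSdk.service("rbac")
 ], RbacServiceBase);
-function defineRbacService() {
+function defineRbacService(config = { scopes: [] }) {
 return class RbacService extends RbacServiceBase {
 constructor(ctx, env) {
-super(ctx, env);
+super(ctx, env, config.scopes);
 }
 };
 }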
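Review bot: `defineRbacService(config = { scopes: [] })` only applies its default when `config` is omitted entirely, so `defineRbacService({})` hands `undefined` to `super(ctx, env, config.scopes)` and the first `this.SCOPES.some(...)` in `validateScope` (or `this.SCOPES.map(...)` in `getPermissions`) fails with a TypeError instead of the intended `INVALID_SCOPE` response; destructuring with a default covers both cases: `function defineRbacService({ scopes = [] } = {}) {` and `super(ctx, env, scopes);`. The same pattern is in the ESM build at package/dist/export/worker.mjs. Separately, in the `grantScopesToUser` handler the new `this.validateScope(scope.scope)` runs inside `for (const scope of scopes)`, after earlier iterations have presumably already persisted their grant (the write is outside the hunk), so one invalid entry rejects the request only after a partial grant; validating every entry before the loop, `for (const s of scopes) this.validateScope(s.scope);`, keeps the action all-or-nothing. The loop body and the surrounding handler continue outside the hunk.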
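--- a/package/dist/export/worker.d.cts
+++ b/package/dist/export/worker.d.cts
@@ -1,17 +1,19 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
+import { L as LabeledScope, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.Du34seOj.cjs';
 import { WorkerEntrypoint } from 'cloudflare:workers';
-import { t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CaoDccv4.cjs';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
 import 'drizzle-orm';
-import '../shared/rbac.
+import '../shared/rbac.CqpxM3E5.cjs';
 import 'drizzle-orm/sqlite-core';
 
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
-declare class RbacServiceBase extends RbacServiceBase_base {
+declare class RbacServiceBase<TScopes extends readonly LabeledScope[] = LabeledScope[]> extends RbacServiceBase_base {
 readonly db: DrizzleD1Database<typeof tables>;
-
+readonly SCOPES: TScopes;
+constructor(ctx: ExecutionContext, env: RbacEnv, scopes: TScopes);
+private validateScope;
 createRole(input: CreateRoleInput): Promise<IRPCResponse<CreateRoleOutput>>;
 assignRoleToUser(input: AssignRoleToUserInput): Promise<IRPCResponse<AssignRoleToUserOutput>>;
 assignRolesToUser(input: AssignRolesToUserInput): Promise<IRPCResponse<AssignRolesToUserOutput>>;
@@ -23,11 +25,19 @@ declare class RbacServiceBase extends RbacServiceBase_base {
 revokeScopeFromRole(input: RevokeScopeFromRoleInput): Promise<IRPCResponse<RevokeScopeFromRoleOutput>>;
 getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
 getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
-verifyAccess(input: VerifyAccessInput
+verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
+accessRequests: Array<{
+scope: TScopes[number]['value'];
+resourceId?: string;
+resourcePath?: string;
+}>;
+}): Promise<IRPCResponse<VerifyAccessOutput>>;
 deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
 updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
-declare function defineRbacService
+declare function defineRbacService<const TScopes extends readonly LabeledScope[]>(config?: {
+scopes: TScopes;
+}): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
 declare const _default: new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv>;
 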
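Review bot: `private validateScope;` promises an encapsulation the emitted JavaScript does not provide: TypeScript `private` is erased at runtime, and in package/dist/export/worker.cjs the method is an ordinary public method on a class whose base is `WorkerEntrypoint`, so the service binding can presumably invoke it directly like any other method. That is harmless today because it only throws or returns `undefined`, but the declaration should match reality; a `#validateScope` field, or a module-level helper that takes the scope list, would make the declared privacy true. The same declaration appears in package/dist/export/worker.d.mts and package/dist/export/worker.d.ts.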
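--- a/package/dist/export/worker.d.mts
+++ b/package/dist/export/worker.d.mts
@@ -1,17 +1,19 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
+import { L as LabeledScope, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.Dtso4lIl.mjs';
 import { WorkerEntrypoint } from 'cloudflare:workers';
-import { t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DH5084jg.mjs';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
 import 'drizzle-orm';
-import '../shared/rbac.
+import '../shared/rbac.CqpxM3E5.mjs';
 import 'drizzle-orm/sqlite-core';
 
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
-declare class RbacServiceBase extends RbacServiceBase_base {
+declare class RbacServiceBase<TScopes extends readonly LabeledScope[] = LabeledScope[]> extends RbacServiceBase_base {
 readonly db: DrizzleD1Database<typeof tables>;
-
+readonly SCOPES: TScopes;
+constructor(ctx: ExecutionContext, env: RbacEnv, scopes: TScopes);
+private validateScope;
 createRole(input: CreateRoleInput): Promise<IRPCResponse<CreateRoleOutput>>;
 assignRoleToUser(input: AssignRoleToUserInput): Promise<IRPCResponse<AssignRoleToUserOutput>>;
 assignRolesToUser(input: AssignRolesToUserInput): Promise<IRPCResponse<AssignRolesToUserOutput>>;
@@ -23,11 +25,19 @@ declare class RbacServiceBase extends RbacServiceBase_base {
 revokeScopeFromRole(input: RevokeScopeFromRoleInput): Promise<IRPCResponse<RevokeScopeFromRoleOutput>>;
 getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
 getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
-verifyAccess(input: VerifyAccessInput
+verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
+accessRequests: Array<{
+scope: TScopes[number]['value'];
+resourceId?: string;
+resourcePath?: string;
+}>;
+}): Promise<IRPCResponse<VerifyAccessOutput>>;
 deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
 updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
-declare function defineRbacService
+declare function defineRbacService<const TScopes extends readonly LabeledScope[]>(config?: {
+scopes: TScopes;
+}): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
 declare const _default: new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv>;
 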
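--- a/package/dist/export/worker.d.ts
+++ b/package/dist/export/worker.d.ts
@@ -1,17 +1,19 @@
 import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
 import { IRPCResponse } from '@develit-io/backend-sdk';
+import { L as LabeledScope, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.UWPYxd4e.js';
 import { WorkerEntrypoint } from 'cloudflare:workers';
-import { t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CHxy3VJb.js';
 import { DrizzleD1Database } from 'drizzle-orm/d1';
 import 'zod';
 import 'drizzle-orm';
-import '../shared/rbac.
+import '../shared/rbac.CqpxM3E5.js';
 import 'drizzle-orm/sqlite-core';
 
 declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
-declare class RbacServiceBase extends RbacServiceBase_base {
+declare class RbacServiceBase<TScopes extends readonly LabeledScope[] = LabeledScope[]> extends RbacServiceBase_base {
 readonly db: DrizzleD1Database<typeof tables>;
-
+readonly SCOPES: TScopes;
+constructor(ctx: ExecutionContext, env: RbacEnv, scopes: TScopes);
+private validateScope;
 createRole(input: CreateRoleInput): Promise<IRPCResponse<CreateRoleOutput>>;
 assignRoleToUser(input: AssignRoleToUserInput): Promise<IRPCResponse<AssignRoleToUserOutput>>;
 assignRolesToUser(input: AssignRolesToUserInput): Promise<IRPCResponse<AssignRolesToUserOutput>>;
@@ -23,11 +25,19 @@ declare class RbacServiceBase extends RbacServiceBase_base {
 revokeScopeFromRole(input: RevokeScopeFromRoleInput): Promise<IRPCResponse<RevokeScopeFromRoleOutput>>;
 getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
 getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
-verifyAccess(input: VerifyAccessInput
+verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
+accessRequests: Array<{
+scope: TScopes[number]['value'];
+resourceId?: string;
+resourcePath?: string;
+}>;
+}): Promise<IRPCResponse<VerifyAccessOutput>>;
 deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
 updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
 }
-declare function defineRbacService
+declare function defineRbacService<const TScopes extends readonly LabeledScope[]>(config?: {
+scopes: TScopes;
+}): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
 
 declare const _default: new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv>;
 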
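--- a/package/dist/export/worker.mjs
+++ b/package/dist/export/worker.mjs
@@ -1,9 +1,9 @@
-import { WorkerEntrypoint } from 'cloudflare:workers';
 import { uuidv4, first, createInternalError, develitWorker, action, service } from '@develit-io/backend-sdk';
-import {
-import { s as schema } from '../shared/rbac.CJLU5iuV.mjs';
+import { s as schema } from '../shared/rbac.D5OV7UPA.mjs';
 import { eq, and, count, inArray } from 'drizzle-orm';
+import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema } from '../shared/rbac.NtS5ARz0.mjs';
 import { z } from 'zod';
+import { WorkerEntrypoint } from 'cloudflare:workers';
 import { drizzle } from 'drizzle-orm/d1';
 import 'drizzle-orm/sqlite-core';
 
@@ -297,7 +297,7 @@ function extractResourcesFromPath(scope, resourcePath) {
 const inputGetValueByKeySchema = z.object({
 type: z.string().nonempty("Type parameter cannot be empty"),
 path: z.string().nonempty("Path parameter cannot be empty"),
-jwt:
+jwt: z.unknown()
 });
 const parseJson = (data) => {
 try {
@@ -365,12 +365,20 @@ var __decorateClass = (decorators, target, key, kind) => {
 if (kind && result) __defProp(target, key, result);
 return result;
 };
-let RbacServiceBase = class extends develitWorker(
-
-) {
-constructor(ctx, env) {
+let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
+constructor(ctx, env, scopes) {
 super(ctx, env);
 this.db = drizzle(this.env.RBAC_D1, { schema: tables });
+this.SCOPES = scopes;
+}
+validateScope(scope) {
+if (!this.SCOPES.some((s) => s.value === scope)) {
+throw createInternalError(null, {
+message: `Invalid scope: ${scope}. Available scopes: ${this.SCOPES.map((s) => s.value).join(", ")}`,
+status: 400,
+code: "INVALID_SCOPE"
+});
+}
 }
 async createRole(input) {
 return this.handleAction(
@@ -467,6 +475,7 @@ let RbacServiceBase = class extends develitWorker(
 { data: input, schema: grantScopeToUserInputSchema },
 { successMessage: "Scope successfully granted to user." },
 async ({ userId, scope, resourceId }) => {
+this.validateScope(scope);
 const userScope = await getScopesByUserQuery({ db: this.db, userId });
 if (userScope.some((s) => s.scope === scope)) {
 throw createInternalError(null, {
@@ -491,6 +500,7 @@ let RbacServiceBase = class extends develitWorker(
 { successMessage: "Scopes successfully granted to user." },
 async ({ userId, scopes }) => {
 for (const scope of scopes) {
+this.validateScope(scope.scope);
 const userScopes = await getScopesByUserQuery({ db: this.db, userId });
 if (userScopes.some((s) => s.scope === scope.scope)) {
 throw createInternalError(null, {
@@ -514,6 +524,7 @@ let RbacServiceBase = class extends develitWorker(
 { data: input, schema: revokeScopeFromUserInputSchema },
 { successMessage: "Scope successfully revoked from user." },
 async ({ userId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await revokeScopeFromUserCommand({
 db: this.db,
 userId,
@@ -530,6 +541,7 @@ let RbacServiceBase = class extends develitWorker(
 { data: input, schema: grantScopeToRoleInputSchema },
 { successMessage: "Scope successfully granted to role." },
 async ({ roleId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await grantScopeToRoleCommand({
 db: this.db,
 scope,
@@ -546,6 +558,7 @@ let RbacServiceBase = class extends develitWorker(
 { data: input, schema: revokeScopeFromRoleInputSchema },
 { successMessage: "Scope successfully revoked from role." },
 async ({ roleId, scope, resourceId }) => {
+this.validateScope(scope);
 const { command } = await revokeScopeFromRoleCommand({
 db: this.db,
 roleId,
@@ -583,8 +596,9 @@ let RbacServiceBase = class extends develitWorker(
 return {
 roles,
 rolesCount: roles.length,
-scopes: [...SCOPES],
-
+scopes: [...this.SCOPES.map((s) => s.value)],
+labeledScopes: this.SCOPES,
+scopesCount: [...this.SCOPES].length,
 roleScopes,
 roleScopesCount: roleScopes.length
 };
@@ -633,6 +647,9 @@ let RbacServiceBase = class extends develitWorker(
 { data: input, schema: verifyAccessInputSchema },
 { successMessage: "Access verification completed." },
 async ({ userId, accessRequests, jwt }) => {
+for (const request of accessRequests) {
+this.validateScope(request.scope);
+}
 const userPermissionsResponse = await this.getUserPermissions({
 userId
 });
@@ -758,10 +775,10 @@ __decorateClass([
 RbacServiceBase = __decorateClass([
 service("rbac")
 ], RbacServiceBase);
-function defineRbacService() {
+function defineRbacService(config = { scopes: [] }) {
 return class RbacService extends RbacServiceBase {
 constructor(ctx, env) {
-super(ctx, env);
+super(ctx, env, config.scopes);
 }
 };
 }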
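--- /dev/null
+++ b/package/dist/shared/rbac.CnJxCt2K.cjs
@@ -0,0 +1,159 @@
+'use strict';
+
+const zod = require('zod');
+
+const assignRoleToUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+roleId: zod.z.uuid()
+});
+
+const assignRolesToUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+roles: zod.z.array(zod.z.uuid())
+});
+
+const createRoleInputSchema = zod.z.object({
+name: zod.z.string()
+});
+
+const deleteRoleInputSchema = zod.z.object({
+id: zod.z.uuid()
+});
+
+const getUserPermissionsInputSchema = zod.z.object({
+userId: zod.z.uuid()
+});
+
+const grantScopeToRoleInputSchema = zod.z.object({
+roleId: zod.z.uuid(),
+scope: zod.z.string(),
+resourceId: zod.z.string().optional()
+});
+
+const grantScopeToUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+scope: zod.z.string(),
+resourceId: zod.z.string().optional()
+});
+
+const grantScopesToUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+scopes: zod.z.array(
+zod.z.object({
+scope: zod.z.string(),
+resourceId: zod.z.string().optional()
+})
+)
+});
+
+const revokeRoleFromUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+roleId: zod.z.uuid()
+});
+
+const revokeScopeFromRoleInputSchema = zod.z.object({
+roleId: zod.z.uuid(),
+scope: zod.z.string(),
+resourceId: zod.z.string().optional()
+});
+
+const revokeScopeFromUserInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+scope: zod.z.string(),
+resourceId: zod.z.string().optional()
+});
+
+const updateRoleInputSchema = zod.z.object({
+id: zod.z.uuid(),
+name: zod.z.string()
+});
+
+const userDataSchema = zod.z.object({
+referenceId: zod.z.string(),
+email: zod.z.string().optional(),
+role: zod.z.string().optional()
+});
+const jwtPayloadSchema = zod.z.object({
+sub: zod.z.string(),
+user: zod.z.object({
+id: zod.z.uuid(),
+createdAt: zod.z.date().nullable(),
+updatedAt: zod.z.date().nullable(),
+deletedAt: zod.z.date().nullable(),
+role: zod.z.string(),
+email: zod.z.email(),
+rawAppMetaData: zod.z.any(),
+rawUserMetaData: zod.z.any(),
+isSuperAdmin: zod.z.boolean().default(false),
+isSsoUser: zod.z.boolean().default(false),
+lastSignInAt: zod.z.date().nullable().optional(),
+emailConfirmedAt: zod.z.date().nullable().optional(),
+confirmationSentAt: zod.z.date().nullable().optional(),
+recoverySentAt: zod.z.date().nullable().optional(),
+emailChangeToken: zod.z.string().nullable().optional(),
+emailChangeSentAt: zod.z.date().nullable().optional(),
+isBanned: zod.z.boolean().default(false).nullable().optional()
+}),
+iat: zod.z.number(),
+exp: zod.z.number(),
+userData: userDataSchema.optional()
+});
+
+const accessRequestSchema = zod.z.object({
+scope: zod.z.string(),
+// 'exchange-offices.{jwt.exchangeOfficeId}.read'
+resourceId: zod.z.string().optional(),
+// '123'
+resourcePath: zod.z.string().optional()
+// 'exchange-offices.333.read' - only needed for scopes with placeholders
+});
+const verifyAccessInputSchema = zod.z.object({
+userId: zod.z.uuid(),
+accessRequests: zod.z.array(accessRequestSchema),
+jwt: jwtPayloadSchema.extend({
+createdAt: zod.z.coerce.date().nullable().optional(),
+updatedAt: zod.z.coerce.date().nullable().optional(),
+deletedAt: zod.z.coerce.date().nullable().optional(),
+lastSignInAt: zod.z.coerce.date().nullable().optional(),
+emailConfirmedAt: zod.z.coerce.date().nullable().optional(),
+confirmationSentAt: zod.z.coerce.date().nullable().optional(),
+recoverySentAt: zod.z.coerce.date().nullable().optional(),
+emailChangeSentAt: zod.z.coerce.date().nullable().optional(),
+user: jwtPayloadSchema.shape.user.extend({
+createdAt: zod.z.coerce.date().nullable().optional(),
+updatedAt: zod.z.coerce.date().nullable().optional(),
+lastSignInAt: zod.z.coerce.date().nullable().optional(),
+emailConfirmedAt: zod.z.coerce.date().nullable().optional()
+})
+}).optional()
+});
+
+const verifyScopeInputSchema = zod.z.object({
+scopes: zod.z.array(zod.z.string()),
+resourceId: zod.z.string().optional(),
+jwt: zod.z.object({
+sub: zod.z.uuid(),
+rbac: zod.z.object({
+roles: zod.z.array(zod.z.string()).optional()
+})
+})
+});
+const verifyScopeOutputSchema = zod.z.object({
+isVerified: zod.z.boolean().default(false)
+});
+
+exports.assignRoleToUserInputSchema = assignRoleToUserInputSchema;
+exports.assignRolesToUserInputSchema = assignRolesToUserInputSchema;
+exports.createRoleInputSchema = createRoleInputSchema;
+exports.deleteRoleInputSchema = deleteRoleInputSchema;
+exports.getUserPermissionsInputSchema = getUserPermissionsInputSchema;
+exports.grantScopeToRoleInputSchema = grantScopeToRoleInputSchema;
+exports.grantScopeToUserInputSchema = grantScopeToUserInputSchema;
+exports.grantScopesToUserInputSchema = grantScopesToUserInputSchema;
+exports.revokeRoleFromUserInputSchema = revokeRoleFromUserInputSchema;
+exports.revokeScopeFromRoleInputSchema = revokeScopeFromRoleInputSchema;
+exports.revokeScopeFromUserInputSchema = revokeScopeFromUserInputSchema;
+exports.updateRoleInputSchema = updateRoleInputSchema;
+exports.verifyAccessInputSchema = verifyAccessInputSchema;
+exports.verifyScopeInputSchema = verifyScopeInputSchema;
+exports.verifyScopeOutputSchema = verifyScopeOutputSchema;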
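Review bot: `verifyAccessInputSchema` accepts `jwt` as an already-decoded payload object (`jwtPayloadSchema.extend({...}).optional()`), so nothing in this module establishes that claims such as `user.role`, `user.isSuperAdmin` or `exp` came from a signature-verified token; the schema checks shape only, and the consumer that acts on them is outside this file. That contract deserves to be written where the schema is defined, e.g. a comment above the `const verifyAccessInputSchema` line: `// jwt is the decoded payload as supplied by the calling worker; this schema validates shape only — the caller is responsible for having verified the token's signature and expiry.` Also, in `accessRequestSchema` each example comment sits on the line after the field it illustrates, so `// '123'` reads as documentation for `resourcePath` rather than `resourceId`; moving each comment above its field, or onto the same line, restores the intended attribution. The diffstat lists this new module as package/dist/shared/rbac.CnJxCt2K.cjs.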