@develit-services/rbac 0.0.1

package/dist/shared/rbac.C9brkvW9.mjs

@@ -0,0 +1,344 @@
+import { z } from 'zod';
+
+const TEST_SCOPES = [
+  "test.read",
+  "test.edit",
+  "test.delete",
+  "test.{jwt.organizationId}.read",
+  "test.{jwt.user.rawUserMetaData.organizationId}.read",
+  "test.{jwt.user.rawUserMetaData.organizationId}.edit",
+  "test.{param.resourceId}.read",
+  "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read",
+  "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read",
+  "test.{invalid}.scope",
+  "test.{}.scope",
+  "test.{jwt.}.scope",
+  "test.{.key}.scope"
+];
+const SCOPES = [
+  "tickets.read",
+  "tickets.{jwt.user.rawUserMetaData.organizationId}.read",
+  "tickets.create",
+  "tickets.edit",
+  "tickets.delete",
+  "tickets.archive",
+  "tickets.automations.pause",
+  "tickets.automations.resume",
+  "tickets.dependencies.read",
+  "tickets.dependencies.create",
+  "tickets.dependencies.edit",
+  "tickets.dependencies.delete",
+  "tickets.confirmation.send",
+  "tickets.confirmation.download",
+  "tickets.payments.create",
+  "tickets.payments.read",
+  "tickets.payments.edit",
+  "tickets.payments.delete",
+  "tickets.payments.confirmation.send",
+  "tickets.payments.confirmation.download",
+  "tickets.logs.read",
+  "tickets.logs.create",
+  "tickets.logs.delete",
+  "users.read",
+  "users.create",
+  "users.edit",
+  "users.delete",
+  "users.archive",
+  "users.password.reset.send",
+  "users.permissions.read",
+  "users.permissions.assign",
+  "users.permissions.delete",
+  "users.2fa.enable",
+  "users.2fa.disable",
+  "users.logs.read",
+  "users.logs.create",
+  "users.logs.delete",
+  "traders.read",
+  "traders.create",
+  "traders.edit",
+  "traders.delete",
+  "traders.logs",
+  "clients.read",
+  "organization.{jwt.user.rawUserMetaData.organizationId}.clients.read",
+  "clients.create",
+  "clients.edit",
+  "clients.delete",
+  "clients.pin.read",
+  // read client pin
+  "clients.pin.edit",
+  // edit client pin
+  "clients.limits.read",
+  // read client limits
+  "clients.limits.edit",
+  // edit client limits
+  "clients.trader.assign",
+  "clients.trader.edit",
+  "clients.logs.read",
+  "clients.logs.create",
+  "clients.logs.delete",
+  "roles.read",
+  "roles.create",
+  "roles.edit",
+  "roles.delete",
+  "roles.permissions.assign",
+  // assign permissions to roles
+  "roles.permissions.delete",
+  // delete permissions from roles
+  "roles.logs.read",
+  "roles.logs.create",
+  "roles.logs.delete",
+  "roles.users.read",
+  // read users assigned to roles
+  "accounts.read",
+  "accounts.create",
+  "accounts.edit",
+  "accounts.delete",
+  "accounts.archive",
+  "accounts.balance",
+  "accounts.identifiers.create",
+  "accounts.identifiers.read",
+  "accounts.identifiers.edit",
+  "accounts.identifiers.delete",
+  "accounts.transactions.read",
+  "accounts.logs.read",
+  "accounts.logs.create",
+  "accounts.logs.delete",
+  ...TEST_SCOPES
+];
+const LABELED_SCOPES = [
+  { label: "Zobrazit tiket", value: "tickets.read" },
+  { label: "Vytvo\u0159it tiket", value: "tickets.create" },
+  { label: "Upravit tiket", value: "tickets.edit" },
+  { label: "Smazat tiket", value: "tickets.delete" },
+  { label: "Archivovat tiket", value: "tickets.archive" },
+  {
+    label: "Pozastavit automatizaci tiketu",
+    value: "tickets.automations.pause"
+  },
+  { label: "Obnovit automatizaci tiketu", value: "tickets.automations.resume" },
+  { label: "Zobrazit z\xE1vislosti tiket\u016F", value: "tickets.dependencies.read" },
+  { label: "Vytvo\u0159it z\xE1vislosti tiket\u016F", value: "tickets.dependencies.create" },
+  { label: "Upravit z\xE1vislosti tiket\u016F", value: "tickets.dependencies.edit" },
+  { label: "Smazat z\xE1vislosti tiket\u016F", value: "tickets.dependencies.delete" },
+  { label: "Poslat potvrzen\xED tiketu", value: "tickets.confirmation.send" },
+  {
+    label: "St\xE1hnout potvrzen\xED tiketu",
+    value: "tickets.confirmation.download"
+  },
+  { label: "Vytvo\u0159it platbu tiketu", value: "tickets.payments.create" },
+  { label: "Zobrazit platby tiketu", value: "tickets.payments.read" },
+  { label: "Upravit platby tiketu", value: "tickets.payments.edit" },
+  { label: "Smazat platby tiketu", value: "tickets.payments.delete" },
+  {
+    label: "Poslat potvrzen\xED platby tiketu",
+    value: "tickets.payments.confirmation.send"
+  },
+  {
+    label: "St\xE1hnout potvrzen\xED platby tiketu",
+    value: "tickets.payments.confirmation.download"
+  },
+  { label: "Zobrazit logy tiketu", value: "tickets.logs.read" },
+  { label: "Vytvo\u0159it logy tiketu", value: "tickets.logs.create" },
+  { label: "Smazat logy tiketu", value: "tickets.logs.delete" },
+  { label: "Zobrazit obchodn\xEDky", value: "traders.read" },
+  { label: "Vytvo\u0159it obchodn\xEDky", value: "traders.create" },
+  { label: "Upravit obchodn\xEDky", value: "traders.edit" },
+  { label: "Smazat obchodn\xEDky", value: "traders.delete" },
+  { label: "Logy obchodn\xEDk\u016F", value: "traders.logs" },
+  { label: "Zobrazit klienty", value: "clients.read" },
+  { label: "Vytvo\u0159it klienty", value: "clients.create" },
+  { label: "Upravit klienty", value: "clients.edit" },
+  { label: "Smazat klienty", value: "clients.delete" },
+  { label: "Zobrazit PIN klienta", value: "clients.pin.read" },
+  { label: "Upravit PIN klienta", value: "clients.pin.edit" },
+  { label: "Zobrazit limity klienta", value: "clients.limits.read" },
+  { label: "Upravit limity klienta", value: "clients.limits.edit" },
+  { label: "P\u0159i\u0159adit obchodn\xEDka klientovi", value: "clients.trader.assign" },
+  { label: "Upravit obchodn\xEDka klienta", value: "clients.trader.edit" },
+  { label: "Zobrazit logy klient\u016F", value: "clients.logs.read" },
+  { label: "Vytvo\u0159it logy klient\u016F", value: "clients.logs.create" },
+  { label: "Smazat logy klient\u016F", value: "clients.logs.delete" },
+  { label: "Zobrazit u\u017Eivatele", value: "users.read" },
+  { label: "Vytvo\u0159it u\u017Eivatele", value: "users.create" },
+  { label: "Upravit u\u017Eivatele", value: "users.edit" },
+  { label: "Smazat u\u017Eivatele", value: "users.delete" },
+  { label: "Archivovat u\u017Eivatele", value: "users.archive" },
+  { label: "Poslat reset hesla", value: "users.password.reset.send" },
+  { label: "Zobrazit opr\xE1vn\u011Bn\xED u\u017Eivatel\u016F", value: "users.permissions.read" },
+  { label: "P\u0159i\u0159adit opr\xE1vn\u011Bn\xED u\u017Eivatel\u016Fm", value: "users.permissions.assign" },
+  { label: "Odebrat opr\xE1vn\u011Bn\xED u\u017Eivatel\u016Fm", value: "users.permissions.delete" },
+  { label: "Povolit 2FA u\u017Eivatel\u016Fm", value: "users.2fa.enable" },
+  { label: "Zak\xE1zat 2FA u\u017Eivatel\u016Fm", value: "users.2fa.disable" },
+  { label: "Zobrazit logy u\u017Eivatel\u016F", value: "users.logs.read" },
+  { label: "Vytvo\u0159it logy u\u017Eivatel\u016F", value: "users.logs.create" },
+  { label: "Smazat logy u\u017Eivatel\u016F", value: "users.logs.delete" },
+  { label: "Zobrazit role", value: "roles.read" },
+  { label: "Vytvo\u0159it role", value: "roles.create" },
+  { label: "Upravit role", value: "roles.edit" },
+  { label: "Smazat role", value: "roles.delete" },
+  { label: "P\u0159i\u0159adit opr\xE1vn\u011Bn\xED rol\xEDm", value: "roles.permissions.assign" },
+  { label: "Odebrat opr\xE1vn\u011Bn\xED rol\xEDm", value: "roles.permissions.delete" },
+  { label: "Zobrazit logy rol\xED", value: "roles.logs.read" },
+  { label: "Vytvo\u0159it logy rol\xED", value: "roles.logs.create" },
+  { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
+  { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
+  { label: "Zobrazit \xFA\u010Dty", value: "accounts.read" },
+  { label: "Vytvo\u0159it \xFA\u010Dty", value: "accounts.create" },
+  { label: "Upravit \xFA\u010Dty", value: "accounts.edit" },
+  { label: "Smazat \xFA\u010Dty", value: "accounts.delete" },
+  { label: "Archivovat \xFA\u010Dty", value: "accounts.archive" },
+  { label: "Zobrazit z\u016Fstatek \xFA\u010Dtu", value: "accounts.balance" },
+  {
+    label: "Vytvo\u0159it identifik\xE1tory \xFA\u010Dtu",
+    value: "accounts.identifiers.create"
+  },
+  { label: "Zobrazit identifik\xE1tory \xFA\u010Dtu", value: "accounts.identifiers.read" },
+  { label: "Upravit identifik\xE1tory \xFA\u010Dtu", value: "accounts.identifiers.edit" },
+  { label: "Smazat identifik\xE1tory \xFA\u010Dtu", value: "accounts.identifiers.delete" },
+  { label: "Zobrazit transakce \xFA\u010Dtu", value: "accounts.transactions.read" },
+  { label: "Zobrazit logy \xFA\u010Dt\u016F", value: "accounts.logs.read" },
+  { label: "Vytvo\u0159it logy \xFA\u010Dt\u016F", value: "accounts.logs.create" },
+  { label: "Smazat logy \xFA\u010Dt\u016F", value: "accounts.logs.delete" }
+];
+
+const assignRoleToUserInputSchema = z.object({
+  userId: z.uuid(),
+  roleId: z.uuid()
+});
+
+const assignRolesToUserInputSchema = z.object({
+  userId: z.uuid(),
+  roles: z.array(z.uuid())
+});
+
+const createRoleInputSchema = z.object({
+  name: z.string()
+});
+
+const deleteRoleInputSchema = z.object({
+  id: z.uuid()
+});
+
+const getUserPermissionsInputSchema = z.object({
+  userId: z.uuid()
+});
+
+const grantScopeToRoleInputSchema = z.object({
+  roleId: z.uuid(),
+  scope: z.enum(SCOPES),
+  resourceId: z.string().optional()
+});
+
+const grantScopeToUserInputSchema = z.object({
+  userId: z.uuid(),
+  scope: z.enum(SCOPES),
+  resourceId: z.string().optional()
+});
+
+const grantScopesToUserInputSchema = z.object({
+  userId: z.uuid(),
+  scopes: z.array(
+    z.object({
+      scope: z.enum(SCOPES),
+      resourceId: z.string().optional()
+    })
+  )
+});
+
+const revokeRoleFromUserInputSchema = z.object({
+  userId: z.uuid(),
+  roleId: z.uuid()
+});
+
+const revokeScopeFromRoleInputSchema = z.object({
+  roleId: z.uuid(),
+  scope: z.enum(SCOPES),
+  resourceId: z.string().optional()
+});
+
+const revokeScopeFromUserInputSchema = z.object({
+  userId: z.uuid(),
+  scope: z.enum(SCOPES),
+  resourceId: z.string().optional()
+});
+
+const updateRoleInputSchema = z.object({
+  id: z.uuid(),
+  name: z.string()
+});
+
+const userDataSchema = z.object({
+  referenceId: z.string(),
+  email: z.string().optional(),
+  role: z.string().optional()
+});
+const jwtPayloadSchema = z.object({
+  sub: z.string(),
+  user: z.object({
+    id: z.uuid(),
+    createdAt: z.date().nullable(),
+    updatedAt: z.date().nullable(),
+    deletedAt: z.date().nullable(),
+    role: z.string(),
+    email: z.email(),
+    rawAppMetaData: z.any(),
+    rawUserMetaData: z.any(),
+    isSuperAdmin: z.boolean().default(false),
+    isSsoUser: z.boolean().default(false),
+    lastSignInAt: z.date().nullable().optional(),
+    emailConfirmedAt: z.date().nullable().optional(),
+    confirmationSentAt: z.date().nullable().optional(),
+    recoverySentAt: z.date().nullable().optional(),
+    emailChangeToken: z.string().nullable().optional(),
+    emailChangeSentAt: z.date().nullable().optional(),
+    isBanned: z.boolean().default(false).nullable().optional()
+  }),
+  iat: z.number(),
+  exp: z.number(),
+  userData: userDataSchema.optional()
+});
+
+const accessRequestSchema = z.object({
+  scope: z.enum(SCOPES),
+  // 'exchange-offices.{jwt.exchangeOfficeId}.read'
+  resourceId: z.string().optional(),
+  // '123'
+  resourcePath: z.string().optional()
+  // 'exchange-offices.333.read' - only needed for scopes with placeholders
+});
+const verifyAccessInputSchema = z.object({
+  userId: z.uuid(),
+  accessRequests: z.array(accessRequestSchema),
+  jwt: jwtPayloadSchema.extend({
+    createdAt: z.coerce.date().nullable().optional(),
+    updatedAt: z.coerce.date().nullable().optional(),
+    deletedAt: z.coerce.date().nullable().optional(),
+    lastSignInAt: z.coerce.date().nullable().optional(),
+    emailConfirmedAt: z.coerce.date().nullable().optional(),
+    confirmationSentAt: z.coerce.date().nullable().optional(),
+    recoverySentAt: z.coerce.date().nullable().optional(),
+    emailChangeSentAt: z.coerce.date().nullable().optional(),
+    user: jwtPayloadSchema.shape.user.extend({
+      createdAt: z.coerce.date().nullable().optional(),
+      updatedAt: z.coerce.date().nullable().optional(),
+      lastSignInAt: z.coerce.date().nullable().optional(),
+      emailConfirmedAt: z.coerce.date().nullable().optional()
+    })
+  }).optional()
+});
+
+const verifyScopeInputSchema = z.object({
+  scopes: z.array(z.string()),
+  resourceId: z.string().optional(),
+  jwt: z.object({
+    sub: z.uuid(),
+    rbac: z.object({
+      roles: z.array(z.string()).optional()
+    })
+  })
+});
+const verifyScopeOutputSchema = z.object({
+  isVerified: z.boolean().default(false)
+});
+
+export { LABELED_SCOPES as L, SCOPES as S, assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, verifyScopeInputSchema as k, verifyScopeOutputSchema as l, jwtPayloadSchema as m, revokeRoleFromUserInputSchema as r, updateRoleInputSchema as u, verifyAccessInputSchema as v };