@develit-services/rbac 0.2.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/dist/export/worker.cjs +81 -43
  2. package/dist/export/worker.d.cts +14 -7
  3. package/dist/export/worker.d.mts +14 -7
  4. package/dist/export/worker.d.ts +14 -7
  5. package/dist/export/worker.mjs +81 -43
  6. package/dist/shared/{rbac.CUCczegz.mjs → rbac.2_i8g_mW.mjs} +27 -8
  7. package/dist/shared/{rbac.CAcqvrNj.d.ts → rbac.BrefTsLW.d.ts} +23 -7
  8. package/dist/shared/{rbac.CocWK7y6.d.mts → rbac.CG3CtEwh.d.mts} +23 -7
  9. package/dist/shared/{rbac.DB0xguAY.d.cts → rbac.DBpIRbd3.d.cts} +23 -7
  10. package/dist/shared/{rbac.B2KUW5xp.cjs → rbac.JCf4hSCf.cjs} +32 -7
  11. package/dist/types.cjs +7 -1
  12. package/dist/types.d.cts +1 -1
  13. package/dist/types.d.mts +1 -1
  14. package/dist/types.d.ts +1 -1
  15. package/dist/types.mjs +1 -1
  16. package/package.json +1 -1
package/dist/export/worker.cjs CHANGED
@@ -5,7 +5,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
5
5
  const backendSdk = require('@develit-io/backend-sdk');
6
6
  const database_schema = require('../shared/rbac.Cra1T2nC.cjs');
7
7
  const drizzleOrm = require('drizzle-orm');
8
- const verifyScope = require('../shared/rbac.B2KUW5xp.cjs');
8
+ const verifyScope = require('../shared/rbac.JCf4hSCf.cjs');
9
9
  const zod = require('zod');
10
10
  const cloudflare_workers = require('cloudflare:workers');
11
11
  const d1 = require('drizzle-orm/d1');
@@ -658,12 +658,27 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
658
658
  }
659
659
  async verifyAccess(input) {
660
660
  return this.handleAction(
661
- // TODO: This input schema is just copied from auth and is not 100% type safe
662
661
  { data: input, schema: verifyScope.verifyAccessInputSchema },
663
662
  { successMessage: "Access verification completed." },
664
663
  async ({ userId, accessRequests, jwt }) => {
665
- for (const request of accessRequests) {
666
- this.validateScope(request.scope);
664
+ const collectScopes = (condition) => {
665
+ if (verifyScope.isScopeObject(condition)) {
666
+ return [condition];
667
+ }
668
+ if (verifyScope.isOrCondition(condition)) {
669
+ return condition.or.flatMap(collectScopes);
670
+ }
671
+ if (verifyScope.isAndCondition(condition)) {
672
+ return condition.and.flatMap(collectScopes);
673
+ }
674
+ if (verifyScope.isImplicitAndCondition(condition)) {
675
+ return condition.flatMap(collectScopes);
676
+ }
677
+ return [];
678
+ };
679
+ const allScopeObjects = collectScopes(accessRequests);
680
+ for (const scopeObj of allScopeObjects) {
681
+ this.validateScope(scopeObj.scope);
667
682
  }
668
683
  const userPermissionsResponse = await this.getUserPermissions({
669
684
  userId
@@ -678,50 +693,71 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
678
693
  ...userPermissionsResponse.data.roleScopes,
679
694
  ...userPermissionsResponse.data.scopes
680
695
  ];
681
- const allAccessRequestsSatisfied = accessRequests.every((request) => {
682
- const placeholders = parseScopeTemplate(request.scope);
683
- return allScopes.some((userScope) => {
684
- const scopesMatch = userScope.scope === request.scope;
685
- let resourceMatches = false;
686
- if (placeholders.length > 0) {
687
- if (!request.resourcePath) {
688
- throw backendSdk.createInternalError(null, {
689
- message: `Resource path is required when scope '${request.scope}' contains placeholders`,
690
- status: 400,
691
- code: "RESOURCE_PATH_REQUIRED"
692
- });
693
- }
694
- const extractedResources = extractResourcesFromPath(
695
- request.scope,
696
- request.resourcePath
697
- );
698
- const allPlaceholdersMatch = placeholders.every((placeholder) => {
699
- const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
700
- const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
701
- const expectedValue = getValueByKey(
702
- placeholder.type,
703
- placeholder.path,
704
- jwtParam
705
- );
706
- if (expectedValue === void 0) {
707
- return false;
708
- }
709
- return String(extractedValue) === String(expectedValue);
710
- });
711
- const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
712
- resourceMatches = allPlaceholdersMatch && resourceIdMatches;
713
- } else {
714
- resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
715
- }
716
- return scopesMatch && resourceMatches;
717
- });
718
- });
696
+ if (allScopeObjects.length === 0) {
697
+ return {
698
+ isVerified: true
699
+ };
700
+ }
701
+ const evaluateCondition = (condition) => {
702
+ if (verifyScope.isScopeObject(condition)) {
703
+ return this.verifySingleScope(condition, allScopes, jwt);
704
+ }
705
+ if (verifyScope.isOrCondition(condition)) {
706
+ return condition.or.some(evaluateCondition);
707
+ }
708
+ if (verifyScope.isAndCondition(condition)) {
709
+ return condition.and.every(evaluateCondition);
710
+ }
711
+ if (verifyScope.isImplicitAndCondition(condition)) {
712
+ return condition.every(evaluateCondition);
713
+ }
714
+ return false;
715
+ };
716
+ const isVerified = evaluateCondition(accessRequests);
719
717
  return {
720
- isVerified: allAccessRequestsSatisfied
718
+ isVerified
721
719
  };
722
720
  }
723
721
  );
724
722
  }
723
+ verifySingleScope(request, allScopes, jwt) {
724
+ const placeholders = parseScopeTemplate(request.scope);
725
+ return allScopes.some((userScope) => {
726
+ const scopesMatch = userScope.scope === request.scope;
727
+ let resourceMatches = false;
728
+ if (placeholders.length > 0) {
729
+ if (!request.resourcePath) {
730
+ throw backendSdk.createInternalError(null, {
731
+ message: `Resource path is required when scope '${request.scope}' contains placeholders`,
732
+ status: 400,
733
+ code: "RESOURCE_PATH_REQUIRED"
734
+ });
735
+ }
736
+ const extractedResources = extractResourcesFromPath(
737
+ request.scope,
738
+ request.resourcePath
739
+ );
740
+ const allPlaceholdersMatch = placeholders.every((placeholder) => {
741
+ const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
742
+ const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
743
+ const expectedValue = getValueByKey(
744
+ placeholder.type,
745
+ placeholder.path,
746
+ jwtParam
747
+ );
748
+ if (expectedValue === void 0) {
749
+ return false;
750
+ }
751
+ return String(extractedValue) === String(expectedValue);
752
+ });
753
+ const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
754
+ resourceMatches = allPlaceholdersMatch && resourceIdMatches;
755
+ } else {
756
+ resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
757
+ }
758
+ return scopesMatch && resourceMatches;
759
+ });
760
+ }
725
761
  async deleteRole(input) {
726
762
  return this.handleAction(
727
763
  { data: input, schema: verifyScope.deleteRoleInputSchema },
@@ -806,6 +842,7 @@ const organizationScopedKeys = (scopes) => {
806
842
  return out;
807
843
  };
808
844
  const TEST_SCOPES = [
845
+ "test.admin",
809
846
  "test.read",
810
847
  "test.edit",
811
848
  "test.delete",
@@ -1006,6 +1043,7 @@ const LABELED_SCOPES = [
1006
1043
  { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
1007
1044
  { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
1008
1045
  // Test scopes
1046
+ { label: "Test: Admin", value: "test.admin" },
1009
1047
  { label: "Test: Read", value: "test.read" },
1010
1048
  { label: "Test: Edit", value: "test.edit" },
1011
1049
  { label: "Test: Delete", value: "test.delete" },
package/dist/export/worker.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DB0xguAY.cjs';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DBpIRbd3.cjs';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.cjs';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
package/dist/export/worker.d.mts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CocWK7y6.mjs';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CG3CtEwh.mjs';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.mjs';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
package/dist/export/worker.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CAcqvrNj.js';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.BrefTsLW.js';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.js';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
package/dist/export/worker.mjs CHANGED
@@ -1,7 +1,7 @@
1
1
  import { uuidv4, first, createInternalError, develitWorker, action, service } from '@develit-io/backend-sdk';
2
2
  import { s as schema } from '../shared/rbac.D5OV7UPA.mjs';
3
3
  import { eq, and, count, inArray } from 'drizzle-orm';
4
- import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema } from '../shared/rbac.CUCczegz.mjs';
4
+ import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema, l as isScopeObject, m as isOrCondition, n as isAndCondition, o as isImplicitAndCondition } from '../shared/rbac.2_i8g_mW.mjs';
5
5
  import { z } from 'zod';
6
6
  import { WorkerEntrypoint } from 'cloudflare:workers';
7
7
  import { drizzle } from 'drizzle-orm/d1';
@@ -654,12 +654,27 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
654
654
  }
655
655
  async verifyAccess(input) {
656
656
  return this.handleAction(
657
- // TODO: This input schema is just copied from auth and is not 100% type safe
658
657
  { data: input, schema: verifyAccessInputSchema },
659
658
  { successMessage: "Access verification completed." },
660
659
  async ({ userId, accessRequests, jwt }) => {
661
- for (const request of accessRequests) {
662
- this.validateScope(request.scope);
660
+ const collectScopes = (condition) => {
661
+ if (isScopeObject(condition)) {
662
+ return [condition];
663
+ }
664
+ if (isOrCondition(condition)) {
665
+ return condition.or.flatMap(collectScopes);
666
+ }
667
+ if (isAndCondition(condition)) {
668
+ return condition.and.flatMap(collectScopes);
669
+ }
670
+ if (isImplicitAndCondition(condition)) {
671
+ return condition.flatMap(collectScopes);
672
+ }
673
+ return [];
674
+ };
675
+ const allScopeObjects = collectScopes(accessRequests);
676
+ for (const scopeObj of allScopeObjects) {
677
+ this.validateScope(scopeObj.scope);
663
678
  }
664
679
  const userPermissionsResponse = await this.getUserPermissions({
665
680
  userId
@@ -674,50 +689,71 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
674
689
  ...userPermissionsResponse.data.roleScopes,
675
690
  ...userPermissionsResponse.data.scopes
676
691
  ];
677
- const allAccessRequestsSatisfied = accessRequests.every((request) => {
678
- const placeholders = parseScopeTemplate(request.scope);
679
- return allScopes.some((userScope) => {
680
- const scopesMatch = userScope.scope === request.scope;
681
- let resourceMatches = false;
682
- if (placeholders.length > 0) {
683
- if (!request.resourcePath) {
684
- throw createInternalError(null, {
685
- message: `Resource path is required when scope '${request.scope}' contains placeholders`,
686
- status: 400,
687
- code: "RESOURCE_PATH_REQUIRED"
688
- });
689
- }
690
- const extractedResources = extractResourcesFromPath(
691
- request.scope,
692
- request.resourcePath
693
- );
694
- const allPlaceholdersMatch = placeholders.every((placeholder) => {
695
- const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
696
- const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
697
- const expectedValue = getValueByKey(
698
- placeholder.type,
699
- placeholder.path,
700
- jwtParam
701
- );
702
- if (expectedValue === void 0) {
703
- return false;
704
- }
705
- return String(extractedValue) === String(expectedValue);
706
- });
707
- const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
708
- resourceMatches = allPlaceholdersMatch && resourceIdMatches;
709
- } else {
710
- resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
711
- }
712
- return scopesMatch && resourceMatches;
713
- });
714
- });
692
+ if (allScopeObjects.length === 0) {
693
+ return {
694
+ isVerified: true
695
+ };
696
+ }
697
+ const evaluateCondition = (condition) => {
698
+ if (isScopeObject(condition)) {
699
+ return this.verifySingleScope(condition, allScopes, jwt);
700
+ }
701
+ if (isOrCondition(condition)) {
702
+ return condition.or.some(evaluateCondition);
703
+ }
704
+ if (isAndCondition(condition)) {
705
+ return condition.and.every(evaluateCondition);
706
+ }
707
+ if (isImplicitAndCondition(condition)) {
708
+ return condition.every(evaluateCondition);
709
+ }
710
+ return false;
711
+ };
712
+ const isVerified = evaluateCondition(accessRequests);
715
713
  return {
716
- isVerified: allAccessRequestsSatisfied
714
+ isVerified
717
715
  };
718
716
  }
719
717
  );
720
718
  }
719
+ verifySingleScope(request, allScopes, jwt) {
720
+ const placeholders = parseScopeTemplate(request.scope);
721
+ return allScopes.some((userScope) => {
722
+ const scopesMatch = userScope.scope === request.scope;
723
+ let resourceMatches = false;
724
+ if (placeholders.length > 0) {
725
+ if (!request.resourcePath) {
726
+ throw createInternalError(null, {
727
+ message: `Resource path is required when scope '${request.scope}' contains placeholders`,
728
+ status: 400,
729
+ code: "RESOURCE_PATH_REQUIRED"
730
+ });
731
+ }
732
+ const extractedResources = extractResourcesFromPath(
733
+ request.scope,
734
+ request.resourcePath
735
+ );
736
+ const allPlaceholdersMatch = placeholders.every((placeholder) => {
737
+ const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
738
+ const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
739
+ const expectedValue = getValueByKey(
740
+ placeholder.type,
741
+ placeholder.path,
742
+ jwtParam
743
+ );
744
+ if (expectedValue === void 0) {
745
+ return false;
746
+ }
747
+ return String(extractedValue) === String(expectedValue);
748
+ });
749
+ const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
750
+ resourceMatches = allPlaceholdersMatch && resourceIdMatches;
751
+ } else {
752
+ resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
753
+ }
754
+ return scopesMatch && resourceMatches;
755
+ });
756
+ }
721
757
  async deleteRole(input) {
722
758
  return this.handleAction(
723
759
  { data: input, schema: deleteRoleInputSchema },
@@ -802,6 +838,7 @@ const organizationScopedKeys = (scopes) => {
802
838
  return out;
803
839
  };
804
840
  const TEST_SCOPES = [
841
+ "test.admin",
805
842
  "test.read",
806
843
  "test.edit",
807
844
  "test.delete",
@@ -1002,6 +1039,7 @@ const LABELED_SCOPES = [
1002
1039
  { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
1003
1040
  { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
1004
1041
  // Test scopes
1042
+ { label: "Test: Admin", value: "test.admin" },
1005
1043
  { label: "Test: Read", value: "test.read" },
1006
1044
  { label: "Test: Edit", value: "test.edit" },
1007
1045
  { label: "Test: Delete", value: "test.delete" },
package/dist/shared/{rbac.CUCczegz.mjs → rbac.2_i8g_mW.mjs} RENAMED
@@ -135,17 +135,36 @@ const coercedUserSchema = jwtUserSchema.extend({
135
135
  const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
136
136
  user: coercedUserSchema
137
137
  });
138
+ const scopeObjectSchema = z.object({
139
+ scope: z.string(),
140
+ resourceId: z.string().optional(),
141
+ resourcePath: z.string().optional()
142
+ });
143
+ const scopeConditionSchema = z.lazy(
144
+ () => z.union([
145
+ scopeObjectSchema,
146
+ z.object({ or: z.array(scopeConditionSchema) }),
147
+ z.object({ and: z.array(scopeConditionSchema) }),
148
+ z.array(scopeConditionSchema)
149
+ ])
150
+ );
138
151
  const verifyAccessInputSchema = z.object({
139
152
  userId: z.uuid(),
140
- accessRequests: z.array(
141
- z.object({
142
- scope: z.string(),
143
- resourceId: z.string().optional(),
144
- resourcePath: z.string().optional()
145
- })
146
- ),
153
+ accessRequests: scopeConditionSchema,
147
154
  jwt: coercedJwtPayloadSchema.optional()
148
155
  });
156
+ function isScopeObject(condition) {
157
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
158
+ }
159
+ function isOrCondition(condition) {
160
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
161
+ }
162
+ function isAndCondition(condition) {
163
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
164
+ }
165
+ function isImplicitAndCondition(condition) {
166
+ return Array.isArray(condition);
167
+ }
149
168
 
150
169
  const verifyScopeInputSchema = z.object({
151
170
  scopes: z.array(z.string()),
@@ -161,4 +180,4 @@ const verifyScopeOutputSchema = z.object({
161
180
  isVerified: z.boolean().default(false)
162
181
  });
163
182
 
164
- export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, verifyScopeInputSchema as k, verifyScopeOutputSchema as l, revokeRoleFromUserInputSchema as r, updateRoleInputSchema as u, verifyAccessInputSchema as v };
183
+ export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, scopeConditionSchema as k, isScopeObject as l, isOrCondition as m, isAndCondition as n, isImplicitAndCondition as o, verifyScopeInputSchema as p, verifyScopeOutputSchema as q, revokeRoleFromUserInputSchema as r, scopeObjectSchema as s, updateRoleInputSchema as u, verifyAccessInputSchema as v };
package/dist/shared/{rbac.CAcqvrNj.d.ts → rbac.BrefTsLW.d.ts} RENAMED
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
package/dist/shared/{rbac.CocWK7y6.d.mts → rbac.CG3CtEwh.d.mts} RENAMED
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
package/dist/shared/{rbac.DB0xguAY.d.cts → rbac.DBpIRbd3.d.cts} RENAMED
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
package/dist/shared/{rbac.B2KUW5xp.cjs → rbac.JCf4hSCf.cjs} RENAMED
@@ -137,17 +137,36 @@ const coercedUserSchema = jwtUserSchema.extend({
137
137
  const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
138
138
  user: coercedUserSchema
139
139
  });
140
+ const scopeObjectSchema = zod.z.object({
141
+ scope: zod.z.string(),
142
+ resourceId: zod.z.string().optional(),
143
+ resourcePath: zod.z.string().optional()
144
+ });
145
+ const scopeConditionSchema = zod.z.lazy(
146
+ () => zod.z.union([
147
+ scopeObjectSchema,
148
+ zod.z.object({ or: zod.z.array(scopeConditionSchema) }),
149
+ zod.z.object({ and: zod.z.array(scopeConditionSchema) }),
150
+ zod.z.array(scopeConditionSchema)
151
+ ])
152
+ );
140
153
  const verifyAccessInputSchema = zod.z.object({
141
154
  userId: zod.z.uuid(),
142
- accessRequests: zod.z.array(
143
- zod.z.object({
144
- scope: zod.z.string(),
145
- resourceId: zod.z.string().optional(),
146
- resourcePath: zod.z.string().optional()
147
- })
148
- ),
155
+ accessRequests: scopeConditionSchema,
149
156
  jwt: coercedJwtPayloadSchema.optional()
150
157
  });
158
+ function isScopeObject(condition) {
159
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
160
+ }
161
+ function isOrCondition(condition) {
162
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
163
+ }
164
+ function isAndCondition(condition) {
165
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
166
+ }
167
+ function isImplicitAndCondition(condition) {
168
+ return Array.isArray(condition);
169
+ }
151
170
 
152
171
  const verifyScopeInputSchema = zod.z.object({
153
172
  scopes: zod.z.array(zod.z.string()),
@@ -171,9 +190,15 @@ exports.getUserPermissionsInputSchema = getUserPermissionsInputSchema;
171
190
  exports.grantScopeToRoleInputSchema = grantScopeToRoleInputSchema;
172
191
  exports.grantScopeToUserInputSchema = grantScopeToUserInputSchema;
173
192
  exports.grantScopesToUserInputSchema = grantScopesToUserInputSchema;
193
+ exports.isAndCondition = isAndCondition;
194
+ exports.isImplicitAndCondition = isImplicitAndCondition;
195
+ exports.isOrCondition = isOrCondition;
196
+ exports.isScopeObject = isScopeObject;
174
197
  exports.revokeRoleFromUserInputSchema = revokeRoleFromUserInputSchema;
175
198
  exports.revokeScopeFromRoleInputSchema = revokeScopeFromRoleInputSchema;
176
199
  exports.revokeScopeFromUserInputSchema = revokeScopeFromUserInputSchema;
200
+ exports.scopeConditionSchema = scopeConditionSchema;
201
+ exports.scopeObjectSchema = scopeObjectSchema;
177
202
  exports.updateRoleInputSchema = updateRoleInputSchema;
178
203
  exports.verifyAccessInputSchema = verifyAccessInputSchema;
179
204
  exports.verifyScopeInputSchema = verifyScopeInputSchema;
package/dist/types.cjs CHANGED
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
 
3
- const verifyScope = require('./shared/rbac.B2KUW5xp.cjs');
3
+ const verifyScope = require('./shared/rbac.JCf4hSCf.cjs');
4
4
  require('zod');
5
5
 
6
6
 
@@ -13,9 +13,15 @@ exports.getUserPermissionsInputSchema = verifyScope.getUserPermissionsInputSchem
13
13
  exports.grantScopeToRoleInputSchema = verifyScope.grantScopeToRoleInputSchema;
14
14
  exports.grantScopeToUserInputSchema = verifyScope.grantScopeToUserInputSchema;
15
15
  exports.grantScopesToUserInputSchema = verifyScope.grantScopesToUserInputSchema;
16
+ exports.isAndCondition = verifyScope.isAndCondition;
17
+ exports.isImplicitAndCondition = verifyScope.isImplicitAndCondition;
18
+ exports.isOrCondition = verifyScope.isOrCondition;
19
+ exports.isScopeObject = verifyScope.isScopeObject;
16
20
  exports.revokeRoleFromUserInputSchema = verifyScope.revokeRoleFromUserInputSchema;
17
21
  exports.revokeScopeFromRoleInputSchema = verifyScope.revokeScopeFromRoleInputSchema;
18
22
  exports.revokeScopeFromUserInputSchema = verifyScope.revokeScopeFromUserInputSchema;
23
+ exports.scopeConditionSchema = verifyScope.scopeConditionSchema;
24
+ exports.scopeObjectSchema = verifyScope.scopeObjectSchema;
19
25
  exports.updateRoleInputSchema = verifyScope.updateRoleInputSchema;
20
26
  exports.verifyAccessInputSchema = verifyScope.verifyAccessInputSchema;
21
27
  exports.verifyScopeInputSchema = verifyScope.verifyScopeInputSchema;
package/dist/types.d.cts CHANGED
@@ -1,4 +1,4 @@
1
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.DB0xguAY.cjs';
1
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.DBpIRbd3.cjs';
2
2
  import { z } from 'zod';
3
3
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.cjs';
4
4
  import 'drizzle-orm';
package/dist/types.d.mts CHANGED
@@ -1,4 +1,4 @@
1
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.CocWK7y6.mjs';
1
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.CG3CtEwh.mjs';
2
2
  import { z } from 'zod';
3
3
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.mjs';
4
4
  import 'drizzle-orm';
package/dist/types.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.CAcqvrNj.js';
1
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.BrefTsLW.js';
2
2
  import { z } from 'zod';
3
3
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.js';
4
4
  import 'drizzle-orm';
package/dist/types.mjs CHANGED
@@ -1,2 +1,2 @@
1
- export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, k as verifyScopeInputSchema, l as verifyScopeOutputSchema } from './shared/rbac.CUCczegz.mjs';
1
+ export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, n as isAndCondition, o as isImplicitAndCondition, m as isOrCondition, l as isScopeObject, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, k as scopeConditionSchema, s as scopeObjectSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, p as verifyScopeInputSchema, q as verifyScopeOutputSchema } from './shared/rbac.2_i8g_mW.mjs';
2
2
  import 'zod';
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@develit-services/rbac",
3
- "version": "0.2.3",
3
+ "version": "0.4.0",
4
4
  "author": "Develit.io s.r.o.",
5
5
  "type": "module",
6
6
  "exports": {