@develit-services/rbac 0.3.0 → 0.4.0

@@ -5,7 +5,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
5
5
  const backendSdk = require('@develit-io/backend-sdk');
6
6
  const database_schema = require('../shared/rbac.Cra1T2nC.cjs');
7
7
  const drizzleOrm = require('drizzle-orm');
8
- const verifyScope = require('../shared/rbac.BZDCYlSt.cjs');
8
+ const verifyScope = require('../shared/rbac.JCf4hSCf.cjs');
9
9
  const zod = require('zod');
10
10
  const cloudflare_workers = require('cloudflare:workers');
11
11
  const d1 = require('drizzle-orm/d1');
@@ -661,10 +661,24 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
661
661
  { data: input, schema: verifyScope.verifyAccessInputSchema },
662
662
  { successMessage: "Access verification completed." },
663
663
  async ({ userId, accessRequests, jwt }) => {
664
- for (const requestGroup of accessRequests) {
665
- for (const request of requestGroup) {
666
- this.validateScope(request.scope);
664
+ const collectScopes = (condition) => {
665
+ if (verifyScope.isScopeObject(condition)) {
666
+ return [condition];
667
667
  }
668
+ if (verifyScope.isOrCondition(condition)) {
669
+ return condition.or.flatMap(collectScopes);
670
+ }
671
+ if (verifyScope.isAndCondition(condition)) {
672
+ return condition.and.flatMap(collectScopes);
673
+ }
674
+ if (verifyScope.isImplicitAndCondition(condition)) {
675
+ return condition.flatMap(collectScopes);
676
+ }
677
+ return [];
678
+ };
679
+ const allScopeObjects = collectScopes(accessRequests);
680
+ for (const scopeObj of allScopeObjects) {
681
+ this.validateScope(scopeObj.scope);
668
682
  }
669
683
  const userPermissionsResponse = await this.getUserPermissions({
670
684
  userId
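Review bot: The `return [];` fall-through at the end of `collectScopes` makes a condition that none of the four guards recognizes contribute no scope objects, and the `if (allScopeObjects.length === 0)` shortcut in the next hunk then answers `isVerified: true` before `evaluateCondition` is reached, although that function returns `false` for the same input. The shortcut would also grant `{ or: [] }` if the guard accepts an empty list, even though `condition.or.some(...)` over an empty list is `false`. Unless `verifyAccessInputSchema`, which is not visible here, rejects empty and unknown shapes, this path fails open; I would keep the shortcut only for the legacy empty list, `if (Array.isArray(accessRequests) && accessRequests.length === 0) {`, and let `evaluateCondition` decide everything else. Both helpers also recurse over caller-supplied nesting with no depth limit, so the schema should bound it. The enclosing `verifyAccess` handler starts above this hunk and continues below it.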
@@ -679,59 +693,71 @@ let RbacServiceBase = class extends backendSdk.develitWorker(cloudflare_workers.
679
693
  ...userPermissionsResponse.data.roleScopes,
680
694
  ...userPermissionsResponse.data.scopes
681
695
  ];
682
- if (accessRequests.length === 0) {
696
+ if (allScopeObjects.length === 0) {
683
697
  return {
684
698
  isVerified: true
685
699
  };
686
700
  }
687
- const anyGroupSatisfied = accessRequests.some((requestGroup) => {
688
- return requestGroup.every((request) => {
689
- const placeholders = parseScopeTemplate(request.scope);
690
- return allScopes.some((userScope) => {
691
- const scopesMatch = userScope.scope === request.scope;
692
- let resourceMatches = false;
693
- if (placeholders.length > 0) {
694
- if (!request.resourcePath) {
695
- throw backendSdk.createInternalError(null, {
696
- message: `Resource path is required when scope '${request.scope}' contains placeholders`,
697
- status: 400,
698
- code: "RESOURCE_PATH_REQUIRED"
699
- });
700
- }
701
- const extractedResources = extractResourcesFromPath(
702
- request.scope,
703
- request.resourcePath
704
- );
705
- const allPlaceholdersMatch = placeholders.every(
706
- (placeholder) => {
707
- const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
708
- const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
709
- const expectedValue = getValueByKey(
710
- placeholder.type,
711
- placeholder.path,
712
- jwtParam
713
- );
714
- if (expectedValue === void 0) {
715
- return false;
716
- }
717
- return String(extractedValue) === String(expectedValue);
718
- }
719
- );
720
- const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
721
- resourceMatches = allPlaceholdersMatch && resourceIdMatches;
722
- } else {
723
- resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
724
- }
725
- return scopesMatch && resourceMatches;
726
- });
727
- });
728
- });
701
+ const evaluateCondition = (condition) => {
702
+ if (verifyScope.isScopeObject(condition)) {
703
+ return this.verifySingleScope(condition, allScopes, jwt);
704
+ }
705
+ if (verifyScope.isOrCondition(condition)) {
706
+ return condition.or.some(evaluateCondition);
707
+ }
708
+ if (verifyScope.isAndCondition(condition)) {
709
+ return condition.and.every(evaluateCondition);
710
+ }
711
+ if (verifyScope.isImplicitAndCondition(condition)) {
712
+ return condition.every(evaluateCondition);
713
+ }
714
+ return false;
715
+ };
716
+ const isVerified = evaluateCondition(accessRequests);
729
717
  return {
730
- isVerified: anyGroupSatisfied
718
+ isVerified
731
719
  };
732
720
  }
733
721
  );
734
722
  }
723
+ verifySingleScope(request, allScopes, jwt) {
724
+ const placeholders = parseScopeTemplate(request.scope);
725
+ return allScopes.some((userScope) => {
726
+ const scopesMatch = userScope.scope === request.scope;
727
+ let resourceMatches = false;
728
+ if (placeholders.length > 0) {
729
+ if (!request.resourcePath) {
730
+ throw backendSdk.createInternalError(null, {
731
+ message: `Resource path is required when scope '${request.scope}' contains placeholders`,
732
+ status: 400,
733
+ code: "RESOURCE_PATH_REQUIRED"
734
+ });
735
+ }
736
+ const extractedResources = extractResourcesFromPath(
737
+ request.scope,
738
+ request.resourcePath
739
+ );
740
+ const allPlaceholdersMatch = placeholders.every((placeholder) => {
741
+ const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
742
+ const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
743
+ const expectedValue = getValueByKey(
744
+ placeholder.type,
745
+ placeholder.path,
746
+ jwtParam
747
+ );
748
+ if (expectedValue === void 0) {
749
+ return false;
750
+ }
751
+ return String(extractedValue) === String(expectedValue);
752
+ });
753
+ const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
754
+ resourceMatches = allPlaceholdersMatch && resourceIdMatches;
755
+ } else {
756
+ resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
757
+ }
758
+ return scopesMatch && resourceMatches;
759
+ });
760
+ }
735
761
  async deleteRole(input) {
736
762
  return this.handleAction(
737
763
  { data: input, schema: verifyScope.deleteRoleInputSchema },
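Review bot: In `verifySingleScope` the placeholder comparison rejects only a missing expected value (`expectedValue === void 0`); `extractedValue` is never checked, so a key absent from `extractedResources` is compared as the string "undefined", and a `null` expected value, should `getValueByKey` return one, as "null". The logic is carried over unchanged from the inline version, but now that it is a method of its own the guard is worth tightening to `if (expectedValue == null || extractedValue == null) return false;` ahead of the `String(...)` comparison. The `RESOURCE_PATH_REQUIRED` throw also sits inside the `allScopes.some` callback, so it is skipped when the user holds no scopes and, under `or`, depends on which branch is evaluated first. Hoisting that check above `return allScopes.some(` would make the 400 independent of the user's grants.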
@@ -816,6 +842,7 @@ const organizationScopedKeys = (scopes) => {
816
842
  return out;
817
843
  };
818
844
  const TEST_SCOPES = [
845
+ "test.admin",
819
846
  "test.read",
820
847
  "test.edit",
821
848
  "test.delete",
@@ -1016,6 +1043,7 @@ const LABELED_SCOPES = [
1016
1043
  { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
1017
1044
  { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
1018
1045
  // Test scopes
1046
+ { label: "Test: Admin", value: "test.admin" },
1019
1047
  { label: "Test: Read", value: "test.read" },
1020
1048
  { label: "Test: Edit", value: "test.edit" },
1021
1049
  { label: "Test: Delete", value: "test.delete" },
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.B4wUvd3l.cjs';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DBpIRbd3.cjs';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.cjs';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
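Review bot: `TypedScopeCondition` has no doc comment, and its bare-array variant (`| TypedScopeCondition<TScopes>[]`) still accepts the 0.3.0 `Array<Array<...>>` shape while the meaning of that shape changes. The runtime section evaluates a condition matched by `isImplicitAndCondition` with `condition.every(evaluateCondition)`, whereas the removed code ran `accessRequests.some(...)` over groups tested with `requestGroup.every(...)`. If that guard matches plain arrays, as its name suggests, a caller still passing `[[a], [b]]` compiles unchanged but is now checked as a AND b rather than a OR b. A comment on the type such as `/** Arrays are an implicit AND; use { or: [...] } for alternatives. */` would make this visible at the call site. The same applies to the `verifyAccess` signature in the next hunk and to the identical declarations in the two later typings sections.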
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DbnJpvqK.mjs';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.CG3CtEwh.mjs';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.mjs';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
@@ -1,6 +1,6 @@
1
1
  import * as _develit_io_backend_sdk from '@develit-io/backend-sdk';
2
2
  import { IRPCResponse } from '@develit-io/backend-sdk';
3
- import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.DrhiDe1P.js';
3
+ import { L as LabeledScope$1, t as tables, C as CreateRoleInput, a as CreateRoleOutput, A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, V as VerifyAccessInput, r as VerifyAccessOutput, D as DeleteRoleInput, s as DeleteRoleOutput, U as UpdateRoleInput, u as UpdateRoleOutput } from '../shared/rbac.BrefTsLW.js';
4
4
  import { WorkerEntrypoint } from 'cloudflare:workers';
5
5
  import { DrizzleD1Database } from 'drizzle-orm/d1';
6
6
  import 'zod';
@@ -8,6 +8,16 @@ import 'drizzle-orm';
8
8
  import '../shared/rbac.CqpxM3E5.js';
9
9
  import 'drizzle-orm/sqlite-core';
10
10
 
11
+ type TypedScopeObject<TScopes extends readonly LabeledScope$1[]> = {
12
+ scope: TScopes[number]['value'];
13
+ resourceId?: string;
14
+ resourcePath?: string;
15
+ };
16
+ type TypedScopeCondition<TScopes extends readonly LabeledScope$1[]> = TypedScopeObject<TScopes> | {
17
+ or: TypedScopeCondition<TScopes>[];
18
+ } | {
19
+ and: TypedScopeCondition<TScopes>[];
20
+ } | TypedScopeCondition<TScopes>[];
11
21
  declare const RbacServiceBase_base: (abstract new (ctx: ExecutionContext, env: RbacEnv) => WorkerEntrypoint<RbacEnv, {}>) & (abstract new (...args: any[]) => _develit_io_backend_sdk.DevelitWorkerMethods);
12
22
  declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = LabeledScope$1[]> extends RbacServiceBase_base {
13
23
  readonly db: DrizzleD1Database<typeof tables>;
@@ -26,12 +36,9 @@ declare class RbacServiceBase<TScopes extends readonly LabeledScope$1[] = Labele
26
36
  getPermissions(): Promise<IRPCResponse<GetPermissionsOutput>>;
27
37
  getUserPermissions(input: GetUserPermissionsInput): Promise<IRPCResponse<GetUserPermissionsOutput>>;
28
38
  verifyAccess(input: Omit<VerifyAccessInput, 'accessRequests'> & {
29
- accessRequests: Array<Array<{
30
- scope: TScopes[number]['value'];
31
- resourceId?: string;
32
- resourcePath?: string;
33
- }>>;
39
+ accessRequests: TypedScopeCondition<TScopes>;
34
40
  }): Promise<IRPCResponse<VerifyAccessOutput>>;
41
+ private verifySingleScope;
35
42
  deleteRole(input: DeleteRoleInput): Promise<IRPCResponse<DeleteRoleOutput>>;
36
43
  updateRole(input: UpdateRoleInput): Promise<IRPCResponse<UpdateRoleOutput>>;
37
44
  }
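Review bot: The new `accessRequests: TypedScopeCondition<TScopes>` signature still accepts the old `Array<Array<...>>` shape, but nothing in the declaration says that a bare array is now an implicit AND at every nesting level. The 0.3.0 implementation shown further down this page evaluated the outer array with `some` and the inner one with `every`, while the 0.4.0 one uses `every` for any array, so a caller passing `[[a], [b]]` keeps compiling and silently goes from "a or b" to "a and b". That fails closed, but it deserves a doc comment on `TypedScopeCondition`, for example `/** A bare array means AND at every nesting level; wrap alternatives in { or: [...] }. */`. The class declaration itself starts outside this hunk.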
@@ -39,7 +46,7 @@ declare function defineRbacService<const TScopes extends readonly LabeledScope$1
39
46
  scopes: TScopes;
40
47
  }): new (ctx: ExecutionContext, env: RbacEnv) => RbacServiceBase<TScopes>;
41
48
 
42
- declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
49
+ declare const SCOPES: readonly ["tickets.read", "tickets.create", "tickets.edit", "tickets.delete", "tickets.archive", "tickets.automations.pause", "tickets.automations.resume", "tickets.dependencies.read", "tickets.dependencies.create", "tickets.dependencies.edit", "tickets.dependencies.delete", "tickets.confirmation.send", "tickets.confirmation.download", "tickets.payments.create", "tickets.payments.read", "tickets.payments.edit", "tickets.payments.delete", "tickets.payments.confirmation.send", "tickets.payments.confirmation.download", "tickets.logs.read", "tickets.logs.create", "tickets.logs.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.archive", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.pause", "tickets.{jwt.user.rawUserMetaData.organizationId}.automations.resume", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.dependencies.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.read", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.edit", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.delete", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.send", "tickets.{jwt.user.rawUserMetaData.organizationId}.payments.confirmation.download", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.read", 
"tickets.{jwt.user.rawUserMetaData.organizationId}.logs.create", "tickets.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "clients.read", "clients.create", "clients.edit", "clients.delete", "clients.pin.read", "clients.pin.edit", "clients.trader.edit", "clients.logs.read", "clients.logs.create", "clients.logs.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.read", "clients.{jwt.user.rawUserMetaData.organizationId}.create", "clients.{jwt.user.rawUserMetaData.organizationId}.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.delete", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.read", "clients.{jwt.user.rawUserMetaData.organizationId}.pin.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.trader.edit", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.read", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.create", "clients.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "users.read", "users.create", "users.edit", "users.delete", "users.ban", "users.password.reset.send", "users.password.edit", "users.2fa.enable", "users.2fa.disable", "users.roles.read", "users.roles.edit", "users.scopes.read", "users.scopes.assign", "users.scopes.delete", "users.logs.read", "users.logs.create", "users.logs.delete", "users.{jwt.user.rawUserMetaData.organizationId}.read", "users.{jwt.user.rawUserMetaData.organizationId}.create", "users.{jwt.user.rawUserMetaData.organizationId}.edit", "users.{jwt.user.rawUserMetaData.organizationId}.delete", "users.{jwt.user.rawUserMetaData.organizationId}.ban", "users.{jwt.user.rawUserMetaData.organizationId}.password.reset.send", "users.{jwt.user.rawUserMetaData.organizationId}.password.edit", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.enable", "users.{jwt.user.rawUserMetaData.organizationId}.2fa.disable", "users.{jwt.user.rawUserMetaData.organizationId}.roles.read", "users.{jwt.user.rawUserMetaData.organizationId}.roles.edit", 
"users.{jwt.user.rawUserMetaData.organizationId}.scopes.read", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.assign", "users.{jwt.user.rawUserMetaData.organizationId}.scopes.delete", "users.{jwt.user.rawUserMetaData.organizationId}.logs.read", "users.{jwt.user.rawUserMetaData.organizationId}.logs.create", "users.{jwt.user.rawUserMetaData.organizationId}.logs.delete", "traders.read", "traders.create", "traders.edit", "traders.delete", "traders.logs", "roles.read", "roles.create", "roles.edit", "roles.delete", "roles.scopes.assign", "roles.scopes.delete", "roles.logs.read", "roles.logs.create", "roles.logs.delete", "roles.users.read", "test.admin", "test.read", "test.edit", "test.delete", "test.{jwt.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.read", "test.{jwt.user.rawUserMetaData.organizationId}.edit", "test.{param.resourceId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.resource.{jwt.user.rawUserMetaData.organizationId}.read", "test.organization.{jwt.user.rawUserMetaData.organizationId}.branch.{jwt.userData.organizationBranchId}.read", "test.{invalid}.scope", "test.{}.scope", "test.{jwt.}.scope", "test.{.key}.scope"];
43
50
  type LabeledScope = {
44
51
  label: string;
45
52
  value: (typeof SCOPES)[number];
@@ -1,7 +1,7 @@
1
1
  import { uuidv4, first, createInternalError, develitWorker, action, service } from '@develit-io/backend-sdk';
2
2
  import { s as schema } from '../shared/rbac.D5OV7UPA.mjs';
3
3
  import { eq, and, count, inArray } from 'drizzle-orm';
4
- import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema } from '../shared/rbac.ihzxYB9Z.mjs';
4
+ import { c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema, l as isScopeObject, m as isOrCondition, n as isAndCondition, o as isImplicitAndCondition } from '../shared/rbac.2_i8g_mW.mjs';
5
5
  import { z } from 'zod';
6
6
  import { WorkerEntrypoint } from 'cloudflare:workers';
7
7
  import { drizzle } from 'drizzle-orm/d1';
@@ -657,10 +657,24 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
657
657
  { data: input, schema: verifyAccessInputSchema },
658
658
  { successMessage: "Access verification completed." },
659
659
  async ({ userId, accessRequests, jwt }) => {
660
- for (const requestGroup of accessRequests) {
661
- for (const request of requestGroup) {
662
- this.validateScope(request.scope);
660
+ const collectScopes = (condition) => {
661
+ if (isScopeObject(condition)) {
662
+ return [condition];
663
663
  }
664
+ if (isOrCondition(condition)) {
665
+ return condition.or.flatMap(collectScopes);
666
+ }
667
+ if (isAndCondition(condition)) {
668
+ return condition.and.flatMap(collectScopes);
669
+ }
670
+ if (isImplicitAndCondition(condition)) {
671
+ return condition.flatMap(collectScopes);
672
+ }
673
+ return [];
674
+ };
675
+ const allScopeObjects = collectScopes(accessRequests);
676
+ for (const scopeObj of allScopeObjects) {
677
+ this.validateScope(scopeObj.scope);
664
678
  }
665
679
  const userPermissionsResponse = await this.getUserPermissions({
666
680
  userId
@@ -675,59 +689,71 @@ let RbacServiceBase = class extends develitWorker(WorkerEntrypoint) {
675
689
  ...userPermissionsResponse.data.roleScopes,
676
690
  ...userPermissionsResponse.data.scopes
677
691
  ];
678
- if (accessRequests.length === 0) {
692
+ if (allScopeObjects.length === 0) {
679
693
  return {
680
694
  isVerified: true
681
695
  };
682
696
  }
683
- const anyGroupSatisfied = accessRequests.some((requestGroup) => {
684
- return requestGroup.every((request) => {
685
- const placeholders = parseScopeTemplate(request.scope);
686
- return allScopes.some((userScope) => {
687
- const scopesMatch = userScope.scope === request.scope;
688
- let resourceMatches = false;
689
- if (placeholders.length > 0) {
690
- if (!request.resourcePath) {
691
- throw createInternalError(null, {
692
- message: `Resource path is required when scope '${request.scope}' contains placeholders`,
693
- status: 400,
694
- code: "RESOURCE_PATH_REQUIRED"
695
- });
696
- }
697
- const extractedResources = extractResourcesFromPath(
698
- request.scope,
699
- request.resourcePath
700
- );
701
- const allPlaceholdersMatch = placeholders.every(
702
- (placeholder) => {
703
- const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
704
- const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
705
- const expectedValue = getValueByKey(
706
- placeholder.type,
707
- placeholder.path,
708
- jwtParam
709
- );
710
- if (expectedValue === void 0) {
711
- return false;
712
- }
713
- return String(extractedValue) === String(expectedValue);
714
- }
715
- );
716
- const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
717
- resourceMatches = allPlaceholdersMatch && resourceIdMatches;
718
- } else {
719
- resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
720
- }
721
- return scopesMatch && resourceMatches;
722
- });
723
- });
724
- });
697
+ const evaluateCondition = (condition) => {
698
+ if (isScopeObject(condition)) {
699
+ return this.verifySingleScope(condition, allScopes, jwt);
700
+ }
701
+ if (isOrCondition(condition)) {
702
+ return condition.or.some(evaluateCondition);
703
+ }
704
+ if (isAndCondition(condition)) {
705
+ return condition.and.every(evaluateCondition);
706
+ }
707
+ if (isImplicitAndCondition(condition)) {
708
+ return condition.every(evaluateCondition);
709
+ }
710
+ return false;
711
+ };
712
+ const isVerified = evaluateCondition(accessRequests);
725
713
  return {
726
- isVerified: anyGroupSatisfied
714
+ isVerified
727
715
  };
728
716
  }
729
717
  );
730
718
  }
719
+ verifySingleScope(request, allScopes, jwt) {
720
+ const placeholders = parseScopeTemplate(request.scope);
721
+ return allScopes.some((userScope) => {
722
+ const scopesMatch = userScope.scope === request.scope;
723
+ let resourceMatches = false;
724
+ if (placeholders.length > 0) {
725
+ if (!request.resourcePath) {
726
+ throw createInternalError(null, {
727
+ message: `Resource path is required when scope '${request.scope}' contains placeholders`,
728
+ status: 400,
729
+ code: "RESOURCE_PATH_REQUIRED"
730
+ });
731
+ }
732
+ const extractedResources = extractResourcesFromPath(
733
+ request.scope,
734
+ request.resourcePath
735
+ );
736
+ const allPlaceholdersMatch = placeholders.every((placeholder) => {
737
+ const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
738
+ const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
739
+ const expectedValue = getValueByKey(
740
+ placeholder.type,
741
+ placeholder.path,
742
+ jwtParam
743
+ );
744
+ if (expectedValue === void 0) {
745
+ return false;
746
+ }
747
+ return String(extractedValue) === String(expectedValue);
748
+ });
749
+ const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
750
+ resourceMatches = allPlaceholdersMatch && resourceIdMatches;
751
+ } else {
752
+ resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
753
+ }
754
+ return scopesMatch && resourceMatches;
755
+ });
756
+ }
731
757
  async deleteRole(input) {
732
758
  return this.handleAction(
733
759
  { data: input, schema: deleteRoleInputSchema },
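Review bot: The early return `if (allScopeObjects.length === 0)` now reports `isVerified: true` for any condition tree that contains no scope leaf, not only for an empty request list. `{ or: [] }` flattens to zero scope objects and is allowed here, although `evaluateCondition` would reject it because `some` over an empty array is false; a caller that builds its alternatives dynamically and ends up with none is granted access. Narrowing the shortcut to the legacy case, `if (Array.isArray(accessRequests) && accessRequests.length === 0) {`, sends every other shape through `evaluateCondition`, and a comment saying why an empty request is allowed at all would help the next reader. Empty `and` groups and nested empty arrays would still pass by vacuous truth, so rejecting empty arrays in the input schema is the more complete fix. The enclosing `verifyAccess` handler starts before this hunk, and `collectScopes` is defined in the previous one.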
@@ -812,6 +838,7 @@ const organizationScopedKeys = (scopes) => {
812
838
  return out;
813
839
  };
814
840
  const TEST_SCOPES = [
841
+ "test.admin",
815
842
  "test.read",
816
843
  "test.edit",
817
844
  "test.delete",
@@ -1012,6 +1039,7 @@ const LABELED_SCOPES = [
1012
1039
  { label: "Smazat logy rol\xED", value: "roles.logs.delete" },
1013
1040
  { label: "Zobrazit u\u017Eivatele p\u0159i\u0159azen\xE9 k rol\xEDm", value: "roles.users.read" },
1014
1041
  // Test scopes
1042
+ { label: "Test: Admin", value: "test.admin" },
1015
1043
  { label: "Test: Read", value: "test.read" },
1016
1044
  { label: "Test: Edit", value: "test.edit" },
1017
1045
  { label: "Test: Delete", value: "test.delete" },
@@ -135,19 +135,36 @@ const coercedUserSchema = jwtUserSchema.extend({
135
135
  const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
136
136
  user: coercedUserSchema
137
137
  });
138
+ const scopeObjectSchema = z.object({
139
+ scope: z.string(),
140
+ resourceId: z.string().optional(),
141
+ resourcePath: z.string().optional()
142
+ });
143
+ const scopeConditionSchema = z.lazy(
144
+ () => z.union([
145
+ scopeObjectSchema,
146
+ z.object({ or: z.array(scopeConditionSchema) }),
147
+ z.object({ and: z.array(scopeConditionSchema) }),
148
+ z.array(scopeConditionSchema)
149
+ ])
150
+ );
138
151
  const verifyAccessInputSchema = z.object({
139
152
  userId: z.uuid(),
140
- accessRequests: z.array(
141
- z.array(
142
- z.object({
143
- scope: z.string(),
144
- resourceId: z.string().optional(),
145
- resourcePath: z.string().optional()
146
- })
147
- )
148
- ),
153
+ accessRequests: scopeConditionSchema,
149
154
  jwt: coercedJwtPayloadSchema.optional()
150
155
  });
156
+ function isScopeObject(condition) {
157
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
158
+ }
159
+ function isOrCondition(condition) {
160
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
161
+ }
162
+ function isAndCondition(condition) {
163
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
164
+ }
165
+ function isImplicitAndCondition(condition) {
166
+ return Array.isArray(condition);
167
+ }
151
168
 
152
169
  const verifyScopeInputSchema = z.object({
153
170
  scopes: z.array(z.string()),
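Review bot: `scopeConditionSchema` accepts objects that mix keys, because the `z.object` members of the union strip unknown keys and the union takes the first member that parses. An input such as `{ scope: "x", and: [...] }` is parsed as the plain scope object and its `and` list is dropped, and `{ or: [...], and: [...] }` keeps only `or`, so the check that runs can be weaker than what the caller wrote; `isScopeObject` already treats these keys as mutually exclusive. Making the object members strict inside the union, e.g. `scopeObjectSchema.strict()` and `z.object({ or: z.array(scopeConditionSchema) }).strict()`, turns such input into a validation error. The schema also sets no limit on nesting depth or array length, and `verifyAccess` walks the tree recursively twice, so a bound is worth considering if `accessRequests` can come from a caller that is not fully trusted.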
@@ -163,4 +180,4 @@ const verifyScopeOutputSchema = z.object({
163
180
  isVerified: z.boolean().default(false)
164
181
  });
165
182
 
166
- export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, verifyScopeInputSchema as k, verifyScopeOutputSchema as l, revokeRoleFromUserInputSchema as r, updateRoleInputSchema as u, verifyAccessInputSchema as v };
183
+ export { assignRoleToUserInputSchema as a, assignRolesToUserInputSchema as b, createRoleInputSchema as c, deleteRoleInputSchema as d, grantScopeToRoleInputSchema as e, grantScopeToUserInputSchema as f, getUserPermissionsInputSchema as g, grantScopesToUserInputSchema as h, revokeScopeFromRoleInputSchema as i, revokeScopeFromUserInputSchema as j, scopeConditionSchema as k, isScopeObject as l, isOrCondition as m, isAndCondition as n, isImplicitAndCondition as o, verifyScopeInputSchema as p, verifyScopeOutputSchema as q, revokeRoleFromUserInputSchema as r, scopeObjectSchema as s, updateRoleInputSchema as u, verifyAccessInputSchema as v };
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
@@ -188,13 +188,21 @@ interface UpdateRoleInput extends z.infer<typeof updateRoleInputSchema> {
188
188
  interface UpdateRoleOutput {
189
189
  }
190
190
 
191
+ declare const scopeObjectSchema: z.ZodObject<{
192
+ scope: z.ZodString;
193
+ resourceId: z.ZodOptional<z.ZodString>;
194
+ resourcePath: z.ZodOptional<z.ZodString>;
195
+ }, z.core.$strip>;
196
+ type ScopeObject = z.infer<typeof scopeObjectSchema>;
197
+ type ScopeCondition = ScopeObject | {
198
+ or: ScopeCondition[];
199
+ } | {
200
+ and: ScopeCondition[];
201
+ } | ScopeCondition[];
202
+ declare const scopeConditionSchema: z.ZodType<ScopeCondition>;
191
203
  declare const verifyAccessInputSchema: z.ZodObject<{
192
204
  userId: z.ZodUUID;
193
- accessRequests: z.ZodArray<z.ZodArray<z.ZodObject<{
194
- scope: z.ZodString;
195
- resourceId: z.ZodOptional<z.ZodString>;
196
- resourcePath: z.ZodOptional<z.ZodString>;
197
- }, z.core.$strip>>>;
205
+ accessRequests: z.ZodType<ScopeCondition, unknown, z.core.$ZodTypeInternals<ScopeCondition, unknown>>;
198
206
  jwt: z.ZodOptional<z.ZodObject<{
199
207
  sub: z.ZodString;
200
208
  iat: z.ZodNumber;
@@ -233,6 +241,14 @@ interface VerifyAccessInput extends z.infer<typeof verifyAccessInputSchema> {
233
241
  interface VerifyAccessOutput {
234
242
  isVerified: boolean;
235
243
  }
244
+ declare function isScopeObject(condition: ScopeCondition): condition is ScopeObject;
245
+ declare function isOrCondition(condition: ScopeCondition): condition is {
246
+ or: ScopeCondition[];
247
+ };
248
+ declare function isAndCondition(condition: ScopeCondition): condition is {
249
+ and: ScopeCondition[];
250
+ };
251
+ declare function isImplicitAndCondition(condition: ScopeCondition): condition is ScopeCondition[];
236
252
 
237
- export { assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, verifyAccessInputSchema as Y, tables as t };
238
- export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
253
+ export { scopeConditionSchema as $, assignRoleToUserInputSchema as H, assignRolesToUserInputSchema as I, createRoleInputSchema as J, deleteRoleInputSchema as K, getUserPermissionsInputSchema as M, grantScopeToRoleInputSchema as N, grantScopeToUserInputSchema as O, grantScopesToUserInputSchema as P, revokeRoleFromUserInputSchema as Q, revokeScopeFromRoleInputSchema as T, revokeScopeFromUserInputSchema as W, updateRoleInputSchema as X, scopeObjectSchema as Y, verifyAccessInputSchema as a0, isScopeObject as a1, isOrCondition as a2, isAndCondition as a3, isImplicitAndCondition as a4, tables as t };
254
+ export type { AssignRoleToUserInput as A, UserRoleInsertType as B, CreateRoleInput as C, DeleteRoleInput as D, UserScopeSelectType as E, UserScopeInsertType as F, GrantScopeToUserInput as G, LabeledScope as L, RevokeRoleFromUserInput as R, Scope as S, UpdateRoleInput as U, VerifyAccessInput as V, ScopeObject as Z, ScopeCondition as _, CreateRoleOutput as a, AssignRoleToUserOutput as b, AssignRolesToUserInput as c, AssignRolesToUserOutput as d, RevokeRoleFromUserOutput as e, GrantScopeToUserOutput as f, GrantScopesToUserInput as g, GrantScopesToUserOutput as h, RevokeScopeFromUserInput as i, RevokeScopeFromUserOutput as j, GrantScopeToRoleInput as k, GrantScopeToRoleOutput as l, RevokeScopeFromRoleInput as m, RevokeScopeFromRoleOutput as n, GetPermissionsOutput as o, GetUserPermissionsInput as p, GetUserPermissionsOutput as q, VerifyAccessOutput as r, DeleteRoleOutput as s, UpdateRoleOutput as u, RoleScopeSelectType as v, RoleScopeInsertType as w, RoleSelectType as x, RoleInsertType as y, UserRoleSelectType as z };
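Review bot: The `ScopeCondition` declaration in the first hunk of this file lists a bare `ScopeCondition[]` and `{ and: ScopeCondition[] }` as separate union members without saying how they relate; only the name `isImplicitAndCondition` hints that a bare array is an AND. A doc comment on the type in the source, such as `/** A single scope, an explicit { or } or { and } group, or a bare array, which is treated as an implicit AND. */`, would make that contract visible to callers who build these structures. The four `is*` guards are declared to take a `ScopeCondition`, so they are presumably meant for values already parsed by `scopeConditionSchema`; their comments should say so, so that nobody applies them to raw request data.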
@@ -137,19 +137,36 @@ const coercedUserSchema = jwtUserSchema.extend({
137
137
  const coercedJwtPayloadSchema = jwtPayloadSchema.extend({
138
138
  user: coercedUserSchema
139
139
  });
140
+ const scopeObjectSchema = zod.z.object({
141
+ scope: zod.z.string(),
142
+ resourceId: zod.z.string().optional(),
143
+ resourcePath: zod.z.string().optional()
144
+ });
145
+ const scopeConditionSchema = zod.z.lazy(
146
+ () => zod.z.union([
147
+ scopeObjectSchema,
148
+ zod.z.object({ or: zod.z.array(scopeConditionSchema) }),
149
+ zod.z.object({ and: zod.z.array(scopeConditionSchema) }),
150
+ zod.z.array(scopeConditionSchema)
151
+ ])
152
+ );
140
153
  const verifyAccessInputSchema = zod.z.object({
141
154
  userId: zod.z.uuid(),
142
- accessRequests: zod.z.array(
143
- zod.z.array(
144
- zod.z.object({
145
- scope: zod.z.string(),
146
- resourceId: zod.z.string().optional(),
147
- resourcePath: zod.z.string().optional()
148
- })
149
- )
150
- ),
155
+ accessRequests: scopeConditionSchema,
151
156
  jwt: coercedJwtPayloadSchema.optional()
152
157
  });
158
+ function isScopeObject(condition) {
159
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "scope" in condition && !("or" in condition) && !("and" in condition);
160
+ }
161
+ function isOrCondition(condition) {
162
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "or" in condition;
163
+ }
164
+ function isAndCondition(condition) {
165
+ return typeof condition === "object" && condition !== null && !Array.isArray(condition) && "and" in condition;
166
+ }
167
+ function isImplicitAndCondition(condition) {
168
+ return Array.isArray(condition);
169
+ }
153
170
 
154
171
  const verifyScopeInputSchema = zod.z.object({
155
172
  scopes: zod.z.array(zod.z.string()),
@@ -173,9 +190,15 @@ exports.getUserPermissionsInputSchema = getUserPermissionsInputSchema;
173
190
  exports.grantScopeToRoleInputSchema = grantScopeToRoleInputSchema;
174
191
  exports.grantScopeToUserInputSchema = grantScopeToUserInputSchema;
175
192
  exports.grantScopesToUserInputSchema = grantScopesToUserInputSchema;
193
+ exports.isAndCondition = isAndCondition;
194
+ exports.isImplicitAndCondition = isImplicitAndCondition;
195
+ exports.isOrCondition = isOrCondition;
196
+ exports.isScopeObject = isScopeObject;
176
197
  exports.revokeRoleFromUserInputSchema = revokeRoleFromUserInputSchema;
177
198
  exports.revokeScopeFromRoleInputSchema = revokeScopeFromRoleInputSchema;
178
199
  exports.revokeScopeFromUserInputSchema = revokeScopeFromUserInputSchema;
200
+ exports.scopeConditionSchema = scopeConditionSchema;
201
+ exports.scopeObjectSchema = scopeObjectSchema;
179
202
  exports.updateRoleInputSchema = updateRoleInputSchema;
180
203
  exports.verifyAccessInputSchema = verifyAccessInputSchema;
181
204
  exports.verifyScopeInputSchema = verifyScopeInputSchema;
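Review bot: `scopeConditionSchema` in the first hunk of this file puts no bound on its three `zod.z.array(scopeConditionSchema)` branches, so `accessRequests` may be `[]`, `{ and: [] }`, or nested arbitrarily deep through `zod.z.lazy`. The code that evaluates the condition is not in this hunk; if it reduces `and` groups and bare arrays with an `every`-style check, an empty list would verify without any scope being checked, so that case deserves an explicit test. I would require at least one member and cap the size, e.g. `zod.z.array(scopeConditionSchema).min(1).max(MAX_CONDITIONS)` (`MAX_CONDITIONS` is a placeholder constant), and reject input beyond a fixed nesting depth before the recursive walk in `verifyAccess` runs.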
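--- a/package/dist/types.cjs
+++ b/package/dist/types.cjs
@@ -1,6 +1,6 @@
  'use strict';
 
- const verifyScope = require('./shared/rbac.BZDCYlSt.cjs');
+ const verifyScope = require('./shared/rbac.JCf4hSCf.cjs');
  require('zod');
 
 
@@ -13,9 +13,15 @@ exports.getUserPermissionsInputSchema = verifyScope.getUserPermissionsInputSchem
  exports.grantScopeToRoleInputSchema = verifyScope.grantScopeToRoleInputSchema;
  exports.grantScopeToUserInputSchema = verifyScope.grantScopeToUserInputSchema;
  exports.grantScopesToUserInputSchema = verifyScope.grantScopesToUserInputSchema;
+ exports.isAndCondition = verifyScope.isAndCondition;
+ exports.isImplicitAndCondition = verifyScope.isImplicitAndCondition;
+ exports.isOrCondition = verifyScope.isOrCondition;
+ exports.isScopeObject = verifyScope.isScopeObject;
  exports.revokeRoleFromUserInputSchema = verifyScope.revokeRoleFromUserInputSchema;
  exports.revokeScopeFromRoleInputSchema = verifyScope.revokeScopeFromRoleInputSchema;
  exports.revokeScopeFromUserInputSchema = verifyScope.revokeScopeFromUserInputSchema;
+ exports.scopeConditionSchema = verifyScope.scopeConditionSchema;
+ exports.scopeObjectSchema = verifyScope.scopeObjectSchema;
  exports.updateRoleInputSchema = verifyScope.updateRoleInputSchema;
  exports.verifyAccessInputSchema = verifyScope.verifyAccessInputSchema;
  exports.verifyScopeInputSchema = verifyScope.verifyScopeInputSchema;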
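--- a/package/dist/types.d.cts
+++ b/package/dist/types.d.cts
@@ -1,4 +1,4 @@
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.B4wUvd3l.cjs';
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.DBpIRbd3.cjs';
  import { z } from 'zod';
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.cjs';
  import 'drizzle-orm';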
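--- a/package/dist/types.d.mts
+++ b/package/dist/types.d.mts
@@ -1,4 +1,4 @@
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.DbnJpvqK.mjs';
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.CG3CtEwh.mjs';
  import { z } from 'zod';
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.mjs';
  import 'drizzle-orm';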
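--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -1,4 +1,4 @@
- export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, X as updateRoleInputSchema, Y as verifyAccessInputSchema } from './shared/rbac.DrhiDe1P.js';
+ export { A as AssignRoleToUserInput, b as AssignRoleToUserOutput, c as AssignRolesToUserInput, d as AssignRolesToUserOutput, C as CreateRoleInput, a as CreateRoleOutput, D as DeleteRoleInput, s as DeleteRoleOutput, o as GetPermissionsOutput, p as GetUserPermissionsInput, q as GetUserPermissionsOutput, k as GrantScopeToRoleInput, l as GrantScopeToRoleOutput, G as GrantScopeToUserInput, f as GrantScopeToUserOutput, g as GrantScopesToUserInput, h as GrantScopesToUserOutput, L as LabeledScope, R as RevokeRoleFromUserInput, e as RevokeRoleFromUserOutput, m as RevokeScopeFromRoleInput, n as RevokeScopeFromRoleOutput, i as RevokeScopeFromUserInput, j as RevokeScopeFromUserOutput, y as RoleInsertType, w as RoleScopeInsertType, v as RoleScopeSelectType, x as RoleSelectType, S as Scope, _ as ScopeCondition, Z as ScopeObject, U as UpdateRoleInput, u as UpdateRoleOutput, B as UserRoleInsertType, z as UserRoleSelectType, F as UserScopeInsertType, E as UserScopeSelectType, V as VerifyAccessInput, r as VerifyAccessOutput, H as assignRoleToUserInputSchema, I as assignRolesToUserInputSchema, J as createRoleInputSchema, K as deleteRoleInputSchema, M as getUserPermissionsInputSchema, N as grantScopeToRoleInputSchema, O as grantScopeToUserInputSchema, P as grantScopesToUserInputSchema, a3 as isAndCondition, a4 as isImplicitAndCondition, a2 as isOrCondition, a1 as isScopeObject, Q as revokeRoleFromUserInputSchema, T as revokeScopeFromRoleInputSchema, W as revokeScopeFromUserInputSchema, $ as scopeConditionSchema, Y as scopeObjectSchema, X as updateRoleInputSchema, a0 as verifyAccessInputSchema } from './shared/rbac.BrefTsLW.js';
  import { z } from 'zod';
  export { b as RbacServiceEnv, a as RbacServiceEnvironmentConfig, R as RbacServiceWranglerConfig } from './shared/rbac.ClMKyW8J.js';
  import 'drizzle-orm';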
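--- a/package/dist/types.mjs
+++ b/package/dist/types.mjs
@@ -1,2 +1,2 @@
- export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, k as verifyScopeInputSchema, l as verifyScopeOutputSchema } from './shared/rbac.ihzxYB9Z.mjs';
+ export { a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, c as createRoleInputSchema, d as deleteRoleInputSchema, g as getUserPermissionsInputSchema, e as grantScopeToRoleInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, n as isAndCondition, o as isImplicitAndCondition, m as isOrCondition, l as isScopeObject, r as revokeRoleFromUserInputSchema, i as revokeScopeFromRoleInputSchema, j as revokeScopeFromUserInputSchema, k as scopeConditionSchema, s as scopeObjectSchema, u as updateRoleInputSchema, v as verifyAccessInputSchema, p as verifyScopeInputSchema, q as verifyScopeOutputSchema } from './shared/rbac.2_i8g_mW.mjs';
  import 'zod';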
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@develit-services/rbac",
3
- "version": "0.3.0",
3
+ "version": "0.4.0",
4
4
  "author": "Develit.io s.r.o.",
5
5
  "type": "module",
6
6
  "exports": {