@dudousxd/nestjs-authz 0.2.0 → 0.3.0
- package/CHANGELOG.md +70 -0
- package/dist/can-endpoint.controller.d.ts +35 -0
- package/dist/can-endpoint.controller.d.ts.map +1 -0
- package/dist/can-endpoint.controller.js +68 -0
- package/dist/can-endpoint.controller.js.map +1 -0
- package/dist/decorator/roles.decorator.d.ts +15 -0
- package/dist/decorator/roles.decorator.d.ts.map +1 -0
- package/dist/decorator/roles.decorator.js +19 -0
- package/dist/decorator/roles.decorator.js.map +1 -0
- package/dist/diagnostics.d.ts +42 -0
- package/dist/diagnostics.d.ts.map +1 -0
- package/dist/diagnostics.js +68 -0
- package/dist/diagnostics.js.map +1 -0
- package/dist/gate.d.ts +42 -1
- package/dist/gate.d.ts.map +1 -1
- package/dist/gate.js +116 -12
- package/dist/gate.js.map +1 -1
- package/dist/guard/roles.guard.d.ts +21 -0
- package/dist/guard/roles.guard.d.ts.map +1 -0
- package/dist/guard/roles.guard.js +50 -0
- package/dist/guard/roles.guard.js.map +1 -0
- package/dist/index.d.ts +9 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -1
- package/dist/index.js.map +1 -1
- package/dist/module.d.ts +5 -0
- package/dist/module.d.ts.map +1 -1
- package/dist/module.js +27 -1
- package/dist/module.js.map +1 -1
- package/dist/permission-provider.d.ts +2 -0
- package/dist/permission-provider.d.ts.map +1 -1
- package/dist/policy-registry.d.ts +21 -0
- package/dist/policy-registry.d.ts.map +1 -1
- package/dist/policy-registry.js +42 -0
- package/dist/policy-registry.js.map +1 -1
- package/dist/role-provider.d.ts +40 -0
- package/dist/role-provider.d.ts.map +1 -0
- package/dist/role-provider.js +32 -0
- package/dist/role-provider.js.map +1 -0
- package/dist/tokens.d.ts +14 -0
- package/dist/tokens.d.ts.map +1 -1
- package/dist/tokens.js +14 -0
- package/dist/tokens.js.map +1 -1
- package/dist/types.d.ts +33 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
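--- a/package/dist/gate.js
+++ b/package/dist/gate.js
@@ -12,9 +12,11 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 };
 import { ForbiddenException, Inject, Injectable, Optional } from '@nestjs/common';
 import { ModuleRef } from '@nestjs/core';
+import { publishAuthzDecision } from './diagnostics.js';
 import { AbilityNotResolvedException, AmbiguousAbilityException } from './errors/exceptions.js';
 import { PolicyRegistry } from './policy-registry.js';
-import {
+import { defaultRoleResolver } from './role-provider.js';
+import { AUTHZ_MODULE_OPTIONS, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, } from './tokens.js';
 // A sentinel marking "no user resolved" distinct from a legitimately-`undefined`
 // user. `forUser(undefined)` explicitly authorizes an anonymous user.
 const NO_USER = Symbol('authz:no-user');
@@ -34,16 +36,20 @@ let Gate = class Gate {
 context;
 moduleRef;
 permissionProvider;
+roleProvider;
 gates = new Map();
 superAdmin;
 resolveUser;
-
+roleResolver;
+constructor(policies, options, context, moduleRef, permissionProvider, roleProvider) {
 this.policies = policies;
 this.context = context;
 this.moduleRef = moduleRef;
 this.permissionProvider = permissionProvider;
+this.roleProvider = roleProvider;
 this.superAdmin = options?.superAdmin;
 this.resolveUser = options?.resolveUser;
+this.roleResolver = options?.resolveRoles ?? defaultRoleResolver;
 }
 /**
 * Locate the context accessor. Prefers the value injected into this module;
@@ -79,6 +85,23 @@ let Gate = class Gate {
 return undefined;
 }
 }
+/**
+* Locate the optional {@link RoleProvider} (the coarse role seam). Prefers the value
+* injected into this module; falls back to a non-strict {@link ModuleRef} lookup so a
+* provider registered by ANY module (e.g. the RBAC adapter's global module) is found.
+*/
+resolveRoleProvider() {
+if (this.roleProvider)
+return this.roleProvider;
+if (!this.moduleRef)
+return undefined;
+try {
+return this.moduleRef.get(ROLE_PROVIDER, { strict: false });
+}
+catch {
+return undefined;
+}
+}
 /** Register an ad-hoc, model-less gate resolved by `ability` name. */
 define(ability, fn) {
 this.gates.set(ability, fn);
@@ -88,6 +111,14 @@ let Gate = class Gate {
 hasGate(ability) {
 return this.gates.has(ability);
 }
+/**
+* Names of every ad-hoc gate registered via {@link define}. Used by integrations
+* (e.g. `@dudousxd/nestjs-authz-inertia`) that enumerate the user's class-level
+* abilities to share them as Inertia props — no network round-trip needed.
+*/
+gateNames() {
+return [...this.gates.keys()];
+}
 /**
 * Bind an explicit user, bypassing the context accessor. Use when no
 * nestjs-context is wired, or to check a user other than the current one.
@@ -131,19 +162,81 @@ let Gate = class Gate {
 throw new ForbiddenException(`Unauthorized: ${ability}`);
 }
 }
+// --- coarse role checks (operate on the current/context user) ---
+/** True when the current user holds `role`. */
+async hasRole(role) {
+return this.checkRoles(await this.currentUser(), [role]);
+}
+/** True when the current user holds ANY of `roles`. */
+async hasAnyRole(roles) {
+return this.checkRoles(await this.currentUser(), roles);
+}
 // --- internal: used by BoundGate too ---
 /** @internal */
 allowsForUser(user, ability, resource) {
 return this.check(user, ability, resource);
 }
+/** @internal */
+hasAnyRoleForUser(user, roles) {
+return this.checkRoles(user, roles);
+}
+/**
+* Resolve the user's effective roles and test membership against `roles`. Returns
+* `false` for an anonymous (NO_USER) caller and whenever no source yields a role
+* (deny-by-default). Roles come from the UNION of the default/overridden
+* {@link RoleResolver} (reads the user object) and the optional {@link RoleProvider}
+* seam (a persisted store) — so an app needs neither to opt in.
+*/
+async checkRoles(maybeUser, roles) {
+if (maybeUser === NO_USER || roles.length === 0)
+return false;
+const userRoles = await this.rolesOf(maybeUser);
+if (userRoles.size === 0)
+return false;
+return roles.some((r) => userRoles.has(r));
+}
+/** The current user's effective role names (resolver ∪ provider). */
+async rolesOf(user) {
+const out = new Set();
+const fromResolver = await this.roleResolver(user);
+if (Array.isArray(fromResolver)) {
+for (const r of fromResolver)
+if (typeof r === 'string')
+out.add(r);
+}
+const provider = this.resolveRoleProvider();
+if (provider) {
+const fromProvider = await provider.getRoles(user);
+if (Array.isArray(fromProvider)) {
+for (const r of fromProvider)
+if (typeof r === 'string')
+out.add(r);
+}
+}
+return out;
+}
 async check(maybeUser, ability, resource) {
+const { allowed, reason } = await this.resolve(maybeUser, ability, resource);
+// Emit the decision for observers (e.g. the telescope authorization watcher).
+// Loosely coupled via a diagnostics channel — zero-overhead when no subscriber,
+// and a publish failure can never affect the verdict. Only reached decisions are
+// emitted; an unresolved/ambiguous ability throws above and is intentionally silent.
+publishAuthzDecision(ability, allowed, reason, maybeUser === NO_USER ? undefined : maybeUser, resource);
+return allowed;
+}
+/**
+* Resolve an ability to a verdict plus the path that decided it. Throws
+* {@link AbilityNotResolvedException}/{@link AmbiguousAbilityException} when no
+* decision can be reached (those paths emit no decision).
+*/
+async resolve(maybeUser, ability, resource) {
 const user = maybeUser === NO_USER ? undefined : maybeUser;
 // Global super-admin hook first.
 const sa = await this.superAdmin?.(user, ability);
 if (sa === true)
-return true;
+return { allowed: true, reason: 'super-admin' };
 if (sa === false)
-return false;
+return { allowed: false, reason: 'super-admin' };
 // RBAC seam (Laravel/spatie `Gate::before` grant): if a PermissionProvider is
 // registered and the (authenticated) user holds the named permission, grant it.
 // Grant-only — a `false`/`undefined` result falls through to normal resolution,
@@ -153,7 +246,7 @@ let Gate = class Gate {
 if (provider) {
 const granted = await provider.hasPermission(user, ability, resource);
 if (granted === true)
-return true;
+return { allowed: true, reason: 'permission-provider' };
 }
 }
 const policy = this.resolvePolicy(ability, resource);
@@ -168,22 +261,23 @@ let Gate = class Gate {
 if (typeof before === 'function') {
 const result = await before.call(policy, user, ability);
 if (result === true)
-return true;
+return { allowed: true, reason: 'policy-before' };
 if (result === false)
-return false;
+return { allowed: false, reason: 'policy-before' };
 }
 // Anonymous users are denied unless a hook granted access above.
 if (maybeUser === NO_USER)
-return false;
-
+return { allowed: false, reason: 'anonymous' };
+const allowed = Boolean(await method.call(policy, user, resource));
+return { allowed, reason: 'policy' };
 }
 }
 // Fall back to an ad-hoc gate.
 const gate = this.gates.get(ability);
 if (gate) {
 if (maybeUser === NO_USER)
-return false;
-return Boolean(await gate(user, resource));
+return { allowed: false, reason: 'anonymous' };
+return { allowed: Boolean(await gate(user, resource)), reason: 'gate' };
 }
 throw new AbilityNotResolvedException(ability);
 }
@@ -219,7 +313,9 @@ Gate = __decorate([
 __param(3, Optional()),
 __param(4, Optional()),
 __param(4, Inject(PERMISSION_PROVIDER)),
-
+__param(5, Optional()),
+__param(5, Inject(ROLE_PROVIDER)),
+__metadata("design:paramtypes", [PolicyRegistry, Object, Object, ModuleRef, Object, Object])
 ], Gate);
 export { Gate };
 /**
@@ -243,5 +339,13 @@ export class BoundGate {
 throw new ForbiddenException(`Unauthorized: ${ability}`);
 }
 }
+/** True when the bound user holds `role`. */
+hasRole(role) {
+return this.gate.hasAnyRoleForUser(this.user, [role]);
+}
+/** True when the bound user holds ANY of `roles`. */
+hasAnyRole(roles) {
+return this.gate.hasAnyRoleForUser(this.user, roles);
+}
 }
 //# sourceMappingURL=gate.js.map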
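Review bot: In the `@@ -131,19 +162,81 @@` hunk, role verdicts never reach the decision channel: `check` calls `publishAuthzDecision` for every reached ability decision, but `checkRoles` returns without publishing, so `hasRole`/`hasAnyRole` outcomes are invisible to any observer that treats the channel as the authorization audit feed. Either publish role verdicts too or say so next to `checkRoles`, e.g. `// Role checks are not published to the authz decision channel; only ability checks are.` The comment above the publish call also promises that a publish failure can never affect the verdict, but the call is unguarded inside `check`, so that holds only if `publishAuthzDecision` in `./diagnostics.js` (not shown on this page) never throws; wrapping it as `try { publishAuthzDecision(...); } catch { /* observers must not change the verdict */ }` would make the guarantee local. The call passes the whole user and resource objects to subscribers, which is worth documenting so that observers redact credentials or personal data before storing a decision.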
package/dist/gate.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gate.js","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEhG,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,oBAAoB,
|
|
1
|
+
{"version":3,"file":"gate.js","sourceRoot":"","sources":["../src/gate.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAA4B,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAClF,OAAO,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAEhG,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAwC,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC/F,OAAO,EACL,oBAAoB,EACpB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AAWrB,iFAAiF;AACjF,sEAAsE;AACtE,MAAM,OAAO,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;AAGxC;;;;;;;;;;GAUG;AAEI,IAAM,IAAI,GAAV,MAAM,IAAI;IAOI;IAMA;IAEA;IAGA;IAGA;IApBF,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAClC,UAAU,CAA6B;IACvC,WAAW,CAAoC;IAC/C,YAAY,CAAe;IAE5C,YACmB,QAAwB,EAGzC,OAAuC,EAGtB,OAAyB,EAEzB,SAAqB,EAGrB,kBAAuC,EAGvC,YAA2B;QAd3B,aAAQ,GAAR,QAAQ,CAAgB;QAMxB,YAAO,GAAP,OAAO,CAAkB;QAEzB,cAAS,GAAT,SAAS,CAAY;QAGrB,uBAAkB,GAAlB,kBAAkB,CAAqB;QAGvC,iBAAY,GAAZ,YAAY,CAAe;QAE5C,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,CAAC;QACtC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACxC,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,mBAAmB,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACK,cAAc;QACpB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAkB,gBAAgB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,yBAAyB;QAC/B,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO,IAAI,CAAC,kBAAkB,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAqB,mBAAmB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,mBAAmB;QACzB,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,SAAS,CAAC;QACtC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAe,aAAa,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QAC
nB,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,MAAM,CAAC,OAAe,EAAE,EAAU;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4DAA4D;IAC5D,OAAO,CAAC,OAAe;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IAED;;;;;;;;;OASG;IACH,OAAO,CAAC,IAAU;QAChB,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAC5D,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,WAAW;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QAC9B,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC;QACtC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAc,CAAC,CAAC;YACxD,OAAO,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC/C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,4DAA4D;IAE5D,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,mEAAmE;IAEnE,+CAA+C;IAC/C,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,UAAU,CAAC,KAAe;QAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,0CAA0C;IAE1C,gBAAgB;IAChB,aAAa,CAAC,IAAe,EAAE,OAAe,EAAE,QAAmB;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,gBAAgB;IAChB,iBAAiB,CAAC,IAAe,EAAE,KAAe;QAChD,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,UAAU,CAAC,SAAoB,EAAE,KAAe;QAC5D,IAAI
,SAAS,KAAK,OAAO,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,qEAAqE;IAC7D,KAAK,CAAC,OAAO,CAAC,IAAU;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;QAC9B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,KAAK,MAAM,CAAC,IAAI,YAAY;gBAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC5C,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnD,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;gBAChC,KAAK,MAAM,CAAC,IAAI,YAAY;oBAAE,IAAI,OAAO,CAAC,KAAK,QAAQ;wBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,KAAK,CAAC,KAAK,CACjB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC7E,8EAA8E;QAC9E,gFAAgF;QAChF,iFAAiF;QACjF,qFAAqF;QACrF,oBAAoB,CAClB,OAAO,EACP,OAAO,EACP,MAAM,EACN,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,EAC7C,QAAQ,CACT,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,OAAO,CACnB,SAAoB,EACpB,OAAe,EACf,QAAmB;QAEnB,MAAM,IAAI,GAAS,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;QAEjE,iCAAiC;QACjC,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QACjE,IAAI,EAAE,KAAK,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAEnE,8EAA8E;QAC9E,gFAAgF;QAChF,gFAAgF;QAChF,yEAAyE;QACzE,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBACtE,IAAI,OAAO,KAAK,IAAI;oBAAE,OAAO,EAAE,OAA
O,EAAE,IAAI,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAChF,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,GAAI,MAAkC,CAAC,OAAO,CAAC,CAAC;YAC5D,2EAA2E;YAC3E,uEAAuE;YACvE,yEAAyE;YACzE,4DAA4D;YAC5D,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,MAAM,MAAM,GAAI,MAAyB,CAAC,MAAsC,CAAC;gBACjF,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;oBACxD,IAAI,MAAM,KAAK,IAAI;wBAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;oBACvE,IAAI,MAAM,KAAK,KAAK;wBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;gBAC3E,CAAC;gBACD,iEAAiE;gBACjE,IAAI,SAAS,KAAK,OAAO;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;gBAC1E,MAAM,OAAO,GAAG,OAAO,CACrB,MAAO,MAAuC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAC5E,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,SAAS,KAAK,OAAO;gBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;YAC1E,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAC1E,CAAC;QAED,MAAM,IAAI,2BAA2B,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,QAAmB;QACxD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,yEAAyE;YACzE,uEAAuE;YACvE,0EAA0E;YAC1E,qEAAqE;YACrE,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ;iBAC1B,GAAG,EAAE;iBACL,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAQ,MAAkC,CAAC,OAAO,CAAC,KAAK,UAAU,CAAC,CAAC;YAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,yBAAyB,CACjC,OAAO,EACP,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAoB,CAAC,WAAW,EAAE,IAAI,IAAI,QAAQ,CAAC,CACxE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,qFAAqF;QACrF,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAyB,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,
QAAQ,CAAC,CAAC;IAC7C,CAAC;CACF,CAAA;AA7SY,IAAI;IADhB,UAAU,EAAE;IASR,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;IAE5B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,gBAAgB,CAAC,CAAA;IAExB,WAAA,QAAQ,EAAE,CAAA;IAEV,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAE3B,WAAA,QAAQ,EAAE,CAAA;IACV,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;qCAbK,cAAc,kBAQZ,SAAS;GAf7B,IAAI,CA6ShB;;AAED;;GAEG;AACH,MAAM,OAAO,SAAS;IAED;IACA;IAFnB,YACmB,IAAU,EACV,IAAe;QADf,SAAI,GAAJ,IAAI,CAAM;QACV,SAAI,GAAJ,IAAI,CAAW;IAC/B,CAAC;IAEJ,MAAM,CAAC,OAAe,EAAE,QAAmB;QACzC,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,QAAmB;QAC/C,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAe,EAAE,QAAmB;QAClD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,kBAAkB,CAAC,iBAAiB,OAAO,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,OAAO,CAAC,IAAY;QAClB,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,qDAAqD;IACrD,UAAU,CAAC,KAAe;QACxB,OAAO,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC;CACF"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { type CanActivate, type ExecutionContext } from '@nestjs/common';
|
|
2
|
+
import { Reflector } from '@nestjs/core';
|
|
3
|
+
import { Gate } from '../gate.js';
|
|
4
|
+
/**
|
|
5
|
+
* Enforces `@Roles(...roles)` on routes.
|
|
6
|
+
*
|
|
7
|
+
* - No `@Roles` metadata → allow (the guard is inert on un-annotated routes).
|
|
8
|
+
* - Otherwise allow when the current user holds ANY of the listed roles.
|
|
9
|
+
*
|
|
10
|
+
* The current user is resolved EXACTLY as the {@link Gate} does — from the optional
|
|
11
|
+
* context accessor (nestjs-context) — and an unauthenticated request is denied by
|
|
12
|
+
* default (`gate.hasAnyRole` returns `false` for a NO_USER caller). The verdict is
|
|
13
|
+
* delegated to {@link Gate.hasAnyRole}; a denial throws `ForbiddenException`.
|
|
14
|
+
*/
|
|
15
|
+
export declare class RolesGuard implements CanActivate {
|
|
16
|
+
private readonly reflector;
|
|
17
|
+
private readonly gate;
|
|
18
|
+
constructor(reflector: Reflector, gate: Gate);
|
|
19
|
+
canActivate(ctx: ExecutionContext): Promise<boolean>;
|
|
20
|
+
}
|
|
21
|
+
//# sourceMappingURL=roles.guard.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roles.guard.d.ts","sourceRoot":"","sources":["../../src/guard/roles.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EAGtB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAGlC;;;;;;;;;;GAUG;AACH,qBACa,UAAW,YAAW,WAAW;IAE1C,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,IAAI;IAGvB,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAS3D"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
+
};
|
|
7
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
+
};
|
|
10
|
+
import { ForbiddenException, Injectable, } from '@nestjs/common';
|
|
11
|
+
import { Reflector } from '@nestjs/core';
|
|
12
|
+
import { Gate } from '../gate.js';
|
|
13
|
+
import { ROLES_METADATA } from '../tokens.js';
|
|
14
|
+
/**
|
|
15
|
+
* Enforces `@Roles(...roles)` on routes.
|
|
16
|
+
*
|
|
17
|
+
* - No `@Roles` metadata → allow (the guard is inert on un-annotated routes).
|
|
18
|
+
* - Otherwise allow when the current user holds ANY of the listed roles.
|
|
19
|
+
*
|
|
20
|
+
* The current user is resolved EXACTLY as the {@link Gate} does — from the optional
|
|
21
|
+
* context accessor (nestjs-context) — and an unauthenticated request is denied by
|
|
22
|
+
* default (`gate.hasAnyRole` returns `false` for a NO_USER caller). The verdict is
|
|
23
|
+
* delegated to {@link Gate.hasAnyRole}; a denial throws `ForbiddenException`.
|
|
24
|
+
*/
|
|
25
|
+
let RolesGuard = class RolesGuard {
|
|
26
|
+
reflector;
|
|
27
|
+
gate;
|
|
28
|
+
constructor(reflector, gate) {
|
|
29
|
+
this.reflector = reflector;
|
|
30
|
+
this.gate = gate;
|
|
31
|
+
}
|
|
32
|
+
async canActivate(ctx) {
|
|
33
|
+
const roles = this.reflector.getAllAndOverride(ROLES_METADATA, [
|
|
34
|
+
ctx.getHandler(),
|
|
35
|
+
ctx.getClass(),
|
|
36
|
+
]);
|
|
37
|
+
if (!roles || roles.length === 0)
|
|
38
|
+
return true;
|
|
39
|
+
if (await this.gate.hasAnyRole(roles))
|
|
40
|
+
return true;
|
|
41
|
+
throw new ForbiddenException(`Unauthorized: requires one of [${roles.join(', ')}]`);
|
|
42
|
+
}
|
|
43
|
+
};
|
|
44
|
+
RolesGuard = __decorate([
|
|
45
|
+
Injectable(),
|
|
46
|
+
__metadata("design:paramtypes", [Reflector,
|
|
47
|
+
Gate])
|
|
48
|
+
], RolesGuard);
|
|
49
|
+
export { RolesGuard };
|
|
50
|
+
//# sourceMappingURL=roles.guard.js.map
|
|
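Review bot: `canActivate` treats an empty role list the same as missing metadata: `if (!roles || roles.length === 0) return true;` lets the request through, whereas `Gate.checkRoles` in `gate.js` returns `false` for `roles.length === 0`, so the two layers disagree and the guard is the one that fails open. How `@Roles()` with no arguments stores its metadata is not visible here (the decorator file is not on this page), but if it stores an empty array, a route annotated that way is open to every caller, including unauthenticated ones. Narrowing the early return to `if (!roles) return true;` would send the empty list to `gate.hasAnyRole`, which denies. The `ForbiddenException` message also echoes the required role names to the caller; a fixed message such as `'Unauthorized'` avoids disclosing the role model to clients that were just refused.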
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"roles.guard.js","sourceRoot":"","sources":["../../src/guard/roles.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAGL,kBAAkB,EAClB,UAAU,GACX,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C;;;;;;;;;;GAUG;AAEI,IAAM,UAAU,GAAhB,MAAM,UAAU;IAEF;IACA;IAFnB,YACmB,SAAoB,EACpB,IAAU;QADV,cAAS,GAAT,SAAS,CAAW;QACpB,SAAI,GAAJ,IAAI,CAAM;IAC1B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAuB,cAAc,EAAE;YACnF,GAAG,CAAC,UAAU,EAAE;YAChB,GAAG,CAAC,QAAQ,EAAE;SACf,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,IAAI,kBAAkB,CAAC,kCAAkC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtF,CAAC;CACF,CAAA;AAfY,UAAU;IADtB,UAAU,EAAE;qCAGmB,SAAS;QACd,IAAI;GAHlB,UAAU,CAetB"}
|
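--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,16 +1,24 @@
 export declare const VERSION = "0.0.0";
 export { Gate, BoundGate } from './gate.js';
+export { AUTHZ_DECISION_CHANNEL, authzDecisionChannel, publishAuthzDecision, } from './diagnostics.js';
+export type { AuthzDecisionDiagnostic, AuthzDecisionReason } from './diagnostics.js';
 export { PolicyRegistry } from './policy-registry.js';
 export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
 export { Can } from './decorator/can.decorator.js';
 export type { CanMetadata, CanOptions } from './decorator/can.decorator.js';
+export { Roles } from './decorator/roles.decorator.js';
 export { CanGuard } from './guard/can.guard.js';
+export { RolesGuard } from './guard/roles.guard.js';
 export { AuthzModule } from './module.js';
+export { createCanController, DEFAULT_CAN_ENDPOINT_PATH, } from './can-endpoint.controller.js';
+export type { CanRequestBody, CanResponseBody } from './can-endpoint.controller.js';
 export { IdParamResourceResolver } from './resource-resolver.js';
 export type { ResourceResolver } from './resource-resolver.js';
 export type { ContextAccessor, ContextStore, UserRef } from './context-accessor.js';
 export type { PermissionProvider } from './permission-provider.js';
-export {
+export { defaultRoleResolver } from './role-provider.js';
+export type { RoleProvider, RoleResolver } from './role-provider.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
 export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
 export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, SuperAdminHook, User, } from './types.js';
 //# sourceMappingURL=index.d.ts.map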
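Review bot: `publishAuthzDecision` is exported from the package root here (and in `package/dist/index.js`) next to `AUTHZ_DECISION_CHANNEL` and `authzDecisionChannel`, so any importer can publish entries that a subscriber cannot tell apart from decisions emitted by `Gate.check`. If the channel is meant to feed an audit trail, keeping the publisher internal and exporting only the channel for subscribers would narrow that surface; otherwise the doc comment on the export should state that entries are advisory and unauthenticated. `VERSION` is still `"0.0.0"` on the unchanged first line although the page compares 0.2.0 with 0.3.0, so it cannot be used to identify the installed release at runtime.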
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}
|
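--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,11 +1,16 @@
 export const VERSION = '0.0.0';
 export { Gate, BoundGate } from './gate.js';
+export { AUTHZ_DECISION_CHANNEL, authzDecisionChannel, publishAuthzDecision, } from './diagnostics.js';
 export { PolicyRegistry } from './policy-registry.js';
 export { Policy, getPolicyResource } from './decorator/policy.decorator.js';
 export { Can } from './decorator/can.decorator.js';
+export { Roles } from './decorator/roles.decorator.js';
 export { CanGuard } from './guard/can.guard.js';
+export { RolesGuard } from './guard/roles.guard.js';
 export { AuthzModule } from './module.js';
+export { createCanController, DEFAULT_CAN_ENDPOINT_PATH, } from './can-endpoint.controller.js';
 export { IdParamResourceResolver } from './resource-resolver.js';
-export {
+export { defaultRoleResolver } from './role-provider.js';
+export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
 export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
 //# sourceMappingURL=index.js.map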
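Review bot: `VERSION` on the first line is still the literal `'0.0.0'`, and this hunk leaves it untouched while adding new public exports (`createCanController`, `RolesGuard`, the diagnostics channel). Anything that logs or reports this constant, for example to check whether a deployment carries a given authorization fix, would presumably see the same value for every release. I would have the build stamp the package version into it or drop the export. The change belongs in `../src/index.ts`, not in this compiled file.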
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,wBAAwB,EACxB,YAAY,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}
|
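--- a/package/dist/module.d.ts
+++ b/package/dist/module.d.ts
@@ -15,6 +15,11 @@ export declare class AuthzModule {
 * + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
 */
 private static bootstrapProviders;
+/**
+* Build the opt-in `POST /authz/can` fallback controller (or none). Off by
+* default; `true` mounts at the default path, a string mounts at that path.
+*/
+private static canControllers;
 private static buildAsyncOptionsProvider;
 }
 //# sourceMappingURL=module.d.ts.map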
package/dist/module.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,EAGnB,MAAM,YAAY,CAAC;AAmEpB,qBACa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG,aAAa;IA+B/D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa;IA8BpE;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAIjC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAM7B,OAAO,CAAC,MAAM,CAAC,yBAAyB;CA2BzC"}
|
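--- a/package/dist/module.js
+++ b/package/dist/module.js
@@ -13,9 +13,11 @@ var __param = (this && this.__param) || function (paramIndex, decorator) {
 var AuthzModule_1;
 import { Inject, Injectable, Module, Optional, } from '@nestjs/common';
 import { APP_GUARD, DiscoveryModule, DiscoveryService, ModuleRef } from '@nestjs/core';
+import { DEFAULT_CAN_ENDPOINT_PATH, createCanController } from './can-endpoint.controller.js';
 import { getPolicyResource } from './decorator/policy.decorator.js';
 import { Gate } from './gate.js';
 import { CanGuard } from './guard/can.guard.js';
+import { RolesGuard } from './guard/roles.guard.js';
 import { PolicyRegistry } from './policy-registry.js';
 import { IdParamResourceResolver } from './resource-resolver.js';
 import { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER } from './tokens.js';
@@ -100,6 +102,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
 module: AuthzModule_1,
 global: true,
 imports: [DiscoveryModule],
+controllers: AuthzModule_1.canControllers(options.canEndpoint),
 providers: [
 { provide: AUTHZ_MODULE_OPTIONS, useValue: options },
 ...policyProviders,
@@ -107,6 +110,8 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
 Gate,
 CanGuard,
 { provide: APP_GUARD, useExisting: CanGuard },
+RolesGuard,
+{ provide: APP_GUARD, useExisting: RolesGuard },
 ...AuthzModule_1.resourceResolverProviders(),
 ...AuthzModule_1.bootstrapProviders(),
 ],
@@ -114,6 +119,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
 Gate,
 PolicyRegistry,
 CanGuard,
+RolesGuard,
 AUTHZ_MODULE_OPTIONS,
 RESOURCE_RESOLVER,
 ...(options.policies ?? []),
@@ -127,16 +133,26 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
 module: AuthzModule_1,
 global: true,
 imports: [DiscoveryModule, ...(options.imports ?? [])],
+controllers: AuthzModule_1.canControllers(options.canEndpoint),
 providers: [
 ...asyncProviders,
 PolicyRegistry,
 Gate,
 CanGuard,
 { provide: APP_GUARD, useExisting: CanGuard },
+RolesGuard,
+{ provide: APP_GUARD, useExisting: RolesGuard },
 ...AuthzModule_1.resourceResolverProviders(),
 ...AuthzModule_1.bootstrapProviders(),
 ],
-exports: [
+exports: [
+Gate,
+PolicyRegistry,
+CanGuard,
+RolesGuard,
+AUTHZ_MODULE_OPTIONS,
+RESOURCE_RESOLVER,
+],
 };
 }
 /**
@@ -161,6 +177,16 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
 static bootstrapProviders() {
 return [AuthzPolicyBootstrap];
 }
+/**
+* Build the opt-in `POST /authz/can` fallback controller (or none). Off by
+* default; `true` mounts at the default path, a string mounts at that path.
+*/
+static canControllers(canEndpoint) {
+if (!canEndpoint)
+return [];
+const path = typeof canEndpoint === 'string' ? canEndpoint : DEFAULT_CAN_ENDPOINT_PATH;
+return [createCanController(path)];
+}
 static buildAsyncOptionsProvider(options) {
 if (options.useFactory) {
 return {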
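Review bot: `canControllers` in the last hunk mounts the controller for any truthy `canEndpoint`, not just the documented `true` or a path string, so a misconfigured value such as `1` or `{}` turns the route on at `DEFAULT_CAN_ENDPOINT_PATH`. Since this publishes an HTTP route that answers authorization questions, the opt-in should be exact; after the existing falsy guard I would add `if (canEndpoint !== true && typeof canEndpoint !== 'string') return [];`. In the `@@ -127` hunk the value is read from the `options` object passed to what looks like the async registration, so a `canEndpoint` returned by the options factory is presumably never seen; a comment saying so would help. The class body starts and ends outside these hunks, and the change belongs in `../src/module.ts`.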
package/dist/module.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAQtE;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB
,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,oBAAoB;gBACpB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAQtE;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,
CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAoB,EAAE,CAC7D,OAAO,EAAE,gBAAgB,IAAI,IAAI,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC5E,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,
EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,kBAAkB;QAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,cAAc,CAAC,WAAyC;QACrE,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,yBAAyB,CAAC;QACvF,OAAO,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,MAAM,CAAC,yBAAyB,CACtC,OAAgC;QAEhC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,oBAAoB;gBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACzD;oBACE,OAAO,EAAE,oBAAoB;oBAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtF,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;iBAC3B;aACF,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,WAA8C,CAAC;QAC5E,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACtF,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AA5HY,WAAW;IADvB,MAAM,CAAC,EAAE,CAAC;GACE,WAAW,CA4HvB"}
|
|
@@ -16,6 +16,8 @@ import type { Resource, User } from './types.js';
|
|
|
16
16
|
*
|
|
17
17
|
* `userRef` is the current user (whatever the app's auth layer produced; `undefined`
|
|
18
18
|
* when anonymous). `permission` is the ability name passed to `gate.allows(...)`.
|
|
19
|
+
* `resource` is the dispatch target, when one was given; providers MAY ignore it —
|
|
20
|
+
* model-less, named-ability grants (e.g. the typeorm RBAC adapter) do.
|
|
19
21
|
*/
|
|
20
22
|
export interface PermissionProvider {
|
|
21
23
|
hasPermission(user: User, permission: string, resource?: Resource): boolean | undefined | Promise<boolean | undefined>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"permission-provider.d.ts","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEjD
|
|
1
|
+
{"version":3,"file":"permission-provider.d.ts","sourceRoot":"","sources":["../src/permission-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAEjD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,kBAAkB;IACjC,aAAa,CACX,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;CACvD"}
|
|
@@ -19,5 +19,26 @@ export declare class PolicyRegistry {
|
|
|
19
19
|
has(resource: Type<unknown>): boolean;
|
|
20
20
|
/** All registered policies (for introspection/testing). */
|
|
21
21
|
all(): PolicyInstance[];
|
|
22
|
+
/** All registered resource classes (insertion order). */
|
|
23
|
+
resources(): Type<unknown>[];
|
|
24
|
+
/**
|
|
25
|
+
* Enumerate the CLASS-LEVEL ability method names declared on each registered
|
|
26
|
+
* policy, keyed by resource class. Used by integrations that pre-resolve a
|
|
27
|
+
* user's class-level abilities (e.g. to share them as Inertia props).
|
|
28
|
+
*
|
|
29
|
+
* Walks the policy prototype chain and collects own function-valued members,
|
|
30
|
+
* excluding `constructor` and the reserved `before` hook. Inherited Object
|
|
31
|
+
* members are skipped.
|
|
32
|
+
*
|
|
33
|
+
* Only methods that take NO resource instance are included — heuristically,
|
|
34
|
+
* arity `<= 1` (just `user`, e.g. `create(user)` / `viewAny(user)`). An
|
|
35
|
+
* instance method like `update(user, post)` is excluded: dispatching it
|
|
36
|
+
* against the resource CLASS would call it with the class constructor as
|
|
37
|
+
* `post` and write a bogus class-level verdict.
|
|
38
|
+
*/
|
|
39
|
+
classAbilities(): Array<{
|
|
40
|
+
resource: Type<unknown>;
|
|
41
|
+
abilities: string[];
|
|
42
|
+
}>;
|
|
22
43
|
}
|
|
23
44
|
//# sourceMappingURL=policy-registry.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-registry.d.ts","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;GAGG;AACH,qBACa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4C;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAStC,wEAAwE;IACxE,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,SAAS;IAIhE,+EAA+E;IAC/E,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD,+DAA+D;IAC/D,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO;IAIrC,2DAA2D;IAC3D,GAAG,IAAI,cAAc,EAAE;
|
|
1
|
+
{"version":3,"file":"policy-registry.d.ts","sourceRoot":"","sources":["../src/policy-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGvD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD;;;GAGG;AACH,qBACa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4C;IAEvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI;IAStC,wEAAwE;IACxE,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,cAAc,GAAG,SAAS;IAIhE,+EAA+E;IAC/E,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD,+DAA+D;IAC/D,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO;IAIrC,2DAA2D;IAC3D,GAAG,IAAI,cAAc,EAAE;IAIvB,yDAAyD;IACzD,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE;IAI5B;;;;;;;;;;;;;;OAcG;IACH,cAAc,IAAI,KAAK,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAAC,SAAS,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CAsB1E"}
|
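--- a/package/dist/policy-registry.js
+++ b/package/dist/policy-registry.js
@@ -41,6 +41,48 @@ let PolicyRegistry = class PolicyRegistry {
 all() {
 return [...this.byResource.values()];
 }
+/** All registered resource classes (insertion order). */
+resources() {
+return [...this.byResource.keys()];
+}
+/**
+* Enumerate the CLASS-LEVEL ability method names declared on each registered
+* policy, keyed by resource class. Used by integrations that pre-resolve a
+* user's class-level abilities (e.g. to share them as Inertia props).
+*
+* Walks the policy prototype chain and collects own function-valued members,
+* excluding `constructor` and the reserved `before` hook. Inherited Object
+* members are skipped.
+*
+* Only methods that take NO resource instance are included — heuristically,
+* arity `<= 1` (just `user`, e.g. `create(user)` / `viewAny(user)`). An
+* instance method like `update(user, post)` is excluded: dispatching it
+* against the resource CLASS would call it with the class constructor as
+* `post` and write a bogus class-level verdict.
+*/
+classAbilities() {
+const out = [];
+for (const [resource, policy] of this.byResource) {
+const abilities = new Set();
+let proto = Object.getPrototypeOf(policy);
+while (proto && proto !== Object.prototype) {
+for (const name of Object.getOwnPropertyNames(proto)) {
+if (name === 'constructor' || name === 'before')
+continue;
+const member = policy[name];
+// Class-level abilities take only `user` (arity <= 1). A method that
+// also declares a resource param (arity >= 2) is instance-scoped and
+// must not be dispatched against the class.
+if (typeof member === 'function' && member.length <= 1) {
+abilities.add(name);
+}
+}
+proto = Object.getPrototypeOf(proto);
+}
+out.push({ resource, abilities: [...abilities] });
+}
+return out;
+}
 };
 PolicyRegistry = __decorate([
 Injectable()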
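Review bot: The `member.length <= 1` test in `classAbilities()` does not reliably separate class-level from instance-scoped abilities, because `Function.length` stops counting at the first default-valued or rest parameter. A policy method written as `update(user, post = null)` or `update(user, ...args)` therefore reports arity 1 and is listed as class-level, which is the exact case the comment says must be excluded; any one-argument helper method on the policy is listed as an ability as well. Reading `policy[name]` also invokes accessor getters declared on the prototype, so I would add `if (typeof Object.getOwnPropertyDescriptor(proto, name)?.value !== 'function') continue;` before `const member = policy[name];`. The doc comment should state the default/rest-parameter limitation, or the heuristic could give way to an explicit marker for class-level abilities. The class body starts outside the hunk and the source is `../src/policy-registry.ts`.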
|