@dudousxd/nestjs-authz 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +14 -0
- package/dist/can-endpoint.controller.d.ts +11 -7
- package/dist/can-endpoint.controller.d.ts.map +1 -1
- package/dist/can-endpoint.controller.js +40 -11
- package/dist/can-endpoint.controller.js.map +1 -1
- package/dist/index.d.ts +2 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/module.d.ts +8 -0
- package/dist/module.d.ts.map +1 -1
- package/dist/module.js +21 -1
- package/dist/module.js.map +1 -1
- package/dist/tokens.d.ts +15 -0
- package/dist/tokens.d.ts.map +1 -1
- package/dist/tokens.js +15 -0
- package/dist/tokens.js.map +1 -1
- package/dist/types.d.ts +34 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,19 @@
|
|
|
1
1
|
# @dudousxd/nestjs-authz
|
|
2
2
|
|
|
3
|
+
## 0.4.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- [#4](https://github.com/DavideCarvalho/nestjs-authz/pull/4) [`8b7711d`](https://github.com/DavideCarvalho/nestjs-authz/commit/8b7711d11bdb25b3407fea742f6c1158afb36296) Thanks [@DavideCarvalho](https://github.com/DavideCarvalho)! - Add `resourceLoaders` to `AuthzModule.forRoot`/`forRootAsync` options — a map keyed by
|
|
8
|
+
the resource `type` name (e.g. `{ Post: (id) => postRepo.findOneBy({ id: Number(id) }) }`).
|
|
9
|
+
Closes the per-instance gap in the opt-in `POST /authz/can` fallback endpoint: when a loader
|
|
10
|
+
is registered for `resource.type`, the endpoint rehydrates the client's `{ type, id }` shim
|
|
11
|
+
into the REAL entity before authorizing, so an instance-bound `@Policy` matches by constructor
|
|
12
|
+
and its method decides correctly. A loader returning nullish is treated as "not found" (deny).
|
|
13
|
+
Types without a loader keep the prior class-level / ad-hoc-only behavior. Opt-in and additive:
|
|
14
|
+
unset → endpoint behavior unchanged. Also exposes a `RESOURCE_HYDRATOR` token and the
|
|
15
|
+
`ResourceLoader`/`ResourceLoaderMap` types.
|
|
16
|
+
|
|
3
17
|
## 0.3.0
|
|
4
18
|
|
|
5
19
|
### Minor Changes
|
|
@@ -21,13 +21,17 @@ export interface CanResponseBody {
|
|
|
21
21
|
* The endpoint runs `gate.allows(ability, resource?)` for the CURRENT (context)
|
|
22
22
|
* user.
|
|
23
23
|
*
|
|
24
|
-
*
|
|
25
|
-
* the `{ type, id }`
|
|
26
|
-
* registered `@Policy`
|
|
27
|
-
*
|
|
28
|
-
*
|
|
29
|
-
*
|
|
30
|
-
*
|
|
24
|
+
* RESOURCE REHYDRATION — how per-instance decisions resolve:
|
|
25
|
+
* the client sends a `{ type, id }` shim whose constructor is `Object`, which never
|
|
26
|
+
* matches a registered instance `@Policy` (those are keyed by the entity constructor).
|
|
27
|
+
* To bridge that, register `resourceLoaders` in `AuthzModule.forRoot({ resourceLoaders })`
|
|
28
|
+
* (keyed by the `type` name): when a loader exists for `resource.type`, the endpoint
|
|
29
|
+
* `await`s `loader(id)` and authorizes the REAL entity, so the instance `@Policy`
|
|
30
|
+
* matches and its method runs. A loader returning nullish → `{ allowed: false }` (not
|
|
31
|
+
* found). With NO loader for the type the raw shim is forwarded as before, so only
|
|
32
|
+
* class-level abilities and ad-hoc gates resolve and a resource-bound ability denies
|
|
33
|
+
* (a deliberate, documented fall-through, not a silent dead-end). An unresolved ability
|
|
34
|
+
* is likewise treated as a deny (never a 500).
|
|
31
35
|
*/
|
|
32
36
|
export declare function createCanController(path: string): Type<unknown>;
|
|
33
37
|
/** Default mount path for the fallback endpoint (matches codegen's `/authz/can`). */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"can-endpoint.controller.d.ts","sourceRoot":"","sources":["../src/can-endpoint.controller.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"can-endpoint.controller.d.ts","sourceRoot":"","sources":["../src/can-endpoint.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsC,KAAK,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAM/E;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CAC1D;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,CAgD/D;AAED,qFAAqF;AACrF,eAAO,MAAM,yBAAyB,cAAc,CAAC"}
|
|
@@ -10,9 +10,10 @@ var __metadata = (this && this.__metadata) || function (k, v) {
|
|
|
10
10
|
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
11
11
|
return function (target, key) { decorator(target, key, paramIndex); }
|
|
12
12
|
};
|
|
13
|
-
import { Body, Controller } from '@nestjs/common';
|
|
13
|
+
import { Body, Controller, Inject, Optional } from '@nestjs/common';
|
|
14
14
|
import { Post as HttpPost } from '@nestjs/common';
|
|
15
15
|
import { Gate } from './gate.js';
|
|
16
|
+
import { RESOURCE_HYDRATOR } from './tokens.js';
|
|
16
17
|
/**
|
|
17
18
|
* Build the opt-in fallback controller class, mounted at `path`. Kept as a
|
|
18
19
|
* factory so the route path is configurable via `AuthzModule.forRoot({ canEndpoint })`.
|
|
@@ -20,19 +21,25 @@ import { Gate } from './gate.js';
|
|
|
20
21
|
* The endpoint runs `gate.allows(ability, resource?)` for the CURRENT (context)
|
|
21
22
|
* user.
|
|
22
23
|
*
|
|
23
|
-
*
|
|
24
|
-
* the `{ type, id }`
|
|
25
|
-
* registered `@Policy`
|
|
26
|
-
*
|
|
27
|
-
*
|
|
28
|
-
*
|
|
29
|
-
*
|
|
24
|
+
* RESOURCE REHYDRATION — how per-instance decisions resolve:
|
|
25
|
+
* the client sends a `{ type, id }` shim whose constructor is `Object`, which never
|
|
26
|
+
* matches a registered instance `@Policy` (those are keyed by the entity constructor).
|
|
27
|
+
* To bridge that, register `resourceLoaders` in `AuthzModule.forRoot({ resourceLoaders })`
|
|
28
|
+
* (keyed by the `type` name): when a loader exists for `resource.type`, the endpoint
|
|
29
|
+
* `await`s `loader(id)` and authorizes the REAL entity, so the instance `@Policy`
|
|
30
|
+
* matches and its method runs. A loader returning nullish → `{ allowed: false }` (not
|
|
31
|
+
* found). With NO loader for the type the raw shim is forwarded as before, so only
|
|
32
|
+
* class-level abilities and ad-hoc gates resolve and a resource-bound ability denies
|
|
33
|
+
* (a deliberate, documented fall-through, not a silent dead-end). An unresolved ability
|
|
34
|
+
* is likewise treated as a deny (never a 500).
|
|
30
35
|
*/
|
|
31
36
|
export function createCanController(path) {
|
|
32
37
|
let AuthzCanController = class AuthzCanController {
|
|
33
38
|
gate;
|
|
34
|
-
|
|
39
|
+
loaders;
|
|
40
|
+
constructor(gate, loaders) {
|
|
35
41
|
this.gate = gate;
|
|
42
|
+
this.loaders = loaders;
|
|
36
43
|
}
|
|
37
44
|
async can(body) {
|
|
38
45
|
const ability = body?.ability;
|
|
@@ -41,7 +48,11 @@ export function createCanController(path) {
|
|
|
41
48
|
}
|
|
42
49
|
const resource = body?.resource ?? undefined;
|
|
43
50
|
try {
|
|
44
|
-
const
|
|
51
|
+
const target = await this.rehydrate(resource);
|
|
52
|
+
// A registered loader that produced nothing → not found → deny.
|
|
53
|
+
if (target === null)
|
|
54
|
+
return { allowed: false };
|
|
55
|
+
const allowed = await this.gate.allows(ability, target);
|
|
45
56
|
return { allowed };
|
|
46
57
|
}
|
|
47
58
|
catch {
|
|
@@ -49,6 +60,22 @@ export function createCanController(path) {
|
|
|
49
60
|
return { allowed: false };
|
|
50
61
|
}
|
|
51
62
|
}
|
|
63
|
+
/**
|
|
64
|
+
* Turn the client's `{ type, id }` shim into the resource the gate authorizes.
|
|
65
|
+
* - No resource → `undefined` (class-level ability).
|
|
66
|
+
* - Loader registered for `type` → the loaded entity, or `null` when the loader
|
|
67
|
+
* yields nullish ("not found", which the caller maps to a deny).
|
|
68
|
+
* - No loader for `type` → the raw shim, forwarded as before (class-level / gate only).
|
|
69
|
+
*/
|
|
70
|
+
async rehydrate(resource) {
|
|
71
|
+
if (resource == null)
|
|
72
|
+
return undefined;
|
|
73
|
+
const loader = this.loaders?.[resource.type];
|
|
74
|
+
if (typeof loader !== 'function')
|
|
75
|
+
return resource;
|
|
76
|
+
const loaded = await loader(resource.id);
|
|
77
|
+
return loaded == null ? null : loaded;
|
|
78
|
+
}
|
|
52
79
|
};
|
|
53
80
|
__decorate([
|
|
54
81
|
HttpPost(),
|
|
@@ -59,7 +86,9 @@ export function createCanController(path) {
|
|
|
59
86
|
], AuthzCanController.prototype, "can", null);
|
|
60
87
|
AuthzCanController = __decorate([
|
|
61
88
|
Controller(path),
|
|
62
|
-
|
|
89
|
+
__param(1, Optional()),
|
|
90
|
+
__param(1, Inject(RESOURCE_HYDRATOR)),
|
|
91
|
+
__metadata("design:paramtypes", [Gate, Object])
|
|
63
92
|
], AuthzCanController);
|
|
64
93
|
return AuthzCanController;
|
|
65
94
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"can-endpoint.controller.js","sourceRoot":"","sources":["../src/can-endpoint.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,IAAI,EAAE,UAAU,EAAa,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"can-endpoint.controller.js","sourceRoot":"","sources":["../src/can-endpoint.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAa,MAAM,gBAAgB,CAAC;AAC/E,OAAO,EAAE,IAAI,IAAI,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAiBhD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IACM,kBAAkB,GADxB,MACM,kBAAkB;QAEH;QAGA;QAJnB,YACmB,IAAU,EAGV,OAA2B;YAH3B,SAAI,GAAJ,IAAI,CAAM;YAGV,YAAO,GAAP,OAAO,CAAoB;QAC3C,CAAC;QAGE,AAAN,KAAK,CAAC,GAAG,CAAS,IAAoB;YACpC,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,CAAC;YAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;YACD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,SAAS,CAAC;YAC7C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC9C,gEAAgE;gBAChE,IAAI,MAAM,KAAK,IAAI;oBAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;gBAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBACxD,OAAO,EAAE,OAAO,EAAE,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;gBAC9C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC;QAED;;;;;;WAMG;QACK,KAAK,CAAC,SAAS,CACrB,QAAgD;YAEhD,IAAI,QAAQ,IAAI,IAAI;gBAAE,OAAO,SAAS,CAAC;YACvC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,OAAO,MAAM,KAAK,UAAU;gBAAE,OAAO,QAAkB,CAAC;YAC5D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,EAAqB,CAAC,CAAC;YAC5D,OAAO,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAE,MAAiB,CAAC;QACpD,CAAC;KACF,CAAA;IAlCO;QADL,QAAQ,EAAE;QACA,WAAA,IAAI,EAAE,CAAA;;;;iDAgBhB;IAzBG,kBAAkB;QADvB,UAAU,CAAC,IAAI,CAAC;QAIZ,WAAA,QAAQ,EAAE,CAAA;QACV,WAAA,MAAM,CAAC,iBAAiB,CAAC,CAAA;yCAFH,IAAI;OAFzB,kBAAkB,CA2CvB;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,qFAAqF;AACrF,MAAM,CAAC,MAAM,yBAAyB,GAAG,WAAW,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -18,7 +18,7 @@ export type { ContextAccessor, ContextStore, UserRef } from './context-accessor.
|
|
|
18
18
|
export type { PermissionProvider } from './permission-provider.js';
|
|
19
19
|
export { defaultRoleResolver } from './role-provider.js';
|
|
20
20
|
export type { RoleProvider, RoleResolver } from './role-provider.js';
|
|
21
|
-
export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
|
|
21
|
+
export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, RESOURCE_HYDRATOR, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
|
|
22
22
|
export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
|
|
23
|
-
export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, SuperAdminHook, User, } from './types.js';
|
|
23
|
+
export type { AuthzModuleOptions, AuthzModuleAsyncOptions, AuthzModuleOptionsFactory, GateFn, PolicyBeforeHook, PolicyInstance, PolicyMethod, Resource, ResourceLoader, ResourceLoaderMap, SuperAdminHook, User, } from './types.js';
|
|
24
24
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAC;AAC5E,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AACtC,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACpF,YAAY,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,yBAAyB,EACzB,MAAM,EACN,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,IAAI,GACL,MAAM,YAAY,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -11,6 +11,6 @@ export { AuthzModule } from './module.js';
|
|
|
11
11
|
export { createCanController, DEFAULT_CAN_ENDPOINT_PATH, } from './can-endpoint.controller.js';
|
|
12
12
|
export { IdParamResourceResolver } from './resource-resolver.js';
|
|
13
13
|
export { defaultRoleResolver } from './role-provider.js';
|
|
14
|
-
export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
|
|
14
|
+
export { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER, RESOURCE_HYDRATOR, CONTEXT_ACCESSOR, PERMISSION_PROVIDER, ROLE_PROVIDER, POLICY_RESOURCE_METADATA, CAN_METADATA, ROLES_METADATA, } from './tokens.js';
|
|
15
15
|
export { AuthzException, PolicyNotDecoratedException, AbilityNotResolvedException, AmbiguousAbilityException, ResourceResolverMissingException, } from './errors/exceptions.js';
|
|
16
16
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AAC5E,OAAO,EAAE,GAAG,EAAE,MAAM,8BAA8B,CAAC;AAEnD,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,mBAAmB,EACnB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAIjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAEzD,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,YAAY,EACZ,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,yBAAyB,EACzB,gCAAgC,GACjC,MAAM,wBAAwB,CAAC"}
|
package/dist/module.d.ts
CHANGED
|
@@ -10,6 +10,14 @@ export declare class AuthzModule {
|
|
|
10
10
|
* override / `idParam` knob from forRoot OR forRootAsync is honored.
|
|
11
11
|
*/
|
|
12
12
|
private static resourceResolverProviders;
|
|
13
|
+
/**
|
|
14
|
+
* Bind the {@link RESOURCE_HYDRATOR} token to the resolved options'
|
|
15
|
+
* `resourceLoaders` map so the opt-in `POST /authz/can` endpoint can rehydrate a
|
|
16
|
+
* `{ type, id }` shim into the REAL entity before authorizing. Reads the resolved
|
|
17
|
+
* options so the map from forRoot OR a forRootAsync factory is honored. Resolves to
|
|
18
|
+
* `undefined` when no `resourceLoaders` are configured (endpoint behavior unchanged).
|
|
19
|
+
*/
|
|
20
|
+
private static resourceHydratorProviders;
|
|
13
21
|
/**
|
|
14
22
|
* Provider that populates the {@link PolicyRegistry} on init (explicit policies
|
|
15
23
|
* + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
|
package/dist/module.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,
|
|
1
|
+
{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAQnB,MAAM,gBAAgB,CAAC;AAUxB,OAAO,KAAK,EACV,uBAAuB,EACvB,kBAAkB,EAInB,MAAM,YAAY,CAAC;AAmEpB,qBACa,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG,aAAa;IAiC/D,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa;IAgCpE;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;;;;OAMG;IACH,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAWxC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAIjC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAM7B,OAAO,CAAC,MAAM,CAAC,yBAAyB;CA2BzC"}
|
package/dist/module.js
CHANGED
|
@@ -20,7 +20,7 @@ import { CanGuard } from './guard/can.guard.js';
|
|
|
20
20
|
import { RolesGuard } from './guard/roles.guard.js';
|
|
21
21
|
import { PolicyRegistry } from './policy-registry.js';
|
|
22
22
|
import { IdParamResourceResolver } from './resource-resolver.js';
|
|
23
|
-
import { AUTHZ_MODULE_OPTIONS, RESOURCE_RESOLVER } from './tokens.js';
|
|
23
|
+
import { AUTHZ_MODULE_OPTIONS, RESOURCE_HYDRATOR, RESOURCE_RESOLVER } from './tokens.js';
|
|
24
24
|
/**
|
|
25
25
|
* Populates the {@link PolicyRegistry} at boot from explicit `policies: []` and
|
|
26
26
|
* auto-discovered `@Policy`-decorated providers.
|
|
@@ -113,6 +113,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
|
|
|
113
113
|
RolesGuard,
|
|
114
114
|
{ provide: APP_GUARD, useExisting: RolesGuard },
|
|
115
115
|
...AuthzModule_1.resourceResolverProviders(),
|
|
116
|
+
...AuthzModule_1.resourceHydratorProviders(),
|
|
116
117
|
...AuthzModule_1.bootstrapProviders(),
|
|
117
118
|
],
|
|
118
119
|
exports: [
|
|
@@ -122,6 +123,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
|
|
|
122
123
|
RolesGuard,
|
|
123
124
|
AUTHZ_MODULE_OPTIONS,
|
|
124
125
|
RESOURCE_RESOLVER,
|
|
126
|
+
RESOURCE_HYDRATOR,
|
|
125
127
|
...(options.policies ?? []),
|
|
126
128
|
],
|
|
127
129
|
};
|
|
@@ -143,6 +145,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
|
|
|
143
145
|
RolesGuard,
|
|
144
146
|
{ provide: APP_GUARD, useExisting: RolesGuard },
|
|
145
147
|
...AuthzModule_1.resourceResolverProviders(),
|
|
148
|
+
...AuthzModule_1.resourceHydratorProviders(),
|
|
146
149
|
...AuthzModule_1.bootstrapProviders(),
|
|
147
150
|
],
|
|
148
151
|
exports: [
|
|
@@ -152,6 +155,7 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
|
|
|
152
155
|
RolesGuard,
|
|
153
156
|
AUTHZ_MODULE_OPTIONS,
|
|
154
157
|
RESOURCE_RESOLVER,
|
|
158
|
+
RESOURCE_HYDRATOR,
|
|
155
159
|
],
|
|
156
160
|
};
|
|
157
161
|
}
|
|
@@ -170,6 +174,22 @@ let AuthzModule = AuthzModule_1 = class AuthzModule {
|
|
|
170
174
|
},
|
|
171
175
|
];
|
|
172
176
|
}
|
|
177
|
+
/**
|
|
178
|
+
* Bind the {@link RESOURCE_HYDRATOR} token to the resolved options'
|
|
179
|
+
* `resourceLoaders` map so the opt-in `POST /authz/can` endpoint can rehydrate a
|
|
180
|
+
* `{ type, id }` shim into the REAL entity before authorizing. Reads the resolved
|
|
181
|
+
* options so the map from forRoot OR a forRootAsync factory is honored. Resolves to
|
|
182
|
+
* `undefined` when no `resourceLoaders` are configured (endpoint behavior unchanged).
|
|
183
|
+
*/
|
|
184
|
+
static resourceHydratorProviders() {
|
|
185
|
+
return [
|
|
186
|
+
{
|
|
187
|
+
provide: RESOURCE_HYDRATOR,
|
|
188
|
+
useFactory: (options) => options?.resourceLoaders,
|
|
189
|
+
inject: [{ token: AUTHZ_MODULE_OPTIONS, optional: true }],
|
|
190
|
+
},
|
|
191
|
+
];
|
|
192
|
+
}
|
|
173
193
|
/**
|
|
174
194
|
* Provider that populates the {@link PolicyRegistry} on init (explicit policies
|
|
175
195
|
* + auto-discovered `@Policy` providers). Registered for both forRoot/forRootAsync.
|
package/dist/module.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAEL,MAAM,EACN,UAAU,EACV,MAAM,EAEN,QAAQ,GAGT,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACvF,OAAO,EAAE,yBAAyB,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAC9F,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAC;AACpE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAyB,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AASzF;;;;;;;GAOG;AACH,IACM,oBAAoB,GAD1B,MACM,oBAAoB;IAEL;IACA;IACA;IAC0C;IAJ7D,YACmB,QAAwB,EACxB,SAA2B,EAC3B,SAAoB,EACsB,OAA4B;QAHtE,aAAQ,GAAR,QAAQ,CAAgB;QACxB,cAAS,GAAT,SAAS,CAAkB;QAC3B,cAAS,GAAT,SAAS,CAAW;QACsB,YAAO,GAAP,OAAO,CAAqB;IACtF,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;QAEhC,+EAA+E;QAC/E,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,CAAC;YACvD,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAsC,CAAC;YAChE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,CAAC;YAClC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACtC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,qBAAqB,CACjC,WAAiC;QAEjC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAiB,WAAW,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;QAC/D,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAiB,WAAW,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;CACF,CAAA;AAtDK,oBAAoB;IADzB,UAAU,EAAE;IAMR,WAAA,QAAQ,EAAE,CAAA;IAAE,WAAA,MAAM,CAAC,oBAAoB,CAAC,CAAA;qCAHd,cAAc;QACb,gBAAgB;QAChB,SAAS;GAJnC,oBAAoB,CAsDzB;AAGM,IAAM,WAAW,mBAAjB,MAAM,WAAW;IACtB,MAAM,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC7C,MAAM,eAAe,GAAe,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAa,CAAC,CAAC;QACvF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,CAAC;YAC1B,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,GAAG,eAAe;gBAClB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;gBACjB,iBAAiB;gBACjB,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;aAC5B;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAAgC;QAClD,MAAM,aAAa,GAAG,aAAW,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QACtF,OAAO;YACL,MAAM,EAAE,aAAW;YACnB,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,eAAe,EAAE,GAAI,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAqB,CAAC;YAC3E,WAAW,EAAE,aAAW,CAAC,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC;YAC5D,SAAS,EAAE;gBACT,GAAG,cAAc;gBACjB,cAAc;gBACd,IAAI;gBACJ,QAAQ;gBACR,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE;gBAC7C,UAAU;gBACV,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE;gBAC/C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,yBAAyB,EAAE;gBAC1C,GAAG,aAAW,CAAC,kBAAkB,EAAE;aACpC;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,oBAAoB;gBACpB,iBAAiB;gBACjB,iBAAiB;aAClB;SACF,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAoB,EAAE,CAC7D,OAAO,EAAE,gBAAgB,IAAI,IAAI,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC;gBAC5E,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACK,MAAM,CAAC,yBAAyB;QACtC,OAAO;YACL;gBACE,OAAO,EAAE,iBAAiB;gBAC1B,UAAU,EAAE,CAAC,OAA4B,EAAiC,EAAE,CAC1E,OAAO,EAAE,eAAe;gBAC1B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;aAC1D;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,kBAAkB;QAC/B,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAED;;;OAGG;IACK,MAAM,CAAC,cAAc,CAAC,WAAyC;QACrE,IAAI,CAAC,WAAW;YAAE,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,yBAAyB,CAAC;QACvF,OAAO,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,MAAM,CAAC,yBAAyB,CACtC,OAAgC;QAEhC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,oBAAoB;gBAC7B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAyB;aACvD,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE;gBACzD;oBACE,OAAO,EAAE,oBAAoB;oBAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtF,MAAM,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC;iBAC3B;aACF,CAAC;QACJ,CAAC;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,WAA8C,CAAC;QAC5E,OAAO;YACL,OAAO,EAAE,oBAAoB;YAC7B,UAAU,EAAE,KAAK,EAAE,OAAkC,EAAE,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACtF,MAAM,EAAE,CAAC,YAAY,CAAC;SACvB,CAAC;IACJ,CAAC;CACF,CAAA;AAlJY,WAAW;IADvB,MAAM,CAAC,EAAE,CAAC;GACE,WAAW,CAkJvB"}
|
package/dist/tokens.d.ts
CHANGED
|
@@ -2,6 +2,21 @@
|
|
|
2
2
|
export declare const AUTHZ_MODULE_OPTIONS: unique symbol;
|
|
3
3
|
/** Injection token for the optional {@link ResourceResolver} registered by the app. */
|
|
4
4
|
export declare const RESOURCE_RESOLVER: unique symbol;
|
|
5
|
+
/**
|
|
6
|
+
* Injection token holding the optional resource-loader map consulted by the opt-in
|
|
7
|
+
* `POST /authz/can` endpoint to rehydrate a `{ type, id }` shim into the REAL entity
|
|
8
|
+
* instance before authorizing — so an instance-bound `@Policy` matches by constructor.
|
|
9
|
+
*
|
|
10
|
+
* Resolves to a `ResourceLoaderMap` (`Record<type, (id) => instance | Promise<instance>>`)
|
|
11
|
+
* keyed by the resource `type` name the client/codegen emits. Populated from the
|
|
12
|
+
* `resourceLoaders` forRoot option; an adapter MAY also bind this token to register
|
|
13
|
+
* loaders, mirroring the {@link PERMISSION_PROVIDER}/{@link ROLE_PROVIDER} seam.
|
|
14
|
+
*
|
|
15
|
+
* Shared via `Symbol.for(key)` (global registry) so an external package binding this
|
|
16
|
+
* same key resolves to the SAME symbol instance. Consulted with `@Optional()` — absent
|
|
17
|
+
* or empty, the endpoint behaves exactly as before (class-level / ad-hoc only).
|
|
18
|
+
*/
|
|
19
|
+
export declare const RESOURCE_HYDRATOR: unique symbol;
|
|
5
20
|
/** Metadata key for `@Policy(Resource)` — stores the resource class on the policy. */
|
|
6
21
|
export declare const POLICY_RESOURCE_METADATA = "nestjs-authz:policy-resource";
|
|
7
22
|
/** Metadata key for `@Can(ability, Resource?)` — stores the ability descriptor on a route. */
|
package/dist/tokens.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,eAAO,MAAM,oBAAoB,eAA+C,CAAC;AAEjF,uFAAuF;AACvF,eAAO,MAAM,iBAAiB,eAAyD,CAAC;AAExF,sFAAsF;AACtF,eAAO,MAAM,wBAAwB,iCAAiC,CAAC;AAEvE,8FAA8F;AAC9F,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAE/C,sFAAsF;AACtF,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,mBAAmB,eAA2D,CAAC;AAE5F;;;;;;;;;;GAUG;AACH,eAAO,MAAM,aAAa,eAAqD,CAAC;AAEhF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,eAAkD,CAAC"}
|
|
1
|
+
{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,eAAO,MAAM,oBAAoB,eAA+C,CAAC;AAEjF,uFAAuF;AACvF,eAAO,MAAM,iBAAiB,eAAyD,CAAC;AAExF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,iBAAiB,eAAyD,CAAC;AAExF,sFAAsF;AACtF,eAAO,MAAM,wBAAwB,iCAAiC,CAAC;AAEvE,8FAA8F;AAC9F,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAE/C,sFAAsF;AACtF,eAAO,MAAM,cAAc,uBAAuB,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,mBAAmB,eAA2D,CAAC;AAE5F;;;;;;;;;;GAUG;AACH,eAAO,MAAM,aAAa,eAAqD,CAAC;AAEhF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,eAAkD,CAAC"}
|
package/dist/tokens.js
CHANGED
|
@@ -2,6 +2,21 @@
|
|
|
2
2
|
export const AUTHZ_MODULE_OPTIONS = Symbol.for('@dudousxd/nestjs-authz:options');
|
|
3
3
|
/** Injection token for the optional {@link ResourceResolver} registered by the app. */
|
|
4
4
|
export const RESOURCE_RESOLVER = Symbol.for('@dudousxd/nestjs-authz:resource-resolver');
|
|
5
|
+
/**
|
|
6
|
+
* Injection token holding the optional resource-loader map consulted by the opt-in
|
|
7
|
+
* `POST /authz/can` endpoint to rehydrate a `{ type, id }` shim into the REAL entity
|
|
8
|
+
* instance before authorizing — so an instance-bound `@Policy` matches by constructor.
|
|
9
|
+
*
|
|
10
|
+
* Resolves to a `ResourceLoaderMap` (`Record<type, (id) => instance | Promise<instance>>`)
|
|
11
|
+
* keyed by the resource `type` name the client/codegen emits. Populated from the
|
|
12
|
+
* `resourceLoaders` forRoot option; an adapter MAY also bind this token to register
|
|
13
|
+
* loaders, mirroring the {@link PERMISSION_PROVIDER}/{@link ROLE_PROVIDER} seam.
|
|
14
|
+
*
|
|
15
|
+
* Shared via `Symbol.for(key)` (global registry) so an external package binding this
|
|
16
|
+
* same key resolves to the SAME symbol instance. Consulted with `@Optional()` — absent
|
|
17
|
+
* or empty, the endpoint behaves exactly as before (class-level / ad-hoc only).
|
|
18
|
+
*/
|
|
19
|
+
export const RESOURCE_HYDRATOR = Symbol.for('@dudousxd/nestjs-authz:resource-hydrator');
|
|
5
20
|
/** Metadata key for `@Policy(Resource)` — stores the resource class on the policy. */
|
|
6
21
|
export const POLICY_RESOURCE_METADATA = 'nestjs-authz:policy-resource';
|
|
7
22
|
/** Metadata key for `@Can(ability, Resource?)` — stores the ability descriptor on a route. */
|
package/dist/tokens.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,MAAM,CAAC,MAAM,oBAAoB,GAAG,MAAM,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;AAEjF,uFAAuF;AACvF,MAAM,CAAC,MAAM,iBAAiB,GAAG,MAAM,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;AAExF,sFAAsF;AACtF,MAAM,CAAC,MAAM,wBAAwB,GAAG,8BAA8B,CAAC;AAEvE,8FAA8F;AAC9F,MAAM,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AAE/C,sFAAsF;AACtF,MAAM,CAAC,MAAM,cAAc,GAAG,oBAAoB,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;AAE5F;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,MAAM,CAAC,MAAM,oBAAoB,GAAG,MAAM,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;AAEjF,uFAAuF;AACvF,MAAM,CAAC,MAAM,iBAAiB,GAAG,MAAM,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;AAExF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,MAAM,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;AAExF,sFAAsF;AACtF,MAAM,CAAC,MAAM,wBAAwB,GAAG,8BAA8B,CAAC;AAEvE,8FAA8F;AAC9F,MAAM,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AAE/C,sFAAsF;AACtF,MAAM,CAAC,MAAM,cAAc,GAAG,oBAAoB,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;AAE5F;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC"}
|
package/dist/types.d.ts
CHANGED
|
@@ -31,6 +31,18 @@ export type PolicyInstance = Record<string, unknown> & {
|
|
|
31
31
|
* An ad-hoc gate: a model-less ability resolved by name via `gate.define`.
|
|
32
32
|
*/
|
|
33
33
|
export type GateFn = (user: User, resource?: Resource) => boolean | Promise<boolean>;
|
|
34
|
+
/**
|
|
35
|
+
* A resource loader: turns an `id` into the REAL entity instance for a resource
|
|
36
|
+
* `type`. Used by the opt-in `POST /authz/can` endpoint to rehydrate the client's
|
|
37
|
+
* `{ type, id }` shim before authorizing, so an instance-bound `@Policy` matches by
|
|
38
|
+
* constructor. Returning nullish signals "not found" (the endpoint denies). May be async.
|
|
39
|
+
*/
|
|
40
|
+
export type ResourceLoader = (id: string | number) => unknown | Promise<unknown>;
|
|
41
|
+
/**
|
|
42
|
+
* Resource loaders keyed by the resource `type` name as emitted by the client/codegen
|
|
43
|
+
* (e.g. `'Post'`). See {@link AuthzModuleOptions.resourceLoaders}.
|
|
44
|
+
*/
|
|
45
|
+
export type ResourceLoaderMap = Record<string, ResourceLoader>;
|
|
34
46
|
/**
|
|
35
47
|
* Global super-admin before-hook. Runs before any policy/gate; truthy → allow.
|
|
36
48
|
* `void`/`undefined`/`false` falls through to normal resolution.
|
|
@@ -110,6 +122,21 @@ export interface AuthzModuleOptions {
|
|
|
110
122
|
* — this endpoint exists only for abilities not already hydrated on the client.
|
|
111
123
|
*/
|
|
112
124
|
canEndpoint?: boolean | string;
|
|
125
|
+
/**
|
|
126
|
+
* Resource loaders keyed by the resource `type` name the client/codegen emits
|
|
127
|
+
* (e.g. `'Post'`). They close the per-instance gap in the {@link canEndpoint}
|
|
128
|
+
* fallback: when the endpoint receives `{ ability, resource: { type, id } }` and a
|
|
129
|
+
* loader is registered for `type`, it `await`s `loader(id)` and authorizes the REAL
|
|
130
|
+
* entity — so an instance-bound `@Policy` matches by constructor and its method runs
|
|
131
|
+
* with the loaded resource. A loader returning nullish is treated as "not found"
|
|
132
|
+
* (the endpoint denies). Types WITHOUT a loader keep the prior behavior (class-level
|
|
133
|
+
* / ad-hoc only; a resource-bound ability still denies). Opt-in: unset → unchanged.
|
|
134
|
+
*
|
|
135
|
+
* ```ts
|
|
136
|
+
* resourceLoaders: { Post: (id) => postRepo.findOneBy({ id: Number(id) }) }
|
|
137
|
+
* ```
|
|
138
|
+
*/
|
|
139
|
+
resourceLoaders?: ResourceLoaderMap;
|
|
113
140
|
}
|
|
114
141
|
export interface AuthzModuleOptionsFactory {
|
|
115
142
|
createAuthzOptions(): Promise<AuthzModuleOptions> | AuthzModuleOptions;
|
|
@@ -126,5 +153,12 @@ export interface AuthzModuleAsyncOptions {
|
|
|
126
153
|
* time, before the async options factory resolves. Off by default.
|
|
127
154
|
*/
|
|
128
155
|
canEndpoint?: boolean | string;
|
|
156
|
+
/**
|
|
157
|
+
* Resource loaders for the {@link canEndpoint} fallback
|
|
158
|
+
* (see {@link AuthzModuleOptions.resourceLoaders}). May also be returned from the
|
|
159
|
+
* async options factory; either way the endpoint reads them from the resolved
|
|
160
|
+
* options, so this declaration is for the rarer case of supplying them statically.
|
|
161
|
+
*/
|
|
162
|
+
resourceLoaders?: ResourceLoaderMap;
|
|
129
163
|
}
|
|
130
164
|
//# sourceMappingURL=types.d.ts.map
|
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC;AAE9B;;;GAGG;AACH,MAAM,MAAM,IAAI,GAAG,OAAO,CAAC;AAE3B;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,QAAQ,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE3F;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAC7B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,KACZ,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;IACrD,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,QAAQ,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAErF;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAC3B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,KACZ,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;AAExD,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;IACvC;;;;;;;;;;OAUG;IACH,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC;IAC7E;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACpF;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC;AAE9B;;;GAGG;AACH,MAAM,MAAM,IAAI,GAAG,OAAO,CAAC;AAE3B;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,QAAQ,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAE3F;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAC7B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,KACZ,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;IACrD,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,CAAC,EAAE,QAAQ,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAErF;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEjF;;;GAGG;AACH,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAE/D;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAC3B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,KACZ,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC;AAExD,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;IACvC;;;;;;;;;;OAUG;IACH,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC;IAC7E;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACpF;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC/B;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,iBAAiB,CAAC;CACrC;AAED,MAAM,WAAW,yBAAyB;IACxC,kBAAkB,IAAI,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,CAAC;CACxE;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC;IACpB,WAAW,CAAC,EAAE,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAC9C,QAAQ,CAAC,EAAE,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAC3C,UAAU,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,CAAC;IACtF,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;IACnB;;;;OAIG;IACH,WAAW,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC/B;;;;;OAKG;IACH,eAAe,CAAC,EAAE,iBAAiB,CAAC;CACrC"}
|