npm - @fiado/type-kit - Versions diffs - 3.47.0 → 3.48.0 - Mend

@fiado/type-kit 3.47.0 → 3.48.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/_test_/unit/cognitoBackofficeConnector/dtos/Introspect.test.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { IntrospectRequest } from '../../../../src/cognitoBackofficeConnector/dtos/IntrospectRequest';
+import { IntrospectResponse } from '../../../../src/cognitoBackofficeConnector/dtos/IntrospectResponse';
+import { IntrospectFailReason } from '../../../../src/cognitoBackofficeConnector/enums/IntrospectFailReason';
+describe('IntrospectRequest', () => {
+    it('valida happy path', async () => {
+        const dto = plainToInstance(IntrospectRequest, {
+            token: 'jwt', userPoolId: 'us-east-1_o0h1s3458', region: 'us-east-1', clientId: '1b8g4shbvbi5jhq19fuc8mi2bk',
+        });
+        expect(await validate(dto)).toEqual([]);
+    });
+    it('falla si falta userPoolId', async () => {
+        const dto = plainToInstance(IntrospectRequest, { token: 'jwt', region: 'us-east-1', clientId: 'c' });
+        expect((await validate(dto)).some(e => e.property === 'userPoolId')).toBe(true);
+    });
+});
+describe('IntrospectResponse', () => {
+    it('valid=true con cognitoSub', async () => {
+        const dto = plainToInstance(IntrospectResponse, { valid: true, cognitoSub: '248814c8' });
+        expect(await validate(dto)).toEqual([]);
+    });
+    it('valid=false con reason enum', async () => {
+        const dto = plainToInstance(IntrospectResponse, { valid: false, reason: IntrospectFailReason.REVOKED });
+        expect(await validate(dto)).toEqual([]);
+    });
+});

package/_test_/unit/platformRbac/dtos/AuthorizeRequest.test.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { AuthorizeRequest } from '../../../../src/platformRbac/dtos/AuthorizeRequest';
+import { PermissionScope } from '../../../../src/platformRbac/enums/PermissionScope';
+describe('AuthorizeRequest', () => {
+    it('valida happy path con scope opcional', async () => {
+        const dto = plainToInstance(AuthorizeRequest, {
+            token: 'jwt.abc.def',
+            permission: 'tenant.user.create',
+            scope: PermissionScope.RETAILER,
+            scopeRef: 'VL-001',
+        });
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+    it('falla si falta token', async () => {
+        const dto = plainToInstance(AuthorizeRequest, { permission: 'tenant.user.create' });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'token')).toBe(true);
+    });
+    it('acepta sin scope/scopeRef (permiso sin scope)', async () => {
+        const dto = plainToInstance(AuthorizeRequest, { token: 'jwt', permission: 'catalog.read' });
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+});

package/_test_/unit/platformRbac/dtos/AuthorizeResponse.test.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { AuthorizeResponse } from '../../../../src/platformRbac/dtos/AuthorizeResponse';
+import { AuthorizeDenyReason } from '../../../../src/platformRbac/enums/AuthorizeDenyReason';
+describe('AuthorizeResponse', () => {
+    it('valida allow=true sin reason', async () => {
+        const dto = plainToInstance(AuthorizeResponse, { allow: true });
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+    it('valida allow=false con reason enum', async () => {
+        const dto = plainToInstance(AuthorizeResponse, { allow: false, reason: AuthorizeDenyReason.NO_PERMISSION });
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+    it('rechaza reason fuera del enum', async () => {
+        const dto = plainToInstance(AuthorizeResponse, { allow: false, reason: 'WHATEVER' });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'reason')).toBe(true);
+    });
+});

package/bin/cognitoBackofficeConnector/dtos/IntrospectRequest.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/** Input del POST /auth/introspect: token + datos del pool (el connector es stateless). */
+export declare class IntrospectRequest {
+    token: string;
+    userPoolId: string;
+    region: string;
+    clientId: string;
+}

package/bin/cognitoBackofficeConnector/dtos/IntrospectRequest.js ADDED Viewed

@@ -0,0 +1,42 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IntrospectRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+/** Input del POST /auth/introspect: token + datos del pool (el connector es stateless). */
+class IntrospectRequest {
+}
+exports.IntrospectRequest = IntrospectRequest;
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], IntrospectRequest.prototype, "token", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], IntrospectRequest.prototype, "userPoolId", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], IntrospectRequest.prototype, "region", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], IntrospectRequest.prototype, "clientId", void 0);

package/bin/cognitoBackofficeConnector/dtos/IntrospectResponse.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { IntrospectFailReason } from '../enums/IntrospectFailReason';
+/** Output del POST /auth/introspect: validez + identidad (sub) o reason del fallo. */
+export declare class IntrospectResponse {
+    valid: boolean;
+    cognitoSub?: string;
+    reason?: IntrospectFailReason;
+}

package/bin/cognitoBackofficeConnector/dtos/IntrospectResponse.js ADDED Viewed

@@ -0,0 +1,36 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IntrospectResponse = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+const IntrospectFailReason_1 = require("../enums/IntrospectFailReason");
+/** Output del POST /auth/introspect: validez + identidad (sub) o reason del fallo. */
+class IntrospectResponse {
+}
+exports.IntrospectResponse = IntrospectResponse;
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsBoolean)(),
+    __metadata("design:type", Boolean)
+], IntrospectResponse.prototype, "valid", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], IntrospectResponse.prototype, "cognitoSub", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEnum)(IntrospectFailReason_1.IntrospectFailReason),
+    __metadata("design:type", String)
+], IntrospectResponse.prototype, "reason", void 0);

package/bin/cognitoBackofficeConnector/enums/IntrospectFailReason.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Razón de fallo del POST /auth/introspect del cognito-backoffice-connector.
+ */
+export declare enum IntrospectFailReason {
+    INVALID_SIGNATURE = "INVALID_SIGNATURE",
+    EXPIRED = "EXPIRED",
+    CLIENT_ID_MISMATCH = "CLIENT_ID_MISMATCH",
+    TOKEN_USE_MISMATCH = "TOKEN_USE_MISMATCH",
+    REVOKED = "REVOKED",
+    USER_NOT_FOUND = "USER_NOT_FOUND"
+}

package/bin/cognitoBackofficeConnector/enums/IntrospectFailReason.js ADDED Viewed

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IntrospectFailReason = void 0;
+/**
+ * Razón de fallo del POST /auth/introspect del cognito-backoffice-connector.
+ */
+var IntrospectFailReason;
+(function (IntrospectFailReason) {
+    IntrospectFailReason["INVALID_SIGNATURE"] = "INVALID_SIGNATURE";
+    IntrospectFailReason["EXPIRED"] = "EXPIRED";
+    IntrospectFailReason["CLIENT_ID_MISMATCH"] = "CLIENT_ID_MISMATCH";
+    IntrospectFailReason["TOKEN_USE_MISMATCH"] = "TOKEN_USE_MISMATCH";
+    IntrospectFailReason["REVOKED"] = "REVOKED";
+    IntrospectFailReason["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+})(IntrospectFailReason || (exports.IntrospectFailReason = IntrospectFailReason = {}));

package/bin/cognitoBackofficeConnector/index.d.ts CHANGED Viewed

@@ -50,3 +50,6 @@ export * from './dtos/AppClientConfig';
 export * from './dtos/CreatePoolRequest';
 export * from './dtos/CreatePoolResponse';
 export * from './dtos/DeletePoolRequest';
+export * from './enums/IntrospectFailReason';
+export * from './dtos/IntrospectRequest';
+export * from './dtos/IntrospectResponse';

package/bin/cognitoBackofficeConnector/index.js CHANGED Viewed

@@ -66,3 +66,7 @@ __exportStar(require("./dtos/AppClientConfig"), exports);
 __exportStar(require("./dtos/CreatePoolRequest"), exports);
 __exportStar(require("./dtos/CreatePoolResponse"), exports);
 __exportStar(require("./dtos/DeletePoolRequest"), exports);
+// Introspección de token (POST /auth/introspect) — consumido por el platform-rbac-business.
+__exportStar(require("./enums/IntrospectFailReason"), exports);
+__exportStar(require("./dtos/IntrospectRequest"), exports);
+__exportStar(require("./dtos/IntrospectResponse"), exports);

package/bin/platformRbac/dtos/AuthorizeRequest.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { PermissionScope } from '../enums/PermissionScope';
+/**
+ * Input del POST /internal/authorize. El decorador @RequirePermission lo construye:
+ * token (del cookie session), permission requerida, y scope+scopeRef opcionales.
+ */
+export declare class AuthorizeRequest {
+    token: string;
+    permission: string;
+    scope?: PermissionScope;
+    scopeRef?: string;
+}

package/bin/platformRbac/dtos/AuthorizeRequest.js ADDED Viewed

@@ -0,0 +1,46 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizeRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+const PermissionScope_1 = require("../enums/PermissionScope");
+/**
+ * Input del POST /internal/authorize. El decorador @RequirePermission lo construye:
+ * token (del cookie session), permission requerida, y scope+scopeRef opcionales.
+ */
+class AuthorizeRequest {
+}
+exports.AuthorizeRequest = AuthorizeRequest;
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], AuthorizeRequest.prototype, "token", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsNotEmpty)(),
+    __metadata("design:type", String)
+], AuthorizeRequest.prototype, "permission", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
+    __metadata("design:type", String)
+], AuthorizeRequest.prototype, "scope", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], AuthorizeRequest.prototype, "scopeRef", void 0);

package/bin/platformRbac/dtos/AuthorizeResponse.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { AuthorizeDenyReason } from '../enums/AuthorizeDenyReason';
+import type { AuthContext } from './AuthContext';
+/**
+ * Output del POST /internal/authorize. Si allow=true trae el context resuelto
+ * (para que el decorador lo populé en el request). Si allow=false trae el reason.
+ * `context` es solo contrato TS de salida (AuthContext es interface, no clase) → SIN @Expose,
+ * es passthrough; los responses no se validan (fiado-validation-and-dtos § 7).
+ */
+export declare class AuthorizeResponse {
+    allow: boolean;
+    reason?: AuthorizeDenyReason;
+    context?: AuthContext;
+}

package/bin/platformRbac/dtos/AuthorizeResponse.js ADDED Viewed

@@ -0,0 +1,35 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizeResponse = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+const AuthorizeDenyReason_1 = require("../enums/AuthorizeDenyReason");
+/**
+ * Output del POST /internal/authorize. Si allow=true trae el context resuelto
+ * (para que el decorador lo populé en el request). Si allow=false trae el reason.
+ * `context` es solo contrato TS de salida (AuthContext es interface, no clase) → SIN @Expose,
+ * es passthrough; los responses no se validan (fiado-validation-and-dtos § 7).
+ */
+class AuthorizeResponse {
+}
+exports.AuthorizeResponse = AuthorizeResponse;
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsBoolean)(),
+    __metadata("design:type", Boolean)
+], AuthorizeResponse.prototype, "allow", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEnum)(AuthorizeDenyReason_1.AuthorizeDenyReason),
+    __metadata("design:type", String)
+], AuthorizeResponse.prototype, "reason", void 0);

package/bin/platformRbac/enums/AuthorizeDenyReason.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Razón de denegación del endpoint POST /internal/authorize del platform-rbac-business.
+ * Consumido por el decorador @RequirePermission del @fiado/gateway-adapter.
+ */
+export declare enum AuthorizeDenyReason {
+    INVALID_TOKEN = "INVALID_TOKEN",
+    NO_PERMISSION = "NO_PERMISSION",
+    SCOPE_DENIED = "SCOPE_DENIED",
+    USER_NOT_FOUND = "USER_NOT_FOUND"
+}

package/bin/platformRbac/enums/AuthorizeDenyReason.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizeDenyReason = void 0;
+/**
+ * Razón de denegación del endpoint POST /internal/authorize del platform-rbac-business.
+ * Consumido por el decorador @RequirePermission del @fiado/gateway-adapter.
+ */
+var AuthorizeDenyReason;
+(function (AuthorizeDenyReason) {
+    AuthorizeDenyReason["INVALID_TOKEN"] = "INVALID_TOKEN";
+    AuthorizeDenyReason["NO_PERMISSION"] = "NO_PERMISSION";
+    AuthorizeDenyReason["SCOPE_DENIED"] = "SCOPE_DENIED";
+    AuthorizeDenyReason["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+})(AuthorizeDenyReason || (exports.AuthorizeDenyReason = AuthorizeDenyReason = {}));

package/bin/platformRbac/index.d.ts CHANGED Viewed

@@ -18,3 +18,6 @@ export * from './mfa/EnrollTotpResponse';
 export * from './mfa/VerifyTotpEnrollmentRequest';
 export * from './mfa/ChangeMfaMethodRequest';
 export * from './mfa/MfaStatusResponse';
+export { AuthorizeDenyReason } from './enums/AuthorizeDenyReason';
+export * from './dtos/AuthorizeRequest';
+export * from './dtos/AuthorizeResponse';

package/bin/platformRbac/index.js CHANGED Viewed

@@ -23,7 +23,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PermissionCategory = exports.PermissionScope = exports.Permission = void 0;
+exports.AuthorizeDenyReason = exports.PermissionCategory = exports.PermissionScope = exports.Permission = void 0;
 var Permission_1 = require("./enums/Permission");
 Object.defineProperty(exports, "Permission", { enumerable: true, get: function () { return Permission_1.Permission; } });
 var PermissionScope_1 = require("./enums/PermissionScope");
@@ -46,3 +46,8 @@ __exportStar(require("./mfa/EnrollTotpResponse"), exports);
 __exportStar(require("./mfa/VerifyTotpEnrollmentRequest"), exports);
 __exportStar(require("./mfa/ChangeMfaMethodRequest"), exports);
 __exportStar(require("./mfa/MfaStatusResponse"), exports);
+// RBAC enforcement (capa de protección) — DTOs del POST /internal/authorize.
+var AuthorizeDenyReason_1 = require("./enums/AuthorizeDenyReason");
+Object.defineProperty(exports, "AuthorizeDenyReason", { enumerable: true, get: function () { return AuthorizeDenyReason_1.AuthorizeDenyReason; } });
+__exportStar(require("./dtos/AuthorizeRequest"), exports);
+__exportStar(require("./dtos/AuthorizeResponse"), exports);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fiado/type-kit",
-  "version": "3.47.0",
+  "version": "3.48.0",
   "description": "",
   "main": "bin/index.js",
   "types": "bin/index.d.ts",

package/src/cognitoBackofficeConnector/dtos/IntrospectRequest.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { Expose } from 'class-transformer';
+import { IsNotEmpty, IsString } from 'class-validator';
+/** Input del POST /auth/introspect: token + datos del pool (el connector es stateless). */
+export class IntrospectRequest {
+    @Expose() @IsString() @IsNotEmpty() token!: string;
+    @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
+    @Expose() @IsString() @IsNotEmpty() clientId!: string;
+}

package/src/cognitoBackofficeConnector/dtos/IntrospectResponse.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsEnum, IsOptional, IsString } from 'class-validator';
+import { IntrospectFailReason } from '../enums/IntrospectFailReason';
+/** Output del POST /auth/introspect: validez + identidad (sub) o reason del fallo. */
+export class IntrospectResponse {
+    @Expose() @IsBoolean() valid!: boolean;
+    @Expose() @IsOptional() @IsString() cognitoSub?: string;
+    @Expose() @IsOptional() @IsEnum(IntrospectFailReason) reason?: IntrospectFailReason;
+}

package/src/cognitoBackofficeConnector/enums/IntrospectFailReason.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Razón de fallo del POST /auth/introspect del cognito-backoffice-connector.
+ */
+export enum IntrospectFailReason {
+    INVALID_SIGNATURE = 'INVALID_SIGNATURE',
+    EXPIRED = 'EXPIRED',
+    CLIENT_ID_MISMATCH = 'CLIENT_ID_MISMATCH',
+    TOKEN_USE_MISMATCH = 'TOKEN_USE_MISMATCH',
+    REVOKED = 'REVOKED',
+    USER_NOT_FOUND = 'USER_NOT_FOUND',
+}

package/src/cognitoBackofficeConnector/index.ts CHANGED Viewed

@@ -50,3 +50,8 @@ export * from './dtos/AppClientConfig';
 export * from './dtos/CreatePoolRequest';
 export * from './dtos/CreatePoolResponse';
 export * from './dtos/DeletePoolRequest';
+// Introspección de token (POST /auth/introspect) — consumido por el platform-rbac-business.
+export * from './enums/IntrospectFailReason';
+export * from './dtos/IntrospectRequest';
+export * from './dtos/IntrospectResponse';

package/src/platformRbac/dtos/AuthorizeRequest.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { Expose } from 'class-transformer';
+import { IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator';
+import { PermissionScope } from '../enums/PermissionScope';
+/**
+ * Input del POST /internal/authorize. El decorador @RequirePermission lo construye:
+ * token (del cookie session), permission requerida, y scope+scopeRef opcionales.
+ */
+export class AuthorizeRequest {
+    @Expose() @IsString() @IsNotEmpty() token!: string;
+    @Expose() @IsString() @IsNotEmpty() permission!: string;
+    @Expose() @IsOptional() @IsEnum(PermissionScope) scope?: PermissionScope;
+    @Expose() @IsOptional() @IsString() scopeRef?: string;
+}

package/src/platformRbac/dtos/AuthorizeResponse.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
+import { AuthorizeDenyReason } from '../enums/AuthorizeDenyReason';
+import type { AuthContext } from './AuthContext';
+/**
+ * Output del POST /internal/authorize. Si allow=true trae el context resuelto
+ * (para que el decorador lo populé en el request). Si allow=false trae el reason.
+ * `context` es solo contrato TS de salida (AuthContext es interface, no clase) → SIN @Expose,
+ * es passthrough; los responses no se validan (fiado-validation-and-dtos § 7).
+ */
+export class AuthorizeResponse {
+    @Expose() @IsBoolean() allow!: boolean;
+    @Expose() @IsOptional() @IsEnum(AuthorizeDenyReason) reason?: AuthorizeDenyReason;
+    context?: AuthContext;
+}

package/src/platformRbac/enums/AuthorizeDenyReason.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Razón de denegación del endpoint POST /internal/authorize del platform-rbac-business.
+ * Consumido por el decorador @RequirePermission del @fiado/gateway-adapter.
+ */
+export enum AuthorizeDenyReason {
+    INVALID_TOKEN = 'INVALID_TOKEN',
+    NO_PERMISSION = 'NO_PERMISSION',
+    SCOPE_DENIED = 'SCOPE_DENIED',
+    USER_NOT_FOUND = 'USER_NOT_FOUND',
+}

package/src/platformRbac/index.ts CHANGED Viewed

@@ -32,3 +32,8 @@ export * from './mfa/EnrollTotpResponse';
 export * from './mfa/VerifyTotpEnrollmentRequest';
 export * from './mfa/ChangeMfaMethodRequest';
 export * from './mfa/MfaStatusResponse';
+// RBAC enforcement (capa de protección) — DTOs del POST /internal/authorize.
+export { AuthorizeDenyReason } from './enums/AuthorizeDenyReason';
+export * from './dtos/AuthorizeRequest';
+export * from './dtos/AuthorizeResponse';