@fonoster/identity 0.6.1-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Fonoster Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,3 @@
+<a href="https://gitpod.io/#https://github.com/fonoster/fonoster"> <img src="https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod" alt="Contribute with Gitpod" />
+
+This module is part of the [Fonoster](https://fonoster.com) project. By itself, it does not do much. It is intended to be used as a dependency for other modules. For more information about the project, please visit [https://github.com/fonoster/fonoster](https://github.com/fonoster/fonoster).

package/dist/JsonWebErrorEnum.d.ts

@@ -0,0 +1,5 @@
+declare enum JsonWebErrorEnum {
+    JsonWebTokenError = "JsonWebTokenError",
+    TokenExpiredError = "TokenExpiredError"
+}
+export { JsonWebErrorEnum };

package/dist/JsonWebErrorEnum.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JsonWebErrorEnum = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var JsonWebErrorEnum;
+(function (JsonWebErrorEnum) {
+    JsonWebErrorEnum["JsonWebTokenError"] = "JsonWebTokenError";
+    JsonWebErrorEnum["TokenExpiredError"] = "TokenExpiredError";
+})(JsonWebErrorEnum || (exports.JsonWebErrorEnum = JsonWebErrorEnum = {}));

package/dist/apikeys/ApiRoleEnum.d.ts

@@ -0,0 +1,4 @@
+declare enum ApiRoleEnum {
+    WORKSPACE_ADMIN = "WORKSPACE_ADMIN"
+}
+export { ApiRoleEnum };

package/dist/apikeys/ApiRoleEnum.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiRoleEnum = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var ApiRoleEnum;
+(function (ApiRoleEnum) {
+    ApiRoleEnum["WORKSPACE_ADMIN"] = "WORKSPACE_ADMIN";
+})(ApiRoleEnum || (exports.ApiRoleEnum = ApiRoleEnum = {}));

package/dist/apikeys/createApiKey.d.ts

@@ -0,0 +1,24 @@
+import { GrpcErrorMessage } from "@fonoster/common";
+import { z } from "zod";
+import { ApiRoleEnum } from "./ApiRoleEnum";
+import { Prisma } from "../db";
+declare const CreatApiKeyRequestSchema: z.ZodObject<{
+    role: z.ZodEnum<[ApiRoleEnum]>;
+    expiresAt: z.ZodEffects<z.ZodNumber, number, number>;
+}, "strip", z.ZodTypeAny, {
+    role?: ApiRoleEnum;
+    expiresAt?: number;
+}, {
+    role?: ApiRoleEnum;
+    expiresAt?: number;
+}>;
+type CreateApiKeyRequest = z.infer<typeof CreatApiKeyRequestSchema>;
+type CreateApiKeyResponse = {
+    ref: string;
+    accessKeyId: string;
+    accessKeySecret: string;
+};
+declare function createApiKey(prisma: Prisma): (call: {
+    request: CreateApiKeyRequest;
+}, callback: (error: GrpcErrorMessage, response?: CreateApiKeyResponse) => void) => Promise<void>;
+export { createApiKey };

package/dist/apikeys/createApiKey.js

@@ -0,0 +1,73 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createApiKey = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const common_1 = require("@fonoster/common");
+const logger_1 = require("@fonoster/logger");
+const zod_1 = require("zod");
+const ApiRoleEnum_1 = require("./ApiRoleEnum");
+const utils_1 = require("../utils");
+const generateAccessKeyId_1 = require("../utils/generateAccessKeyId");
+const generateAccessKeySecret_1 = require("../utils/generateAccessKeySecret");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+const CreatApiKeyRequestSchema = zod_1.z.object({
+    role: zod_1.z.enum([ApiRoleEnum_1.ApiRoleEnum.WORKSPACE_ADMIN]),
+    expiresAt: zod_1.z.number().transform((value) => (value === 0 ? null : value))
+});
+function createApiKey(prisma) {
+    return (call, callback) => __awaiter(this, void 0, void 0, function* () {
+        try {
+            const validatedRequest = CreatApiKeyRequestSchema.parse(call.request);
+            const accessKeyId = (0, utils_1.getAccessKeyIdFromCall)(call);
+            const { role, expiresAt } = validatedRequest;
+            logger.info("creating new ApiKey", { accessKeyId, role, expiresAt });
+            const workspace = yield prisma.workspace.findUnique({
+                where: { accessKeyId }
+            });
+            const response = yield prisma.apiKey.create({
+                data: {
+                    workspaceRef: workspace.ref,
+                    role: validatedRequest.role,
+                    accessKeyId: (0, generateAccessKeyId_1.generateAccessKeyId)(generateAccessKeyId_1.AccessKeyIdType.API_KEY),
+                    accessKeySecret: (0, generateAccessKeySecret_1.generateAccessKeySecret)(),
+                    expiresAt: expiresAt ? new Date(expiresAt) : null
+                }
+            });
+            callback(null, {
+                ref: response.ref,
+                accessKeyId: response.accessKeyId,
+                accessKeySecret: response.accessKeySecret
+            });
+        }
+        catch (error) {
+            (0, common_1.handleError)(error, callback);
+        }
+    });
+}
+exports.createApiKey = createApiKey;

package/dist/apikeys/deleteApiKey.d.ts

@@ -0,0 +1,18 @@
+import { GrpcErrorMessage } from "@fonoster/common";
+import { z } from "zod";
+import { Prisma } from "../db";
+declare const DeleteApiKeyRequestSchema: z.ZodObject<{
+    ref: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    ref?: string;
+}, {
+    ref?: string;
+}>;
+type DeleteApiKeyRequest = z.infer<typeof DeleteApiKeyRequestSchema>;
+type DeleteApiKeyResponse = {
+    ref: string;
+};
+declare function deleteApiKey(prisma: Prisma): (call: {
+    request: DeleteApiKeyRequest;
+}, callback: (error: GrpcErrorMessage, response?: DeleteApiKeyResponse) => void) => Promise<void>;
+export { deleteApiKey };

package/dist/apikeys/deleteApiKey.js

@@ -0,0 +1,58 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deleteApiKey = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const common_1 = require("@fonoster/common");
+const logger_1 = require("@fonoster/logger");
+const zod_1 = require("zod");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+const DeleteApiKeyRequestSchema = zod_1.z.object({
+    ref: zod_1.z.string()
+});
+function deleteApiKey(prisma) {
+    return (call, callback) => __awaiter(this, void 0, void 0, function* () {
+        try {
+            const validatedRequest = DeleteApiKeyRequestSchema.parse(call.request);
+            const { ref } = validatedRequest;
+            logger.info("deleting ApiKey", { ref });
+            const response = yield prisma.apiKey.delete({
+                where: {
+                    ref
+                }
+            });
+            callback(null, {
+                ref: response.ref
+            });
+        }
+        catch (error) {
+            (0, common_1.handleError)(error, callback);
+        }
+    });
+}
+exports.deleteApiKey = deleteApiKey;

package/dist/apikeys/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./createApiKey";
+export * from "./deleteApiKey";
+export * from "./listApiKeys";
+export * from "./regenerateApiKey";
+export * from "./ApiRoleEnum";

package/dist/apikeys/index.js

@@ -0,0 +1,39 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+__exportStar(require("./createApiKey"), exports);
+__exportStar(require("./deleteApiKey"), exports);
+__exportStar(require("./listApiKeys"), exports);
+__exportStar(require("./regenerateApiKey"), exports);
+__exportStar(require("./ApiRoleEnum"), exports);

package/dist/apikeys/listApiKeys.d.ts

@@ -0,0 +1,23 @@
+import { GrpcErrorMessage } from "@fonoster/common";
+import { ApiRoleEnum } from "./ApiRoleEnum";
+import { Prisma } from "../db";
+type ListApiKeysRequest = {
+    pageSize: number;
+    pageToken: string;
+};
+type ApiKey = {
+    ref: string;
+    accessKeyId: string;
+    role: ApiRoleEnum;
+    expiresAt: Date;
+    createdAt: Date;
+    updatedAt: Date;
+};
+type ListApiKeysResponse = {
+    items: ApiKey[];
+    nextPageToken?: string;
+};
+declare function listApiKeys(prisma: Prisma): (call: {
+    request: ListApiKeysRequest;
+}, callback: (error: GrpcErrorMessage, response?: ListApiKeysResponse) => void) => Promise<void>;
+export { listApiKeys };

package/dist/apikeys/listApiKeys.js

@@ -0,0 +1,50 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listApiKeys = void 0;
+const logger_1 = require("@fonoster/logger");
+const utils_1 = require("../utils");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+function listApiKeys(prisma) {
+    return (call, callback) => __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        const { pageSize, pageToken } = call.request;
+        const accessKeyId = (0, utils_1.getAccessKeyIdFromCall)(call);
+        logger.verbose("list keys for workspace", { accessKeyId });
+        const workspace = yield prisma.workspace.findUnique({
+            where: {
+                accessKeyId
+            }
+        });
+        const keys = yield prisma.apiKey.findMany({
+            where: {
+                workspaceRef: workspace.ref
+            },
+            take: pageSize,
+            skip: pageToken ? 1 : 0,
+            cursor: pageToken ? { ref: pageToken } : undefined
+        });
+        const items = keys.map((key) => ({
+            ref: key.ref,
+            accessKeyId: key.accessKeyId,
+            role: key.role,
+            expiresAt: key.expiresAt,
+            createdAt: key.createdAt,
+            updatedAt: key.updatedAt
+        }));
+        const response = {
+            items,
+            nextPageToken: (_a = items[items.length - 1]) === null || _a === void 0 ? void 0 : _a.ref
+        };
+        callback(null, response);
+    });
+}
+exports.listApiKeys = listApiKeys;

package/dist/apikeys/regenerateApiKey.d.ts

@@ -0,0 +1,20 @@
+import { GrpcErrorMessage } from "@fonoster/common";
+import { z } from "zod";
+import { Prisma } from "../db";
+declare const RegenerateApiKeyRequestSchema: z.ZodObject<{
+    ref: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    ref?: string;
+}, {
+    ref?: string;
+}>;
+type RegenerateApiKeyRequest = z.infer<typeof RegenerateApiKeyRequestSchema>;
+type RegenerateApiKeyResponse = {
+    ref: string;
+    accessKeyId: string;
+    accessKeySecret: string;
+};
+declare function regenerateApiKey(prisma: Prisma): (call: {
+    request: RegenerateApiKeyRequest;
+}, callback: (error: GrpcErrorMessage, response?: RegenerateApiKeyResponse) => void) => Promise<void>;
+export { regenerateApiKey };

package/dist/apikeys/regenerateApiKey.js

@@ -0,0 +1,64 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.regenerateApiKey = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const common_1 = require("@fonoster/common");
+const logger_1 = require("@fonoster/logger");
+const zod_1 = require("zod");
+const generateAccessKeySecret_1 = require("../utils/generateAccessKeySecret");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+const RegenerateApiKeyRequestSchema = zod_1.z.object({
+    ref: zod_1.z.string()
+});
+function regenerateApiKey(prisma) {
+    return (call, callback) => __awaiter(this, void 0, void 0, function* () {
+        try {
+            const validatedRequest = RegenerateApiKeyRequestSchema.parse(call.request);
+            const { ref } = validatedRequest;
+            logger.info("regenerating ApiKey", { ref });
+            const response = yield prisma.apiKey.update({
+                where: {
+                    ref
+                },
+                data: {
+                    accessKeySecret: (0, generateAccessKeySecret_1.generateAccessKeySecret)()
+                }
+            });
+            callback(null, {
+                ref: response.ref,
+                accessKeyId: response.accessKeyId,
+                accessKeySecret: response.accessKeySecret
+            });
+        }
+        catch (error) {
+            (0, common_1.handleError)(error, callback);
+        }
+    });
+}
+exports.regenerateApiKey = regenerateApiKey;

package/dist/createAuthInterceptor.d.ts

@@ -0,0 +1,15 @@
+import { ServerInterceptingCall } from "@grpc/grpc-js";
+/**
+ * This function is a gRPC interceptor that checks if the request is valid
+ * and if the user has the right permissions to access the resource. When
+ * validating the request, the function will check if the request is in the
+ * skip list, if the token is valid and if the role is allowed by the RBAC.
+ *
+ * @param {string} identityPublicKey - The public key to validate the token
+ * @param {string[]} publicPath - The list of public paths
+ * @return {Function} - The gRPC interceptor
+ */
+declare function createAuthInterceptor(identityPublicKey: string, publicPath: string[]): (methodDefinition: {
+    path: string;
+}, call: ServerInterceptingCall) => ServerInterceptingCall;
+export { createAuthInterceptor };

package/dist/createAuthInterceptor.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthInterceptor = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const logger_1 = require("@fonoster/logger");
+const errors_1 = require("./errors");
+const roles_1 = require("./roles");
+const utils_1 = require("./utils");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+/**
+ * This function is a gRPC interceptor that checks if the request is valid
+ * and if the user has the right permissions to access the resource. When
+ * validating the request, the function will check if the request is in the
+ * skip list, if the token is valid and if the role is allowed by the RBAC.
+ *
+ * @param {string} identityPublicKey - The public key to validate the token
+ * @param {string[]} publicPath - The list of public paths
+ * @return {Function} - The gRPC interceptor
+ */
+function createAuthInterceptor(identityPublicKey, publicPath) {
+    /**
+     * Inner function that will be called by the gRPC server.
+     *
+     * @param {object} methodDefinition - The method definition
+     * @param {string} methodDefinition.path - The path of the gRPC method
+     * @param {ServerInterceptingCall} call - The call object
+     * @return {ServerInterceptingCall} - The modified call object
+     */
+    return (methodDefinition, call) => {
+        const { path } = methodDefinition;
+        const accessKeyId = (0, utils_1.getAccessKeyIdFromCall)(call);
+        logger.verbose("intercepting api call to path", { accessKeyId, path });
+        if (publicPath.includes(methodDefinition.path)) {
+            logger.verbose("skipping auth for public path", { path });
+            return call;
+        }
+        const token = (0, utils_1.getTokenFromCall)(call);
+        logger.verbose("validating token", { accessKeyId, path });
+        if (!(0, utils_1.isValidToken)(token, identityPublicKey)) {
+            return (0, errors_1.unauthenticatedError)(call);
+        }
+        const decodedToken = (0, utils_1.decodeToken)(token);
+        logger.verbose("checking access for accessKeyId", {
+            accessKeyId,
+            path,
+            hasAccess: (0, utils_1.hasAccess)(decodedToken.access, path),
+            pathIsWorkspacePath: roles_1.workspaceAccess.includes(path),
+            tokenHasAccessKeyId: (0, utils_1.tokenHasAccessKeyId)(token, accessKeyId)
+        });
+        if (!(0, utils_1.hasAccess)(decodedToken.access, path) ||
+            (roles_1.workspaceAccess.includes(path) &&
+                !(0, utils_1.tokenHasAccessKeyId)(token, accessKeyId))) {
+            return (0, errors_1.permissionDeniedError)(call);
+        }
+        return call;
+    };
+}
+exports.createAuthInterceptor = createAuthInterceptor;

package/dist/db.d.ts

@@ -0,0 +1,14 @@
+import { Prisma as DMMF } from "@prisma/identity-client";
+declare const prisma: import("@prisma/identity-client/runtime/library").DynamicClientExtensionThis<DMMF.TypeMap<import("@prisma/identity-client/runtime/library").InternalArgs & {
+    result: {};
+    model: {};
+    query: {};
+    client: {};
+}>, DMMF.TypeMapCb, {
+    result: {};
+    model: {};
+    query: {};
+    client: {};
+}>;
+type Prisma = typeof prisma;
+export { prisma, Prisma };

package/dist/db.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prisma = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const identity_client_1 = require("@prisma/identity-client");
+const prisma_field_encryption_1 = require("prisma-field-encryption");
+const envs_1 = require("./envs");
+// Check the link for details on dmff:
+// https://www.npmjs.com/package/prisma-field-encryption#custom-prisma-client-location
+const prisma = new identity_client_1.PrismaClient().$extends((0, prisma_field_encryption_1.fieldEncryptionExtension)({
+    encryptionKey: envs_1.CLOAK_ENCRYPTION_KEY,
+    dmmf: identity_client_1.Prisma.dmmf
+}));
+exports.prisma = prisma;

package/dist/envs.d.ts

@@ -0,0 +1 @@
+export declare const CLOAK_ENCRYPTION_KEY: string;

package/dist/envs.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CLOAK_ENCRYPTION_KEY = void 0;
+/*
+ * Copyright (C) 2024 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const common_1 = require("@fonoster/common");
+(0, common_1.assertEnvsAreSet)(["CLOAK_ENCRYPTION_KEY"]);
+exports.CLOAK_ENCRYPTION_KEY = process.env.CLOAK_ENCRYPTION_KEY;

package/dist/errors.d.ts

@@ -0,0 +1,4 @@
+import { ServerInterceptingCall } from "@grpc/grpc-js";
+declare const unauthenticatedError: (call: ServerInterceptingCall) => ServerInterceptingCall;
+declare const permissionDeniedError: (call: ServerInterceptingCall) => ServerInterceptingCall;
+export { unauthenticatedError, permissionDeniedError };