@generazioneai/authz 0.0.4 → 0.0.5
- package/dist/nest/authz-context.interceptor.d.ts.map +1 -1
- package/dist/nest/authz-context.interceptor.js +4 -1
- package/dist/nest/authz-context.interceptor.js.map +1 -1
- package/dist/nest/internal-auth.interceptor.d.ts +20 -0
- package/dist/nest/internal-auth.interceptor.d.ts.map +1 -1
- package/dist/nest/internal-auth.interceptor.js +38 -2
- package/dist/nest/internal-auth.interceptor.js.map +1 -1
- package/dist/snapshot/ability-builder.d.ts +2 -1
- package/dist/snapshot/ability-builder.d.ts.map +1 -1
- package/dist/snapshot/ability-builder.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authz-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"authz-context.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAuB,MAAM,MAAM,CAAC;AAKvD,qBACa,uBAAwB,YAAW,eAAe;IAC7D,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;CA0B7E"}
|
|
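--- a/package/dist/nest/authz-context.interceptor.js
+++ b/package/dist/nest/authz-context.interceptor.js
@@ -37,7 +37,10 @@ let AuthzContextInterceptor = class AuthzContextInterceptor {
 },
 ability: null,
 };
-
+// Run the whole handler inside ALS so downstream signed .send() calls — even those
+// after an await — see the context. The callback returns a promise (lastValueFrom)
+// so the store stays bound across awaits; a sync subscribe loses it at the first await.
+return (0, rxjs_1.from)(als_1.authzAls.run(ctx, () => (0, rxjs_1.lastValueFrom)(next.handle())));
 }
 };
 exports.AuthzContextInterceptor = AuthzContextInterceptor;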
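Review bot: `lastValueFrom(next.handle())` on the new return line rejects with an EmptyError when the handler's observable completes without emitting, and it forwards only the final value of a multi-value stream, so results change for any handler that is not strictly single-value. If empty completion is possible behind this interceptor, give it a default: `(0, rxjs_1.lastValueFrom)(next.handle(), { defaultValue: undefined })`. The handler is also subscribed as soon as this line runs rather than when the returned observable is subscribed, which the comment above the return should state. The enclosing method starts outside the hunk.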
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authz-context.interceptor.js","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,6DAA6D;AAC7D,EAAE;AACF,0FAA0F;AAC1F,yFAAyF;AACzF,6FAA6F;AAC7F,4FAA4F;AAC5F,2CAKwB;AACxB,+
|
|
1
|
+
{"version":3,"file":"authz-context.interceptor.js","sourceRoot":"","sources":["../../src/nest/authz-context.interceptor.ts"],"names":[],"mappings":";;;;;;;;;AAAA,6DAA6D;AAC7D,EAAE;AACF,0FAA0F;AAC1F,yFAAyF;AACzF,6FAA6F;AAC7F,4FAA4F;AAC5F,2CAKwB;AACxB,+BAAuD;AACvD,wCAA0C;AAKnC,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAClC,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QAEvD,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAsB,CAAC;QACpE,IAAI,CAAC,GAAG,EAAE,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,4CAA4C;QAEpF,MAAM,GAAG,GAAiB;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,qBAAqB,EAAE,GAAG,CAAC,qBAAqB;YAChD,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,iBAAiB;YAC/C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;YAC1F,YAAY,EAAE;gBACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;gBAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;aAC7D;YACD,OAAO,EAAE,IAA0C;SACpD,CAAC;QAEF,mFAAmF;QACnF,mFAAmF;QACnF,wFAAwF;QACxF,OAAO,IAAA,WAAI,EAAC,cAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAa,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;CACF,CAAA;AA3BY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;GACA,uBAAuB,CA2BnC"}
|
|
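--- a/package/dist/nest/internal-auth.interceptor.d.ts
+++ b/package/dist/nest/internal-auth.interceptor.d.ts
@@ -1,9 +1,15 @@
 import { type CallHandler, type ExecutionContext, type NestInterceptor } from '@nestjs/common';
 import type { Reflector } from '@nestjs/core';
 import { Observable } from 'rxjs';
+import type { AuthzContext } from '../context/authz-context';
 import { type VerificationKey } from '../nats/internal-token';
 import type { ReplayCache } from '../nats/replay-cache';
+import type { AbilityRule, SnapshotEnvelope } from '../snapshot/snapshot.envelope';
 export type InternalAuthMode = 'off' | 'shadow' | 'enforce';
+/** Step 4 — fetch a snapshot envelope by the JWT `snap` claim. */
+export interface SnapshotFetcher {
+getBySnapId(snapId: string): Promise<SnapshotEnvelope | null>;
+}
 export interface InternalAuthOptions {
 jwks: VerificationKey;
 replay: ReplayCache;
@@ -14,6 +20,14 @@ export interface InternalAuthOptions {
 mode?: InternalAuthMode;
 /** Compare the token cmd against the NATS subject. Default true. */
 strictCmd?: boolean;
+/**
+* Step 4 runtime hydration. When both are provided and the token carries a `snap`
+* claim, the verified context's ability is rehydrated from the Redis snapshot so the
+* Prisma extension can scope queries. `hydrate` is injected (createPrismaAbility) so
+* this module stays free of a static @casl/prisma dependency.
+*/
+snapshotStore?: SnapshotFetcher;
+hydrate?: (rules: AbilityRule[]) => AuthzContext['ability'];
 }
 export declare class InternalAuthInterceptor implements NestInterceptor {
 private readonly opts;
@@ -23,6 +37,12 @@ export declare class InternalAuthInterceptor implements NestInterceptor {
 intercept(context: ExecutionContext, next: CallHandler): Observable<unknown>;
 /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
 private verify;
+/**
+* Step 4 — rehydrate the ability from the Redis snapshot named by the `snap` claim.
+* Missing/evicted snapshot in enforce → throw (fail-closed: the gateway must rebuild);
+* in shadow → leave ability null (the request runs unscoped, logged elsewhere).
+*/
+private hydrateSnapshot;
 private stripToken;
 private tryGetSubject;
 }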
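Review bot: The doc block above `snapshotStore`/`hydrate` says hydration runs "when both are provided" but not what a half-wired configuration does, and because the two fields are independently optional, supplying only one still type-checks. The compiled `hydrateSnapshot` returns early when either is missing, and its own doc equates a null ability with an unscoped request, so this deserves an explicit sentence such as `Supplying only one of the two disables hydration in every mode, including enforce; the ability stays null.` If that outcome is not intended for enforce mode, a constructor check that rejects a partial pair would make the misconfiguration visible at startup instead.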
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"internal-auth.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":"AAcA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"internal-auth.interceptor.d.ts","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":"AAcA,OAAO,EAGL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAuB,MAAM,MAAM,CAAC;AAGvD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAOL,KAAK,eAAe,EACrB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAGnF,MAAM,MAAM,gBAAgB,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE5D,kEAAkE;AAClE,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,WAAW,CAAC;IACpB,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,qEAAqE;IACrE,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,oEAAoE;IACpE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,YAAY,CAAC,SAAS,CAAC,CAAC;CAC7D;AA8BD,qBACa,uBAAwB,YAAW,eAAe;IAIjD,OAAO,CAAC,QAAQ,CAAC,IAAI;IAHjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IACrD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAmB;gBAEX,IAAI,EAAE,mBAAmB;IAKtD,SAAS,CAAC,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,WAAW,GAAG,UAAU,CAAC,OAAO,CAAC;IAgC5E,yFAAyF;YAC3E,MAAM;IAqCpB;;;;OAIG;YACW,eAAe;IAsB7B,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,aAAa;CAItB"}
|
|
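--- a/package/dist/nest/internal-auth.interceptor.js
+++ b/package/dist/nest/internal-auth.interceptor.js
@@ -84,7 +84,11 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 return next.handle();
 }
 return (0, rxjs_1.from)(this.verify(context)).pipe((0, operators_1.mergeMap)((authCtx) => authCtx
-?
+? // Run the WHOLE handler inside the ALS context. The callback must return a
+// promise (lastValueFrom) so the store stays bound across every await — a
+// sync `run(ctx, () => obs.subscribe())` loses context at the first await,
+// leaving the Prisma extension unscoped (request/response RPC: single value).
+(0, rxjs_1.from)(als_1.authzAls.run(authCtx, () => (0, rxjs_1.lastValueFrom)(next.handle())))
 : next.handle()));
 }
 /** Returns the ALS context on success; in shadow mode returns null on failure (pass). */
@@ -110,7 +114,9 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 }
 if (!first)
 throw new internal_token_1.InternalAuthError('replay', `jti '${claims.jti}' already used`);
-
+const authCtx = claimsToContext(claims);
+await this.hydrateSnapshot(authCtx, claims);
+return authCtx;
 }
 catch (e) {
 const reason = e instanceof internal_token_1.InternalAuthError ? e.reason : 'sig';
@@ -122,6 +128,36 @@ let InternalAuthInterceptor = class InternalAuthInterceptor {
 throw new microservices_1.RpcException({ code: 'INTERNAL_AUTH', reason, message: e.message });
 }
 }
+/**
+* Step 4 — rehydrate the ability from the Redis snapshot named by the `snap` claim.
+* Missing/evicted snapshot in enforce → throw (fail-closed: the gateway must rebuild);
+* in shadow → leave ability null (the request runs unscoped, logged elsewhere).
+*/
+async hydrateSnapshot(ctx, claims) {
+if (!this.opts.snapshotStore || !this.opts.hydrate)
+return; // hydration not wired
+if (!claims.snap) {
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('missing', 'token has no snap claim');
+return;
+}
+const env = await this.opts.snapshotStore.getBySnapId(claims.snap);
+if (!env) {
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('backend', `snapshot '${claims.snap}' not found (evicted/expired)`);
+this.logger.warn(`shadow: snapshot '${claims.snap}' not found — running unscoped`);
+return;
+}
+if (claims.ph && env.permHash !== claims.ph) {
+// Stale token vs rebuilt snapshot; treat as a revocation signal.
+if (this.mode === 'enforce')
+throw new internal_token_1.InternalAuthError('hash', 'permHash mismatch (snapshot rebuilt/revoked)');
+this.logger.warn(`shadow: permHash mismatch snap='${claims.snap}'`);
+}
+ctx.ability = this.opts.hydrate(env.rules);
+ctx.connected = env.connected;
+ctx.accreditedAs = env.accreditedAs;
+}
 stripToken(context) {
 const data = context.switchToRpc().getData();
 if (data && internal_token_1.INTERNAL_JWT_FIELD in data)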
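Review bot: In `hydrateSnapshot` the permHash comparison is guarded by `claims.ph &&`, so a token that carries `snap` but no `ph` is hydrated from whatever the snapshot currently holds, and the revocation signal named in the comment never fires, even in enforce mode. Whether the issuer always sets `ph` is not visible here; if it does, enforce mode should require it, e.g. `if (this.mode === 'enforce' && !claims.ph) throw new internal_token_1.InternalAuthError('missing', 'token has no ph claim');`. Separately, a rejection from `getBySnapId` is not an `InternalAuthError`, so the `catch` in `verify` reports it as reason `'sig'`. Wrapping the call and rethrowing with reason `'backend'` would keep a snapshot-store outage distinguishable from a signature failure in logs and in the RpcException. `verify` starts and ends outside the hunks shown.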
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"internal-auth.interceptor.js","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":";AAAA,uFAAuF;AACvF,yFAAyF;AACzF,eAAe;AACf,EAAE;AACF,mDAAmD;AACnD,qGAAqG;AACrG,EAAE;AACF,6DAA6D;AAC7D,0FAA0F;AAC1F,8FAA8F;AAC9F,0FAA0F;AAC1F,4EAA4E;AAC5E,8FAA8F;;;;;;;;;;;;AAE9F,2CAMwB;AACxB,yDAAqD;AAErD,+
|
|
1
|
+
{"version":3,"file":"internal-auth.interceptor.js","sourceRoot":"","sources":["../../src/nest/internal-auth.interceptor.ts"],"names":[],"mappings":";AAAA,uFAAuF;AACvF,yFAAyF;AACzF,eAAe;AACf,EAAE;AACF,mDAAmD;AACnD,qGAAqG;AACrG,EAAE;AACF,6DAA6D;AAC7D,0FAA0F;AAC1F,8FAA8F;AAC9F,0FAA0F;AAC1F,4EAA4E;AAC5E,8FAA8F;;;;;;;;;;;;AAE9F,2CAMwB;AACxB,yDAAqD;AAErD,+BAAuD;AACvD,8CAA0C;AAC1C,wCAA0C;AAE1C,2DAQgC;AAGhC,iFAAwE;AA6BxE,SAAS,YAAY,CAAC,OAA2B;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAAE,OAAO,MAAM,CAAC,GAAG,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,MAAsB;IAC7C,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,GAAG;QAClB,qBAAqB,EAAE,MAAM,CAAC,EAAE;QAChC,QAAQ,EAAE,MAAM,CAAC,GAAG;QACpB,MAAM,EAAE,MAAM,CAAC,IAAI;QACnB,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,+EAA+E;QAC/E,SAAS,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,0BAA0B,EAAE,EAAE,EAAE;QAC1F,YAAY,EAAE;YACZ,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;YAC5D,QAAQ,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;SAC7D;QACD,OAAO,EAAE,IAA0C;KACpD,CAAC;AACJ,CAAC;AAGM,IAAM,uBAAuB,GAA7B,MAAM,uBAAuB;IAIlC,YAA6B,IAAyB;QAAzB,SAAI,GAAJ,IAAI,CAAqB;QAHrC,WAAM,GAAG,IAAI,eAAM,CAAC,cAAc,CAAC,CAAC;QAInD,IAAI,CAAC,IAAI;YACP,IAAI,CAAC,IAAI,IAAK,OAAO,CAAC,GAAG,CAAC,wBAA6C,IAAI,KAAK,CAAC;IACrF,CAAC;IAED,SAAS,CAAC,OAAyB,EAAE,IAAiB;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,aAAa;QAEpE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACxB,yEAAyE;YACzE,gFAAgF;YAChF,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,qDAAsB,EAAE;YAClF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,CAAC;QAED,OAAO,IAAA,WAAI,EAAC,IAAI,CAAC,MAAM,CAAC,O
AAO,CAAC,CAAC,CAAC,IAAI,CACpC,IAAA,oBAAQ,EAAC,CAAC,OAAO,EAAE,EAAE,CACnB,OAAO;YACL,CAAC,CAAC,2EAA2E;gBAC3E,0EAA0E;gBAC1E,2EAA2E;gBAC3E,8EAA8E;gBAC9E,IAAA,WAAI,EAAC,cAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,oBAAa,EAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACjE,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAClB,CACF,CAAC;IACJ,CAAC;IAED,yFAAyF;IACjF,KAAK,CAAC,MAAM,CAAC,OAAyB;QAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAyC,CAAC;QAClE,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,IAAK,IAAI,CAAC,mCAAkB,CAAwB,CAAC;YACrE,IAAI,CAAC,GAAG;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,4BAA4B,CAAC,CAAC;YAE/E,MAAM,MAAM,GAAG,MAAM,IAAA,oCAAmB,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAErF,OAAQ,IAAgC,CAAC,mCAAkB,CAAC,CAAC;YAC7D,IAAA,+BAAc,EAAC,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,GAAG;gBAAE,IAAA,0BAAS,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAEjE,IAAI,KAAc,CAAC;YACnB,IAAI,CAAC;gBACH,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,+BAAgC,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAChG,CAAC;YACD,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,kCAAiB,CAAC,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC;YAEtF,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,MAAM,GAAG,CAAC,YAAY,kCAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YACjE,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,SAAS,GAAG,IAAI,GAAG,KAAM,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC7F,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,qCAAqC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,IAAI,4BAAY,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,eAAe,CAAC,GAAiB,EAAE,MAAsB;
QACrE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,sBAAsB;QAClF,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,yBAAyB,CAAC,CAAC;YAC/F,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACnE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,SAAS,EAAE,aAAa,MAAM,CAAC,IAAI,+BAA+B,CAAC,CAAC;YAC7H,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,MAAM,CAAC,IAAI,gCAAgC,CAAC,CAAC;YACnF,OAAO;QACT,CAAC;QACD,IAAI,MAAM,CAAC,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YAC5C,iEAAiE;YACjE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,MAAM,IAAI,kCAAiB,CAAC,MAAM,EAAE,8CAA8C,CAAC,CAAC;YACjH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;QACtE,CAAC;QACD,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC;QAC9B,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;IACtC,CAAC;IAEO,UAAU,CAAC,OAAyB;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,EAAyC,CAAC;QACpF,IAAI,IAAI,IAAI,mCAAkB,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC,mCAAkB,CAAC,CAAC;IAC1E,CAAC;IAEO,aAAa,CAAC,GAAgD;QACpE,MAAM,GAAG,GAAG,GAAG,CAAC,UAAU,EAA+C,CAAC;QAC1E,OAAO,OAAO,GAAG,EAAE,UAAU,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9E,CAAC;CACF,CAAA;AAnHY,0DAAuB;kCAAvB,uBAAuB;IADnC,IAAA,mBAAU,GAAE;;GACA,uBAAuB,CAmHnC"}
|
|
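--- a/package/dist/snapshot/ability-builder.d.ts
+++ b/package/dist/snapshot/ability-builder.d.ts
@@ -1,3 +1,4 @@
+import { type PrismaAbility } from '@casl/prisma';
 import type { AuthzContext } from '../context/authz-context';
 import type { ResourceRegistry } from '../resource-registry';
 import type { AbilityRule } from './snapshot.envelope';
@@ -18,5 +19,5 @@ export interface Grant {
 */
 export declare function buildRulesFromGrants(grants: Grant[], registry: ResourceRegistry, ctx: AuthzContext): AbilityRule[];
 /** Rehydrate a PrismaAbility from serialized rules (snapshot → runtime). */
-export declare function hydrateAbility(rules: AbilityRule[]):
+export declare function hydrateAbility(rules: AbilityRule[]): PrismaAbility<any>;
 //# sourceMappingURL=ability-builder.d.ts.map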
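Review bot: The declaration file now imports from `@casl/prisma` at the top, so any consumer that type-checks this `.d.ts` needs that package resolvable. The package.json change is listed as a one-line edit and its content is not shown, so confirm `@casl/prisma` is declared as a dependency or peer dependency. The return type `PrismaAbility<any>` also drops rule typing at the package boundary, so callers' `can(...)` checks on the hydrated ability are not checked against real actions and subjects. If the source can name those, a concrete type argument in place of `any` would be safer for an authorization API.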
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"ability-builder.d.ts","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":"AAIA,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAEvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,MAAM,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAC;AAExF,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,KAAK,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,KAAK,EAAE,EACf,QAAQ,EAAE,gBAAgB,EAC1B,GAAG,EAAE,YAAY,GAChB,WAAW,EAAE,CAiBf;AAED,4EAA4E;AAC5E,wBAAgB,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,CAEvE"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,
|
|
1
|
+
{"version":3,"file":"ability-builder.js","sourceRoot":"","sources":["../../src/snapshot/ability-builder.ts"],"names":[],"mappings":";;AA2BA,oDAqBC;AAGD,wCAEC;AArDD,qFAAqF;AACrF,wFAAwF;AACxF,oFAAoF;AACpF,iEAAiE;AACjE,yCAAuE;AACvE,0DAAwD;AAiBxD;;;;GAIG;AACH,SAAgB,oBAAoB,CAClC,MAAe,EACf,QAA0B,EAC1B,GAAiB;IAEjB,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,IAAI,GAAgB,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM;YAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACxD,IAAI,CAAC,CAAC,QAAQ;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErC,IAAI,CAAC,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAChD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ;YAAE,SAAS,CAAC,gEAAgE;QACzF,IAAI,CAAC,UAAU,GAAG,IAAA,oCAAiB,EAAC,QAAQ,EAAE,GAAG,CAA4B,CAAC;QAC9E,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAAC,KAAoB;IACjD,OAAO,IAAA,4BAAmB,EAAC,KAAkD,CAAuB,CAAC;AACvG,CAAC"}
|