@guren/server 0.2.0-alpha.7 → 1.0.0-rc.9

package/dist/authorization/index.js

@@ -0,0 +1,621 @@
+// src/errors/HttpException.ts
+var HttpException = class _HttpException extends Error {
+  /**
+   * HTTP status code.
+   */
+  statusCode;
+  /**
+   * Validation or field-specific errors.
+   */
+  errors;
+  /**
+   * Additional error data.
+   */
+  data;
+  constructor(statusCode, message, errors, data) {
+    super(message);
+    this.name = this.constructor.name;
+    this.statusCode = statusCode;
+    this.errors = errors;
+    this.data = data;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+  /**
+   * Convert to response format.
+   */
+  toResponse(debug = false) {
+    const body = {
+      message: this.message
+    };
+    if (this.errors) {
+      body.errors = this.errors;
+    }
+    if (debug) {
+      body.exception = this.name;
+      body.stack = this.stack;
+    }
+    return {
+      status: this.statusCode,
+      body
+    };
+  }
+  /**
+   * Convert to JSON.
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      statusCode: this.statusCode,
+      errors: this.errors,
+      data: this.data
+    };
+  }
+  // Factory methods
+  /**
+   * Create a 400 Bad Request exception.
+   */
+  static badRequest(message = "Bad Request") {
+    return new _HttpException(400, message);
+  }
+  /**
+   * Create a 401 Unauthorized exception.
+   */
+  static unauthorized(message = "Unauthorized") {
+    return new _HttpException(401, message);
+  }
+  /**
+   * Create a 403 Forbidden exception.
+   */
+  static forbidden(message = "Forbidden") {
+    return new _HttpException(403, message);
+  }
+  /**
+   * Create a 404 Not Found exception.
+   */
+  static notFound(message = "Not Found") {
+    return new _HttpException(404, message);
+  }
+  /**
+   * Create a 405 Method Not Allowed exception.
+   */
+  static methodNotAllowed(message = "Method Not Allowed") {
+    return new _HttpException(405, message);
+  }
+  /**
+   * Create a 409 Conflict exception.
+   */
+  static conflict(message = "Conflict") {
+    return new _HttpException(409, message);
+  }
+  /**
+   * Create a 410 Gone exception.
+   */
+  static gone(message = "Gone") {
+    return new _HttpException(410, message);
+  }
+  /**
+   * Create a 422 Unprocessable Entity exception.
+   */
+  static unprocessable(message = "Unprocessable Entity", errors) {
+    return new _HttpException(422, message, errors);
+  }
+  /**
+   * Create a 429 Too Many Requests exception.
+   */
+  static tooManyRequests(message = "Too Many Requests") {
+    return new _HttpException(429, message);
+  }
+  /**
+   * Create a 500 Internal Server Error exception.
+   */
+  static internal(message = "Internal Server Error") {
+    return new _HttpException(500, message);
+  }
+  /**
+   * Create a 501 Not Implemented exception.
+   */
+  static notImplemented(message = "Not Implemented") {
+    return new _HttpException(501, message);
+  }
+  /**
+   * Create a 502 Bad Gateway exception.
+   */
+  static badGateway(message = "Bad Gateway") {
+    return new _HttpException(502, message);
+  }
+  /**
+   * Create a 503 Service Unavailable exception.
+   */
+  static serviceUnavailable(message = "Service Unavailable") {
+    return new _HttpException(503, message);
+  }
+  /**
+   * Create a 504 Gateway Timeout exception.
+   */
+  static gatewayTimeout(message = "Gateway Timeout") {
+    return new _HttpException(504, message);
+  }
+  /**
+   * Check if an error is an HTTP exception.
+   */
+  static isHttpException(error) {
+    return error instanceof _HttpException || typeof error === "object" && error !== null && "statusCode" in error && typeof error.statusCode === "number" && "toResponse" in error && typeof error.toResponse === "function";
+  }
+};
+
+// src/errors/exceptions/AuthorizationException.ts
+var AuthorizationException = class _AuthorizationException extends HttpException {
+  /**
+   * The action that was attempted.
+   */
+  action;
+  /**
+   * The resource that was being accessed.
+   */
+  resource;
+  constructor(message = "This action is unauthorized.", action, resource) {
+    super(403, message);
+    this.name = "AuthorizationException";
+    this.action = action;
+    this.resource = resource;
+  }
+  /**
+   * Create exception for a specific action and resource.
+   */
+  static forAction(action, resource) {
+    const message = resource ? `You are not authorized to ${action} this ${resource}.` : `You are not authorized to ${action}.`;
+    return new _AuthorizationException(message, action, resource);
+  }
+  /**
+   * Deny access to a resource.
+   */
+  static deny(resource) {
+    const message = resource ? `Access to ${resource} denied.` : "Access denied.";
+    return new _AuthorizationException(message, "access", resource);
+  }
+};
+
+// src/authorization/Gate.ts
+var Response = {
+  allow(message) {
+    return { allowed: true, message };
+  },
+  deny(message, code) {
+    return { allowed: false, message: message ?? "This action is unauthorized.", code };
+  },
+  denyWithStatus(status, message) {
+    return { allowed: false, message: message ?? "This action is unauthorized.", status };
+  },
+  denyAsNotFound(message) {
+    return { allowed: false, message: message ?? "Not found.", status: 404 };
+  }
+};
+var Gate = class {
+  /**
+   * Defined gates.
+   */
+  gates = /* @__PURE__ */ new Map();
+  /**
+   * Registered policies.
+   */
+  policies = /* @__PURE__ */ new Map();
+  /**
+   * Policy instances cache.
+   */
+  policyInstances = /* @__PURE__ */ new Map();
+  /**
+   * Before callbacks.
+   */
+  beforeCallbacks = [];
+  /**
+   * After callbacks.
+   */
+  afterCallbacks = [];
+  /**
+   * User resolver function.
+   */
+  userResolver;
+  /**
+   * Current user for checks.
+   */
+  currentUser = null;
+  constructor(options = {}) {
+    this.userResolver = options.userResolver;
+  }
+  /**
+   * Define a new gate.
+   */
+  define(ability, callback) {
+    this.gates.set(ability, { callback });
+    return this;
+  }
+  /**
+   * Register a policy for a model class.
+   */
+  policy(modelClass, policyClass) {
+    this.policies.set(modelClass, policyClass);
+    return this;
+  }
+  /**
+   * Register a before callback.
+   * Return true to allow, false to deny, undefined to continue.
+   */
+  before(callback) {
+    this.beforeCallbacks.push(callback);
+    return this;
+  }
+  /**
+   * Register an after callback.
+   */
+  after(callback) {
+    this.afterCallbacks.push(callback);
+    return this;
+  }
+  /**
+   * Set the current user for authorization checks.
+   */
+  forUser(user) {
+    const clone = Object.assign(
+      Object.create(Object.getPrototypeOf(this)),
+      this
+    );
+    clone.currentUser = user;
+    return clone;
+  }
+  /**
+   * Resolve the user from context.
+   */
+  async resolveUser(ctx) {
+    if (this.currentUser !== null) {
+      return this.currentUser;
+    }
+    if (this.userResolver) {
+      return this.userResolver(ctx);
+    }
+    const user = ctx.get("user");
+    return user ?? null;
+  }
+  /**
+   * Check if the user has the given ability.
+   */
+  async allows(ability, ...args) {
+    return this.check(ability, this.currentUser, ...args);
+  }
+  /**
+   * Check if the user doesn't have the given ability.
+   */
+  async denies(ability, ...args) {
+    return !await this.allows(ability, ...args);
+  }
+  /**
+   * Check if the user has any of the given abilities.
+   */
+  async any(abilities, ...args) {
+    for (const ability of abilities) {
+      if (await this.allows(ability, ...args)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Check if the user has all of the given abilities.
+   */
+  async all(abilities, ...args) {
+    for (const ability of abilities) {
+      if (!await this.allows(ability, ...args)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Check if the user has none of the given abilities.
+   */
+  async none(abilities, ...args) {
+    return !await this.any(abilities, ...args);
+  }
+  /**
+   * Authorize the ability or throw an exception.
+   */
+  async authorize(ability, ...args) {
+    const allowed = await this.allows(ability, ...args);
+    if (!allowed) {
+      throw new AuthorizationException(`This action is unauthorized.`);
+    }
+  }
+  /**
+   * Get the authorization response.
+   */
+  async inspect(ability, ...args) {
+    const allowed = await this.check(ability, this.currentUser, ...args);
+    return allowed ? Response.allow() : Response.deny();
+  }
+  /**
+   * Check the ability with a specific user.
+   */
+  async check(ability, user, ...args) {
+    for (const beforeCallback of this.beforeCallbacks) {
+      const result = await beforeCallback(user, ability, ...args);
+      if (typeof result === "boolean") {
+        await this.runAfterCallbacks(user, ability, result, args);
+        return result;
+      }
+    }
+    const model = args[0];
+    if (model !== void 0 && model !== null) {
+      const policyResult = await this.checkPolicy(ability, user, model, args.slice(1));
+      if (policyResult !== void 0) {
+        await this.runAfterCallbacks(user, ability, policyResult, args);
+        return policyResult;
+      }
+    }
+    const gate = this.gates.get(ability);
+    if (gate) {
+      const result = await gate.callback(user, ...args);
+      await this.runAfterCallbacks(user, ability, result, args);
+      return result;
+    }
+    await this.runAfterCallbacks(user, ability, false, args);
+    return false;
+  }
+  /**
+   * Check a policy for the given ability.
+   */
+  async checkPolicy(ability, user, model, additionalArgs) {
+    const modelConstructor = model?.constructor;
+    if (!modelConstructor) {
+      return void 0;
+    }
+    const policyClass = this.policies.get(modelConstructor);
+    if (!policyClass) {
+      return void 0;
+    }
+    const policy = this.getPolicyInstance(policyClass);
+    if (policy.before) {
+      const beforeResult = await policy.before(user, ability);
+      if (typeof beforeResult === "boolean") {
+        return beforeResult;
+      }
+    }
+    const method = policy[ability];
+    if (typeof method === "function") {
+      return method.call(policy, user, model, ...additionalArgs);
+    }
+    return void 0;
+  }
+  /**
+   * Get or create a policy instance.
+   */
+  getPolicyInstance(policyClass) {
+    let instance = this.policyInstances.get(policyClass);
+    if (!instance) {
+      instance = new policyClass();
+      this.policyInstances.set(policyClass, instance);
+    }
+    return instance;
+  }
+  /**
+   * Run after callbacks.
+   */
+  async runAfterCallbacks(user, ability, result, args) {
+    for (const afterCallback of this.afterCallbacks) {
+      await afterCallback(user, ability, result, args);
+    }
+  }
+  /**
+   * Get all defined abilities.
+   */
+  abilities() {
+    return Array.from(this.gates.keys());
+  }
+  /**
+   * Check if an ability is defined.
+   */
+  has(ability) {
+    return this.gates.has(ability);
+  }
+  /**
+   * Get the policy for a model.
+   */
+  getPolicyFor(model) {
+    const modelConstructor = model?.constructor;
+    if (!modelConstructor) {
+      return void 0;
+    }
+    const policyClass = this.policies.get(modelConstructor);
+    if (!policyClass) {
+      return void 0;
+    }
+    return this.getPolicyInstance(policyClass);
+  }
+};
+var globalGate = null;
+function createGate(options) {
+  return new Gate(options);
+}
+function setGate(gate) {
+  globalGate = gate;
+}
+function getGate() {
+  if (!globalGate) {
+    throw new Error("Gate not initialized. Call setGate() first.");
+  }
+  return globalGate;
+}
+function defineGate(ability, callback) {
+  getGate().define(ability, callback);
+}
+async function can(ability, ...args) {
+  return getGate().allows(ability, ...args);
+}
+async function cannot(ability, ...args) {
+  return getGate().denies(ability, ...args);
+}
+async function authorize(ability, ...args) {
+  return getGate().authorize(ability, ...args);
+}
+
+// src/authorization/Policy.ts
+var Policy = class {
+  /**
+   * Allow the action.
+   */
+  allow(message) {
+    return Response.allow(message);
+  }
+  /**
+   * Deny the action.
+   */
+  deny(message, code) {
+    return Response.deny(message, code);
+  }
+  /**
+   * Deny with a specific HTTP status.
+   */
+  denyWithStatus(status, message) {
+    return Response.denyWithStatus(status, message);
+  }
+  /**
+   * Deny as not found (404).
+   */
+  denyAsNotFound(message) {
+    return Response.denyAsNotFound(message);
+  }
+};
+function definePolicy(definition) {
+  return class extends Policy {
+    before = definition.before;
+    viewAny(user) {
+      return definition.viewAny?.(user) ?? false;
+    }
+    view(user, model) {
+      return definition.view?.(user, model) ?? false;
+    }
+    create(user) {
+      return definition.create?.(user) ?? false;
+    }
+    update(user, model) {
+      return definition.update?.(user, model) ?? false;
+    }
+    delete(user, model) {
+      return definition.delete?.(user, model) ?? false;
+    }
+    restore(user, model) {
+      return definition.restore?.(user, model) ?? false;
+    }
+    forceDelete(user, model) {
+      return definition.forceDelete?.(user, model) ?? false;
+    }
+  };
+}
+
+// src/authorization/middleware.ts
+function authorizeMiddleware(ability, modelResolver, options = {}) {
+  return async (ctx, next) => {
+    const gate = getGate();
+    const user = await gate.resolveUser(ctx);
+    const gateForUser = gate.forUser(user);
+    const abilities = Array.isArray(ability) ? ability : [ability];
+    const model = modelResolver ? await modelResolver(ctx) : void 0;
+    let authorized = false;
+    if (Array.isArray(ability)) {
+      authorized = await gateForUser.any(abilities, model);
+    } else {
+      authorized = await gateForUser.allows(ability, model);
+    }
+    if (!authorized) {
+      throw new AuthorizationException(
+        options.message ?? "This action is unauthorized."
+      );
+    }
+    await next();
+  };
+}
+function authorizeAllMiddleware(abilities, modelResolver, options = {}) {
+  return async (ctx, next) => {
+    const gate = getGate();
+    const user = await gate.resolveUser(ctx);
+    const gateForUser = gate.forUser(user);
+    const model = modelResolver ? await modelResolver(ctx) : void 0;
+    const authorized = await gateForUser.all(abilities, model);
+    if (!authorized) {
+      throw new AuthorizationException(
+        options.message ?? "This action is unauthorized."
+      );
+    }
+    await next();
+  };
+}
+function authorizeResourceMiddleware(modelResolver, options = {}) {
+  return async (ctx, next) => {
+    const method = ctx.req.method.toUpperCase();
+    let ability;
+    switch (method) {
+      case "GET":
+      case "HEAD":
+        ability = "view";
+        break;
+      case "POST":
+        ability = "create";
+        break;
+      case "PUT":
+      case "PATCH":
+        ability = "update";
+        break;
+      case "DELETE":
+        ability = "delete";
+        break;
+      default:
+        ability = "view";
+    }
+    const gate = getGate();
+    const user = await gate.resolveUser(ctx);
+    const gateForUser = gate.forUser(user);
+    const model = await modelResolver(ctx);
+    const authorized = await gateForUser.allows(ability, model);
+    if (!authorized) {
+      throw new AuthorizationException(
+        options.message ?? "This action is unauthorized."
+      );
+    }
+    await next();
+  };
+}
+function withAuthorization(gate) {
+  return async (ctx, next) => {
+    const user = await gate.resolveUser(ctx);
+    const gateForUser = gate.forUser(user);
+    ctx.set("gate", gateForUser);
+    ctx.set("can", async (ability, ...args) => {
+      return gateForUser.allows(ability, ...args);
+    });
+    ctx.set("cannot", async (ability, ...args) => {
+      return gateForUser.denies(ability, ...args);
+    });
+    ctx.set("authorize", async (ability, ...args) => {
+      return gateForUser.authorize(ability, ...args);
+    });
+    await next();
+  };
+}
+export {
+  Gate,
+  Policy,
+  Response,
+  authorize,
+  authorizeAllMiddleware,
+  authorizeMiddleware,
+  authorizeResourceMiddleware,
+  can,
+  cannot,
+  createGate,
+  defineGate,
+  definePolicy,
+  getGate,
+  setGate,
+  withAuthorization
+};