@happyvertical/smrt-users 0.31.1 → 0.32.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +40 -15
- package/dist/chunks/{TerminalAuthService-DsQBk1Hc.js → TerminalAuthService-D5VVPG9e.js} +87 -19
- package/dist/chunks/{TerminalAuthService-DsQBk1Hc.js.map → TerminalAuthService-D5VVPG9e.js.map} +1 -1
- package/dist/chunks/{index-Cp33Tyha.js → index-CitgZk-4.js} +3 -3
- package/dist/chunks/{index-Cp33Tyha.js.map → index-CitgZk-4.js.map} +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +4 -4
- package/dist/manifest.json +2 -2
- package/dist/services/PermissionResolver.d.ts +24 -3
- package/dist/services/PermissionResolver.d.ts.map +1 -1
- package/dist/services/SessionService.d.ts +42 -5
- package/dist/services/SessionService.d.ts.map +1 -1
- package/dist/services/index.d.ts +1 -1
- package/dist/services/index.d.ts.map +1 -1
- package/dist/smrt-knowledge.json +6 -6
- package/dist/sveltekit/index.d.ts +10 -0
- package/dist/sveltekit/index.d.ts.map +1 -1
- package/dist/sveltekit.js +23 -2
- package/dist/sveltekit.js.map +1 -1
- package/package.json +8 -8
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { _ as getSigKey, $ as checkKeyLength, a0 as subtleAlgorithm, a1 as JWSInvalid, a2 as isDisjoint, a3 as validateCrit, a4 as checkKeyType, a5 as encode, a6 as encode$1, a7 as concat, a8 as normalizeKey, a9 as JWTClaimsBuilder, aa as JWTInvalid, ab as errors, ac as jwtVerify } from "./TerminalAuthService-
|
|
2
|
-
import { ad, ae, af, ag, ah, ai, aj } from "./TerminalAuthService-
|
|
1
|
+
import { _ as getSigKey, $ as checkKeyLength, a0 as subtleAlgorithm, a1 as JWSInvalid, a2 as isDisjoint, a3 as validateCrit, a4 as checkKeyType, a5 as encode, a6 as encode$1, a7 as concat, a8 as normalizeKey, a9 as JWTClaimsBuilder, aa as JWTInvalid, ab as errors, ac as jwtVerify } from "./TerminalAuthService-D5VVPG9e.js";
|
|
2
|
+
import { ad, ae, af, ag, ah, ai, aj } from "./TerminalAuthService-D5VVPG9e.js";
|
|
3
3
|
async function sign(alg, key, data) {
|
|
4
4
|
const cryptoKey = await getSigKey(alg, key, "sign");
|
|
5
5
|
checkKeyLength(alg, cryptoKey);
|
|
@@ -166,4 +166,4 @@ export {
|
|
|
166
166
|
aj as jwksCache,
|
|
167
167
|
jwtVerify
|
|
168
168
|
};
|
|
169
|
-
//# sourceMappingURL=index-
|
|
169
|
+
//# sourceMappingURL=index-CitgZk-4.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index-
|
|
1
|
+
{"version":3,"file":"index-CitgZk-4.js","sources":["../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/lib/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/.pnpm/jose@6.1.3/node_modules/jose/dist/webapi/jwt/sign.js"],"sourcesContent":["import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/sign.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n if (this.#protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.#unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n"],"names":["b64u","encode"],"mappings":";;AAGO,eAAe,KAAK,KAAK,KAAK,MAAM;AACvC,QAAM,YAAY,MAAM,UAAU,KAAK,KAAK,MAAM;AAClD,iBAAe,KAAK,SAAS;AAC7B,QAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,SAAS,GAAG,WAAW,IAAI;AACrG,SAAO,IAAI,WAAW,SAAS;AACnC;ACAO,MAAM,cAAc;AAAA,EACvB;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SAAS;AACjB,QAAI,EAAE,mBAAmB,aAAa;AAClC,YAAM,IAAI,UAAU,2CAA2C;AAAA,IACnE;AACA,SAAK,WAAW;AAAA,EACpB;AAAA,EACA,mBAAmB,iBAAiB;AAChC,QAAI,KAAK,kBAAkB;AACvB,YAAM,IAAI,UAAU,4CAA4C;AAAA,IACpE;AACA,SAAK,mBAAmB;AACxB,WAAO;AAAA,EACX;AAAA,EACA,qBAAqB,mBAAmB;AACpC,QAAI,KAAK,oBAAoB;AACzB,YAAM,IAAI,UAAU,8CAA8C;AAAA,IACtE;AACA,SAAK,qBAAqB;AAC1B,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,QAAI,CAAC,KAAK,oBAAoB,CAAC,KAAK,oBAAoB;AACpD,YAAM,IAAI,WAAW,iFAAiF;AAAA,IAC1G;AACA,QAAI,CAAC,WAAW,KAAK,kBAAkB,KAAK,kBAAkB,GAAG;AAC7D,YAAM,IAAI,WAAW,2EAA2E;AAAA,IACpG;AACA,UAAM,aAAa;AAAA,MACf,GAAG,KAAK;AAAA,MACR,GAAG,KAAK;AAAA,IACpB;AACQ,UAAM,aAAa,aAAa,YAAY,oBAAI,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,KAAK,kBAAkB,UAAU;AACtH,QAAI,MAAM;AACV,QAAI,WAAW,IAAI,KAAK,GAAG;AACvB,YAAM,KAAK,iBAAiB;AAC5B,UAAI,OAAO,QAAQ,WAAW;AAC1B,cAAM,IAAI,WAAW,yEAAyE;AAAA,MAClG;AAAA,IACJ;AACA,UAAM,EAAE,IAAG,IAAK;AAChB,QAAI,OAAO,QAAQ,YAAY,CAAC,KAAK;AACjC,YAAM,IAAI,WAAW,2DAA2D;AAAA,IACpF;AACA,iBAAa,KAAK,KAAK,MAAM;AAC7B,QAAI;AACJ,QAAI;AACJ,QAAI,KAAK;AACL,iBAAWA,OAAK,KAAK,QAAQ;AAC7B,iBAAWC,SAAO,QAAQ;AAAA,IAC9B,OACK;AACD,iBAAW,KAAK;AAChB,iBAAW;AAAA,IACf;AACA,QAAI;AACJ,QAAI;AACJ,QAAI,KAAK,kBAAkB;AACvB,8BAAwBD,OAAK,KAAK,UAAU,KAAK,gBAAgB,CAAC;AAClE,6BAAuBC,SAAO,qBAAqB;AAAA,IACvD,OACK;AACD,8BAAwB;AACxB,6BAAuB,IAAI,WAAU;AAAA,IACzC;AACA,UAAM,OAAO,OAAO,sBAAsBA,SAAO,GAAG,GAAG,QAAQ;AAC/D,UAAM,IAAI,MAAM,aAAa,KAAK,GAAG;AACrC,UAAM,YAAY,MAAM,KAAK,KAAK,GAAG,IAAI;AACzC,UAAM,MAAM;AAAA,MACR,WAAWD,OAAK,SAAS;AAAA,MACzB,SAAS;AAAA,IACrB;AACQ,QAAI,KAAK,oBAAoB;AACzB,UAAI,SAAS,KAAK;AAAA,IACtB;AACA,QAAI,KAAK,kBAAkB;AACvB,UAAI,YAAY;AAAA,IACpB;AACA,WAAO;AAAA,EACX;AACJ;AC1FO,MAAM,YAAY;AAAA,EACrB;AAAA,EACA,YAAY,SAAS;AACjB,SAAK,aAAa,IAAI,cAAc,OAAO;AAAA,EAC/C;AAAA,EACA,mBAAmB,iBAAiB;AAChC,SAAK,WAAW,mBAAmB,eAAe;AAClD,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,UAAM,MAAM,MAAM,KAAK,WAAW,KAAK,KAAK,OAAO;AACnD,QAAI,IAAI,YAAY,QAAW;AAC3B,YAAM,IAAI,UAAU,2DAA2D;AAAA,IACnF;AACA,WAAO,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,IAAI,IAAI,SAAS;AAAA,EAC3D;AACJ;ACdO,MAAM,QAAQ;AAAA,EACjB;AAAA,EACA;AAAA,EACA,YAAY,UAAU,IAAI;AACtB,SAAK,OAAO,IAAI,iBAAiB,OAAO;AAAA,EAC5C;AAAA,EACA,UAAU,QAAQ;AACd,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,WAAW,SAAS;AAChB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,YAAY,UAAU;AAClB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,OAAO,OAAO;AACV,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,aAAa,OAAO;AAChB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,kBAAkB,OAAO;AACrB,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,YAAY,OAAO;AACf,SAAK,KAAK,MAAM;AAChB,WAAO;AAAA,EACX;AAAA,EACA,mBAAmB,iBAAiB;AAChC,SAAK,mBAAmB;AACxB,WAAO;AAAA,EACX;AAAA,EACA,MAAM,KAAK,KAAK,SAAS;AACrB,UAAM,MAAM,IAAI,YAAY,KAAK,KAAK,KAAI,CAAE;AAC5C,QAAI,mBAAmB,KAAK,gBAAgB;AAC5C,QAAI,MAAM,QAAQ,KAAK,kBAAkB,IAAI,KACzC,KAAK,iBAAiB,KAAK,SAAS,KAAK,KACzC,KAAK,iBAAiB,QAAQ,OAAO;AACrC,YAAM,IAAI,WAAW,qCAAqC;AAAA,IAC9D;AACA,WAAO,IAAI,KAAK,KAAK,OAAO;AAAA,EAChC;AACJ;","x_google_ignoreList":[0,1,2,3]}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
export { CliAuthRequestCollection, type CreateChildTenantOptions, type CreateSessionOptions, type GetOrCreateFromOidcOptions, GroupCollection, GroupMemberCollection, GroupRoleCollection, MagicLinkTokenCollection, MembershipCollection, MembershipOverrideCollection, type OidcClaims, type OidcIdentityResult, PermissionCollection, RoleCollection, RolePermissionCollection, SessionCollection, TenantCollection, TenantHierarchyError, TenantPermissionOverrideCollection, type TenantPermissionOverrideResult, UserCollection, UsersCliAuthRequestCollection, UsersMagicLinkTokenCollection, } from './collections/index.js';
|
|
2
2
|
export { CliAuthRequest, type CliAuthRequestStatus, DEFAULT_SESSION_TTL, DEFAULT_TOKEN_EXPIRY_SECONDS, Group, GroupMember, GroupRole, generateSessionId, MAX_TENANT_HIERARCHY_DEPTH, MagicLinkToken, Membership, MembershipOverride, Permission, Role, RolePermission, Session, Tenant, TenantPermissionOverride, User, UsersCliAuthRequest, UsersMagicLinkToken, } from './models/index.js';
|
|
3
|
-
export { type ApproveCliAuthRequestInput, applyPostgresPermissionPolicies, type CliAuthStartResult, type CliAuthTokenResult, type CreateAuthorizationUrlOptions, DEFAULT_CLI_AUTH_POLL_INTERVAL_SECONDS, DEFAULT_CLI_AUTH_REQUEST_TTL_SECONDS, DEFAULT_CLI_SESSION_TTL_SECONDS, decodeOidcTransaction, type EnsureTenantResult, encodeOidcTransaction, type GeneratePostgresPermissionSqlResult, generatePostgresPermissionSql, getCurrentSessionPermissionContext, getRequestScopedDatabase, getUsersOidcConfig, MagicLinkError, type MagicLinkResult, MagicLinkService, type MagicLinkServiceOptions, type MagicLinkVerifyResult, type OidcCallbackResult, OidcLoginError, type OidcLoginResult, OidcLoginService, type OidcLoginServiceOptions, type OidcProviderConfig, type OidcProviderKind, type OidcProviderMetadata, type OidcProviderResolution, type OidcProviderResolutionOptions, type OidcTokenEndpointAuthMethod, type OidcTokenSet, type OidcTransaction, type PermissionCatalog, PermissionCatalogService, type PermissionCatalogSource, type PermissionCatalogSyncResult, type PermissionDefinition, type PermissionResolutionOptions, type PermissionResolutionResult, PermissionResolver, type PostgresPermissionAction, type PostgresPermissionBinding, type PostgresPermissionPolicyReportItem, type PostgresPermissionPolicyTarget, type ResolvedOidcProviderConfig, registerPermissionDefinitions, resolveOidcProviderConfig, type SessionContext, type SessionPermissionRuntimeContext, type SessionPermissionRuntimeOptions, SessionService, type SessionServiceOptions, syncPermissionCatalog, type TenantPermissionInheritanceResult, TenantService, type TenantWithOwnershipResult, TerminalAuthError, TerminalAuthRateLimitError, TerminalAuthService, type TerminalAuthServiceOptions, type UsersConfig, type UsersOidcConfig, withSessionPermissionContext, } from './services/index.js';
|
|
3
|
+
export { type ApproveCliAuthRequestInput, applyPostgresPermissionPolicies, type CliAuthStartResult, type CliAuthTokenResult, type CreateAuthorizationUrlOptions, DEFAULT_CLI_AUTH_POLL_INTERVAL_SECONDS, DEFAULT_CLI_AUTH_REQUEST_TTL_SECONDS, DEFAULT_CLI_SESSION_TTL_SECONDS, decodeOidcTransaction, type EnsureTenantResult, encodeOidcTransaction, type GeneratePostgresPermissionSqlResult, generatePostgresPermissionSql, getCurrentSessionPermissionContext, getRequestScopedDatabase, getUsersOidcConfig, MagicLinkError, type MagicLinkResult, MagicLinkService, type MagicLinkServiceOptions, type MagicLinkVerifyResult, type OidcCallbackResult, OidcLoginError, type OidcLoginResult, OidcLoginService, type OidcLoginServiceOptions, type OidcProviderConfig, type OidcProviderKind, type OidcProviderMetadata, type OidcProviderResolution, type OidcProviderResolutionOptions, type OidcTokenEndpointAuthMethod, type OidcTokenSet, type OidcTransaction, type PermissionCatalog, PermissionCatalogService, type PermissionCatalogSource, type PermissionCatalogSyncResult, type PermissionDefinition, type PermissionResolutionOptions, type PermissionResolutionResult, PermissionResolver, type PostgresPermissionAction, type PostgresPermissionBinding, type PostgresPermissionPolicyReportItem, type PostgresPermissionPolicyTarget, type ResolvedOidcProviderConfig, registerPermissionDefinitions, resolveOidcProviderConfig, type SessionContext, type SessionPermissionRuntimeContext, type SessionPermissionRuntimeOptions, SessionService, type SessionServiceOptions, type SwitchTenantResult, syncPermissionCatalog, type TenantPermissionInheritanceResult, TenantService, type TenantWithOwnershipResult, TerminalAuthError, TerminalAuthRateLimitError, TerminalAuthService, type TerminalAuthServiceOptions, type UsersConfig, type UsersOidcConfig, withSessionPermissionContext, } from './services/index.js';
|
|
4
4
|
export { DEFAULT_ROLE_SLUGS, DEFAULT_ROLES, DEFAULT_TENANT_POLICY, type DefaultRoleSlug, MembershipStatus, OverrideEffect, SessionStatus, TenantPermissionEffect, type TenantPolicy, type TenantPolicyMode, TenantStatus, UserStatus, } from './types/index.js';
|
|
5
5
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AAKH,OAAO,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,EAC/B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,EACpB,4BAA4B,EAC5B,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,oBAAoB,EACpB,cAAc,EACd,wBAAwB,EACxB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,kCAAkC,EAClC,KAAK,8BAA8B,EACnC,cAAc,EACd,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,cAAc,EACd,KAAK,oBAAoB,EACzB,mBAAmB,EACnB,4BAA4B,EAC5B,KAAK,EACL,WAAW,EACX,SAAS,EACT,iBAAiB,EACjB,0BAA0B,EAC1B,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,UAAU,EACV,IAAI,EACJ,cAAc,EACd,OAAO,EACP,MAAM,EACN,wBAAwB,EACxB,IAAI,EACJ,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,KAAK,0BAA0B,EAC/B,+BAA+B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAClC,sCAAsC,EACtC,oCAAoC,EACpC,+BAA+B,EAC/B,qBAAqB,EACrB,KAAK,kBAAkB,EACvB,qBAAqB,EACrB,KAAK,mCAAmC,EACxC,6BAA6B,EAC7B,kCAAkC,EAClC,wBAAwB,EACxB,kBAAkB,EAClB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,EAChC,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,wBAAwB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,2BAA2B,EAChC,KAAK,oBAAoB,EACzB,KAAK,2BAA2B,EAChC,KAAK,0BAA0B,EAC/B,kBAAkB,EAClB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,EACnC,KAAK,0BAA0B,EAC/B,6BAA6B,EAC7B,yBAAyB,EACzB,KAAK,cAAc,EACnB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,cAAc,EACd,KAAK,qBAAqB,EAC1B,qBAAqB,EACrB,KAAK,iCAAiC,EACtC,aAAa,EACb,KAAK,yBAAyB,EAC9B,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,4BAA4B,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,qBAAqB,EACrB,KAAK,eAAe,EACpB,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,sBAAsB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,YAAY,EACZ,UAAU,GACX,MAAM,kBAAkB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AAKH,OAAO,wBAAwB,CAAC;AAGhC,OAAO,EACL,wBAAwB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,EAC/B,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,EACpB,4BAA4B,EAC5B,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,oBAAoB,EACpB,cAAc,EACd,wBAAwB,EACxB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,kCAAkC,EAClC,KAAK,8BAA8B,EACnC,cAAc,EACd,6BAA6B,EAC7B,6BAA6B,GAC9B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,cAAc,EACd,KAAK,oBAAoB,EACzB,mBAAmB,EACnB,4BAA4B,EAC5B,KAAK,EACL,WAAW,EACX,SAAS,EACT,iBAAiB,EACjB,0BAA0B,EAC1B,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,UAAU,EACV,IAAI,EACJ,cAAc,EACd,OAAO,EACP,MAAM,EACN,wBAAwB,EACxB,IAAI,EACJ,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,KAAK,0BAA0B,EAC/B,+BAA+B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,EAClC,sCAAsC,EACtC,oCAAoC,EACpC,+BAA+B,EAC/B,qBAAqB,EACrB,KAAK,kBAAkB,EACvB,qBAAqB,EACrB,KAAK,mCAAmC,EACxC,6BAA6B,EAC7B,kCAAkC,EAClC,wBAAwB,EACxB,kBAAkB,EAClB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,EAChC,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,wBAAwB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,2BAA2B,EAChC,KAAK,oBAAoB,EACzB,KAAK,2BAA2B,EAChC,KAAK,0BAA0B,EAC/B,kBAAkB,EAClB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,EACnC,KAAK,0BAA0B,EAC/B,6BAA6B,EAC7B,yBAAyB,EACzB,KAAK,cAAc,EACnB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,cAAc,EACd,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,qBAAqB,EACrB,KAAK,iCAAiC,EACtC,aAAa,EACb,KAAK,yBAAyB,EAC9B,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,EAC/B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,4BAA4B,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,kBAAkB,EAClB,aAAa,EACb,qBAAqB,EACrB,KAAK,eAAe,EACpB,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,sBAAsB,EACtB,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,YAAY,EACZ,UAAU,GACX,MAAM,kBAAkB,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { D as DEFAULT_ROLES, n as normalizeEmail, i as isValidEmail, P as PermissionCollection, p as parsePermissionSlug, a as isValidPermissionSlug, b as DEFAULT_TENANT_POLICY, T as TenantCollection, M as MembershipCollection, c as DEFAULT_ROLE_SLUGS } from "./chunks/TerminalAuthService-
|
|
2
|
-
import { U, d, e, f, g, h, G, j, k, l, m, o, q, r, s, t, O, u, v, w, R, x, S, y, z, A, B, C, E, F, H, I, J, K, U as U2, d as d2, L, N, Q, V, W, X, Y, Z } from "./chunks/TerminalAuthService-
|
|
1
|
+
import { D as DEFAULT_ROLES, n as normalizeEmail, i as isValidEmail, P as PermissionCollection, p as parsePermissionSlug, a as isValidPermissionSlug, b as DEFAULT_TENANT_POLICY, T as TenantCollection, M as MembershipCollection, c as DEFAULT_ROLE_SLUGS } from "./chunks/TerminalAuthService-D5VVPG9e.js";
|
|
2
|
+
import { U, d, e, f, g, h, G, j, k, l, m, o, q, r, s, t, O, u, v, w, R, x, S, y, z, A, B, C, E, F, H, I, J, K, U as U2, d as d2, L, N, Q, V, W, X, Y, Z } from "./chunks/TerminalAuthService-D5VVPG9e.js";
|
|
3
3
|
import { field, smrt, SmrtObject, SmrtCollection, foreignKey, ObjectRegistry, findManifestEntryByQualifiedName } from "@happyvertical/smrt-core";
|
|
4
4
|
import { getPackageConfig } from "@happyvertical/smrt-config";
|
|
5
5
|
import { createHash } from "node:crypto";
|
|
@@ -301,7 +301,7 @@ class MagicLinkService {
|
|
|
301
301
|
* The caller is responsible for emailing the token to the user.
|
|
302
302
|
*/
|
|
303
303
|
async generate(email) {
|
|
304
|
-
const { SignJWT } = await import("./chunks/index-
|
|
304
|
+
const { SignJWT } = await import("./chunks/index-CitgZk-4.js");
|
|
305
305
|
const key = await this.getSigningKey();
|
|
306
306
|
const nonce = crypto.randomUUID();
|
|
307
307
|
const normalizedEmail = normalizeEmail(email);
|
|
@@ -330,7 +330,7 @@ class MagicLinkService {
|
|
|
330
330
|
* @throws {MagicLinkError} If the token is invalid, expired, or already used
|
|
331
331
|
*/
|
|
332
332
|
async verify(token) {
|
|
333
|
-
const { jwtVerify, errors } = await import("./chunks/index-
|
|
333
|
+
const { jwtVerify, errors } = await import("./chunks/index-CitgZk-4.js");
|
|
334
334
|
const key = await this.getSigningKey();
|
|
335
335
|
let payload;
|
|
336
336
|
try {
|
package/dist/manifest.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": "1.0.0",
|
|
3
|
-
"timestamp":
|
|
3
|
+
"timestamp": 1782198558582,
|
|
4
4
|
"packageName": "@happyvertical/smrt-users",
|
|
5
|
-
"packageVersion": "0.
|
|
5
|
+
"packageVersion": "0.32.0",
|
|
6
6
|
"objects": {
|
|
7
7
|
"@happyvertical/smrt-users:UsersCliAuthRequestCollection": {
|
|
8
8
|
"name": "userscliauthrequestcollection",
|
|
@@ -34,6 +34,17 @@ export interface TenantPermissionInheritanceResult {
|
|
|
34
34
|
contributingTenantIds: string[];
|
|
35
35
|
/** Whether inheritance was active (at least one tenant in chain had inheritPermissions: true) */
|
|
36
36
|
inheritanceActive: boolean;
|
|
37
|
+
/**
|
|
38
|
+
* Permission slugs explicitly DENY'd by a `TenantPermissionOverride` anywhere
|
|
39
|
+
* in the tenant hierarchy. These are a HARD, tenant-wide block:
|
|
40
|
+
* `resolvePermissions` subtracts them AFTER role + group grants are applied,
|
|
41
|
+
* so a tenant-DENY overrides a permission a role/group otherwise grants. A
|
|
42
|
+
* more-specific membership-override GRANT can still re-add a slug listed here;
|
|
43
|
+
* a membership-override DENY stays absolute. (This set is independent of the
|
|
44
|
+
* net `permissions` above, which only reflects DENY's effect on the inherited
|
|
45
|
+
* cascade.)
|
|
46
|
+
*/
|
|
47
|
+
deniedPermissions: Set<string>;
|
|
37
48
|
}
|
|
38
49
|
/**
|
|
39
50
|
* PermissionResolver resolves the effective permissions for a user in a tenant.
|
|
@@ -121,13 +132,23 @@ export declare class PermissionResolver {
|
|
|
121
132
|
cascades: boolean;
|
|
122
133
|
}>>;
|
|
123
134
|
/**
|
|
124
|
-
* Resolve all effective permissions for a user in a tenant
|
|
135
|
+
* Resolve all effective permissions for a user in a tenant.
|
|
136
|
+
*
|
|
137
|
+
* Precedence (broad -> specific, most-specific wins):
|
|
138
|
+
* tenant-inherited (cascade)
|
|
139
|
+
* -> role
|
|
140
|
+
* -> group roles
|
|
141
|
+
* -> tenant-DENY (removes; overrides role/group grants, tenant-wide)
|
|
142
|
+
* -> membership GRANT (re-adds; most specific, can win over a tenant-DENY)
|
|
143
|
+
* -> membership DENY (absolute; always wins)
|
|
125
144
|
*
|
|
126
145
|
* Algorithm:
|
|
127
146
|
* 1. Get membership and collect all permission IDs from all sources
|
|
128
147
|
* 2. Batch fetch all permissions in a single query
|
|
129
|
-
* 3. Apply permissions from role, groups
|
|
130
|
-
* 4. DENY
|
|
148
|
+
* 3. Apply permissions from role, then groups
|
|
149
|
+
* 4. Subtract tenant-level DENY'd slugs (hard tenant-wide block)
|
|
150
|
+
* 5. Apply membership GRANT overrides (can re-add a tenant-DENY'd slug)
|
|
151
|
+
* 6. Subtract membership DENY overrides (absolute precedence)
|
|
131
152
|
*/
|
|
132
153
|
resolvePermissions(userId: string, tenantId: string, options?: PermissionResolutionOptions): Promise<PermissionResolutionResult>;
|
|
133
154
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"PermissionResolver.d.ts","sourceRoot":"","sources":["../../src/services/PermissionResolver.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AASjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,sCAAsC;IACtC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,wCAAwC;IACxC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,uCAAuC;IACvC,mBAAmB,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,2BAA2B;IAC1C;;;;OAIG;IACH,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD,wEAAwE;IACxE,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,2DAA2D;IAC3D,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,iGAAiG;IACjG,iBAAiB,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"PermissionResolver.d.ts","sourceRoot":"","sources":["../../src/services/PermissionResolver.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AASjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,sCAAsC;IACtC,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,wCAAwC;IACxC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,uCAAuC;IACvC,mBAAmB,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,2BAA2B;IAC1C;;;;OAIG;IACH,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD,wEAAwE;IACxE,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACzB,2DAA2D;IAC3D,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,iGAAiG;IACjG,iBAAiB,EAAE,OAAO,CAAC;IAC3B;;;;;;;;;OASG;IACH,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,OAAO,CAAmB;IAClC,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,wBAAwB,CAA4B;IAC5D,OAAO,CAAC,4BAA4B,CAAgC;IACpE,OAAO,CAAC,qBAAqB,CAAyB;IACtD,OAAO,CAAC,mBAAmB,CAAuB;IAClD,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,gBAAgB,CAAoB;IAC5C,OAAO,CAAC,kCAAkC,CAAsC;gBAEpE,OAAO,EAAE,gBAAgB;IAIrC;;;;;;;;;OASG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA+BjC;;;;;;;;;;;;OAYG;IACG,wBAAwB,CAC5B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,iCAAiC,CAAC;IAqI7C;;OAEG;IACG,yBAAyB,CAC7B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAmC3E;;;;;;;;;;;;;;;;;;OAkBG;IACG,kBAAkB,CACtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,0BAA0B,CAAC;IAuJtC;;OAEG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;IACG,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,EACzB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;IACG,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,EACzB,OAAO,GAAE,2BAAgC,GACxC,OAAO,CAAC,OAAO,CAAC;IAKnB;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAK5E"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { SmrtClassOptions } from '@happyvertical/smrt-core';
|
|
2
2
|
import { CreateSessionOptions } from '../collections/SessionCollection.js';
|
|
3
3
|
import { Membership } from '../models/Membership.js';
|
|
4
|
+
import { Session } from '../models/Session.js';
|
|
4
5
|
import { User } from '../models/User.js';
|
|
5
6
|
/**
|
|
6
7
|
* Session context with user and permissions
|
|
@@ -17,6 +18,28 @@ export interface SessionContext {
|
|
|
17
18
|
/** Session ID */
|
|
18
19
|
sessionId: string;
|
|
19
20
|
}
|
|
21
|
+
/**
|
|
22
|
+
* Result of {@link SessionService.switchTenant}.
|
|
23
|
+
*
|
|
24
|
+
* A successful switch into a non-null tenant ROTATES the session id (#1354
|
|
25
|
+
* follow-up): a brand-new {@link Session} is minted and the old one is revoked,
|
|
26
|
+
* so a captured pre-switch id stops validating. Callers MUST persist `sessionId`
|
|
27
|
+
* (e.g. re-set the session cookie) after a rotation.
|
|
28
|
+
*/
|
|
29
|
+
export interface SwitchTenantResult {
|
|
30
|
+
/** Whether the switch succeeded (true also for a `null` clear). */
|
|
31
|
+
switched: boolean;
|
|
32
|
+
/**
|
|
33
|
+
* The session id to use going forward: the NEW id after a rotation, the
|
|
34
|
+
* unchanged id after a `null` clear, or `null` when the switch failed
|
|
35
|
+
* (unknown session or non-member — fail-closed).
|
|
36
|
+
*/
|
|
37
|
+
sessionId: string | null;
|
|
38
|
+
/** The resulting session (new on rotation; existing on clear; null on failure). */
|
|
39
|
+
session: Session | null;
|
|
40
|
+
/** True only when a fresh session id was minted (non-null tenant switch). */
|
|
41
|
+
rotated: boolean;
|
|
42
|
+
}
|
|
20
43
|
/**
|
|
21
44
|
* Options for SessionService
|
|
22
45
|
*/
|
|
@@ -106,15 +129,29 @@ export declare class SessionService {
|
|
|
106
129
|
* query, so it must never be set to a tenant the session's user is not an
|
|
107
130
|
* active member of — otherwise a caller could read/write another tenant's data
|
|
108
131
|
* by feeding an arbitrary id here (e.g. straight from untrusted form data).
|
|
109
|
-
*
|
|
110
|
-
*
|
|
111
|
-
*
|
|
132
|
+
*
|
|
133
|
+
* Fail-closed (#1400): the user's ACTIVE membership in the target tenant is
|
|
134
|
+
* verified BEFORE any write. A non-member switch returns
|
|
135
|
+
* `{ switched: false, ... }` and mutates nothing.
|
|
136
|
+
*
|
|
137
|
+
* Session-id ROTATION (#1354 follow-up): a successful switch into a non-null
|
|
138
|
+
* tenant mints a BRAND-NEW session (fresh secure id, fresh TTL) for the same
|
|
139
|
+
* user with the new tenant, then REVOKES the old session — so any captured
|
|
140
|
+
* pre-switch session id immediately stops validating, shrinking the blast
|
|
141
|
+
* radius of a leaked id across a privilege/tenant boundary. The device context
|
|
142
|
+
* (user agent, IP, custom data) carries over to the new session. Callers MUST
|
|
143
|
+
* persist the returned `sessionId` (e.g. re-set the cookie).
|
|
144
|
+
*
|
|
145
|
+
* Passing `null` clears the tenant context, is always allowed, and stays
|
|
146
|
+
* in-place (no rotation — there is no privilege boundary being crossed).
|
|
147
|
+
*
|
|
148
|
+
* @returns A {@link SwitchTenantResult}; check `switched` for success.
|
|
112
149
|
*/
|
|
113
|
-
switchTenant(sessionId: string, tenantId: string | null): Promise<
|
|
150
|
+
switchTenant(sessionId: string, tenantId: string | null): Promise<SwitchTenantResult>;
|
|
114
151
|
/**
|
|
115
152
|
* Get all active sessions for a user (for "manage sessions" UI)
|
|
116
153
|
*/
|
|
117
|
-
getUserSessions(userId: string): Promise<
|
|
154
|
+
getUserSessions(userId: string): Promise<Session[]>;
|
|
118
155
|
/**
|
|
119
156
|
* Clean up expired sessions (run periodically)
|
|
120
157
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SessionService.d.ts","sourceRoot":"","sources":["../../src/services/SessionService.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EACL,KAAK,oBAAoB,EAE1B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"SessionService.d.ts","sourceRoot":"","sources":["../../src/services/SessionService.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EACL,KAAK,oBAAoB,EAE1B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAuB,KAAK,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAG9C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sBAAsB;IACtB,IAAI,EAAE,IAAI,CAAC;IACX,oEAAoE;IACpE,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B,gCAAgC;IAChC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,QAAQ,EAAE,OAAO,CAAC;IAClB;;;;OAIG;IACH,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,mFAAmF;IACnF,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,6EAA6E;IAC7E,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iEAAiE;IACjE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,iBAAiB,CAAqB;IAC9C,OAAO,CAAC,cAAc,CAAkB;IACxC,OAAO,CAAC,oBAAoB,CAAwB;IACpD,OAAO,CAAC,kBAAkB,CAAsB;IAChD,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAU;gBAEhB,OAAO,EAAE,qBAAqB;IAM1C;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAWjC;;;;;;;OAOG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,OAAO,CAAC,oBAAoB,CAAC,GACtC,OAAO,CAAC,MAAM,CAAC;IAalB;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA6C3E;;OAEG;IACH,WAAW;IAIX;;OAEG;IACG,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD;;OAEG;IACG,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIzD;;OAEG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI7D;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACG,YAAY,CAChB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,GAAG,IAAI,GACtB,OAAO,CAAC,kBAAkB,CAAC;IAyD9B;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM;IAIpC;;OAEG;IACG,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI/C;;OAEG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAM5E;;OAEG;IACG,cAAc,CAAC,CAAC,EACpB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IAIzB;;OAEG;IACG,cAAc,CAClB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,OAAO,CAAC;IAInB;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,cAAc,CAAC;CAK7E"}
|
package/dist/services/index.d.ts
CHANGED
|
@@ -8,7 +8,7 @@ export { type PermissionCatalog, PermissionCatalogService, type PermissionCatalo
|
|
|
8
8
|
export { type PermissionResolutionOptions, type PermissionResolutionResult, PermissionResolver, type TenantPermissionInheritanceResult, } from './PermissionResolver.js';
|
|
9
9
|
export { applyPostgresPermissionPolicies, type GeneratePostgresPermissionSqlResult, generatePostgresPermissionSql, type PostgresPermissionPolicyReportItem, type PostgresPermissionPolicyTarget, } from './PostgresPermissionPolicies.js';
|
|
10
10
|
export { getCurrentSessionPermissionContext, getRequestScopedDatabase, type SessionPermissionRuntimeContext, type SessionPermissionRuntimeOptions, withSessionPermissionContext, } from './SessionPermissionContext.js';
|
|
11
|
-
export { type SessionContext, SessionService, type SessionServiceOptions, } from './SessionService.js';
|
|
11
|
+
export { type SessionContext, SessionService, type SessionServiceOptions, type SwitchTenantResult, } from './SessionService.js';
|
|
12
12
|
export { type EnsureTenantResult, TenantService, type TenantWithOwnershipResult, } from './TenantService.js';
|
|
13
13
|
export { type ApproveCliAuthRequestInput, type CliAuthStartResult, type CliAuthTokenResult, DEFAULT_CLI_AUTH_APPROVE_ATTEMPT_WINDOW_SECONDS, DEFAULT_CLI_AUTH_MAX_APPROVE_ATTEMPTS, DEFAULT_CLI_AUTH_POLL_INTERVAL_SECONDS, DEFAULT_CLI_AUTH_REQUEST_TTL_SECONDS, DEFAULT_CLI_SESSION_TTL_SECONDS, TerminalAuthError, TerminalAuthRateLimitError, TerminalAuthService, type TerminalAuthServiceOptions, } from './TerminalAuthService.js';
|
|
14
14
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,KAAK,6BAA6B,EAClC,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,KAAK,kBAAkB,EACvB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,EAChC,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,0BAA0B,EAC/B,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,KAAK,iBAAiB,EACtB,wBAAwB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,2BAA2B,EAChC,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,6BAA6B,EAC7B,qBAAqB,EACrB,KAAK,WAAW,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,KAAK,2BAA2B,EAChC,KAAK,0BAA0B,EAC/B,kBAAkB,EAClB,KAAK,iCAAiC,GACvC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,+BAA+B,EAC/B,KAAK,mCAAmC,EACxC,6BAA6B,EAC7B,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,GACpC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,kCAAkC,EAClC,wBAAwB,EACxB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,4BAA4B,GAC7B,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,KAAK,qBAAqB,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,KAAK,6BAA6B,EAClC,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,KAAK,kBAAkB,EACvB,cAAc,EACd,KAAK,eAAe,EACpB,gBAAgB,EAChB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,6BAA6B,EAClC,KAAK,2BAA2B,EAChC,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,0BAA0B,EAC/B,yBAAyB,EACzB,KAAK,eAAe,GACrB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,KAAK,iBAAiB,EACtB,wBAAwB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,2BAA2B,EAChC,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,6BAA6B,EAC7B,qBAAqB,EACrB,KAAK,WAAW,GACjB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,KAAK,2BAA2B,EAChC,KAAK,0BAA0B,EAC/B,kBAAkB,EAClB,KAAK,iCAAiC,GACvC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,+BAA+B,EAC/B,KAAK,mCAAmC,EACxC,6BAA6B,EAC7B,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,GACpC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,kCAAkC,EAClC,wBAAwB,EACxB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,4BAA4B,GAC7B,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,KAAK,cAAc,EACnB,cAAc,EACd,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,KAAK,kBAAkB,EACvB,aAAa,EACb,KAAK,yBAAyB,GAC/B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,+CAA+C,EAC/C,qCAAqC,EACrC,sCAAsC,EACtC,oCAAoC,EACpC,+BAA+B,EAC/B,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,GAChC,MAAM,0BAA0B,CAAC"}
|
package/dist/smrt-knowledge.json
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schemaVersion": 1,
|
|
3
|
-
"generatedAt": "2026-06-
|
|
3
|
+
"generatedAt": "2026-06-23T07:09:19.361Z",
|
|
4
4
|
"packageName": "@happyvertical/smrt-users",
|
|
5
|
-
"packageVersion": "0.
|
|
5
|
+
"packageVersion": "0.32.0",
|
|
6
6
|
"sourceManifestPath": "dist/manifest.json",
|
|
7
7
|
"agentDocPath": "AGENTS.md",
|
|
8
8
|
"sourceHashes": {
|
|
9
|
-
"manifest": "
|
|
10
|
-
"packageJson": "
|
|
11
|
-
"agents": "
|
|
9
|
+
"manifest": "f526b417cde5b18aa044abcdc6274ef62a764d0dd18f6bff043718fa6890e841",
|
|
10
|
+
"packageJson": "a32af4a443328aff88d71e82aa3baa1e7a2ac68ebecef915d9d9a0cf9ef982ba",
|
|
11
|
+
"agents": "2684404a1735fd4993d4383f2dfed5f9c0f4de68f0cbfcd996f7e94eb50ac9c8"
|
|
12
12
|
},
|
|
13
13
|
"exports": [
|
|
14
14
|
".",
|
|
@@ -2740,5 +2740,5 @@
|
|
|
2740
2740
|
"polymorphicAssociations": 0,
|
|
2741
2741
|
"uuidColumns": 47
|
|
2742
2742
|
},
|
|
2743
|
-
"agentDoc": "# @happyvertical/smrt-users\n\nMulti-tenant user management with RBAC, hierarchical tenants, session handling, and SvelteKit integration.\n\n## Models (13)\n\n| Model | Key Pattern |\n|-------|-------------|\n| User | Auth identity. `profileId` is plain string (not FK) to smrt-profiles. Email auto-lowercased. |\n| Tenant | **STI** + hierarchical parent-child. `hierarchyPath` (materialized path), `hierarchyLevel`. Max depth 10. |\n| Session | Server-side. Secure UUID. TTL in **seconds** (not ms). Status auto-updates to EXPIRED on access. |\n| MagicLinkToken | Single-use email login token. Backed by `MagicLinkService`. |\n| Role | `tenantId = null` → system role (available to all tenants). `isSystem: true` blocks deletion. |\n| Permission | Slug format: `resource.action`. Parsed by PermissionResolver. |\n| Membership | User + Tenant + Role junction. UNIQUE(userId, tenantId). |\n| Group | Team within a tenant. Multiple roles via GroupRole. |\n| GroupMember, GroupRole, RolePermission | Join tables. |\n| MembershipOverride | Per-user permission grant/deny. **DENY always wins.** |\n| TenantPermissionOverride | Tenant-level cascade overrides. Effect: INHERIT/GRANT/DENY. |\n\n## Permission Resolution —
|
|
2743
|
+
"agentDoc": "# @happyvertical/smrt-users\n\nMulti-tenant user management with RBAC, hierarchical tenants, session handling, and SvelteKit integration.\n\n## Models (13)\n\n| Model | Key Pattern |\n|-------|-------------|\n| User | Auth identity. `profileId` is plain string (not FK) to smrt-profiles. Email auto-lowercased. |\n| Tenant | **STI** + hierarchical parent-child. `hierarchyPath` (materialized path), `hierarchyLevel`. Max depth 10. |\n| Session | Server-side. Secure UUID. TTL in **seconds** (not ms). Status auto-updates to EXPIRED on access. |\n| MagicLinkToken | Single-use email login token. Backed by `MagicLinkService`. |\n| Role | `tenantId = null` → system role (available to all tenants). `isSystem: true` blocks deletion. |\n| Permission | Slug format: `resource.action`. Parsed by PermissionResolver. |\n| Membership | User + Tenant + Role junction. UNIQUE(userId, tenantId). |\n| Group | Team within a tenant. Multiple roles via GroupRole. |\n| GroupMember, GroupRole, RolePermission | Join tables. |\n| MembershipOverride | Per-user permission grant/deny. **DENY always wins.** |\n| TenantPermissionOverride | Tenant-level cascade overrides. Effect: INHERIT/GRANT/DENY. |\n\n## Permission Resolution — Precedence (broad → specific, most-specific wins)\n\n`PermissionResolver.resolvePermissions` builds the effective set in this order;\neach later layer overrides earlier ones:\n\n1. **Tenant-inherited** — walk ancestors, apply each `TenantPermissionOverride`\n down the cascade (GRANT adds, DENY removes within the hierarchy)\n2. **Membership role** — base permissions from the user's role in the tenant\n3. **Group roles** — permissions from all groups the user belongs to **in that tenant**\n4. **Tenant-level DENY** *(removes; overrides role/group grants, tenant-wide)* — a\n `TenantPermissionOverride` with effect `DENY` is a HARD, tenant-wide block: it\n subtracts the DENY'd slug even if a role or group granted it (steps 2–3). It\n sits just **above** the per-user membership overrides and **below** role/group.\n5. **Membership GRANT override** *(re-adds; most specific)* — a per-user GRANT can\n re-add a slug a tenant DENY'd in step 4, because it is more specific.\n6. **Membership DENY override** *(absolute; always wins)* — a per-user DENY removes\n the slug last and is never overridden.\n\nSo a permission a role grants but the tenant DENYs is **removed**, unless that\nexact user also has a membership-GRANT override for it. A membership-DENY always\nwins. Tenant-DENY of an inherited/cascade grant still blocks it (unchanged).\nThe hard block reflects the tenant cascade's **net** resolution, not an\nunconditional union of every DENY in the chain — so a more-specific tenant GRANT\n(e.g. a child sub-tenant re-granting a permission its parent DENYs) still wins.\n\n**Critical**: `getGroupIdsForTenant(userId, tenantId)` (joins with groups table to scope by tenant). Never use `getGroupIds()` — it's cross-tenant.\n\n## Hierarchical Tenants\n\n- `TenantCollection.createChild()` auto-calculates hierarchy fields, enforces depth limit\n- `moveToParent()` updates tenant + ALL descendants' paths/levels\n- `cascadePermissions` (parent pushes down) + `inheritPermissions` (child accepts) — both must be true\n- `getTree(rootId?)` returns nested structure for UI\n\n## SvelteKit Integration\n\n```typescript\n// hooks.server.ts\nexport const handle = createSessionHandler({ db, ttl: 604800, skipPaths: ['/api/public'] });\n// Populates event.locals: { user, membership, permissions: string[], tenantId, sessionId }\n\n// +page.server.ts\nawait createSessionCookie(event, userId, tenantId, { db });\nawait destroySessionCookie(event, { db });\nawait switchSessionTenant(event, tenantId, { db });\n```\n\n## Security (S5 #1400)\n\n- **Generated REST/MCP surface is READ-ONLY for every RBAC/identity model.**\n User, Tenant, Group, Membership, MembershipOverride, Role, Permission,\n RolePermission, GroupRole, GroupMember, and TenantPermissionOverride generate\n `list`/`get` only — `create`/`update`/`delete` are intentionally NOT\n generated. The merged `requireRouteAuth` gate (#1540) enforces *authentication*,\n not *authorization*, and these models are not `@TenantScoped`, so an\n auto-generated mutating route would let any authenticated user self-grant a\n role/permission, flip a tenant's cascade flags, or change another user's auth\n identity. Mutate them through the permission-gated services (`TenantService`,\n collection helpers) or consumer-owned, permission-checked handlers. A\n structural regression test (`security-audit-1400.test.ts`) enumerates the\n registry to assert no authority model exposes a mutating op. (`cli` stays\n enabled — local-operator surface, outside the network/agent threat model.)\n- **`switchTenant` is fail-closed AND rotates the session id.**\n `SessionService.switchTenant` / `switchSessionTenant` verify the session's user\n has an ACTIVE membership in the target tenant before any write (the tenant id\n is the isolation key for every `@TenantScoped` query). A non-member/unknown-\n session switch returns `{ switched: false, sessionId: null, ... }` and mutates\n nothing. On a successful switch into a NON-null tenant the session id is\n ROTATED: a fresh `Session` (new secure id, fresh TTL, same user, new tenant,\n device context carried over) is minted and the old session is REVOKED — so a\n captured pre-switch id immediately stops validating, shrinking the blast radius\n of a leaked id across a tenant boundary. `switchTenant` returns a\n `SwitchTenantResult` (`{ switched, sessionId, session, rotated }`); callers MUST\n persist the returned `sessionId`. `switchSessionTenant` does this for you by\n re-setting the session cookie (preserving httpOnly/secure/sameSite) to the new\n id. A `null` clear stays in place (no rotation, no cookie change). The\n low-level `SessionCollection.setSessionTenant` is the UNGUARDED primitive (used\n for the null-clear path) — never call it with an untrusted tenant id.\n- **OIDC `email_verified` is enforced.** `UserCollection.getOrCreateFromOidc`\n refuses to provision a user when the IdP explicitly returns\n `email_verified: false` (opt out with `{ allowUnverifiedEmail: true }`). An\n absent claim makes no assertion and is not enforced.\n\n## Gotchas\n\n- **seedSystemRoles() required**: call `RoleCollection.seedSystemRoles()` at app init (creates owner/admin/member/viewer)\n- **PermissionResolver casts `as any`**: collections have protected constructors — known framework limitation\n- **Session TTL in seconds**: `DEFAULT_SESSION_TTL = 7 * 24 * 60 * 60` (not milliseconds)\n- **Users are cross-tenant**: one user, many tenants via Membership. Email globally unique.\n- **Batch permission queries**: resolver fetches all permission IDs in one query, then maps to slugs (avoids N+1)\n"
|
|
2744
2744
|
}
|
|
@@ -219,6 +219,12 @@ export declare function destroySessionCookie(event: HandleInput['event'], option
|
|
|
219
219
|
* target tenant id is therefore safe to take straight from untrusted form data,
|
|
220
220
|
* but callers MUST honour the boolean result rather than assuming success.
|
|
221
221
|
*
|
|
222
|
+
* Session-id ROTATION (#1354 follow-up): a successful switch into a non-null
|
|
223
|
+
* tenant mints a fresh session and revokes the old one. This helper transparently
|
|
224
|
+
* re-sets the session COOKIE to the new id (same flags), so the old cookie value
|
|
225
|
+
* stops working and the browser carries the rotated id forward. A `null` clear
|
|
226
|
+
* leaves the id (and cookie) unchanged.
|
|
227
|
+
*
|
|
222
228
|
* @example
|
|
223
229
|
* ```typescript
|
|
224
230
|
* // +page.server.ts
|
|
@@ -244,6 +250,10 @@ export declare function destroySessionCookie(event: HandleInput['event'], option
|
|
|
244
250
|
*/
|
|
245
251
|
export declare function switchSessionTenant(event: HandleInput['event'], tenantId: string | null, options: SmrtClassOptions & {
|
|
246
252
|
cookieName?: string;
|
|
253
|
+
cookiePath?: string;
|
|
254
|
+
cookieDomain?: string;
|
|
255
|
+
cookieSecure?: boolean;
|
|
256
|
+
cookieSameSite?: 'strict' | 'lax' | 'none';
|
|
247
257
|
ttl?: number;
|
|
248
258
|
}): Promise<boolean>;
|
|
249
259
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sveltekit/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH,OAAO,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EAKL,KAAK,eAAe,EAGpB,KAAK,6BAA6B,EAClC,KAAK,eAAe,EAGrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAEL,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,EAChC,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,YAAY,EACjB,KAAK,gCAAgC,EACrC,yBAAyB,EACzB,kBAAkB,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,GAC9B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,KAAK,aAAa,EAAE,MAAM,YAAY,CAAC;AAItE;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iDAAiD;IACjD,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC3C,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,sEAAsE;IACtE,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,KAAK,WAAW,GAAG;IACjB,KAAK,EAAE;QACL,OAAO,EAAE;YACP,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;YAC1C,GAAG,EAAE,CACH,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC9B,IAAI,CAAC;YACV,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;SACnE,CAAC;QACF,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,GAAG,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7C,OAAO,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD,CAAC;AAEF,KAAK,MAAM,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAExD,KAAK,qBAAqB,GAAG;IAC3B,OAAO,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAEF,KAAK,oBAAoB,GACrB,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,GAAG,SAAS,CAAC,CAAC;AAE3D,KAAK,kBAAkB,CAAC,CAAC,IACrB,CAAC,GACD,CAAC,CAAC,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhF,MAAM,WAAW,oBACf,SAAQ,gBAAgB,EACtB,6BAA6B;IAC/B,4DAA4D;IAC5D,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,0CAA0C;IAC1C,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,uEAAuE;IACvE,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,+DAA+D;IAC/D,YAAY,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;IAC3D,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,6DAA6D;IAC7D,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,gEAAgE;IAChE,yBAAyB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACtD,8EAA8E;IAC9E,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,4CAA4C;IAC5C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0CAA0C;IAC1C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qEAAqE;IACrE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,6CAA6C;IAC7C,qBAAqB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAClD,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,kBAAkB,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,CAAC;IACzD,iDAAiD;IACjD,eAAe,CAAC,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC7C,8EAA8E;IAC9E,eAAe,CAAC,EACZ,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,qBAAqB,KAAK,MAAM,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,eAAe,CAAC;IAC7B,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,uBAAwB,SAAQ,eAAe;IAC9D,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,CAwE3E;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,EAAE,gBAAgB,GACvB,0BAA0B,GAAG;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;CAC5C,GACF,OAAO,CAAC,MAAM,CAAC,CA2BjB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,OAAO,EAAE,gBAAgB,GAAG;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sveltekit/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH,OAAO,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EAKL,KAAK,eAAe,EAGpB,KAAK,6BAA6B,EAClC,KAAK,eAAe,EAGrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAEL,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,EAChC,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,YAAY,EACjB,KAAK,gCAAgC,EACrC,yBAAyB,EACzB,kBAAkB,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,GAC9B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,KAAK,aAAa,EAAE,MAAM,YAAY,CAAC;AAItE;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iDAAiD;IACjD,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC3C,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,sEAAsE;IACtE,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,KAAK,WAAW,GAAG;IACjB,KAAK,EAAE;QACL,OAAO,EAAE;YACP,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;YAC1C,GAAG,EAAE,CACH,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC9B,IAAI,CAAC;YACV,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;SACnE,CAAC;QACF,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,GAAG,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7C,OAAO,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD,CAAC;AAEF,KAAK,MAAM,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAExD,KAAK,qBAAqB,GAAG;IAC3B,OAAO,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAEF,KAAK,oBAAoB,GACrB,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,GAAG,SAAS,CAAC,CAAC;AAE3D,KAAK,kBAAkB,CAAC,CAAC,IACrB,CAAC,GACD,CAAC,CAAC,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhF,MAAM,WAAW,oBACf,SAAQ,gBAAgB,EACtB,6BAA6B;IAC/B,4DAA4D;IAC5D,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,0CAA0C;IAC1C,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,uEAAuE;IACvE,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,+DAA+D;IAC/D,YAAY,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;IAC3D,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,6DAA6D;IAC7D,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,gEAAgE;IAChE,yBAAyB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACtD,8EAA8E;IAC9E,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,4CAA4C;IAC5C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0CAA0C;IAC1C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qEAAqE;IACrE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,6CAA6C;IAC7C,qBAAqB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAClD,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,kBAAkB,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,CAAC;IACzD,iDAAiD;IACjD,eAAe,CAAC,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC7C,8EAA8E;IAC9E,eAAe,CAAC,EACZ,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,qBAAqB,KAAK,MAAM,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,eAAe,CAAC;IAC7B,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,uBAAwB,SAAQ,eAAe;IAC9D,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,CAwE3E;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,EAAE,gBAAgB,GACvB,0BAA0B,GAAG;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;CAC5C,GACF,OAAO,CAAC,MAAM,CAAC,CA2BjB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,OAAO,EAAE,gBAAgB,GAAG;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,OAAO,EAAE,gBAAgB,GAAG;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC3C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,OAAO,CAAC,CA0ClB;AA+PD;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,qBAAqB,EAC5B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAyB/B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,qBAAqB,EAC5B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,uBAAuB,CAAC,CA0DlC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,oBAAoB,IACpD,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAI/D;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,oBAAoB,IACvD,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAW/D;AAoCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAG5E;AAED,mDAAmD;AACnD,MAAM,WAAW,qCACf,SAAQ,0BAA0B;IAClC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,CAAC,CAAC;CAC1E;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,qCAAqC,IAEhC,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAU/D;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,0BAA0B,IAErB,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAe/D;AAED;;;;GAIG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,0BAA0B,IAErB,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAY/D;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,0BAA0B,wDAIpC;AAED,qDAAqD;AACrD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,uDAAuD;AACvD,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,IAAI,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,kEAAkE;AAClE,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,6BACf,SAAQ,0BAA0B;IAClC,0DAA0D;IAC1D,WAAW,EAAE,CACX,KAAK,EAAE,qBAAqB,KACzB;QAAE,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,GAAG,SAAS,CAAC;IACtE,iDAAiD;IACjD,eAAe,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAC7E,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACvE,OAAO,EAAE,CACP,KAAK,EAAE,qBAAqB,KACzB,OAAO,CACR,2BAA2B,GAC3B;QAAE,IAAI,EAAE,SAAS,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,2BAA2B,CAAA;KAAE,CACzE,CAAC;CACH;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,6BAA6B,GACrC,wBAAwB,CAuF1B;AAuBD,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,GAChC,CAAC"}
|
package/dist/sveltekit.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { O as OidcLoginError, h as DEFAULT_SESSION_TTL, Z as withSessionPermissionContext, H as TerminalAuthRateLimitError, F as TerminalAuthError, Y as resolveOidcProviderConfig, u as OidcLoginService, N as encodeOidcTransaction, X as getUsersOidcConfig, L as decodeOidcTransaction, I as TerminalAuthService, z as SessionService } from "./chunks/TerminalAuthService-
|
|
1
|
+
import { O as OidcLoginError, h as DEFAULT_SESSION_TTL, Z as withSessionPermissionContext, H as TerminalAuthRateLimitError, F as TerminalAuthError, Y as resolveOidcProviderConfig, u as OidcLoginService, N as encodeOidcTransaction, X as getUsersOidcConfig, L as decodeOidcTransaction, I as TerminalAuthService, z as SessionService } from "./chunks/TerminalAuthService-D5VVPG9e.js";
|
|
2
2
|
import { createLogger } from "@happyvertical/logger";
|
|
3
3
|
import { ObjectRegistry } from "@happyvertical/smrt-core";
|
|
4
4
|
import { classnameToTablename } from "@happyvertical/smrt-core/utils";
|
|
@@ -554,7 +554,28 @@ async function switchSessionTenant(event, tenantId, options) {
|
|
|
554
554
|
const sessionId = event.cookies.get(cookieName);
|
|
555
555
|
if (!sessionId) return false;
|
|
556
556
|
const service = await getOrCreateSessionService(options, ttl);
|
|
557
|
-
|
|
557
|
+
const result = await service.switchTenant(sessionId, tenantId);
|
|
558
|
+
if (result.rotated && result.sessionId) {
|
|
559
|
+
const cookiePath = options.cookiePath ?? "/";
|
|
560
|
+
const cookieSameSite = options.cookieSameSite ?? "lax";
|
|
561
|
+
const cookieSecure = options.cookieSecure ?? event.url.protocol === "https:";
|
|
562
|
+
const maxAge = result.session ? Math.max(
|
|
563
|
+
0,
|
|
564
|
+
Math.round(
|
|
565
|
+
(new Date(result.session.expiresAt).getTime() - Date.now()) / 1e3
|
|
566
|
+
)
|
|
567
|
+
) : ttl;
|
|
568
|
+
event.cookies.set(cookieName, result.sessionId, {
|
|
569
|
+
path: cookiePath,
|
|
570
|
+
// undefined => SvelteKit scopes the cookie to the request host.
|
|
571
|
+
domain: options.cookieDomain,
|
|
572
|
+
httpOnly: true,
|
|
573
|
+
secure: cookieSecure,
|
|
574
|
+
sameSite: cookieSameSite,
|
|
575
|
+
maxAge
|
|
576
|
+
});
|
|
577
|
+
}
|
|
578
|
+
return result.switched;
|
|
558
579
|
}
|
|
559
580
|
function getOidcProviderName(event, options) {
|
|
560
581
|
if (typeof options.provider === "function") {
|