@hazeljs/auth 0.2.0-beta.8 → 0.2.0-beta.81

package/dist/tenant/tenant-context.js

@@ -0,0 +1,108 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantContext = void 0;
+const async_hooks_1 = require("async_hooks");
+const core_1 = require("@hazeljs/core");
+const storage = new async_hooks_1.AsyncLocalStorage();
+/**
+ * Provides request-scoped tenant context via AsyncLocalStorage.
+ *
+ * ─── Why two layers? ──────────────────────────────────────────────────────────
+ * TenantGuard enforces isolation at the HTTP layer — it rejects requests where
+ * the JWT tenant doesn't match the route tenant.  That's necessary but not
+ * sufficient: a bug in service code could still query another tenant's rows if
+ * the guard is misconfigured or skipped.
+ *
+ * TenantContext closes that gap at the DATA layer.  After the guard validates
+ * the request, it calls TenantContext.enterWith(tenantId) which seeds an
+ * AsyncLocalStorage store for the remainder of the request's async call chain.
+ * Every repository/service that injects TenantContext can then call
+ * requireId() without receiving tenantId as a function parameter.
+ *
+ * ─── Usage in a repository ───────────────────────────────────────────────────
+ * ```ts
+ * @Service()
+ * export class OrdersRepository {
+ *   constructor(private readonly tenantCtx: TenantContext) {}
+ *
+ *   findAll() {
+ *     const tenantId = this.tenantCtx.requireId();
+ *     return db.query('SELECT * FROM orders WHERE tenant_id = $1', [tenantId]);
+ *   }
+ *
+ *   findById(id: string) {
+ *     const tenantId = this.tenantCtx.requireId();
+ *     // Even a direct ID lookup is scoped — prevents horizontal privilege escalation
+ *     return db.query(
+ *       'SELECT * FROM orders WHERE id = $1 AND tenant_id = $2',
+ *       [id, tenantId]
+ *     );
+ *   }
+ * }
+ * ```
+ *
+ * ─── How it propagates ────────────────────────────────────────────────────────
+ * Node.js AsyncLocalStorage propagates through the async call graph.
+ * TenantGuard calls enterWith() during guard execution; because the route
+ * handler is called afterwards in the same async chain, it (and everything
+ * it awaits) automatically has access to the stored tenant ID.
+ */
+let TenantContext = class TenantContext {
+    /**
+     * Returns the current tenant ID, or `undefined` if called outside a
+     * request context (e.g. during startup or in a background job).
+     */
+    getId() {
+        return storage.getStore()?.tenantId;
+    }
+    /**
+     * Returns the current tenant ID and throws if it is not set.
+     *
+     * Use this in any repository or service method that must never run without
+     * a tenant — it acts as a last-resort safety net even if the guard was
+     * accidentally omitted on a route.
+     */
+    requireId() {
+        const id = this.getId();
+        if (!id) {
+            throw Object.assign(new Error('TenantContext: no tenant ID found. ' + 'Ensure TenantGuard is applied to the route.'), { status: 500 });
+        }
+        return id;
+    }
+    /**
+     * Seeds the current async context with the given tenant ID.
+     *
+     * Called internally by TenantGuard after it validates the request.
+     * Unlike `run()`, `enterWith` propagates through the rest of the current
+     * async execution chain without requiring a wrapping callback — which
+     * makes it the right tool for seeding from within a guard.
+     */
+    static enterWith(tenantId) {
+        storage.enterWith({ tenantId });
+    }
+    /**
+     * Wraps a callback so that everything inside it (and all async operations
+     * it spawns) runs with the given tenant ID in context.
+     *
+     * Use this when you need explicit scoping, e.g. in background jobs or tests:
+     *
+     * ```ts
+     * await TenantContext.run('acme', async () => {
+     *   await ordersService.processPendingOrders();
+     * });
+     * ```
+     */
+    static run(tenantId, fn) {
+        return storage.run({ tenantId }, fn);
+    }
+};
+exports.TenantContext = TenantContext;
+exports.TenantContext = TenantContext = __decorate([
+    (0, core_1.Injectable)()
+], TenantContext);

package/dist/utils/role-hierarchy.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Describes which roles a given role "inherits".
+ *
+ * Example: `{ superadmin: ['admin'], admin: ['manager'], manager: ['user'] }`
+ * means superadmin implicitly satisfies any check for admin, manager, or user.
+ */
+export type RoleHierarchyMap = Record<string, string[]>;
+/**
+ * A sensible default hierarchy for most applications.
+ * Override by passing your own map to RoleHierarchy or to RoleGuard.
+ *
+ *   superadmin → admin → manager → user
+ */
+export declare const DEFAULT_ROLE_HIERARCHY: RoleHierarchyMap;
+/**
+ * Resolves inherited roles so that a higher-level role implicitly satisfies
+ * requirements for any role it inherits.
+ *
+ * @example
+ * ```ts
+ * const h = new RoleHierarchy({ admin: ['editor'], editor: ['viewer'] });
+ *
+ * h.satisfies('admin', 'viewer')  // true  — admin → editor → viewer
+ * h.satisfies('editor', 'admin')  // false — editor does not inherit admin
+ * h.resolve('admin')              // Set { 'admin', 'editor', 'viewer' }
+ * ```
+ */
+export declare class RoleHierarchy {
+    private readonly map;
+    constructor(map?: RoleHierarchyMap);
+    /**
+     * Returns true if `userRole` satisfies the `requiredRole` check, either
+     * directly (same role) or via inheritance.
+     */
+    satisfies(userRole: string, requiredRole: string): boolean;
+    /**
+     * Returns the complete set of roles that `role` covers (itself plus all
+     * transitively inherited roles).
+     */
+    resolve(role: string): Set<string>;
+}
+//# sourceMappingURL=role-hierarchy.d.ts.map

package/dist/utils/role-hierarchy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-hierarchy.d.ts","sourceRoot":"","sources":["../../src/utils/role-hierarchy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AAExD;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,gBAKpC,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,qBAAa,aAAa;IACZ,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,GAAE,gBAAyC;IAE3E;;;OAGG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1D;;;OAGG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;CAcnC"}

package/dist/utils/role-hierarchy.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleHierarchy = exports.DEFAULT_ROLE_HIERARCHY = void 0;
+/**
+ * A sensible default hierarchy for most applications.
+ * Override by passing your own map to RoleHierarchy or to RoleGuard.
+ *
+ *   superadmin → admin → manager → user
+ */
+exports.DEFAULT_ROLE_HIERARCHY = {
+    superadmin: ['admin'],
+    admin: ['manager'],
+    manager: ['user'],
+    user: [],
+};
+/**
+ * Resolves inherited roles so that a higher-level role implicitly satisfies
+ * requirements for any role it inherits.
+ *
+ * @example
+ * ```ts
+ * const h = new RoleHierarchy({ admin: ['editor'], editor: ['viewer'] });
+ *
+ * h.satisfies('admin', 'viewer')  // true  — admin → editor → viewer
+ * h.satisfies('editor', 'admin')  // false — editor does not inherit admin
+ * h.resolve('admin')              // Set { 'admin', 'editor', 'viewer' }
+ * ```
+ */
+class RoleHierarchy {
+    constructor(map = exports.DEFAULT_ROLE_HIERARCHY) {
+        this.map = map;
+    }
+    /**
+     * Returns true if `userRole` satisfies the `requiredRole` check, either
+     * directly (same role) or via inheritance.
+     */
+    satisfies(userRole, requiredRole) {
+        return this.resolve(userRole).has(requiredRole);
+    }
+    /**
+     * Returns the complete set of roles that `role` covers (itself plus all
+     * transitively inherited roles).
+     */
+    resolve(role) {
+        const visited = new Set();
+        const queue = [role];
+        while (queue.length > 0) {
+            const current = queue.shift();
+            if (!visited.has(current)) {
+                visited.add(current);
+                (this.map[current] ?? []).forEach((child) => queue.push(child));
+            }
+        }
+        return visited;
+    }
+}
+exports.RoleHierarchy = RoleHierarchy;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hazeljs/auth",
-  "version": "0.2.0-beta.8",
+  "version": "0.2.0-beta.81",
   "description": "Authentication and JWT module for HazelJS framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -15,7 +15,6 @@
     "clean": "rm -rf dist"
   },
   "dependencies": {
-    "@hazeljs/core": "^0.2.0-beta.8",
     "jsonwebtoken": "^9.0.2"
   },
   "devDependencies": {
@@ -43,7 +42,14 @@
     "jwt",
     "security"
   ],
-  "author": "Muhammad Arslan <marslan@hazeljs.com>",
-  "license": "MIT",
-  "gitHead": "b5cc0bf7d43739cad25220a611490b1d175acd62"
+  "author": "Muhammad Arslan <muhammad.arslan@hazeljs.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/hazeljs/hazel-js/issues"
+  },
+  "homepage": "https://hazeljs.com",
+  "peerDependencies": {
+    "@hazeljs/core": ">=0.2.0-beta.0"
+  },
+  "gitHead": "1054f957451360f973469d436a1d58e57cc9231a"
 }