@hazeljs/casl 0.2.0-alpha.1

package/LICENSE

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2024 HazelJS Team
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+---
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+   Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+   stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+   that You distribute, all copyright, patent, trademark, and
+   attribution notices from the Source form of the Work,
+   excluding those notices that do not pertain to any part of
+   the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+   distribution, then any Derivative Works that You distribute must
+   include a readable copy of the attribution notices contained
+   within such NOTICE file, excluding those notices that do not
+   pertain to any part of the Derivative Works, in at least one
+   of the following places: within a NOTICE text file distributed
+   as part of the Derivative Works; within the Source form or
+   documentation, if provided along with the Derivative Works; or,
+   within a display generated by the Derivative Works, if and
+   wherever such third-party notices normally appear. The contents
+   of the NOTICE file are for informational purposes only and
+   do not modify the License. You may add Your own attribution
+   notices within Derivative Works that You distribute, alongside
+   or as an addendum to the NOTICE text from the Work, provided
+   that such additional attribution notices cannot be construed
+   as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,363 @@
+# @hazeljs/casl
+
+**Attribute-level (record-level) authorization for HazelJS, powered by [CASL](https://casl.js.org).**
+
+Where `RoleGuard` asks "is your role high enough?", `@hazeljs/casl` asks:
+> **Can _this_ user perform _this action_ on _this specific record_?**
+
+[![npm version](https://img.shields.io/npm/v/@hazeljs/casl.svg)](https://www.npmjs.com/package/@hazeljs/casl)
+[![npm downloads](https://img.shields.io/npm/dm/@hazeljs/casl)](https://www.npmjs.com/package/@hazeljs/casl)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+## Features
+
+- **`AbilityFactory`** — abstract base class; extend it to define what each role can do, including **conditional permissions** (`can('update', 'Post', { authorId: user.id })`)
+- **`CaslService`** — injectable service; call `createForUser(user)` anywhere to build an ability for record-level checks in services
+- **`@Ability()`** — parameter decorator that injects the current user's pre-built ability directly into a controller method, so services never need `CaslService` injected
+- **`PoliciesGuard`** — factory guard (`@UseGuards(PoliciesGuard(...handlers))`) that runs policy handlers before the route executes
+- **`@CheckPolicies()`** — method decorator shorthand, equivalent to `@UseGuards(PoliciesGuard(...handlers))`
+- **Function and class handlers** — use inline lambdas or `IPolicyHandler` class instances with injected dependencies
+- **Composes with the full guard stack** — designed to sit after `JwtAuthGuard`, `TenantGuard`, and `RoleGuard`
+- **No direct `@casl/ability` dependency needed** — `MongoAbility`, `AbilityBuilder`, `createMongoAbility`, `subject` are all re-exported from `@hazeljs/casl`
+
+---
+
+## Installation
+
+```bash
+npm install @hazeljs/casl
+```
+
+`@casl/ability` is a dependency of `@hazeljs/casl` and is installed automatically. You do not need to add it to your own `package.json` — import everything you need directly from `@hazeljs/casl`.
+
+---
+
+## Setup
+
+### 1. Define your ability factory
+
+Extend `AbilityFactory` and implement `createForUser` to describe what each user can do. Decorate it with `@Injectable()` so the DI container can resolve it.
+
+```typescript
+import { Injectable } from '@hazeljs/core';
+// All @casl/ability symbols are re-exported — no separate @casl/ability dep needed.
+import { AbilityFactory, MongoAbility, AbilityBuilder, createMongoAbility } from '@hazeljs/casl';
+
+type Action  = 'create' | 'read' | 'update' | 'delete' | 'manage';
+type Subject = Post | 'Post' | 'all';
+export type AppAbility = MongoAbility<[Action, Subject]>;
+
+@Injectable()
+export class AppAbilityFactory extends AbilityFactory<AppAbility> {
+  createForUser(user: AuthUser): AppAbility {
+    const { can, cannot, build } = new AbilityBuilder<AppAbility>(createMongoAbility);
+
+    if (user.role === 'admin') {
+      can('manage', 'all');                              // admin: everything
+    } else {
+      can('read',   'Post');
+      can('update', 'Post', { authorId: user.id });     // own posts only
+      cannot('delete', 'Post');
+    }
+
+    return build();
+  }
+}
+```
+
+### 2. Register `CaslModule`
+
+Call `CaslModule.forRoot()` once in your root module.
+
+```typescript
+import { HazelModule } from '@hazeljs/core';
+import { CaslModule } from '@hazeljs/casl';
+import { AppAbilityFactory } from './casl/app-ability.factory';
+
+@HazelModule({
+  imports: [
+    CaslModule.forRoot({ abilityFactory: AppAbilityFactory }),
+  ],
+})
+export class AppModule {}
+```
+
+---
+
+## Guards
+
+### `PoliciesGuard`
+
+Factory guard — pass one or more policy handlers inline. The guard builds the ability for the current user and runs every handler; if any returns `false` it throws 403.
+
+**Requires `JwtAuthGuard` (or any guard that sets `req.user`) to run first.**
+
+```typescript
+import { Controller, Get, Post, UseGuards } from '@hazeljs/core';
+import { JwtAuthGuard } from '@hazeljs/auth';
+import { PoliciesGuard } from '@hazeljs/casl';
+import type { AppAbility } from './casl/app-ability.factory';
+
+@UseGuards(JwtAuthGuard)
+@Controller('/posts')
+export class PostsController {
+
+  @UseGuards(PoliciesGuard<AppAbility>((ability) => ability.can('read', 'Post')))
+  @Get('/')
+  list() { ... }
+
+  @UseGuards(PoliciesGuard<AppAbility>((ability) => ability.can('create', 'Post')))
+  @Post('/')
+  create(@Body() dto: CreatePostDto) { ... }
+}
+```
+
+Errors thrown:
+
+| Condition | Status |
+|---|---|
+| No `req.user` (guard order wrong) | 401 |
+| Any handler returns `false` | 403 |
+
+---
+
+### `@CheckPolicies()` (shorthand)
+
+Method decorator equivalent to `@UseGuards(PoliciesGuard(...handlers))`. Cleaner syntax, same behaviour.
+
+```typescript
+import { JwtAuthGuard } from '@hazeljs/auth';
+import { CheckPolicies } from '@hazeljs/casl';
+import type { AppAbility } from './casl/app-ability.factory';
+
+@UseGuards(JwtAuthGuard)
+@Controller('/posts')
+export class PostsController {
+
+  @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+  @Get('/')
+  list() { ... }
+
+  @CheckPolicies((ability: AppAbility) => ability.can('create', 'Post'))
+  @Post('/')
+  create(@Body() dto: CreatePostDto) { ... }
+
+  // Multiple handlers — all must pass
+  @CheckPolicies(
+    (ability: AppAbility) => ability.can('read',   'Post'),
+    (ability: AppAbility) => ability.can('update', 'Post'),
+  )
+  @Get('/:id/edit')
+  editForm(@Param('id') id: string) { ... }
+}
+```
+
+---
+
+### Class-instance handlers (`IPolicyHandler`)
+
+For handlers that need constructor-injected dependencies, implement the `IPolicyHandler` interface and pass an instance:
+
+```typescript
+import { Injectable } from '@hazeljs/core';
+import { IPolicyHandler } from '@hazeljs/casl';
+import type { AppAbility } from './casl/app-ability.factory';
+
+@Injectable()
+export class CanManagePost implements IPolicyHandler<AppAbility> {
+  constructor(private readonly config: SomeService) {}
+
+  handle(ability: AppAbility): boolean {
+    return ability.can('manage', 'Post');
+  }
+}
+
+// Usage
+@CheckPolicies(new CanManagePost())
+@Delete('/:id')
+remove(@Param('id') id: string) { ... }
+```
+
+---
+
+### Combining with other guards
+
+Guards run left-to-right. The recommended order:
+
+```typescript
+@UseGuards(
+  JwtAuthGuard,                                             // 1. verify token, attach req.user
+  TenantGuard({ source: 'param', key: 'orgId' }),           // 2. enforce tenant isolation
+  RoleGuard('user'),                                        // 3. coarse role check
+)
+@Controller('/orgs/:orgId/posts')
+export class PostsController {
+
+  @CheckPolicies((ability: AppAbility) => ability.can('read', 'Post'))
+  @Get('/')
+  list() { ... }
+
+  @CheckPolicies((ability: AppAbility) => ability.can('create', 'Post'))
+  @Post('/')
+  create(@Body() dto: CreatePostDto) { ... }
+}
+```
+
+```
+Request
+  → JwtAuthGuard       — who are you?
+  → TenantGuard        — does this belong to your org?
+  → RoleGuard          — is your role high enough?
+  → @CheckPolicies     — can you act on THIS record?
+  → Controller method
+```
+
+---
+
+## `@Ability()` — inject the ability directly
+
+`@Ability()` is a **parameter decorator** that resolves `CaslService.createForUser(req.user)` once per request and injects the result straight into your controller method.  Services receive the pre-built ability instead of the raw user, keeping business logic clean.
+
+```typescript
+// posts.controller.ts
+import { Controller, Patch, Delete, Param, Body, UseGuards } from '@hazeljs/core';
+import { JwtAuthGuard, RoleGuard } from '@hazeljs/auth';
+import { Ability } from '@hazeljs/casl';
+import type { AppAbility } from './casl/app-ability.factory';
+
+@UseGuards(JwtAuthGuard, RoleGuard('user'))
+@Controller('/posts')
+export class PostsController {
+  constructor(private readonly postsService: PostsService) {}
+
+  @Patch('/:id')
+  update(
+    @Ability() ability: AppAbility,   // ← resolved from req.user automatically
+    @Param('id') id: string,
+    @Body() dto: UpdatePostDto,
+  ) {
+    return this.postsService.update(ability, id, dto);
+  }
+
+  @Delete('/:id')
+  remove(
+    @Ability() ability: AppAbility,
+    @Param('id') id: string,
+  ) {
+    return this.postsService.remove(ability, id);
+  }
+}
+```
+
+The service just receives an `AppAbility` — no `CaslService` injection needed:
+
+```typescript
+// posts.service.ts
+import { Injectable } from '@hazeljs/core';
+import { subject } from '@hazeljs/casl';   // re-exported — no @casl/ability dep needed
+import type { AppAbility } from './casl/app-ability.factory';
+
+@Injectable()
+export class PostsService {
+  constructor(private readonly postsRepo: PostsRepository) {}
+
+  async update(ability: AppAbility, postId: string, dto: UpdatePostDto) {
+    const post = await this.postsRepo.findById(postId);
+
+    // subject() tags the plain object so CASL evaluates conditional rules correctly.
+    if (!ability.can('update', subject('Post', post))) {
+      throw Object.assign(new Error('You can only edit your own posts'), { status: 403 });
+    }
+    return this.postsRepo.update(postId, dto);
+  }
+
+  async remove(ability: AppAbility, postId: string) {
+    const post = await this.postsRepo.findById(postId);
+
+    if (!ability.can('delete', subject('Post', post))) {
+      throw Object.assign(new Error('Forbidden'), { status: 403 });
+    }
+    return this.postsRepo.delete(postId);
+  }
+}
+```
+
+> **When to use `@Ability()` vs `CaslService`**  
+> Use `@Ability()` when the controller passes the ability to a single service.  Use `CaslService` directly when a service is called from multiple places (background jobs, other services) and the caller may not hold an ability object.
+
+---
+
+## Record-level checks in services (manual approach)
+
+If you prefer to inject `CaslService` directly — for example, when a service is called from multiple sources — the pattern is the same as above but the ability is built inside the service.
+
+```typescript
+import { Injectable } from '@hazeljs/core';
+import { CaslService, subject } from '@hazeljs/casl';
+import type { AppAbility } from './casl/app-ability.factory';
+
+@Injectable()
+export class PostsService {
+  constructor(
+    private readonly postsRepo: PostsRepository,
+    private readonly casl: CaslService<AppAbility>,
+  ) {}
+
+  async update(user: Record<string, unknown>, postId: string, dto: UpdatePostDto) {
+    const post    = await this.postsRepo.findById(postId);
+    const ability = this.casl.createForUser(user);
+
+    if (!ability.can('update', subject('Post', post))) {
+      throw Object.assign(new Error('You can only edit your own posts'), { status: 403 });
+    }
+    return this.postsRepo.update(postId, dto);
+  }
+}
+```
+
+> **Why use `subject()`?** When you define conditions like `can('update', 'Post', { authorId: user.id })`, CASL needs to know the subject type of the plain object you pass to `ability.can()`. `subject('Post', post)` tags the object without mutating it.
+
+---
+
+## `CaslService` API
+
+```typescript
+import { CaslService } from '@hazeljs/casl';
+
+// Inject and call createForUser to get an ability for the current user
+const ability = this.casl.createForUser(user);
+
+ability.can('read',   'Post')                          // true / false
+ability.can('update', subject('Post', post))           // checks conditions
+ability.cannot('delete', 'Post')                       // negation check
+```
+
+---
+
+## `AbilityFactory` API
+
+```typescript
+import { AbilityFactory } from '@hazeljs/casl';
+
+// Extend this abstract class
+abstract class AbilityFactory<A extends AnyAbility> {
+  abstract createForUser(user: Record<string, unknown>): A;
+}
+```
+
+---
+
+## `CaslModule.forRoot()` options
+
+| Option | Type | Required | Description |
+|---|---|---|---|
+| `abilityFactory` | `new (...args: any[]) => AbilityFactory<A>` | ✓ | Your factory class (must be `@Injectable()`) |
+
+---
+
+## Links
+
+- [Documentation](https://hazeljs.com/docs/packages/casl)
+- [GitHub](https://github.com/hazel-js/hazeljs)
+- [Issues](https://github.com/hazel-js/hazeljs/issues)
+- [Discord](https://discord.com/channels/1448263814238965833/1448263814859456575)

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "@hazeljs/casl",
+  "version": "0.2.0-alpha.1",
+  "description": "Attribute-level (resource-level) authorization for HazelJS via CASL",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "jest --coverage --passWithNoTests",
+    "lint": "eslint \"src/**/*.ts\"",
+    "lint:fix": "eslint \"src/**/*.ts\" --fix",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@casl/ability": "^6.7.3"
+  },
+  "devDependencies": {
+    "@types/node": "^20.17.50",
+    "@typescript-eslint/eslint-plugin": "^8.18.2",
+    "@typescript-eslint/parser": "^8.18.2",
+    "eslint": "^8.56.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.2",
+    "typescript": "^5.3.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hazel-js/hazeljs.git",
+    "directory": "packages/casl"
+  },
+  "keywords": [
+    "hazeljs",
+    "casl",
+    "authorization",
+    "permissions",
+    "rbac",
+    "abac",
+    "policy"
+  ],
+  "author": "Muhammad Arslan <muhammad.arslan@hazeljs.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/hazeljs/hazel-js/issues"
+  },
+  "homepage": "https://hazeljs.com",
+  "peerDependencies": {
+    "@hazeljs/core": ">=0.2.0-beta.0"
+  },
+  "gitHead": "cbc5ee2c12ced28fd0576faf13c5f078c1e8421e"
+}