@invect/rbac 0.0.1 → 0.0.3

package/dist/backend/index.mjs

@@ -8,8 +8,8 @@
 * ```ts
 * import { resolveTeamIds } from '@invect/rbac/backend';
 *
-* betterAuthPlugin({
-*   auth,
+* auth({
+*   auth: betterAuthInstance,
 *   mapUser: async (user, session) => ({
 *     id: user.id,
 *     name: user.name ?? undefined,
@@ -197,6 +197,58 @@ async function listAllDirectFlowAccess(db, flowId) {
 	const now = Date.now();
 	return rows.map(normalizeFlowAccessRecord).filter((record) => !record.expiresAt || new Date(record.expiresAt).getTime() > now);
 }
+async function grantDirectFlowAccess(db, input) {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const existingRows = await db.query("SELECT id FROM flow_access WHERE flow_id = ? AND user_id IS ? AND team_id IS ?", [
+		input.flowId,
+		input.userId ?? null,
+		input.teamId ?? null
+	]);
+	if (existingRows.length > 0) {
+		const existingId = String(existingRows[0].id);
+		await db.execute("UPDATE flow_access SET permission = ?, granted_by = ?, granted_at = ?, expires_at = ? WHERE id = ?", [
+			input.permission,
+			input.grantedBy ?? null,
+			now,
+			input.expiresAt ?? null,
+			existingId
+		]);
+		return {
+			id: existingId,
+			flowId: input.flowId,
+			userId: input.userId ?? null,
+			teamId: input.teamId ?? null,
+			permission: input.permission,
+			grantedBy: input.grantedBy ?? null,
+			grantedAt: now,
+			expiresAt: input.expiresAt ?? null
+		};
+	}
+	const id = crypto.randomUUID();
+	await db.execute("INSERT INTO flow_access (id, flow_id, user_id, team_id, permission, granted_by, granted_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
+		id,
+		input.flowId,
+		input.userId ?? null,
+		input.teamId ?? null,
+		input.permission,
+		input.grantedBy ?? null,
+		now,
+		input.expiresAt ?? null
+	]);
+	return {
+		id,
+		flowId: input.flowId,
+		userId: input.userId ?? null,
+		teamId: input.teamId ?? null,
+		permission: input.permission,
+		grantedBy: input.grantedBy ?? null,
+		grantedAt: now,
+		expiresAt: input.expiresAt ?? null
+	};
+}
+async function revokeDirectFlowAccess(db, accessId) {
+	await db.execute("DELETE FROM flow_access WHERE id = ?", [accessId]);
+}
 async function listAllEffectiveFlowAccessForPreview(db, flowId, overrideScopeId) {
 	const direct = await listAllDirectFlowAccess(db, flowId);
 	const scopeId = overrideScopeId === void 0 ? await getFlowScopeId(db, flowId) : overrideScopeId;
@@ -279,8 +331,17 @@ async function resolveAccessChangeNames(db, entries) {
 		source: entry.source
 	}));
 }
-function rbacPlugin(options = {}) {
-	const { useFlowAccessTable = true, adminPermission = "flow:read", enableTeams = true } = options;
+function rbac(options = {}) {
+	const { frontend, ...backendOptions } = options;
+	return {
+		id: "rbac",
+		name: "Role-Based Access Control",
+		backend: _rbacBackendPlugin(backendOptions),
+		frontend
+	};
+}
+function _rbacBackendPlugin(options = {}) {
+	const { adminPermission = "flow:read", enableTeams = true } = options;
 	const teamsSchema = enableTeams ? {
 		flows: { fields: { scope_id: {
 			type: "string",
@@ -444,10 +505,10 @@ function rbacPlugin(options = {}) {
 				"rbac_scope_access"
 			] : []
 		],
-		setupInstructions: "The RBAC plugin requires better-auth tables (user, session). Make sure @invect/user-auth is configured, then run `npx invect generate` followed by `npx drizzle-kit push`.",
+		setupInstructions: "The RBAC plugin requires user-auth tables (user, session). Make sure @invect/user-auth is configured, then run `npx invect-cli generate` followed by `npx drizzle-kit push`.",
 		init: async (ctx) => {
-			if (!ctx.hasPlugin("better-auth")) ctx.logger.warn("RBAC plugin requires the @invect/user-auth plugin. RBAC will work with reduced functionality (no session resolution). Make sure betterAuthPlugin() is registered before rbacPlugin().");
-			ctx.logger.info("RBAC plugin initialized", { useFlowAccessTable });
+			if (!ctx.hasPlugin("user-auth")) ctx.logger.warn("RBAC plugin requires the @invect/user-auth plugin. RBAC will work with reduced functionality (no session resolution). Make sure auth() is registered before rbac().");
+			ctx.logger.info("RBAC plugin initialized");
 		},
 		endpoints: [
 			{
@@ -510,13 +571,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					if (!ctx.identity) return {
 						status: 401,
 						body: {
@@ -533,7 +587,7 @@ function rbacPlugin(options = {}) {
 					};
 					return {
 						status: 200,
-						body: { access: await ctx.core.listFlowAccess(flowId) }
+						body: { access: await listAllDirectFlowAccess(ctx.database, flowId) }
 					};
 				}
 			},
@@ -547,13 +601,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					const { userId, teamId, permission, expiresAt } = ctx.body;
 					if (!userId && !teamId) return {
 						status: 400,
@@ -584,7 +631,7 @@ function rbacPlugin(options = {}) {
 					};
 					return {
 						status: 201,
-						body: await ctx.core.grantFlowAccess({
+						body: await grantDirectFlowAccess(ctx.database, {
 							flowId,
 							userId,
 							teamId,
@@ -605,13 +652,6 @@ function rbacPlugin(options = {}) {
 						status: 400,
 						body: { error: "Missing flowId or accessId parameter" }
 					};
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					if (!ctx.identity) return {
 						status: 401,
 						body: {
@@ -626,7 +666,7 @@ function rbacPlugin(options = {}) {
 							message: "Owner access is required to manage sharing"
 						}
 					};
-					await ctx.core.revokeFlowAccess(accessId);
+					await revokeDirectFlowAccess(ctx.database, accessId);
 					return {
 						status: 204,
 						body: null
@@ -638,13 +678,6 @@ function rbacPlugin(options = {}) {
 				path: "/rbac/flows/accessible",
 				isPublic: false,
 				handler: async (ctx) => {
-					if (!ctx.core.isFlowAccessTableEnabled()) return {
-						status: 501,
-						body: {
-							error: "Not Implemented",
-							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
-						}
-					};
 					const identity = ctx.identity;
 					if (!identity) return {
 						status: 401,
@@ -1323,7 +1356,6 @@ function rbacPlugin(options = {}) {
 				} catch {}
 			} : void 0,
 			onAuthorize: async (context) => {
-				if (!useFlowAccessTable) return;
 				const { identity, resource, action } = context;
 				if (!identity || !resource?.id) return;
 				if (!FLOW_RESOURCE_TYPES.has(resource.type)) return;
@@ -1358,6 +1390,6 @@ function rbacPlugin(options = {}) {
 	};
 }
 //#endregion
-export { rbacPlugin, resolveTeamIds };
+export { rbac, resolveTeamIds };
 
 //# sourceMappingURL=index.mjs.map