@kyro-cms/core 0.9.4 → 0.9.6

package/dist/chunk-CJONKRHJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/access/types.ts","../src/auth/api-key.ts"],"names":[],"mappings":";;;AA+CA,eAAsB,cAAA,CACpB,QACA,IAAA,EACgC;AAChC,EAAA,IAAI,OAAO,WAAW,SAAA,EAAW;AAC/B,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,IAAI,OAAO,WAAW,UAAA,EAAY;AAChC,IAAA,OAAO,MAAM,OAAO,IAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,IAAA;AACT;AAEO,SAAS,qBACX,YAAA,EACU;AACb,EAAA,MAAM,SAAsB,EAAC;AAC7B,EAAA,KAAA,MAAW,UAAU,YAAA,EAAc;AACjC,IAAA,IAAI,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,EAAU;AACxC,MAAA,MAAA,CAAO,MAAA,CAAO,QAAQ,MAAM,CAAA;AAAA,IAC9B;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAEO,SAAS,cAAA,CACd,QACA,IAAA,EACkC;AAClC,EAAA,OAAO,cAAA,CAAe,MAAA,EAAQ,IAAI,CAAA,CAAE,KAAK,CAAA,MAAA,KAAU;AACjD,IAAA,IAAI,MAAA,KAAW,MAAM,OAAO,MAAA;AAC5B,IAAA,IAAI,MAAA,KAAW,OAAO,OAAO,EAAE,KAAK,EAAE,GAAA,EAAK,MAAK,EAAE;AAClD,IAAA,OAAO,MAAA;AAAA,EACT,CAAC,CAAA;AACH;AC7CO,IAAM,kBAAA,GAAqB;AAElC,SAAS,kBAAkB,GAAA,EAAqB;AAC9C,EAAA,OAAO,GAAA,CAAI,SAAA,CAAU,CAAA,EAAG,CAAC,CAAA;AAC3B;AAEA,SAAS,mBAAA,CAAoB,GAAW,CAAA,EAAoB;AAC1D,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ;AACzB,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,IAAI;AACF,IAAA,OAAO,eAAA,CAAgB,OAAO,IAAA,CAAK,CAAC,GAAG,MAAA,CAAO,IAAA,CAAK,CAAC,CAAC,CAAA;AAAA,EACvD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,eAAsB,cAAA,CACpB,MAAA,EACA,EAAA,EACA,UAAA,EACiC;AACjC,EAAA,IAAI,CAAC,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,EAAU;AACzC,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,qBAAA,EAAsB;AAAA,EACtD;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,UAAA,CAAW,OAAO,CAAA,EAAG;AAC/B,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,wBAAA,EAAyB;AAAA,EACzD;AAEA,EAAA,MAAM,SAAA,GAAY,kBAAkB,MAAM,CAAA;AAE1C,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CAAG,IAAA,CAAK;AAAA,MAC3B,UAAA,EAAY,kBAAA;AAAA,MACZ,OAAO,EAAE,SAAA,EAAW,EAAE,MAAA,EAAQ,WAAU,EAAE;AAAA,MAC1C,KAAA,EAAO,GAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,IAAI,CAAC,MAAA,CAAO,IAAA,IAAQ,MAAA,CAAO,IAAA,CAAK,WAAW,CAAA,EAAG;AAC5C,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,iBAAA,EAAkB;AAAA,IAClD;AAEA,IAAA,IAAI,UAAA,GAAkC,IAAA;AACtC,IAAA,KAAA,MAAW,GAAA,IAAO,OAAO,IAAA,EAAM;AAC7B,MAAA,MAAM,MAAA,GAAS,GAAA;AACf,MAAA,IAAI,mBAAA,CAAoB,MAAA,CAAO,GAAA,EAAK,MAAM,CAAA,EAAG;AAC3C,QAAA,UAAA,GAAa,MAAA;AACb,QAAA;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,iBAAA,EAAkB;AAAA,IAClD;AAEA,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,UAAA,CAAW,SAAS,CAAA;AAC/C,MAAA,IAAI,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AAC1B,QAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,qBAAA,EAAsB;AAAA,MACtD;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,GAAG,MAAA,CAAO;AAAA,QACd,UAAA,EAAY,kBAAA;AAAA,QACZ,IAAI,UAAA,CAAW,EAAA;AAAA,QACf,MAAM,EAAE,UAAA,EAAA,qBAAgB,IAAA,EAAK,EAAE,aAAY;AAAE,OAC9C,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,IAAA,GAA0B;AAAA,MAC9B,IAAI,UAAA,CAAW,MAAA;AAAA,MACf,IAAA,EAAO,WAAmB,IAAA,IAAQ,QAAA;AAAA,MAClC,UAAW,UAAA,CAAmB;AAAA,KAChC;AAEA,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,UAAA,CAAW,MAAM,CAAA;AACjD,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,MAAA,CAAO,MAAA,CAAO,MAAM,MAAM,CAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAQ,UAAA,CAAW,MAAA;AAAA,MACnB,IAAA;AAAA,MACA,WAAA,EAAa,UAAA,CAAW,WAAA,IAAe,EAAC;AAAA,MACxC,UAAU,UAAA,CAAW,EAAA;AAAA,MACrB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,MAAM,IAAA,CAAK;AAAA,KACb;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,8BAA8B,KAAK,CAAA;AACjD,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,4BAAA,EAA6B;AAAA,EAC7D;AACF;AAEO,SAAS,yBAAyB,OAAA,EAAiC;AACxE,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,IAAI,UAAA,CAAW,UAAA,CAAW,SAAS,CAAA,EAAG;AACpC,MAAA,OAAO,UAAA,CAAW,KAAA,CAAM,CAAC,CAAA,CAAE,IAAA,EAAK;AAAA,IAClC;AACA,IAAA,IAAI,UAAA,CAAW,UAAA,CAAW,SAAS,CAAA,EAAG;AACpC,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA;AAC/C,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO,QAAQ,IAAA,EAAK;AAAA,EACtB;AAEA,EAAA,OAAO,IAAA;AACT;AAEO,SAAS,oBACd,MAAA,EACsB;AACtB,EAAA,IAAI,CAAC,MAAA,CAAO,KAAA,IAAS,CAAC,OAAO,MAAA,EAAQ;AACnC,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,QAAQ,MAAA,CAAO,MAAA;AAAA,IACf,IAAA,EAAM,MAAA,CAAO,IAAA,IAAQ,EAAC;AAAA,IACtB,WAAA,EAAa,MAAA,CAAO,WAAA,IAAe,EAAC;AAAA,IACpC,QAAA,EAAU,OAAO,QAAA,IAAY,EAAA;AAAA,IAC7B,UAAU,MAAA,CAAO,QAAA;AAAA,IACjB,MAAM,MAAA,CAAO;AAAA,GACf;AACF;AAEO,SAAS,mBAAA,CACd,aACA,QAAA,EACS;AACT,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AACrC,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,IAAA;AACtC,EAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,IAAA;AAE3C,EAAA,MAAM,CAAC,QAAA,EAAU,MAAM,CAAA,GAAI,QAAA,CAAS,MAAM,GAAG,CAAA;AAC7C,EAAA,IAAI,YAAY,QAAA,CAAS,CAAA,EAAG,QAAQ,CAAA,EAAA,CAAI,GAAG,OAAO,IAAA;AAElD,EAAA,OAAO,KAAA;AACT;AAEO,SAAS,cAAA,GAAyB;AACvC,EAAA,MAAM,KAAA,GAAQ,sCAAA;AACd,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,IAAA,MAAA,IAAU,KAAA,CAAM,KAAK,KAAA,CAAM,IAAA,CAAK,QAAO,GAAI,KAAA,CAAM,MAAM,CAAC,CAAA;AAAA,EAC1D;AACA,EAAA,OAAO,QAAQ,MAAM,CAAA,CAAA;AACvB;AAEO,SAAS,qBAAqB,GAAA,EAAqB;AACxD,EAAA,OAAO,GAAA,CAAI,SAAA,CAAU,CAAA,EAAG,CAAC,CAAA;AAC3B","file":"chunk-CJONKRHJ.js","sourcesContent":["import type { User, Request } from '../hooks/types.js';\n\n// ============================================================================\n// Access Control Types\n// ============================================================================\n\nexport interface WhereClause {\n  [field: string]: any;\n}\n\nexport interface AccessArgs {\n  req: Request;\n  user?: User;\n  data?: any;\n  doc?: any;\n  id?: string;\n  tenantID?: string;\n  context?: Record<string, any>;\n}\n\nexport type AccessControl = boolean | ((args: AccessArgs) => Promise<boolean | WhereClause> | boolean | WhereClause);\n\nexport interface CollectionAccess {\n  create?: AccessControl;\n  read?: AccessControl;\n  update?: AccessControl;\n  delete?: AccessControl;\n  admin?: AccessControl;\n  unlock?: AccessControl;\n  readVersions?: AccessControl;\n}\n\nexport interface GlobalAccess {\n  read?: AccessControl;\n  update?: AccessControl;\n}\n\nexport interface FieldAccess {\n  create?: AccessControl;\n  read?: AccessControl;\n  update?: AccessControl;\n}\n\n// ============================================================================\n// Access Control Evaluation\n// ============================================================================\n\nexport async function evaluateAccess(\n  access: AccessControl,\n  args: AccessArgs\n): Promise<boolean | WhereClause> {\n  if (typeof access === 'boolean') {\n    return access;\n  }\n  if (typeof access === 'function') {\n    return await access(args);\n  }\n  return true;\n}\n\nexport function mergeWhereClauses(\n  ...whereClauses: (WhereClause | boolean | undefined)[]\n): WhereClause {\n  const result: WhereClause = {};\n  for (const clause of whereClauses) {\n    if (clause && typeof clause === 'object') {\n      Object.assign(result, clause);\n    }\n  }\n  return result;\n}\n\nexport function getWhereClause(\n  access: AccessControl,\n  args: AccessArgs\n): Promise<WhereClause | undefined> {\n  return evaluateAccess(access, args).then(result => {\n    if (result === true) return undefined;\n    if (result === false) return { _id: { $eq: null } };\n    return result;\n  });\n}\n","import { timingSafeEqual } from \"crypto\";\nimport type { BaseAdapter } from \"../registry/types.js\";\nimport type { AuthUser, UserRole } from \"./types.js\";\n\nexport interface ApiKeyRecord {\n  id: string;\n  userId: string;\n  name: string;\n  key: string;\n  keyPrefix: string;\n  permissions: string[];\n  lastUsedAt?: string;\n  expiresAt?: string;\n  createdAt: string;\n}\n\nexport interface ApiKeyValidationResult {\n  valid: boolean;\n  userId?: string;\n  user?: Partial<AuthUser>;\n  permissions?: string[];\n  apiKeyId?: string;\n  error?: string;\n  tenantId?: string;\n  role?: UserRole;\n}\n\nexport interface ApiKeyContext {\n  userId: string;\n  user: Partial<AuthUser>;\n  permissions: string[];\n  apiKeyId: string;\n  tenantId?: string;\n  role?: UserRole;\n}\n\nexport const API_KEY_COLLECTION = \"_api_keys\";\n\nfunction generateKeyPrefix(key: string): string {\n  return key.substring(0, 8);\n}\n\nfunction constantTimeCompare(a: string, b: string): boolean {\n  if (a.length !== b.length) {\n    return false;\n  }\n  try {\n    return timingSafeEqual(Buffer.from(a), Buffer.from(b));\n  } catch {\n    return false;\n  }\n}\n\nexport async function validateApiKey(\n  rawKey: string,\n  db: BaseAdapter,\n  userLookup?: (userId: string) => Promise<Partial<AuthUser> | null>,\n): Promise<ApiKeyValidationResult> {\n  if (!rawKey || typeof rawKey !== \"string\") {\n    return { valid: false, error: \"No API key provided\" };\n  }\n\n  if (!rawKey.startsWith(\"kyro_\")) {\n    return { valid: false, error: \"Invalid API key format\" };\n  }\n\n  const keyPrefix = generateKeyPrefix(rawKey);\n\n  try {\n    const result = await db.find({\n      collection: API_KEY_COLLECTION,\n      where: { keyPrefix: { equals: keyPrefix } },\n      limit: 100,\n      page: 1,\n    });\n\n    if (!result.docs || result.docs.length === 0) {\n      return { valid: false, error: \"Invalid API key\" };\n    }\n\n    let matchedKey: ApiKeyRecord | null = null;\n    for (const doc of result.docs) {\n      const record = doc as unknown as ApiKeyRecord;\n      if (constantTimeCompare(record.key, rawKey)) {\n        matchedKey = record;\n        break;\n      }\n    }\n\n    if (!matchedKey) {\n      return { valid: false, error: \"Invalid API key\" };\n    }\n\n    if (matchedKey.expiresAt) {\n      const expiresAt = new Date(matchedKey.expiresAt);\n      if (expiresAt < new Date()) {\n        return { valid: false, error: \"API key has expired\" };\n      }\n    }\n\n    try {\n      await db.update({\n        collection: API_KEY_COLLECTION,\n        id: matchedKey.id,\n        data: { lastUsedAt: new Date().toISOString() },\n      });\n    } catch {\n      // Non-critical: don't fail if lastUsedAt update fails\n    }\n\n    const user: Partial<AuthUser> = {\n      id: matchedKey.userId,\n      role: (matchedKey as any).role || \"author\",\n      tenantId: (matchedKey as any).tenantId,\n    };\n\n    if (userLookup) {\n      const dbUser = await userLookup(matchedKey.userId);\n      if (dbUser) {\n        Object.assign(user, dbUser);\n      }\n    }\n\n    return {\n      valid: true,\n      userId: matchedKey.userId,\n      user,\n      permissions: matchedKey.permissions || [],\n      apiKeyId: matchedKey.id,\n      tenantId: user.tenantId,\n      role: user.role,\n    };\n  } catch (error) {\n    console.error(\"[ApiKey] Validation error:\", error);\n    return { valid: false, error: \"Failed to validate API key\" };\n  }\n}\n\nexport function extractApiKeyFromRequest(request: Request): string | null {\n  const authHeader = request.headers.get(\"Authorization\");\n  if (authHeader) {\n    if (authHeader.startsWith(\"ApiKey \")) {\n      return authHeader.slice(7).trim();\n    }\n    if (authHeader.startsWith(\"Bearer \")) {\n      return null;\n    }\n  }\n\n  const xApiKey = request.headers.get(\"X-API-Key\");\n  if (xApiKey) {\n    return xApiKey.trim();\n  }\n\n  return null;\n}\n\nexport function createApiKeyContext(\n  result: ApiKeyValidationResult,\n): ApiKeyContext | null {\n  if (!result.valid || !result.userId) {\n    return null;\n  }\n  return {\n    userId: result.userId,\n    user: result.user || {},\n    permissions: result.permissions || [],\n    apiKeyId: result.apiKeyId || \"\",\n    tenantId: result.tenantId,\n    role: result.role,\n  };\n}\n\nexport function hasApiKeyPermission(\n  permissions: string[],\n  required: string,\n): boolean {\n  if (permissions.length === 0) return false;\n  if (permissions.includes(\"*\")) return true;\n  if (permissions.includes(required)) return true;\n\n  const [resource, action] = required.split(\":\");\n  if (permissions.includes(`${resource}:*`)) return true;\n\n  return false;\n}\n\nexport function generateApiKey(): string {\n  const chars = \"abcdefghijklmnopqrstuvwxyz0123456789\";\n  let suffix = \"\";\n  for (let i = 0; i < 32; i++) {\n    suffix += chars[Math.floor(Math.random() * chars.length)];\n  }\n  return `kyro_${suffix}`;\n}\n\nexport function generateApiKeyPrefix(key: string): string {\n  return key.substring(0, 8);\n}\n"]}