@lowdefy/api 4.7.1 → 4.7.3

package/dist/context/createAuthorize.js

@@ -18,6 +18,11 @@ function createAuthorize({ session }) {
     // else session will be null
     const authenticated = !!session;
     const roles = session?.user?.roles ?? [];
+    if (!Array.isArray(roles)) {
+        throw new ConfigError('session.user.roles must be an array of strings.', {
+            received: roles
+        });
+    }
     function authorize(config) {
         const { auth } = config;
         if (auth.public === true) return true;

package/dist/routes/auth/callbacks/createSessionCallback.js

@@ -15,6 +15,7 @@
 */ import crypto from 'crypto';
 import addUserFieldsToSession from './addUserFieldsToSession.js';
 import createCallbackPlugins from './createCallbackPlugins.js';
+import validateSessionRoles from './validateSessionRoles.js';
 function createSessionCallback({ authConfig, plugins }) {
     const sessionCallbackPlugins = createCallbackPlugins({
         authConfig,
@@ -67,6 +68,9 @@ function createSessionCallback({ authConfig, plugins }) {
                 user
             });
         }
+        validateSessionRoles({
+            session
+        });
         // TODO: Should this be session.hashed_id or session.user.hashed_id
         // Only session.user will be available using the _user operator
         session.hashed_id = crypto.createHash('sha256').update(identifier ?? '').digest('base64');

package/dist/routes/auth/callbacks/validateSessionRoles.js

@@ -0,0 +1,33 @@
+/*
+  Copyright 2020-2026 Lowdefy, Inc
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/ import { ConfigError } from '@lowdefy/errors';
+import { type } from '@lowdefy/helpers';
+function validateSessionRoles({ session }) {
+    const roles = session?.user?.roles;
+    if (type.isNone(roles)) return;
+    if (!Array.isArray(roles)) {
+        throw new ConfigError('session.user.roles must be an array of strings. Check auth.userFields configuration and custom session callback plugins.', {
+            received: roles
+        });
+    }
+    for (const role of roles){
+        if (!type.isString(role)) {
+            throw new ConfigError('session.user.roles must be an array of strings. Check auth.userFields configuration and custom session callback plugins.', {
+                received: roles
+            });
+        }
+    }
+}
+export default validateSessionRoles;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lowdefy/api",
-  "version": "4.7.1",
+  "version": "4.7.3",
   "license": "Apache-2.0",
   "description": "",
   "homepage": "https://lowdefy.com",
@@ -34,13 +34,13 @@
     "dist/*"
   ],
   "dependencies": {
-    "@lowdefy/ajv": "4.7.1",
-    "@lowdefy/errors": "4.7.1",
-    "@lowdefy/helpers": "4.7.1",
-    "@lowdefy/node-utils": "4.7.1",
-    "@lowdefy/nunjucks": "4.7.1",
-    "@lowdefy/operators": "4.7.1",
-    "@lowdefy/operators-js": "4.7.1"
+    "@lowdefy/ajv": "4.7.3",
+    "@lowdefy/errors": "4.7.3",
+    "@lowdefy/helpers": "4.7.3",
+    "@lowdefy/node-utils": "4.7.3",
+    "@lowdefy/nunjucks": "4.7.3",
+    "@lowdefy/operators": "4.7.3",
+    "@lowdefy/operators-js": "4.7.3"
   },
   "devDependencies": {
     "@jest/globals": "28.1.3",