@m5kdev/backend 0.6.0 → 0.7.0

package/dist/src/modules/base/base.actor.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createActorFromContext = createActorFromContext;
+exports.validateActor = validateActor;
+exports.createServiceActor = createServiceActor;
+exports.getServiceActorScope = getServiceActorScope;
+exports.hasServiceActorScope = hasServiceActorScope;
+const errors_1 = require("../../utils/errors");
+function createActorFromContext(context, scope) {
+    if (!context.user.role) {
+        throw new errors_1.ServerError({
+            code: "BAD_REQUEST",
+            message: "User role not found in context",
+            layer: "controller",
+            layerName: "ActorValidation",
+        });
+    }
+    if (scope === "organization") {
+        if (!context.session.activeOrganizationId || !context.session.activeOrganizationRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active organization context required",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+    }
+    if (scope === "team") {
+        if (!context.session.activeOrganizationId || !context.session.activeOrganizationRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active organization context required for team scope",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+        if (!context.session.activeTeamId || !context.session.activeTeamRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active team context required",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+    }
+    return {
+        userId: context.user.id,
+        userRole: context.user.role,
+        organizationId: context.session.activeOrganizationId,
+        organizationRole: context.session.activeOrganizationRole,
+        teamId: context.session.activeTeamId,
+        teamRole: context.session.activeTeamRole,
+    };
+}
+function validateActor(actor, scope) {
+    if (!actor.userId || !actor.userRole)
+        return false;
+    if (scope === "user")
+        return true;
+    if (scope === "organization") {
+        return Boolean(actor.organizationId && actor.organizationRole);
+    }
+    return Boolean(actor.organizationId && actor.organizationRole && actor.teamId && actor.teamRole);
+}
+/**
+ * Builds a flat actor for tests / grants without session. Validates that team scope implies organization.
+ */
+function createServiceActor(claims) {
+    const organizationId = claims.organizationId ?? null;
+    const organizationRole = claims.organizationRole ?? null;
+    const teamId = claims.teamId ?? null;
+    const teamRole = claims.teamRole ?? null;
+    if ((teamId || teamRole) && (!organizationId || !organizationRole)) {
+        throw new Error("organization access before team access");
+    }
+    return {
+        userId: claims.userId,
+        userRole: claims.userRole,
+        organizationId,
+        organizationRole,
+        teamId,
+        teamRole,
+    };
+}
+function getServiceActorScope(actor) {
+    if (validateActor(actor, "team"))
+        return "team";
+    if (validateActor(actor, "organization"))
+        return "organization";
+    return "user";
+}
+function hasServiceActorScope(actor, scope) {
+    if (scope === "team")
+        return validateActor(actor, "team");
+    if (scope === "organization") {
+        return validateActor(actor, "organization") || validateActor(actor, "team");
+    }
+    return validateActor(actor, "user");
+}

package/dist/src/modules/base/base.actor.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/modules/base/base.actor.test.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const base_actor_1 = require("./base.actor");
+describe("base.actor", () => {
+    it("creates a user actor when only user claims are present", () => {
+        const actor = (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+        });
+        expect(actor).toEqual({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: null,
+            organizationRole: null,
+            teamId: null,
+            teamRole: null,
+        });
+    });
+    it("derives the highest available scope", () => {
+        expect((0, base_actor_1.getServiceActorScope)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: null,
+            teamRole: null,
+        })).toBe("organization");
+        expect((0, base_actor_1.getServiceActorScope)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: "team-1",
+            teamRole: "manager",
+        })).toBe("team");
+    });
+    it("validates hierarchy before building a team actor", () => {
+        expect(() => (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+            teamId: "team-1",
+            teamRole: "manager",
+        })).toThrow("organization access before team access");
+    });
+    it("checks required scope against broader actors", () => {
+        const actor = (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: "team-1",
+            teamRole: "manager",
+        });
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "user")).toBe(true);
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "organization")).toBe(true);
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "team")).toBe(true);
+    });
+});

package/dist/src/modules/base/base.grants.d.ts

@@ -1,4 +1,4 @@
-import type { Session, User } from "../auth/auth.lib";
+import type { ServiceActor } from "./base.actor";
 import type { ServerResultAsync } from "./base.dto";
 type Level = "user" | "team" | "organization";
 type Access = "all" | "own";
@@ -19,10 +19,6 @@ export type NestedGrants = Record<string, Partial<Record<Level, Record<string, R
 export type ResourceGrant = Omit<Grant, "resource">;
 export type ResourceActionGrant = Omit<ResourceGrant, "action">;
 export declare function flattenNestedGrants(nestedGrants: NestedGrants): Grant[];
-interface PermissionContext {
-    session: Session;
-    user: User;
-}
-export declare function checkPermissionSync<T extends Entity>(ctx: PermissionContext, grants: ResourceActionGrant[], entities?: T | T[]): boolean;
-export declare function checkPermissionAsync<T extends Entity>(ctx: PermissionContext, grants: ResourceActionGrant[], getEntities: () => ServerResultAsync<T | T[] | undefined>): ServerResultAsync<boolean>;
+export declare function checkPermissionSync<T extends Entity>(actor: ServiceActor, grants: ResourceActionGrant[], entities?: T | T[]): boolean;
+export declare function checkPermissionAsync<T extends Entity>(actor: ServiceActor, grants: ResourceActionGrant[], getEntities: () => ServerResultAsync<T | T[] | undefined>): ServerResultAsync<boolean>;
 export {};

package/dist/src/modules/base/base.grants.js

@@ -92,26 +92,38 @@ function checkOwnAccess(grants, roles, contextValues, entities) {
     }
     return false;
 }
-function checkPermissionSync(ctx, grants, entities) {
+function checkPermissionSync(actor, grants, entities) {
     if (!grants || grants.length === 0)
         return false;
-    const { id: userId, role: userRole } = ctx.user;
-    const { activeOrganizationRole: organizationRole, activeTeamRole: teamRole, activeOrganizationId: organizationId, activeTeamId: teamId, } = ctx.session;
-    const roles = { userRole, teamRole, organizationRole };
-    const contextValues = { userId, teamId, organizationId };
+    const roles = {
+        userRole: actor.userRole,
+        teamRole: actor.teamRole,
+        organizationRole: actor.organizationRole,
+    };
+    const contextValues = {
+        userId: actor.userId,
+        teamId: actor.teamId,
+        organizationId: actor.organizationId,
+    };
     // Pass 1: Check for "all" access first (no ownership check needed)
     if (hasAllAccess(grants, roles))
         return true;
     // Pass 2: Check "own" access with ownership validation
     return checkOwnAccess(grants, roles, contextValues, entities);
 }
-async function checkPermissionAsync(ctx, grants, getEntities) {
+async function checkPermissionAsync(actor, grants, getEntities) {
     if (!grants || grants.length === 0)
         return (0, neverthrow_1.ok)(false);
-    const { id: userId, role: userRole } = ctx.user;
-    const { activeOrganizationRole: organizationRole, activeTeamRole: teamRole, activeOrganizationId: organizationId, activeTeamId: teamId, } = ctx.session;
-    const roles = { userRole, teamRole, organizationRole };
-    const contextValues = { userId, teamId, organizationId };
+    const roles = {
+        userRole: actor.userRole,
+        teamRole: actor.teamRole,
+        organizationRole: actor.organizationRole,
+    };
+    const contextValues = {
+        userId: actor.userId,
+        teamId: actor.teamId,
+        organizationId: actor.organizationId,
+    };
     // Pass 1: Check for "all" access first (no entity fetch needed)
     if (hasAllAccess(grants, roles))
         return (0, neverthrow_1.ok)(true);

package/dist/src/modules/base/base.grants.test.js

@@ -1,53 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const neverthrow_1 = require("neverthrow");
-const base_grants_1 = require("./base.grants");
 const errors_1 = require("../../utils/errors");
-// ============================================
-// Mock Factories
-// ============================================
-function createMockUser(overrides = {}) {
-    return {
-        id: "user-123",
-        role: "member",
-        email: "test@example.com",
-        emailVerified: true,
-        name: "Test User",
-        createdAt: new Date(),
-        updatedAt: new Date(),
-        image: null,
-        onboarding: null,
-        preferences: null,
-        flags: null,
-        stripeCustomerId: null,
-        paymentCustomerId: null,
-        paymentPlanTier: null,
-        paymentPlanExpiresAt: null,
-        ...overrides,
-    };
-}
-function createMockSession(overrides = {}) {
-    return {
-        id: "session-123",
-        userId: "user-123",
-        token: "token-123",
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date(),
-        updatedAt: new Date(),
-        ipAddress: null,
-        userAgent: null,
-        activeOrganizationId: null,
-        activeTeamId: null,
-        activeOrganizationRole: null,
-        activeTeamRole: null,
-        ...overrides,
-    };
-}
+const base_actor_1 = require("./base.actor");
+const base_grants_1 = require("./base.grants");
 function createMockContext(userOverrides = {}, sessionOverrides = {}) {
-    return {
-        user: createMockUser(userOverrides),
-        session: createMockSession(sessionOverrides),
-    };
+    const organizationId = sessionOverrides.activeOrganizationId ?? (sessionOverrides.activeTeamId ? "org-123" : null);
+    const organizationRole = sessionOverrides.activeOrganizationRole ?? (sessionOverrides.activeTeamRole ? "member" : null);
+    const actor = (0, base_actor_1.createServiceActor)({
+        userId: userOverrides.id ?? "user-123",
+        userRole: userOverrides.role ?? "member",
+        organizationId,
+        organizationRole,
+        teamId: sessionOverrides.activeTeamId ?? null,
+        teamRole: sessionOverrides.activeTeamRole ?? null,
+    });
+    if (!actor) {
+        throw new Error("Expected actor");
+    }
+    return actor;
 }
 function createMockEntity(overrides = {}) {
     return {

package/dist/src/modules/base/base.procedure.d.ts

@@ -2,22 +2,25 @@ import type { QueryInput } from "@m5kdev/commons/modules/schemas/query.schema";
 import type { TRPC_ERROR_CODE_KEY } from "@trpc/server";
 import type { ServerError } from "../../utils/errors";
 import type { logger } from "../../utils/logger";
-import type { Context, Session, User } from "../auth/auth.lib";
 import type { Base } from "./base.abstract";
+import { type Actor, type ActorScope, type AuthenticatedActor } from "./base.actor";
 import type { ServerResult, ServerResultAsync } from "./base.dto";
 import type { Entity, ResourceActionGrant } from "./base.grants";
 type ServiceLogger = ReturnType<typeof logger.child>;
 type RepositoryMap = Record<string, Base>;
 type ServiceMap = Record<string, Base>;
 export type ServiceProcedureContext = {
-    user?: User | null;
-    session?: Session | null;
+    actor?: AuthenticatedActor | null;
 } & Record<string, unknown>;
 export type ServiceProcedureState = Record<string, unknown>;
 export type ServiceProcedureStoredValue<T> = [T] extends [undefined] ? undefined : Awaited<T>;
 export type ServiceProcedureResultLike<T> = T | ServerResult<T> | Promise<T | ServerResult<T>>;
-export type ServiceProcedureContextFilterScope = "user" | "organization" | "team";
+export type ServiceProcedureContextFilterScope = ActorScope;
 export type ServiceProcedureContextFilteredInput<TInput> = Extract<NonNullable<TInput>, QueryInput>;
+type ServiceProcedureAuthContext<Scope extends ActorScope> = {
+    actor: Actor[Scope];
+};
+type ServiceProcedureRequiredScopeFromFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined> = TInclude extends readonly ServiceProcedureContextFilterScope[] ? "team" extends TInclude[number] ? "team" : "organization" extends TInclude[number] ? "organization" : "user" : "user";
 export type ServiceProcedure<TInput, TCtx extends ServiceProcedureContext, TOutput> = (input: TInput, ctx: TCtx) => ServerResultAsync<TOutput>;
 export type ServiceProcedureArgs<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState> = {
     input: TInput;
@@ -50,24 +53,24 @@ export type ServiceProcedureAccessConfig<TInput, TCtx extends ServiceProcedureCo
 export interface ServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> {
     use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
     mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): ServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
-    addContextFilter(include?: readonly ServiceProcedureContextFilterScope[]): ServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & Context, Repositories, Services, State & {
+    addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): ServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
         contextFilter: ServiceProcedureContextFilteredInput<TInput>;
     }>;
-    requireAuth(): ServiceProcedureBuilder<TInput, TCtx & Context, Repositories, Services, State>;
+    requireAuth<Scope extends ActorScope = "user">(scope?: Scope): ServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
     handle<TOutput>(handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedure<TInput, TCtx, TOutput>;
 }
 export interface PermissionServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> extends ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {
     use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
     mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): PermissionServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
-    addContextFilter(include?: readonly ServiceProcedureContextFilterScope[]): PermissionServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & Context, Repositories, Services, State & {
+    addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): PermissionServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
         contextFilter: ServiceProcedureContextFilteredInput<TInput>;
     }>;
-    requireAuth(): PermissionServiceProcedureBuilder<TInput, TCtx & Context, Repositories, Services, State>;
-    access(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>): PermissionServiceProcedureBuilder<TInput, TCtx & Context, Repositories, Services, State>;
-    access<TEntities extends Entity | Entity[] | undefined>(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities>): PermissionServiceProcedureBuilder<TInput, TCtx & Context, Repositories, Services, State & {
+    requireAuth<Scope extends ActorScope = "user">(scope?: Scope): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
+    access(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State>;
+    access<TEntities extends Entity | Entity[] | undefined>(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
         access: TEntities;
     }>;
-    access<StepName extends ServiceProcedureEntityStepName<State>>(config: ServiceProcedureAccessStateConfig<State, StepName>): PermissionServiceProcedureBuilder<TInput, TCtx & Context, Repositories, Services, State & {
+    access<StepName extends ServiceProcedureEntityStepName<State>>(config: ServiceProcedureAccessStateConfig<State, StepName>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
         access: State[StepName];
     }>;
 }
@@ -75,7 +78,7 @@ type BaseServiceProcedureHost<Repositories extends RepositoryMap, Services exten
     repository: Repositories;
     service: Services;
     logger: ServiceLogger;
-    addContextFilter(ctx: Context, include?: {
+    addContextFilter(actor: AuthenticatedActor, include?: {
         user?: boolean;
         organization?: boolean;
         team?: boolean;
@@ -89,14 +92,8 @@ type BaseServiceProcedureHost<Repositories extends RepositoryMap, Services exten
     handleUnknownError(error: unknown): ServerError;
 };
 type PermissionServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = BaseServiceProcedureHost<Repositories, Services> & {
-    checkPermission<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
-    checkPermissionAsync<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
+    checkPermission<T extends Entity>(actor: AuthenticatedActor, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
+    checkPermissionAsync<T extends Entity>(actor: AuthenticatedActor, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
 };
 type ProcedureRuntimeStep<Repositories extends RepositoryMap, Services extends ServiceMap> = {
     stage: "use" | "input" | "auth" | "access";

package/dist/src/modules/base/base.procedure.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createServiceProcedureBuilder = createServiceProcedureBuilder;
 exports.createPermissionServiceProcedureBuilder = createPermissionServiceProcedureBuilder;
 const neverthrow_1 = require("neverthrow");
+const base_actor_1 = require("./base.actor");
 const DEFAULT_CONTEXT_FILTER_INCLUDE = [
     "user",
 ];
@@ -43,19 +44,24 @@ function logProcedureStage(host, procedureName, ctx, stage, { stepName, duration
         stepName,
         durationMs,
         errorCode,
-        hasUser: Boolean(ctx.user),
-        hasSession: Boolean(ctx.session),
+        hasActor: Boolean(ctx.actor),
     });
 }
-function createRequireAuthStep(host) {
+function requireProcedureActor(host, ctx, scope) {
+    if (!ctx.actor) {
+        return host.error("UNAUTHORIZED", "Unauthorized");
+    }
+    if (!(0, base_actor_1.validateActor)(ctx.actor, scope)) {
+        return host.error("FORBIDDEN", "Forbidden");
+    }
+    return (0, neverthrow_1.ok)(ctx.actor);
+}
+function createRequireAuthStep(host, scope = "user") {
     return {
         stage: "auth",
         stepName: "auth",
         run: async ({ ctx }) => {
-            if (!ctx.user || !ctx.session) {
-                return host.error("UNAUTHORIZED", "Unauthorized");
-            }
-            return (0, neverthrow_1.ok)(true);
+            return requireProcedureActor(host, ctx, scope);
         },
     };
 }
@@ -75,10 +81,20 @@ function createInputStep(stepName, step) {
 }
 function createContextFilterStep(host, include) {
     const contextInclude = getContextFilterInclude(include);
+    const requiredScope = contextInclude.team
+        ? "team"
+        : contextInclude.organization
+            ? "organization"
+            : "user";
     return {
         stage: "input",
         stepName: "contextFilter",
-        run: async ({ input, ctx }) => (0, neverthrow_1.ok)(host.addContextFilter(ctx, contextInclude, input)),
+        run: async ({ input, ctx }) => {
+            const actor = requireProcedureActor(host, ctx, requiredScope);
+            if (actor.isErr())
+                return actor;
+            return (0, neverthrow_1.ok)(host.addContextFilter(actor.value, contextInclude, input));
+        },
     };
 }
 function createAccessStep(host, config) {
@@ -87,16 +103,12 @@ function createAccessStep(host, config) {
         stepName: "access",
         run: async (args) => {
             const typedArgs = args;
-            if (!typedArgs.ctx.user || !typedArgs.ctx.session) {
-                return host.error("UNAUTHORIZED", "Unauthorized");
-            }
-            const permissionContext = {
-                user: typedArgs.ctx.user,
-                session: typedArgs.ctx.session,
-            };
+            const actor = requireProcedureActor(host, typedArgs.ctx, "user");
+            if (actor.isErr())
+                return actor;
             if ("entityStep" in config && typeof config.entityStep === "string") {
                 const entities = typedArgs.state[config.entityStep];
-                const hasPermission = host.checkPermission(permissionContext, config.action, entities, config.grants);
+                const hasPermission = host.checkPermission(actor.value, config.action, entities, config.grants);
                 if (!hasPermission) {
                     return host.error("FORBIDDEN");
                 }
@@ -105,7 +117,7 @@ function createAccessStep(host, config) {
             if (typeof config.entities === "function") {
                 const resolveEntities = config.entities;
                 let loadedEntities;
-                const permission = await host.checkPermissionAsync(permissionContext, config.action, async () => {
+                const permission = await host.checkPermissionAsync(actor.value, config.action, async () => {
                     const entityResult = await normalizeProcedureResult(resolveEntities(typedArgs));
                     if (entityResult.isOk()) {
                         loadedEntities = entityResult.value;
@@ -121,7 +133,7 @@ function createAccessStep(host, config) {
                 return (0, neverthrow_1.ok)(loadedEntities);
             }
             const entities = config.entities;
-            const hasPermission = host.checkPermission(permissionContext, config.action, entities, config.grants);
+            const hasPermission = host.checkPermission(actor.value, config.action, entities, config.grants);
             if (!hasPermission) {
                 return host.error("FORBIDDEN");
             }
@@ -203,7 +215,7 @@ function createServiceProcedureBuilder(host, config) {
     function addContextFilter(include) {
         const steps = hasStepName(config.steps, "auth")
             ? config.steps
-            : [...config.steps, createRequireAuthStep(host)];
+            : [...config.steps, createRequireAuthStep(host, "user")];
         assertUniqueStepName(steps, "contextFilter");
         return createServiceProcedureBuilder(host, {
             ...config,
@@ -226,11 +238,11 @@ function createServiceProcedureBuilder(host, config) {
             });
         },
         addContextFilter,
-        requireAuth() {
+        requireAuth(scope) {
             assertUniqueStepName(config.steps, "auth");
             return createServiceProcedureBuilder(host, {
                 ...config,
-                steps: [...config.steps, createRequireAuthStep(host)],
+                steps: [...config.steps, createRequireAuthStep(host, scope ?? "user")],
             });
         },
         handle(handler) {
@@ -243,7 +255,7 @@ function createPermissionServiceProcedureBuilder(host, config) {
     function addContextFilter(include) {
         const steps = hasStepName(config.steps, "auth")
             ? config.steps
-            : [...config.steps, createRequireAuthStep(host)];
+            : [...config.steps, createRequireAuthStep(host, "user")];
         assertUniqueStepName(steps, "contextFilter");
         return createPermissionServiceProcedureBuilder(host, {
             ...config,
@@ -273,11 +285,11 @@ function createPermissionServiceProcedureBuilder(host, config) {
             });
         },
         addContextFilter,
-        requireAuth() {
+        requireAuth(scope) {
             assertUniqueStepName(config.steps, "auth");
             return createPermissionServiceProcedureBuilder(host, {
                 ...config,
-                steps: [...config.steps, createRequireAuthStep(host)],
+                steps: [...config.steps, createRequireAuthStep(host, scope ?? "user")],
             });
         },
         access,

package/dist/src/modules/base/base.service.d.ts

@@ -1,6 +1,6 @@
 import type { QueryFilter, QueryInput } from "@m5kdev/commons/modules/schemas/query.schema";
-import type { Context, Session, User } from "../auth/auth.lib";
 import { Base } from "./base.abstract";
+import { type AuthenticatedActor } from "./base.actor";
 import type { ServerResult, ServerResultAsync } from "./base.dto";
 import { type Entity, type ResourceActionGrant, type ResourceGrant } from "./base.grants";
 import { type PermissionServiceProcedureBuilder, type ServiceProcedureBuilder, type ServiceProcedureContext } from "./base.procedure";
@@ -12,7 +12,7 @@ export declare class BaseService<Repositories extends Record<string, Base>, Serv
     addUserFilter(value: string, query?: undefined, columnId?: string, method?: QueryFilter["method"]): QueryInput;
     addUserFilter<TQuery extends QueryInput>(value: string, query: TQuery, columnId?: string, method?: QueryFilter["method"]): TQuery;
     protected procedure<TInput, TCtx extends ServiceProcedureContext = DefaultContext>(name: string): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services>;
-    addContextFilter(ctx: Context, include?: {
+    addContextFilter(actor: AuthenticatedActor, include?: {
         user?: boolean;
         organization?: boolean;
         team?: boolean;
@@ -20,7 +20,7 @@ export declare class BaseService<Repositories extends Record<string, Base>, Serv
         columnId: string;
         method: QueryFilter["method"];
     }>): QueryInput;
-    addContextFilter<TQuery extends QueryInput>(ctx: Context, include: {
+    addContextFilter<TQuery extends QueryInput>(actor: AuthenticatedActor, include: {
         user?: boolean;
         organization?: boolean;
         team?: boolean;
@@ -32,21 +32,9 @@ export declare class BaseService<Repositories extends Record<string, Base>, Serv
 export declare class BasePermissionService<Repositories extends Record<string, Base>, Services extends Record<string, Base>, DefaultContext extends ServiceProcedureContext = ServiceProcedureContext> extends BaseService<Repositories, Services, DefaultContext> {
     grants: ResourceGrant[];
     constructor(repository: Repositories, service: Services, grants?: ResourceGrant[]);
-    accessGuard<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): ServerResult<true>;
-    accessGuardAsync<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<true>;
+    accessGuard<T extends Entity>(actor: AuthenticatedActor, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): ServerResult<true>;
+    accessGuardAsync<T extends Entity>(actor: AuthenticatedActor, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<true>;
     protected procedure<TInput, TCtx extends ServiceProcedureContext = DefaultContext>(name: string): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services>;
-    checkPermission<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
-    checkPermissionAsync<T extends Entity>(ctx: {
-        session: Session;
-        user: User;
-    }, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
+    checkPermission<T extends Entity>(actor: AuthenticatedActor, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
+    checkPermissionAsync<T extends Entity>(actor: AuthenticatedActor, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
 }