@mastra/auth-cloud 0.0.1 → 1.1.0

package/dist/index.js

@@ -0,0 +1,850 @@
+import { randomBytes, createHash } from 'crypto';
+import { MastraAuthProvider } from '@mastra/core/server';
+import { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';
+
+// src/error.ts
+var AuthError = class _AuthError extends Error {
+  code;
+  cause;
+  cloudCode;
+  cloudMessage;
+  constructor(code, message, options) {
+    super(message);
+    this.name = "AuthError";
+    this.code = code;
+    this.cause = options?.cause;
+    this.cloudCode = options?.cloudCode;
+    this.cloudMessage = options?.cloudMessage;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  /**
+   * Factory: OAuth state parameter is invalid or malformed.
+   */
+  static invalidState() {
+    return new _AuthError("invalid_state", "OAuth state parameter is invalid or malformed.");
+  }
+  /**
+   * Factory: OAuth state parameter does not match expected value.
+   */
+  static stateMismatch() {
+    return new _AuthError("state_mismatch", "OAuth state parameter does not match. Possible CSRF attack.");
+  }
+  /**
+   * Factory: Authorization code is missing from callback.
+   */
+  static missingCode() {
+    return new _AuthError("missing_code", "Authorization code is missing from OAuth callback.");
+  }
+  /**
+   * Factory: Token exchange with Cloud API failed.
+   */
+  static tokenExchangeFailed(options) {
+    return new _AuthError("token_exchange_failed", "Failed to exchange authorization code for tokens.", options);
+  }
+  /**
+   * Factory: Token verification failed.
+   */
+  static verificationFailed() {
+    return new _AuthError("verification_failed", "Token verification failed.");
+  }
+  /**
+   * Factory: Session is invalid.
+   */
+  static sessionInvalid() {
+    return new _AuthError("session_invalid", "Session is invalid or has been revoked.");
+  }
+  /**
+   * Factory: Session has expired.
+   */
+  static sessionExpired() {
+    return new _AuthError("session_expired", "Session has expired. Please log in again.");
+  }
+  /**
+   * Factory: Network error during API call.
+   */
+  static networkError(cause) {
+    return new _AuthError("network_error", "Network error occurred while communicating with Cloud API.", { cause });
+  }
+  /**
+   * Factory: Cloud API returned an error.
+   */
+  static cloudApiError(options) {
+    const message = options?.cloudMessage ?? "Cloud API returned an error.";
+    return new _AuthError("cloud_api_error", message, options);
+  }
+};
+
+// src/oauth/state.ts
+function encodeState(csrf, returnTo) {
+  const data = { csrf, returnTo };
+  const json = JSON.stringify(data);
+  return Buffer.from(json).toString("base64url");
+}
+function decodeState(state) {
+  try {
+    const json = Buffer.from(state, "base64url").toString();
+    const data = JSON.parse(json);
+    if (typeof data.csrf !== "string" || typeof data.returnTo !== "string") {
+      throw new Error("Missing required fields");
+    }
+    return data;
+  } catch {
+    throw AuthError.invalidState();
+  }
+}
+function validateReturnTo(returnTo, requestOrigin) {
+  if (!returnTo) {
+    return "/";
+  }
+  if (returnTo.startsWith("/") && !returnTo.startsWith("//")) {
+    return returnTo;
+  }
+  try {
+    const parsed = new URL(returnTo);
+    const origin = new URL(requestOrigin);
+    if (parsed.origin === origin.origin) {
+      return returnTo;
+    }
+  } catch {
+  }
+  return "/";
+}
+
+// src/oauth/network.ts
+async function fetchWithRetry(url, options) {
+  try {
+    return await fetch(url, options);
+  } catch {
+    try {
+      return await fetch(url, options);
+    } catch (retryError) {
+      throw AuthError.networkError(retryError instanceof Error ? retryError : void 0);
+    }
+  }
+}
+
+// src/pkce/error.ts
+var PKCEError = class _PKCEError extends Error {
+  code;
+  cause;
+  constructor(code, message, cause) {
+    super(message);
+    this.name = "PKCEError";
+    this.code = code;
+    this.cause = cause;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  /**
+   * Factory: PKCE verifier cookie not found.
+   */
+  static missingVerifier() {
+    return new _PKCEError(
+      "MISSING_VERIFIER",
+      "PKCE verifier cookie not found. Authorization flow may have expired or was not initiated properly."
+    );
+  }
+  /**
+   * Factory: PKCE verifier has expired.
+   */
+  static expired() {
+    return new _PKCEError("EXPIRED", "PKCE verifier has expired. Please restart the authorization flow.");
+  }
+  /**
+   * Factory: PKCE verifier cookie is malformed.
+   */
+  static invalid(cause) {
+    return new _PKCEError("INVALID", "PKCE verifier cookie is malformed or invalid.", cause);
+  }
+};
+
+// src/pkce/cookie.ts
+var PKCE_COOKIE_NAME = "mastra_pkce_verifier";
+function setPKCECookie(verifier, state, isProduction) {
+  const ttlSeconds = 5 * 60;
+  const data = {
+    verifier,
+    state,
+    expiresAt: Date.now() + ttlSeconds * 1e3
+  };
+  const encoded = encodeURIComponent(JSON.stringify(data));
+  let cookie = `${PKCE_COOKIE_NAME}=${encoded}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
+  if (isProduction) {
+    cookie += "; Secure";
+  }
+  return cookie;
+}
+function parsePKCECookie(cookieHeader) {
+  if (!cookieHeader) {
+    throw PKCEError.missingVerifier();
+  }
+  const match = cookieHeader.match(new RegExp(`${PKCE_COOKIE_NAME}=([^;]+)`));
+  if (!match?.[1]) {
+    throw PKCEError.missingVerifier();
+  }
+  let data;
+  try {
+    data = JSON.parse(decodeURIComponent(match[1]));
+  } catch (e) {
+    throw PKCEError.invalid(e instanceof Error ? e : void 0);
+  }
+  if (data.expiresAt < Date.now()) {
+    throw PKCEError.expired();
+  }
+  return data;
+}
+function clearPKCECookie() {
+  return `${PKCE_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function computeCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function generateState() {
+  return randomBytes(16).toString("base64url");
+}
+
+// src/oauth/oauth.ts
+function getLoginUrl(options) {
+  const { projectId, cloudBaseUrl, callbackUrl, returnTo, requestOrigin, isProduction } = options;
+  const verifier = generateCodeVerifier();
+  const challenge = computeCodeChallenge(verifier);
+  const csrf = generateState();
+  const validatedReturnTo = validateReturnTo(returnTo, requestOrigin);
+  const state = encodeState(csrf, validatedReturnTo);
+  const url = new URL("/auth/oss", cloudBaseUrl);
+  url.searchParams.set("project_id", projectId);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("redirect_uri", callbackUrl);
+  url.searchParams.set("state", state);
+  const isProductionEnv = isProduction ?? process.env.NODE_ENV === "production";
+  const pkceCookie = setPKCECookie(verifier, csrf, isProductionEnv);
+  return {
+    url: url.toString(),
+    cookies: [pkceCookie]
+  };
+}
+async function handleCallback(options) {
+  const { projectId, cloudBaseUrl, redirectUri, code, state, cookieHeader } = options;
+  const pkceData = parsePKCECookie(cookieHeader);
+  const stateData = decodeState(state);
+  if (stateData.csrf !== pkceData.state) {
+    throw AuthError.stateMismatch();
+  }
+  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/callback`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-Project-ID": projectId
+    },
+    body: JSON.stringify({
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: pkceData.verifier
+    })
+  });
+  if (!response.ok) {
+    let cloudCode;
+    let cloudMessage;
+    try {
+      const errorBody = await response.json();
+      cloudCode = errorBody.code;
+      cloudMessage = errorBody.message;
+    } catch {
+    }
+    throw AuthError.tokenExchangeFailed({ cloudCode, cloudMessage });
+  }
+  const body = await response.json();
+  const verifyResponse = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${body.access_token}`,
+      "X-Project-ID": projectId
+    }
+  });
+  if (!verifyResponse.ok) {
+    throw AuthError.verificationFailed();
+  }
+  const verifyBody = await verifyResponse.json();
+  const clearCookie = clearPKCECookie();
+  return {
+    user: {
+      id: verifyBody.sub,
+      email: verifyBody.email,
+      name: verifyBody.name,
+      avatar: verifyBody.avatar_url,
+      role: verifyBody.role
+    },
+    accessToken: body.access_token,
+    returnTo: stateData.returnTo,
+    cookies: [clearCookie]
+  };
+}
+
+// src/session/cookie.ts
+var SESSION_COOKIE_NAME = "mastra_cloud_session";
+function setSessionCookie(token, isProduction) {
+  const ttlSeconds = 24 * 60 * 60;
+  let cookie = `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
+  if (isProduction) {
+    cookie += "; Secure";
+  }
+  return cookie;
+}
+function parseSessionCookie(cookieHeader) {
+  if (!cookieHeader) {
+    return null;
+  }
+  const match = cookieHeader.match(new RegExp(`${SESSION_COOKIE_NAME}=([^;]+)`));
+  return match?.[1] ?? null;
+}
+function clearSessionCookie() {
+  return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+
+// src/session/session.ts
+async function verifyToken(options) {
+  const { projectId, cloudBaseUrl, token } = options;
+  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+      "X-Project-ID": projectId
+    }
+  });
+  if (!response.ok) {
+    throw AuthError.verificationFailed();
+  }
+  const body = await response.json();
+  if (body.token_type === "project_api_token") {
+    return {
+      user: {
+        id: "api-token",
+        email: void 0,
+        name: void 0,
+        avatar: void 0
+      },
+      role: body.role
+    };
+  }
+  return {
+    user: {
+      id: body.sub,
+      email: body.email,
+      name: body.name,
+      avatar: body.avatar_url
+    },
+    role: body.role
+  };
+}
+async function validateSession(options) {
+  const { projectId, cloudBaseUrl, sessionToken } = options;
+  try {
+    const response = await fetchWithRetry(`${cloudBaseUrl}/auth/session/validate`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${sessionToken}`,
+        "X-Project-ID": projectId
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+async function destroySession(options) {
+  const { cloudBaseUrl, sessionToken } = options;
+  await fetchWithRetry(`${cloudBaseUrl}/auth/session/destroy`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${sessionToken}`
+    }
+  });
+}
+function getLogoutUrl(cloudBaseUrl, postLogoutRedirectUri, idTokenHint) {
+  const url = new URL("/auth/logout", cloudBaseUrl);
+  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
+  url.searchParams.set("id_token_hint", idTokenHint);
+  return url.toString();
+}
+
+// src/client.ts
+var MastraCloudAuth = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Generate login URL for OAuth authorization.
+   *
+   * @param options - Login options
+   * @returns URL to redirect to and cookies to set
+   */
+  getLoginUrl(options) {
+    return getLoginUrl({
+      projectId: this.config.projectId,
+      cloudBaseUrl: this.config.cloudBaseUrl,
+      callbackUrl: this.config.callbackUrl,
+      returnTo: options.returnTo,
+      requestOrigin: options.requestOrigin,
+      isProduction: this.config.isProduction
+    });
+  }
+  /**
+   * Handle OAuth callback after authorization.
+   *
+   * @param options - Callback parameters
+   * @returns User info, tokens, and redirect URL
+   */
+  handleCallback(options) {
+    return handleCallback({
+      projectId: this.config.projectId,
+      cloudBaseUrl: this.config.cloudBaseUrl,
+      redirectUri: this.config.callbackUrl,
+      ...options
+    });
+  }
+  /**
+   * Verify an access token.
+   *
+   * @param token - Access token to verify
+   * @returns User and role information
+   */
+  verifyToken(token) {
+    return verifyToken({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, token });
+  }
+  /**
+   * Validate an existing session.
+   *
+   * @param sessionToken - Session token to validate
+   * @returns Session data if valid, null otherwise
+   */
+  validateSession(sessionToken) {
+    return validateSession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });
+  }
+  /**
+   * Destroy a session (server-side logout).
+   *
+   * @param sessionToken - Session token to destroy
+   */
+  destroySession(sessionToken) {
+    return destroySession({ cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });
+  }
+  /**
+   * Get the logout URL for client-side redirect.
+   *
+   * @param postLogoutRedirectUri - URL to redirect to after logout
+   * @param idTokenHint - The access token
+   * @returns Full logout URL with redirect and token parameters
+   */
+  getLogoutUrl(postLogoutRedirectUri, idTokenHint) {
+    return getLogoutUrl(this.config.cloudBaseUrl, postLogoutRedirectUri, idTokenHint);
+  }
+  /**
+   * Create Set-Cookie header value for session token.
+   *
+   * @param token - Session token to store
+   * @returns Set-Cookie header value
+   */
+  setSessionCookie(token) {
+    return setSessionCookie(token, this.config.isProduction ?? process.env.NODE_ENV === "production");
+  }
+  /**
+   * Create Set-Cookie header value to clear session cookie.
+   *
+   * @returns Set-Cookie header value
+   */
+  clearSessionCookie() {
+    return clearSessionCookie();
+  }
+};
+var MastraCloudAuthProvider = class extends MastraAuthProvider {
+  client;
+  /** Marker for EE license exemption - MastraCloudAuth is exempt */
+  isMastraCloudAuth = true;
+  /**
+   * Cookie header for handleCallback PKCE validation.
+   * Set via setCallbackCookieHeader() before handleCallback() is called.
+   * @internal
+   */
+  _lastCallbackCookieHeader = null;
+  constructor(options) {
+    super({ name: options?.name ?? "cloud" });
+    this.client = new MastraCloudAuth({
+      projectId: options.projectId,
+      cloudBaseUrl: options.cloudBaseUrl,
+      callbackUrl: options.callbackUrl,
+      isProduction: options.isProduction
+    });
+    this.registerOptions(options);
+  }
+  /**
+   * Set cookie header for handleCallback PKCE validation.
+   * Must be called before handleCallback() to pass cookie header.
+   *
+   * @param cookieHeader - Cookie header from original request
+   */
+  setCallbackCookieHeader(cookieHeader) {
+    this._lastCallbackCookieHeader = cookieHeader;
+  }
+  // ============================================================================
+  // MastraAuthProvider Implementation
+  // ============================================================================
+  /**
+   * Authenticate a bearer token or session cookie.
+   *
+   * Checks session cookie first, falls back to bearer token for API clients.
+   *
+   * @param token - Bearer token (from Authorization header)
+   * @param request - Hono or raw Request
+   * @returns Authenticated user with role, or null if invalid
+   */
+  async authenticateToken(token, request) {
+    try {
+      const rawRequest = "raw" in request ? request.raw : request;
+      const cookieHeader = rawRequest.headers.get("cookie");
+      const sessionToken = parseSessionCookie(cookieHeader);
+      if (sessionToken) {
+        const { user, role } = await this.client.verifyToken(sessionToken);
+        return { ...user, role };
+      }
+      if (token) {
+        const { user, role } = await this.client.verifyToken(token);
+        return { ...user, role };
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Authorize a user for access.
+   *
+   * Simple validation - detailed permission checking happens in server
+   * middleware via checkRoutePermission(), not authorizeUser().
+   *
+   * @param user - Authenticated user
+   * @returns True if user has valid id
+   */
+  authorizeUser(user) {
+    return !!user?.id;
+  }
+  // ============================================================================
+  // ISSOProvider Implementation
+  // ============================================================================
+  /**
+   * Cached login result for getLoginCookies() to retrieve cookies.
+   * @internal
+   */
+  _lastLoginResult = null;
+  /**
+   * Get URL to redirect user to for SSO login.
+   *
+   * @param redirectUri - Callback URL after authentication
+   * @param state - State parameter (format: uuid|encodedPostLoginRedirect)
+   * @returns Full authorization URL
+   */
+  getLoginUrl(redirectUri, state) {
+    let postLoginRedirect = "/";
+    if (state && state.includes("|")) {
+      const parts = state.split("|", 2);
+      const encodedRedirect = parts[1];
+      if (encodedRedirect) {
+        try {
+          postLoginRedirect = decodeURIComponent(encodedRedirect);
+        } catch {
+          postLoginRedirect = "/";
+        }
+      }
+    }
+    const redirectUrl = new URL(redirectUri);
+    const origin = redirectUrl.origin;
+    const result = this.client.getLoginUrl({
+      returnTo: postLoginRedirect,
+      requestOrigin: origin
+    });
+    this._lastLoginResult = result;
+    return result.url;
+  }
+  /**
+   * Get cookies to set during login redirect (PKCE verifier).
+   * Must be called after getLoginUrl() in same request.
+   *
+   * @returns Array of Set-Cookie header values
+   */
+  getLoginCookies() {
+    const cookies = this._lastLoginResult?.cookies;
+    this._lastLoginResult = null;
+    return cookies;
+  }
+  /**
+   * Handle OAuth callback, exchange code for tokens and user.
+   *
+   * @param code - Authorization code from callback
+   * @param state - State parameter for CSRF validation
+   * @returns User, tokens, and session cookies
+   */
+  async handleCallback(code, state) {
+    const cookieHeader = this._lastCallbackCookieHeader;
+    this._lastCallbackCookieHeader = null;
+    const result = await this.client.handleCallback({
+      code,
+      state,
+      cookieHeader
+    });
+    const sessionCookie = this.client.setSessionCookie(result.accessToken);
+    return {
+      user: result.user,
+      // Already has role from handleCallback
+      tokens: {
+        accessToken: result.accessToken
+      },
+      cookies: [...result.cookies, sessionCookie]
+    };
+  }
+  /**
+   * Get configuration for rendering login button in UI.
+   *
+   * @returns Login button configuration
+   */
+  getLoginButtonConfig() {
+    return {
+      provider: "mastra",
+      text: "Sign in with Mastra Cloud"
+    };
+  }
+  /**
+   * Get logout URL for client-side redirect.
+   * Requires the request to extract the session token for id_token_hint.
+   *
+   * @param redirectUri - URL to redirect to after logout
+   * @param request - Request to extract session token from
+   * @returns Logout URL with redirect and token parameters, or null if no session
+   */
+  getLogoutUrl(redirectUri, request) {
+    const sessionToken = request ? this.getSessionIdFromRequest(request) : null;
+    if (!sessionToken) {
+      return null;
+    }
+    return this.client.getLogoutUrl(redirectUri, sessionToken);
+  }
+  // ============================================================================
+  // ISessionProvider Implementation
+  // ============================================================================
+  /**
+   * Create a new session for a user.
+   *
+   * For Cloud auth, sessions are created via handleCallback.
+   * This method builds a Session object for interface compatibility.
+   *
+   * @param userId - User to create session for
+   * @param metadata - Optional metadata (accessToken can be passed here)
+   * @returns Session object
+   */
+  async createSession(userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 24 * 60 * 60 * 1e3);
+    return {
+      id: metadata?.accessToken ?? crypto.randomUUID(),
+      userId,
+      createdAt: now,
+      expiresAt,
+      metadata
+    };
+  }
+  /**
+   * Validate a session and return it if valid.
+   *
+   * @param sessionId - Session token to validate
+   * @returns Session object or null if invalid/expired
+   */
+  async validateSession(sessionId) {
+    const session = await this.client.validateSession(sessionId);
+    if (!session) return null;
+    return {
+      id: sessionId,
+      userId: session.userId,
+      createdAt: new Date(session.createdAt),
+      expiresAt: new Date(session.expiresAt)
+    };
+  }
+  /**
+   * Destroy a session (logout).
+   *
+   * @param sessionId - Session token to destroy
+   */
+  async destroySession(sessionId) {
+    await this.client.destroySession(sessionId);
+  }
+  /**
+   * Refresh a session, extending its expiry.
+   * Cloud handles refresh internally, so just validate.
+   *
+   * @param sessionId - Session token to refresh
+   * @returns Session object or null if invalid
+   */
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  /**
+   * Extract session ID from an incoming request.
+   *
+   * @param request - Incoming HTTP request
+   * @returns Session token or null if not present
+   */
+  getSessionIdFromRequest(request) {
+    return parseSessionCookie(request.headers.get("cookie"));
+  }
+  /**
+   * Create response headers to set session cookie.
+   *
+   * @param session - Session to encode (id is the access token)
+   * @returns Headers object with Set-Cookie
+   */
+  getSessionHeaders(session) {
+    return { "Set-Cookie": this.client.setSessionCookie(session.id) };
+  }
+  /**
+   * Create response headers to clear session (for logout).
+   *
+   * @returns Headers object to clear session cookie
+   */
+  getClearSessionHeaders() {
+    return { "Set-Cookie": this.client.clearSessionCookie() };
+  }
+  // ============================================================================
+  // IUserProvider Implementation
+  // ============================================================================
+  /**
+   * Get current user from request (session cookie).
+   *
+   * @param request - Incoming HTTP request
+   * @returns User with role or null if not authenticated
+   */
+  async getCurrentUser(request) {
+    const sessionToken = this.getSessionIdFromRequest(request);
+    if (!sessionToken) return null;
+    try {
+      const { user, role } = await this.client.verifyToken(sessionToken);
+      return { ...user, role };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Get user by ID.
+   * Cloud API doesn't have a /users/:id endpoint.
+   *
+   * @returns Always null (not supported)
+   */
+  async getUser(_userId) {
+    return null;
+  }
+};
+var MastraRBACCloud = class {
+  options;
+  /**
+   * Expose roleMapping for middleware access.
+   * This allows the authorization middleware to resolve permissions
+   * without needing to call the async methods.
+   */
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  /**
+   * Create a new Mastra Cloud RBAC provider.
+   *
+   * @param options - RBAC configuration options
+   */
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Get all roles for a user.
+   *
+   * Returns the user's role as a single-element array, or empty array if no role.
+   * Cloud uses a single-role model (role is attached via verifyToken()).
+   *
+   * @param user - Cloud user to get roles for
+   * @returns Array containing user's role, or empty array
+   */
+  async getRoles(user) {
+    return user.role ? [user.role] : [];
+  }
+  /**
+   * Check if a user has a specific role.
+   *
+   * @param user - Cloud user to check
+   * @param role - Role name to check for
+   * @returns True if user has the role
+   */
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  /**
+   * Get all permissions for a user by mapping their role.
+   *
+   * Uses the configured roleMapping to translate the user's role
+   * into Mastra permission strings.
+   *
+   * If the user has no role, the _default permissions from the
+   * role mapping are applied.
+   *
+   * @param user - Cloud user to get permissions for
+   * @returns Array of permission strings
+   */
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
+    }
+    return resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  /**
+   * Check if a user has a specific permission.
+   *
+   * Uses wildcard matching to check if the user's permissions
+   * grant access to the required permission.
+   *
+   * @param user - Cloud user to check
+   * @param permission - Permission to check for (e.g., 'agents:read')
+   * @returns True if user has the permission
+   */
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => matchesPermission(p, permission));
+  }
+  /**
+   * Check if a user has ALL of the specified permissions.
+   *
+   * @param user - Cloud user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has all permissions
+   */
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+  /**
+   * Check if a user has ANY of the specified permissions.
+   *
+   * @param user - Cloud user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has at least one permission
+   */
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => matchesPermission(p, required)));
+  }
+};
+
+export { AuthError, MastraCloudAuth, MastraCloudAuthProvider, MastraRBACCloud };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map