@mastra/auth-workos 1.3.0-alpha.0 → 1.4.0-alpha.0
- package/CHANGELOG.md +86 -0
- package/dist/fga-provider.d.ts +4 -0
- package/dist/fga-provider.d.ts.map +1 -1
- package/dist/index.cjs +15 -4
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +15 -4
- package/dist/index.js.map +1 -1
- package/dist/types.d.ts +29 -1
- package/dist/types.d.ts.map +1 -1
- package/package.json +4 -4
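--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,91 @@
 # @mastra/auth-workos
 
+## 1.4.0-alpha.0
+
+### Minor Changes
+
+- Added FGA route policy coverage controls, built-in resource route metadata resolution, and resolver hooks. ([#16485](https://github.com/mastra-ai/mastra/pull/16485))
+
+For example:
+
+```ts
+import { MastraFGAWorkos } from '@mastra/auth-workos';
+import type { FGARouteConfig, FGARouteResolver, IFGAProvider } from '@mastra/core/auth/ee';
+import { createRoute } from '@mastra/server/server-adapter';
+
+const routeFGA = {
+'GET /billing/:accountId': {
+resourceType: 'account',
+resourceIdParam: 'accountId',
+permission: 'billing:read',
+},
+} satisfies Record<string, FGARouteConfig>;
+
+const resolveRouteFGA: FGARouteResolver = ({ route }) => routeFGA[`${route.method} ${route.path}`];
+
+const fga: IFGAProvider = new MastraFGAWorkos({
+apiKey: process.env.WORKOS_API_KEY!,
+clientId: process.env.WORKOS_CLIENT_ID!,
+requireForProtectedRoutes: true,
+auditProtectedRoutes: 'warn',
+resolveRouteFGA,
+validatePermissions: async permissions => {
+/* validate mappings */
+},
+});
+
+export const getProjectRoute = createRoute({
+method: 'GET',
+path: '/projects/:projectId',
+responseType: 'json',
+requiresAuth: true,
+fga: {
+resourceType: 'project',
+resourceIdParam: 'projectId',
+permission: 'projects:read',
+},
+handler: async () => {
+return { project: null };
+},
+});
+```
+
+### Patch Changes
+
+- Fixed WorkOS FGA missing resources so authorization checks deny access instead of surfacing provider errors. ([#16485](https://github.com/mastra-ai/mastra/pull/16485))
+
+- Updated dependencies [[`bad08e9`](https://github.com/mastra-ai/mastra/commit/bad08e99c5291884c3ac76743c78c74f53a302c2)]:
+- @mastra/core@1.35.0-alpha.1
+- @mastra/auth@1.0.2
+
+## 1.3.0
+
+### Minor Changes
+
+- Added optional `getAvailableRoles` and `getPermissionsForRole` methods to the WorkOS RBAC provider, so consumers can list configured roles and inspect their permissions through `@mastra/auth-workos`. ([#16578](https://github.com/mastra-ai/mastra/pull/16578))
+
+```typescript
+import { MastraRBACWorkos } from '@mastra/auth-workos';
+
+const rbac = new MastraRBACWorkos({
+/* config */
+});
+
+// List all available roles
+const roles = await rbac.getAvailableRoles();
+// [{ id: 'admin', name: 'Admin' }, { id: 'member', name: 'Member' }]
+
+// Get permissions for a specific role
+const permissions = await rbac.getPermissionsForRole('member');
+// ['agents:read', 'workflows:read']
+```
+
+### Patch Changes
+
+- Updated dependencies [[`20787de`](https://github.com/mastra-ai/mastra/commit/20787de5965234a1af28fe35f49437c537dbfa0d), [`784ad98`](https://github.com/mastra-ai/mastra/commit/784ad989549de91dc5d33ab8ef36caa6f7dcd34e), [`fceae1f`](https://github.com/mastra-ai/mastra/commit/fceae1f5f5db4722cb078a663c6eb4bd22944123), [`090a647`](https://github.com/mastra-ai/mastra/commit/090a647ba5a66d36f203f9f49457e03a1ff4e6fb), [`bf02acb`](https://github.com/mastra-ai/mastra/commit/bf02acbb8a6110f638ac844e89f1ebf04cb7fe74), [`090a647`](https://github.com/mastra-ai/mastra/commit/090a647ba5a66d36f203f9f49457e03a1ff4e6fb), [`bdb4cbf`](https://github.com/mastra-ai/mastra/commit/bdb4cbf8ba4b685d7481f28bb9dc3de6c79c9ed2), [`0fd3fbe`](https://github.com/mastra-ai/mastra/commit/0fd3fbe40fb63657aedd72f6e7b38c8e8ee6940d), [`f84447d`](https://github.com/mastra-ai/mastra/commit/f84447d6c80f3471836a9b300d246b331fb47e0d), [`a1a5b3e`](https://github.com/mastra-ai/mastra/commit/a1a5b3e42ab2ca5161ea21db59ebf28442680fa7), [`af84f57`](https://github.com/mastra-ai/mastra/commit/af84f571ed762e92e8e61c5f9a72363520914274), [`8b3c6f9`](https://github.com/mastra-ai/mastra/commit/8b3c6f90f7879833ba7d1bc70937e1d8f69d0804), [`fed0475`](https://github.com/mastra-ai/mastra/commit/fed0475ccfea31e4fc251469ac05640d0742c1f0), [`0d53730`](https://github.com/mastra-ai/mastra/commit/0d53730c1ed87ef80c87caa5701c4170ea8028e6), [`522f44d`](https://github.com/mastra-ai/mastra/commit/522f44d947214bfc06cff50599bae1ef3494880d)]:
+- @mastra/core@1.34.0
+- @mastra/auth@1.0.2
+
 ## 1.3.0-alpha.0
 
 ### Minor Changes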
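--- a/package/dist/fga-provider.d.ts
+++ b/package/dist/fga-provider.d.ts
@@ -63,6 +63,10 @@ export declare class MastraFGAWorkos implements IFGAManager<WorkOSUser> {
 private organizationId?;
 private resourceMapping;
 private permissionMapping;
+readonly requireForProtectedRoutes?: boolean;
+readonly auditProtectedRoutes?: boolean | 'warn' | 'error';
+readonly resolveRouteFGA?: MastraFGAWorkosOptions['resolveRouteFGA'];
+readonly validatePermissions?: MastraFGAWorkosOptions['validatePermissions'];
 constructor(options: MastraFGAWorkosOptions);
 /**
 * Check if a user has permission on a resource.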
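Review bot: The four new public fields have no TSDoc, and for `requireForProtectedRoutes?` and `auditProtectedRoutes?` the declaration does not say what an omitted value means, which is the case that decides how a protected route without FGA metadata is treated. State the default on each field, along the lines of `/** Whether protected routes must resolve FGA metadata. Default when omitted: <confirm against the route handling code>. */`, and say how `true` differs from `'warn'` and `'error'` for `auditProtectedRoutes`. The option type `MastraFGAWorkosOptions` may already document this in types.d.ts, which is not shown here, and the class body continues outside the hunk.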
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ3F,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAWrD;AAED,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,UAAU;CAQ7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,eAAgB,YAAW,WAAW,CAAC,UAAU,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,iBAAiB,CAAyB;IAClD,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IAC3D,QAAQ,CAAC,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IACrE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;gBAEjE,OAAO,EAAE,sBAAsB;IAyB3C;;;;;OAKG;IACG,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAcvE;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAoBtE;;;;;;;;;OASG;IACG,gBAAgB,CAAC,CAAC,SAAS;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,EAC7C,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,CAAC,EAAE,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,CAAC,EAAE,CAAC;IAuDf;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAkB3E;;OAEG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAK3D;;OAEG;IACG,aAAa,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAa9E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAS3E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAuBnE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IActD;;OAEG;IACG,mBAAm
B,CAAC,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAsB/F;;;;;;;;OAQG;IACH,OAAO,CAAC,+BAA+B;IAgCvC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiB7B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,kBAAkB;IAsB1B;;OAEG;YACW,iCAAiC;IAgC/C;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAWjC"}
|
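--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -787,6 +787,9 @@ var MastraRBACWorkos = class {
 }
 };
 var FILTER_ACCESSIBLE_CHECK_CONCURRENCY = 5;
+function isWorkOSResourceNotFoundError(error) {
+return error?.status === 404 || error?.code === "entity_not_found";
+}
 var WorkOSFGAResourceNotFoundError = class extends Error {
 status = 404;
 resourceType;
@@ -816,6 +819,10 @@ var MastraFGAWorkos = class {
 organizationId;
 resourceMapping;
 permissionMapping;
+requireForProtectedRoutes;
+auditProtectedRoutes;
+resolveRouteFGA;
+validatePermissions;
 constructor(options) {
 const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;
 const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;
@@ -828,6 +835,10 @@ var MastraFGAWorkos = class {
 this.organizationId = options.organizationId;
 this.resourceMapping = options.resourceMapping ?? {};
 this.permissionMapping = options.permissionMapping ?? {};
+this.requireForProtectedRoutes = options.requireForProtectedRoutes;
+this.auditProtectedRoutes = options.auditProtectedRoutes;
+this.resolveRouteFGA = options.resolveRouteFGA;
+this.validatePermissions = options.validatePermissions;
 }
 // ──────────────────────────────────────────────────────────────
 // IFGAProvider — Read-only checks
@@ -845,8 +856,8 @@ var MastraFGAWorkos = class {
 const result = await this.workos.authorization.check(checkOptions);
 return result.authorized;
 } catch (error) {
-if (error
-
+if (isWorkOSResourceNotFoundError(error)) {
+return false;
 }
 throw error;
 }
@@ -866,8 +877,8 @@ var MastraFGAWorkos = class {
 }
 } catch (error) {
 if (error instanceof ee.FGADeniedError) throw error;
-if (error
-throw new
+if (isWorkOSResourceNotFoundError(error)) {
+throw new ee.FGADeniedError(user, params.resource, params.permission);
 }
 throw error;
 }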
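Review bot: Both catch blocks that call `isWorkOSResourceNotFoundError(error)` discard the original error, and the helper matches any thrown value with `status === 404`, so a 404 caused by a wrong `organizationId` or a stale `resourceMapping` entry would presumably be indistinguishable from a genuine denial. Denying is the safe direction, but the deny path after `this.workos.authorization.check(checkOptions)` (`return false;`) and the one that throws `ee.FGADeniedError` should leave a trace: if a logger is available in this class (none is visible here), record the resource and `error.code` before denying. At minimum put the intent on the helper, e.g. `// Fail closed: a resource WorkOS cannot find is treated as not authorized; any 404 matches, including misconfiguration.` The removed conditions are truncated on this page, so the previous predicate cannot be compared, and both `try` blocks start outside the hunks.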