@mastra/auth-workos 1.4.0 → 1.5.0

package/CHANGELOG.md

@@ -1,5 +1,65 @@
 # @mastra/auth-workos
 
+## 1.5.0
+
+### Minor Changes
+
+- FGA `check()` and `require()` now accept an array of permissions and short-circuit on the first one that resolves to allow (ANY-of semantics). Single-permission usage continues to work unchanged. ([#16605](https://github.com/mastra-ai/mastra/pull/16605))
+
+  ```ts
+  // Before — one permission per call
+  await fgaProvider.check({
+    user,
+    resource: { type: 'agent', id: 'abc' },
+    permission: 'agents:read',
+  });
+
+  // After — single permission or ANY-of array
+  await fgaProvider.check({
+    user,
+    resource: { type: 'agent', id: 'abc' },
+    permission: ['agents:read', 'agents:execute'],
+  });
+  ```
+
+  When all permissions in the array are denied, the thrown `FGADeniedError` lists them as `any of [a, b, c]` in its message.
+
+### Patch Changes
+
+- Updated dependencies [[`452036a`](https://github.com/mastra-ai/mastra/commit/452036a0d965b4f4c1efd93606e4f03b50b807a5), [`c272d50`](https://github.com/mastra-ai/mastra/commit/c272d50610a54496b6b6d92ccd4d37b333a2613a), [`27fd1b7`](https://github.com/mastra-ai/mastra/commit/27fd1b79ac62eb7694f92587eb7d1be05b59be01), [`5ba7253`](https://github.com/mastra-ai/mastra/commit/5ba7253745c85e8df8012a76d954c640ffa336f7), [`5556cc1`](https://github.com/mastra-ai/mastra/commit/5556cc1befec71518d84f826b3bfe3a079a9daf7), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`5499303`](https://github.com/mastra-ai/mastra/commit/54993032c1ebc09642625b78d2014e0cf84a3cae), [`a702009`](https://github.com/mastra-ai/mastra/commit/a702009d3cfaa745120f501e21c783ed4d6a3072), [`9aee493`](https://github.com/mastra-ai/mastra/commit/9aee493ed6089b5133472623dcce49934bf2d509), [`d8692af`](https://github.com/mastra-ai/mastra/commit/d8692afa253028e39cdce2aafa0ac414071a762e), [`1a9cc60`](https://github.com/mastra-ai/mastra/commit/1a9cc6069f9910fc3d59e4953ac8cd95d89ad6f5), [`8cdb86c`](https://github.com/mastra-ai/mastra/commit/8cdb86ceed1137bc2768e147dce85a0692b9fb26), [`8534d79`](https://github.com/mastra-ai/mastra/commit/8534d791fa1cb70fe1c19e2604c4b63cc10dd051), [`eda90c5`](https://github.com/mastra-ai/mastra/commit/eda90c5bfd7de11805ecc9f4552716c895fbaf78), [`a935b0a`](https://github.com/mastra-ai/mastra/commit/a935b0a0977ae3f196b33ec7621f528069c82db0), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`c78f8cd`](https://github.com/mastra-ai/mastra/commit/c78f8cd6222a86e6c60ae5210b6929ad5221b6fb), [`e146aad`](https://github.com/mastra-ai/mastra/commit/e146aadbba66c410ba0e74bac4c50135495cb8dd), [`ac79462`](https://github.com/mastra-ai/mastra/commit/ac79462b98f1062394c45093aa515b0766f27ee2), [`1a0ec78`](https://github.com/mastra-ai/mastra/commit/1a0ec789a26cae443744e9abbd62ed6ee676af39), [`e47bca7`](https://github.com/mastra-ai/mastra/commit/e47bca7b72866d3abd173b9f530ac4318113a8ff), [`afc004f`](https://github.com/mastra-ai/mastra/commit/afc004f5cc7e30697809e7021820b9f5881e6719), [`0031d0f`](https://github.com/mastra-ai/mastra/commit/0031d0f13831d7843ac5d498734a7d92862e2ce3), [`841a222`](https://github.com/mastra-ai/mastra/commit/841a222560d8c19238f8213713f30535cdd82284), [`64c1e0b`](https://github.com/mastra-ai/mastra/commit/64c1e0b35165c96b659818bd0177aa18794ef11f), [`40d83a9`](https://github.com/mastra-ai/mastra/commit/40d83a90d9be31a1b83e04649edb703eb7753e33), [`4e88dc6`](https://github.com/mastra-ai/mastra/commit/4e88dc6b89f154c0eae37221c8126be0c23c569f), [`19018f0`](https://github.com/mastra-ai/mastra/commit/19018f05722af74a5978781a7731a654b26f7f2a), [`19281c7`](https://github.com/mastra-ai/mastra/commit/19281c70424f757219782de16c2699743c5e04d0), [`3498b49`](https://github.com/mastra-ai/mastra/commit/3498b4946be94f4313cd817733589680dcda5278), [`d52b6fe`](https://github.com/mastra-ai/mastra/commit/d52b6fe1c56853eb38864baae0bbfa75cc739ccb), [`408be73`](https://github.com/mastra-ai/mastra/commit/408be73449dfab92b51eab8c6623b6c443debc25), [`359439b`](https://github.com/mastra-ai/mastra/commit/359439bb8c635e048176306828195f8297f50021), [`71a820b`](https://github.com/mastra-ai/mastra/commit/71a820b2353fa1406772c50760a3732058a8b337), [`1698f5e`](https://github.com/mastra-ai/mastra/commit/1698f5ec141d34f22a873efdb145ce3cdf848a5e)]:
+  - @mastra/core@1.36.0
+  - @mastra/auth@1.0.2
+
+## 1.5.0-alpha.0
+
+### Minor Changes
+
+- FGA `check()` and `require()` now accept an array of permissions and short-circuit on the first one that resolves to allow (ANY-of semantics). Single-permission usage continues to work unchanged. ([#16605](https://github.com/mastra-ai/mastra/pull/16605))
+
+  ```ts
+  // Before — one permission per call
+  await fgaProvider.check({
+    user,
+    resource: { type: 'agent', id: 'abc' },
+    permission: 'agents:read',
+  });
+
+  // After — single permission or ANY-of array
+  await fgaProvider.check({
+    user,
+    resource: { type: 'agent', id: 'abc' },
+    permission: ['agents:read', 'agents:execute'],
+  });
+  ```
+
+  When all permissions in the array are denied, the thrown `FGADeniedError` lists them as `any of [a, b, c]` in its message.
+
+### Patch Changes
+
+- Updated dependencies [[`5ba7253`](https://github.com/mastra-ai/mastra/commit/5ba7253745c85e8df8012a76d954c640ffa336f7), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`4e88dc6`](https://github.com/mastra-ai/mastra/commit/4e88dc6b89f154c0eae37221c8126be0c23c569f), [`19018f0`](https://github.com/mastra-ai/mastra/commit/19018f05722af74a5978781a7731a654b26f7f2a)]:
+  - @mastra/core@1.36.0-alpha.2
+  - @mastra/auth@1.0.2
+
 ## 1.4.0
 
 ### Minor Changes

package/dist/fga-provider.d.ts

@@ -73,10 +73,16 @@ export declare class MastraFGAWorkos implements IFGAManager<WorkOSUser> {
      *
      * Resolves the user's organization membership ID, maps the permission
      * via `permissionMapping`, and delegates to `workos.authorization.check()`.
+     *
+     * When `params.permission` is an array, ANY-of semantics apply: returns true
+     * if any single permission in the array authorizes the user.
      */
     check(user: WorkOSUser, params: FGACheckParams): Promise<boolean>;
     /**
      * Require that a user has permission, throwing FGADeniedError if not.
+     *
+     * When `params.permission` is an array, ANY-of semantics apply: passes if any
+     * single permission authorizes the user; throws if none do.
      */
     require(user: WorkOSUser, params: FGACheckParams): Promise<void>;
     /**

package/dist/fga-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ3F,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAWrD;AAED,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,UAAU;CAQ7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,eAAgB,YAAW,WAAW,CAAC,UAAU,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,iBAAiB,CAAyB;IAClD,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IAC3D,QAAQ,CAAC,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IACrE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;gBAEjE,OAAO,EAAE,sBAAsB;IAyB3C;;;;;OAKG;IACG,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAcvE;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAoBtE;;;;;;;;;OASG;IACG,gBAAgB,CAAC,CAAC,SAAS;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,EAC7C,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,CAAC,EAAE,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,CAAC,EAAE,CAAC;IAuDf;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAkB3E;;OAEG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAK3D;;OAEG;IACG,aAAa,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAa9E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAS3E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAuBnE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IActD;;OAEG;IACG,mBAAmB,CAAC,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAsB/F;;;;;;;;OAQG;IACH,OAAO,CAAC,+BAA+B;IAgCvC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiB7B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,kBAAkB;IAsB1B;;OAEG;YACW,iCAAiC;IAgC/C;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAWjC"}
+{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ3F,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAWrD;AAED,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,UAAU;CAQ7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,eAAgB,YAAW,WAAW,CAAC,UAAU,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,iBAAiB,CAAyB;IAClD,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IAC3D,QAAQ,CAAC,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IACrE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;gBAEjE,OAAO,EAAE,sBAAsB;IAyB3C;;;;;;;;OAQG;IACG,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBvE;;;;;OAKG;IACG,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BtE;;;;;;;;;OASG;IACG,gBAAgB,CAAC,CAAC,SAAS;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,EAC7C,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,CAAC,EAAE,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,CAAC,EAAE,CAAC;IAuDf;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAkB3E;;OAEG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAK3D;;OAEG;IACG,aAAa,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAa9E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAS3E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAuBnE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IActD;;OAEG;IACG,mBAAmB,CAAC,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAsB/F;;;;;;;;OAQG;IACH,OAAO,CAAC,+BAA+B;IAgCvC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiB7B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,kBAAkB;IAsB1B;;OAEG;YACW,iCAAiC;IAgC/C;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAWjC"}

package/dist/index.cjs

@@ -848,40 +848,56 @@ var MastraFGAWorkos = class {
    *
    * Resolves the user's organization membership ID, maps the permission
    * via `permissionMapping`, and delegates to `workos.authorization.check()`.
+   *
+   * When `params.permission` is an array, ANY-of semantics apply: returns true
+   * if any single permission in the array authorizes the user.
    */
   async check(user, params) {
-    const checkOptions = this.buildCheckOptions(user, params);
-    if (!checkOptions) return false;
-    try {
-      const result = await this.workos.authorization.check(checkOptions);
-      return result.authorized;
-    } catch (error) {
-      if (isWorkOSResourceNotFoundError(error)) {
-        return false;
+    const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
+    if (permissions.length === 0) return false;
+    for (const permission of permissions) {
+      const checkOptions = this.buildCheckOptions(user, { ...params, permission });
+      if (!checkOptions) continue;
+      try {
+        const result = await this.workos.authorization.check(checkOptions);
+        if (result.authorized) return true;
+      } catch (error) {
+        if (isWorkOSResourceNotFoundError(error)) continue;
+        throw error;
       }
-      throw error;
     }
+    return false;
   }
   /**
    * Require that a user has permission, throwing FGADeniedError if not.
+   *
+   * When `params.permission` is an array, ANY-of semantics apply: passes if any
+   * single permission authorizes the user; throws if none do.
    */
   async require(user, params) {
-    const checkOptions = this.buildCheckOptions(user, params, { strictMembershipResolution: true });
-    if (!checkOptions) {
+    const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
+    if (permissions.length === 0) {
       throw new ee.FGADeniedError(user, params.resource, params.permission);
     }
-    try {
-      const result = await this.workos.authorization.check(checkOptions);
-      if (!result.authorized) {
-        throw new ee.FGADeniedError(user, params.resource, params.permission);
-      }
-    } catch (error) {
-      if (error instanceof ee.FGADeniedError) throw error;
-      if (isWorkOSResourceNotFoundError(error)) {
-        throw new ee.FGADeniedError(user, params.resource, params.permission);
+    let lastError;
+    for (const permission of permissions) {
+      const checkOptions = this.buildCheckOptions(
+        user,
+        { ...params, permission },
+        { strictMembershipResolution: true }
+      );
+      if (!checkOptions) continue;
+      try {
+        const result = await this.workos.authorization.check(checkOptions);
+        if (result.authorized) return;
+      } catch (error) {
+        if (error instanceof ee.FGADeniedError) throw error;
+        if (isWorkOSResourceNotFoundError(error)) continue;
+        lastError = error;
       }
-      throw error;
     }
+    if (lastError) throw lastError;
+    throw new ee.FGADeniedError(user, params.resource, params.permission);
   }
   /**
    * Filter resources to only those the user has permission to access.