@mastra/auth-workos 1.4.0 → 1.5.0-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +30 -0
- package/dist/fga-provider.d.ts +6 -0
- package/dist/fga-provider.d.ts.map +1 -1
- package/dist/index.cjs +37 -21
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +37 -21
- package/dist/index.js.map +1 -1
- package/package.json +3 -3
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,35 @@
|
|
|
1
1
|
# @mastra/auth-workos
|
|
2
2
|
|
|
3
|
+
## 1.5.0-alpha.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- FGA `check()` and `require()` now accept an array of permissions and short-circuit on the first one that resolves to allow (ANY-of semantics). Single-permission usage continues to work unchanged. ([#16605](https://github.com/mastra-ai/mastra/pull/16605))
|
|
8
|
+
|
|
9
|
+
```ts
|
|
10
|
+
// Before — one permission per call
|
|
11
|
+
await fgaProvider.check({
|
|
12
|
+
user,
|
|
13
|
+
resource: { type: 'agent', id: 'abc' },
|
|
14
|
+
permission: 'agents:read',
|
|
15
|
+
});
|
|
16
|
+
|
|
17
|
+
// After — single permission or ANY-of array
|
|
18
|
+
await fgaProvider.check({
|
|
19
|
+
user,
|
|
20
|
+
resource: { type: 'agent', id: 'abc' },
|
|
21
|
+
permission: ['agents:read', 'agents:execute'],
|
|
22
|
+
});
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
When all permissions in the array are denied, the thrown `FGADeniedError` lists them as `any of [a, b, c]` in its message.
|
|
26
|
+
|
|
27
|
+
### Patch Changes
|
|
28
|
+
|
|
29
|
+
- Updated dependencies [[`5ba7253`](https://github.com/mastra-ai/mastra/commit/5ba7253745c85e8df8012a76d954c640ffa336f7), [`f73980d`](https://github.com/mastra-ai/mastra/commit/f73980d651eb5f7f1ab20582de4615a1b6f10fce), [`9c88701`](https://github.com/mastra-ai/mastra/commit/9c8870195b41a38dc40b6ba2aa55eda04df8fa69), [`4e88dc6`](https://github.com/mastra-ai/mastra/commit/4e88dc6b89f154c0eae37221c8126be0c23c569f), [`19018f0`](https://github.com/mastra-ai/mastra/commit/19018f05722af74a5978781a7731a654b26f7f2a)]:
|
|
30
|
+
- @mastra/core@1.36.0-alpha.2
|
|
31
|
+
- @mastra/auth@1.0.2
|
|
32
|
+
|
|
3
33
|
## 1.4.0
|
|
4
34
|
|
|
5
35
|
### Minor Changes
|
package/dist/fga-provider.d.ts
CHANGED
|
@@ -73,10 +73,16 @@ export declare class MastraFGAWorkos implements IFGAManager<WorkOSUser> {
|
|
|
73
73
|
*
|
|
74
74
|
* Resolves the user's organization membership ID, maps the permission
|
|
75
75
|
* via `permissionMapping`, and delegates to `workos.authorization.check()`.
|
|
76
|
+
*
|
|
77
|
+
* When `params.permission` is an array, ANY-of semantics apply: returns true
|
|
78
|
+
* if any single permission in the array authorizes the user.
|
|
76
79
|
*/
|
|
77
80
|
check(user: WorkOSUser, params: FGACheckParams): Promise<boolean>;
|
|
78
81
|
/**
|
|
79
82
|
* Require that a user has permission, throwing FGADeniedError if not.
|
|
83
|
+
*
|
|
84
|
+
* When `params.permission` is an array, ANY-of semantics apply: passes if any
|
|
85
|
+
* single permission authorizes the user; throws if none do.
|
|
80
86
|
*/
|
|
81
87
|
require(user: WorkOSUser, params: FGACheckParams): Promise<void>;
|
|
82
88
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ3F,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAWrD;AAED,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,UAAU;CAQ7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,eAAgB,YAAW,WAAW,CAAC,UAAU,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,iBAAiB,CAAyB;IAClD,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IAC3D,QAAQ,CAAC,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IACrE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;gBAEjE,OAAO,EAAE,sBAAsB;IAyB3C
|
|
1
|
+
{"version":3,"file":"fga-provider.d.ts","sourceRoot":"","sources":["../src/fga-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,cAAc,EACd,WAAW,EACX,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,EACvB,iBAAiB,EACjB,aAAa,EACb,6BAA6B,EAC7B,wBAAwB,EACzB,MAAM,sBAAsB,CAAC;AAI9B,OAAO,KAAK,EAAE,sBAAsB,EAA2B,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ3F,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAEhB,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAWrD;AAED,qBAAa,kCAAmC,SAAQ,KAAK;IAC3D,QAAQ,CAAC,MAAM,OAAO;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;gBAEb,IAAI,EAAE,UAAU;CAQ7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AACH,qBAAa,eAAgB,YAAW,WAAW,CAAC,UAAU,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,eAAe,CAA0C;IACjE,OAAO,CAAC,iBAAiB,CAAyB;IAClD,QAAQ,CAAC,yBAAyB,CAAC,EAAE,OAAO,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;IAC3D,QAAQ,CAAC,eAAe,CAAC,EAAE,sBAAsB,CAAC,iBAAiB,CAAC,CAAC;IACrE,QAAQ,CAAC,mBAAmB,CAAC,EAAE,sBAAsB,CAAC,qBAAqB,CAAC,CAAC;gBAEjE,OAAO,EAAE,sBAAsB;IAyB3C;;;;;;;;OAQG;IACG,KAAK,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAkBvE;;;;;OAKG;IACG,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BtE;;;;;;;;;OASG;IACG,gBAAgB,CAAC,CAAC,SAAS;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,EAC7C,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,CAAC,EAAE,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,CAAC,EAAE,CAAC;IAuDf;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAkB3E;;OAEG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAK3D;;OAEG;IACG,aAAa,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAa9E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,WAAW,CAAC;IAS3E;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAuBnE;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IActD;;OAEG;IACG,mBAAmB,CAAC,OAAO,EAAE,6BAA6B,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAsB/F;;;;;;;;OAQG;IACH,OAAO,CAAC,+BAA+B;IAgCvC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAiB7B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,iBAAiB;IAgCzB,OAAO,CAAC,kBAAkB;IAsB1B;;OAEG;YACW,iCAAiC;IAgC/C;;OAEG;IACH,OAAO,CAAC,wBAAwB;CAWjC"}
|
package/dist/index.cjs
CHANGED
|
@@ -848,40 +848,56 @@ var MastraFGAWorkos = class {
|
|
|
848
848
|
*
|
|
849
849
|
* Resolves the user's organization membership ID, maps the permission
|
|
850
850
|
* via `permissionMapping`, and delegates to `workos.authorization.check()`.
|
|
851
|
+
*
|
|
852
|
+
* When `params.permission` is an array, ANY-of semantics apply: returns true
|
|
853
|
+
* if any single permission in the array authorizes the user.
|
|
851
854
|
*/
|
|
852
855
|
async check(user, params) {
|
|
853
|
-
const
|
|
854
|
-
if (
|
|
855
|
-
|
|
856
|
-
const
|
|
857
|
-
|
|
858
|
-
|
|
859
|
-
|
|
860
|
-
return
|
|
856
|
+
const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
|
|
857
|
+
if (permissions.length === 0) return false;
|
|
858
|
+
for (const permission of permissions) {
|
|
859
|
+
const checkOptions = this.buildCheckOptions(user, { ...params, permission });
|
|
860
|
+
if (!checkOptions) continue;
|
|
861
|
+
try {
|
|
862
|
+
const result = await this.workos.authorization.check(checkOptions);
|
|
863
|
+
if (result.authorized) return true;
|
|
864
|
+
} catch (error) {
|
|
865
|
+
if (isWorkOSResourceNotFoundError(error)) continue;
|
|
866
|
+
throw error;
|
|
861
867
|
}
|
|
862
|
-
throw error;
|
|
863
868
|
}
|
|
869
|
+
return false;
|
|
864
870
|
}
|
|
865
871
|
/**
|
|
866
872
|
* Require that a user has permission, throwing FGADeniedError if not.
|
|
873
|
+
*
|
|
874
|
+
* When `params.permission` is an array, ANY-of semantics apply: passes if any
|
|
875
|
+
* single permission authorizes the user; throws if none do.
|
|
867
876
|
*/
|
|
868
877
|
async require(user, params) {
|
|
869
|
-
const
|
|
870
|
-
if (
|
|
878
|
+
const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
|
|
879
|
+
if (permissions.length === 0) {
|
|
871
880
|
throw new ee.FGADeniedError(user, params.resource, params.permission);
|
|
872
881
|
}
|
|
873
|
-
|
|
874
|
-
|
|
875
|
-
|
|
876
|
-
|
|
877
|
-
|
|
878
|
-
|
|
879
|
-
|
|
880
|
-
if (
|
|
881
|
-
|
|
882
|
+
let lastError;
|
|
883
|
+
for (const permission of permissions) {
|
|
884
|
+
const checkOptions = this.buildCheckOptions(
|
|
885
|
+
user,
|
|
886
|
+
{ ...params, permission },
|
|
887
|
+
{ strictMembershipResolution: true }
|
|
888
|
+
);
|
|
889
|
+
if (!checkOptions) continue;
|
|
890
|
+
try {
|
|
891
|
+
const result = await this.workos.authorization.check(checkOptions);
|
|
892
|
+
if (result.authorized) return;
|
|
893
|
+
} catch (error) {
|
|
894
|
+
if (error instanceof ee.FGADeniedError) throw error;
|
|
895
|
+
if (isWorkOSResourceNotFoundError(error)) continue;
|
|
896
|
+
lastError = error;
|
|
882
897
|
}
|
|
883
|
-
throw error;
|
|
884
898
|
}
|
|
899
|
+
if (lastError) throw lastError;
|
|
900
|
+
throw new ee.FGADeniedError(user, params.resource, params.permission);
|
|
885
901
|
}
|
|
886
902
|
/**
|
|
887
903
|
* Filter resources to only those the user has permission to access.
|