npm - @mastra/auth-workos - Versions diffs - 1.4.0 → 1.5.0 - Mend

@mastra/auth-workos 1.4.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +60 -0
package/dist/fga-provider.d.ts +6 -0
package/dist/fga-provider.d.ts.map +1 -1
package/dist/index.cjs +37 -21
package/dist/index.cjs.map +1 -1
package/dist/index.js +37 -21
package/dist/index.js.map +1 -1
package/package.json +4 -4

package/dist/index.js CHANGED Viewed

@@ -846,40 +846,56 @@ var MastraFGAWorkos = class {
    *
    * Resolves the user's organization membership ID, maps the permission
    * via `permissionMapping`, and delegates to `workos.authorization.check()`.
+   *
+   * When `params.permission` is an array, ANY-of semantics apply: returns true
+   * if any single permission in the array authorizes the user.
    */
   async check(user, params) {
-    const checkOptions = this.buildCheckOptions(user, params);
-    if (!checkOptions) return false;
-    try {
-      const result = await this.workos.authorization.check(checkOptions);
-      return result.authorized;
-    } catch (error) {
-      if (isWorkOSResourceNotFoundError(error)) {
-        return false;
+    const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
+    if (permissions.length === 0) return false;
+    for (const permission of permissions) {
+      const checkOptions = this.buildCheckOptions(user, { ...params, permission });
+      if (!checkOptions) continue;
+      try {
+        const result = await this.workos.authorization.check(checkOptions);
+        if (result.authorized) return true;
+      } catch (error) {
+        if (isWorkOSResourceNotFoundError(error)) continue;
+        throw error;
       }
-      throw error;
     }
+    return false;
   }
   /**
    * Require that a user has permission, throwing FGADeniedError if not.
+   *
+   * When `params.permission` is an array, ANY-of semantics apply: passes if any
+   * single permission authorizes the user; throws if none do.
    */
   async require(user, params) {
-    const checkOptions = this.buildCheckOptions(user, params, { strictMembershipResolution: true });
-    if (!checkOptions) {
+    const permissions = Array.isArray(params.permission) ? params.permission : [params.permission];
+    if (permissions.length === 0) {
       throw new FGADeniedError(user, params.resource, params.permission);
     }
-    try {
-      const result = await this.workos.authorization.check(checkOptions);
-      if (!result.authorized) {
-        throw new FGADeniedError(user, params.resource, params.permission);
-      }
-    } catch (error) {
-      if (error instanceof FGADeniedError) throw error;
-      if (isWorkOSResourceNotFoundError(error)) {
-        throw new FGADeniedError(user, params.resource, params.permission);
+    let lastError;
+    for (const permission of permissions) {
+      const checkOptions = this.buildCheckOptions(
+        user,
+        { ...params, permission },
+        { strictMembershipResolution: true }
+      );
+      if (!checkOptions) continue;
+      try {
+        const result = await this.workos.authorization.check(checkOptions);
+        if (result.authorized) return;
+      } catch (error) {
+        if (error instanceof FGADeniedError) throw error;
+        if (isWorkOSResourceNotFoundError(error)) continue;
+        lastError = error;
       }
-      throw error;
     }
+    if (lastError) throw lastError;
+    throw new FGADeniedError(user, params.resource, params.permission);
   }
   /**
    * Filter resources to only those the user has permission to access.