@medplum/core 2.0.22 → 2.0.24

package/dist/esm/access.mjs

@@ -0,0 +1,142 @@
+import { parseCriteriaAsSearchRequest } from './search/search.mjs';
+import { matchesSearchRequest } from './search/match.mjs';
+
+/**
+ * Public resource types are in the "public" project.
+ * They are available to all users.
+ */
+const publicResourceTypes = [
+    'CapabilityStatement',
+    'CompartmentDefinition',
+    'ImplementationGuide',
+    'OperationDefinition',
+    'SearchParameter',
+    'StructureDefinition',
+];
+/**
+ * Protected resource types are in the "medplum" project.
+ * Reading and writing is limited to the system account.
+ */
+const protectedResourceTypes = ['DomainConfiguration', 'JsonWebKey', 'Login', 'User'];
+/**
+ * Project admin resource types are special resources that are only
+ * accessible to project administrators.
+ */
+const projectAdminResourceTypes = ['PasswordChangeRequest', 'Project', 'ProjectMembership'];
+/**
+ * Determines if the current user can read the specified resource type.
+ * @param accessPolicy The access policy.
+ * @param resourceType The resource type.
+ * @returns True if the current user can read the specified resource type.
+ */
+function canReadResourceType(accessPolicy, resourceType) {
+    if (accessPolicy.resource) {
+        for (const resourcePolicy of accessPolicy.resource) {
+            if (matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Determines if the current user can write the specified resource type.
+ * This is a preliminary check before evaluating a write operation in depth.
+ * If a user cannot write a resource type at all, then don't bother looking up previous versions.
+ * @param accessPolicy The access policy.
+ * @param resourceType The resource type.
+ * @returns True if the current user can write the specified resource type.
+ */
+function canWriteResourceType(accessPolicy, resourceType) {
+    if (protectedResourceTypes.includes(resourceType)) {
+        return false;
+    }
+    if (publicResourceTypes.includes(resourceType)) {
+        return false;
+    }
+    if (accessPolicy.resource) {
+        for (const resourcePolicy of accessPolicy.resource) {
+            if (matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType) && !resourcePolicy.readonly) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Determines if the current user can write the specified resource.
+ * This is a more in-depth check after building the candidate result of a write operation.
+ * @param accessPolicy The access policy.
+ * @param resource The resource.
+ * @returns True if the current user can write the specified resource type.
+ */
+function canWriteResource(accessPolicy, resource) {
+    const resourceType = resource.resourceType;
+    if (!canWriteResourceType(accessPolicy, resourceType)) {
+        return false;
+    }
+    return matchesAccessPolicy(accessPolicy, resource, false);
+}
+/**
+ * Returns true if the resource satisfies the current access policy.
+ * @param accessPolicy The access policy.
+ * @param resource The resource.
+ * @param readonlyMode True if the resource is being read.
+ * @returns True if the resource matches the access policy.
+ */
+function matchesAccessPolicy(accessPolicy, resource, readonlyMode) {
+    if (accessPolicy.resource) {
+        for (const resourcePolicy of accessPolicy.resource) {
+            if (matchesAccessPolicyResourcePolicy(resource, resourcePolicy, readonlyMode)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Returns true if the resource satisfies the specified access policy resource policy.
+ * @param resource The resource.
+ * @param resourcePolicy One per-resource policy section from the access policy.
+ * @param readonlyMode True if the resource is being read.
+ * @returns True if the resource matches the access policy.
+ */
+function matchesAccessPolicyResourcePolicy(resource, resourcePolicy, readonlyMode) {
+    const resourceType = resource.resourceType;
+    if (!matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType)) {
+        return false;
+    }
+    if (!readonlyMode && resourcePolicy.readonly) {
+        return false;
+    }
+    if (resourcePolicy.compartment &&
+        !resource.meta?.compartment?.find((c) => c.reference === resourcePolicy.compartment?.reference)) {
+        // Deprecated - to be removed
+        return false;
+    }
+    if (resourcePolicy.criteria &&
+        !matchesSearchRequest(resource, parseCriteriaAsSearchRequest(resourcePolicy.criteria))) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Returns true if the resource type matches the access policy resource type.
+ * @param accessPolicyResourceType The resource type from the access policy.
+ * @param resourceType The candidate resource resource type.
+ * @returns True if the resource type matches the access policy resource type.
+ */
+function matchesAccessPolicyResourceType(accessPolicyResourceType, resourceType) {
+    if (accessPolicyResourceType === resourceType) {
+        return true;
+    }
+    if (accessPolicyResourceType === '*' && !projectAdminResourceTypes.includes(resourceType)) {
+        // Project admin resource types are not allowed to be wildcarded
+        // Project admin resource types must be explicitly included
+        return true;
+    }
+    return false;
+}
+
+export { canReadResourceType, canWriteResource, canWriteResourceType, matchesAccessPolicy, projectAdminResourceTypes, protectedResourceTypes, publicResourceTypes };
+//# sourceMappingURL=access.mjs.map

package/dist/esm/access.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.mjs","sources":["../../src/access.ts"],"sourcesContent":["import { AccessPolicy, AccessPolicyResource, Resource, ResourceType } from '@medplum/fhirtypes';\nimport { parseCriteriaAsSearchRequest } from './search/search';\nimport { matchesSearchRequest } from './search/match';\n\n/**\n * Public resource types are in the \"public\" project.\n * They are available to all users.\n */\nexport const publicResourceTypes = [\n  'CapabilityStatement',\n  'CompartmentDefinition',\n  'ImplementationGuide',\n  'OperationDefinition',\n  'SearchParameter',\n  'StructureDefinition',\n];\n\n/**\n * Protected resource types are in the \"medplum\" project.\n * Reading and writing is limited to the system account.\n */\nexport const protectedResourceTypes = ['DomainConfiguration', 'JsonWebKey', 'Login', 'User'];\n\n/**\n * Project admin resource types are special resources that are only\n * accessible to project administrators.\n */\nexport const projectAdminResourceTypes = ['PasswordChangeRequest', 'Project', 'ProjectMembership'];\n\n/**\n * Determines if the current user can read the specified resource type.\n * @param accessPolicy The access policy.\n * @param resourceType The resource type.\n * @returns True if the current user can read the specified resource type.\n */\nexport function canReadResourceType(accessPolicy: AccessPolicy, resourceType: ResourceType): boolean {\n  if (accessPolicy.resource) {\n    for (const resourcePolicy of accessPolicy.resource) {\n      if (matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType)) {\n        return true;\n      }\n    }\n  }\n  return false;\n}\n\n/**\n * Determines if the current user can write the specified resource type.\n * This is a preliminary check before evaluating a write operation in depth.\n * If a user cannot write a resource type at all, then don't bother looking up previous versions.\n * @param accessPolicy The access policy.\n * @param resourceType The resource type.\n * @returns True if the current user can write the specified resource type.\n */\nexport function canWriteResourceType(accessPolicy: AccessPolicy, resourceType: ResourceType): boolean {\n  if (protectedResourceTypes.includes(resourceType)) {\n    return false;\n  }\n  if (publicResourceTypes.includes(resourceType)) {\n    return false;\n  }\n  if (accessPolicy.resource) {\n    for (const resourcePolicy of accessPolicy.resource) {\n      if (matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType) && !resourcePolicy.readonly) {\n        return true;\n      }\n    }\n  }\n  return false;\n}\n\n/**\n * Determines if the current user can write the specified resource.\n * This is a more in-depth check after building the candidate result of a write operation.\n * @param accessPolicy The access policy.\n * @param resource The resource.\n * @returns True if the current user can write the specified resource type.\n */\nexport function canWriteResource(accessPolicy: AccessPolicy, resource: Resource): boolean {\n  const resourceType = resource.resourceType;\n  if (!canWriteResourceType(accessPolicy, resourceType)) {\n    return false;\n  }\n  return matchesAccessPolicy(accessPolicy, resource, false);\n}\n\n/**\n * Returns true if the resource satisfies the current access policy.\n * @param accessPolicy The access policy.\n * @param resource The resource.\n * @param readonlyMode True if the resource is being read.\n * @returns True if the resource matches the access policy.\n */\nexport function matchesAccessPolicy(accessPolicy: AccessPolicy, resource: Resource, readonlyMode: boolean): boolean {\n  if (accessPolicy.resource) {\n    for (const resourcePolicy of accessPolicy.resource) {\n      if (matchesAccessPolicyResourcePolicy(resource, resourcePolicy, readonlyMode)) {\n        return true;\n      }\n    }\n  }\n  return false;\n}\n\n/**\n * Returns true if the resource satisfies the specified access policy resource policy.\n * @param resource The resource.\n * @param resourcePolicy One per-resource policy section from the access policy.\n * @param readonlyMode True if the resource is being read.\n * @returns True if the resource matches the access policy.\n */\nfunction matchesAccessPolicyResourcePolicy(\n  resource: Resource,\n  resourcePolicy: AccessPolicyResource,\n  readonlyMode: boolean\n): boolean {\n  const resourceType = resource.resourceType;\n  if (!matchesAccessPolicyResourceType(resourcePolicy.resourceType, resourceType)) {\n    return false;\n  }\n  if (!readonlyMode && resourcePolicy.readonly) {\n    return false;\n  }\n  if (\n    resourcePolicy.compartment &&\n    !resource.meta?.compartment?.find((c) => c.reference === resourcePolicy.compartment?.reference)\n  ) {\n    // Deprecated - to be removed\n    return false;\n  }\n  if (\n    resourcePolicy.criteria &&\n    !matchesSearchRequest(resource, parseCriteriaAsSearchRequest(resourcePolicy.criteria))\n  ) {\n    return false;\n  }\n  return true;\n}\n\n/**\n * Returns true if the resource type matches the access policy resource type.\n * @param accessPolicyResourceType The resource type from the access policy.\n * @param resourceType The candidate resource resource type.\n * @returns True if the resource type matches the access policy resource type.\n */\nfunction matchesAccessPolicyResourceType(\n  accessPolicyResourceType: string | undefined,\n  resourceType: ResourceType\n): boolean {\n  if (accessPolicyResourceType === resourceType) {\n    return true;\n  }\n  if (accessPolicyResourceType === '*' && !projectAdminResourceTypes.includes(resourceType)) {\n    // Project admin resource types are not allowed to be wildcarded\n    // Project admin resource types must be explicitly included\n    return true;\n  }\n  return false;\n}\n"],"names":[],"mappings":";;;AAIA;;;AAGG;AACU,MAAA,mBAAmB,GAAG;IACjC,qBAAqB;IACrB,uBAAuB;IACvB,qBAAqB;IACrB,qBAAqB;IACrB,iBAAiB;IACjB,qBAAqB;EACrB;AAEF;;;AAGG;AACI,MAAM,sBAAsB,GAAG,CAAC,qBAAqB,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE;AAE7F;;;AAGG;AACU,MAAA,yBAAyB,GAAG,CAAC,uBAAuB,EAAE,SAAS,EAAE,mBAAmB,EAAE;AAEnG;;;;;AAKG;AACa,SAAA,mBAAmB,CAAC,YAA0B,EAAE,YAA0B,EAAA;IACxF,IAAI,YAAY,CAAC,QAAQ,EAAE;AACzB,QAAA,KAAK,MAAM,cAAc,IAAI,YAAY,CAAC,QAAQ,EAAE;YAClD,IAAI,+BAA+B,CAAC,cAAc,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;AAC9E,gBAAA,OAAO,IAAI,CAAC;AACb,aAAA;AACF,SAAA;AACF,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;AAOG;AACa,SAAA,oBAAoB,CAAC,YAA0B,EAAE,YAA0B,EAAA;AACzF,IAAA,IAAI,sBAAsB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;AACjD,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;AACD,IAAA,IAAI,mBAAmB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;AAC9C,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;IACD,IAAI,YAAY,CAAC,QAAQ,EAAE;AACzB,QAAA,KAAK,MAAM,cAAc,IAAI,YAAY,CAAC,QAAQ,EAAE;AAClD,YAAA,IAAI,+BAA+B,CAAC,cAAc,CAAC,YAAY,EAAE,YAAY,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE;AAC1G,gBAAA,OAAO,IAAI,CAAC;AACb,aAAA;AACF,SAAA;AACF,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;AAMG;AACa,SAAA,gBAAgB,CAAC,YAA0B,EAAE,QAAkB,EAAA;AAC7E,IAAA,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;AAC3C,IAAA,IAAI,CAAC,oBAAoB,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;AACrD,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;IACD,OAAO,mBAAmB,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;AAMG;SACa,mBAAmB,CAAC,YAA0B,EAAE,QAAkB,EAAE,YAAqB,EAAA;IACvG,IAAI,YAAY,CAAC,QAAQ,EAAE;AACzB,QAAA,KAAK,MAAM,cAAc,IAAI,YAAY,CAAC,QAAQ,EAAE;YAClD,IAAI,iCAAiC,CAAC,QAAQ,EAAE,cAAc,EAAE,YAAY,CAAC,EAAE;AAC7E,gBAAA,OAAO,IAAI,CAAC;AACb,aAAA;AACF,SAAA;AACF,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;AAMG;AACH,SAAS,iCAAiC,CACxC,QAAkB,EAClB,cAAoC,EACpC,YAAqB,EAAA;AAErB,IAAA,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC;IAC3C,IAAI,CAAC,+BAA+B,CAAC,cAAc,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE;AAC/E,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;AACD,IAAA,IAAI,CAAC,YAAY,IAAI,cAAc,CAAC,QAAQ,EAAE;AAC5C,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;IACD,IACE,cAAc,CAAC,WAAW;QAC1B,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,SAAS,KAAK,cAAc,CAAC,WAAW,EAAE,SAAS,CAAC,EAC/F;;AAEA,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;IACD,IACE,cAAc,CAAC,QAAQ;QACvB,CAAC,oBAAoB,CAAC,QAAQ,EAAE,4BAA4B,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtF;AACA,QAAA,OAAO,KAAK,CAAC;AACd,KAAA;AACD,IAAA,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;AAKG;AACH,SAAS,+BAA+B,CACtC,wBAA4C,EAC5C,YAA0B,EAAA;IAE1B,IAAI,wBAAwB,KAAK,YAAY,EAAE;AAC7C,QAAA,OAAO,IAAI,CAAC;AACb,KAAA;IACD,IAAI,wBAAwB,KAAK,GAAG,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;;;AAGzF,QAAA,OAAO,IAAI,CAAC;AACb,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf;;;;"}

package/dist/esm/bundle.mjs

@@ -9,9 +9,9 @@
  */
 function convertToTransactionBundle(bundle) {
     for (const entry of bundle.entry || []) {
-        delete entry?.resource?.meta;
-        entry.fullUrl = 'urn:uuid:' + entry?.resource?.id;
-        delete entry?.resource?.id;
+        delete entry.resource?.meta;
+        entry.fullUrl = 'urn:uuid:' + entry.resource?.id;
+        delete entry.resource?.id;
     }
     const input = bundle.entry;
     const jsonString = JSON.stringify({

package/dist/esm/bundle.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"bundle.mjs","sources":["../../src/bundle.ts"],"sourcesContent":["import { Bundle } from '@medplum/fhirtypes';\n\n/**\n * More on Bundles can be found here\n * http://hl7.org/fhir/R4/bundle.html\n */\n\n/**\n * Takes a bundle and creates a Transaction Type bundle\n * @param bundle The Bundle object that we'll receive from the search query\n * @returns transaction type bundle\n */\nexport function convertToTransactionBundle(bundle: Bundle): Bundle {\n  for (const entry of bundle.entry || []) {\n    delete entry?.resource?.meta;\n    entry.fullUrl = 'urn:uuid:' + entry?.resource?.id;\n    delete entry?.resource?.id;\n  }\n  const input = bundle.entry;\n  const jsonString = JSON.stringify(\n    {\n      resourceType: 'Bundle',\n      type: 'transaction',\n      entry: input?.map((entry: any) => ({\n        fullUrl: entry.fullUrl,\n        request: { method: 'POST', url: entry.resource.resourceType },\n        resource: entry.resource,\n      })),\n    },\n    replacer,\n    2\n  );\n  return JSON.parse(jsonString);\n}\n\nfunction replacer(key: string, value: string): string {\n  if (key === 'reference' && typeof value === 'string' && value.includes('/')) {\n    return 'urn:uuid:' + value.split('/')[1];\n  }\n  return value;\n}\n"],"names":[],"mappings":"AAEA;;;AAGG;AAEH;;;;AAIG;AACG,SAAU,0BAA0B,CAAC,MAAc,EAAA;IACvD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;AACtC,QAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC;QAC7B,KAAK,CAAC,OAAO,GAAG,WAAW,GAAG,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC;AAClD,QAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC;AAC5B,KAAA;AACD,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;AAC3B,IAAA,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAC/B;AACE,QAAA,YAAY,EAAE,QAAQ;AACtB,QAAA,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,KAAU,MAAM;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;AACtB,YAAA,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC7D,QAAQ,EAAE,KAAK,CAAC,QAAQ;AACzB,SAAA,CAAC,CAAC;AACJ,KAAA,EACD,QAAQ,EACR,CAAC,CACF,CAAC;AACF,IAAA,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW,EAAE,KAAa,EAAA;AAC1C,IAAA,IAAI,GAAG,KAAK,WAAW,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;QAC3E,OAAO,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf;;;;"}
+{"version":3,"file":"bundle.mjs","sources":["../../src/bundle.ts"],"sourcesContent":["import { Bundle } from '@medplum/fhirtypes';\n\n/**\n * More on Bundles can be found here\n * http://hl7.org/fhir/R4/bundle.html\n */\n\n/**\n * Takes a bundle and creates a Transaction Type bundle\n * @param bundle The Bundle object that we'll receive from the search query\n * @returns transaction type bundle\n */\nexport function convertToTransactionBundle(bundle: Bundle): Bundle {\n  for (const entry of bundle.entry || []) {\n    delete entry.resource?.meta;\n    entry.fullUrl = 'urn:uuid:' + entry.resource?.id;\n    delete entry.resource?.id;\n  }\n  const input = bundle.entry;\n  const jsonString = JSON.stringify(\n    {\n      resourceType: 'Bundle',\n      type: 'transaction',\n      entry: input?.map((entry: any) => ({\n        fullUrl: entry.fullUrl,\n        request: { method: 'POST', url: entry.resource.resourceType },\n        resource: entry.resource,\n      })),\n    },\n    replacer,\n    2\n  );\n  return JSON.parse(jsonString);\n}\n\nfunction replacer(key: string, value: string): string {\n  if (key === 'reference' && typeof value === 'string' && value.includes('/')) {\n    return 'urn:uuid:' + value.split('/')[1];\n  }\n  return value;\n}\n"],"names":[],"mappings":"AAEA;;;AAGG;AAEH;;;;AAIG;AACG,SAAU,0BAA0B,CAAC,MAAc,EAAA;IACvD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE;AACtC,QAAA,OAAO,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC;QAC5B,KAAK,CAAC,OAAO,GAAG,WAAW,GAAG,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;AACjD,QAAA,OAAO,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;AAC3B,KAAA;AACD,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;AAC3B,IAAA,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAC/B;AACE,QAAA,YAAY,EAAE,QAAQ;AACtB,QAAA,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,KAAU,MAAM;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;AACtB,YAAA,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;YAC7D,QAAQ,EAAE,KAAK,CAAC,QAAQ;AACzB,SAAA,CAAC,CAAC;AACJ,KAAA,EACD,QAAQ,EACR,CAAC,CACF,CAAC;AACF,IAAA,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW,EAAE,KAAa,EAAA;AAC1C,IAAA,IAAI,GAAG,KAAK,WAAW,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;QAC3E,OAAO,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,KAAA;AACD,IAAA,OAAO,KAAK,CAAC;AACf;;;;"}

package/dist/esm/client.mjs

@@ -3,7 +3,7 @@ import { LRUCache } from './cache.mjs';
 import { getRandomString, encryptSHA256 } from './crypto.mjs';
 import { EventTarget } from './eventtarget.mjs';
 import { parseJWTPayload } from './jwt.mjs';
-import { OperationOutcomeError, notFound, normalizeOperationOutcome, isOk } from './outcomes.mjs';
+import { isOperationOutcome, OperationOutcomeError, notFound, normalizeOperationOutcome, isOk, badRequest } from './outcomes.mjs';
 import { ReadablePromise } from './readablepromise.mjs';
 import { ClientStorage } from './storage.mjs';
 import { globalSchema, indexStructureDefinition, indexSearchParameter } from './types.mjs';
@@ -11,7 +11,7 @@ import { createReference, arrayBufferToBase64 } from './utils.mjs';
 
 // PKCE auth based on:
 // https://aws.amazon.com/blogs/security/how-to-add-authentication-single-page-web-application-with-amazon-cognito-oauth2-implementation/
-const MEDPLUM_VERSION = "2.0.22-f51ac45a" ;
+const MEDPLUM_VERSION = "2.0.24-8a2dc16" ;
 const DEFAULT_BASE_URL = 'https://api.medplum.com/';
 const DEFAULT_RESOURCE_CACHE_SIZE = 1000;
 const DEFAULT_CACHE_TIME = 60000; // 60 seconds
@@ -107,7 +107,7 @@ class MedplumClient extends EventTarget {
                 throw new Error('Base URL must start with http or https');
             }
         }
-        this.fetch = options?.fetch || getDefaultFetch();
+        this.fetch = options?.fetch ?? getDefaultFetch();
         this.storage = options?.storage || new ClientStorage();
         this.createPdfImpl = options?.createPdf;
         this.baseUrl = ensureTrailingSlash(options?.baseUrl) || DEFAULT_BASE_URL;
@@ -125,7 +125,7 @@ class MedplumClient extends EventTarget {
             this.requestCache = undefined;
         }
         if (options?.autoBatchTime) {
-            this.autoBatchTime = options?.autoBatchTime ?? 0;
+            this.autoBatchTime = options.autoBatchTime ?? 0;
             this.autoBatchQueue = [];
         }
         else {
@@ -150,6 +150,16 @@ class MedplumClient extends EventTarget {
     getBaseUrl() {
         return this.baseUrl;
     }
+    /**
+     * Returns the current authorize URL.
+     * By default, this is set to `https://api.medplum.com/oauth2/authorize`.
+     * This can be overridden by setting the `authorizeUrl` option when creating the client.
+     * @category HTTP
+     * @returns The current authorize URL.
+     */
+    getAuthorizeUrl() {
+        return this.authorizeUrl;
+    }
     /**
      * Clears all auth state including local storage and session storage.
      * @category Authentication
@@ -171,8 +181,7 @@ class MedplumClient extends EventTarget {
         this.requestCache?.clear();
         this.accessToken = undefined;
         this.refreshToken = undefined;
-        this.profile = undefined;
-        this.config = undefined;
+        this.sessionDetails = undefined;
         this.dispatchEvent({ type: 'change' });
     }
     /**
@@ -681,12 +690,12 @@ class MedplumClient extends EventTarget {
         while (url) {
             const searchParams = new URL(url).searchParams;
             const bundle = await this.search(resourceType, searchParams, options);
-            const nextLink = bundle?.link?.find((link) => link.relation === 'next');
-            if (!bundle?.entry?.length && !nextLink) {
+            const nextLink = bundle.link?.find((link) => link.relation === 'next');
+            if (!bundle.entry?.length && !nextLink) {
                 break;
             }
-            yield bundle?.entry?.map((e) => e.resource) ?? [];
-            url = nextLink?.url ? new URL(nextLink?.url) : undefined;
+            yield bundle.entry?.map((e) => e.resource) ?? [];
+            url = nextLink?.url ? new URL(nextLink.url) : undefined;
         }
     }
     /**
@@ -713,7 +722,7 @@ class MedplumClient extends EventTarget {
      */
     getCached(resourceType, id) {
         const cached = this.requestCache?.get(this.fhirUrl(resourceType, id).toString())?.value;
-        return cached && cached.isOk() ? cached.read() : undefined;
+        return cached?.isOk() ? cached.read() : undefined;
     }
     /**
      * Returns a cached resource if it is available.
@@ -775,7 +784,7 @@ class MedplumClient extends EventTarget {
      * @returns The resource if available; undefined otherwise.
      */
     readReference(reference, options) {
-        const refString = reference?.reference;
+        const refString = reference.reference;
         if (!refString) {
             return new ReadablePromise(Promise.reject(new Error('Missing reference')));
         }
@@ -1451,8 +1460,7 @@ class MedplumClient extends EventTarget {
     setAccessToken(accessToken) {
         this.accessToken = accessToken;
         this.refreshToken = undefined;
-        this.profile = undefined;
-        this.config = undefined;
+        this.sessionDetails = undefined;
     }
     /**
      * Returns the list of available logins.
@@ -1475,10 +1483,9 @@ class MedplumClient extends EventTarget {
             this.get('auth/me')
                 .then((result) => {
                 this.profilePromise = undefined;
-                this.profile = result.profile;
-                this.config = result.config;
+                this.sessionDetails = result;
                 this.dispatchEvent({ type: 'change' });
-                resolve(this.profile);
+                resolve(result.profile);
             })
                 .catch(reject);
         });
@@ -1492,6 +1499,38 @@ class MedplumClient extends EventTarget {
     isLoading() {
         return !!this.profilePromise;
     }
+    /**
+     * Returns true if the current user is authenticated as a super admin.
+     * @returns True if the current user is authenticated as a super admin.
+     * @category Authentication
+     */
+    isSuperAdmin() {
+        return !!this.sessionDetails?.project.superAdmin;
+    }
+    /**
+     * Returns true if the current user is authenticated as a project admin.
+     * @returns True if the current user is authenticated as a project admin.
+     * @category Authentication
+     */
+    isProjectAdmin() {
+        return !!this.sessionDetails?.membership.admin;
+    }
+    /**
+     * Returns the current project if available.
+     * @returns The current project if available.
+     * @category User Profile
+     */
+    getProject() {
+        return this.sessionDetails?.project;
+    }
+    /**
+     * Returns the current project membership if available.
+     * @returns The current project membership if available.
+     * @category User Profile
+     */
+    getProjectMembership() {
+        return this.sessionDetails?.membership;
+    }
     /**
      * Returns the current user profile resource if available.
      * This method does not wait for loading promises.
@@ -1499,7 +1538,7 @@ class MedplumClient extends EventTarget {
      * @category User Profile
      */
     getProfile() {
-        return this.profile;
+        return this.sessionDetails?.profile;
     }
     /**
      * Returns the current user profile resource if available.
@@ -1519,7 +1558,15 @@ class MedplumClient extends EventTarget {
      * @category User Profile
      */
     getUserConfiguration() {
-        return this.config;
+        return this.sessionDetails?.config;
+    }
+    /**
+     * Returns the current user access policy if available.
+     * @returns The current user access policy if available.
+     * @category User Profile
+     */
+    getAccessPolicy() {
+        return this.sessionDetails?.accessPolicy;
     }
     /**
      * Downloads the URL as a blob.
@@ -1565,7 +1612,9 @@ class MedplumClient extends EventTarget {
      * @param options Optional fetch options.
      * @returns Bulk Data Response containing links to Bulk Data files. See "Response - Complete Status" for full details: https://build.fhir.org/ig/HL7/bulk-data/export.html#response---complete-status
      */
-    async bulkExport(exportLevel = '', resourceTypes, since, options = {}) {
+    async bulkExport(
+    //eslint-disable-next-line default-param-last
+    exportLevel = '', resourceTypes, since, options) {
         const fhirPath = exportLevel ? `${exportLevel}/` : exportLevel;
         const url = this.fhirUrl(`${fhirPath}$export`);
         if (resourceTypes) {
@@ -1574,17 +1623,35 @@ class MedplumClient extends EventTarget {
         if (since) {
             url.searchParams.set('_since', since);
         }
+        return this.startAsyncRequest(url.toString(), options);
+    }
+    /**
+     * Starts an async request following the FHIR "Asynchronous Request Pattern".
+     * See: https://hl7.org/fhir/r4/async.html
+     * @param url The URL to request.
+     * @param options Optional fetch options.
+     * @returns The response body.
+     */
+    async startAsyncRequest(url, options = {}) {
         this.addFetchOptionsDefaults(options);
         const headers = options.headers;
         headers['Prefer'] = 'respond-async';
-        const response = await this.fetchWithRetry(url.toString(), options);
+        const response = await this.fetchWithRetry(url, options);
         if (response.status === 202) {
+            // Accepted content location can come from multiple sources
+            // The authoritative source is the "Content-Location" HTTP header.
             const contentLocation = response.headers.get('content-location');
             if (contentLocation) {
-                return await this.pollStatus(contentLocation);
+                return this.pollStatus(contentLocation);
+            }
+            // However, "Content-Location" may not be available due to CORS limitations.
+            // In this case, we use the OperationOutcome.diagnostics field.
+            const body = await response.json();
+            if (isOperationOutcome(body) && body.issue?.[0]?.diagnostics) {
+                return this.pollStatus(body.issue[0].diagnostics);
             }
         }
-        return await this.parseResponse(response, 'POST', url.toString());
+        return this.parseResponse(response, 'POST', url);
     }
     //
     // Private helpers
@@ -1646,13 +1713,10 @@ class MedplumClient extends EventTarget {
         if (this.refreshPromise) {
             await this.refreshPromise;
         }
-        if (!url.startsWith('http')) {
-            url = this.baseUrl + url;
-        }
         options.method = method;
         this.addFetchOptionsDefaults(options);
         const response = await this.fetchWithRetry(url, options);
-        return await this.parseResponse(response, method, url, options);
+        return this.parseResponse(response, method, url, options);
     }
     async parseResponse(response, method, url, options = {}) {
         if (response.status === 401) {
@@ -1683,6 +1747,9 @@ class MedplumClient extends EventTarget {
         return obj;
     }
     async fetchWithRetry(url, options) {
+        if (!url.startsWith('http')) {
+            url = this.baseUrl + url;
+        }
         const maxRetries = 3;
         const retryDelay = 200;
         let response = undefined;
@@ -1696,14 +1763,16 @@ class MedplumClient extends EventTarget {
             catch (err) {
                 this.retryCatch(retry, maxRetries, err);
             }
-            await new Promise((resolve) => setTimeout(resolve, retryDelay));
+            await new Promise((resolve) => {
+                setTimeout(resolve, retryDelay);
+            });
         }
         return response;
     }
     async pollStatus(statusUrl) {
         let checkStatus = true;
         let resultResponse;
-        const retryDelay = 200;
+        const retryDelay = 2000;
         while (checkStatus) {
             const fetchOptions = {};
             this.addFetchOptionsDefaults(fetchOptions);
@@ -1712,9 +1781,11 @@ class MedplumClient extends EventTarget {
                 checkStatus = false;
                 resultResponse = statusResponse;
             }
-            await new Promise((resolve) => setTimeout(resolve, retryDelay));
+            await new Promise((resolve) => {
+                setTimeout(resolve, retryDelay);
+            });
         }
-        return await this.parseResponse(resultResponse, 'POST', statusUrl);
+        return this.parseResponse(resultResponse, 'POST', statusUrl);
     }
     /**
      * Executes a batch of requests that were automatically batched together.
@@ -1850,7 +1921,7 @@ class MedplumClient extends EventTarget {
         const codeVerifier = getRandomString();
         sessionStorage.setItem('codeVerifier', codeVerifier);
         const arrayHash = await encryptSHA256(codeVerifier);
-        const codeChallenge = arrayBufferToBase64(arrayHash).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+        const codeChallenge = arrayBufferToBase64(arrayHash).replaceAll('+', '-').replaceAll('/', '_').replaceAll('=', '');
         sessionStorage.setItem('codeChallenge', codeChallenge);
         return { codeChallengeMethod: 'S256', codeChallenge };
     }
@@ -1963,7 +2034,7 @@ class MedplumClient extends EventTarget {
      * Invite a user to a project.
      * @param projectId The project ID.
      * @param body The InviteBody.
-     * @returns Promise that returns an invite result or an operation outcome.
+     * @returns Promise that returns a project membership or an operation outcome.
      */
     async invite(projectId, body) {
         return this.post('admin/projects/' + projectId + '/invite', body);
@@ -1988,7 +2059,13 @@ class MedplumClient extends EventTarget {
         const response = await this.fetch(this.tokenUrl, options);
         if (!response.ok) {
             this.clearActiveLogin();
-            throw new Error('Failed to fetch tokens');
+            try {
+                const error = await response.json();
+                throw new OperationOutcomeError(badRequest(error.error_description));
+            }
+            catch (err) {
+                throw new OperationOutcomeError(badRequest('Failed to fetch tokens'), err);
+            }
         }
         const tokens = await response.json();
         await this.verifyTokens(tokens);