@meridianjs/auth 0.1.2 → 0.1.3

package/dist/index.d.mts

@@ -27,6 +27,7 @@ interface JwtPayload {
     sub: string;
     workspaceId: string | null;
     roles: string[];
+    permissions: string[];
     iat?: number;
     exp?: number;
 }
@@ -40,6 +41,8 @@ declare class AuthModuleService extends AuthModuleService_base {
     login(input: LoginInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
+    /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+    private resolvePermissions;
     private signToken;
 }
 
@@ -64,6 +67,19 @@ declare function authenticateJWT(req: any, res: Response, next: NextFunction): v
  * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
  */
 declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Permission guard — allows the request if `req.user.roles` includes "super-admin"
+ * (full bypass) or if `req.user.permissions` contains at least one of the listed
+ * permissions.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * export const POST = async (req, res) => {
+ *   requirePermission("project:create")(req, res, async () => { ... })
+ * }
+ */
+declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
  * param or body field does not match the authenticated user's workspace.
@@ -78,4 +94,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
 
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.d.ts

@@ -27,6 +27,7 @@ interface JwtPayload {
     sub: string;
     workspaceId: string | null;
     roles: string[];
+    permissions: string[];
     iat?: number;
     exp?: number;
 }
@@ -40,6 +41,8 @@ declare class AuthModuleService extends AuthModuleService_base {
     login(input: LoginInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
+    /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+    private resolvePermissions;
     private signToken;
 }
 
@@ -64,6 +67,19 @@ declare function authenticateJWT(req: any, res: Response, next: NextFunction): v
  * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
  */
 declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Permission guard — allows the request if `req.user.roles` includes "super-admin"
+ * (full bypass) or if `req.user.permissions` contains at least one of the listed
+ * permissions.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * export const POST = async (req, res) => {
+ *   requirePermission("project:create")(req, res, async () => { ... })
+ * }
+ */
+declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
  * param or body field does not match the authenticated user's workspace.
@@ -78,4 +94,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
 
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.js

@@ -34,6 +34,7 @@ __export(index_exports, {
   AuthModuleService: () => AuthModuleService,
   authenticateJWT: () => authenticateJWT,
   default: () => index_default,
+  requirePermission: () => requirePermission,
   requireRoles: () => requireRoles,
   requireWorkspace: () => requireWorkspace
 });
@@ -74,7 +75,8 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       role,
       is_active: true
     });
-    const token = this.signToken(user.id, null, [user.role], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const token = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
     return {
       user: {
         id: user.id,
@@ -102,7 +104,8 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     }
     await userService.recordLogin(user.id).catch(() => {
     });
-    const token = this.signToken(user.id, null, [user.role ?? "member"], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const token = this.signToken(user.id, null, [user.role ?? "member"], permissions, config.projectConfig.jwtSecret);
     return {
       user: {
         id: user.id,
@@ -117,8 +120,18 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
   verifyToken(token, secret) {
     return import_jsonwebtoken.default.verify(token, secret);
   }
-  signToken(userId, workspaceId, roles, secret) {
-    return import_jsonwebtoken.default.sign({ sub: userId, workspaceId, roles }, secret, {
+  /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+  async resolvePermissions(appRoleId) {
+    if (!appRoleId) return [];
+    try {
+      const appRoleService = this.container.resolve("appRoleModuleService");
+      return await appRoleService.getPermissionsForRole(appRoleId);
+    } catch {
+      return [];
+    }
+  }
+  signToken(userId, workspaceId, roles, permissions, secret) {
+    return import_jsonwebtoken.default.sign({ sub: userId, workspaceId, roles, permissions }, secret, {
       expiresIn: JWT_EXPIRES_IN
     });
   }
@@ -146,7 +159,8 @@ function authenticateJWT(req, res, next) {
     req.user = {
       id: payload.sub,
       workspaceId: payload.workspaceId ?? null,
-      roles: Array.isArray(payload.roles) ? payload.roles : []
+      roles: Array.isArray(payload.roles) ? payload.roles : [],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : []
     };
     next();
   } catch {
@@ -162,6 +176,15 @@ function requireRoles(...roles) {
     res.status(403).json({ error: { message: "Forbidden" } });
   };
 }
+function requirePermission(...permissions) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (userRoles.includes("super-admin")) return next();
+    const userPermissions = req.user?.permissions ?? [];
+    if (permissions.some((p) => userPermissions.includes(p))) return next();
+    res.status(403).json({ error: { message: "Forbidden \u2014 insufficient permissions" } });
+  };
+}
 function requireWorkspace(req, res, next) {
   const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
   if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
@@ -180,6 +203,7 @@ var index_default = (0, import_framework_utils2.Module)(AUTH_MODULE, {
   AUTH_MODULE,
   AuthModuleService,
   authenticateJWT,
+  requirePermission,
   requireRoles,
   requireWorkspace
 });

package/dist/index.mjs

@@ -35,7 +35,8 @@ var AuthModuleService = class extends MeridianService({}) {
       role,
       is_active: true
     });
-    const token = this.signToken(user.id, null, [user.role], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const token = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
     return {
       user: {
         id: user.id,
@@ -63,7 +64,8 @@ var AuthModuleService = class extends MeridianService({}) {
     }
     await userService.recordLogin(user.id).catch(() => {
     });
-    const token = this.signToken(user.id, null, [user.role ?? "member"], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const token = this.signToken(user.id, null, [user.role ?? "member"], permissions, config.projectConfig.jwtSecret);
     return {
       user: {
         id: user.id,
@@ -78,8 +80,18 @@ var AuthModuleService = class extends MeridianService({}) {
   verifyToken(token, secret) {
     return jwt.verify(token, secret);
   }
-  signToken(userId, workspaceId, roles, secret) {
-    return jwt.sign({ sub: userId, workspaceId, roles }, secret, {
+  /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+  async resolvePermissions(appRoleId) {
+    if (!appRoleId) return [];
+    try {
+      const appRoleService = this.container.resolve("appRoleModuleService");
+      return await appRoleService.getPermissionsForRole(appRoleId);
+    } catch {
+      return [];
+    }
+  }
+  signToken(userId, workspaceId, roles, permissions, secret) {
+    return jwt.sign({ sub: userId, workspaceId, roles, permissions }, secret, {
       expiresIn: JWT_EXPIRES_IN
     });
   }
@@ -107,7 +119,8 @@ function authenticateJWT(req, res, next) {
     req.user = {
       id: payload.sub,
       workspaceId: payload.workspaceId ?? null,
-      roles: Array.isArray(payload.roles) ? payload.roles : []
+      roles: Array.isArray(payload.roles) ? payload.roles : [],
+      permissions: Array.isArray(payload.permissions) ? payload.permissions : []
     };
     next();
   } catch {
@@ -123,6 +136,15 @@ function requireRoles(...roles) {
     res.status(403).json({ error: { message: "Forbidden" } });
   };
 }
+function requirePermission(...permissions) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (userRoles.includes("super-admin")) return next();
+    const userPermissions = req.user?.permissions ?? [];
+    if (permissions.some((p) => userPermissions.includes(p))) return next();
+    res.status(403).json({ error: { message: "Forbidden \u2014 insufficient permissions" } });
+  };
+}
 function requireWorkspace(req, res, next) {
   const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
   if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
@@ -141,6 +163,7 @@ export {
   AuthModuleService,
   authenticateJWT,
   index_default as default,
+  requirePermission,
   requireRoles,
   requireWorkspace
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",