@moostjs/arbac 0.5.27

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 moostjs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,117 @@
+# @moostjs/arbac
+
+Advanced Role-Based Access Control (ARBAC) integration for MoostJS, enabling seamless authorization management with `@prostojs/arbac` while leveraging Moost's dependency injection and metadata-driven event processing capabilities.
+
+## Features
+
+- **MoostJS Integration** – Provides decorators and utilities for enforcing access control.
+- **Role & Scope-Based Authorization** – Supports fine-grained access control based on user roles and attributes.
+- **Dependency Injection Support** – Utilizes MoostJS's DI system for injecting ARBAC services.
+- **Easy Decorators** – Define resource-based access rules with simple decorators.
+
+## Installation
+
+```sh
+npm install @moostjs/arbac
+```
+
+or using pnpm:
+
+```sh
+pnpm i @moostjs/arbac
+```
+
+## Quick Start
+
+### Setup `MoostArbac`
+
+To integrate ARBAC into your MoostJS application, define an instance of `MoostArbac`, register roles, and provide it as a dependency.
+
+```typescript
+import { createProvideRegistry } from 'moost'
+import { MoostArbac } from '@moostjs/arbac'
+import * as roles from './roles'
+import type { TRoleScope, TUserAttrs } from './types'
+
+export const ArbacProvideRegistry = createProvideRegistry([
+  MoostArbac,
+  () => {
+    const instance = new MoostArbac<TUserAttrs, TRoleScope>()
+    for (const role of roles) {
+      instance.registerRole(role)
+    }
+    return instance
+  },
+])
+```
+
+### Define a Custom User Provider
+
+To integrate user attributes and roles dynamically, replace the generic `ArbacUserProvider` with an application-specific implementation.
+
+```typescript
+import { createReplaceRegistry } from 'moost'
+import { ArbacUserProvider } from '@moostjs/arbac'
+import { CustomUserProvider } from './custom-user-provider'
+
+export const ArbacReplaceRegistry = createReplaceRegistry([ArbacUserProvider, CustomUserProvider])
+```
+
+### Register ARBAC in Moost Application
+
+```typescript
+import { App } from 'moost'
+import { ArbacProvideRegistry, ArbacReplaceRegistry } from './arbac-setup'
+
+const app = new App()
+app.setProvideRegistry(ArbacProvideRegistry)
+app.setReplaceRegistry(ArbacReplaceRegistry)
+```
+
+### Protect Routes with `@Authorized()`
+
+```typescript
+import { Authorized, Public } from '@moostjs/arbac'
+import { Controller, Get } from 'moost'
+
+@Controller('/data')
+@ArbacAuthorized()
+export class DataController {
+  @Get()
+  getProtectedData() {
+    return { data: 'secured' }
+  }
+
+  @Get('/public')
+  @ArbacPublic()
+  getPublicData() {
+    return { data: 'open' }
+  }
+}
+```
+
+## API
+
+### `MoostArbac<TUserAttrs, TScope>`
+
+Extends `@prostojs/arbac` and integrates with MoostJS DI.
+
+### `ArbacUserProvider<TUserAttrs>`
+
+Abstract class for defining user-related access control logic.
+
+### `@ArbacAuthorized()`
+
+Method decorator to enforce ARBAC checks.
+
+### `@ArbacPublic()`
+
+Marks a route as publicly accessible, bypassing authorization.
+
+### `useArbac()`
+
+Composable function for evaluating access control dynamically.
+
+## License
+
+MIT

package/dist/index.cjs

@@ -0,0 +1,163 @@
+"use strict";
+//#region rolldown:runtime
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+		key = keys[i];
+		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+			get: ((k) => from[k]).bind(null, key),
+			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+		});
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+
+//#endregion
+const moost = __toESM(require("moost"));
+const __prostojs_arbac = __toESM(require("@prostojs/arbac"));
+const __wooksjs_event_http = __toESM(require("@wooksjs/event-http"));
+
+//#region packages/arbac/src/moost-arbac.ts
+function _ts_decorate$1(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+var MoostArbac = class extends __prostojs_arbac.Arbac {};
+MoostArbac = _ts_decorate$1([(0, moost.Injectable)()], MoostArbac);
+
+//#endregion
+//#region packages/arbac/src/user.provider.ts
+function _ts_decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+var ArbacUserProvider = class {
+	/**
+	* Retrieves the unique identifier of the user.
+	*
+	* @returns {string | Promise<string>} The user ID, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getUserId() {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+	/**
+	* Retrieves the roles assigned to a user based on their ID.
+	*
+	* @param {string} id - The user ID.
+	* @returns {string[] | Promise<string[]>} An array of role identifiers, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getRoles(id) {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+	/**
+	* Retrieves the attributes associated with a user based on their ID.
+	*
+	* @param {string} id - The user ID.
+	* @returns {TUserAttrs | Promise<TUserAttrs>} The user attributes, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getAttrs(id) {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+};
+ArbacUserProvider = _ts_decorate([(0, moost.Injectable)()], ArbacUserProvider);
+
+//#endregion
+//#region packages/arbac/src/arbac.composables.ts
+function useArbac() {
+	const store = (0, moost.useAsyncEventContext)().store("arbac");
+	const cc = (0, moost.useControllerContext)();
+	const getScopes = () => store.get("scopes");
+	const setScopes = (scope) => store.set("scopes", scope);
+	const evaluate = async (opts) => {
+		const user = await cc.instantiate(ArbacUserProvider);
+		const userId = await user.getUserId();
+		const arbac = await cc.instantiate(MoostArbac);
+		const result = await arbac.evaluate(opts, {
+			id: userId,
+			roles: await user.getRoles(userId),
+			attrs: async (id) => user.getAttrs(id)
+		});
+		Object.assign(result, { userId });
+		return result;
+	};
+	const cMeta = cc.getControllerMeta();
+	const mMeta = cc.getMethodMeta();
+	const resource = mMeta?.arbacResourceId || cMeta?.arbacResourceId || cMeta?.id || (0, moost.getConstructor)(cc.getController()).name;
+	const action = mMeta?.arbacActionId || mMeta?.id || cc.getMethod() || "";
+	const isPublic = mMeta?.arbacPublic || cMeta?.arbacPublic || false;
+	return {
+		getScopes,
+		setScopes,
+		evaluate,
+		resource,
+		action,
+		isPublic
+	};
+}
+
+//#endregion
+//#region packages/arbac/src/arbac.mate.ts
+function getArbacMate() {
+	return (0, moost.getMoostMate)();
+}
+
+//#endregion
+//#region packages/arbac/src/arbac.decorator.ts
+const arbackAuthorizeInterceptor = (0, moost.defineInterceptorFn)(async (before, after, onError) => {
+	const logger = (0, moost.useEventLogger)("arbac");
+	const { setScopes, evaluate, resource, action, isPublic } = useArbac();
+	if (!action || !resource || isPublic) return;
+	try {
+		const { allowed, scopes, userId } = await evaluate({
+			resource,
+			action
+		});
+		logger.debug(`[${userId}] ${allowed ? "Authorized" : "Blocked"} "${resource}" : "${action}"`);
+		if (!allowed) throw new __wooksjs_event_http.HttpError(403, `Insufficient privileges for action "${action}" on resource "${resource}"`);
+		setScopes(scopes);
+	} catch (error) {
+		if (error instanceof __wooksjs_event_http.HttpError) throw error;
+		logger.warn(error);
+		throw new __wooksjs_event_http.HttpError(401, `Authorization error`);
+	}
+}, moost.TInterceptorPriority.GUARD);
+const ArbacAuthorize = () => (0, moost.Intercept)(arbackAuthorizeInterceptor);
+const ArbacScopes = () => (0, moost.Resolve)(() => useArbac().getScopes());
+const ArbacResource = (name) => getArbacMate().decorate("arbacResourceId", name);
+const ArbacAction = (name) => getArbacMate().decorate("arbacActionId", name);
+const ArbacPublic = () => getArbacMate().decorate("arbacPublic", true);
+
+//#endregion
+exports.ArbacAction = ArbacAction
+exports.ArbacAuthorize = ArbacAuthorize
+exports.ArbacPublic = ArbacPublic
+exports.ArbacResource = ArbacResource
+exports.ArbacScopes = ArbacScopes
+Object.defineProperty(exports, 'ArbacUserProvider', {
+  enumerable: true,
+  get: function () {
+    return ArbacUserProvider;
+  }
+});
+Object.defineProperty(exports, 'MoostArbac', {
+  enumerable: true,
+  get: function () {
+    return MoostArbac;
+  }
+});
+exports.arbackAuthorizeInterceptor = arbackAuthorizeInterceptor
+exports.getArbacMate = getArbacMate
+exports.useArbac = useArbac

package/dist/index.d.ts

@@ -0,0 +1,47 @@
+import * as _prostojs_arbac from '@prostojs/arbac';
+import { Arbac } from '@prostojs/arbac';
+import * as moost from 'moost';
+import { Mate, TMoostMetadata, TMateParamMeta } from 'moost';
+
+declare function useArbac<TScope extends object>(): {
+    getScopes: () => TScope[] | undefined;
+    setScopes: (scope: TScope[] | undefined) => TScope[] | undefined;
+    evaluate: (opts: {
+        resource: string;
+        action: string;
+    }) => Promise<_prostojs_arbac.TArbacEvalResult<TScope> & {
+        userId: string;
+    }>;
+    resource: string;
+    action: string;
+    isPublic: boolean;
+};
+
+declare const arbackAuthorizeInterceptor: moost.TInterceptorFn;
+declare const ArbacAuthorize: () => ClassDecorator & MethodDecorator;
+declare const ArbacScopes: () => ParameterDecorator & PropertyDecorator;
+declare const ArbacResource: (name: string) => MethodDecorator & ClassDecorator & ParameterDecorator & PropertyDecorator;
+declare const ArbacAction: (name: string) => MethodDecorator & ClassDecorator & ParameterDecorator & PropertyDecorator;
+declare const ArbacPublic: () => MethodDecorator & ClassDecorator & ParameterDecorator & PropertyDecorator;
+
+interface TArbacMeta {
+    arbacResourceId?: string;
+    arbacActionId?: string;
+    arbacPublic?: boolean;
+}
+declare function getArbacMate(): Mate<TMoostMetadata & TArbacMeta & {
+    params: Array<TMateParamMeta>;
+}, TMoostMetadata & TArbacMeta & {
+    params: Array<TMateParamMeta>;
+}>;
+
+declare class MoostArbac<TUserAttrs extends object, TScope extends object> extends Arbac<TUserAttrs, TScope> {
+}
+
+declare class ArbacUserProvider<TUserAttrs extends object> {
+    getUserId(): string | Promise<string>;
+    getRoles(id: string): string[] | Promise<string[]>;
+    getAttrs(id: string): TUserAttrs | Promise<TUserAttrs>;
+}
+
+export { ArbacAction, ArbacAuthorize, ArbacPublic, ArbacResource, ArbacScopes, ArbacUserProvider, MoostArbac, type TArbacMeta, arbackAuthorizeInterceptor, getArbacMate, useArbac };

package/dist/index.mjs

@@ -0,0 +1,120 @@
+import { Injectable, Intercept, Resolve, TInterceptorPriority, defineInterceptorFn, getConstructor, getMoostMate, useAsyncEventContext, useControllerContext, useEventLogger } from "moost";
+import { Arbac } from "@prostojs/arbac";
+import { HttpError } from "@wooksjs/event-http";
+
+//#region packages/arbac/src/moost-arbac.ts
+function _ts_decorate$1(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+var MoostArbac = class extends Arbac {};
+MoostArbac = _ts_decorate$1([Injectable()], MoostArbac);
+
+//#endregion
+//#region packages/arbac/src/user.provider.ts
+function _ts_decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+var ArbacUserProvider = class {
+	/**
+	* Retrieves the unique identifier of the user.
+	*
+	* @returns {string | Promise<string>} The user ID, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getUserId() {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+	/**
+	* Retrieves the roles assigned to a user based on their ID.
+	*
+	* @param {string} id - The user ID.
+	* @returns {string[] | Promise<string[]>} An array of role identifiers, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getRoles(id) {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+	/**
+	* Retrieves the attributes associated with a user based on their ID.
+	*
+	* @param {string} id - The user ID.
+	* @returns {TUserAttrs | Promise<TUserAttrs>} The user attributes, or a rejected promise if not implemented.
+	* @throws {Error} If the method is not overridden by a subclass.
+	*/ getAttrs(id) {
+		return Promise.reject(new Error("ArbacUserProvider class must be extended"));
+	}
+};
+ArbacUserProvider = _ts_decorate([Injectable()], ArbacUserProvider);
+
+//#endregion
+//#region packages/arbac/src/arbac.composables.ts
+function useArbac() {
+	const store = useAsyncEventContext().store("arbac");
+	const cc = useControllerContext();
+	const getScopes = () => store.get("scopes");
+	const setScopes = (scope) => store.set("scopes", scope);
+	const evaluate = async (opts) => {
+		const user = await cc.instantiate(ArbacUserProvider);
+		const userId = await user.getUserId();
+		const arbac = await cc.instantiate(MoostArbac);
+		const result = await arbac.evaluate(opts, {
+			id: userId,
+			roles: await user.getRoles(userId),
+			attrs: async (id) => user.getAttrs(id)
+		});
+		Object.assign(result, { userId });
+		return result;
+	};
+	const cMeta = cc.getControllerMeta();
+	const mMeta = cc.getMethodMeta();
+	const resource = mMeta?.arbacResourceId || cMeta?.arbacResourceId || cMeta?.id || getConstructor(cc.getController()).name;
+	const action = mMeta?.arbacActionId || mMeta?.id || cc.getMethod() || "";
+	const isPublic = mMeta?.arbacPublic || cMeta?.arbacPublic || false;
+	return {
+		getScopes,
+		setScopes,
+		evaluate,
+		resource,
+		action,
+		isPublic
+	};
+}
+
+//#endregion
+//#region packages/arbac/src/arbac.mate.ts
+function getArbacMate() {
+	return getMoostMate();
+}
+
+//#endregion
+//#region packages/arbac/src/arbac.decorator.ts
+const arbackAuthorizeInterceptor = defineInterceptorFn(async (before, after, onError) => {
+	const logger = useEventLogger("arbac");
+	const { setScopes, evaluate, resource, action, isPublic } = useArbac();
+	if (!action || !resource || isPublic) return;
+	try {
+		const { allowed, scopes, userId } = await evaluate({
+			resource,
+			action
+		});
+		logger.debug(`[${userId}] ${allowed ? "Authorized" : "Blocked"} "${resource}" : "${action}"`);
+		if (!allowed) throw new HttpError(403, `Insufficient privileges for action "${action}" on resource "${resource}"`);
+		setScopes(scopes);
+	} catch (error) {
+		if (error instanceof HttpError) throw error;
+		logger.warn(error);
+		throw new HttpError(401, `Authorization error`);
+	}
+}, TInterceptorPriority.GUARD);
+const ArbacAuthorize = () => Intercept(arbackAuthorizeInterceptor);
+const ArbacScopes = () => Resolve(() => useArbac().getScopes());
+const ArbacResource = (name) => getArbacMate().decorate("arbacResourceId", name);
+const ArbacAction = (name) => getArbacMate().decorate("arbacActionId", name);
+const ArbacPublic = () => getArbacMate().decorate("arbacPublic", true);
+
+//#endregion
+export { ArbacAction, ArbacAuthorize, ArbacPublic, ArbacResource, ArbacScopes, ArbacUserProvider, MoostArbac, arbackAuthorizeInterceptor, getArbacMate, useArbac };

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@moostjs/arbac",
+  "version": "0.5.27",
+  "description": "Access Control @prostojs/arbac",
+  "main": "dist/index.cjs",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "sideEffects": false,
+  "exports": {
+    "./package.json": "./package.json",
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/moostjs/moostjs.git",
+    "directory": "packages/arbac"
+  },
+  "keywords": [
+    "moost",
+    "moostjs",
+    "arbac",
+    "rbac",
+    "abac",
+    "access control"
+  ],
+  "author": "Artem Maltsev",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/moostjs/moostjs/issues"
+  },
+  "homepage": "https://github.com/moostjs/moostjs/tree/main/packages/arbac#readme",
+  "dependencies": {
+    "@wooksjs/event-http": "^0.5.25",
+    "@prostojs/arbac": "^0.0.2",
+    "moost": "^0.5.27"
+  },
+  "devDependencies": {
+    "vitest": "^3.0.5"
+  },
+  "scripts": {
+    "pub": "pnpm publish --access public",
+    "test": "vitest"
+  }
+}