@murumets-ee/auth 0.1.0

package/LICENSE

@@ -0,0 +1,94 @@
+Elastic License 2.0 (ELv2)
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject
+to the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set
+of the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other
+notices of the licensor in the software. Any use of the licensor's trademarks
+is subject to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If your company
+makes such a claim, your patent license ends immediately for work on behalf
+of your company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from
+you also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license
+no later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your
+licenses to terminate automatically and permanently.
+
+## No Liability
+
+As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is
+the software the licensor makes available under these terms, including any
+portion of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that organization.
+**control** means ownership of substantially all the assets of an entity, or
+the power to direct the management and policies of an entity (for example, by
+voting right, contract, or otherwise). Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your
+licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

package/README.md

@@ -0,0 +1,15 @@
+# @murumets-ee/auth
+
+Authentication layer — wraps better-auth with role-based access, session management, and audit hooks.
+
+Part of [Lumi CMS](https://github.com/murumets-ee/lumi-cms) — a modular, type-safe CMS toolkit for Node.js.
+
+## Install
+
+```bash
+npm install @murumets-ee/auth
+```
+
+## License
+
+[Elastic License 2.0 (ELv2)](../../LICENSE)

package/dist/admin/index.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Permission management admin routes for the centralized admin API handler.
+ *
+ * Provides CRUD for role definitions and permission assignments.
+ * Admin-only by default (resource: 'permissions', only admin has access).
+ *
+ * @example
+ * ```typescript
+ * import { createAdminApiHandler } from '@murumets-ee/admin-ui/server'
+ * import { permissionRoutes } from '@murumets-ee/auth/admin'
+ *
+ * const handler = createAdminApiHandler({
+ *   authenticate: async (req) => { ... },
+ *   entities: [...],
+ *   routes: [
+ *     permissionRoutes({
+ *       getStatements: () => catalog,
+ *       loadRoles: () => client.get('roles'),
+ *       saveRoles: (roles) => client.set('roles', roles),
+ *       onSave: () => { cachedChecker = null },
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+/** Fire-and-forget audit log function — structurally matches AuditLogFn from @murumets-ee/core */
+type AuditLogFn = (entry: {
+    action: string;
+    entityType?: string;
+    entityId?: string;
+    userId?: string;
+    userName?: string;
+    changes?: Record<string, unknown>;
+    metadata?: Record<string, unknown>;
+}) => void;
+interface AdminRoute {
+    prefix: string;
+    resource?: string;
+    actions?: readonly string[];
+    handlers: Partial<Record<string, (req: Request, ctx: {
+        segments: string[];
+        user: {
+            id: string;
+            role?: string;
+            name?: string;
+        };
+        audit?: AuditLogFn;
+        checkPermission: (resource: string, action: string) => boolean;
+    }) => Promise<Response>>>;
+}
+interface PermissionRoutesConfig {
+    /** Returns the resource catalog: resource → available actions */
+    getStatements: () => Record<string, readonly string[]>;
+    /** Load saved role definitions from settings (null if first run) */
+    loadRoles: () => Promise<Record<string, Record<string, string[]>> | null>;
+    /** Save role definitions to settings */
+    saveRoles: (roles: Record<string, Record<string, string[]>>) => Promise<void>;
+    /** Called after save to invalidate cached permission checker */
+    onSave?: () => void;
+}
+/**
+ * Create admin API routes for permission management.
+ *
+ * Routes (all prefixed with `/api/admin/permissions`):
+ * - `GET    /permissions`              — Get statements + roles + builtInRoles
+ * - `PATCH  /permissions`              — Update role permissions
+ * - `POST   /permissions/roles`        — Create a custom role
+ * - `DELETE /permissions/roles/:name`  — Delete a custom role
+ */
+declare function permissionRoutes(config: PermissionRoutesConfig): AdminRoute;
+
+export { permissionRoutes };

package/dist/admin/index.js

@@ -0,0 +1 @@
+import{d as f}from"../chunk-NH6AU5Z6.js";var P=/^[a-z][a-z0-9-]{0,49}$/;function u(d,c=200){return new Response(JSON.stringify(d),{status:c,headers:{"Content-Type":"application/json"}})}function r(d,c){return u({error:d},c)}function T(d){let{getStatements:c,loadRoles:g,saveRoles:R,onSave:b}=d;return{prefix:"permissions",resource:"permissions",actions:["view","create","update","delete"],handlers:{GET:async(m,{segments:s})=>{let t=c(),i=await g()??{};return s.length===1&&s[0]==="roles"?u({roles:Object.keys(i),builtInRoles:[...f]}):u({statements:t,roles:i,builtInRoles:[...f]})},PATCH:async(m,{user:s,audit:t})=>{let i=await m.json(),{roles:e}=i;if(!e||typeof e!="object")return r('Body must contain "roles" object',400);if("admin"in e)return r("Cannot modify admin role permissions (admin always has full access)",400);if(s.role&&s.role!=="admin"&&s.role in e)return r("Cannot modify permissions for your own role",403);let n=await g()??{};for(let o of Object.keys(e))if(!(o in n))return r(`Role '${o}' does not exist. Create it first via POST /permissions/roles`,400);let a=c();for(let[o,l]of Object.entries(e)){if(typeof o!="string"||!o)return r("Role names must be non-empty strings",400);if(typeof l!="object"||l===null||Array.isArray(l))return r(`Permissions for role '${o}' must be an object`,400);for(let[p,w]of Object.entries(l)){if(!Array.isArray(w)||!w.every(y=>typeof y=="string"))return r(`Actions for '${p}' in role '${o}' must be a string array`,400);let h=a[p];if(!h)return r(`Unknown resource: ${p}`,400);for(let y of w)if(!h.includes(y))return r(`Invalid action '${y}' for resource '${p}'. Valid: ${h.join(", ")}`,400)}}let j={...n};for(let[o,l]of Object.entries(e))j[o]=l;return await R(j),b?.(),t?.({action:"permissions.update",entityType:"permissions",userId:s.id,userName:s.name,changes:{roles:e},metadata:{rolesModified:Object.keys(e)}}),u({ok:!0})},POST:async(m,{segments:s,user:t,audit:i})=>{if(s.length!==1||s[0]!=="roles")return r("POST only supported at /permissions/roles",400);let e=await m.json(),{name:n}=e;if(!n||typeof n!="string")return r('Body must contain "name" string',400);if(!P.test(n))return r("Role name must be lowercase alphanumeric with hyphens, start with a letter, max 50 chars",400);if(f.includes(n))return r(`Cannot create role with built-in name: ${n}`,400);let a=await g()??{};return n in a?r(`Role already exists: ${n}`,409):(a[n]={},await R(a),b?.(),i?.({action:"permissions.role.create",entityType:"permissions",userId:t.id,userName:t.name,changes:{roleName:n}}),u({name:n,permissions:{}},201))},DELETE:async(m,{segments:s,user:t,audit:i})=>{if(s.length!==2||s[0]!=="roles")return r("DELETE only supported at /permissions/roles/:name",400);let e=s[1];if(f.includes(e))return r(`Cannot delete built-in role: ${e}`,400);let n=await g()??{};if(!(e in n))return r(`Role not found: ${e}`,404);let a=n[e];return delete n[e],await R(n),b?.(),i?.({action:"permissions.role.delete",entityType:"permissions",userId:t.id,userName:t.name,changes:{roleName:e,permissions:a}}),u({deleted:e})}}}}export{T as permissionRoutes};

package/dist/chunk-2GGGFSMD.js

@@ -0,0 +1 @@
+var e=null;function a(){if(!e)throw new Error("@murumets-ee/auth not initialized. Add auth() to your toolkit config plugins.");return e}function m(r={}){return{name:"@murumets-ee/auth",init:async t=>{let{createAuthServer:u}=await import("./server-GEU5KK6Y.js"),i;if(r.audit!==!1){let{createAuditLogger:o,createAuditDbWriter:n,createLogger:g}=await import("@murumets-ee/logging");i=o({logger:g({name:"auth-audit"}),dbWriter:n(t.db.readWrite)})}e=u(r,t,i),t.logger.info("Auth plugin initialized")}}}export{a,m as b};

package/dist/chunk-NH6AU5Z6.js

@@ -0,0 +1 @@
+import{createAccessControl as p}from"better-auth/plugins/access";var u=["view","create","update","delete"],d=["view","create","update","delete","publish"];var g=["admin","public","authenticated"],m={GET:"view",POST:"create",PATCH:"update",DELETE:"delete"};function f(){return{public:{},authenticated:{}}}function b(n){let r=new Map;for(let[e,t]of Object.entries(n)){let s=new Map;for(let[c,a]of Object.entries(t))s.set(c,new Set(a));r.set(e,s)}return(e,t,s)=>e==="admin"?!0:r.get(e)?.get(t)?.has(s)??!1}function i(n){return n.behaviors?.some(r=>r.name==="publishable")??!1}function R(n,r){let e={};for(let t of n)e[t.name]=i(t)?["view","create","update","delete","publish"]:["view","create","update","delete"];if(r)for(let t of r)t.resource&&t.actions&&!(t.resource in e)&&(e[t.resource]=[...t.actions]);return e}var o={user:["create","list","set-role","ban","impersonate","delete","set-password","get","update"],session:["list","revoke","delete"]};function h(n){let r={...o};for(let e of n)r[e.name]=i(e)?d:u;return r}function T(n,r){let e={},t={};e.user=[...o.user],e.session=[...o.session],t.user=[],t.session=[];for(let s of r)e[s.name]=i(s)?["view","create","update","delete","publish"]:["view","create","update","delete"],t[s.name]=["view"];return{admin:n.newRole(e),authenticated:n.newRole(t)}}export{p as a,u as b,d as c,g as d,m as e,f,b as g,R as h,h as i,T as j};