@murumets-ee/auth 0.1.1 → 0.1.2

package/package.json

@@ -1,28 +1,24 @@
 {
   "name": "@murumets-ee/auth",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "license": "Elastic-2.0",
   "type": "module",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.cjs"
+      "import": "./dist/index.js"
     },
     "./client": {
       "types": "./dist/client.d.ts",
-      "import": "./dist/client.js",
-      "require": "./dist/client.cjs"
+      "import": "./dist/client.js"
     },
     "./plugin": {
       "types": "./dist/plugin.d.ts",
-      "import": "./dist/plugin.js",
-      "require": "./dist/plugin.cjs"
+      "import": "./dist/plugin.js"
     },
     "./admin": {
       "types": "./dist/admin/index.d.ts",
-      "import": "./dist/admin/index.js",
-      "require": "./dist/admin/index.cjs"
+      "import": "./dist/admin/index.js"
     }
   },
   "files": [
@@ -32,10 +28,10 @@
     "better-auth": "^1.4.0",
     "drizzle-orm": "^0.45.0",
     "server-only": "^0.0.1",
-    "@murumets-ee/core": "0.1.1",
-    "@murumets-ee/db": "0.1.1",
-    "@murumets-ee/logging": "0.1.1",
-    "@murumets-ee/entity": "0.1.1"
+    "@murumets-ee/core": "0.1.3",
+    "@murumets-ee/entity": "0.1.2",
+    "@murumets-ee/db": "0.1.2",
+    "@murumets-ee/logging": "0.1.3"
   },
   "devDependencies": {
     "@types/node": "^22.10.5",

package/dist/admin/index.cjs

@@ -1 +0,0 @@
-"use strict";var T=Object.defineProperty;var P=Object.getOwnPropertyDescriptor;var x=Object.getOwnPropertyNames;var O=Object.prototype.hasOwnProperty;var A=(o,r)=>{for(var i in r)T(o,i,{get:r[i],enumerable:!0})},S=(o,r,i,m)=>{if(r&&typeof r=="object"||typeof r=="function")for(let a of x(r))!O.call(o,a)&&a!==i&&T(o,a,{get:()=>r[a],enumerable:!(m=P(r,a))||m.enumerable});return o};var C=o=>S(T({},"__esModule",{value:!0}),o);var j={};A(j,{permissionRoutes:()=>E});module.exports=C(j);var I=require("better-auth/plugins/access");var y=["admin","public","authenticated"];var N=/^[a-z][a-z0-9-]{0,49}$/;function p(o,r=200){return new Response(JSON.stringify(o),{status:r,headers:{"Content-Type":"application/json"}})}function n(o,r){return p({error:o},r)}function E(o){let{getStatements:r,loadRoles:i,saveRoles:m,onSave:a}=o;return{prefix:"permissions",resource:"permissions",actions:["view","create","update","delete"],handlers:{GET:async(f,{segments:s})=>{let c=r(),l=await i()??{};return s.length===1&&s[0]==="roles"?p({roles:Object.keys(l),builtInRoles:[...y]}):p({statements:c,roles:l,builtInRoles:[...y]})},PATCH:async(f,{user:s,audit:c})=>{let l=await f.json(),{roles:e}=l;if(!e||typeof e!="object")return n('Body must contain "roles" object',400);if("admin"in e)return n("Cannot modify admin role permissions (admin always has full access)",400);if(s.role&&s.role!=="admin"&&s.role in e)return n("Cannot modify permissions for your own role",403);let t=await i()??{};for(let u of Object.keys(e))if(!(u in t))return n(`Role '${u}' does not exist. Create it first via POST /permissions/roles`,400);let d=r();for(let[u,g]of Object.entries(e)){if(typeof u!="string"||!u)return n("Role names must be non-empty strings",400);if(typeof g!="object"||g===null||Array.isArray(g))return n(`Permissions for role '${u}' must be an object`,400);for(let[R,h]of Object.entries(g)){if(!Array.isArray(h)||!h.every(b=>typeof b=="string"))return n(`Actions for '${R}' in role '${u}' must be a string array`,400);let w=d[R];if(!w)return n(`Unknown resource: ${R}`,400);for(let b of h)if(!w.includes(b))return n(`Invalid action '${b}' for resource '${R}'. Valid: ${w.join(", ")}`,400)}}let v={...t};for(let[u,g]of Object.entries(e))v[u]=g;return await m(v),a?.(),c?.({action:"permissions.update",entityType:"permissions",userId:s.id,userName:s.name,changes:{roles:e},metadata:{rolesModified:Object.keys(e)}}),p({ok:!0})},POST:async(f,{segments:s,user:c,audit:l})=>{if(s.length!==1||s[0]!=="roles")return n("POST only supported at /permissions/roles",400);let e=await f.json(),{name:t}=e;if(!t||typeof t!="string")return n('Body must contain "name" string',400);if(!N.test(t))return n("Role name must be lowercase alphanumeric with hyphens, start with a letter, max 50 chars",400);if(y.includes(t))return n(`Cannot create role with built-in name: ${t}`,400);let d=await i()??{};return t in d?n(`Role already exists: ${t}`,409):(d[t]={},await m(d),a?.(),l?.({action:"permissions.role.create",entityType:"permissions",userId:c.id,userName:c.name,changes:{roleName:t}}),p({name:t,permissions:{}},201))},DELETE:async(f,{segments:s,user:c,audit:l})=>{if(s.length!==2||s[0]!=="roles")return n("DELETE only supported at /permissions/roles/:name",400);let e=s[1];if(y.includes(e))return n(`Cannot delete built-in role: ${e}`,400);let t=await i()??{};if(!(e in t))return n(`Role not found: ${e}`,404);let d=t[e];return delete t[e],await m(t),a?.(),l?.({action:"permissions.role.delete",entityType:"permissions",userId:c.id,userName:c.name,changes:{roleName:e,permissions:d}}),p({deleted:e})}}}}0&&(module.exports={permissionRoutes});

package/dist/admin/index.d.cts

@@ -1,72 +0,0 @@
-/**
- * Permission management admin routes for the centralized admin API handler.
- *
- * Provides CRUD for role definitions and permission assignments.
- * Admin-only by default (resource: 'permissions', only admin has access).
- *
- * @example
- * ```typescript
- * import { createAdminApiHandler } from '@murumets-ee/admin-ui/server'
- * import { permissionRoutes } from '@murumets-ee/auth/admin'
- *
- * const handler = createAdminApiHandler({
- *   authenticate: async (req) => { ... },
- *   entities: [...],
- *   routes: [
- *     permissionRoutes({
- *       getStatements: () => catalog,
- *       loadRoles: () => client.get('roles'),
- *       saveRoles: (roles) => client.set('roles', roles),
- *       onSave: () => { cachedChecker = null },
- *     }),
- *   ],
- * })
- * ```
- */
-/** Fire-and-forget audit log function — structurally matches AuditLogFn from @murumets-ee/core */
-type AuditLogFn = (entry: {
-    action: string;
-    entityType?: string;
-    entityId?: string;
-    userId?: string;
-    userName?: string;
-    changes?: Record<string, unknown>;
-    metadata?: Record<string, unknown>;
-}) => void;
-interface AdminRoute {
-    prefix: string;
-    resource?: string;
-    actions?: readonly string[];
-    handlers: Partial<Record<string, (req: Request, ctx: {
-        segments: string[];
-        user: {
-            id: string;
-            role?: string;
-            name?: string;
-        };
-        audit?: AuditLogFn;
-        checkPermission: (resource: string, action: string) => boolean;
-    }) => Promise<Response>>>;
-}
-interface PermissionRoutesConfig {
-    /** Returns the resource catalog: resource → available actions */
-    getStatements: () => Record<string, readonly string[]>;
-    /** Load saved role definitions from settings (null if first run) */
-    loadRoles: () => Promise<Record<string, Record<string, string[]>> | null>;
-    /** Save role definitions to settings */
-    saveRoles: (roles: Record<string, Record<string, string[]>>) => Promise<void>;
-    /** Called after save to invalidate cached permission checker */
-    onSave?: () => void;
-}
-/**
- * Create admin API routes for permission management.
- *
- * Routes (all prefixed with `/api/admin/permissions`):
- * - `GET    /permissions`              — Get statements + roles + builtInRoles
- * - `PATCH  /permissions`              — Update role permissions
- * - `POST   /permissions/roles`        — Create a custom role
- * - `DELETE /permissions/roles/:name`  — Delete a custom role
- */
-declare function permissionRoutes(config: PermissionRoutesConfig): AdminRoute;
-
-export { permissionRoutes };

package/dist/client.cjs

@@ -1 +0,0 @@
-"use strict";var i=Object.defineProperty;var l=Object.getOwnPropertyDescriptor;var m=Object.getOwnPropertyNames;var c=Object.prototype.hasOwnProperty;var g=(a,n)=>{for(var e in n)i(a,e,{get:n[e],enumerable:!0})},u=(a,n,e,s)=>{if(n&&typeof n=="object"||typeof n=="function")for(let r of m(n))!c.call(a,r)&&r!==e&&i(a,r,{get:()=>n[r],enumerable:!(s=l(n,r))||s.enumerable});return a};var d=a=>u(i({},"__esModule",{value:!0}),a);var w={};g(w,{createClient:()=>p,createUsersApi:()=>b});module.exports=d(w);var t=require("better-auth/client/plugins"),o=require("better-auth/react");function p(a){return(0,o.createAuthClient)({baseURL:a?.baseURL,plugins:[(0,t.adminClient)(),...a?.organizations?[(0,t.organizationClient)()]:[]]})}function b(a){function n(e){if(e.error)throw new Error(e.error.message??"Unknown error");return e.data}return{async list(e){let s=await a.admin.listUsers({query:{limit:e.limit,offset:e.offset,...e.sortBy?{sortBy:e.sortBy,sortDirection:e.sortDirection}:{},...e.searchValue?{searchValue:e.searchValue,searchField:e.searchField??"email",searchOperator:e.searchOperator??"contains"}:{}}}),r=n(s);return{users:(r.users??[]).map(f),total:r.total??0}},async create(e){let s=await a.admin.createUser({name:e.name,email:e.email,password:e.password,role:e.role});n(s)},async update(e,s){let r=await a.admin.updateUser({userId:e,data:s});n(r)},async remove(e){let s=await a.admin.removeUser({userId:e});n(s)},async setRole(e,s){let r=await a.admin.setRole({userId:e,role:s});n(r)},async ban(e,s){let r=await a.admin.banUser({userId:e,...s?.reason?{banReason:s.reason}:{},...s?.expiresIn?{banExpiresIn:s.expiresIn}:{}});n(r)},async unban(e){let s=await a.admin.unbanUser({userId:e});n(s)},async revokeSessions(e){let s=await a.admin.revokeUserSessions({userId:e});n(s)}}}function f(a){let n=a;return{id:n.id,name:n.name??"",email:n.email,emailVerified:n.emailVerified??!1,image:n.image??null,createdAt:String(n.createdAt??""),updatedAt:String(n.updatedAt??""),role:n.role??null,banned:n.banned??null,banReason:n.banReason??null,banExpires:n.banExpires?String(n.banExpires):null}}0&&(module.exports={createClient,createUsersApi});