@mxtommy/kip 4.5.2 → 4.6.0-beta.2

package/plugin/plugin-auth.service.js

@@ -1,75 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.normalizeUserScope = normalizeUserScope;
-exports.resolveAuthenticatedUserScope = resolveAuthenticatedUserScope;
-exports.resolveReadUserScope = resolveReadUserScope;
-exports.resolveWriteUserScopeOrReject = resolveWriteUserScopeOrReject;
-/**
- * Normalizes a candidate user scope value.
- *
- * @param {unknown} value Candidate scope value.
- * @returns {string | null} Trimmed scope or null when empty.
- *
- * @example
- * const scope = normalizeUserScope(' demo-user ');
- */
-function normalizeUserScope(value) {
-    const normalized = typeof value === 'string' ? value.trim() : '';
-    return normalized.length > 0 ? normalized : null;
-}
-/**
- * Resolves authenticated user scope from request identity fields.
- *
- * @param {Request} req Incoming Express request.
- * @returns {string | null} Resolved scope or null when unavailable.
- *
- * @example
- * const scope = resolveAuthenticatedUserScope(req);
- */
-function resolveAuthenticatedUserScope(req) {
-    // Check for skPrincipal.identifier as the primary method for authenticated scope resolution
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const skPrincipal = req.skPrincipal;
-    if (skPrincipal && typeof skPrincipal === 'object') {
-        const skPrincipalId = normalizeUserScope(skPrincipal.identifier);
-        if (skPrincipalId) {
-            return skPrincipalId;
-        }
-    }
-    return null;
-}
-/**
- * Resolves user scope for read operations, returning a fallback when unauthenticated.
- *
- * @param {Request} req Incoming Express request.
- * @param {string} [fallback='anonymous'] Fallback scope value.
- * @returns {string} Resolved or fallback scope.
- *
- * @example
- * const scope = resolveReadUserScope(req);
- */
-function resolveReadUserScope(req, fallback = 'anonymous') {
-    return resolveAuthenticatedUserScope(req) ?? fallback;
-}
-/**
- * Resolves user scope for write operations and rejects the request when unresolved.
- *
- * @param {Request} req Incoming Express request.
- * @param {Response} res Express response used for rejection.
- * @param {string} operation Operation label for diagnostics.
- * @param {(message: string) => void} errorLogger Logger callback for refusal messages.
- * @param {TAuthFailureResponder} sendFail Response helper callback.
- * @returns {string | null} Resolved scope or null when rejected.
- *
- * @example
- * const scope = resolveWriteUserScopeOrReject(req, res, 'PUT /series/:seriesId', console.error, sendFail);
- */
-function resolveWriteUserScopeOrReject(req, res, operation, errorLogger, sendFail) {
-    const userScope = resolveAuthenticatedUserScope(req);
-    if (userScope) {
-        return userScope;
-    }
-    errorLogger(`[SERIES AUTH] Refused ${operation}: unresolved authenticated user scope method=${req.method} path=${req.path} ip=${req.ip}`);
-    sendFail(res, 403, 'Authenticated user scope is required for series write operations');
-    return null;
-}