@nodii/grpc-interceptors 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enrich-auth.d.ts","sourceRoot":"","sources":["../../src/interceptors/enrich-auth.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAGhB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AA6ClB,wBAAgB,iBAAiB,CAC/B,MAAM,GAAE,gBAAqB,GAC5B,gBAAgB,
|
|
1
|
+
{"version":3,"file":"enrich-auth.d.ts","sourceRoot":"","sources":["../../src/interceptors/enrich-auth.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAGhB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AA6ClB,wBAAgB,iBAAiB,CAC/B,MAAM,GAAE,gBAAqB,GAC5B,gBAAgB,CA8DlB"}
|
|
@@ -57,7 +57,20 @@ export function enrichAuthContext(config = {}) {
|
|
|
57
57
|
const tenantFromProto = readProtoField(call.request, tenantField);
|
|
58
58
|
const tenantFromUserActor = call.auth?.userActor?.tenant_id;
|
|
59
59
|
const tenantFromServiceActor = call.auth?.serviceActor?.tenant_id;
|
|
60
|
-
|
|
60
|
+
// The authenticated actor's tenant is authoritative. A caller-controlled
|
|
61
|
+
// proto tenant_id MUST NOT override it: requestContext.tenant_id flows
|
|
62
|
+
// into `SET app.tenant_id` (tenantContext), so a proto override would
|
|
63
|
+
// scope RLS to an attacker-chosen tenant (08-rls § "resolved tenant_id,
|
|
64
|
+
// never JWT/caller-derived"). Proto may only supply the tenant when no
|
|
65
|
+
// authenticated actor tenant exists; a proto tenant that contradicts the
|
|
66
|
+
// actor tenant is a cross-tenant attempt → fail closed.
|
|
67
|
+
const tenantFromActor = tenantFromUserActor ?? tenantFromServiceActor;
|
|
68
|
+
if (tenantFromActor !== undefined &&
|
|
69
|
+
tenantFromProto !== undefined &&
|
|
70
|
+
tenantFromProto !== tenantFromActor) {
|
|
71
|
+
throw new GrpcStatusError("PERMISSION_DENIED", "cross_tenant_binding_rejected");
|
|
72
|
+
}
|
|
73
|
+
const tenant_id = tenantFromActor ?? tenantFromProto;
|
|
61
74
|
const intent_id = readMetadata(call, "x-nodii-intent-id");
|
|
62
75
|
const actor_type_raw = readMetadata(call, "x-nodii-actor-type");
|
|
63
76
|
const actor_type = actor_type_raw === "user" ||
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enrich-auth.js","sourceRoot":"","sources":["../../src/interceptors/enrich-auth.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,yEAAyE;AACzE,oEAAoE;AACpE,wEAAwE;AACxE,yDAAyD;AAQzD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,MAAM,oBAAoB,GAAG,WAAW,CAAC;AAEzC,SAAS,YAAY,CAAC,IAAe,EAAE,GAAW;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACrD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,YAAY,UAAU,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,CAAC,KAAmB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,GAAY,EAAE,KAAa;IACjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IACpD,2BAA2B;IAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACrE,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;IACzD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB;IAC/B,oEAAoE;IACpE,4DAA4D;IAC5D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CACxE,EAAE,CACH,CAAC;IACF,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC7G,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,SAA2B,EAAE;IAE7B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAC/D,MAAM,sBAAsB,GAAG,MAAM,CAAC,sBAAsB,IAAI,EAAE,CAAC;IACnE,MAAM,iBAAiB,GACrB,MAAM,CAAC,iBAAiB,IAAI,wBAAwB,CAAC;IAEvD,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAgB,EAAE;QACjE,OAAO,KAAK,EAAE,IAAe,EAAoB,EAAE;YACjD,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC;YAC5D,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,SAAS,CAAC;YAClE,MAAM,SAAS,
|
|
1
|
+
{"version":3,"file":"enrich-auth.js","sourceRoot":"","sources":["../../src/interceptors/enrich-auth.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,yEAAyE;AACzE,oEAAoE;AACpE,wEAAwE;AACxE,yDAAyD;AAQzD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,MAAM,oBAAoB,GAAG,WAAW,CAAC;AAEzC,SAAS,YAAY,CAAC,IAAe,EAAE,GAAW;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACrD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,KAAK,YAAY,UAAU,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,CAAC,KAAmB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,GAAY,EAAE,KAAa;IACjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IACtD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IACpD,2BAA2B;IAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACrE,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;QACpB,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACpB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;IACzD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB;IAC/B,oEAAoE;IACpE,4DAA4D;IAC5D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CACxE,EAAE,CACH,CAAC;IACF,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC7G,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,SAA2B,EAAE;IAE7B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,oBAAoB,CAAC;IAC/D,MAAM,sBAAsB,GAAG,MAAM,CAAC,sBAAsB,IAAI,EAAE,CAAC;IACnE,MAAM,iBAAiB,GACrB,MAAM,CAAC,iBAAiB,IAAI,wBAAwB,CAAC;IAEvD,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAgB,EAAE;QACjE,OAAO,KAAK,EAAE,IAAe,EAAoB,EAAE;YACjD,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAClE,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC;YAC5D,MAAM,sBAAsB,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,SAAS,CAAC;YAClE,yEAAyE;YACzE,uEAAuE;YACvE,sEAAsE;YACtE,wEAAwE;YACxE,uEAAuE;YACvE,yEAAyE;YACzE,wDAAwD;YACxD,MAAM,eAAe,GAAG,mBAAmB,IAAI,sBAAsB,CAAC;YACtE,IACE,eAAe,KAAK,SAAS;gBAC7B,eAAe,KAAK,SAAS;gBAC7B,eAAe,KAAK,eAAe,EACnC,CAAC;gBACD,MAAM,IAAI,eAAe,CACvB,mBAAmB,EACnB,+BAA+B,CAChC,CAAC;YACJ,CAAC;YACD,MAAM,SAAS,GAAG,eAAe,IAAI,eAAe,CAAC;YAErD,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;YAC1D,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;YAChE,MAAM,UAAU,GACd,cAAc,KAAK,MAAM;gBACzB,cAAc,KAAK,OAAO;gBAC1B,cAAc,KAAK,QAAQ;gBACzB,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,SAAS,CAAC;YAEhB,MAAM,QAAQ,GAAG,sBAAsB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;YAC5D,IAAI,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,eAAe,CACvB,qBAAqB,EACrB,yBAAyB,CAC1B,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,cAAc,GAAG;gBACpB,GAAG,IAAI,CAAC,cAAc;gBACtB,SAAS;gBACT,SAAS;gBACT,UAAU;gBACV,cAAc,EACZ,IAAI,CAAC,cAAc,EAAE,cAAc,IAAI,iBAAiB,EAAE;aAC7D,CAAC;YACF,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YAEjB,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nodii/grpc-interceptors",
|
|
3
|
-
"version": "0.5.
|
|
3
|
+
"version": "0.5.1",
|
|
4
4
|
"description": "Substrate gRPC interceptor library for the Nodii microservice stack — 8 cross-cutting interceptors (logging, audit, enrichAuthContext, tenantContext, auditContext, deadlineGuard, cancellationGuard, errorMap) + re-export façade over @nodii/grpc-auth/saga/idempotency + locked-order createStandardServerStack factory. Spec: planning hub docKey=grpc-interceptors.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"type": "module",
|
|
@@ -24,14 +24,14 @@
|
|
|
24
24
|
"test": "bun test"
|
|
25
25
|
},
|
|
26
26
|
"devDependencies": {
|
|
27
|
-
"@nodii/audit-chain": "0.
|
|
27
|
+
"@nodii/audit-chain": "0.8.0",
|
|
28
28
|
"ioredis": "^5.4.0",
|
|
29
29
|
"postgres": "^3.4.0",
|
|
30
30
|
"typescript": "^5.9.3",
|
|
31
|
-
"@nodii/grpc-auth": "0.
|
|
32
|
-
"@nodii/idempotency": "0.
|
|
31
|
+
"@nodii/grpc-auth": "0.9.0",
|
|
32
|
+
"@nodii/idempotency": "0.6.0",
|
|
33
33
|
"@nodii/saga": "0.6.0",
|
|
34
|
-
"@nodii/telemetry": "0.
|
|
34
|
+
"@nodii/telemetry": "0.9.0"
|
|
35
35
|
},
|
|
36
36
|
"repository": {
|
|
37
37
|
"type": "git",
|