npm - @nsxbet/admin-sdk - Versions diffs - 0.8.0 → 0.9.0 - Mend

@nsxbet/admin-sdk 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/README.md CHANGED Viewed

@@ -1141,6 +1141,22 @@ When the shell loads modules dynamically from URLs, it validates each URL agains
 Production auth should go through **admin-bff**: the BFF sets an HttpOnly `access_token` cookie and exposes **`GET /me`** for identity. The shell does not read the JWT in the browser.
+When `AdminShell` receives an `apiUrl`, the SDK now treats **RBAC-resolved effective roles** from the Admin API as the long-term permission source:
+- `AuthProvider` calls `GET /api/access-control/users/me/resolved-roles` after successful authentication
+- the current subject's resolved roles are cached in localStorage for up to five minutes
+- temporary RBAC resolution failures may fall back to that same-subject cached role set
+- logout clears the cache immediately
+- once the cache expires, permission checks fail closed until RBAC resolution succeeds again
+This means `hasPermission()` reflects local group membership and hybrid catalog resolution rather than only raw upstream roles from `/me` or JWT payloads.
+The SDK shell also exposes a native `Access Control` route subtree under `/_access-control/*` for groups, user inspection, and audit history. Those pages are gated by exact platform permissions such as:
+- `admin.platform.access-control.groups.manage`
+- `admin.platform.access-control.users.view`
+- `admin.platform.access-control.audit.view`
 ### AdminShell
 ```tsx

package/dist/auth/client/bff.js CHANGED Viewed

@@ -6,6 +6,7 @@
  * to build the user, and persists the token in localStorage. Falls back to
  * `GET /me` (cookie-based) when no token is present.
  */
+import { matchesPermission } from './permission-match';
 const TOKEN_STORAGE_KEY = 'admin-bff-token';
 const EXPIRES_STORAGE_KEY = 'admin-bff-token-expires';
 const LOGGED_OUT_FLAG_KEY = 'admin-bff-logged-out';
@@ -70,19 +71,6 @@ function jwtToUser(payload) {
         roles: [...groups, ...roles],
     };
 }
-function matchesPermission(userRoles, permission) {
-    if (userRoles.includes('*'))
-        return true;
-    return userRoles.some((role) => {
-        if (role === permission)
-            return true;
-        if (role.endsWith('.*')) {
-            const prefix = role.slice(0, -2);
-            return permission.startsWith(prefix);
-        }
-        return false;
-    });
-}
 /** Read token + expires from URL query params, then clean the URL. */
 function consumeTokenFromUrl() {
     if (typeof window === 'undefined')
@@ -148,6 +136,8 @@ export function createBffAuthClient(options = {}) {
     const bffBaseUrl = normalizeBaseUrl(options.bffBaseUrl ?? resolveDefaultBffBaseUrl());
     let currentUser = null;
     let accessToken = null;
+    let rawRoles = [];
+    let resolvedRoles = null;
     let initialized = false;
     const subscribers = new Set();
     function notifySubscribers() {
@@ -181,6 +171,8 @@ export function createBffAuthClient(options = {}) {
             }
             const payload = decodeJwtPayload(token);
             currentUser = jwtToUser(payload);
+            rawRoles = currentUser.roles;
+            resolvedRoles = null;
             accessToken = token;
             storeToken(token, expires);
             return true;
@@ -222,6 +214,8 @@ export function createBffAuthClient(options = {}) {
                 initialized = true;
                 if (result.ok) {
                     currentUser = result.user;
+                    rawRoles = result.user.roles;
+                    resolvedRoles = null;
                     notifySubscribers();
                     return true;
                 }
@@ -250,11 +244,22 @@ export function createBffAuthClient(options = {}) {
             if (!initialized || !currentUser) {
                 return false;
             }
-            return matchesPermission(currentUser.roles, permission);
+            return matchesPermission(resolvedRoles ?? currentUser.roles, permission);
+        },
+        setResolvedRoles(roles) {
+            resolvedRoles = roles ? [...roles] : null;
+            if (currentUser) {
+                currentUser = {
+                    ...currentUser,
+                    roles: resolvedRoles ?? rawRoles,
+                };
+            }
         },
         logout() {
             currentUser = null;
             accessToken = null;
+            rawRoles = [];
+            resolvedRoles = null;
             clearStoredToken();
             setLoggedOutFlag();
             notifySubscribers();

package/dist/auth/client/in-memory.js CHANGED Viewed

@@ -6,6 +6,7 @@
  */
 import { fetchGatewayToken } from './gateway-token';
 import { env } from '../../env';
+import { matchesPermission } from './permission-match';
 export { GatewayTimeoutError, GatewayFetchError } from './gateway-token';
 /**
  * Create mock users from a role configuration
@@ -80,6 +81,7 @@ export function createInMemoryAuthClient(options) {
     let tokenCache = null;
     let useMockFallback = false;
     let backgroundRefreshInFlight = false;
+    let resolvedRoles = null;
     const subscribers = new Set();
     const REFRESH_BUFFER_MS = 60000;
     function loadStorage() {
@@ -111,7 +113,7 @@ export function createInMemoryAuthClient(options) {
                 id: selectedUser.id,
                 email: selectedUser.email,
                 displayName: selectedUser.displayName,
-                roles: selectedUser.roles,
+                roles: resolvedRoles ?? selectedUser.roles,
             } : null,
         };
         subscribers.forEach((callback) => callback(state));
@@ -121,7 +123,7 @@ export function createInMemoryAuthClient(options) {
             id: mockUser.id,
             email: mockUser.email,
             displayName: mockUser.displayName,
-            roles: mockUser.roles,
+            roles: resolvedRoles ?? mockUser.roles,
         };
     }
     function mockToken() {
@@ -147,6 +149,7 @@ export function createInMemoryAuthClient(options) {
                 const user = findUser(storage.selectedUserId);
                 if (user) {
                     selectedUser = user;
+                    resolvedRoles = null;
                     return true;
                 }
             }
@@ -194,23 +197,16 @@ export function createInMemoryAuthClient(options) {
             if (!selectedUser) {
                 return false;
             }
-            if (selectedUser.roles.includes('*')) {
-                return true;
-            }
-            return selectedUser.roles.some((role) => {
-                if (role === permission)
-                    return true;
-                if (role.endsWith('.*')) {
-                    const prefix = role.slice(0, -2);
-                    return permission.startsWith(prefix);
-                }
-                return false;
-            });
+            return matchesPermission(resolvedRoles ?? selectedUser.roles, permission);
+        },
+        setResolvedRoles(roles) {
+            resolvedRoles = roles ? [...roles] : null;
         },
         logout() {
             selectedUser = null;
             tokenCache = null;
             useMockFallback = false;
+            resolvedRoles = null;
             const storage = loadStorage();
             storage.selectedUserId = null;
             saveStorage(storage);
@@ -231,6 +227,7 @@ export function createInMemoryAuthClient(options) {
                 throw new Error(`User not found: ${userId}`);
             }
             tokenCache = null;
+            resolvedRoles = null;
             if (loginOptions?.fallbackToMock || !resolvedGatewayUrl) {
                 useMockFallback = true;
                 if (resolvedGatewayUrl && loginOptions?.fallbackToMock) {

package/dist/auth/client/interface.d.ts CHANGED Viewed

@@ -76,6 +76,11 @@ export interface AuthClient {
      * Check if user has a specific permission/role
      */
     hasPermission(permission: string): boolean;
+    /**
+     * Override raw auth roles with RBAC-resolved roles when available.
+     * Passing `null` clears the override and falls back to raw roles.
+     */
+    setResolvedRoles?(roles: string[] | null): void;
     /**
      * Log out the current user
      */

package/dist/auth/client/permission-match.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function matchesPermission(userRoles: string[], permission: string): boolean;

package/dist/auth/client/permission-match.js ADDED Viewed

@@ -0,0 +1,13 @@
+export function matchesPermission(userRoles, permission) {
+    if (userRoles.includes('*'))
+        return true;
+    return userRoles.some((role) => {
+        if (role === permission)
+            return true;
+        if (role.endsWith('.*')) {
+            const prefix = role.slice(0, -2);
+            return permission.startsWith(prefix);
+        }
+        return false;
+    });
+}

package/dist/auth/client/rbac-resolution.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+export interface ResolvedRoleUser {
+    id: number;
+    subject: string;
+    email: string;
+    displayName: string;
+}
+export interface ResolvedRoleGroup {
+    id: string;
+    displayName: string;
+    permissions: string[];
+}
+export interface ResolvedRoleAttribution {
+    permission: string;
+    groups: Array<{
+        id: string;
+        displayName: string;
+    }>;
+}
+export interface ResolvedRolesResponse {
+    user: ResolvedRoleUser;
+    roles: string[];
+    groups: ResolvedRoleGroup[];
+    attribution: ResolvedRoleAttribution[];
+}
+export interface FetchResolvedRolesOptions {
+    apiUrl: string;
+    getAccessToken: () => Promise<string | null>;
+}
+export declare function fetchCurrentUserResolvedRoles(options: FetchResolvedRolesOptions): Promise<ResolvedRolesResponse>;

package/dist/auth/client/rbac-resolution.js ADDED Viewed

@@ -0,0 +1,22 @@
+function normalizeApiUrl(apiUrl) {
+    const normalized = apiUrl.replace(/\/+$/, '');
+    return normalized.endsWith('/api') ? normalized : `${normalized}/api`;
+}
+export async function fetchCurrentUserResolvedRoles(options) {
+    const token = await options.getAccessToken();
+    const headers = new Headers();
+    const response = await fetch(`${normalizeApiUrl(options.apiUrl)}/access-control/users/me/resolved-roles`, token === null
+        ? {
+            headers,
+            credentials: 'include',
+        }
+        : {
+            headers: {
+                Authorization: `Bearer ${token}`,
+            },
+        });
+    if (!response.ok) {
+        throw new Error(`RBAC resolution failed: ${response.status}`);
+    }
+    return response.json();
+}

package/dist/auth/client/resolved-role-cache.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+export declare const RESOLVED_ROLE_CACHE_STORAGE_KEY = "adminPlatform.resolvedRoles";
+export declare const RESOLVED_ROLE_CACHE_TTL_MS: number;
+export interface ResolvedRoleCacheEntry {
+    subject: string;
+    roles: string[];
+    cachedAt: number;
+}
+export declare function readResolvedRoleCache(): ResolvedRoleCacheEntry | null;
+export declare function writeResolvedRoleCache(subject: string, roles: string[]): void;
+export declare function clearResolvedRoleCache(): void;
+export declare function readUsableResolvedRolesFromCache(subject: string, now?: number, ttlMs?: number): string[] | null;

package/dist/auth/client/resolved-role-cache.js ADDED Viewed

@@ -0,0 +1,54 @@
+export const RESOLVED_ROLE_CACHE_STORAGE_KEY = 'adminPlatform.resolvedRoles';
+export const RESOLVED_ROLE_CACHE_TTL_MS = 5 * 60 * 1000;
+export function readResolvedRoleCache() {
+    try {
+        const raw = localStorage.getItem(RESOLVED_ROLE_CACHE_STORAGE_KEY);
+        if (!raw)
+            return null;
+        const parsed = JSON.parse(raw);
+        if (typeof parsed.subject !== 'string' ||
+            !Array.isArray(parsed.roles) ||
+            typeof parsed.cachedAt !== 'number') {
+            return null;
+        }
+        return {
+            subject: parsed.subject,
+            roles: parsed.roles.filter((role) => typeof role === 'string'),
+            cachedAt: parsed.cachedAt,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export function writeResolvedRoleCache(subject, roles) {
+    try {
+        const entry = {
+            subject,
+            roles,
+            cachedAt: Date.now(),
+        };
+        localStorage.setItem(RESOLVED_ROLE_CACHE_STORAGE_KEY, JSON.stringify(entry));
+    }
+    catch {
+        // Ignore storage failures and continue without cache.
+    }
+}
+export function clearResolvedRoleCache() {
+    try {
+        localStorage.removeItem(RESOLVED_ROLE_CACHE_STORAGE_KEY);
+    }
+    catch {
+        // Ignore storage failures.
+    }
+}
+export function readUsableResolvedRolesFromCache(subject, now = Date.now(), ttlMs = RESOLVED_ROLE_CACHE_TTL_MS) {
+    const entry = readResolvedRoleCache();
+    if (!entry)
+        return null;
+    if (entry.subject !== subject)
+        return null;
+    if (entry.cachedAt + ttlMs < now)
+        return null;
+    return entry.roles;
+}

package/dist/components/AuthProvider.d.ts CHANGED Viewed

@@ -31,11 +31,13 @@ interface AuthProviderProps {
     children: React.ReactNode;
     /** The auth client to use */
     authClient: AuthClient;
+    /** Base URL for the admin API used for RBAC resolution */
+    apiUrl?: string;
 }
 /**
  * AuthProvider manages authentication state and renders appropriate UI
  */
-export declare function AuthProvider({ children, authClient }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function AuthProvider({ children, authClient, apiUrl }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
 /**
  * Hook to access auth context
  */

package/dist/components/AuthProvider.js CHANGED Viewed

@@ -5,8 +5,11 @@ import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-run
  * Works with both in-memory (mock) and BFF cookie auth clients.
  * Shows user selection screen when in-memory client has no selected user.
  */
-import { createContext, useContext, useEffect, useState, useCallback, useMemo } from 'react';
+import { createContext, useContext, useEffect, useState, useCallback, useMemo, useRef } from 'react';
 import { useCallbackRef } from '../hooks/useCallbackRef';
+import { matchesPermission } from '../auth/client/permission-match';
+import { fetchCurrentUserResolvedRoles } from '../auth/client/rbac-resolution';
+import { clearResolvedRoleCache, readUsableResolvedRolesFromCache, writeResolvedRoleCache, } from '../auth/client/resolved-role-cache';
 import { isLoggedOutFlag } from '../auth/client/bff';
 import { UserSelector } from '../auth/components/UserSelector';
 import { LoginPage } from '../auth/components/LoginPage';
@@ -20,7 +23,7 @@ function LoadingScreen() {
 /**
  * AuthProvider manages authentication state and renders appropriate UI
  */
-export function AuthProvider({ children, authClient }) {
+export function AuthProvider({ children, authClient, apiUrl }) {
     const [authState, setAuthState] = useState({
         isAuthenticated: false,
         user: null,
@@ -29,6 +32,53 @@ export function AuthProvider({ children, authClient }) {
     const [isInitializing, setIsInitializing] = useState(!bffLoggedOut);
     const [needsUserSelection, setNeedsUserSelection] = useState(false);
     const [needsLogin, setNeedsLogin] = useState(bffLoggedOut);
+    const effectiveRolesRef = useRef([]);
+    effectiveRolesRef.current = authState.user?.roles ?? [];
+    const applyResolvedRoles = useCallback(async (state) => {
+        if (!state.isAuthenticated || !state.user) {
+            authClient.setResolvedRoles?.(null);
+            return state;
+        }
+        if (!apiUrl) {
+            return state;
+        }
+        try {
+            const resolved = await fetchCurrentUserResolvedRoles({
+                apiUrl,
+                getAccessToken: () => authClient.getAccessToken(),
+            });
+            writeResolvedRoleCache(state.user.id, resolved.roles);
+            authClient.setResolvedRoles?.(resolved.roles);
+            return {
+                ...state,
+                user: {
+                    ...state.user,
+                    roles: resolved.roles,
+                },
+            };
+        }
+        catch {
+            const cachedRoles = readUsableResolvedRolesFromCache(state.user.id);
+            if (cachedRoles) {
+                authClient.setResolvedRoles?.(cachedRoles);
+                return {
+                    ...state,
+                    user: {
+                        ...state.user,
+                        roles: cachedRoles,
+                    },
+                };
+            }
+            authClient.setResolvedRoles?.([]);
+            return {
+                ...state,
+                user: {
+                    ...state.user,
+                    roles: [],
+                },
+            };
+        }
+    }, [apiUrl, authClient]);
     // Initialize auth client
     useEffect(() => {
         let mounted = true;
@@ -38,18 +88,25 @@ export function AuthProvider({ children, authClient }) {
                 if (!mounted)
                     return;
                 if (isAuthenticated) {
-                    setAuthState({
+                    const resolvedState = await applyResolvedRoles({
                         isAuthenticated: true,
                         user: authClient.getUser(),
                     });
+                    if (!mounted)
+                        return;
+                    setAuthState(resolvedState);
                     setNeedsUserSelection(false);
                     setNeedsLogin(false);
                 }
                 else if (authClient.type === 'in-memory') {
+                    clearResolvedRoleCache();
+                    authClient.setResolvedRoles?.(null);
                     setNeedsUserSelection(true);
                     setNeedsLogin(false);
                 }
                 else if (authClient.type === 'bff') {
+                    clearResolvedRoleCache();
+                    authClient.setResolvedRoles?.(null);
                     setNeedsLogin(true);
                     setNeedsUserSelection(false);
                 }
@@ -69,38 +126,53 @@ export function AuthProvider({ children, authClient }) {
         initialize();
         // Subscribe to auth state changes
         const unsubscribe = authClient.subscribe((state) => {
-            if (mounted) {
-                setAuthState(state);
-                if (!state.isAuthenticated && authClient.type === 'in-memory') {
-                    setNeedsUserSelection(true);
-                    setNeedsLogin(false);
-                }
-                else if (!state.isAuthenticated && authClient.type === 'bff') {
-                    setNeedsLogin(true);
-                    setNeedsUserSelection(false);
-                }
-                else {
-                    setNeedsUserSelection(false);
-                    setNeedsLogin(false);
+            if (!mounted)
+                return;
+            const syncState = async () => {
+                if (!state.isAuthenticated) {
+                    clearResolvedRoleCache();
+                    authClient.setResolvedRoles?.(null);
+                    setAuthState(state);
+                    if (authClient.type === 'in-memory') {
+                        setNeedsUserSelection(true);
+                        setNeedsLogin(false);
+                    }
+                    else if (authClient.type === 'bff') {
+                        setNeedsLogin(true);
+                        setNeedsUserSelection(false);
+                    }
+                    return;
                 }
-            }
+                const resolvedState = await applyResolvedRoles(state);
+                if (!mounted)
+                    return;
+                setAuthState(resolvedState);
+                setNeedsUserSelection(false);
+                setNeedsLogin(false);
+            };
+            syncState();
         });
         return () => {
             mounted = false;
             unsubscribe();
         };
-    }, [authClient]);
+    }, [authClient, applyResolvedRoles]);
     // Handle user selection
-    const handleUserSelected = useCallback(() => {
-        setAuthState({
+    const handleUserSelected = useCallback(async () => {
+        const resolvedState = await applyResolvedRoles({
             isAuthenticated: authClient.isAuthenticated(),
             user: authClient.getUser(),
         });
+        setAuthState(resolvedState);
         setNeedsUserSelection(false);
-    }, [authClient]);
+    }, [authClient, applyResolvedRoles]);
     const getAccessToken = useCallbackRef(() => authClient.getAccessToken());
-    const hasPermission = useCallbackRef((permission) => authClient.hasPermission(permission));
-    const logout = useCallbackRef(() => authClient.logout());
+    const hasPermission = useCallbackRef((permission) => matchesPermission(effectiveRolesRef.current, permission));
+    const logout = useCallbackRef(() => {
+        clearResolvedRoleCache();
+        authClient.setResolvedRoles?.(null);
+        authClient.logout();
+    });
     const contextValue = useMemo(() => ({
         isAuthenticated: authState.isAuthenticated,
         user: authState.user,

package/dist/i18n/locales/en-US.json CHANGED Viewed

@@ -10,6 +10,7 @@
         "edit": "Edit",
         "create": "Create",
         "search": "Search",
+        "retry": "Retry",
         "noResults": "No results found",
         "close": "Close",
         "back": "Back",
@@ -42,6 +43,7 @@
         "settings": "Settings",
         "profile": "Profile",
         "registry": "Registry",
+        "accessControl": "Access Control",
         "logout": "Logout",
         "pinned": "Pinned",
         "platform": "Platform",
@@ -219,10 +221,73 @@
         "loginButton": "Login with Corporate SSO",
         "secureAuth": "Secure Authentication"
     },
+    "accessControlPage": {
+        "title": "Access Control",
+        "description": "Manage local authorization, inspection, and audit workflows.",
+        "groups": "Groups",
+        "users": "Users",
+        "audit": "Audit",
+        "statusAll": "All",
+        "statusActive": "Active",
+        "statusInactive": "Inactive",
+        "groupsTitle": "Groups",
+        "groupsDescription": "Browse and manage RBAC groups.",
+        "noGroupsTitle": "No groups found",
+        "noGroupsDescription": "No groups matched the current filter.",
+        "protectedGroup": "Protected",
+        "viewGroup": "View Group",
+        "deactivate": "Deactivate",
+        "reactivate": "Reactivate",
+        "confirmDeactivate": "Are you sure you want to deactivate \"{{group}}\"? Members of this group will lose all permissions granted through it.",
+        "confirmReactivate": "Are you sure you want to reactivate \"{{group}}\"? Members will regain all permissions assigned to this group.",
+        "promptCreateGroup": "Enter a display name for the new group",
+        "promptEditGroup": "Update the group display name",
+        "groupDetailTitle": "Group Detail",
+        "groupDetailDescription": "Review memberships and permissions for group {{groupId}}.",
+        "membersTab": "Members",
+        "permissionsTab": "Permissions",
+        "noMembers": "This group has no members yet.",
+        "noPermissions": "This group has no assigned permissions yet.",
+        "selfRemoveTitle": "Remove yourself from this group?",
+        "selfRemoveDescription": "You are about to remove yourself from the \"{{group}}\" group. This may revoke your access to manage this group and other platform areas.",
+        "selfRemovePrompt": "Type CONFIRM to proceed.",
+        "selfRemoveConfirmButton": "Remove myself",
+        "userTitle": "User Access",
+        "userDescription": "Inspect resolved access for user {{userId}}.",
+        "userRolesTitle": "Effective Roles",
+        "userGroupsTitle": "Contributing Groups",
+        "noRoles": "This user has no effective roles.",
+        "auditTitle": "Audit History",
+        "auditDescription": "Browse read-only Access Control audit events.",
+        "filterEventType": "Event type",
+        "filterActor": "Actor user id",
+        "filterTargetType": "Target type",
+        "filterTargetId": "Target id",
+        "noAuditTitle": "No audit events found",
+        "noAuditDescription": "No audit events matched the current filters.",
+        "noAccess": "You do not have permission to access the Access Control area.",
+        "columnName": "Name",
+        "columnProtected": "Protected",
+        "columnEmail": "Email",
+        "columnSubject": "Subject",
+        "columnTimestamp": "Timestamp",
+        "columnEvent": "Event",
+        "columnActor": "Actor",
+        "columnTarget": "Target",
+        "columnSummary": "Summary",
+        "inspectUser": "Inspect",
+        "usersTitle": "Users",
+        "noUsersTitle": "No users found",
+        "noUsersDescription": "No known local users matched the search."
+    },
     "breadcrumbs": {
         "home": "Home",
         "registry": "Registry",
         "settings": "Settings",
-        "profile": "Profile"
+        "profile": "Profile",
+        "accessControl": "Access Control",
+        "accessControlGroups": "Groups",
+        "accessControlUsers": "Users",
+        "accessControlAudit": "Audit"
     }
 }