@nu-art/permissions-backend 0.400.5

package/modules/ModuleBE_Permissions.js

@@ -0,0 +1,357 @@
+import { _keys, arrayToMap, Dispatcher, filterInstances, flatArray, Module, MUSTNeverHappenException, reduceToMap, RuntimeModules, } from '@nu-art/ts-common';
+import { addRoutes, createQueryServerApi, MemKey_ServerApi, ModuleBE_AppConfigDB, Storm } from '@nu-art/thunderstorm-backend';
+import { ApiDef_Permissions, DefaultAccessLevel_Admin, DefaultAccessLevel_NoAccess, DefaultAccessLevel_Read, DefaultAccessLevel_Write, defaultLevelsRouteLookupWords, DuplicateDefaultAccessLevels, } from '@nu-art/permissions-shared';
+import { MemKey_AccountId, ModuleBE_SessionDB } from '@nu-art/user-account-backend';
+import { Domain_AccountManagement, Domain_Developer, Domain_PermissionsAssign, Domain_PermissionsDefine, PermissionsPackage_Developer, PermissionsPackage_Permissions } from '../permissions.js';
+import { ModuleBE_PermissionsAssert } from './ModuleBE_PermissionsAssert.js';
+import { ModuleBE_PermissionAccessLevelDB, ModuleBE_PermissionAPIDB, ModuleBE_PermissionDomainDB, ModuleBE_PermissionGroupDB, ModuleBE_PermissionProjectDB, ModuleBE_PermissionUserDB } from '../_entity.js';
+import { trimStartingForwardSlash } from '@nu-art/thunderstorm-shared/route-tools';
+const dispatcher_collectPermissionsProjects = new Dispatcher('__collectPermissionsProjects');
+const GroupId_SuperAdmin = '8b54efda69b385a566735cca7be031d5';
+export const PermissionGroup_Permissions_SuperAdmin = {
+    _id: GroupId_SuperAdmin,
+    name: 'Super Admin',
+    uiLabel: 'Super Admin',
+    accessLevels: {
+        [Domain_PermissionsDefine.namespace]: DefaultAccessLevel_Admin.name,
+        [Domain_PermissionsAssign.namespace]: DefaultAccessLevel_Admin.name,
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Admin.name,
+        [Domain_Developer.namespace]: DefaultAccessLevel_Admin.name,
+    }
+};
+export const PermissionGroup_Permissions_Viewer = {
+    _id: '8c38d3bd2d76bbc37b5281f481c0bc1b',
+    name: 'Permissions Viewer',
+    uiLabel: 'Permissions Viewer',
+    accessLevels: {
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Read.name,
+        [Domain_PermissionsDefine.namespace]: DefaultAccessLevel_Read.name,
+        [Domain_PermissionsAssign.namespace]: DefaultAccessLevel_Read.name,
+    }
+};
+export const PermissionGroup_Permissions_Editor = {
+    _id: '1524909cae174d0052b76a469b339218',
+    name: 'Permissions Editor',
+    uiLabel: 'Permissions Editor',
+    accessLevels: {
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Read.name,
+        [Domain_PermissionsDefine.namespace]: DefaultAccessLevel_Read.name,
+        [Domain_PermissionsAssign.namespace]: DefaultAccessLevel_Write.name,
+    }
+};
+export const PermissionGroup_Account_Manager = {
+    _id: '6bb5feb12d0712ecee77f7f44188ec79',
+    name: 'Accounts Manager',
+    uiLabel: 'Accounts Manager',
+    accessLevels: {
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Write.name,
+    }
+};
+export const PermissionGroup_Account_Admin = {
+    _id: '761a84bdde3f9be3fde9c50402a60401',
+    name: 'Accounts Admin',
+    uiLabel: 'Accounts Admin',
+    accessLevels: {
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Admin.name,
+    }
+};
+export const PermissionGroup_Account_Viewer = {
+    _id: '7343853a980149ec94f967ac7ff4ccc3',
+    name: 'Accounts Viewer',
+    uiLabel: 'Accounts Viewer',
+    accessLevels: {
+        [Domain_AccountManagement.namespace]: DefaultAccessLevel_Read.name,
+    }
+};
+export const PermissionGroups_Permissions = [
+    PermissionGroup_Permissions_SuperAdmin,
+    PermissionGroup_Permissions_Viewer,
+    PermissionGroup_Permissions_Editor,
+    PermissionGroup_Account_Manager,
+    PermissionGroup_Account_Admin,
+    PermissionGroup_Account_Viewer,
+    // {
+    // 	_id: '60a417683e4016f4d933fee88953f0d5',
+    // 	name: 'Permissions Read Self',
+    // 	accessLevels: {
+    // 		[Domain_PermissionsDefine.namespace]: PermissionsAccessLevel_ReadSelf.name,
+    // 		[Domain_PermissionsAssign.namespace]: PermissionsAccessLevel_ReadSelf.name,
+    // 	}
+    // },
+];
+export const PermissionProject_Permissions = {
+    _id: 'f60db83936835e0be33e89caa365f0c3',
+    name: 'Permissions',
+    packages: [PermissionsPackage_Permissions, PermissionsPackage_Developer],
+    groups: PermissionGroups_Permissions
+};
+class ModuleBE_Permissions_Class extends Module {
+    init() {
+        super.init();
+        addRoutes([
+            createQueryServerApi(ApiDef_Permissions.v1.toggleStrictMode, this.toggleStrictMode),
+            createQueryServerApi(ApiDef_Permissions.v1.createProject, this.__performProjectSetup().processor),
+            // createBodyServerApi(ApiDef_Permissions.v1.connectDomainToRoutes, this.connectDomainToRoutes)
+        ]);
+    }
+    // __collectPermissionsProjects() {
+    // 	return PermissionProject_Permissions;
+    // }
+    async __collectSessionData(data) {
+        const permissionUser = await ModuleBE_PermissionUserDB.query.uniqueAssert(data.accountId);
+        const userGroups = filterInstances(await ModuleBE_PermissionGroupDB.query.all(permissionUser.groups.map(g => g.groupId)));
+        const permissionMap = await this.getUserPermissionMap(userGroups);
+        return {
+            key: 'permissions', value: {
+                domainToValueMap: permissionMap,
+                roles: userGroups.map(group => ({ key: group.label, uiLabel: group.uiLabel })),
+            }
+        };
+    }
+    getUserPermissionMap = async (userGroups) => {
+        const permissionMap = {};
+        const levelMaps = filterInstances(userGroups.map(i => i._levelsMap));
+        levelMaps.forEach(levelMap => {
+            _keys(levelMap).forEach(domainId => {
+                if (!permissionMap[domainId])
+                    permissionMap[domainId] = 0;
+                if (levelMap[domainId] > permissionMap[domainId])
+                    permissionMap[domainId] = levelMap[domainId];
+            });
+        });
+        //All domains that are not defined for the user, are NoAccess by default.
+        const allDomains = await ModuleBE_PermissionDomainDB.query.where({});
+        allDomains.forEach(domain => {
+            if (!permissionMap[domain._id])
+                permissionMap[domain._id] = DefaultAccessLevel_NoAccess.value; //"fill in the gaps" - All domains that are not defined for the user, are NoAccess by default.
+        });
+        return permissionMap;
+    };
+    toggleStrictMode = async () => {
+        MemKey_ServerApi.get().addPostCallAction(async () => {
+            const envConfigRef = Storm.getInstance().getEnvConfigRef(ModuleBE_PermissionsAssert);
+            const currentConfig = await envConfigRef.get({});
+            currentConfig.strictMode = !currentConfig.strictMode;
+            await envConfigRef.set(currentConfig);
+        });
+    };
+    __performProjectSetup() {
+        return {
+            priority: 0,
+            processor: async () => {
+                const projects = dispatcher_collectPermissionsProjects.dispatchModule();
+                projects.reduce((issues, project) => {
+                    return project.packages.reduce((issues, _package) => {
+                        return issues;
+                    }, issues);
+                }, []);
+                // Create All Projects
+                await this.createPermissionProjects(projects);
+                // Create all AppConfigs
+                await this.createPermissionsKeys(projects);
+                //Assign Super Admin if necessary
+                await this.assignSuperAdmin();
+            }
+        };
+    }
+    ;
+    async createPermissionProjects(projects) {
+        const map_nameToDBProject = await this.createProjects(projects);
+        const map_nameToDbDomain = await this.createDomains(projects, map_nameToDBProject);
+        const domainNameToLevelNameToDBAccessLevel = await this.createAccessLevels(projects, map_nameToDbDomain);
+        await this.createGroups(projects, map_nameToDbDomain, domainNameToLevelNameToDBAccessLevel);
+        await this.createApis(projects, domainNameToLevelNameToDBAccessLevel);
+    }
+    /**
+     * Creates All the DB_PermissionProject
+     *
+     * @param projects - predefined permissions projects
+     */
+    async createProjects(projects) {
+        this.logInfoBold('Creating Projects');
+        const _auditorId = MemKey_AccountId.get();
+        const preDBProjects = await ModuleBE_PermissionProjectDB.set.all(projects.map(project => ({
+            _id: project._id,
+            name: project.name,
+            _auditorId
+        })));
+        const projectsMap_nameToDBProject = reduceToMap(preDBProjects, project => project.name, project => project);
+        this.logInfoBold(`Created ${preDBProjects.length} Projects`);
+        return projectsMap_nameToDBProject;
+    }
+    /**
+     * Creates All the DB_PermissionDomains
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDBProject
+     */
+    async createDomains(projects, map_nameToDBProject) {
+        this.logInfoBold('Creating Domains');
+        const _auditorId = MemKey_AccountId.get();
+        const domainsToUpsert = flatArray(projects.map(project => project.packages.map(_package => _package.domains.map(domain => ({
+            _id: domain._id,
+            namespace: domain.namespace,
+            projectId: map_nameToDBProject[project.name]._id,
+            _auditorId
+        })))));
+        const dbDomain = await ModuleBE_PermissionDomainDB.set.all(domainsToUpsert);
+        const domainsMap_nameToDbDomain = reduceToMap(dbDomain, domain => domain.namespace, domain => domain);
+        this.logInfoBold(`Created ${dbDomain.length} Domains`);
+        return domainsMap_nameToDbDomain;
+    }
+    /**
+     * Creates All the DB_PermissionAccessLevel
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDbDomain
+     */
+    async createAccessLevels(projects, map_nameToDbDomain) {
+        this.logInfoBold('Creating Access Levels');
+        const _auditorId = MemKey_AccountId.get();
+        const levelsToUpsert = flatArray(projects.map(project => project.packages.map(_package => _package.domains.map(domain => {
+            let levels = domain.levels;
+            if (!levels)
+                levels = DuplicateDefaultAccessLevels(domain._id);
+            return levels.map(level => {
+                return {
+                    _id: level._id,
+                    domainId: map_nameToDbDomain[domain.namespace]._id,
+                    value: level.value,
+                    name: level.name,
+                    uiLabel: level.name,
+                    _auditorId
+                };
+            });
+        }))));
+        const dbLevels = await ModuleBE_PermissionAccessLevelDB.set.all(levelsToUpsert);
+        const domainNameToLevelNameToDBAccessLevel = reduceToMap(dbLevels, level => level.domainId, (level, index, map) => {
+            const domainLevels = map[level.domainId] || (map[level.domainId] = {});
+            domainLevels[level.name] = level;
+            return domainLevels;
+        });
+        this.logInfoBold(`Created ${dbLevels.length} Access Levels`);
+        return domainNameToLevelNameToDBAccessLevel;
+    }
+    /**
+     * Creates All the DB_PermissionGroup
+     *
+     * @param projects - predefined permissions projects
+     * @param map_nameToDbDomain
+     * @param domainNameToLevelNameToDBAccessLevel
+     */
+    async createGroups(projects, map_nameToDbDomain, domainNameToLevelNameToDBAccessLevel) {
+        this.logInfoBold('Creating Groups');
+        const _auditorId = MemKey_AccountId.get();
+        const groupsToUpsert = flatArray(projects.map(project => {
+            const groupsDef = flatArray([...project.packages.map(p => p.groups || []), ...project.groups || []]);
+            return (groupsDef).map(group => {
+                return {
+                    projectId: project._id,
+                    _id: group._id,
+                    _auditorId,
+                    label: group.name,
+                    uiLabel: group.name,
+                    accessLevelIds: _keys(group.accessLevels)
+                        .map(key => {
+                        const domainsMapNameToDbDomainElement = map_nameToDbDomain[key];
+                        if (!domainsMapNameToDbDomainElement)
+                            throw new MUSTNeverHappenException(`bah for key ${key}`);
+                        return domainNameToLevelNameToDBAccessLevel[domainsMapNameToDbDomainElement._id][group.accessLevels[key]]._id;
+                    })
+                };
+            });
+        }));
+        const dbGroups = await ModuleBE_PermissionGroupDB.set.all(groupsToUpsert);
+        this.logInfoBold(`Created ${dbGroups.length} Groups`);
+    }
+    /**
+     * Creates All the DB_PermissionApi
+     *
+     * @param projects - predefined permissions projects
+     * @param domainNameToLevelNameToDBAccessLevel
+     */
+    async createApis(projects, domainNameToLevelNameToDBAccessLevel) {
+        this.logInfoBold('Creating APIs');
+        const _auditorId = MemKey_AccountId.get();
+        const apisToUpsert = flatArray(projects.map(project => {
+            return project.packages.map(_package => _package.domains.map(domain => {
+                const apis = [];
+                apis.push(...(domain.customApis || []).map(api => ({
+                    projectId: project._id,
+                    path: trimStartingForwardSlash(api.path),
+                    _auditorId,
+                    accessLevelIds: [domainNameToLevelNameToDBAccessLevel[api.domainId ?? domain._id][api.accessLevel]._id]
+                })));
+                const apiModules = arrayToMap(RuntimeModules()
+                    .filter((module) => !!module.apiDef && !!module.dbModule?.dbDef?.dbKey), item => item.dbModule.dbDef.dbKey);
+                this.logDebug(_keys(apiModules));
+                // / I think there is a bug here... comment it and see what happens
+                const _apis = (domain.dbNames || []).map(dbName => {
+                    const apiModule = apiModules[dbName];
+                    if (!apiModule)
+                        throw new MUSTNeverHappenException(`Could not find api module with dbName: ${dbName}`);
+                    const _apiDefs = apiModule.apiDef;
+                    return _keys(_apiDefs).map(_apiDefKey => {
+                        const apiDefs = _apiDefs[_apiDefKey];
+                        return filterInstances(_keys(apiDefs).map(apiDefKey => {
+                            const apiDef = apiDefs[apiDefKey];
+                            const accessLevelNameToAssign = defaultLevelsRouteLookupWords[apiDef.path.substring(apiDef.path.lastIndexOf('/') + 1)];
+                            const accessLevel = domainNameToLevelNameToDBAccessLevel[domain._id][accessLevelNameToAssign];
+                            if (!accessLevel)
+                                return;
+                            const accessId = accessLevel._id;
+                            return {
+                                projectId: project._id,
+                                path: apiDef.path,
+                                _auditorId,
+                                accessLevelIds: [accessId]
+                            };
+                        }));
+                    });
+                });
+                apis.push(...flatArray(_apis));
+                return apis;
+            }));
+        }));
+        const dbApis = await ModuleBE_PermissionAPIDB.set.all(apisToUpsert);
+        this.logInfoBold(`Created ${dbApis.length} APIs`);
+    }
+    /**
+     * Creates permission keys associated with the given projects.
+     *
+     * @param projects - An array of projects.
+     */
+    async createPermissionsKeys(projects) {
+        this.logInfoBold('Creating App Config');
+        // const permissionKeysToCreate: PermissionKey_BE<any>[] = filterInstances(flatArray(projects.map(project => project.packages.map(_package => _package.domains.map(domain => domain.permissionKeys)))));
+        try {
+            await ModuleBE_AppConfigDB.createDefaults(this);
+            this.logInfoBold('Created Permission Key defaults.');
+        }
+        catch (e) {
+            this.logErrorBold('Failed creating Permission Key defaults.', e);
+        }
+        this.logInfoBold('Created App Config');
+    }
+    /**
+     * If no "Super Admin" user is defined in the system!
+     * The first user to press the create project button will become the "Super Admin" of the system
+     *
+     * If a "Super Admin" already exists in the system, a 403 will be thrown
+     */
+    assignSuperAdmin = async () => {
+        this.logInfoBold('Assigning SuperAdmin permissions');
+        const existingSuperAdmin = (await ModuleBE_PermissionUserDB.query.custom({
+            where: { __groupIds: { $ac: GroupId_SuperAdmin } },
+            limit: 1
+        }))[0];
+        if (existingSuperAdmin)
+            return;
+        const currentUser = await ModuleBE_PermissionUserDB.query.uniqueAssert(MemKey_AccountId.get());
+        (currentUser.groups || (currentUser.groups = [])).push({ groupId: GroupId_SuperAdmin });
+        await ModuleBE_PermissionUserDB.set.item(currentUser);
+        await ModuleBE_SessionDB._session.rotate.reissue.bySession();
+        this.logInfoBold('Assigned SuperAdmin permissions');
+    };
+}
+export const ModuleBE_Permissions = new ModuleBE_Permissions_Class();

package/modules/ModuleBE_PermissionsAssert.d.ts

@@ -0,0 +1,48 @@
+import { Module, StringMap, TypedMap } from '@nu-art/ts-common';
+import { ServerApi_Middleware } from '@nu-art/thunderstorm-backend';
+import { CollectSessionData } from '@nu-art/user-account-backend';
+import { Base_AccessLevel, DB_PermissionAccessLevel, DB_PermissionAPI, DomainToLevelValueMap, SessionData_StrictMode } from '@nu-art/permissions-shared';
+import { PermissionKey_BE } from '../PermissionKey_BE.js';
+export type UserCalculatedAccessLevel = {
+    [domainId: string]: number;
+};
+export type GroupPairWithBaseLevelsObj = {
+    accessLevels: Base_AccessLevel[];
+};
+export type RequestPairWithLevelsObj = {
+    accessLevels: DB_PermissionAccessLevel[];
+};
+type Config = {
+    strictMode?: boolean;
+};
+/**
+ * [DomainId uniqueString]: accessLevel's numerical value
+ */
+export declare class ModuleBE_PermissionsAssert_Class extends Module<Config> implements CollectSessionData<SessionData_StrictMode> {
+    private projectId;
+    _keys: TypedMap<boolean>;
+    permissionKeys: TypedMap<PermissionKey_BE<any>>;
+    readonly Middleware: (keys?: string[]) => ServerApi_Middleware;
+    readonly LoadPermissionsMiddleware: ServerApi_Middleware;
+    readonly CustomMiddleware: (keys: string[], action: (projectId: string, customFields: StringMap) => Promise<void>) => ServerApi_Middleware;
+    __collectSessionData(): Promise<SessionData_StrictMode>;
+    init(): void;
+    private assertPermission;
+    assertUserPermissions(projectId: string, path: string): Promise<void>;
+    assertUserPassesAccessLevels(domainToLevelValueMap: DomainToLevelValueMap, userPermissions: TypedMap<number>): void;
+    getApiDetails(_path: string, projectId: string): Promise<{
+        dbApi: DB_PermissionAPI;
+        requestPermissions: DB_PermissionAccessLevel[];
+    } | undefined>;
+    getApisDetails(urls: string[], projectId: string): Promise<({
+        apiDb: DB_PermissionAPI;
+        requestPermissions: DB_PermissionAccessLevel[];
+    } | undefined)[]>;
+    private getAccessLevels;
+    setProjectId: (projectId: string) => void;
+    getRegEx(value: string): RegExp;
+    registerPermissionKeys(keys: string[]): void;
+    private isStrictMode;
+}
+export declare const ModuleBE_PermissionsAssert: ModuleBE_PermissionsAssert_Class;
+export {};

package/modules/ModuleBE_PermissionsAssert.js

@@ -0,0 +1,242 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { _keys, ApiException, arrayToMap, BadImplementationException, batchActionParallel, exists, filterDuplicates, filterInstances, ImplementationMissingException, Module, RuntimeModules } from '@nu-art/ts-common';
+import { addRoutes, createBodyServerApi, ModuleBE_SyncManager } from '@nu-art/thunderstorm-backend';
+import { HttpMethod } from '@nu-art/thunderstorm-shared';
+import { MemKey_AccountEmail } from '@nu-art/user-account-backend';
+import { ApiDef_PermissionsAssert } from '@nu-art/permissions-shared';
+import { MemKey_HttpRequestBody, MemKey_HttpRequestMethod, MemKey_HttpRequestQuery, MemKey_HttpRequestUrl } from '@nu-art/thunderstorm-backend/modules/server/consts';
+import { MemKey_UserPermissions, SessionKey_Permissions_BE } from '../consts.js';
+import { PermissionKey_BE } from '../PermissionKey_BE.js';
+import { ModuleBE_PermissionAccessLevelDB, ModuleBE_PermissionAPIDB } from '../_entity.js';
+/**
+ * [DomainId uniqueString]: accessLevel's numerical value
+ */
+export class ModuleBE_PermissionsAssert_Class extends Module {
+    projectId;
+    _keys = {};
+    permissionKeys = {};
+    // constructor() {
+    // 	super();
+    // 	this.setMinLevel(LogLevel.Debug);
+    // }
+    Middleware = (keys = []) => async () => {
+        await this.CustomMiddleware(keys, async (projectId) => {
+            return this.assertUserPermissions(projectId, MemKey_HttpRequestUrl.get());
+        })();
+    };
+    LoadPermissionsMiddleware = async () => {
+        try {
+            MemKey_UserPermissions.get();
+        }
+        catch (err) {
+            MemKey_UserPermissions.set(SessionKey_Permissions_BE.get().domainToValueMap);
+        }
+    };
+    CustomMiddleware = (keys, action) => async () => {
+        const customFields = {};
+        let object;
+        const reqMethod = MemKey_HttpRequestMethod.get();
+        switch (reqMethod) {
+            case HttpMethod.POST:
+            case HttpMethod.PATCH:
+            case HttpMethod.PUT:
+                object = MemKey_HttpRequestBody.get();
+                break;
+            case HttpMethod.GET:
+            case HttpMethod.DELETE:
+                object = MemKey_HttpRequestQuery.get();
+                break;
+            default:
+                throw new BadImplementationException(`Generic custom fields cannot be extracted on api with method: ${reqMethod}`);
+        }
+        _keys(object).filter(key => keys.includes(key)).forEach(key => {
+            const oElement = object[key];
+            if (oElement === undefined || oElement === null)
+                return;
+            if (typeof oElement !== 'string')
+                return;
+            customFields[key] = oElement;
+        });
+        const projectId = this.projectId;
+        await action(projectId, customFields);
+    };
+    async __collectSessionData() {
+        return { key: 'strictMode', value: { isStrictMode: this.isStrictMode() } };
+    }
+    init() {
+        super.init();
+        addRoutes([createBodyServerApi(ApiDef_PermissionsAssert.vv1.assertUserPermissions, this.assertPermission)]);
+        _keys(this._keys).forEach(key => this.permissionKeys[key] = new PermissionKey_BE(key));
+        ModuleBE_SyncManager.setModuleFilter(async (dbModules) => {
+            // return dbModules;
+            //Filter out any module we don't have permission to sync
+            const userPermissions = MemKey_UserPermissions.get();
+            const mapDbNameToApiModules = arrayToMap(RuntimeModules()
+                .filter((module) => !!module.apiDef && !!module.dbModule?.dbDef?.dbKey), item => item.dbModule.dbDef.dbKey);
+            const paths = dbModules.map(module => {
+                const mapDbNameToApiModule = mapDbNameToApiModules[module.dbDef.dbKey];
+                if (!mapDbNameToApiModule) {
+                    // this.logWarning(`no module found for ${module.dbDef.dbKey}`);
+                    return undefined;
+                }
+                return mapDbNameToApiModule.apiDef?.['v1']?.['query'].path;
+            });
+            // this.logWarning(`Paths(${paths.length}):`, paths);
+            const _allApis = await ModuleBE_PermissionAPIDB.query.where({});
+            const apis = _allApis.filter(_api => paths.includes(_api.path));
+            const mapPathToDBApi = arrayToMap(apis, api => api.path);
+            return dbModules.filter((dbModule, index) => {
+                const path = paths[index];
+                if (!path) {
+                    // this.logWarningBold('no path');
+                    return false;
+                }
+                const dbApi = mapPathToDBApi[path];
+                if (!dbApi) {
+                    // this.logWarningBold(`no dbApi ${path}`);
+                    return !ModuleBE_PermissionsAssert.isStrictMode();
+                }
+                const accessLevels = dbApi._accessLevels;
+                return _keys(accessLevels).reduce((hasAccess, domainId) => {
+                    if (!hasAccess)
+                        return false;
+                    const userDomainAccessValue = userPermissions[domainId];
+                    const apiRequiredAccessValue = accessLevels[domainId];
+                    if (!userDomainAccessValue)
+                        return false;
+                    if (!exists(userDomainAccessValue) || userDomainAccessValue < apiRequiredAccessValue) {
+                        this.logErrorBold(`${(userDomainAccessValue ?? 0)} < ${apiRequiredAccessValue} === ${(userDomainAccessValue ?? 0) < apiRequiredAccessValue}`);
+                        return false;
+                    }
+                    return hasAccess;
+                }, true);
+            });
+        });
+    }
+    assertPermission = async (body) => {
+        await ModuleBE_PermissionsAssert.assertUserPermissions(body.projectId, body.path);
+        return { userId: MemKey_AccountEmail.get() };
+    };
+    async assertUserPermissions(projectId, path) {
+        // [DomainId]: accessLevel's numerical value
+        const userPermissions = MemKey_UserPermissions.get();
+        const apiDetails = await this.getApiDetails(path, projectId);
+        this.logDebug('______________________________');
+        this.logDebug(userPermissions);
+        this.logDebug('______________________________');
+        this.logDebug(apiDetails?.dbApi);
+        this.logDebug('______________________________');
+        if (!apiDetails || !apiDetails.dbApi.accessLevelIds) {
+            if (!this.config.strictMode)
+                return;
+            throw new ApiException(403, `No permissions configuration specified for api: ${projectId ? `${projectId}--` : ''}${path}`);
+        }
+        //_accessLevels is a map[domain id <> access level numeric value]
+        this.assertUserPassesAccessLevels(apiDetails.dbApi._accessLevels, userPermissions);
+    }
+    assertUserPassesAccessLevels(domainToLevelValueMap, userPermissions) {
+        _keys(domainToLevelValueMap).forEach(domainId => {
+            const userDomainPermission = userPermissions[domainId];
+            if (!exists(userDomainPermission))
+                throw new ApiException(403, 'Missing Access For This Domain');
+            if (userDomainPermission < domainToLevelValueMap[domainId]) {
+                this.logErrorBold(`for domain - userAccessLevel <> expectedAccessLevel: "${domainId}" ${(userDomainPermission ?? 0)} <> ${domainToLevelValueMap[domainId]}`);
+                throw new ApiException(403, 'Action Forbidden');
+            }
+        });
+    }
+    async getApiDetails(_path, projectId) {
+        let path = _path.substring(0, (_path + '?').indexOf('?')); //Get raw path without query
+        if (path.at(0) === '/')
+            path = path.substring(1);
+        this.logDebug(`Fetching Permission API for path: ${path} and project id: ${projectId}`);
+        const dbApi = (await ModuleBE_PermissionAPIDB.query.custom({
+            where: {
+                path,
+                projectId
+            }
+        }))[0];
+        if (!dbApi)
+            return undefined;
+        const requestPermissions = await this.getAccessLevels(dbApi.accessLevelIds || []);
+        return {
+            dbApi,
+            requestPermissions
+        };
+    }
+    async getApisDetails(urls, projectId) {
+        const paths = urls.map(_path => _path.substring(0, (_path + '?').indexOf('?')));
+        const apiDbs = await batchActionParallel(paths, 10, elements => ModuleBE_PermissionAPIDB.query.custom({
+            where: {
+                projectId,
+                path: { $in: elements }
+            }
+        }));
+        return Promise.all(paths.map(async (path) => {
+            const apiDb = apiDbs.find(_apiDb => _apiDb.path === path);
+            if (!apiDb)
+                return;
+            try {
+                const requestPermissions = await this.getAccessLevels(apiDb.accessLevelIds);
+                return ({
+                    apiDb,
+                    requestPermissions
+                });
+            }
+            catch (e) {
+                return;
+            }
+        }));
+    }
+    async getAccessLevels(_accessLevelIds) {
+        const accessLevelIds = filterDuplicates(_accessLevelIds || []);
+        const requestPermissions = filterInstances(await ModuleBE_PermissionAccessLevelDB.query.all(accessLevelIds));
+        const idNotFound = accessLevelIds.find(lId => !requestPermissions.find(r => r._id === lId));
+        if (idNotFound)
+            throw new ApiException(404, `Could not find api level with _id: ${idNotFound}`);
+        return requestPermissions;
+    }
+    setProjectId = (projectId) => {
+        this.projectId = projectId;
+    };
+    getRegEx(value) {
+        if (!value)
+            return new RegExp(`^${value}$`, 'g');
+        let regExValue = value;
+        const startRegEx = '^';
+        const endRegEx = '$';
+        if (value[0] !== startRegEx)
+            regExValue = startRegEx + regExValue;
+        if (value[value.length - 1] !== endRegEx)
+            regExValue = regExValue + endRegEx;
+        return new RegExp(regExValue, 'g');
+    }
+    registerPermissionKeys(keys) {
+        keys.forEach(key => {
+            if (this._keys[key])
+                throw new ImplementationMissingException(`Registered PermissionKey '${key}' more than once!`);
+            this._keys[key] = true;
+        });
+    }
+    isStrictMode() {
+        return !!this.config.strictMode;
+    }
+}
+export const ModuleBE_PermissionsAssert = new ModuleBE_PermissionsAssert_Class();

package/modules/consts.d.ts

@@ -0,0 +1,11 @@
+import { DefaultDef_Package } from '../types.js';
+export declare const Domain_PermissionAssignment: Readonly<{
+    _id: "1f41541c4514b50140ae62c1f7097029";
+    namespace: "Permissions Assignment";
+}>;
+export declare const Permissions_PermissionAssignment: DefaultDef_Package;
+export declare const Domain_PermissionManagement: Readonly<{
+    _id: "1f41541c4514b50140ae62c1f7097029";
+    namespace: "Permissions Management";
+}>;
+export declare const Permissions_PermissionManagement: DefaultDef_Package;