@nu-art/permissions-backend 0.401.9 → 0.500.6

package/RequirePermission.d.ts

@@ -0,0 +1,33 @@
+import type { PermissionScope } from '@nu-art/permissions-shared';
+import type { FunctionPermissionDef } from './core/function-permission-registry.js';
+import type { PermissionAsserter } from './assertion-types.js';
+export { type FunctionPermissionDef } from './core/function-permission-registry.js';
+export { type PermissionAssertionContext, type PermissionAsserter } from './assertion-types.js';
+export declare const RequirePermissionDefKey: unique symbol;
+type AsyncMethodDecorator = <This, Args extends any[], Return>(originalMethod: (this: This, ...args: Args) => Promise<Return>, _context: ClassMethodDecoratorContext<This, (this: This, ...args: Args) => Promise<Return>>) => (this: This, ...args: Args) => Promise<Return>;
+/**
+ * Simple overload: checks that the caller has at least the required value
+ * for the given scope (position-based in the scope's ordered values array).
+ */
+export declare function RequirePermission<P extends PermissionScope>(scope: P, value: P['values'][number]): AsyncMethodDecorator;
+/**
+ * Complex overload: receives a PermissionAssertionContext and the decorated
+ * method's arguments. Return true to allow, false to deny (throws 403).
+ *
+ * @example
+ * @RequirePermission((assert, body: EditArticleRequest) => {
+ *   return assert.or(
+ *     assert.and(
+ *       assert.hasScope(PermissionScope_Articles, 'write'),
+ *       assert.ownsEntity({dbKey: 'articles', id: body.articleId})
+ *     ),
+ *     assert.hasScope(PermissionScope_Articles, 'admin')
+ *   );
+ * })
+ */
+export declare function RequirePermission(asserter: PermissionAsserter): AsyncMethodDecorator;
+/**
+ * Returns the function-permission def attached to a handler, or undefined.
+ * Only set for the simple overload (scope + value).
+ */
+export declare function getRequirePermissionDef(handler: ((...args: any[]) => any) | null | undefined): FunctionPermissionDef | undefined;

package/RequirePermission.js

@@ -0,0 +1,56 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { ApiException } from '@nu-art/ts-common';
+import { registerFunctionPermission } from './core/function-permission-registry.js';
+import { ModuleBE_PermissionsAssert } from './modules/ModuleBE_PermissionsAssert.js';
+export const RequirePermissionDefKey = Symbol.for('RequirePermissionDef');
+export function RequirePermission(scopeOrAsserter, value) {
+    if (typeof scopeOrAsserter === 'function') {
+        const asserter = scopeOrAsserter;
+        return function (originalMethod, _context) {
+            const wrapper = async function (...args) {
+                const ctx = ModuleBE_PermissionsAssert.createAssertionContext();
+                const result = await asserter(ctx, ...args);
+                if (!result)
+                    throw new ApiException(403, 'Permission assertion failed');
+                return originalMethod.call(this, ...args);
+            };
+            return wrapper;
+        };
+    }
+    const scope = scopeOrAsserter;
+    return function (originalMethod, _context) {
+        const def = registerFunctionPermission(scope, value);
+        const wrapper = async function (...args) {
+            ModuleBE_PermissionsAssert.assertScopePermission(scope, value);
+            return originalMethod.call(this, ...args);
+        };
+        wrapper[RequirePermissionDefKey] = def;
+        return wrapper;
+    };
+}
+/**
+ * Returns the function-permission def attached to a handler, or undefined.
+ * Only set for the simple overload (scope + value).
+ */
+export function getRequirePermissionDef(handler) {
+    if (!handler || typeof handler !== 'function')
+        return undefined;
+    return handler[RequirePermissionDefKey];
+}

package/_entity/access-group/ModuleBE_AccessGroupDB.d.ts

@@ -0,0 +1,13 @@
+import { UniqueId } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB, PostWriteProcessingDataShape } from '@nu-art/db-api-backend';
+import type { DatabaseDef_AccessGroup, DB_AccessGroup } from '@nu-art/permissions-shared';
+import { CollectionActionType } from '@nu-art/firebase-backend/firestore/FirestoreCollection';
+export interface OnAccessGroupChanged {
+    __onAccessGroupChanged(changedGroupIds: UniqueId[]): Promise<void>;
+}
+export declare class ModuleBE_AccessGroupDB_Class extends ModuleBE_BaseDB<DatabaseDef_AccessGroup> {
+    constructor();
+    protected preWriteProcessing(instance: DB_AccessGroup, _original: DatabaseDef_AccessGroup['dbType']): Promise<void>;
+    protected postWriteProcessing(data: PostWriteProcessingDataShape<DatabaseDef_AccessGroup['dbType']>, _actionType: CollectionActionType): Promise<void>;
+}
+export declare const ModuleBE_AccessGroupDB: ModuleBE_AccessGroupDB_Class;

package/_entity/access-group/ModuleBE_AccessGroupDB.js

@@ -0,0 +1,36 @@
+import { ApiException, Dispatcher, filterDuplicates } from '@nu-art/ts-common';
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_AccessGroup } from '@nu-art/permissions-shared';
+const dispatcher_accessGroupChanged = new Dispatcher('__onAccessGroupChanged');
+export class ModuleBE_AccessGroupDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_AccessGroup);
+    }
+    async preWriteProcessing(instance, _original) {
+        if ((instance.type === 'user' || instance.type === 'service-account') && instance.members.length > 0)
+            throw new ApiException(400, `${instance.type} access groups cannot have members`);
+    }
+    async postWriteProcessing(data, _actionType) {
+        const updated = Array.isArray(data.updated) ? data.updated : data.updated ? [data.updated] : [];
+        const before = Array.isArray(data.before) ? data.before : data.before ? [data.before] : [];
+        const deleted = Array.isArray(data.deleted) ? data.deleted : data.deleted ? [data.deleted] : [];
+        const changedGroupIds = [];
+        for (let i = 0; i < updated.length; i++) {
+            const prev = before[i];
+            if (!prev) {
+                changedGroupIds.push(updated[i]._id);
+                continue;
+            }
+            const membersChanged = JSON.stringify([...updated[i].members].sort()) !== JSON.stringify([...prev.members].sort());
+            const scopesChanged = JSON.stringify([...(updated[i].scopeEntries ?? [])].sort()) !== JSON.stringify([...(prev.scopeEntries ?? [])].sort());
+            if (membersChanged || scopesChanged)
+                changedGroupIds.push(updated[i]._id);
+        }
+        for (const del of deleted)
+            changedGroupIds.push(del._id);
+        if (changedGroupIds.length === 0)
+            return;
+        await dispatcher_accessGroupChanged.dispatchModuleAsync(filterDuplicates(changedGroupIds));
+    }
+}
+export const ModuleBE_AccessGroupDB = new ModuleBE_AccessGroupDB_Class();

package/_entity/access-group/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_AccessGroup: (import("./ModuleBE_AccessGroupDB.js").ModuleBE_AccessGroupDB_Class | import("@nu-art/db-api-backend").ModuleBE_BaseApi_Class<import("@nu-art/permissions-shared").DatabaseDef_AccessGroup, any>)[];

package/_entity/access-group/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModule } from '@nu-art/db-api-backend';
+import { ModuleBE_AccessGroupDB } from './ModuleBE_AccessGroupDB.js';
+export const ModulePackBE_AccessGroup = [ModuleBE_AccessGroupDB, createApisForDBModule(ModuleBE_AccessGroupDB)];

package/_entity/permission-scope/ModuleBE_PermissionScopeDB.d.ts

@@ -0,0 +1,6 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DatabaseDef_PermissionScope } from '@nu-art/permissions-shared';
+export declare class ModuleBE_PermissionScopeDB_Class extends ModuleBE_BaseDB<DatabaseDef_PermissionScope> {
+    constructor();
+}
+export declare const ModuleBE_PermissionScopeDB: ModuleBE_PermissionScopeDB_Class;

package/_entity/permission-scope/ModuleBE_PermissionScopeDB.js

@@ -0,0 +1,8 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_PermissionScope } from '@nu-art/permissions-shared';
+export class ModuleBE_PermissionScopeDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_PermissionScope);
+    }
+}
+export const ModuleBE_PermissionScopeDB = new ModuleBE_PermissionScopeDB_Class();

package/_entity/permission-scope/module-pack.d.ts

@@ -0,0 +1 @@
+export declare const ModulePackBE_PermissionScope: (import("./ModuleBE_PermissionScopeDB.js").ModuleBE_PermissionScopeDB_Class | import("@nu-art/db-api-backend").ModuleBE_BaseApi_Class<import("@nu-art/permissions-shared").DatabaseDef_PermissionScope, any>)[];

package/_entity/permission-scope/module-pack.js

@@ -0,0 +1,3 @@
+import { createApisForDBModule } from '@nu-art/db-api-backend';
+import { ModuleBE_PermissionScopeDB } from './ModuleBE_PermissionScopeDB.js';
+export const ModulePackBE_PermissionScope = [ModuleBE_PermissionScopeDB, createApisForDBModule(ModuleBE_PermissionScopeDB)];

package/_entity/user-permissions/ModuleBE_UserPermissionsAPI.d.ts

@@ -0,0 +1,9 @@
+import { ModuleBE_BaseApi_Class } from '@nu-art/db-api-backend';
+import type { QueryParams } from '@nu-art/api-types';
+import { DatabaseDef_UserPermissions, Response_MyPermissions } from '@nu-art/permissions-shared';
+declare class ModuleBE_UserPermissionsAPI_Class extends ModuleBE_BaseApi_Class<DatabaseDef_UserPermissions> {
+    constructor();
+    getMyPermissions(_params: QueryParams): Promise<Response_MyPermissions>;
+}
+export declare const ModuleBE_UserPermissionsAPI: ModuleBE_UserPermissionsAPI_Class;
+export {};

package/_entity/user-permissions/ModuleBE_UserPermissionsAPI.js

@@ -0,0 +1,67 @@
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+import { ModuleBE_BaseApi_Class } from '@nu-art/db-api-backend';
+import { CrudApiDef, stringToUniqueId } from '@nu-art/db-api-shared';
+import { ApiHandler } from '@nu-art/http-server';
+import { ApiDef_UserPermissions, DBDef_UserPermissions, } from '@nu-art/permissions-shared';
+import { ModuleBE_UserPermissionsDB } from './ModuleBE_UserPermissionsDB.js';
+import { SessionKey_Account_BE } from '@nu-art/user-account-backend';
+let ModuleBE_UserPermissionsAPI_Class = (() => {
+    let _classSuper = ModuleBE_BaseApi_Class;
+    let _instanceExtraInitializers = [];
+    let _getMyPermissions_decorators;
+    return class ModuleBE_UserPermissionsAPI_Class extends _classSuper {
+        static {
+            const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(_classSuper[Symbol.metadata] ?? null) : void 0;
+            _getMyPermissions_decorators = [ApiHandler(ApiDef_UserPermissions.getMyPermissions)];
+            __esDecorate(this, null, _getMyPermissions_decorators, { kind: "method", name: "getMyPermissions", static: false, private: false, access: { has: obj => "getMyPermissions" in obj, get: obj => obj.getMyPermissions }, metadata: _metadata }, null, _instanceExtraInitializers);
+            if (_metadata) Object.defineProperty(this, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+        }
+        constructor() {
+            super({
+                dbModule: ModuleBE_UserPermissionsDB,
+                crudApiDef: CrudApiDef(DBDef_UserPermissions.dbKey),
+            });
+            __runInitializers(this, _instanceExtraInitializers);
+        }
+        async getMyPermissions(_params) {
+            const account = SessionKey_Account_BE.get();
+            const permissionsId = stringToUniqueId(account._id);
+            const entity = await ModuleBE_UserPermissionsDB.query.unique(permissionsId);
+            return { scopeEntries: entity?.scopeEntries ?? [] };
+        }
+    };
+})();
+export const ModuleBE_UserPermissionsAPI = new ModuleBE_UserPermissionsAPI_Class();

package/_entity/user-permissions/ModuleBE_UserPermissionsDB.d.ts

@@ -0,0 +1,6 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DatabaseDef_UserPermissions } from '@nu-art/permissions-shared';
+export declare class ModuleBE_UserPermissionsDB_Class extends ModuleBE_BaseDB<DatabaseDef_UserPermissions> {
+    constructor();
+}
+export declare const ModuleBE_UserPermissionsDB: ModuleBE_UserPermissionsDB_Class;

package/_entity/user-permissions/ModuleBE_UserPermissionsDB.js

@@ -0,0 +1,8 @@
+import { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import { DBDef_UserPermissions } from '@nu-art/permissions-shared';
+export class ModuleBE_UserPermissionsDB_Class extends ModuleBE_BaseDB {
+    constructor() {
+        super(DBDef_UserPermissions);
+    }
+}
+export const ModuleBE_UserPermissionsDB = new ModuleBE_UserPermissionsDB_Class();

package/_entity/user-permissions/module-pack.d.ts

@@ -0,0 +1,2 @@
+import { Module } from '@nu-art/ts-common';
+export declare const ModulePackBE_UserPermissions: Module[];

package/_entity/user-permissions/module-pack.js

@@ -0,0 +1,3 @@
+import { ModuleBE_UserPermissionsDB } from './ModuleBE_UserPermissionsDB.js';
+import { ModuleBE_UserPermissionsAPI } from './ModuleBE_UserPermissionsAPI.js';
+export const ModulePackBE_UserPermissions = [ModuleBE_UserPermissionsDB, ModuleBE_UserPermissionsAPI];

package/assertion-types.d.ts

@@ -0,0 +1,9 @@
+import type { PermissionScope } from '@nu-art/permissions-shared';
+import type { DBPointer } from '@nu-art/ts-common';
+export type PermissionAssertionContext = {
+    readonly hasScope: (scope: PermissionScope, value: string) => boolean;
+    readonly ownsEntity: (pointer: DBPointer) => Promise<boolean>;
+    readonly and: (...predicates: (boolean | Promise<boolean>)[]) => Promise<boolean>;
+    readonly or: (...predicates: (boolean | Promise<boolean>)[]) => Promise<boolean>;
+};
+export type PermissionAsserter = (assert: PermissionAssertionContext, ...args: any[]) => boolean | Promise<boolean>;

package/consts.d.ts

@@ -1,7 +1,10 @@
 import { SessionKey_BE } from '@nu-art/user-account-backend';
 import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
-import { TypedMap } from '@nu-art/ts-common';
-import { SessionData_Permissions, SessionData_StrictMode } from '@nu-art/permissions-shared';
-export declare const SessionKey_Permissions_BE: SessionKey_BE<SessionData_Permissions>;
+import type { DBPointer } from '@nu-art/ts-common';
+import type { ScopedAccessIds } from '@nu-art/permissions-shared';
+import { SessionData_StrictMode } from '@nu-art/permissions-shared';
 export declare const SessionKey_StrictMode_BE: SessionKey_BE<SessionData_StrictMode>;
-export declare const MemKey_UserPermissions: MemKey<TypedMap<number>>;
+export declare const MemKey_UserScopePermissions: MemKey<string[]>;
+export declare const MemKey_UserEntityContexts: MemKey<DBPointer[]>;
+export declare const MemKey_ServiceAccountId: MemKey<string>;
+export declare const MemKey_UserAccessIds: MemKey<ScopedAccessIds>;

package/consts.js

@@ -1,5 +1,7 @@
 import { SessionKey_BE } from '@nu-art/user-account-backend';
 import { MemKey } from '@nu-art/ts-common/mem-storage/MemStorage';
-export const SessionKey_Permissions_BE = new SessionKey_BE('permissions');
 export const SessionKey_StrictMode_BE = new SessionKey_BE('strictMode');
-export const MemKey_UserPermissions = new MemKey('user-permissions'); //[domainId]: access level numerical value
+export const MemKey_UserScopePermissions = new MemKey('user-scope-permissions');
+export const MemKey_UserEntityContexts = new MemKey('user-entity-contexts');
+export const MemKey_ServiceAccountId = new MemKey('service-account-id');
+export const MemKey_UserAccessIds = new MemKey('user-access-ids');

package/core/function-permission-registry.d.ts

@@ -0,0 +1,24 @@
+import type { PermissionScope } from '@nu-art/permissions-shared';
+export type FunctionPermissionDef = {
+    id: string;
+    scopeKey: string;
+    value: string;
+};
+/**
+ * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
+ * Returns the same def if (scopeKey, value) was already registered (stable id).
+ * Also stores the scope's ordered values array for position-based assertion.
+ */
+export declare function registerFunctionPermission(scope: PermissionScope, value: string): FunctionPermissionDef;
+/**
+ * Returns all registered function permissions for server load (create domains/levels in DB).
+ */
+export declare function getRegisteredFunctionPermissions(): FunctionPermissionDef[];
+/**
+ * Returns the def for a given (scopeKey, value), or undefined if not registered.
+ */
+export declare function getFunctionPermissionDef(scopeKey: string, value: string): FunctionPermissionDef | undefined;
+/**
+ * Returns the ordered values array for a scope key, or undefined if the scope was never registered.
+ */
+export declare function getScopeValues(scopeKey: string): readonly string[] | undefined;

package/core/function-permission-registry.js

@@ -0,0 +1,60 @@
+/*
+ * Permissions management system, define access level for each of
+ * your server apis, and restrict users by giving them access levels
+ *
+ * Copyright (C) 2020 Adam van der Kruk aka TacB0sS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import { md5 } from '@nu-art/ts-common';
+const registry = new Map();
+const scopeValuesRegistry = new Map();
+function compositeKey(scopeKey, value) {
+    return `${scopeKey}\0${value}`;
+}
+/**
+ * Registers a function permission (scope + value). Called from @RequirePermission decorator init.
+ * Returns the same def if (scopeKey, value) was already registered (stable id).
+ * Also stores the scope's ordered values array for position-based assertion.
+ */
+export function registerFunctionPermission(scope, value) {
+    const scopeKey = scope.key;
+    if (!scopeValuesRegistry.has(scopeKey))
+        scopeValuesRegistry.set(scopeKey, scope.values);
+    const key = compositeKey(scopeKey, value);
+    const existing = registry.get(key);
+    if (existing)
+        return existing;
+    const id = md5(`function-permission/${scopeKey}/${value}`);
+    const def = { id, scopeKey, value };
+    registry.set(key, def);
+    return def;
+}
+/**
+ * Returns all registered function permissions for server load (create domains/levels in DB).
+ */
+export function getRegisteredFunctionPermissions() {
+    return [...registry.values()];
+}
+/**
+ * Returns the def for a given (scopeKey, value), or undefined if not registered.
+ */
+export function getFunctionPermissionDef(scopeKey, value) {
+    return registry.get(compositeKey(scopeKey, value));
+}
+/**
+ * Returns the ordered values array for a scope key, or undefined if the scope was never registered.
+ */
+export function getScopeValues(scopeKey) {
+    return scopeValuesRegistry.get(scopeKey);
+}

package/core/module-pack.js

@@ -18,14 +18,13 @@
  */
 import { ModuleBE_PermissionsAssert } from '../modules/ModuleBE_PermissionsAssert.js';
 import { ModuleBE_Permissions } from '../modules/ModuleBE_Permissions.js';
-import { ModulePackBE_PermissionAccessLevel, ModulePackBE_PermissionAPI, ModulePackBE_PermissionDomain, ModulePackBE_PermissionGroup, ModulePackBE_PermissionProject, ModulePackBE_PermissionUser } from '../_entity.js';
+import { ModulePackBE_PermissionScope } from '../_entity/permission-scope/module-pack.js';
+import { ModulePackBE_UserPermissions } from '../_entity/user-permissions/module-pack.js';
+import { ModulePackBE_AccessGroup } from '../_entity/access-group/module-pack.js';
 export const ModulePackBE_Permissions = [
-    ...ModulePackBE_PermissionAccessLevel,
-    ...ModulePackBE_PermissionAPI,
-    ...ModulePackBE_PermissionProject,
-    ...ModulePackBE_PermissionDomain,
-    ...ModulePackBE_PermissionGroup,
-    ...ModulePackBE_PermissionUser,
+    ...ModulePackBE_PermissionScope,
+    ...ModulePackBE_UserPermissions,
+    ...ModulePackBE_AccessGroup,
     ModuleBE_PermissionsAssert,
     ModuleBE_Permissions,
 ];

package/document-access-api.d.ts

@@ -0,0 +1,6 @@
+import type { UniqueId } from '@nu-art/ts-common';
+import type { DB_Prototype } from '@nu-art/db-api-shared';
+import type { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import type { DocumentAccessCapabilities } from '@nu-art/permissions-shared';
+export declare function shareDocument<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, documentId: Database['uniqueParam'], principalId: UniqueId, capabilities: DocumentAccessCapabilities): Promise<Database['dbType']>;
+export declare function unshareDocument<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, documentId: Database['uniqueParam'], principalId: UniqueId, capabilities: DocumentAccessCapabilities): Promise<Database['dbType']>;

package/document-access-api.js

@@ -0,0 +1,49 @@
+import { ApiException, filterDuplicates, removeItemFromArray } from '@nu-art/ts-common';
+import { CapabilityToAccessKey } from '@nu-art/permissions-shared';
+import { MemKey_UserAccessIds } from './consts.js';
+function getAllAccessIds() {
+    const dict = MemKey_UserAccessIds.get();
+    return filterDuplicates(Object.values(dict).flat());
+}
+function assertOwnership(access) {
+    const accessIds = getAllAccessIds();
+    const isOwner = access?.owners?.some(id => accessIds.includes(id));
+    if (!isOwner)
+        throw new ApiException(403, 'Only document owners can manage access');
+}
+export async function shareDocument(dbModule, documentId, principalId, capabilities) {
+    const doc = await dbModule.query.unique(documentId);
+    if (!doc)
+        throw new ApiException(404, 'Document not found');
+    const mutable = doc;
+    assertOwnership(mutable.__access);
+    if (!mutable.__access)
+        mutable.__access = {};
+    for (const [cap, enabled] of Object.entries(capabilities)) {
+        if (!enabled)
+            continue;
+        const accessKey = CapabilityToAccessKey[cap];
+        if (!mutable.__access[accessKey])
+            mutable.__access[accessKey] = [];
+        mutable.__access[accessKey] = filterDuplicates([...mutable.__access[accessKey], principalId]);
+    }
+    return dbModule.set.item(mutable);
+}
+export async function unshareDocument(dbModule, documentId, principalId, capabilities) {
+    const doc = await dbModule.query.unique(documentId);
+    if (!doc)
+        throw new ApiException(404, 'Document not found');
+    const mutable = doc;
+    assertOwnership(mutable.__access);
+    if (!mutable.__access)
+        return dbModule.set.item(mutable);
+    for (const [cap, enabled] of Object.entries(capabilities)) {
+        if (!enabled)
+            continue;
+        const accessKey = CapabilityToAccessKey[cap];
+        if (!mutable.__access[accessKey])
+            continue;
+        removeItemFromArray(mutable.__access[accessKey], principalId);
+    }
+    return dbModule.set.item(mutable);
+}

package/document-access-enforcement.d.ts

@@ -0,0 +1,9 @@
+import type { DB_Prototype } from '@nu-art/db-api-shared';
+import type { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import type { DatabaseDef_AccessGroup, DocumentAccessFields, DocumentAccessInner } from '@nu-art/permissions-shared';
+import { UniqueId } from '@nu-art/ts-common';
+export type AccessContextResolver<Database extends DB_Prototype = DB_Prototype> = (item: Database['uiType']) => Promise<DocumentAccessFields> | DocumentAccessFields;
+export declare function copyAccessFields(source: Record<string, unknown>): DocumentAccessFields;
+export declare function deriveEntityGroupId(entityId: UniqueId, accessKey: keyof DocumentAccessInner): DatabaseDef_AccessGroup['id'];
+export declare function deriveEntityAccessFields(entityId: UniqueId): DocumentAccessFields;
+export declare function wireDocumentAccess<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, resolverProvider: () => AccessContextResolver<Database> | undefined, scopeKeysProvider: () => string[] | undefined): void;

package/document-access-enforcement.js

@@ -0,0 +1,137 @@
+import { hashToUniqueId } from '@nu-art/db-api-shared';
+import { AccessScope_Self, AllDocumentAccessKeys } from '@nu-art/permissions-shared';
+import { ApiException, filterDuplicates, tsValidateResult, tsValidator_arrayOfUniqueIds } from '@nu-art/ts-common';
+import { MemKey_UserAccessIds } from './consts.js';
+const documentAccessInnerValidator = {
+    readers: tsValidator_arrayOfUniqueIds,
+    writers: tsValidator_arrayOfUniqueIds,
+    deleters: tsValidator_arrayOfUniqueIds,
+    owners: tsValidator_arrayOfUniqueIds,
+};
+function getCallerScopedAccessIds() {
+    return MemKey_UserAccessIds.peak();
+}
+function resolveAccessIds(scopedDict, scopeKeys) {
+    const selfIds = scopedDict[AccessScope_Self] ?? [];
+    if (!scopeKeys)
+        return filterDuplicates([...selfIds, ...Object.values(scopedDict).flat()]);
+    const scopedIds = scopeKeys.flatMap(key => scopedDict[key] ?? []);
+    return filterDuplicates([...selfIds, ...scopedIds]);
+}
+function defaultAccessFields(callerAccessIds) {
+    const callerId = callerAccessIds[0];
+    return {
+        __access: {
+            readers: [callerId],
+            writers: [callerId],
+            deleters: [callerId],
+            owners: [callerId],
+        }
+    };
+}
+function assertCallerAccess(access, callerIds, ...keys) {
+    if (!keys.some(key => access[key]?.length))
+        return;
+    if (keys.some(key => access[key]?.some(id => callerIds.includes(id))))
+        return;
+    throw new ApiException(403, 'Insufficient document access');
+}
+function createQueryInterceptor(scopeKeysProvider) {
+    return (query) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return query;
+        const accessIds = resolveAccessIds(scopedDict, scopeKeysProvider());
+        const where = (query.where ?? {});
+        where.__access = { readers: { $aca: accessIds } };
+        query.where = where;
+        return query;
+    };
+}
+function createPreWriteInterceptor(resolverProvider, scopeKeysProvider) {
+    return async (dbItem, original) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return;
+        const item = dbItem;
+        delete item.__access;
+        if (!original) {
+            const selfIds = scopedDict[AccessScope_Self] ?? [];
+            const resolver = resolverProvider();
+            const resolved = resolver ? await resolver(dbItem) : defaultAccessFields(selfIds);
+            item.__access = {
+                ...resolved.__access,
+                owners: filterDuplicates([...(resolved.__access.owners ?? []), ...selfIds]),
+            };
+            return;
+        }
+        const existingAccess = original.__access;
+        if (!existingAccess)
+            return;
+        item.__access = { ...existingAccess };
+        assertCallerAccess(existingAccess, resolveAccessIds(scopedDict, scopeKeysProvider()), 'writers', 'owners');
+    };
+}
+function createPreDeleteInterceptor(scopeKeysProvider) {
+    return async (dbItems) => {
+        const scopedDict = getCallerScopedAccessIds();
+        if (!scopedDict)
+            return;
+        const accessIds = resolveAccessIds(scopedDict, scopeKeysProvider());
+        for (const dbItem of dbItems) {
+            const access = dbItem.__access;
+            if (!access)
+                throw new ApiException(403, 'No delete access to this document');
+            assertCallerAccess(access, accessIds, 'deleters', 'owners');
+        }
+    };
+}
+export function copyAccessFields(source) {
+    const access = source.__access;
+    return {
+        __access: {
+            readers: [...(access?.readers ?? [])],
+            writers: [...(access?.writers ?? [])],
+            deleters: [...(access?.deleters ?? [])],
+            owners: [...(access?.owners ?? [])],
+        }
+    };
+}
+export function deriveEntityGroupId(entityId, accessKey) {
+    return hashToUniqueId(`${entityId}:${accessKey}`);
+}
+export function deriveEntityAccessFields(entityId) {
+    const inner = AllDocumentAccessKeys.reduce((fields, key) => {
+        fields[key] = [deriveEntityGroupId(entityId, key)];
+        return fields;
+    }, {});
+    return { __access: inner };
+}
+function patchCollectionValidator(dbModule) {
+    let patched = false;
+    dbModule.registerPreWriteInterceptor(async () => {
+        if (patched)
+            return;
+        patched = true;
+        const collection = dbModule.collection;
+        const originalValidate = collection.validateItem.bind(collection);
+        collection.validateItem = (dbItem) => {
+            const extractedAccess = dbItem.__access;
+            delete dbItem.__access;
+            originalValidate(dbItem);
+            if (extractedAccess) {
+                const results = tsValidateResult(extractedAccess, documentAccessInnerValidator);
+                if (results)
+                    throw new ApiException(400, `Invalid document access fields: ${JSON.stringify(results)}`);
+            }
+            if (extractedAccess)
+                dbItem.__access = extractedAccess;
+        };
+    });
+}
+export function wireDocumentAccess(dbModule, resolverProvider, scopeKeysProvider) {
+    patchCollectionValidator(dbModule);
+    dbModule.registerQueryInterceptor(createQueryInterceptor(scopeKeysProvider));
+    dbModule.registerPreWriteInterceptor(createPreWriteInterceptor(resolverProvider, scopeKeysProvider));
+    dbModule.registerPreDeleteInterceptor(createPreDeleteInterceptor(scopeKeysProvider));
+}