npm - @objectstack/plugin-security - Versions diffs - 5.1.0 → 5.2.0 - Mend

@objectstack/plugin-security 5.1.0 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -179,6 +179,14 @@ interface RLSUserContext {
      */
     organization_id?: string;
     roles?: string[];
+    /**
+     * IDs of all users that share the active organization with the
+     * current user (incl. self). Pre-resolved by the runtime so RLS can
+     * scope identity tables like `sys_user` via
+     * `id IN (current_user.org_user_ids)` without needing subquery
+     * support in the compiler.
+     */
+    org_user_ids?: string[];
     [key: string]: unknown;
 }
 /**
@@ -8552,4 +8560,78 @@ declare const securityPluginManifestHeader: {
     description: string;
 };
-export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, isPermissionDeniedError, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };
+/**
+ * ensureUserHasOrganization — auto-create a personal org for new users.
+ *
+ * In multi-tenant mode, every record visible through the default
+ * `tenant_isolation` RLS policy must have an `organization_id`, and
+ * every authenticated user must have an `activeOrganizationId` on their
+ * session for that policy to evaluate to anything other than "deny
+ * all". A user with zero `sys_member` rows, however, can sign in
+ * successfully and reach the dashboard — the dashboard's
+ * `RequireOrganization` guard has a single-tenant carve-out that lets
+ * users with empty organization lists through, so they land on a UI
+ * that simply hides every record. The standard remedy ("invite users
+ * via an admin") doesn't apply to self-service signup.
+ *
+ * This helper, run right after a `sys_user` insert, ensures the new
+ * user has at least one organization by creating a personal workspace
+ * (named "<User>'s Workspace", slug `<username>-workspace`) and an
+ * owner-role `sys_member` row. The user's session will pick this up as
+ * their `activeOrganizationId` on the next sign-in / org-list refresh
+ * (better-auth's `setActiveOrganization` runs lazily when the picker
+ * sees exactly one membership).
+ *
+ * Idempotent: bails out if the user already has any `sys_member` row.
+ * Slug collisions retry with a numeric suffix; a cap of 5 attempts
+ * means a pathological username will fail loudly rather than loop.
+ */
+interface EnsureOptions {
+    logger?: {
+        info: (message: string, meta?: Record<string, any>) => void;
+        warn: (message: string, meta?: Record<string, any>) => void;
+    };
+    /**
+     * Optional hook called after a personal org is successfully created.
+     * Used by SecurityPlugin to wire in `cloneTenantSeedData` so each
+     * new workspace gets its own copy of demo data. Pulled in via DI
+     * to keep this helper free of a hard import on the cloner (which
+     * keeps the tenant-claim and ensure-org test surfaces narrow).
+     */
+    cloneSeedData?: (ql: any, targetOrgId: string, opts: {
+        logger?: EnsureOptions['logger'];
+    }) => Promise<{
+        object: string;
+        count: number;
+    }[]>;
+}
+/**
+ * Ensure `user` has at least one `sys_member` row. Creates a personal
+ * organization owned by them if not.
+ *
+ * Returns `{ created: true, organizationId }` when a new org was made,
+ * or `{ created: false, reason }` when the user already has memberships
+ * or the operation was skipped.
+ */
+declare function ensureUserHasOrganization(ql: any, user: {
+    id: string;
+    name?: string;
+    email?: string;
+}, options?: EnsureOptions): Promise<{
+    created: boolean;
+    organizationId?: string;
+    reason?: string;
+}>;
+interface CloneOptions {
+    logger?: {
+        info: (message: string, meta?: Record<string, any>) => void;
+        warn: (message: string, meta?: Record<string, any>) => void;
+    };
+}
+declare function cloneTenantSeedData(ql: any, targetOrgId: string, options?: CloneOptions): Promise<{
+    object: string;
+    count: number;
+}[]>;
+export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, cloneTenantSeedData, ensureUserHasOrganization, isPermissionDeniedError, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };

package/dist/index.d.ts CHANGED Viewed

@@ -179,6 +179,14 @@ interface RLSUserContext {
      */
     organization_id?: string;
     roles?: string[];
+    /**
+     * IDs of all users that share the active organization with the
+     * current user (incl. self). Pre-resolved by the runtime so RLS can
+     * scope identity tables like `sys_user` via
+     * `id IN (current_user.org_user_ids)` without needing subquery
+     * support in the compiler.
+     */
+    org_user_ids?: string[];
     [key: string]: unknown;
 }
 /**
@@ -8552,4 +8560,78 @@ declare const securityPluginManifestHeader: {
     description: string;
 };
-export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, isPermissionDeniedError, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };
+/**
+ * ensureUserHasOrganization — auto-create a personal org for new users.
+ *
+ * In multi-tenant mode, every record visible through the default
+ * `tenant_isolation` RLS policy must have an `organization_id`, and
+ * every authenticated user must have an `activeOrganizationId` on their
+ * session for that policy to evaluate to anything other than "deny
+ * all". A user with zero `sys_member` rows, however, can sign in
+ * successfully and reach the dashboard — the dashboard's
+ * `RequireOrganization` guard has a single-tenant carve-out that lets
+ * users with empty organization lists through, so they land on a UI
+ * that simply hides every record. The standard remedy ("invite users
+ * via an admin") doesn't apply to self-service signup.
+ *
+ * This helper, run right after a `sys_user` insert, ensures the new
+ * user has at least one organization by creating a personal workspace
+ * (named "<User>'s Workspace", slug `<username>-workspace`) and an
+ * owner-role `sys_member` row. The user's session will pick this up as
+ * their `activeOrganizationId` on the next sign-in / org-list refresh
+ * (better-auth's `setActiveOrganization` runs lazily when the picker
+ * sees exactly one membership).
+ *
+ * Idempotent: bails out if the user already has any `sys_member` row.
+ * Slug collisions retry with a numeric suffix; a cap of 5 attempts
+ * means a pathological username will fail loudly rather than loop.
+ */
+interface EnsureOptions {
+    logger?: {
+        info: (message: string, meta?: Record<string, any>) => void;
+        warn: (message: string, meta?: Record<string, any>) => void;
+    };
+    /**
+     * Optional hook called after a personal org is successfully created.
+     * Used by SecurityPlugin to wire in `cloneTenantSeedData` so each
+     * new workspace gets its own copy of demo data. Pulled in via DI
+     * to keep this helper free of a hard import on the cloner (which
+     * keeps the tenant-claim and ensure-org test surfaces narrow).
+     */
+    cloneSeedData?: (ql: any, targetOrgId: string, opts: {
+        logger?: EnsureOptions['logger'];
+    }) => Promise<{
+        object: string;
+        count: number;
+    }[]>;
+}
+/**
+ * Ensure `user` has at least one `sys_member` row. Creates a personal
+ * organization owned by them if not.
+ *
+ * Returns `{ created: true, organizationId }` when a new org was made,
+ * or `{ created: false, reason }` when the user already has memberships
+ * or the operation was skipped.
+ */
+declare function ensureUserHasOrganization(ql: any, user: {
+    id: string;
+    name?: string;
+    email?: string;
+}, options?: EnsureOptions): Promise<{
+    created: boolean;
+    organizationId?: string;
+    reason?: string;
+}>;
+interface CloneOptions {
+    logger?: {
+        info: (message: string, meta?: Record<string, any>) => void;
+        warn: (message: string, meta?: Record<string, any>) => void;
+    };
+}
+declare function cloneTenantSeedData(ql: any, targetOrgId: string, options?: CloneOptions): Promise<{
+    object: string;
+    count: number;
+}[]>;
+export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, cloneTenantSeedData, ensureUserHasOrganization, isPermissionDeniedError, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };

package/dist/index.js CHANGED Viewed

@@ -28,6 +28,8 @@ __export(index_exports, {
   SECURITY_PLUGIN_ID: () => SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION: () => SECURITY_PLUGIN_VERSION,
   SecurityPlugin: () => SecurityPlugin,
+  cloneTenantSeedData: () => cloneTenantSeedData,
+  ensureUserHasOrganization: () => ensureUserHasOrganization,
   isPermissionDeniedError: () => isPermissionDeniedError,
   securityDefaultPermissionSets: () => securityDefaultPermissionSets,
   securityObjects: () => securityObjects,
@@ -179,7 +181,8 @@ var RLSCompiler = class {
     const userCtx = {
       id: executionContext?.userId,
       organization_id: executionContext?.tenantId,
-      roles: executionContext?.roles
+      roles: executionContext?.roles,
+      org_user_ids: executionContext?.org_user_ids
     };
     const filters = [];
     for (const policy of policies) {
@@ -1248,6 +1251,8 @@ var SecurityPlugin = class {
   SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
+  cloneTenantSeedData,
+  ensureUserHasOrganization,
   isPermissionDeniedError,
   securityDefaultPermissionSets,
   securityObjects,