npm - @openstax/ts-utils - Versions diffs - 1.34.0 → 1.35.0 - Mend

@openstax/ts-utils 1.34.0 → 1.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (507) hide show

package/dist/esm/services/authProvider/browser.js ADDED Viewed

@@ -0,0 +1,151 @@
+import { once } from '../..';
+import { resolveConfigValue } from '../../config';
+import { ifDefined } from '../../guards';
+import { METHOD, unsafePayloadValidator } from '../../routing';
+import { embeddedAuthProvider, PostMessageTypes } from './utils/embeddedAuthProvider';
+const isUserData = unsafePayloadValidator();
+export const browserAuthProvider = ({ window, configSpace }) => (configProvider) => {
+    const config = configProvider[ifDefined(configSpace, 'auth')];
+    const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+    const queryString = window.location.search;
+    const queryKey = 'auth';
+    const urlSearchParams = new URLSearchParams(queryString);
+    const authQuery = urlSearchParams.get(queryKey);
+    const referrer = window.document.referrer ? new URL(window.document.referrer) : undefined;
+    const isEmbedded = window.parent !== window;
+    const trustedParent = isEmbedded && referrer && referrer.hostname.match(/^(openstax\.org|((.*)(\.openstax\.org|local|localhost)))$/) ? referrer : undefined;
+    const { embeddedQueryKey, embeddedQueryValue, getAuthorizedEmbedUrl } = embeddedAuthProvider(() => getUserData(), { authQuery: { key: queryKey, value: authQuery }, window });
+    const embeddedQuery = urlSearchParams.get(embeddedQueryKey);
+    let userData = { token: authQuery };
+    const getAuthToken = async () => {
+        return (await getUserData()).token;
+    };
+    const getAuthorizedLinkUrl = (urlString) => {
+        const url = new URL(urlString);
+        if (userData.token) {
+            url.searchParams.set(queryKey, userData.token);
+        }
+        return url.href;
+    };
+    const getAuthorizedUrl = (urlString) => {
+        const url = new URL(urlString);
+        if (authQuery) {
+            url.searchParams.set(queryKey, authQuery);
+        }
+        else if (embeddedQuery) {
+            url.searchParams.set(queryKey, 'embedded');
+        }
+        if (embeddedQuery) {
+            url.searchParams.set(embeddedQueryKey, embeddedQuery);
+        }
+        return url.href;
+    };
+    // *note* that this does not actually prevent cookies from being sent on same-origin
+    // requests, i'm not sure if its possible to stop browsers from sending cookies in
+    // that case
+    const getAuthorizedFetchConfigFromData = (data) => {
+        const { token } = data;
+        return token ? {
+            headers: { Authorization: `Bearer ${token}` },
+        } : {
+            credentials: 'include',
+        };
+    };
+    const getAuthorizedFetchConfig = async () => {
+        return getAuthorizedFetchConfigFromData(userData.token ? userData : await getUserData());
+    };
+    /*
+     * requests user identity from parent window via postMessage
+     */
+    const getParentWindowUser = () => new Promise((resolve, reject) => {
+        if (!window.parent || !trustedParent) {
+            return reject(new Error('parent window is undefined or not trusted'));
+        }
+        const handler = (event) => {
+            if (event.data.type === PostMessageTypes.ReceiveUser && event.origin === trustedParent.origin) {
+                clearTimeout(timeout);
+                window.removeEventListener('message', handler);
+                resolve(event.data.userData);
+            }
+        };
+        window.addEventListener('message', handler);
+        window.parent.postMessage({ type: PostMessageTypes.RequestUser }, trustedParent.origin);
+        const timeout = setTimeout(() => {
+            window.removeEventListener('message', handler);
+            reject(new Error('loading user identity timed out'));
+        }, 5000);
+    });
+    /*
+     * requests user identity from accounts api using given token or cookie
+     */
+    const getFetchUser = async () => {
+        const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user?always_200=true', getAuthorizedFetchConfigFromData(userData));
+        if (response.status === 200) {
+            const body = await response.json();
+            const user = isUserData(body) ? body : undefined;
+            return { ...userData, user };
+        }
+        const message = await response.text();
+        throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+    };
+    const getUserData = once(async () => {
+        // For backwards compatibility
+        if (authQuery === 'embedded') {
+            return getParentWindowUser();
+        }
+        // getFetchUser() will throw here if authQuery is not set
+        return await (embeddedQuery === embeddedQueryValue ? getParentWindowUser() : getFetchUser());
+    });
+    const getUser = async () => {
+        return (await getUserData()).user;
+    };
+    const updateUser = async (updates) => {
+        const response = await window.fetch((await accountsBase()).replace(/\/+$/, '') + '/api/user', { ...getAuthorizedFetchConfigFromData(userData), method: METHOD.PUT, body: JSON.stringify(updates) });
+        if (response.status === 200) {
+            const user = await response.json();
+            if (isUserData(user)) {
+                return { ...userData, user };
+            }
+        }
+        const message = await response.text();
+        throw new Error(`Error response from Accounts ${response.status}: ${message}`);
+    };
+    return {
+        /**
+         * gets the authentication token
+         */
+        getAuthToken,
+        /**
+         * adds auth parameters to the url. this is only safe to use when using javascript to navigate
+         * within the current window, eg `window.location = 'https://my.otherservice.com';` anchors
+         * should use getAuthorizedLinkUrl for their href.
+         *
+         * result unreliable unless `getUser` is resolved first.
+         */
+        getAuthorizedUrl,
+        /**
+         * all link href-s must be rendered with auth tokens so that they work when opened in a new tab
+         *
+         * result unreliable unless `getUser` is resolved first.
+         */
+        getAuthorizedLinkUrl,
+        /**
+         * gets an authorized url for an iframe src. sets params on the url and saves its
+         * origin to trust releasing user identity to it
+         */
+        getAuthorizedEmbedUrl,
+        /**
+         * gets second argument for `fetch` that has authentication token or cookie
+         */
+        getAuthorizedFetchConfig,
+        /**
+         * loads current user identity. does not reflect changes in identity after being called the first time.
+         */
+        getUser,
+        loadUserData: getUser,
+        /**
+         * updates user settings, for example the cookie consent preferences
+         */
+        updateUser,
+    };
+};

package/dist/esm/services/authProvider/decryption.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { ConfigProviderForConfig } from '../../config';
+import { GenericFetch } from '../../fetch';
+import { ApiUser, AuthProvider, CookieAuthProvider } from '.';
+type Config = {
+    accountsBase: string;
+    cookieName: string;
+    encryptionPrivateKey: string;
+    signaturePublicKey: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    fetch: GenericFetch;
+}
+export type DecryptionAuthProvider = AuthProvider & {
+    getTokenExpiration: (tokenString?: string) => Promise<number | null | undefined>;
+    loadUserData: () => Promise<ApiUser | undefined>;
+};
+export declare const decryptionAuthProvider: <C extends string = "decryption">(initializer: Initializer<C>) => (configProvider: { [_key in C]: ConfigProviderForConfig<Config>; }) => CookieAuthProvider<DecryptionAuthProvider>;
+export {};

package/dist/esm/services/authProvider/decryption.js ADDED Viewed

@@ -0,0 +1,69 @@
+import { resolveConfigValue } from '../../config/resolveConfigValue';
+import { SessionExpiredError } from '../../errors';
+import { ifDefined } from '../../guards';
+import { once } from '../../misc/helpers';
+import { decryptAndVerify } from './utils/decryptAndVerify';
+import { loadUserData } from './utils/userSubrequest';
+import { getAuthTokenOrCookie } from '.';
+export const decryptionAuthProvider = (initializer) => (configProvider) => {
+    const config = configProvider[ifDefined(initializer.configSpace, 'decryption')];
+    const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+    const cookieName = once(() => resolveConfigValue(config.cookieName));
+    const encryptionPrivateKey = once(() => resolveConfigValue(config.encryptionPrivateKey));
+    const signaturePublicKey = once(() => resolveConfigValue(config.signaturePublicKey));
+    return ({ request, logger }) => {
+        let user;
+        let userData;
+        const getAuthToken = async () => getAuthTokenOrCookie(request, await cookieName())[0];
+        const getAuthorizedFetchConfig = async () => {
+            const [token, headers] = getAuthTokenOrCookie(request, await cookieName());
+            if (!token) {
+                return {};
+            }
+            return { headers };
+        };
+        const getDecryptedPayload = async (tokenString) => {
+            const token = tokenString !== null && tokenString !== void 0 ? tokenString : await getAuthToken();
+            if (!token) {
+                return undefined;
+            }
+            return decryptAndVerify(token, await encryptionPrivateKey(), await signaturePublicKey());
+        };
+        const getUser = async () => {
+            if (!user) {
+                const result = await getDecryptedPayload();
+                if (!result) {
+                    return undefined;
+                }
+                if ('error' in result && result.error == 'expired token') {
+                    throw new SessionExpiredError();
+                }
+                if ('user' in result) {
+                    logger.setContext({ user: result.user.uuid });
+                    user = result.user;
+                }
+            }
+            return user;
+        };
+        return {
+            getAuthToken,
+            getAuthorizedFetchConfig,
+            getTokenExpiration: async (tokenString) => {
+                var _a;
+                const payload = await getDecryptedPayload(tokenString);
+                return payload ? ((_a = payload.exp) !== null && _a !== void 0 ? _a : null) : undefined;
+            },
+            getUser,
+            loadUserData: async () => {
+                if (!userData) {
+                    const token = await getAuthToken();
+                    if (!token) {
+                        return undefined;
+                    }
+                    userData = await loadUserData(initializer.fetch, await accountsBase(), await cookieName(), token);
+                }
+                return userData;
+            },
+        };
+    };
+};

package/dist/esm/services/authProvider/index.d.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import type { FetchConfig } from '../../fetch';
+import type { HttpHeaders, QueryParams } from '../../routing';
+import type { Logger } from '../logger';
+export type ConsentPreferences = {
+    consent_preferences: {
+        accepted: string[];
+        rejected: string[];
+    };
+};
+export type TokenUser = {
+    id: number;
+    name: string;
+    uuid: string;
+    faculty_status: string;
+    is_admin: boolean;
+};
+export type ApiUser = TokenUser & {
+    first_name: string;
+    last_name: string;
+    full_name: string;
+    contact_infos: Array<{
+        type: string;
+        value: string;
+        is_verified: boolean;
+        is_guessed_preferred: boolean;
+    }>;
+    applications: Array<{
+        id: number;
+        name: string;
+        roles: string[];
+    }>;
+    external_ids: string[];
+    is_not_gdpr_location: boolean;
+    self_reported_role: string;
+    signed_contract_names: string[];
+    using_openstax: boolean;
+} & Partial<ConsentPreferences>;
+export type User = TokenUser | ApiUser;
+export type AuthProvider = {
+    getAuthToken: () => Promise<string | null>;
+    getUser: () => Promise<User | undefined>;
+    /**
+     * gets second argument for `fetch` that has authentication token or cookie
+     */
+    getAuthorizedFetchConfig: () => Promise<FetchConfig>;
+    loadUserData: () => Promise<ApiUser | undefined>;
+};
+export type CookieAuthProviderRequest = {
+    cookies?: string[];
+    headers: HttpHeaders;
+    queryStringParameters?: QueryParams;
+};
+export type CookieAuthProvider<T extends AuthProvider = AuthProvider> = (inputs: {
+    request: CookieAuthProviderRequest;
+    logger: Logger;
+}) => T;
+export type StubAuthProvider = (user: User | undefined) => AuthProvider;
+export declare const stubAuthProvider: (user?: User) => AuthProvider;
+export declare const getAuthTokenOrCookie: (request: CookieAuthProviderRequest, cookieName: string, queryKey?: string) => [string, {
+    Authorization: string;
+}] | [string, {
+    cookie: string;
+}] | [null, {}];

package/dist/esm/services/authProvider/index.js ADDED Viewed

@@ -0,0 +1,26 @@
+import cookie from 'cookie';
+import { tuple } from '../../misc/helpers';
+import { getHeader } from '../../routing/helpers';
+export const stubAuthProvider = (user) => {
+    const getUser = () => Promise.resolve(user);
+    return {
+        getAuthToken: () => Promise.resolve('authToken'),
+        getUser,
+        getAuthorizedFetchConfig: () => Promise.resolve(user ? { headers: { Authorization: user.uuid } } : {}),
+        // This is not technically correct, but most tests won't care
+        loadUserData: getUser
+    };
+};
+export const getAuthTokenOrCookie = (request, cookieName, queryKey = 'auth') => {
+    var _a, _b;
+    const authParam = request.queryStringParameters ? request.queryStringParameters[queryKey] : undefined;
+    const authHeader = getHeader(request.headers, 'authorization');
+    const cookieValue = cookie.parse((_b = (_a = request.cookies) === null || _a === void 0 ? void 0 : _a.join('; ')) !== null && _b !== void 0 ? _b : '')[cookieName];
+    return typeof authParam === 'string'
+        ? tuple(authParam, { Authorization: `Bearer ${authParam}` })
+        : authHeader && authHeader.length >= 8 && authHeader.startsWith('Bearer ')
+            ? tuple(authHeader.slice(7), { Authorization: authHeader })
+            : cookieValue
+                ? tuple(cookieValue, { cookie: cookie.serialize(cookieName, cookieValue) })
+                : tuple(null, {});
+};

package/dist/esm/services/authProvider/subrequest.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { ConfigProviderForConfig } from '../../config';
+import { GenericFetch } from '../../fetch';
+import { CookieAuthProvider } from '.';
+type Config = {
+    accountsBase: string;
+    cookieName: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    fetch: GenericFetch;
+}
+export declare const subrequestAuthProvider: <C extends string = "subrequest">(initializer: Initializer<C>) => (configProvider: { [_key in C]: ConfigProviderForConfig<Config>; }) => CookieAuthProvider;
+export {};

package/dist/esm/services/authProvider/subrequest.js ADDED Viewed

@@ -0,0 +1,45 @@
+import { once } from '../..';
+import { resolveConfigValue } from '../../config';
+import { ifDefined } from '../../guards';
+import { loadUserData } from './utils/userSubrequest';
+import { getAuthTokenOrCookie } from '.';
+export const subrequestAuthProvider = (initializer) => (configProvider) => {
+    const config = configProvider[ifDefined(initializer.configSpace, 'subrequest')];
+    const cookieName = once(() => resolveConfigValue(config.cookieName));
+    const accountsBase = once(() => resolveConfigValue(config.accountsBase));
+    return ({ request, logger }) => {
+        let user;
+        const getAuthToken = async () => getAuthTokenOrCookie(request, await cookieName())[0];
+        const getAuthorizedFetchConfig = async () => {
+            const [token, headers] = getAuthTokenOrCookie(request, await cookieName());
+            if (!token) {
+                return {};
+            }
+            return { headers };
+        };
+        const loadUser = async () => {
+            const resolvedCookieName = await cookieName();
+            const [token] = getAuthTokenOrCookie(request, resolvedCookieName);
+            if (!token) {
+                return undefined;
+            }
+            const user = await loadUserData(initializer.fetch, await accountsBase(), resolvedCookieName, token);
+            if (user) {
+                logger.setContext({ user: user.uuid });
+            }
+            return user;
+        };
+        const getUser = async () => {
+            if (!user) {
+                user = await loadUser();
+            }
+            return user;
+        };
+        return {
+            getAuthToken,
+            getAuthorizedFetchConfig,
+            getUser,
+            loadUserData: getUser
+        };
+    };
+};

package/dist/esm/services/authProvider/utils/decryptAndVerify.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { User } from '..';
+export declare const decryptJwe: (jwe: string, encryptionPrivateKey: Buffer | string) => string | undefined;
+type MaybeAccountsSSOToken = {
+    iss?: string;
+    sub?: User | string;
+    aud?: string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+};
+export declare const verifyJws: (jws: string, signaturePublicKey: Buffer | string) => MaybeAccountsSSOToken | undefined;
+/**
+ * Decrypts and verifies a SSO cookie.
+ *
+ * @param token the encrypted token
+ * @param encryptionPrivateKey the private key used to encrypt the token
+ * @param signaturePublicKey the public key used to verify the decrypted token
+ * @returns {user: User; exp: number} (success) or {error: string} (failure)
+ */
+export declare const decryptAndVerify: (token: string, encryptionPrivateKey: string, signaturePublicKey: string) => {
+    user: User;
+    exp: number;
+} | {
+    error: string;
+    exp?: number;
+};
+export {};

package/dist/esm/services/authProvider/utils/decryptAndVerify.js ADDED Viewed

@@ -0,0 +1,85 @@
+import { createDecipheriv, verify } from 'crypto';
+import { isPlainObject } from '../../../guards';
+export const decryptJwe = (jwe, encryptionPrivateKey) => {
+    const jweParts = jwe.split('.', 6);
+    if (jweParts.length !== 5 || jweParts[1]) {
+        return undefined;
+    } // Invalid/unsupported JWE
+    const header = JSON.parse(Buffer.from(jweParts[0], 'base64url').toString());
+    if (header.alg !== 'dir' || header.enc !== 'A256GCM') {
+        // Unsupported signature/encryption algorithm
+        return undefined;
+    }
+    const aad = Buffer.from(jweParts[0]);
+    const iv = Buffer.from(jweParts[2], 'base64url');
+    const cipherText = Buffer.from(jweParts[3], 'base64url');
+    const authTag = Buffer.from(jweParts[4], 'base64url');
+    // Verify token signature and decrypt
+    const decipher = createDecipheriv('aes-256-gcm', encryptionPrivateKey, iv, { authTagLength: 16 });
+    decipher.setAAD(aad, { plaintextLength: cipherText.length });
+    try {
+        decipher.setAuthTag(authTag);
+        return `${decipher.update(cipherText)}${decipher.final()}`;
+    }
+    catch (error) {
+        // Invalid cipherText or authTag
+        return undefined;
+    }
+};
+const issuer = 'OpenStax Accounts';
+const audience = 'OpenStax';
+const clockTolerance = 300; // 5 minutes
+export const verifyJws = (jws, signaturePublicKey) => {
+    const jwsParts = jws.split('.', 4);
+    if (jwsParts.length !== 3) {
+        return undefined;
+    } // Invalid JWS
+    const header = JSON.parse(Buffer.from(jwsParts[0], 'base64url').toString());
+    if (header.alg !== 'RS256' || header.typ !== 'JWT') {
+        return undefined;
+    } // Unsupported JWS
+    const signedContent = Buffer.from(`${jwsParts[0]}.${jwsParts[1]}`);
+    const signature = Buffer.from(jwsParts[2], 'base64url');
+    if (!verify('RSA-SHA256', signedContent, signaturePublicKey, signature)) {
+        return undefined;
+    }
+    const payload = Buffer.from(jwsParts[1], 'base64url').toString();
+    try {
+        return JSON.parse(payload);
+    }
+    catch (error) {
+        return undefined;
+    }
+};
+/**
+ * Decrypts and verifies a SSO cookie.
+ *
+ * @param token the encrypted token
+ * @param encryptionPrivateKey the private key used to encrypt the token
+ * @param signaturePublicKey the public key used to verify the decrypted token
+ * @returns {user: User; exp: number} (success) or {error: string} (failure)
+ */
+export const decryptAndVerify = (token, encryptionPrivateKey, signaturePublicKey) => {
+    const timestamp = Math.floor(Date.now() / 1000);
+    const jws = decryptJwe(token, encryptionPrivateKey);
+    if (!jws) {
+        return { error: 'invalid token' };
+    }
+    const payload = verifyJws(jws, signaturePublicKey);
+    // Ensure payload contains all the claims we expect
+    // Normally "sub" would be a string but Accounts uses an object for it instead
+    if (!isPlainObject(payload) ||
+        !isPlainObject(payload.sub) || !payload.sub.uuid ||
+        payload.iss !== issuer ||
+        payload.aud !== audience ||
+        !payload.exp ||
+        !payload.nbf || payload.nbf > timestamp + clockTolerance ||
+        !payload.iat || payload.iat > timestamp + clockTolerance ||
+        !payload.jti) {
+        return { error: 'invalid token' };
+    }
+    if (payload.exp < timestamp - clockTolerance) {
+        return { error: 'expired token', exp: payload.exp };
+    }
+    return { user: payload.sub, exp: payload.exp };
+};

package/dist/esm/services/authProvider/utils/embeddedAuthProvider.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { User } from '..';
+import { Window } from '../browser';
+export type UserData<T = User> = {
+    user?: T;
+    token: string | null;
+};
+type UserDataLoader = () => Promise<UserData>;
+export declare enum PostMessageTypes {
+    ReceiveUser = "receive-user",
+    RequestUser = "request-user"
+}
+export declare const embeddedAuthProvider: (getUserData: UserDataLoader, { authQuery, window }: {
+    authQuery?: {
+        key: string;
+        value: string | null;
+    };
+    window: Window;
+}) => {
+    embeddedQueryKey: string;
+    embeddedQueryValue: string;
+    getAuthorizedEmbedUrl: (urlString: string, extraParams?: {
+        [key: string]: string;
+    }) => string;
+    unmount: () => void;
+};
+export {};

package/dist/esm/services/authProvider/utils/embeddedAuthProvider.js ADDED Viewed

@@ -0,0 +1,40 @@
+import queryString from 'query-string';
+export var PostMessageTypes;
+(function (PostMessageTypes) {
+    PostMessageTypes["ReceiveUser"] = "receive-user";
+    PostMessageTypes["RequestUser"] = "request-user";
+})(PostMessageTypes || (PostMessageTypes = {}));
+export const embeddedAuthProvider = (getUserData, { authQuery, window }) => {
+    const trustedEmbeds = new Set();
+    const embeddedQueryKey = 'embedded';
+    const embeddedQueryValue = 'true';
+    const messageHandler = event => {
+        if (event.data.type === PostMessageTypes.RequestUser && trustedEmbeds.has(event.origin)) {
+            getUserData().then(data => {
+                event.source.postMessage({ type: PostMessageTypes.ReceiveUser, userData: data }, event.origin);
+            });
+        }
+    };
+    window.addEventListener('message', messageHandler);
+    const getAuthorizedEmbedUrl = (urlString, extraParams) => {
+        const url = new URL(urlString);
+        trustedEmbeds.add(url.origin);
+        const params = queryString.parse(url.search);
+        url.search = queryString.stringify({
+            ...params,
+            ...extraParams,
+            ...(authQuery && authQuery.value ? { [authQuery.key]: authQuery.value } : { auth: 'embedded' }),
+            [embeddedQueryKey]: embeddedQueryValue,
+            subcontent: 'true',
+        });
+        return url.href;
+    };
+    return {
+        embeddedQueryKey,
+        embeddedQueryValue,
+        getAuthorizedEmbedUrl,
+        unmount: () => {
+            window.removeEventListener('message', messageHandler);
+        }
+    };
+};

package/dist/esm/services/authProvider/utils/userRoleValidator.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { AuthProvider } from '..';
+import { AssertionFailed } from '../../../assertions';
+import { ConfigProviderForConfig } from '../../../config';
+type Config = {
+    application: string;
+};
+export declare const createUserRoleValidator: (auth: AuthProvider, config: ConfigProviderForConfig<Config>) => {
+    getUserRoles: () => Promise<string[]>;
+    userHasRole: (role: string[]) => Promise<boolean>;
+    assertUserRole: (role: string[], fail?: AssertionFailed) => Promise<void>;
+};
+export type UserRoleValidator = ReturnType<typeof createUserRoleValidator>;
+export {};

package/dist/esm/services/authProvider/utils/userRoleValidator.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { doThrow } from '../../../assertions';
+import { resolveConfigValue } from '../../../config/resolveConfigValue';
+import { UnauthorizedError } from '../../../errors';
+import { once } from '../../../misc/helpers';
+export const createUserRoleValidator = (auth, config) => {
+    const application = once(() => resolveConfigValue(config.application));
+    const getUserRoles = async () => {
+        var _a;
+        const user = await auth.getUser();
+        const appName = await application();
+        if (!user || !('applications' in user)) {
+            return [];
+        }
+        return ((_a = user.applications.find(a => a.name === appName)) === null || _a === void 0 ? void 0 : _a.roles) || [];
+    };
+    const userHasRole = async (role) => {
+        const roles = await getUserRoles();
+        if (!roles.some(r => role.includes(r))) {
+            return false;
+        }
+        return true;
+    };
+    const assertUserRole = async (role, fail = new UnauthorizedError()) => {
+        if (!await userHasRole(role)) {
+            return doThrow(fail);
+        }
+    };
+    return {
+        getUserRoles,
+        userHasRole,
+        assertUserRole
+    };
+};

package/dist/esm/services/authProvider/utils/userSubrequest.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { ApiUser } from '..';
+import { GenericFetch } from '../../../fetch';
+export declare const loadUserData: (fetch: GenericFetch, accountsBase: string, cookieName: string, token: string) => Promise<ApiUser | undefined>;

package/dist/esm/services/authProvider/utils/userSubrequest.js ADDED Viewed

@@ -0,0 +1,6 @@
+import cookie from 'cookie';
+export const loadUserData = (fetch, accountsBase, cookieName, token) => {
+    const headers = { cookie: cookie.serialize(cookieName, token) };
+    return fetch(accountsBase.replace(/\/+$/, '') + '/api/user', { headers })
+        .then(response => response.json());
+};

package/dist/esm/services/documentStore/dynamoEncoding.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { AttributeValue } from '@aws-sdk/client-dynamodb';
+import { DocumentBaseType, DocumentBaseValueTypes } from '.';
+export declare const encodeDynamoAttribute: (value: DocumentBaseValueTypes) => AttributeValue;
+export declare const encodeDynamoDocument: (base: DocumentBaseType) => {
+    [k: string]: AttributeValue;
+};
+export declare const decodeDynamoAttribute: (value: AttributeValue) => DocumentBaseValueTypes;
+export declare const decodeDynamoDocument: <T extends DocumentBaseType>(document: {
+    [key: string]: AttributeValue;
+}) => T;