@os.io/nest-kit 0.0.1-alpha.0 → 0.0.1-alpha.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -30
- package/package.json +41 -5
- package/dist/auth/auth.constants.d.ts +0 -19
- package/dist/auth/auth.constants.d.ts.map +0 -1
- package/dist/auth/auth.constants.js +0 -19
- package/dist/auth/auth.constants.js.map +0 -1
- package/dist/auth/auth.guard.d.ts +0 -20
- package/dist/auth/auth.guard.d.ts.map +0 -1
- package/dist/auth/auth.guard.js +0 -84
- package/dist/auth/auth.guard.js.map +0 -1
- package/dist/auth/auth.module.d.ts +0 -26
- package/dist/auth/auth.module.d.ts.map +0 -1
- package/dist/auth/auth.module.js +0 -344
- package/dist/auth/auth.module.js.map +0 -1
- package/dist/auth/auth.options.d.ts +0 -179
- package/dist/auth/auth.options.d.ts.map +0 -1
- package/dist/auth/auth.options.js +0 -2
- package/dist/auth/auth.options.js.map +0 -1
- package/dist/auth/auth.service.d.ts +0 -57
- package/dist/auth/auth.service.d.ts.map +0 -1
- package/dist/auth/auth.service.js +0 -175
- package/dist/auth/auth.service.js.map +0 -1
- package/dist/auth/authorization/index.d.ts +0 -3
- package/dist/auth/authorization/index.d.ts.map +0 -1
- package/dist/auth/authorization/index.js +0 -3
- package/dist/auth/authorization/index.js.map +0 -1
- package/dist/auth/authorization/pbac/index.d.ts +0 -6
- package/dist/auth/authorization/pbac/index.d.ts.map +0 -1
- package/dist/auth/authorization/pbac/index.js +0 -4
- package/dist/auth/authorization/pbac/index.js.map +0 -1
- package/dist/auth/authorization/pbac/pbac.decorator.d.ts +0 -18
- package/dist/auth/authorization/pbac/pbac.decorator.d.ts.map +0 -1
- package/dist/auth/authorization/pbac/pbac.decorator.js +0 -14
- package/dist/auth/authorization/pbac/pbac.decorator.js.map +0 -1
- package/dist/auth/authorization/pbac/pbac.guard.d.ts +0 -19
- package/dist/auth/authorization/pbac/pbac.guard.d.ts.map +0 -1
- package/dist/auth/authorization/pbac/pbac.guard.js +0 -60
- package/dist/auth/authorization/pbac/pbac.guard.js.map +0 -1
- package/dist/auth/authorization/pbac/pbac.service.d.ts +0 -44
- package/dist/auth/authorization/pbac/pbac.service.d.ts.map +0 -1
- package/dist/auth/authorization/pbac/pbac.service.js +0 -146
- package/dist/auth/authorization/pbac/pbac.service.js.map +0 -1
- package/dist/auth/authorization/pbac/pbac.types.d.ts +0 -47
- package/dist/auth/authorization/pbac/pbac.types.d.ts.map +0 -1
- package/dist/auth/authorization/pbac/pbac.types.js +0 -2
- package/dist/auth/authorization/pbac/pbac.types.js.map +0 -1
- package/dist/auth/authorization/rbac/index.d.ts +0 -4
- package/dist/auth/authorization/rbac/index.d.ts.map +0 -1
- package/dist/auth/authorization/rbac/index.js +0 -4
- package/dist/auth/authorization/rbac/index.js.map +0 -1
- package/dist/auth/authorization/rbac/rbac.decorator.d.ts +0 -18
- package/dist/auth/authorization/rbac/rbac.decorator.d.ts.map +0 -1
- package/dist/auth/authorization/rbac/rbac.decorator.js +0 -25
- package/dist/auth/authorization/rbac/rbac.decorator.js.map +0 -1
- package/dist/auth/authorization/rbac/rbac.guard.d.ts +0 -19
- package/dist/auth/authorization/rbac/rbac.guard.d.ts.map +0 -1
- package/dist/auth/authorization/rbac/rbac.guard.js +0 -50
- package/dist/auth/authorization/rbac/rbac.guard.js.map +0 -1
- package/dist/auth/authorization/rbac/rbac.service.d.ts +0 -43
- package/dist/auth/authorization/rbac/rbac.service.d.ts.map +0 -1
- package/dist/auth/authorization/rbac/rbac.service.js +0 -95
- package/dist/auth/authorization/rbac/rbac.service.js.map +0 -1
- package/dist/auth/decorators/current-user.decorator.d.ts +0 -17
- package/dist/auth/decorators/current-user.decorator.d.ts.map +0 -1
- package/dist/auth/decorators/current-user.decorator.js +0 -23
- package/dist/auth/decorators/current-user.decorator.js.map +0 -1
- package/dist/auth/decorators/index.d.ts +0 -3
- package/dist/auth/decorators/index.d.ts.map +0 -1
- package/dist/auth/decorators/index.js +0 -3
- package/dist/auth/decorators/index.js.map +0 -1
- package/dist/auth/decorators/public.decorator.d.ts +0 -13
- package/dist/auth/decorators/public.decorator.d.ts.map +0 -1
- package/dist/auth/decorators/public.decorator.js +0 -15
- package/dist/auth/decorators/public.decorator.js.map +0 -1
- package/dist/auth/index.d.ts +0 -63
- package/dist/auth/index.d.ts.map +0 -1
- package/dist/auth/index.js +0 -65
- package/dist/auth/index.js.map +0 -1
- package/dist/auth/interfaces/auth-request.interface.d.ts +0 -18
- package/dist/auth/interfaces/auth-request.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/auth-request.interface.js +0 -2
- package/dist/auth/interfaces/auth-request.interface.js.map +0 -1
- package/dist/auth/interfaces/auth-result.interface.d.ts +0 -28
- package/dist/auth/interfaces/auth-result.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/auth-result.interface.js +0 -2
- package/dist/auth/interfaces/auth-result.interface.js.map +0 -1
- package/dist/auth/interfaces/auth-strategy.interface.d.ts +0 -37
- package/dist/auth/interfaces/auth-strategy.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/auth-strategy.interface.js +0 -16
- package/dist/auth/interfaces/auth-strategy.interface.js.map +0 -1
- package/dist/auth/interfaces/auth-user.interface.d.ts +0 -25
- package/dist/auth/interfaces/auth-user.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/auth-user.interface.js +0 -2
- package/dist/auth/interfaces/auth-user.interface.js.map +0 -1
- package/dist/auth/interfaces/cache-service.interface.d.ts +0 -30
- package/dist/auth/interfaces/cache-service.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/cache-service.interface.js +0 -2
- package/dist/auth/interfaces/cache-service.interface.js.map +0 -1
- package/dist/auth/interfaces/index.d.ts +0 -8
- package/dist/auth/interfaces/index.d.ts.map +0 -1
- package/dist/auth/interfaces/index.js +0 -2
- package/dist/auth/interfaces/index.js.map +0 -1
- package/dist/auth/interfaces/user-service.interface.d.ts +0 -34
- package/dist/auth/interfaces/user-service.interface.d.ts.map +0 -1
- package/dist/auth/interfaces/user-service.interface.js +0 -2
- package/dist/auth/interfaces/user-service.interface.js.map +0 -1
- package/dist/auth/password/password.service.d.ts +0 -23
- package/dist/auth/password/password.service.d.ts.map +0 -1
- package/dist/auth/password/password.service.js +0 -52
- package/dist/auth/password/password.service.js.map +0 -1
- package/dist/auth/session/device-session.service.d.ts +0 -43
- package/dist/auth/session/device-session.service.d.ts.map +0 -1
- package/dist/auth/session/device-session.service.js +0 -72
- package/dist/auth/session/device-session.service.js.map +0 -1
- package/dist/auth/session/index.d.ts +0 -5
- package/dist/auth/session/index.d.ts.map +0 -1
- package/dist/auth/session/index.js +0 -4
- package/dist/auth/session/index.js.map +0 -1
- package/dist/auth/session/jwt.service.d.ts +0 -37
- package/dist/auth/session/jwt.service.d.ts.map +0 -1
- package/dist/auth/session/jwt.service.js +0 -119
- package/dist/auth/session/jwt.service.js.map +0 -1
- package/dist/auth/session/token-blacklist.service.d.ts +0 -37
- package/dist/auth/session/token-blacklist.service.d.ts.map +0 -1
- package/dist/auth/session/token-blacklist.service.js +0 -70
- package/dist/auth/session/token-blacklist.service.js.map +0 -1
- package/dist/auth/strategies/anonymous/anonymous.strategy.d.ts +0 -19
- package/dist/auth/strategies/anonymous/anonymous.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/anonymous/anonymous.strategy.js +0 -49
- package/dist/auth/strategies/anonymous/anonymous.strategy.js.map +0 -1
- package/dist/auth/strategies/base/base.strategy.d.ts +0 -11
- package/dist/auth/strategies/base/base.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/base/base.strategy.js +0 -6
- package/dist/auth/strategies/base/base.strategy.js.map +0 -1
- package/dist/auth/strategies/credentials/credentials.strategy.d.ts +0 -21
- package/dist/auth/strategies/credentials/credentials.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/credentials/credentials.strategy.js +0 -67
- package/dist/auth/strategies/credentials/credentials.strategy.js.map +0 -1
- package/dist/auth/strategies/index.d.ts +0 -12
- package/dist/auth/strategies/index.d.ts.map +0 -1
- package/dist/auth/strategies/index.js +0 -12
- package/dist/auth/strategies/index.js.map +0 -1
- package/dist/auth/strategies/magic-link/magic-link.strategy.d.ts +0 -31
- package/dist/auth/strategies/magic-link/magic-link.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/magic-link/magic-link.strategy.js +0 -88
- package/dist/auth/strategies/magic-link/magic-link.strategy.js.map +0 -1
- package/dist/auth/strategies/oauth/index.d.ts +0 -3
- package/dist/auth/strategies/oauth/index.d.ts.map +0 -1
- package/dist/auth/strategies/oauth/index.js +0 -3
- package/dist/auth/strategies/oauth/index.js.map +0 -1
- package/dist/auth/strategies/oauth/oauth-provider-registry.d.ts +0 -13
- package/dist/auth/strategies/oauth/oauth-provider-registry.d.ts.map +0 -1
- package/dist/auth/strategies/oauth/oauth-provider-registry.js +0 -20
- package/dist/auth/strategies/oauth/oauth-provider-registry.js.map +0 -1
- package/dist/auth/strategies/oauth/oauth.strategy.d.ts +0 -23
- package/dist/auth/strategies/oauth/oauth.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/oauth/oauth.strategy.js +0 -79
- package/dist/auth/strategies/oauth/oauth.strategy.js.map +0 -1
- package/dist/auth/strategies/onetap/onetap.strategy.d.ts +0 -24
- package/dist/auth/strategies/onetap/onetap.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/onetap/onetap.strategy.js +0 -77
- package/dist/auth/strategies/onetap/onetap.strategy.js.map +0 -1
- package/dist/auth/strategies/otp/otp.strategy.d.ts +0 -31
- package/dist/auth/strategies/otp/otp.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/otp/otp.strategy.js +0 -93
- package/dist/auth/strategies/otp/otp.strategy.js.map +0 -1
- package/dist/auth/strategies/passkey/passkey.strategy.d.ts +0 -32
- package/dist/auth/strategies/passkey/passkey.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/passkey/passkey.strategy.js +0 -102
- package/dist/auth/strategies/passkey/passkey.strategy.js.map +0 -1
- package/dist/auth/strategies/sso/sso.strategy.d.ts +0 -25
- package/dist/auth/strategies/sso/sso.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/sso/sso.strategy.js +0 -80
- package/dist/auth/strategies/sso/sso.strategy.js.map +0 -1
- package/dist/auth/strategies/totp/totp.strategy.d.ts +0 -37
- package/dist/auth/strategies/totp/totp.strategy.d.ts.map +0 -1
- package/dist/auth/strategies/totp/totp.strategy.js +0 -109
- package/dist/auth/strategies/totp/totp.strategy.js.map +0 -1
- package/dist/auth/throttling/index.d.ts +0 -2
- package/dist/auth/throttling/index.d.ts.map +0 -1
- package/dist/auth/throttling/index.js +0 -2
- package/dist/auth/throttling/index.js.map +0 -1
- package/dist/auth/throttling/throttle.service.d.ts +0 -27
- package/dist/auth/throttling/throttle.service.d.ts.map +0 -1
- package/dist/auth/throttling/throttle.service.js +0 -63
- package/dist/auth/throttling/throttle.service.js.map +0 -1
- package/dist/bootstrap/cache/config.d.ts +0 -135
- package/dist/bootstrap/cache/config.d.ts.map +0 -1
- package/dist/bootstrap/cache/config.js +0 -189
- package/dist/bootstrap/cache/config.js.map +0 -1
- package/dist/bootstrap/cache/index.d.ts +0 -11
- package/dist/bootstrap/cache/index.d.ts.map +0 -1
- package/dist/bootstrap/cache/index.js +0 -11
- package/dist/bootstrap/cache/index.js.map +0 -1
- package/dist/bootstrap/index.d.ts +0 -21
- package/dist/bootstrap/index.d.ts.map +0 -1
- package/dist/bootstrap/index.js +0 -21
- package/dist/bootstrap/index.js.map +0 -1
- package/dist/bootstrap/scalar/api-docs.d.ts +0 -39
- package/dist/bootstrap/scalar/api-docs.d.ts.map +0 -1
- package/dist/bootstrap/scalar/api-docs.js +0 -41
- package/dist/bootstrap/scalar/api-docs.js.map +0 -1
- package/dist/bootstrap/scalar/index.d.ts +0 -39
- package/dist/bootstrap/scalar/index.d.ts.map +0 -1
- package/dist/bootstrap/scalar/index.js +0 -41
- package/dist/bootstrap/scalar/index.js.map +0 -1
- package/dist/bootstrap/swagger/api-docs.d.ts +0 -73
- package/dist/bootstrap/swagger/api-docs.d.ts.map +0 -1
- package/dist/bootstrap/swagger/api-docs.js +0 -87
- package/dist/bootstrap/swagger/api-docs.js.map +0 -1
- package/dist/bootstrap/swagger/index.d.ts +0 -37
- package/dist/bootstrap/swagger/index.d.ts.map +0 -1
- package/dist/bootstrap/swagger/index.js +0 -36
- package/dist/bootstrap/swagger/index.js.map +0 -1
- package/dist/bootstrap/typeorm/config/index.d.ts +0 -12
- package/dist/bootstrap/typeorm/config/index.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/config/index.js +0 -62
- package/dist/bootstrap/typeorm/config/index.js.map +0 -1
- package/dist/bootstrap/typeorm/crud/controller.d.ts +0 -13
- package/dist/bootstrap/typeorm/crud/controller.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/crud/controller.js +0 -72
- package/dist/bootstrap/typeorm/crud/controller.js.map +0 -1
- package/dist/bootstrap/typeorm/crud/index.d.ts +0 -4
- package/dist/bootstrap/typeorm/crud/index.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/crud/index.js +0 -3
- package/dist/bootstrap/typeorm/crud/index.js.map +0 -1
- package/dist/bootstrap/typeorm/crud/service.d.ts +0 -10
- package/dist/bootstrap/typeorm/crud/service.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/crud/service.js +0 -21
- package/dist/bootstrap/typeorm/crud/service.js.map +0 -1
- package/dist/bootstrap/typeorm/index.d.ts +0 -18
- package/dist/bootstrap/typeorm/index.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/index.js +0 -18
- package/dist/bootstrap/typeorm/index.js.map +0 -1
- package/dist/bootstrap/typeorm/uow/factory.d.ts +0 -5
- package/dist/bootstrap/typeorm/uow/factory.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/uow/factory.js +0 -27
- package/dist/bootstrap/typeorm/uow/factory.js.map +0 -1
- package/dist/bootstrap/typeorm/uow/index.d.ts +0 -4
- package/dist/bootstrap/typeorm/uow/index.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/uow/index.js +0 -4
- package/dist/bootstrap/typeorm/uow/index.js.map +0 -1
- package/dist/bootstrap/typeorm/uow/transactional.decorator.d.ts +0 -62
- package/dist/bootstrap/typeorm/uow/transactional.decorator.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/uow/transactional.decorator.js +0 -114
- package/dist/bootstrap/typeorm/uow/transactional.decorator.js.map +0 -1
- package/dist/bootstrap/typeorm/uow/unit-of-work.d.ts +0 -11
- package/dist/bootstrap/typeorm/uow/unit-of-work.d.ts.map +0 -1
- package/dist/bootstrap/typeorm/uow/unit-of-work.js +0 -23
- package/dist/bootstrap/typeorm/uow/unit-of-work.js.map +0 -1
- package/dist/core/index.d.ts +0 -11
- package/dist/core/index.d.ts.map +0 -1
- package/dist/core/index.js +0 -11
- package/dist/core/index.js.map +0 -1
- package/dist/infra/audit-log/index.d.ts +0 -12
- package/dist/infra/audit-log/index.d.ts.map +0 -1
- package/dist/infra/audit-log/index.js +0 -13
- package/dist/infra/audit-log/index.js.map +0 -1
- package/dist/infra/index.d.ts +0 -20
- package/dist/infra/index.d.ts.map +0 -1
- package/dist/infra/index.js +0 -21
- package/dist/infra/index.js.map +0 -1
- package/dist/infra/logger/index.d.ts +0 -12
- package/dist/infra/logger/index.d.ts.map +0 -1
- package/dist/infra/logger/index.js +0 -13
- package/dist/infra/logger/index.js.map +0 -1
- package/dist/infra/metrics/index.d.ts +0 -18
- package/dist/infra/metrics/index.d.ts.map +0 -1
- package/dist/infra/metrics/index.js +0 -19
- package/dist/infra/metrics/index.js.map +0 -1
- package/dist/infra/notification/index.d.ts +0 -12
- package/dist/infra/notification/index.d.ts.map +0 -1
- package/dist/infra/notification/index.js +0 -13
- package/dist/infra/notification/index.js.map +0 -1
- package/dist/infra/storage/index.d.ts +0 -12
- package/dist/infra/storage/index.d.ts.map +0 -1
- package/dist/infra/storage/index.js +0 -13
- package/dist/infra/storage/index.js.map +0 -1
- package/dist/infra/stripe/index.d.ts +0 -12
- package/dist/infra/stripe/index.d.ts.map +0 -1
- package/dist/infra/stripe/index.js +0 -13
- package/dist/infra/stripe/index.js.map +0 -1
- package/dist/saas/index.d.ts +0 -18
- package/dist/saas/index.d.ts.map +0 -1
- package/dist/saas/index.js +0 -19
- package/dist/saas/index.js.map +0 -1
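--- a/package/dist/auth/auth.service.js
+++ b/package/dist/auth/auth.service.js
@@ -1,175 +0,0 @@
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __metadata = (this && this.__metadata) || function (k, v) {
-if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-return function (target, key) { decorator(target, key, paramIndex); }
-};
-import { Inject, Injectable } from '@nestjs/common';
-import { AUTH_MODULE_OPTIONS, AUTH_STRATEGIES, CACHE_SERVICE } from './auth.constants';
-import { JwtService } from './session/jwt.service';
-import { TokenBlacklistService } from './session/token-blacklist.service';
-import { DeviceSessionService } from './session/device-session.service';
-/**
-* Central authentication orchestrator.
-*
-* Delegates to the appropriate strategy based on `AuthMethod`,
-* manages token lifecycle, session tracking, and cache acceleration.
-*/
-let AuthService = class AuthService {
-options;
-cache;
-jwtService;
-tokenBlacklist;
-deviceSession;
-strategyMap = new Map();
-constructor(options, _strategies, cache, jwtService, tokenBlacklist, deviceSession) {
-this.options = options;
-this.cache = cache;
-this.jwtService = jwtService;
-this.tokenBlacklist = tokenBlacklist;
-this.deviceSession = deviceSession;
-for (const strategy of _strategies) {
-this.strategyMap.set(strategy.type, strategy);
-}
-}
-/**
-* Authenticate using the given method.
-*
-* @param method Authentication method (e.g. 'credentials', 'oauth')
-* @param payload Strategy-specific payload
-* @param context Optional execution context
-*/
-async authenticate(method, payload, context) {
-const strategy = this.strategyMap.get(method);
-if (!strategy) {
-throw new Error(`Authentication method "${method}" is not enabled`);
-}
-const result = await strategy.authenticate(payload, context);
-// Track device session if multi-device is enabled
-if (this.options.session?.multiDevice) {
-await this.deviceSession.register({
-deviceId: payload.deviceId ?? 'default',
-userId: result.user.id,
-userAgent: payload.userAgent,
-ip: payload.ip,
-lastActivity: Date.now(),
-});
-}
-return result;
-}
-/**
-* Validate an access token and return its decoded payload.
-* Uses cache for fast-path validation when available.
-*
-* @param token Raw JWT access token
-*/
-async validateToken(token) {
-// Fast-path: check cache first
-const cacheKey = `auth:token:${this.hash(token)}`;
-const cached = await this.cache.get(cacheKey);
-if (cached)
-return cached;
-const payload = await this.jwtService.verifyAccess(token);
-// Check blacklist
-const jti = payload.jti;
-if (jti && (await this.tokenBlacklist.isBlacklisted(jti))) {
-throw new Error('Token has been revoked');
-}
-// Cache the validated payload for 30 seconds
-await this.cache.set(cacheKey, payload, 30);
-return payload;
-}
-/**
-* Refresh an expired access token using a refresh token.
-* Implements refresh token rotation.
-*/
-async refreshToken(refreshToken, deviceId) {
-const payload = await this.jwtService.verifyRefresh(refreshToken);
-const userId = payload.sub;
-// Check family revocation
-if (this.options.session?.rotation !== false) {
-const familyId = payload.family ?? payload.jti;
-if (familyId && (await this.tokenBlacklist.isFamilyRevoked(familyId))) {
-throw new Error('Refresh token family has been revoked');
-}
-}
-// In rotation mode, blacklist the current refresh token
-if (this.options.session?.rotation !== false && payload.jti) {
-const exp = payload.exp;
-const ttl = exp ? Math.max(1, exp - Math.floor(Date.now() / 1000)) : 86400;
-await this.tokenBlacklist.blacklistAccess(payload.jti, ttl);
-}
-const user = {
-id: userId,
-email: payload.email,
-username: payload.username,
-roles: payload.roles,
-permissions: payload.permissions,
-isAnonymous: payload.isAnonymous ?? false,
-isMfaVerified: payload.isMfaVerified ?? false,
-};
-const tokens = await this.jwtService.signTokens(user);
-// Update device session timestamp
-if (deviceId) {
-const session = await this.deviceSession.getSession(userId, deviceId);
-if (session) {
-session.lastActivity = Date.now();
-await this.deviceSession.register(session);
-}
-}
-return tokens;
-}
-/**
-* Logout — blacklist the current access token and optionally
-* remove a specific device session.
-*/
-async logout(accessToken, deviceId) {
-const payload = this.jwtService.decode(accessToken);
-const jti = payload?.jti ?? this.hash(accessToken);
-const exp = payload?.exp;
-const ttl = exp ? Math.max(1, exp - Math.floor(Date.now() / 1000)) : 3600;
-await this.tokenBlacklist.blacklistAccess(jti, ttl);
-const userId = payload?.sub;
-if (userId && deviceId) {
-await this.deviceSession.removeSession(userId, deviceId);
-}
-}
-/**
-* Logout from all devices — revoke all sessions for a user.
-*/
-async logoutAll(userId) {
-await this.deviceSession.removeAllUserSessions(userId);
-}
-/**
-* Get all active sessions for a user (multi-device view).
-*/
-async getUserSessions(userId) {
-return this.deviceSession.getUserSessions(userId);
-}
-hash(value) {
-let hash = 0;
-for (let i = 0; i < value.length; i++) {
-const char = value.charCodeAt(i);
-hash = (hash << 5) - hash + char;
-hash |= 0;
-}
-return Math.abs(hash).toString(16);
-}
-};
-AuthService = __decorate([
-Injectable(),
-__param(0, Inject(AUTH_MODULE_OPTIONS)),
-__param(1, Inject(AUTH_STRATEGIES)),
-__param(2, Inject(CACHE_SERVICE)),
-__metadata("design:paramtypes", [Object, Array, Object, JwtService,
-TokenBlacklistService,
-DeviceSessionService])
-], AuthService);
-export { AuthService };
-//# sourceMappingURL=auth.service.js.map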
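--- a/package/dist/auth/auth.service.js.map
+++ b/package/dist/auth/auth.service.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../packages/auth/auth.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,UAAU,EAAyB,MAAM,gBAAgB,CAAC;AAG3E,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEvF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AAExE;;;;;GAKG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAKH;IAIA;IACA;IACA;IACA;IAXF,WAAW,GAAG,IAAI,GAAG,EAA6B,CAAC;IAEpE,YAEmB,OAA0B,EAE3C,WAA4B,EAEX,KAAoB,EACpB,UAAsB,EACtB,cAAqC,EACrC,aAAmC;QAPnC,YAAO,GAAP,OAAO,CAAmB;QAI1B,UAAK,GAAL,KAAK,CAAe;QACpB,eAAU,GAAV,UAAU,CAAY;QACtB,mBAAc,GAAd,cAAc,CAAuB;QACrC,kBAAa,GAAb,aAAa,CAAsB;QAEpD,KAAK,MAAM,QAAQ,IAAI,WAAW,EAAE,CAAC;YACnC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,YAAY,CAChB,MAAkB,EAClB,OAAgC,EAChC,OAA0B;QAE1B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,kBAAkB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE7D,kDAAkD;QAClD,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC;gBAChC,QAAQ,EAAG,OAAO,CAAC,QAAmB,IAAI,SAAS;gBACnD,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;gBACtB,SAAS,EAAE,OAAO,CAAC,SAA+B;gBAClD,EAAE,EAAE,OAAO,CAAC,EAAwB;gBACpC,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;aACzB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,cAAc,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAClD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0B,QAAQ,CAAC,CAAC;QACvE,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAE1D,kBAAkB;QAClB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAyB,CAAC;QAC9C,IAAI,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,6CAA6C;QAC7C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAE5C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,YAAoB,EAAE,QAAiB;QACxD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAa,CAAC;QAErC,0BAA0B;QAC1B,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,KAAK,KAAK,EAAE,CAAC;YAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC;YAC/C,IAAI,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,QAAkB,CAAC,CAAC,EAAE,CAAC;gBAChF,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,KAAK,KAAK,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAC5D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAyB,CAAC;YAC9C,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YAC3E,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,GAAa,EAAE,GAAG,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,IAAI,GAAG;YACX,EAAE,EAAE,MAAM;YACV,KAAK,EAAE,OAAO,CAAC,KAA2B;YAC1C,QAAQ,EAAE,OAAO,CAAC,QAA8B;YAChD,KAAK,EAAE,OAAO,CAAC,KAA6B;YAC5C,WAAW,EAAE,OAAO,CAAC,WAAmC;YACxD,WAAW,EAAG,OAAO,CAAC,WAAuB,IAAI,KAAK;YACtD,aAAa,EAAG,OAAO,CAAC,aAAyB,IAAI,KAAK;SAC3D,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAEtD,kCAAkC;QAClC,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACtE,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBAClC,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,WAAmB,EAAE,QAAiB;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACpD,MAAM,GAAG,GAAI,OAAO,EAAE,GAAc,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,EAAE,GAAyB,CAAC;QAC/C,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAE1E,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAEpD,MAAM,MAAM,GAAG,OAAO,EAAE,GAAyB,CAAC;QAClD,IAAI,MAAM,IAAI,QAAQ,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,MAAc;QAC5B,MAAM,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,OAAO,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IAEO,IAAI,CAAC,KAAa;QACxB,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;YACjC,IAAI,IAAI,CAAC,CAAC;QACZ,CAAC;QACD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC;CACF,CAAA;AAtKY,WAAW;IADvB,UAAU,EAAE;IAKR,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAE3B,WAAA,MAAM,CAAC,eAAe,CAAC,CAAA;IAEvB,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;4DAEO,UAAU;QACN,qBAAqB;QACtB,oBAAoB;GAZ3C,WAAW,CAsKvB"}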
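--- a/package/dist/auth/authorization/index.d.ts.map
+++ b/package/dist/auth/authorization/index.d.ts.map
@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../packages/auth/authorization/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,QAAQ,CAAC"}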
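--- a/package/dist/auth/authorization/index.js.map
+++ b/package/dist/auth/authorization/index.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../packages/auth/authorization/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,QAAQ,CAAC"}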
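--- a/package/dist/auth/authorization/pbac/index.d.ts
+++ b/package/dist/auth/authorization/pbac/index.d.ts
@@ -1,6 +0,0 @@
-export { PbacService } from './pbac.service';
-export { PbacGuard } from './pbac.guard';
-export { RequirePolicy } from './pbac.decorator';
-export type { PolicyDecoratorOptions } from './pbac.decorator';
-export type { PolicyStatement, PolicyDocument, PolicyContext, PolicyEffect } from './pbac.types';
-//# sourceMappingURL=index.d.ts.map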
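--- a/package/dist/auth/authorization/pbac/index.d.ts.map
+++ b/package/dist/auth/authorization/pbac/index.d.ts.map
@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,YAAY,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC/D,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC"}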
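--- a/package/dist/auth/authorization/pbac/index.js.map
+++ b/package/dist/auth/authorization/pbac/index.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC"}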
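--- a/package/dist/auth/authorization/pbac/pbac.decorator.d.ts
+++ b/package/dist/auth/authorization/pbac/pbac.decorator.d.ts
@@ -1,18 +0,0 @@
-export interface PolicyDecoratorOptions {
-/** Action being performed (e.g. 'document:read') */
-action: string;
-/** Resource being accessed (e.g. 'org:123:doc:456') */
-resource: string | ((req: unknown) => string);
-}
-/**
-* Require a policy check on a route handler.
-* Works with the PbacGuard.
-*
-* @example
-* ```typescript
-* @RequirePolicy({ action: 'document:delete', resource: 'org:*' })
-* @RequirePolicy({ action: 'document:read', resource: (req) => req.params.docId })
-* ```
-*/
-export declare const RequirePolicy: (options: PolicyDecoratorOptions) => import("@nestjs/common").CustomDecorator<string>;
-//# sourceMappingURL=pbac.decorator.d.ts.map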
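--- a/package/dist/auth/authorization/pbac/pbac.decorator.d.ts.map
+++ b/package/dist/auth/authorization/pbac/pbac.decorator.d.ts.map
@@ -1 +0,0 @@
-{"version":3,"file":"pbac.decorator.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.decorator.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,sBAAsB;IACrC,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,QAAQ,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC,CAAC;CAC/C;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,aAAa,GAAI,SAAS,sBAAsB,qDACtB,CAAC"}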
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import { SetMetadata } from '@nestjs/common';
|
|
2
|
-
import { METADATA_POLICY } from '../../auth.constants';
|
|
3
|
-
/**
|
|
4
|
-
* Require a policy check on a route handler.
|
|
5
|
-
* Works with the PbacGuard.
|
|
6
|
-
*
|
|
7
|
-
* @example
|
|
8
|
-
* ```typescript
|
|
9
|
-
* @RequirePolicy({ action: 'document:delete', resource: 'org:*' })
|
|
10
|
-
* @RequirePolicy({ action: 'document:read', resource: (req) => req.params.docId })
|
|
11
|
-
* ```
|
|
12
|
-
*/
|
|
13
|
-
export const RequirePolicy = (options) => SetMetadata(METADATA_POLICY, options);
|
|
14
|
-
//# sourceMappingURL=pbac.decorator.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.decorator.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AASvD;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,OAA+B,EAAE,EAAE,CAC/D,WAAW,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC"}
|
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
import { CanActivate, ExecutionContext } from '@nestjs/common';
|
|
2
|
-
import { Reflector } from '@nestjs/core';
|
|
3
|
-
import { PbacService } from './pbac.service';
|
|
4
|
-
/**
|
|
5
|
-
* Guard that enforces Policy-Based Access Control.
|
|
6
|
-
*
|
|
7
|
-
* Reads the required policy from the `@RequirePolicy()` decorator
|
|
8
|
-
* and evaluates it against the user's assigned policies.
|
|
9
|
-
*
|
|
10
|
-
* This guard is independent — you can use it with or without RBAC on
|
|
11
|
-
* different routes in the same application.
|
|
12
|
-
*/
|
|
13
|
-
export declare class PbacGuard implements CanActivate {
|
|
14
|
-
private readonly reflector;
|
|
15
|
-
private readonly pbacService;
|
|
16
|
-
constructor(reflector: Reflector, pbacService: PbacService);
|
|
17
|
-
canActivate(context: ExecutionContext): Promise<boolean>;
|
|
18
|
-
}
|
|
19
|
-
//# sourceMappingURL=pbac.guard.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.guard.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAM7C;;;;;;;;GAQG;AACH,qBACa,SAAU,YAAW,WAAW;IAEzC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,WAAW;gBADX,SAAS,EAAE,SAAS,EACpB,WAAW,EAAE,WAAW;IAGrC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAgC/D"}
|
|
@@ -1,60 +0,0 @@
|
|
|
1
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
-
};
|
|
7
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
-
};
|
|
10
|
-
import { Injectable } from '@nestjs/common';
|
|
11
|
-
import { Reflector } from '@nestjs/core';
|
|
12
|
-
import { PbacService } from './pbac.service';
|
|
13
|
-
import { METADATA_POLICY } from '../../auth.constants';
|
|
14
|
-
/**
|
|
15
|
-
* Guard that enforces Policy-Based Access Control.
|
|
16
|
-
*
|
|
17
|
-
* Reads the required policy from the `@RequirePolicy()` decorator
|
|
18
|
-
* and evaluates it against the user's assigned policies.
|
|
19
|
-
*
|
|
20
|
-
* This guard is independent — you can use it with or without RBAC on
|
|
21
|
-
* different routes in the same application.
|
|
22
|
-
*/
|
|
23
|
-
let PbacGuard = class PbacGuard {
|
|
24
|
-
reflector;
|
|
25
|
-
pbacService;
|
|
26
|
-
constructor(reflector, pbacService) {
|
|
27
|
-
this.reflector = reflector;
|
|
28
|
-
this.pbacService = pbacService;
|
|
29
|
-
}
|
|
30
|
-
async canActivate(context) {
|
|
31
|
-
const policyMeta = this.reflector.getAllAndOverride(METADATA_POLICY, [
|
|
32
|
-
context.getHandler(),
|
|
33
|
-
context.getClass(),
|
|
34
|
-
]);
|
|
35
|
-
if (!policyMeta)
|
|
36
|
-
return true;
|
|
37
|
-
const request = context.switchToHttp().getRequest();
|
|
38
|
-
const user = request.user;
|
|
39
|
-
if (!user)
|
|
40
|
-
return false;
|
|
41
|
-
const action = policyMeta.action;
|
|
42
|
-
const resource = typeof policyMeta.resource === 'function'
|
|
43
|
-
? policyMeta.resource(request)
|
|
44
|
-
: policyMeta.resource;
|
|
45
|
-
const policies = await this.pbacService.getUserPolicies(user.id);
|
|
46
|
-
const ctx = {
|
|
47
|
-
user: user,
|
|
48
|
-
resource: { id: resource, ...request.params },
|
|
49
|
-
environment: {},
|
|
50
|
-
};
|
|
51
|
-
return this.pbacService.evaluate(policies, action, resource, ctx);
|
|
52
|
-
}
|
|
53
|
-
};
|
|
54
|
-
PbacGuard = __decorate([
|
|
55
|
-
Injectable(),
|
|
56
|
-
__metadata("design:paramtypes", [Reflector,
|
|
57
|
-
PbacService])
|
|
58
|
-
], PbacGuard);
|
|
59
|
-
export { PbacGuard };
|
|
60
|
-
//# sourceMappingURL=pbac.guard.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.guard.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAiC,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAKvD;;;;;;;;GAQG;AAEI,IAAM,SAAS,GAAf,MAAM,SAAS;IAED;IACA;IAFnB,YACmB,SAAoB,EACpB,WAAwB;QADxB,cAAS,GAAT,SAAS,CAAW;QACpB,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAyB,eAAe,EAAE;YAC3F,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAE7B,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAI7C,CAAC;QACL,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1B,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACjC,MAAM,QAAQ,GACZ,OAAO,UAAU,CAAC,QAAQ,KAAK,UAAU;YACvC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC9B,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC;QAE1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEjE,MAAM,GAAG,GAAkB;YACzB,IAAI,EAAE,IAAI;YACV,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE;YAC7C,WAAW,EAAE,EAAE;SAChB,CAAC;QAEF,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;CACF,CAAA;AAtCY,SAAS;IADrB,UAAU,EAAE;qCAGmB,SAAS;QACP,WAAW;GAHhC,SAAS,CAsCrB"}
|
|
@@ -1,44 +0,0 @@
|
|
|
1
|
-
import type { ICacheService } from '../../interfaces';
|
|
2
|
-
import type { PolicyContext, PolicyEffect, PolicyDocument } from './pbac.types';
|
|
3
|
-
/**
|
|
4
|
-
* Policy-Based Access Control service.
|
|
5
|
-
*
|
|
6
|
-
* Evaluates user-assigned policies against the current request context.
|
|
7
|
-
* Supports wildcard matching and simple condition evaluation.
|
|
8
|
-
*/
|
|
9
|
-
export declare class PbacService {
|
|
10
|
-
private readonly cache;
|
|
11
|
-
private defaultEffect;
|
|
12
|
-
constructor(cache: ICacheService);
|
|
13
|
-
/**
|
|
14
|
-
* Configure the default effect when no policy matches.
|
|
15
|
-
*/
|
|
16
|
-
setDefaultEffect(effect: PolicyEffect): void;
|
|
17
|
-
/**
|
|
18
|
-
* Evaluate a list of policy documents for a given action + resource.
|
|
19
|
-
*
|
|
20
|
-
* Returns `true` if access is granted, `false` otherwise.
|
|
21
|
-
*
|
|
22
|
-
* Evaluation logic (AWS IAM style):
|
|
23
|
-
* 1. An explicit `deny` overrides everything.
|
|
24
|
-
* 2. If any statement matches with `allow`, access is granted.
|
|
25
|
-
* 3. If no statement matches, the default effect applies.
|
|
26
|
-
*/
|
|
27
|
-
evaluate(policies: PolicyDocument[], action: string, resource: string, context: PolicyContext): boolean;
|
|
28
|
-
/**
|
|
29
|
-
* Fetch policies for a user, using cache when possible.
|
|
30
|
-
*/
|
|
31
|
-
getUserPolicies(userId: string): Promise<PolicyDocument[]>;
|
|
32
|
-
/**
|
|
33
|
-
* Invalidate cached policies for a user.
|
|
34
|
-
*/
|
|
35
|
-
invalidateUser(userId: string): Promise<void>;
|
|
36
|
-
private matchAction;
|
|
37
|
-
private matchResource;
|
|
38
|
-
private wildcardMatch;
|
|
39
|
-
private evaluateCondition;
|
|
40
|
-
private resolveCondition;
|
|
41
|
-
private eq;
|
|
42
|
-
private resolveValue;
|
|
43
|
-
}
|
|
44
|
-
//# sourceMappingURL=pbac.service.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.service.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,KAAK,EAAmB,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEjG;;;;;GAKG;AACH,qBACa,WAAW;IAKpB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAJxB,OAAO,CAAC,aAAa,CAAwB;gBAI1B,KAAK,EAAE,aAAa;IAGvC;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAI5C;;;;;;;;;OASG;IACH,QAAQ,CACN,QAAQ,EAAE,cAAc,EAAE,EAC1B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,aAAa,GACrB,OAAO;IAoBV;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAOhE;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,aAAa;IAKrB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,gBAAgB;IAoBxB,OAAO,CAAC,EAAE;IAWV,OAAO,CAAC,YAAY;CAWrB"}
|
|
@@ -1,146 +0,0 @@
|
|
|
1
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
-
};
|
|
7
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
-
};
|
|
10
|
-
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
11
|
-
return function (target, key) { decorator(target, key, paramIndex); }
|
|
12
|
-
};
|
|
13
|
-
import { Inject, Injectable } from '@nestjs/common';
|
|
14
|
-
import { CACHE_SERVICE } from '../../auth.constants';
|
|
15
|
-
/**
|
|
16
|
-
* Policy-Based Access Control service.
|
|
17
|
-
*
|
|
18
|
-
* Evaluates user-assigned policies against the current request context.
|
|
19
|
-
* Supports wildcard matching and simple condition evaluation.
|
|
20
|
-
*/
|
|
21
|
-
let PbacService = class PbacService {
|
|
22
|
-
cache;
|
|
23
|
-
defaultEffect = 'deny';
|
|
24
|
-
constructor(cache) {
|
|
25
|
-
this.cache = cache;
|
|
26
|
-
}
|
|
27
|
-
/**
|
|
28
|
-
* Configure the default effect when no policy matches.
|
|
29
|
-
*/
|
|
30
|
-
setDefaultEffect(effect) {
|
|
31
|
-
this.defaultEffect = effect;
|
|
32
|
-
}
|
|
33
|
-
/**
|
|
34
|
-
* Evaluate a list of policy documents for a given action + resource.
|
|
35
|
-
*
|
|
36
|
-
* Returns `true` if access is granted, `false` otherwise.
|
|
37
|
-
*
|
|
38
|
-
* Evaluation logic (AWS IAM style):
|
|
39
|
-
* 1. An explicit `deny` overrides everything.
|
|
40
|
-
* 2. If any statement matches with `allow`, access is granted.
|
|
41
|
-
* 3. If no statement matches, the default effect applies.
|
|
42
|
-
*/
|
|
43
|
-
evaluate(policies, action, resource, context) {
|
|
44
|
-
let allowCount = 0;
|
|
45
|
-
for (const doc of policies) {
|
|
46
|
-
for (const stmt of doc.statements) {
|
|
47
|
-
if (!this.matchAction(stmt, action))
|
|
48
|
-
continue;
|
|
49
|
-
if (!this.matchResource(stmt, resource))
|
|
50
|
-
continue;
|
|
51
|
-
if (stmt.condition && !this.evaluateCondition(stmt.condition, context)) {
|
|
52
|
-
continue;
|
|
53
|
-
}
|
|
54
|
-
if (stmt.effect === 'deny')
|
|
55
|
-
return false;
|
|
56
|
-
if (stmt.effect === 'allow')
|
|
57
|
-
allowCount += 1;
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
if (allowCount > 0)
|
|
61
|
-
return true;
|
|
62
|
-
return this.defaultEffect === 'allow';
|
|
63
|
-
}
|
|
64
|
-
/**
|
|
65
|
-
* Fetch policies for a user, using cache when possible.
|
|
66
|
-
*/
|
|
67
|
-
async getUserPolicies(userId) {
|
|
68
|
-
const cacheKey = `pbac:policies:${userId}`;
|
|
69
|
-
const cached = await this.cache.get(cacheKey);
|
|
70
|
-
if (cached)
|
|
71
|
-
return cached;
|
|
72
|
-
return [];
|
|
73
|
-
}
|
|
74
|
-
/**
|
|
75
|
-
* Invalidate cached policies for a user.
|
|
76
|
-
*/
|
|
77
|
-
async invalidateUser(userId) {
|
|
78
|
-
await this.cache.del(`pbac:policies:${userId}`);
|
|
79
|
-
}
|
|
80
|
-
matchAction(stmt, action) {
|
|
81
|
-
return stmt.actions.some((a) => this.wildcardMatch(a, action));
|
|
82
|
-
}
|
|
83
|
-
matchResource(stmt, resource) {
|
|
84
|
-
return stmt.resources.some((r) => this.wildcardMatch(r, resource));
|
|
85
|
-
}
|
|
86
|
-
wildcardMatch(pattern, value) {
|
|
87
|
-
const regexStr = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
|
|
88
|
-
return new RegExp(`^${regexStr}$`).test(value);
|
|
89
|
-
}
|
|
90
|
-
evaluateCondition(condition, context) {
|
|
91
|
-
// Simple condition evaluator — supports { "eq": { "user.department": "engineering" } }
|
|
92
|
-
// Extend this for production use with a proper expression engine.
|
|
93
|
-
try {
|
|
94
|
-
return this.resolveCondition(condition, context);
|
|
95
|
-
}
|
|
96
|
-
catch {
|
|
97
|
-
return false;
|
|
98
|
-
}
|
|
99
|
-
}
|
|
100
|
-
resolveCondition(node, context) {
|
|
101
|
-
if (typeof node !== 'object' || node === null)
|
|
102
|
-
return true;
|
|
103
|
-
const obj = node;
|
|
104
|
-
// Operator keys
|
|
105
|
-
if ('eq' in obj)
|
|
106
|
-
return this.eq(obj.eq, context);
|
|
107
|
-
if ('ne' in obj)
|
|
108
|
-
return !this.eq(obj.ne, context);
|
|
109
|
-
if ('and' in obj) {
|
|
110
|
-
const conditions = obj.and;
|
|
111
|
-
return conditions.every((c) => this.resolveCondition(c, context));
|
|
112
|
-
}
|
|
113
|
-
if ('or' in obj) {
|
|
114
|
-
const conditions = obj.or;
|
|
115
|
-
return conditions.some((c) => this.resolveCondition(c, context));
|
|
116
|
-
}
|
|
117
|
-
return true;
|
|
118
|
-
}
|
|
119
|
-
eq(mapping, context) {
|
|
120
|
-
if (typeof mapping !== 'object' || mapping === null)
|
|
121
|
-
return false;
|
|
122
|
-
const entries = Object.entries(mapping);
|
|
123
|
-
if (entries.length !== 1)
|
|
124
|
-
return false;
|
|
125
|
-
const [key, expected] = entries[0];
|
|
126
|
-
const actual = this.resolveValue(key, context);
|
|
127
|
-
return String(actual) === String(expected);
|
|
128
|
-
}
|
|
129
|
-
resolveValue(path, context) {
|
|
130
|
-
const parts = path.split('.');
|
|
131
|
-
let current = context;
|
|
132
|
-
for (const part of parts) {
|
|
133
|
-
if (typeof current !== 'object' || current === null)
|
|
134
|
-
return undefined;
|
|
135
|
-
current = current[part];
|
|
136
|
-
}
|
|
137
|
-
return current;
|
|
138
|
-
}
|
|
139
|
-
};
|
|
140
|
-
PbacService = __decorate([
|
|
141
|
-
Injectable(),
|
|
142
|
-
__param(0, Inject(CACHE_SERVICE)),
|
|
143
|
-
__metadata("design:paramtypes", [Object])
|
|
144
|
-
], PbacService);
|
|
145
|
-
export { PbacService };
|
|
146
|
-
//# sourceMappingURL=pbac.service.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.service.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrD;;;;;GAKG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAKH;IAJX,aAAa,GAAiB,MAAM,CAAC;IAE7C,YAEmB,KAAoB;QAApB,UAAK,GAAL,KAAK,CAAe;IACpC,CAAC;IAEJ;;OAEG;IACH,gBAAgB,CAAC,MAAoB;QACnC,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC;IAC9B,CAAC;IAED;;;;;;;;;OASG;IACH,QAAQ,CACN,QAA0B,EAC1B,MAAc,EACd,QAAgB,EAChB,OAAsB;QAEtB,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;gBAClC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC;oBAAE,SAAS;gBAC9C,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAClD,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;oBACvE,SAAS;gBACX,CAAC;gBAED,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;oBAAE,OAAO,KAAK,CAAC;gBACzC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO;oBAAE,UAAU,IAAI,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,IAAI,UAAU,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,IAAI,CAAC,aAAa,KAAK,OAAO,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,MAAM,QAAQ,GAAG,iBAAiB,MAAM,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,QAAQ,CAAC,CAAC;QAChE,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IAEO,WAAW,CAAC,IAAqB,EAAE,MAAc;QACvD,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IAEO,aAAa,CAAC,IAAqB,EAAE,QAAgB;QAC3D,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrE,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,KAAa;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CA
AC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IAEO,iBAAiB,CAAC,SAAkC,EAAE,OAAsB;QAClF,uFAAuF;QACvF,kEAAkE;QAClE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,IAAa,EAAE,OAAsB;QAC5D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAE3D,MAAM,GAAG,GAAG,IAA+B,CAAC;QAE5C,gBAAgB;QAChB,IAAI,IAAI,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,IAAI,IAAI,GAAG;YAAE,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YACjB,MAAM,UAAU,GAAG,GAAG,CAAC,GAAgB,CAAC;YACxC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;YAChB,MAAM,UAAU,GAAG,GAAG,CAAC,EAAe,CAAC;YACvC,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,EAAE,CAAC,OAAgB,EAAE,OAAsB;QACjD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAkC,CAAC,CAAC;QACnE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAEvC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE/C,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAEO,YAAY,CAAC,IAAY,EAAE,OAAsB;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,OAAO,GAAY,OAAO,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;gBAAE,OAAO,SAAS,CAAC;YACtE,OAAO,GAAI,OAAmC,CAAC,IAAI,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF,CAAA;AApIY,WAAW;IADvB,UAAU,EAAE;IAKR,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;;GAJb,WAAW,CAoIvB"}
|
|
@@ -1,47 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Policy effect — the outcome of evaluating a policy statement.
|
|
3
|
-
*/
|
|
4
|
-
export type PolicyEffect = 'allow' | 'deny';
|
|
5
|
-
/**
|
|
6
|
-
* A single policy statement (akin to AWS IAM).
|
|
7
|
-
*
|
|
8
|
-
* @example
|
|
9
|
-
* ```typescript
|
|
10
|
-
* const policy: PolicyStatement = {
|
|
11
|
-
* effect: 'deny',
|
|
12
|
-
* actions: ['document:delete'],
|
|
13
|
-
* resources: ['org:*'],
|
|
14
|
-
* condition: { department: { ne: { ref: 'user.department' } } },
|
|
15
|
-
* };
|
|
16
|
-
* ```
|
|
17
|
-
*/
|
|
18
|
-
export interface PolicyStatement {
|
|
19
|
-
/** Whether this statement allows or denies access */
|
|
20
|
-
effect: PolicyEffect;
|
|
21
|
-
/** Actions this statement applies to (supports wildcard: 'document:*') */
|
|
22
|
-
actions: string[];
|
|
23
|
-
/** Resources this statement applies to (supports wildcard) */
|
|
24
|
-
resources: string[];
|
|
25
|
-
/** Optional conditions that must be satisfied */
|
|
26
|
-
condition?: Record<string, unknown>;
|
|
27
|
-
}
|
|
28
|
-
/**
|
|
29
|
-
* A complete policy document assigned to a user or role.
|
|
30
|
-
*/
|
|
31
|
-
export interface PolicyDocument {
|
|
32
|
-
/** Policy identifier */
|
|
33
|
-
id?: string;
|
|
34
|
-
/** Policy name */
|
|
35
|
-
name?: string;
|
|
36
|
-
/** List of statements */
|
|
37
|
-
statements: PolicyStatement[];
|
|
38
|
-
}
|
|
39
|
-
/**
|
|
40
|
-
* Evaluation context passed to condition functions.
|
|
41
|
-
*/
|
|
42
|
-
export interface PolicyContext {
|
|
43
|
-
user: Record<string, unknown>;
|
|
44
|
-
resource: Record<string, unknown>;
|
|
45
|
-
environment: Record<string, unknown>;
|
|
46
|
-
}
|
|
47
|
-
//# sourceMappingURL=pbac.types.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.types.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,qDAAqD;IACrD,MAAM,EAAE,YAAY,CAAC;IACrB,0EAA0E;IAC1E,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,wBAAwB;IACxB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,yBAAyB;IACzB,UAAU,EAAE,eAAe,EAAE,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"pbac.types.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.types.ts"],"names":[],"mappings":""}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC"}
|