@os.io/nest-kit 0.0.1-alpha.0
- package/LICENSE +21 -0
- package/README.md +111 -0
- package/dist/auth/auth.constants.d.ts +19 -0
- package/dist/auth/auth.constants.d.ts.map +1 -0
- package/dist/auth/auth.constants.js +19 -0
- package/dist/auth/auth.constants.js.map +1 -0
- package/dist/auth/auth.guard.d.ts +20 -0
- package/dist/auth/auth.guard.d.ts.map +1 -0
- package/dist/auth/auth.guard.js +84 -0
- package/dist/auth/auth.guard.js.map +1 -0
- package/dist/auth/auth.module.d.ts +26 -0
- package/dist/auth/auth.module.d.ts.map +1 -0
- package/dist/auth/auth.module.js +344 -0
- package/dist/auth/auth.module.js.map +1 -0
- package/dist/auth/auth.options.d.ts +179 -0
- package/dist/auth/auth.options.d.ts.map +1 -0
- package/dist/auth/auth.options.js +2 -0
- package/dist/auth/auth.options.js.map +1 -0
- package/dist/auth/auth.service.d.ts +57 -0
- package/dist/auth/auth.service.d.ts.map +1 -0
- package/dist/auth/auth.service.js +175 -0
- package/dist/auth/auth.service.js.map +1 -0
- package/dist/auth/authorization/index.d.ts +3 -0
- package/dist/auth/authorization/index.d.ts.map +1 -0
- package/dist/auth/authorization/index.js +3 -0
- package/dist/auth/authorization/index.js.map +1 -0
- package/dist/auth/authorization/pbac/index.d.ts +6 -0
- package/dist/auth/authorization/pbac/index.d.ts.map +1 -0
- package/dist/auth/authorization/pbac/index.js +4 -0
- package/dist/auth/authorization/pbac/index.js.map +1 -0
- package/dist/auth/authorization/pbac/pbac.decorator.d.ts +18 -0
- package/dist/auth/authorization/pbac/pbac.decorator.d.ts.map +1 -0
- package/dist/auth/authorization/pbac/pbac.decorator.js +14 -0
- package/dist/auth/authorization/pbac/pbac.decorator.js.map +1 -0
- package/dist/auth/authorization/pbac/pbac.guard.d.ts +19 -0
- package/dist/auth/authorization/pbac/pbac.guard.d.ts.map +1 -0
- package/dist/auth/authorization/pbac/pbac.guard.js +60 -0
- package/dist/auth/authorization/pbac/pbac.guard.js.map +1 -0
- package/dist/auth/authorization/pbac/pbac.service.d.ts +44 -0
- package/dist/auth/authorization/pbac/pbac.service.d.ts.map +1 -0
- package/dist/auth/authorization/pbac/pbac.service.js +146 -0
- package/dist/auth/authorization/pbac/pbac.service.js.map +1 -0
- package/dist/auth/authorization/pbac/pbac.types.d.ts +47 -0
- package/dist/auth/authorization/pbac/pbac.types.d.ts.map +1 -0
- package/dist/auth/authorization/pbac/pbac.types.js +2 -0
- package/dist/auth/authorization/pbac/pbac.types.js.map +1 -0
- package/dist/auth/authorization/rbac/index.d.ts +4 -0
- package/dist/auth/authorization/rbac/index.d.ts.map +1 -0
- package/dist/auth/authorization/rbac/index.js +4 -0
- package/dist/auth/authorization/rbac/index.js.map +1 -0
- package/dist/auth/authorization/rbac/rbac.decorator.d.ts +18 -0
- package/dist/auth/authorization/rbac/rbac.decorator.d.ts.map +1 -0
- package/dist/auth/authorization/rbac/rbac.decorator.js +25 -0
- package/dist/auth/authorization/rbac/rbac.decorator.js.map +1 -0
- package/dist/auth/authorization/rbac/rbac.guard.d.ts +19 -0
- package/dist/auth/authorization/rbac/rbac.guard.d.ts.map +1 -0
- package/dist/auth/authorization/rbac/rbac.guard.js +50 -0
- package/dist/auth/authorization/rbac/rbac.guard.js.map +1 -0
- package/dist/auth/authorization/rbac/rbac.service.d.ts +43 -0
- package/dist/auth/authorization/rbac/rbac.service.d.ts.map +1 -0
- package/dist/auth/authorization/rbac/rbac.service.js +95 -0
- package/dist/auth/authorization/rbac/rbac.service.js.map +1 -0
- package/dist/auth/decorators/current-user.decorator.d.ts +17 -0
- package/dist/auth/decorators/current-user.decorator.d.ts.map +1 -0
- package/dist/auth/decorators/current-user.decorator.js +23 -0
- package/dist/auth/decorators/current-user.decorator.js.map +1 -0
- package/dist/auth/decorators/index.d.ts +3 -0
- package/dist/auth/decorators/index.d.ts.map +1 -0
- package/dist/auth/decorators/index.js +3 -0
- package/dist/auth/decorators/index.js.map +1 -0
- package/dist/auth/decorators/public.decorator.d.ts +13 -0
- package/dist/auth/decorators/public.decorator.d.ts.map +1 -0
- package/dist/auth/decorators/public.decorator.js +15 -0
- package/dist/auth/decorators/public.decorator.js.map +1 -0
- package/dist/auth/index.d.ts +63 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +65 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/interfaces/auth-request.interface.d.ts +18 -0
- package/dist/auth/interfaces/auth-request.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/auth-request.interface.js +2 -0
- package/dist/auth/interfaces/auth-request.interface.js.map +1 -0
- package/dist/auth/interfaces/auth-result.interface.d.ts +28 -0
- package/dist/auth/interfaces/auth-result.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/auth-result.interface.js +2 -0
- package/dist/auth/interfaces/auth-result.interface.js.map +1 -0
- package/dist/auth/interfaces/auth-strategy.interface.d.ts +37 -0
- package/dist/auth/interfaces/auth-strategy.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/auth-strategy.interface.js +16 -0
- package/dist/auth/interfaces/auth-strategy.interface.js.map +1 -0
- package/dist/auth/interfaces/auth-user.interface.d.ts +25 -0
- package/dist/auth/interfaces/auth-user.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/auth-user.interface.js +2 -0
- package/dist/auth/interfaces/auth-user.interface.js.map +1 -0
- package/dist/auth/interfaces/cache-service.interface.d.ts +30 -0
- package/dist/auth/interfaces/cache-service.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/cache-service.interface.js +2 -0
- package/dist/auth/interfaces/cache-service.interface.js.map +1 -0
- package/dist/auth/interfaces/index.d.ts +8 -0
- package/dist/auth/interfaces/index.d.ts.map +1 -0
- package/dist/auth/interfaces/index.js +2 -0
- package/dist/auth/interfaces/index.js.map +1 -0
- package/dist/auth/interfaces/user-service.interface.d.ts +34 -0
- package/dist/auth/interfaces/user-service.interface.d.ts.map +1 -0
- package/dist/auth/interfaces/user-service.interface.js +2 -0
- package/dist/auth/interfaces/user-service.interface.js.map +1 -0
- package/dist/auth/password/password.service.d.ts +23 -0
- package/dist/auth/password/password.service.d.ts.map +1 -0
- package/dist/auth/password/password.service.js +52 -0
- package/dist/auth/password/password.service.js.map +1 -0
- package/dist/auth/session/device-session.service.d.ts +43 -0
- package/dist/auth/session/device-session.service.d.ts.map +1 -0
- package/dist/auth/session/device-session.service.js +72 -0
- package/dist/auth/session/device-session.service.js.map +1 -0
- package/dist/auth/session/index.d.ts +5 -0
- package/dist/auth/session/index.d.ts.map +1 -0
- package/dist/auth/session/index.js +4 -0
- package/dist/auth/session/index.js.map +1 -0
- package/dist/auth/session/jwt.service.d.ts +37 -0
- package/dist/auth/session/jwt.service.d.ts.map +1 -0
- package/dist/auth/session/jwt.service.js +119 -0
- package/dist/auth/session/jwt.service.js.map +1 -0
- package/dist/auth/session/token-blacklist.service.d.ts +37 -0
- package/dist/auth/session/token-blacklist.service.d.ts.map +1 -0
- package/dist/auth/session/token-blacklist.service.js +70 -0
- package/dist/auth/session/token-blacklist.service.js.map +1 -0
- package/dist/auth/strategies/anonymous/anonymous.strategy.d.ts +19 -0
- package/dist/auth/strategies/anonymous/anonymous.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/anonymous/anonymous.strategy.js +49 -0
- package/dist/auth/strategies/anonymous/anonymous.strategy.js.map +1 -0
- package/dist/auth/strategies/base/base.strategy.d.ts +11 -0
- package/dist/auth/strategies/base/base.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/base/base.strategy.js +6 -0
- package/dist/auth/strategies/base/base.strategy.js.map +1 -0
- package/dist/auth/strategies/credentials/credentials.strategy.d.ts +21 -0
- package/dist/auth/strategies/credentials/credentials.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/credentials/credentials.strategy.js +67 -0
- package/dist/auth/strategies/credentials/credentials.strategy.js.map +1 -0
- package/dist/auth/strategies/index.d.ts +12 -0
- package/dist/auth/strategies/index.d.ts.map +1 -0
- package/dist/auth/strategies/index.js +12 -0
- package/dist/auth/strategies/index.js.map +1 -0
- package/dist/auth/strategies/magic-link/magic-link.strategy.d.ts +31 -0
- package/dist/auth/strategies/magic-link/magic-link.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/magic-link/magic-link.strategy.js +88 -0
- package/dist/auth/strategies/magic-link/magic-link.strategy.js.map +1 -0
- package/dist/auth/strategies/oauth/index.d.ts +3 -0
- package/dist/auth/strategies/oauth/index.d.ts.map +1 -0
- package/dist/auth/strategies/oauth/index.js +3 -0
- package/dist/auth/strategies/oauth/index.js.map +1 -0
- package/dist/auth/strategies/oauth/oauth-provider-registry.d.ts +13 -0
- package/dist/auth/strategies/oauth/oauth-provider-registry.d.ts.map +1 -0
- package/dist/auth/strategies/oauth/oauth-provider-registry.js +20 -0
- package/dist/auth/strategies/oauth/oauth-provider-registry.js.map +1 -0
- package/dist/auth/strategies/oauth/oauth.strategy.d.ts +23 -0
- package/dist/auth/strategies/oauth/oauth.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/oauth/oauth.strategy.js +79 -0
- package/dist/auth/strategies/oauth/oauth.strategy.js.map +1 -0
- package/dist/auth/strategies/onetap/onetap.strategy.d.ts +24 -0
- package/dist/auth/strategies/onetap/onetap.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/onetap/onetap.strategy.js +77 -0
- package/dist/auth/strategies/onetap/onetap.strategy.js.map +1 -0
- package/dist/auth/strategies/otp/otp.strategy.d.ts +31 -0
- package/dist/auth/strategies/otp/otp.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/otp/otp.strategy.js +93 -0
- package/dist/auth/strategies/otp/otp.strategy.js.map +1 -0
- package/dist/auth/strategies/passkey/passkey.strategy.d.ts +32 -0
- package/dist/auth/strategies/passkey/passkey.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/passkey/passkey.strategy.js +102 -0
- package/dist/auth/strategies/passkey/passkey.strategy.js.map +1 -0
- package/dist/auth/strategies/sso/sso.strategy.d.ts +25 -0
- package/dist/auth/strategies/sso/sso.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/sso/sso.strategy.js +80 -0
- package/dist/auth/strategies/sso/sso.strategy.js.map +1 -0
- package/dist/auth/strategies/totp/totp.strategy.d.ts +37 -0
- package/dist/auth/strategies/totp/totp.strategy.d.ts.map +1 -0
- package/dist/auth/strategies/totp/totp.strategy.js +109 -0
- package/dist/auth/strategies/totp/totp.strategy.js.map +1 -0
- package/dist/auth/throttling/index.d.ts +2 -0
- package/dist/auth/throttling/index.d.ts.map +1 -0
- package/dist/auth/throttling/index.js +2 -0
- package/dist/auth/throttling/index.js.map +1 -0
- package/dist/auth/throttling/throttle.service.d.ts +27 -0
- package/dist/auth/throttling/throttle.service.d.ts.map +1 -0
- package/dist/auth/throttling/throttle.service.js +63 -0
- package/dist/auth/throttling/throttle.service.js.map +1 -0
- package/dist/bootstrap/cache/config.d.ts +135 -0
- package/dist/bootstrap/cache/config.d.ts.map +1 -0
- package/dist/bootstrap/cache/config.js +189 -0
- package/dist/bootstrap/cache/config.js.map +1 -0
- package/dist/bootstrap/cache/index.d.ts +11 -0
- package/dist/bootstrap/cache/index.d.ts.map +1 -0
- package/dist/bootstrap/cache/index.js +11 -0
- package/dist/bootstrap/cache/index.js.map +1 -0
- package/dist/bootstrap/index.d.ts +21 -0
- package/dist/bootstrap/index.d.ts.map +1 -0
- package/dist/bootstrap/index.js +21 -0
- package/dist/bootstrap/index.js.map +1 -0
- package/dist/bootstrap/scalar/api-docs.d.ts +39 -0
- package/dist/bootstrap/scalar/api-docs.d.ts.map +1 -0
- package/dist/bootstrap/scalar/api-docs.js +41 -0
- package/dist/bootstrap/scalar/api-docs.js.map +1 -0
- package/dist/bootstrap/scalar/index.d.ts +39 -0
- package/dist/bootstrap/scalar/index.d.ts.map +1 -0
- package/dist/bootstrap/scalar/index.js +41 -0
- package/dist/bootstrap/scalar/index.js.map +1 -0
- package/dist/bootstrap/swagger/api-docs.d.ts +73 -0
- package/dist/bootstrap/swagger/api-docs.d.ts.map +1 -0
- package/dist/bootstrap/swagger/api-docs.js +87 -0
- package/dist/bootstrap/swagger/api-docs.js.map +1 -0
- package/dist/bootstrap/swagger/index.d.ts +37 -0
- package/dist/bootstrap/swagger/index.d.ts.map +1 -0
- package/dist/bootstrap/swagger/index.js +36 -0
- package/dist/bootstrap/swagger/index.js.map +1 -0
- package/dist/bootstrap/typeorm/config/index.d.ts +12 -0
- package/dist/bootstrap/typeorm/config/index.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/config/index.js +62 -0
- package/dist/bootstrap/typeorm/config/index.js.map +1 -0
- package/dist/bootstrap/typeorm/crud/controller.d.ts +13 -0
- package/dist/bootstrap/typeorm/crud/controller.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/crud/controller.js +72 -0
- package/dist/bootstrap/typeorm/crud/controller.js.map +1 -0
- package/dist/bootstrap/typeorm/crud/index.d.ts +4 -0
- package/dist/bootstrap/typeorm/crud/index.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/crud/index.js +3 -0
- package/dist/bootstrap/typeorm/crud/index.js.map +1 -0
- package/dist/bootstrap/typeorm/crud/service.d.ts +10 -0
- package/dist/bootstrap/typeorm/crud/service.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/crud/service.js +21 -0
- package/dist/bootstrap/typeorm/crud/service.js.map +1 -0
- package/dist/bootstrap/typeorm/index.d.ts +18 -0
- package/dist/bootstrap/typeorm/index.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/index.js +18 -0
- package/dist/bootstrap/typeorm/index.js.map +1 -0
- package/dist/bootstrap/typeorm/uow/factory.d.ts +5 -0
- package/dist/bootstrap/typeorm/uow/factory.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/uow/factory.js +27 -0
- package/dist/bootstrap/typeorm/uow/factory.js.map +1 -0
- package/dist/bootstrap/typeorm/uow/index.d.ts +4 -0
- package/dist/bootstrap/typeorm/uow/index.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/uow/index.js +4 -0
- package/dist/bootstrap/typeorm/uow/index.js.map +1 -0
- package/dist/bootstrap/typeorm/uow/transactional.decorator.d.ts +62 -0
- package/dist/bootstrap/typeorm/uow/transactional.decorator.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/uow/transactional.decorator.js +114 -0
- package/dist/bootstrap/typeorm/uow/transactional.decorator.js.map +1 -0
- package/dist/bootstrap/typeorm/uow/unit-of-work.d.ts +11 -0
- package/dist/bootstrap/typeorm/uow/unit-of-work.d.ts.map +1 -0
- package/dist/bootstrap/typeorm/uow/unit-of-work.js +23 -0
- package/dist/bootstrap/typeorm/uow/unit-of-work.js.map +1 -0
- package/dist/core/index.d.ts +11 -0
- package/dist/core/index.d.ts.map +1 -0
- package/dist/core/index.js +11 -0
- package/dist/core/index.js.map +1 -0
- package/dist/infra/audit-log/index.d.ts +12 -0
- package/dist/infra/audit-log/index.d.ts.map +1 -0
- package/dist/infra/audit-log/index.js +13 -0
- package/dist/infra/audit-log/index.js.map +1 -0
- package/dist/infra/index.d.ts +20 -0
- package/dist/infra/index.d.ts.map +1 -0
- package/dist/infra/index.js +21 -0
- package/dist/infra/index.js.map +1 -0
- package/dist/infra/logger/index.d.ts +12 -0
- package/dist/infra/logger/index.d.ts.map +1 -0
- package/dist/infra/logger/index.js +13 -0
- package/dist/infra/logger/index.js.map +1 -0
- package/dist/infra/metrics/index.d.ts +18 -0
- package/dist/infra/metrics/index.d.ts.map +1 -0
- package/dist/infra/metrics/index.js +19 -0
- package/dist/infra/metrics/index.js.map +1 -0
- package/dist/infra/notification/index.d.ts +12 -0
- package/dist/infra/notification/index.d.ts.map +1 -0
- package/dist/infra/notification/index.js +13 -0
- package/dist/infra/notification/index.js.map +1 -0
- package/dist/infra/storage/index.d.ts +12 -0
- package/dist/infra/storage/index.d.ts.map +1 -0
- package/dist/infra/storage/index.js +13 -0
- package/dist/infra/storage/index.js.map +1 -0
- package/dist/infra/stripe/index.d.ts +12 -0
- package/dist/infra/stripe/index.d.ts.map +1 -0
- package/dist/infra/stripe/index.js +13 -0
- package/dist/infra/stripe/index.js.map +1 -0
- package/dist/saas/index.d.ts +18 -0
- package/dist/saas/index.d.ts.map +1 -0
- package/dist/saas/index.js +19 -0
- package/dist/saas/index.js.map +1 -0
- package/package.json +165 -0
|
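--- a/package/dist/auth/authorization/pbac/pbac.service.d.ts
+++ b/package/dist/auth/authorization/pbac/pbac.service.d.ts
@@ -0,0 +1,44 @@
+import type { ICacheService } from '../../interfaces';
+import type { PolicyContext, PolicyEffect, PolicyDocument } from './pbac.types';
+/**
+* Policy-Based Access Control service.
+*
+* Evaluates user-assigned policies against the current request context.
+* Supports wildcard matching and simple condition evaluation.
+*/
+export declare class PbacService {
+private readonly cache;
+private defaultEffect;
+constructor(cache: ICacheService);
+/**
+* Configure the default effect when no policy matches.
+*/
+setDefaultEffect(effect: PolicyEffect): void;
+/**
+* Evaluate a list of policy documents for a given action + resource.
+*
+* Returns `true` if access is granted, `false` otherwise.
+*
+* Evaluation logic (AWS IAM style):
+* 1. An explicit `deny` overrides everything.
+* 2. If any statement matches with `allow`, access is granted.
+* 3. If no statement matches, the default effect applies.
+*/
+evaluate(policies: PolicyDocument[], action: string, resource: string, context: PolicyContext): boolean;
+/**
+* Fetch policies for a user, using cache when possible.
+*/
+getUserPolicies(userId: string): Promise<PolicyDocument[]>;
+/**
+* Invalidate cached policies for a user.
+*/
+invalidateUser(userId: string): Promise<void>;
+private matchAction;
+private matchResource;
+private wildcardMatch;
+private evaluateCondition;
+private resolveCondition;
+private eq;
+private resolveValue;
+}
+//# sourceMappingURL=pbac.service.d.ts.map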
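Review bot: The doc comment on `getUserPolicies` promises a fetch "using cache when possible", but the implementation in pbac.service.js only reads `pbac:policies:${userId}` from the cache and returns `[]` on a miss, and nothing in this class writes that key. The contract should say so, for example `Returns the policies cached under pbac:policies:<userId>; resolves to [] when nothing is cached, so the caller must populate the cache.` An empty list falls through to the default effect in `evaluate`, so after `setDefaultEffect('allow')` a cache miss or eviction grants every request; the `setDefaultEffect` comment should carry that warning, e.g. `With 'allow', a user with no cached policies is granted every action.`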
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pbac.service.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,OAAO,KAAK,EAAmB,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEjG;;;;;GAKG;AACH,qBACa,WAAW;IAKpB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAJxB,OAAO,CAAC,aAAa,CAAwB;gBAI1B,KAAK,EAAE,aAAa;IAGvC;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAI5C;;;;;;;;;OASG;IACH,QAAQ,CACN,QAAQ,EAAE,cAAc,EAAE,EAC1B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,aAAa,GACrB,OAAO;IAoBV;;OAEG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAOhE;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,aAAa;IAKrB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,gBAAgB;IAoBxB,OAAO,CAAC,EAAE;IAWV,OAAO,CAAC,YAAY;CAWrB"}
|
|
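--- a/package/dist/auth/authorization/pbac/pbac.service.js
+++ b/package/dist/auth/authorization/pbac/pbac.service.js
@@ -0,0 +1,146 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { Inject, Injectable } from '@nestjs/common';
+import { CACHE_SERVICE } from '../../auth.constants';
+/**
+* Policy-Based Access Control service.
+*
+* Evaluates user-assigned policies against the current request context.
+* Supports wildcard matching and simple condition evaluation.
+*/
+let PbacService = class PbacService {
+cache;
+defaultEffect = 'deny';
+constructor(cache) {
+this.cache = cache;
+}
+/**
+* Configure the default effect when no policy matches.
+*/
+setDefaultEffect(effect) {
+this.defaultEffect = effect;
+}
+/**
+* Evaluate a list of policy documents for a given action + resource.
+*
+* Returns `true` if access is granted, `false` otherwise.
+*
+* Evaluation logic (AWS IAM style):
+* 1. An explicit `deny` overrides everything.
+* 2. If any statement matches with `allow`, access is granted.
+* 3. If no statement matches, the default effect applies.
+*/
+evaluate(policies, action, resource, context) {
+let allowCount = 0;
+for (const doc of policies) {
+for (const stmt of doc.statements) {
+if (!this.matchAction(stmt, action))
+continue;
+if (!this.matchResource(stmt, resource))
+continue;
+if (stmt.condition && !this.evaluateCondition(stmt.condition, context)) {
+continue;
+}
+if (stmt.effect === 'deny')
+return false;
+if (stmt.effect === 'allow')
+allowCount += 1;
+}
+}
+if (allowCount > 0)
+return true;
+return this.defaultEffect === 'allow';
+}
+/**
+* Fetch policies for a user, using cache when possible.
+*/
+async getUserPolicies(userId) {
+const cacheKey = `pbac:policies:${userId}`;
+const cached = await this.cache.get(cacheKey);
+if (cached)
+return cached;
+return [];
+}
+/**
+* Invalidate cached policies for a user.
+*/
+async invalidateUser(userId) {
+await this.cache.del(`pbac:policies:${userId}`);
+}
+matchAction(stmt, action) {
+return stmt.actions.some((a) => this.wildcardMatch(a, action));
+}
+matchResource(stmt, resource) {
+return stmt.resources.some((r) => this.wildcardMatch(r, resource));
+}
+wildcardMatch(pattern, value) {
+const regexStr = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
+return new RegExp(`^${regexStr}$`).test(value);
+}
+evaluateCondition(condition, context) {
+// Simple condition evaluator — supports { "eq": { "user.department": "engineering" } }
+// Extend this for production use with a proper expression engine.
+try {
+return this.resolveCondition(condition, context);
+}
+catch {
+return false;
+}
+}
+resolveCondition(node, context) {
+if (typeof node !== 'object' || node === null)
+return true;
+const obj = node;
+// Operator keys
+if ('eq' in obj)
+return this.eq(obj.eq, context);
+if ('ne' in obj)
+return !this.eq(obj.ne, context);
+if ('and' in obj) {
+const conditions = obj.and;
+return conditions.every((c) => this.resolveCondition(c, context));
+}
+if ('or' in obj) {
+const conditions = obj.or;
+return conditions.some((c) => this.resolveCondition(c, context));
+}
+return true;
+}
+eq(mapping, context) {
+if (typeof mapping !== 'object' || mapping === null)
+return false;
+const entries = Object.entries(mapping);
+if (entries.length !== 1)
+return false;
+const [key, expected] = entries[0];
+const actual = this.resolveValue(key, context);
+return String(actual) === String(expected);
+}
+resolveValue(path, context) {
+const parts = path.split('.');
+let current = context;
+for (const part of parts) {
+if (typeof current !== 'object' || current === null)
+return undefined;
+current = current[part];
+}
+return current;
+}
+};
+PbacService = __decorate([
+Injectable(),
+__param(0, Inject(CACHE_SERVICE)),
+__metadata("design:paramtypes", [Object])
+], PbacService);
+export { PbacService };
+//# sourceMappingURL=pbac.service.js.map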
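Review bot: `resolveCondition` fails open: a non-object node, or an object with none of the `eq`/`ne`/`and`/`or` keys, returns `true`, so an `allow` statement whose condition is mistyped or uses an unsupported operator grants access as if it had no condition. `evaluateCondition` errs the other way for denies, because its `catch` returns `false` and `evaluate` then skips the statement, so a `deny` whose condition throws (for example `and` holding a non-array) is never enforced. Unknown shapes should throw, and `evaluate` should resolve an unevaluable condition by effect: enforce a `deny`, ignore an `allow`, as sketched below. Separately, `eq` compares `String(actual) === String(expected)`, so a missing attribute matches the literal `'undefined'`; a strict comparison that first rejects `undefined` would avoid that.

```javascript
// in evaluate(), replacing the `stmt.condition && !this.evaluateCondition(...)` check
if (stmt.condition) {
    let satisfied;
    try {
        satisfied = this.resolveCondition(stmt.condition, context);
    }
    catch {
        // unevaluable condition: enforce a deny, ignore an allow
        if (stmt.effect === 'deny')
            return false;
        continue;
    }
    if (!satisfied)
        continue;
}
// … unchanged: effect handling …

resolveCondition(node, context) {
    if (typeof node !== 'object' || node === null)
        throw new TypeError('PBAC condition must be an object');
    // … unchanged: eq / ne / and / or branches …
    throw new TypeError('PBAC condition has no supported operator');
}
```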
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pbac.service.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAGrD;;;;;GAKG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAKH;IAJX,aAAa,GAAiB,MAAM,CAAC;IAE7C,YAEmB,KAAoB;QAApB,UAAK,GAAL,KAAK,CAAe;IACpC,CAAC;IAEJ;;OAEG;IACH,gBAAgB,CAAC,MAAoB;QACnC,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC;IAC9B,CAAC;IAED;;;;;;;;;OASG;IACH,QAAQ,CACN,QAA0B,EAC1B,MAAc,EACd,QAAgB,EAChB,OAAsB;QAEtB,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;gBAClC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC;oBAAE,SAAS;gBAC9C,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAClD,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;oBACvE,SAAS;gBACX,CAAC;gBAED,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;oBAAE,OAAO,KAAK,CAAC;gBACzC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO;oBAAE,UAAU,IAAI,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,IAAI,UAAU,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,IAAI,CAAC,aAAa,KAAK,OAAO,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,MAAM,QAAQ,GAAG,iBAAiB,MAAM,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,QAAQ,CAAC,CAAC;QAChE,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IAEO,WAAW,CAAC,IAAqB,EAAE,MAAc;QACvD,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IAEO,aAAa,CAAC,IAAqB,EAAE,QAAgB;QAC3D,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrE,CAAC;IAEO,aAAa,CAAC,OAAe,EAAE,KAAa;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CA
AC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IAEO,iBAAiB,CAAC,SAAkC,EAAE,OAAsB;QAClF,uFAAuF;QACvF,kEAAkE;QAClE,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,IAAa,EAAE,OAAsB;QAC5D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAE3D,MAAM,GAAG,GAAG,IAA+B,CAAC;QAE5C,gBAAgB;QAChB,IAAI,IAAI,IAAI,GAAG;YAAE,OAAO,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,IAAI,IAAI,GAAG;YAAE,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,IAAI,GAAG,EAAE,CAAC;YACjB,MAAM,UAAU,GAAG,GAAG,CAAC,GAAgB,CAAC;YACxC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;YAChB,MAAM,UAAU,GAAG,GAAG,CAAC,EAAe,CAAC;YACvC,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,EAAE,CAAC,OAAgB,EAAE,OAAsB;QACjD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAkC,CAAC,CAAC;QACnE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAEvC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAE/C,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAEO,YAAY,CAAC,IAAY,EAAE,OAAsB;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,OAAO,GAAY,OAAO,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;gBAAE,OAAO,SAAS,CAAC;YACtE,OAAO,GAAI,OAAmC,CAAC,IAAI,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF,CAAA;AApIY,WAAW;IADvB,UAAU,EAAE;IAKR,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;;GAJb,WAAW,CAoIvB"}
|
|
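--- a/package/dist/auth/authorization/pbac/pbac.types.d.ts
+++ b/package/dist/auth/authorization/pbac/pbac.types.d.ts
@@ -0,0 +1,47 @@
+/**
+* Policy effect — the outcome of evaluating a policy statement.
+*/
+export type PolicyEffect = 'allow' | 'deny';
+/**
+* A single policy statement (akin to AWS IAM).
+*
+* @example
+* ```typescript
+* const policy: PolicyStatement = {
+* effect: 'deny',
+* actions: ['document:delete'],
+* resources: ['org:*'],
+* condition: { department: { ne: { ref: 'user.department' } } },
+* };
+* ```
+*/
+export interface PolicyStatement {
+/** Whether this statement allows or denies access */
+effect: PolicyEffect;
+/** Actions this statement applies to (supports wildcard: 'document:*') */
+actions: string[];
+/** Resources this statement applies to (supports wildcard) */
+resources: string[];
+/** Optional conditions that must be satisfied */
+condition?: Record<string, unknown>;
+}
+/**
+* A complete policy document assigned to a user or role.
+*/
+export interface PolicyDocument {
+/** Policy identifier */
+id?: string;
+/** Policy name */
+name?: string;
+/** List of statements */
+statements: PolicyStatement[];
+}
+/**
+* Evaluation context passed to condition functions.
+*/
+export interface PolicyContext {
+user: Record<string, unknown>;
+resource: Record<string, unknown>;
+environment: Record<string, unknown>;
+}
+//# sourceMappingURL=pbac.types.d.ts.map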
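Review bot: The `@example` on `PolicyStatement` documents `condition: { department: { ne: { ref: 'user.department' } } }`, a shape the evaluator in pbac.service.js does not implement: it only looks for top-level `eq`, `ne`, `and` and `or` keys, with `eq`/`ne` taking a one-entry `{ 'path': value }` map. Copied as written, the example's condition has no recognised operator and is treated as always satisfied. The example should use the supported form, e.g. `condition: { ne: { 'user.department': 'engineering' } }`. Typing `condition` as a union of the supported operator objects instead of `Record<string, unknown>` would let the compiler reject unsupported shapes. The `PolicyContext` comment says "passed to condition functions" although conditions are plain data; `Evaluation context that condition paths such as 'user.department' are resolved against.` would be accurate.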
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pbac.types.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,eAAe;IAC9B,qDAAqD;IACrD,MAAM,EAAE,YAAY,CAAC;IACrB,0EAA0E;IAC1E,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,wBAAwB;IACxB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,kBAAkB;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,yBAAyB;IACzB,UAAU,EAAE,eAAe,EAAE,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"pbac.types.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/pbac/pbac.types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Require specific roles to access a route.
|
|
3
|
+
* Works with the RbacGuard.
|
|
4
|
+
*
|
|
5
|
+
* By default, a user needs **at least one** of the listed roles.
|
|
6
|
+
* Pass `{ requireAll: true }` in options to require all roles.
|
|
7
|
+
*
|
|
8
|
+
* @example
|
|
9
|
+
* ```typescript
|
|
10
|
+
* @Roles('admin')
|
|
11
|
+
* @Roles('admin', 'moderator')
|
|
12
|
+
* @Roles('admin', 'super-admin', { requireAll: true })
|
|
13
|
+
* ```
|
|
14
|
+
*/
|
|
15
|
+
export declare const Roles: (...args: (string | {
|
|
16
|
+
requireAll: boolean;
|
|
17
|
+
})[]) => import("@nestjs/common").CustomDecorator<string>;
|
|
18
|
+
//# sourceMappingURL=rbac.decorator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.decorator.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.decorator.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,KAAK,GAAI,GAAG,MAAM,CAAC,MAAM,GAAG;IAAE,UAAU,EAAE,OAAO,CAAA;CAAE,CAAC,EAAE,qDAOlE,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { SetMetadata } from '@nestjs/common';
|
|
2
|
+
import { METADATA_ROLES } from '../../auth.constants';
|
|
3
|
+
/**
|
|
4
|
+
* Require specific roles to access a route.
|
|
5
|
+
* Works with the RbacGuard.
|
|
6
|
+
*
|
|
7
|
+
* By default, a user needs **at least one** of the listed roles.
|
|
8
|
+
* Pass `{ requireAll: true }` in options to require all roles.
|
|
9
|
+
*
|
|
10
|
+
* @example
|
|
11
|
+
* ```typescript
|
|
12
|
+
* @Roles('admin')
|
|
13
|
+
* @Roles('admin', 'moderator')
|
|
14
|
+
* @Roles('admin', 'super-admin', { requireAll: true })
|
|
15
|
+
* ```
|
|
16
|
+
*/
|
|
17
|
+
export const Roles = (...args) => {
|
|
18
|
+
const last = args[args.length - 1];
|
|
19
|
+
const opts = typeof last === 'object' ? args.pop() : undefined;
|
|
20
|
+
return SetMetadata(METADATA_ROLES, {
|
|
21
|
+
roles: args,
|
|
22
|
+
requireAll: opts?.requireAll ?? false,
|
|
23
|
+
});
|
|
24
|
+
};
|
|
25
|
+
//# sourceMappingURL=rbac.decorator.js.map
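Review bot: `Roles` accepts a call that names no role at all: `@Roles()` or `@Roles({ requireAll: true })` leaves `args` empty after the `pop()`, so the metadata is stored as `roles: []`. `RbacGuard.canActivate` in rbac.guard.js returns `true` when `meta.roles.length === 0`, so a route decorated this way is not restricted by the guard even though the decorator is present. Rejecting the mistake at decoration time would surface it early, e.g. `if (args.length === 0) throw new Error('@Roles() requires at least one role name');` after the `opts` line; the guard could additionally return `false` when metadata exists but the list is empty. `typeof last === 'object'` is also true for `null`, so `last !== null && typeof last === 'object'` is the tighter test.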
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.decorator.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC,GAAG,IAA0C,EAAE,EAAE;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,GAAG,EAA8B,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5F,OAAO,WAAW,CAAC,cAAc,EAAE;QACjC,KAAK,EAAE,IAAgB;QACvB,UAAU,EAAE,IAAI,EAAE,UAAU,IAAI,KAAK;KACtC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { CanActivate, ExecutionContext } from '@nestjs/common';
|
|
2
|
+
import { Reflector } from '@nestjs/core';
|
|
3
|
+
import { RbacService } from './rbac.service';
|
|
4
|
+
/**
|
|
5
|
+
* Guard that enforces Role-Based Access Control.
|
|
6
|
+
*
|
|
7
|
+
* Reads the required roles from the `@Roles()` decorator on the route
|
|
8
|
+
* handler (or controller) and checks them against the authenticated user.
|
|
9
|
+
*
|
|
10
|
+
* This guard is independent — you can use it with or without PBAC on
|
|
11
|
+
* different routes in the same application.
|
|
12
|
+
*/
|
|
13
|
+
export declare class RbacGuard implements CanActivate {
|
|
14
|
+
private readonly reflector;
|
|
15
|
+
private readonly rbacService;
|
|
16
|
+
constructor(reflector: Reflector, rbacService: RbacService);
|
|
17
|
+
canActivate(context: ExecutionContext): Promise<boolean>;
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=rbac.guard.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.guard.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAG7C;;;;;;;;GAQG;AACH,qBACa,SAAU,YAAW,WAAW;IAEzC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,WAAW;gBADX,SAAS,EAAE,SAAS,EACpB,WAAW,EAAE,WAAW;IAGrC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAmB/D"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
+
};
|
|
7
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
+
};
|
|
10
|
+
import { Injectable } from '@nestjs/common';
|
|
11
|
+
import { Reflector } from '@nestjs/core';
|
|
12
|
+
import { RbacService } from './rbac.service';
|
|
13
|
+
import { METADATA_ROLES } from '../../auth.constants';
|
|
14
|
+
/**
|
|
15
|
+
* Guard that enforces Role-Based Access Control.
|
|
16
|
+
*
|
|
17
|
+
* Reads the required roles from the `@Roles()` decorator on the route
|
|
18
|
+
* handler (or controller) and checks them against the authenticated user.
|
|
19
|
+
*
|
|
20
|
+
* This guard is independent — you can use it with or without PBAC on
|
|
21
|
+
* different routes in the same application.
|
|
22
|
+
*/
|
|
23
|
+
let RbacGuard = class RbacGuard {
|
|
24
|
+
reflector;
|
|
25
|
+
rbacService;
|
|
26
|
+
constructor(reflector, rbacService) {
|
|
27
|
+
this.reflector = reflector;
|
|
28
|
+
this.rbacService = rbacService;
|
|
29
|
+
}
|
|
30
|
+
async canActivate(context) {
|
|
31
|
+
const meta = this.reflector.getAllAndOverride(METADATA_ROLES, [context.getHandler(), context.getClass()]);
|
|
32
|
+
if (!meta || !meta.roles || meta.roles.length === 0) {
|
|
33
|
+
return true;
|
|
34
|
+
}
|
|
35
|
+
const request = context
|
|
36
|
+
.switchToHttp()
|
|
37
|
+
.getRequest();
|
|
38
|
+
const user = request.user;
|
|
39
|
+
if (!user)
|
|
40
|
+
return false;
|
|
41
|
+
return this.rbacService.hasRoles(user, meta.roles, meta.requireAll);
|
|
42
|
+
}
|
|
43
|
+
};
|
|
44
|
+
RbacGuard = __decorate([
|
|
45
|
+
Injectable(),
|
|
46
|
+
__metadata("design:paramtypes", [Reflector,
|
|
47
|
+
RbacService])
|
|
48
|
+
], RbacGuard);
|
|
49
|
+
export { RbacGuard };
|
|
50
|
+
//# sourceMappingURL=rbac.guard.js.map
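Review bot: The doc comment on `RbacGuard` does not say how handler and controller metadata combine. `getAllAndOverride(METADATA_ROLES, [context.getHandler(), context.getClass()])` takes the handler's value whenever one is set, so a handler-level `@Roles('user')` replaces a controller-level `@Roles('admin')` rather than adding to it. I would add to the class comment: `Handler-level @Roles() replaces controller-level @Roles(); the two lists are not merged.` The comment should also state that the guard relies on `request.user` being populated before it runs and returns `false` otherwise, and that it reads the request through `switchToHttp()` only.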
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.guard.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.guard.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAiC,MAAM,gBAAgB,CAAC;AAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD;;;;;;;;GAQG;AAEI,IAAM,SAAS,GAAf,MAAM,SAAS;IAED;IACA;IAFnB,YACmB,SAAoB,EACpB,WAAwB;QADxB,cAAS,GAAT,SAAS,CAAW;QACpB,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAG1C,cAAc,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAE/D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO;aACpB,YAAY,EAAE;aACd,UAAU,EAAmD,CAAC;QACjE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAE1B,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACtE,CAAC;CACF,CAAA;AAzBY,SAAS;IADrB,UAAU,EAAE;qCAGmB,SAAS;QACP,WAAW;GAHhC,SAAS,CAyBrB"}
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
import type { IAuthUser, ICacheService } from '../../interfaces';
|
|
2
|
+
/**
|
|
3
|
+
* Service that resolves and caches role → permissions mappings.
|
|
4
|
+
*
|
|
5
|
+
* Cache key convention: `rbac:roles:<userId>` → string[]
|
|
6
|
+
* `rbac:perms:<role>` → string[]
|
|
7
|
+
*/
|
|
8
|
+
export declare class RbacService {
|
|
9
|
+
private readonly cache;
|
|
10
|
+
constructor(cache: ICacheService);
|
|
11
|
+
/**
|
|
12
|
+
* Check if a user has at least one of the required roles.
|
|
13
|
+
*
|
|
14
|
+
* @param user Authenticated user
|
|
15
|
+
* @param roles List of role names required (at least one must match)
|
|
16
|
+
* @param requireAll If true, the user must have ALL specified roles
|
|
17
|
+
*/
|
|
18
|
+
hasRoles(user: IAuthUser, roles: string[], requireAll?: boolean): Promise<boolean>;
|
|
19
|
+
/**
|
|
20
|
+
* Check if a user has a specific permission (derived from their roles).
|
|
21
|
+
*
|
|
22
|
+
* @param user Authenticated user
|
|
23
|
+
* @param permission Permission identifier
|
|
24
|
+
*/
|
|
25
|
+
hasPermission(user: IAuthUser, permission: string): Promise<boolean>;
|
|
26
|
+
/**
|
|
27
|
+
* Fetch roles for a user, using cache when possible.
|
|
28
|
+
*/
|
|
29
|
+
getUserRoles(userId: string): Promise<string[]>;
|
|
30
|
+
/**
|
|
31
|
+
* Fetch permissions for a role, using cache when possible.
|
|
32
|
+
*/
|
|
33
|
+
getRolePermissions(role: string): Promise<string[]>;
|
|
34
|
+
/**
|
|
35
|
+
* Invalidate the role cache for a user.
|
|
36
|
+
*/
|
|
37
|
+
invalidateUser(userId: string): Promise<void>;
|
|
38
|
+
/**
|
|
39
|
+
* Invalidate the permission cache for a role.
|
|
40
|
+
*/
|
|
41
|
+
invalidateRole(role: string): Promise<void>;
|
|
42
|
+
}
|
|
43
|
+
//# sourceMappingURL=rbac.service.d.ts.map
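Review bot: The comment on `hasRoles` contradicts itself for the `requireAll` case: the summary and `@param roles` both say at least one role must match, while `@param requireAll` says all roles are required when it is true. Suggested wording: `Check whether a user holds the required roles (any one by default, every one when requireAll is true).` and `@param roles Role names to check`. The class comment describes a service that "resolves and caches" mappings, but the declared methods only read and invalidate cache entries, so it should say where the `rbac:roles:<userId>` and `rbac:perms:<role>` entries are expected to come from. The same comments are repeated in rbac.service.js.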
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.service.d.ts","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGjE;;;;;GAKG;AACH,qBACa,WAAW;IAGpB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,aAAa;IAGvC;;;;;;OAMG;IACG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,UAAU,UAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAUtF;;;;;OAKG;IACG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAW1E;;OAEG;IACG,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAOrD;;OAEG;IACG,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAOzD;;OAEG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAInD;;OAEG;IACG,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGlD"}
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
+
};
|
|
7
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
+
};
|
|
10
|
+
var __param = (this && this.__param) || function (paramIndex, decorator) {
|
|
11
|
+
return function (target, key) { decorator(target, key, paramIndex); }
|
|
12
|
+
};
|
|
13
|
+
import { Inject, Injectable } from '@nestjs/common';
|
|
14
|
+
import { CACHE_SERVICE } from '../../auth.constants';
|
|
15
|
+
/**
|
|
16
|
+
* Service that resolves and caches role → permissions mappings.
|
|
17
|
+
*
|
|
18
|
+
* Cache key convention: `rbac:roles:<userId>` → string[]
|
|
19
|
+
* `rbac:perms:<role>` → string[]
|
|
20
|
+
*/
|
|
21
|
+
let RbacService = class RbacService {
|
|
22
|
+
cache;
|
|
23
|
+
constructor(cache) {
|
|
24
|
+
this.cache = cache;
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Check if a user has at least one of the required roles.
|
|
28
|
+
*
|
|
29
|
+
* @param user Authenticated user
|
|
30
|
+
* @param roles List of role names required (at least one must match)
|
|
31
|
+
* @param requireAll If true, the user must have ALL specified roles
|
|
32
|
+
*/
|
|
33
|
+
async hasRoles(user, roles, requireAll = false) {
|
|
34
|
+
if (!roles.length)
|
|
35
|
+
return true;
|
|
36
|
+
const userRoles = user.roles ?? (await this.getUserRoles(user.id));
|
|
37
|
+
return requireAll
|
|
38
|
+
? roles.every((r) => userRoles.includes(r))
|
|
39
|
+
: roles.some((r) => userRoles.includes(r));
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Check if a user has a specific permission (derived from their roles).
|
|
43
|
+
*
|
|
44
|
+
* @param user Authenticated user
|
|
45
|
+
* @param permission Permission identifier
|
|
46
|
+
*/
|
|
47
|
+
async hasPermission(user, permission) {
|
|
48
|
+
const userRoles = user.roles ?? (await this.getUserRoles(user.id));
|
|
49
|
+
for (const role of userRoles) {
|
|
50
|
+
const perms = await this.getRolePermissions(role);
|
|
51
|
+
if (perms.includes(permission))
|
|
52
|
+
return true;
|
|
53
|
+
}
|
|
54
|
+
return false;
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Fetch roles for a user, using cache when possible.
|
|
58
|
+
*/
|
|
59
|
+
async getUserRoles(userId) {
|
|
60
|
+
const cacheKey = `rbac:roles:${userId}`;
|
|
61
|
+
const cached = await this.cache.get(cacheKey);
|
|
62
|
+
if (cached)
|
|
63
|
+
return cached;
|
|
64
|
+
return [];
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Fetch permissions for a role, using cache when possible.
|
|
68
|
+
*/
|
|
69
|
+
async getRolePermissions(role) {
|
|
70
|
+
const cacheKey = `rbac:perms:${role}`;
|
|
71
|
+
const cached = await this.cache.get(cacheKey);
|
|
72
|
+
if (cached)
|
|
73
|
+
return cached;
|
|
74
|
+
return [];
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* Invalidate the role cache for a user.
|
|
78
|
+
*/
|
|
79
|
+
async invalidateUser(userId) {
|
|
80
|
+
await this.cache.del(`rbac:roles:${userId}`);
|
|
81
|
+
}
|
|
82
|
+
/**
|
|
83
|
+
* Invalidate the permission cache for a role.
|
|
84
|
+
*/
|
|
85
|
+
async invalidateRole(role) {
|
|
86
|
+
await this.cache.del(`rbac:perms:${role}`);
|
|
87
|
+
}
|
|
88
|
+
};
|
|
89
|
+
RbacService = __decorate([
|
|
90
|
+
Injectable(),
|
|
91
|
+
__param(0, Inject(CACHE_SERVICE)),
|
|
92
|
+
__metadata("design:paramtypes", [Object])
|
|
93
|
+
], RbacService);
|
|
94
|
+
export { RbacService };
|
|
95
|
+
//# sourceMappingURL=rbac.service.js.map
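Review bot: `hasRoles` and `hasPermission` call `.includes()` on `user.roles` and on whatever `this.cache.get()` returns without checking that the value is an array. If either is a string (a single-valued roles claim, or a cache entry stored as plain text), `String.prototype.includes` does a substring match, so a required role `'admin'` would match a stored value of `'superadmin'`. Guard both sources, e.g. `const userRoles = Array.isArray(user.roles) ? user.roles : await this.getUserRoles(user.id);` and `return Array.isArray(cached) ? cached : [];` in `getUserRoles` and `getRolePermissions`. Separately, both getters return `[]` on a cache miss and nothing visible here writes the `rbac:roles:` / `rbac:perms:` keys, so the cache appears to be the only source of role data and an evicted entry reads as "no roles"; that contract belongs in the method comments.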
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rbac.service.js","sourceRoot":"","sources":["../../../../packages/auth/authorization/rbac/rbac.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD;;;;;GAKG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAGH;IAFnB,YAEmB,KAAoB;QAApB,UAAK,GAAL,KAAK,CAAe;IACpC,CAAC;IAEJ;;;;;;OAMG;IACH,KAAK,CAAC,QAAQ,CAAC,IAAe,EAAE,KAAe,EAAE,UAAU,GAAG,KAAK;QACjE,IAAI,CAAC,KAAK,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAEnE,OAAO,UAAU;YACf,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,IAAe,EAAE,UAAkB;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAEnE,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;YAClD,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC9C,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,MAAc;QAC/B,MAAM,QAAQ,GAAG,cAAc,MAAM,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAW,QAAQ,CAAC,CAAC;QACxD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,IAAY;QACnC,MAAM,QAAQ,GAAG,cAAc,IAAI,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAW,QAAQ,CAAC,CAAC;QACxD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;CACF,CAAA;AAzEY,WAAW;IADvB,UAAU,EAAE;IAGR,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;;GAFb,WAAW,CAyEvB"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import type { IAuthUser } from '../interfaces';
|
|
2
|
+
/**
|
|
3
|
+
* Parameter decorator that extracts the authenticated user from the request.
|
|
4
|
+
*
|
|
5
|
+
* @example
|
|
6
|
+
* ```typescript
|
|
7
|
+
* // Returns the full IAuthUser object
|
|
8
|
+
* @Get('me')
|
|
9
|
+
* getProfile(@CurrentUser() user: IAuthUser) { … }
|
|
10
|
+
*
|
|
11
|
+
* // Returns only the email
|
|
12
|
+
* @Get('email')
|
|
13
|
+
* getEmail(@CurrentUser('email') email: string) { … }
|
|
14
|
+
* ```
|
|
15
|
+
*/
|
|
16
|
+
export declare const CurrentUser: (...dataOrPipes: (keyof IAuthUser | import("@nestjs/common").PipeTransform<any, any> | import("@nestjs/common").Type<import("@nestjs/common").PipeTransform<any, any>> | undefined)[]) => ParameterDecorator;
|
|
17
|
+
//# sourceMappingURL=current-user.decorator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../../packages/auth/decorators/current-user.decorator.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE/C;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,WAAW,8MAOvB,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import { createParamDecorator } from '@nestjs/common';
|
|
2
|
+
/**
|
|
3
|
+
* Parameter decorator that extracts the authenticated user from the request.
|
|
4
|
+
*
|
|
5
|
+
* @example
|
|
6
|
+
* ```typescript
|
|
7
|
+
* // Returns the full IAuthUser object
|
|
8
|
+
* @Get('me')
|
|
9
|
+
* getProfile(@CurrentUser() user: IAuthUser) { … }
|
|
10
|
+
*
|
|
11
|
+
* // Returns only the email
|
|
12
|
+
* @Get('email')
|
|
13
|
+
* getEmail(@CurrentUser('email') email: string) { … }
|
|
14
|
+
* ```
|
|
15
|
+
*/
|
|
16
|
+
export const CurrentUser = createParamDecorator((key, ctx) => {
|
|
17
|
+
const request = ctx.switchToHttp().getRequest();
|
|
18
|
+
const user = request.user;
|
|
19
|
+
if (!user)
|
|
20
|
+
return undefined;
|
|
21
|
+
return key ? user[key] : user;
|
|
22
|
+
});
|
|
23
|
+
//# sourceMappingURL=current-user.decorator.js.map
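Review bot: The comment on `CurrentUser` does not mention that the decorator yields `undefined` when `request.user` is unset (`if (!user) return undefined;`), which is presumably what a handler on a route marked `@Public()` receives. I would add a line such as `Resolves to undefined when no authenticated user is attached to the request; handlers must handle that case.` It is also worth stating that the request is read through `ctx.switchToHttp()`, so only HTTP contexts are covered.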
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"current-user.decorator.js","sourceRoot":"","sources":["../../../packages/auth/decorators/current-user.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAyB,MAAM,gBAAgB,CAAC;AAG7E;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,oBAAoB,CAC7C,CAAC,GAAgC,EAAE,GAAqB,EAAW,EAAE;IACnE,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwB,CAAC;IACtE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAChC,CAAC,CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../packages/auth/decorators/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../packages/auth/decorators/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Mark a route handler or controller as publicly accessible
|
|
3
|
+
* (bypasses the global AuthGuard).
|
|
4
|
+
*
|
|
5
|
+
* @example
|
|
6
|
+
* ```typescript
|
|
7
|
+
* @Public()
|
|
8
|
+
* @Get('login')
|
|
9
|
+
* login() { … }
|
|
10
|
+
* ```
|
|
11
|
+
*/
|
|
12
|
+
export declare const Public: () => import("@nestjs/common").CustomDecorator<string>;
|
|
13
|
+
//# sourceMappingURL=public.decorator.d.ts.map
|