npm - @pcg/auth - Versions diffs - 1.0.0-alpha.2 → 1.0.0-alpha.3 - Mend

@pcg/auth 1.0.0-alpha.2 → 1.0.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +570 -52
package/dist/{functional-scopes-CsZNJMXW.js → functional-scopes-COiTBSy_.js} +2 -19
package/dist/functional-scopes-COiTBSy_.js.map +1 -0
package/dist/{functional-scopes-DygK315q.d.ts → functional-scopes-ut8Z6MmG.d.ts} +2 -17
package/dist/functional-scopes-ut8Z6MmG.d.ts.map +1 -0
package/dist/index.d.ts +3 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.js +31 -30
package/dist/index.js.map +1 -1
package/dist/scopes.d.ts +2 -2
package/dist/scopes.js +2 -2
package/package.json +6 -6
package/dist/functional-scopes-CsZNJMXW.js.map +0 -1
package/dist/functional-scopes-DygK315q.d.ts.map +0 -1

package/README.md CHANGED Viewed

@@ -1,84 +1,602 @@
-# @deep/auth
+# @pcg/auth
-### Quick Start
+Authorization library for checking user access rights. Supports a flexible permission system with scopes, wildcard access, and NestJS integration.
-Install npm package
+## Installation
-```tsx
-npm i @deep/auth --save
+```bash
+npm i @pcg/auth
 ```
-Use `isGranted` helper to check access rights.
+## Quick Start
-```jsx
-import { isGranted } from '@deep/auth'
-isGranted(user, 'js:episodes:create'); // boolean
+```typescript
+import { isGranted, resolvePermissions } from '@pcg/auth';
+import * as s from '@pcg/auth/scopes';
+// Prepare user object
+const user = {
+  id: 'hcu:2x6g7l8n9op',
+  permissions: ['js:core:episodes[org#hcorg:company1]:get'],
+  resolvedPermissions: resolvePermissions(['js:core:episodes[org#hcorg:company1]:get']),
+};
+// Check access
+isGranted(user, 'js:core:episodes:get', s.org('hcorg:company1')); // true
+isGranted(user, 'js:core:episodes:get', s.org('hcorg:other'));    // false
+```
+## Exports
+The library provides two entry points:
+| Import | Description |
+|--------|-------------|
+| `@pcg/auth` | Core functions: `isGranted`, `resolvePermissions`, `ActionScopes`, `ScopesBulder`, types |
+| `@pcg/auth/scopes` | Functional scope builders: `org`, `id`, `user`, `and`, `anyScope`, etc. |
+---
+## Permission String Format
+**Pattern**: `<service>:<module>:<resource>[scopes]:<action>`
+| Component | Description | Examples |
+|-----------|-------------|----------|
+| service | Application identifier | `js`, `tl`, `bo`, `*` |
+| module | Module within the service | `core`, `mam`, `*` |
+| resource | Entity type | `episodes`, `users`, `roles` |
+| scopes | Constraints (optional) | `[org]`, `[org,published]`, `[org+published]` |
+| action | Operation | `get`, `list`, `create`, `update`, `delete`, `*` |
+### Permission String Examples
+```typescript
+'js:core:episodes:get'                      // No scopes — full access to the action
+'js:core:episodes[org]:get'                 // Restricted to organization
+'js:core:episodes[org,published]:get'       // OR — needs ANY of the scopes
+'js:core:episodes[org+published]:get'       // AND — needs ALL scopes
+'js:core:episodes[org#hcorg:company1]:get'  // Bound to a specific organization
+'js:*:*:*'                                  // Wildcard — all actions in the service
+'*:*:*:*'                                   // Super admin — everything
+```
+---
+## Scope Logic
+### OR Logic (comma `,`)
+User is granted access if the action scope matches **any** of their scopes.
+```typescript
+// Permission: 'js:core:episodes[org,published]:get'
+// Resolved scopes: ['org', 'published']
+isGranted(user, 'js:core:episodes:get', ['org']);       // true
+isGranted(user, 'js:core:episodes:get', ['published']); // true
+isGranted(user, 'js:core:episodes:get', ['draft']);     // false
+```
+### AND Logic (plus `+`)
+User is granted access **only** if the action scope contains **all** specified scopes.
+```typescript
+// Permission: 'js:core:episodes[org+published]:get'
+// Resolved scopes: [['org', 'published']]  ← array within array
+isGranted(user, 'js:core:episodes:get', ['org']);                  // false
+isGranted(user, 'js:core:episodes:get', [['org', 'published']]);   // true
+```
+### Mixed Logic
+```typescript
+// Permission: 'js:core:episodes[published,org+draft]:get'
+// Resolved scopes: ['published', ['org', 'draft']]
+// Access granted if:
+//   - scope is 'published', OR
+//   - both 'org' AND 'draft' scopes
+isGranted(user, 'js:core:episodes:get', ['published']);       // true
+isGranted(user, 'js:core:episodes:get', [['org', 'draft']]);  // true
+isGranted(user, 'js:core:episodes:get', ['org']);              // false
+```
+### Scope ID (hash `#`)
+Scopes can include a binding to a specific entity ID.
+```typescript
+// Permission: 'js:core:episodes[org#hcorg:company1]:get'
+isGranted(user, 'js:core:episodes:get', ['org#hcorg:company1']); // true
+isGranted(user, 'js:core:episodes:get', ['org#hcorg:company2']); // false
+```
+### Wildcard (`*`)
+The `['*']` action scope bypasses scope checking.
+```typescript
+isGranted(user, 'js:core:episodes:get', ['*']); // true — if user has the permission with any scope
+```
+### Results Matrix
+| User Permission | Action Scopes | Result |
+|-----------------|---------------|--------|
+| `episodes:get` (no scopes) | any | `true` |
+| `episodes[org]:get` | `['org']` | `true` |
+| `episodes[org]:get` | `['published']` | `false` |
+| `episodes[org]:get` | `[]` (empty) | `false` |
+| `episodes[org]:get` | `['*']` | `true` |
+| `episodes[org,published]:get` | `['org']` | `true` |
+| `episodes[org+published]:get` | `['org']` | `false` |
+| `episodes[org+published]:get` | `[['org', 'published']]` | `true` |
+| `episodes[org#hcorg:A]:get` | `['org#hcorg:A']` | `true` |
+| `episodes[org#hcorg:A]:get` | `['org#hcorg:B']` | `false` |
+| `js:*:*:*` | any | `true` |
+---
+## Types
+### IUser
+The user object must contain `resolvedPermissions`:
+```typescript
+interface IUser {
+  id: string;                                         // 'hcu:2x6g7l8n9op'
+  permissions: readonly string[];                     // Raw permission strings
+  resolvedPermissions: ReadonlyResolvedPermission[];  // Parsed permissions
+}
+```
+### ResolvedPermission
+```typescript
+interface ResolvedPermission {
+  id: string;                      // Permission without scope brackets
+  scopes: (string | string[])[];   // Parsed scopes
+}
+// Examples:
+// 'js:core:episodes[org,published]:get'
+//   → { id: 'js:core:episodes:get', scopes: ['org', 'published'] }
+//
+// 'js:core:episodes[org+published]:get'
+//   → { id: 'js:core:episodes:get', scopes: [['org', 'published']] }
+```
+---
+## API
+### `isGranted(user, permission, actionScopes?)`
+Main function for checking access. Returns `boolean`.
+```typescript
+import { isGranted } from '@pcg/auth';
+import * as s from '@pcg/auth/scopes';
+// Without scopes
+isGranted(user, 'js:core:episodes:get');
+// With single scope (no array needed)
+isGranted(user, 'js:core:episodes:get', s.org('hcorg:company1'));
+// With wildcard
+isGranted(user, 'js:core:episodes:list', s.anyScope());
+```
+### `resolvePermission(permission)`
+Parses a single permission string into an object.
+```typescript
+import { resolvePermission } from '@pcg/auth';
+resolvePermission('js:core:episodes[org,published]:get');
+// { id: 'js:core:episodes:get', scopes: ['org', 'published'] }
+resolvePermission('js:core:episodes[org+published]:get');
+// { id: 'js:core:episodes:get', scopes: [['org', 'published']] }
+```
+### `resolvePermissions(permissions)`
+Parses an array of permission strings. Matching IDs are merged — their scopes are combined.
+```typescript
+import { resolvePermissions } from '@pcg/auth';
+resolvePermissions([
+  'js:core:episodes[org]:get',
+  'js:core:episodes[published]:get',
+]);
+// [{ id: 'js:core:episodes:get', scopes: ['org', 'published'] }]
+```
+### `mergeResolvedPermissions(array1, array2)`
+Merges two arrays of resolved permissions. Empty scopes (`[]`) mean full access and take precedence when merging.
+```typescript
+import { mergeResolvedPermissions } from '@pcg/auth';
+mergeResolvedPermissions(
+  [{ id: 'js:core:episodes:get', scopes: ['org#hci'] }],
+  [{ id: 'js:core:episodes:get', scopes: ['org#dv'] }],
+);
+// [{ id: 'js:core:episodes:get', scopes: ['org#hci', 'org#dv'] }]
+// Empty scopes = full access
+mergeResolvedPermissions(
+  [{ id: 'js:core:episodes:get', scopes: ['org#hci'] }],
+  [{ id: 'js:core:episodes:get', scopes: [] }],
+);
+// [{ id: 'js:core:episodes:get', scopes: [] }]
+```
+### `encodeScopes(scopes)`
+Converts a scopes array back to string format.
+```typescript
+import { encodeScopes } from '@pcg/auth';
+encodeScopes(['org#xxx', 'user#xxx']);
+// '[org#xxx,user#xxx]'
+encodeScopes([['org#xxx', 'published']]);
+// '[org#xxx+published]'
+```
+### `injectScopesIntoPermission(permission, scopes)`
+Adds scopes to a permission string.
+```typescript
+import { injectScopesIntoPermission } from '@pcg/auth';
+injectScopesIntoPermission('js:core:episodes:create', ['org']);
+// 'js:core:episodes[org]:create'
+injectScopesIntoPermission('js:core:episodes[org]:create', ['shared']);
+// 'js:core:episodes[org,shared]:create'
+```
+### `replaceScope(scopes, from, to)`
+Replaces specific scope values in an array.
+```typescript
+import { replaceScope } from '@pcg/auth';
+replaceScope(['assigned'], 'assigned', 'brand#brd:xxx');
+// ['brand#brd:xxx']
+// Works with AND scopes
+replaceScope([['assigned', 'lang']], 'assigned', 'brand#brd:xxx');
+// [['brand#brd:xxx', 'lang']]
+// Sequential replacement
+let scopes = [['assigned', 'lang']];
+scopes = replaceScope(scopes, 'assigned', 'brand#brd:xxx');
+scopes = replaceScope(scopes, 'lang', 'lang#en');
+// [['brand#brd:xxx', 'lang#en']]
 ```
-### Resolved Permissions
+---
+## Functional Scope Builders (recommended)
-User object `user` must contain `resolvedPemissions` array with array of objects:
+Imported from `@pcg/auth/scopes`. Pure functions with no classes — convenient for inline use.
-```tsx
-user.resolvedPermission = [
- {
-  id: "js:episodes:get",
-   scopes: []
- },
- {
-  id: "js:episodes:list",
-  scopes: ["published"]
- }
-],
+`isGranted` accepts a single scope string directly or an array for multiple scopes.
+```typescript
+import * as s from '@pcg/auth/scopes';
 ```
-But, is real life we store permissions in database as array of string, like this:
+### Available Functions
+| Function | Returns | Example |
+|----------|---------|---------|
+| `s.anyScope()` | `ActionScopesArray` | `s.anyScope()` → `['*']` |
+| `s.org(id)` | `string` | `s.org('jsorg:hci')` → `'org#jsorg:hci'` |
+| `s.id(entityId)` | `string` | `s.id('ep:123')` → `'id#ep:123'` |
+| `s.user(id)` | `string` | `s.user('hcu:xxx')` → `'user#hcu:xxx'` |
+| `s.form(id)` | `string` | `s.form('contact')` → `'form#contact'` |
+| `s.group(id)` | `string` | `s.group('hcgrp:ZT9')` → `'grp#hcgrp:ZT9'` |
+| `s.scope(name, id?)` | `string` | `s.scope('orggroup', 'hcgrp:ZT9')` → `'orggroup#hcgrp:ZT9'` |
+| `s.and(...items)` | `string[]` | `s.and(s.org('hci'), 'published')` → `['org#hci', 'published']` |
+### Usage Examples
+```typescript
+import * as s from '@pcg/auth/scopes';
+import { isGranted } from '@pcg/auth';
+// Single scope — no array needed
+isGranted(user, 'js:core:brands:update', s.org(brand.orgId));
-```tsx
-[
- "js:episodes:get",
- "js:episodes[@published]:list"
-]
+// Multiple scopes (OR) — use array
+isGranted(user, 'js:core:episodes:get', [s.org(episode.orgId), s.id(episode.id)]);
+// AND scopes (reuse variable)
+const org = s.org(episode.orgId);
+isGranted(user, 'js:core:episodes:get', [org, s.and(org, 'published')]);
+// Wildcard
+isGranted(user, 'js:core:episodes:list', s.anyScope());
+// Custom scope
+isGranted(user, 'js:mam:episodes:create', s.scope('action', 'approve'));
 ```
-Library has special helper, to resolve permissions:
+---
+## ActionScopes (legacy)
+The `ActionScopes` class is still supported for backward compatibility. Use functional scope builders for new code.
-```tsx
-import { resolvePermissions } from '@deep/auth';
+```typescript
+import { ActionScopes, isGranted } from '@pcg/auth';
-const permissions = [
- "js:episodes:get",
- "js:episodes[@published]:list"
-]
+const scopes = new ActionScopes();
+scopes.set('org', 'hcorg:company1');    // org#hcorg:company1
+scopes.set('org+published');            // AND: ['org#hcorg:company1', 'published']
+scopes.setEntityId('jse:episode123');   // id#jse:episode123
-user.resolvedPermission = resolvePermissions(permissions)
+isGranted(user, 'js:core:episodes:get', scopes);
 ```
-### Permission Context
+---
-Some users don't have full access to action, but have access in some execution context. For example, user dont have permission to all episodes, but have permission only to published episodes.
+## ScopesBulder
-In this case we determinate execution context. If user fetch only published episodes, we set scope to `published`. If user has special permission `js:episodes[@published]:list` he will obtain access to this action.
+Utility for building complex scope combinations.
-```tsx
-import { isGranted, PermissionContext } from '@deep/auth';
-const ctx = new PermissionContext();
+```typescript
+import { ScopesBulder } from '@pcg/auth';
-if (filter.published) {
- ctx.addScope('published');
+const builder = new ScopesBulder();
+// Add scopes
+builder.append('org#hci');
+builder.extend(['org#hci', 'org#dv']);
+// Join — creates AND combinations (cartesian product)
+builder.extend(['published', 'draft']);
+builder.join('org#hcc', 'before');
+// [['org#hcc', 'published'], ['org#hcc', 'draft']]
+// Replace prefix
+builder.replacePrefix('org', 'id');
+// ['org#hcorg:hci'] → ['id#hcorg:hci']
+// Clone and build
+const clone = builder.clone();
+const scopes = builder.build();
+```
+### Example: Multi-language, multi-org access
+```typescript
+const builder = new ScopesBulder();
+builder.extend(['org#hci', 'org#dv']);
+builder.join(['lang#en', 'lang#de']);
+builder.build();
+// [
+//   ['org#hci', 'lang#en'],
+//   ['org#hci', 'lang#de'],
+//   ['org#dv', 'lang#en'],
+//   ['org#dv', 'lang#de'],
+// ]
+```
+---
+## NestJS Integration
+### Basic CRUD
+```typescript
+import * as s from '@pcg/auth/scopes';
+@Resolver(() => Episode)
+@UseGuards(GraphQLJwtAuthGuard, GraphQLPermissionsGuard)
+export class EpisodesResolver {
+  @Query(() => Episode)
+  @UsePermission('js:core:episodes:get')
+  async episode(
+    @Args('id') id: string,
+    @ActionContextParam() ctx: ActionContext,
+  ) {
+    const episode = await this.episodesService.findOne(id);
+    ctx.validateAccess(
+      'js:core:episodes:get',
+      [s.org(episode.organizationId), s.id(episode.id)],
+    );
+    return episode;
+  }
 }
+```
+### Two-Level Permission Check
+1. **`@UsePermission()`** — guard checks whether the user has access to the action with **any** scope (uses `['*']` wildcard)
+2. **`ctx.validateAccess()`** — inside the resolver, checks **specific scopes** for the given entity
+```typescript
+import * as s from '@pcg/auth/scopes';
+@Mutation(() => Episode)
+@UsePermission('js:mam:episodes:update')  // Step 1: does the user have this permission at all?
+async updateEpisode(
+  @Args('input') input: UpdateEpisodeInput,
+  @ActionContextParam() ctx: ActionContext,
+) {
+  const episode = await this.episodeService.findOne(input.id);
-isGranted(user, 'js:episodes:list'); // boolean
+  // Step 2: check the specific scope
+  ctx.validateAccess(
+    'js:mam:episodes:update',
+    s.org(episode.organizationId),
+  );
+  // If the episode belongs to company2 but the user only has access to company1 — throws an error
+  return this.episodeService.update(input, ctx);
+}
+```
+### `ctx.validateAccess()` vs `ctx.isGranted()`
+| Method | Behavior | When to use |
+|--------|----------|-------------|
+| `ctx.validateAccess()` | Throws an error if access is denied | When access is mandatory |
+| `ctx.isGranted()` | Returns `boolean` | When branching logic is needed |
+```typescript
+// validateAccess — throws if access is denied
+ctx.validateAccess('js:core:episodes:get', s.org(episode.orgId));
+// isGranted — for conditional logic
+if (ctx.isGranted('js:core:episodes:list', s.anyScope())) {
+  return this.episodeService.findAll();
+}
+```
+### Conditional Access: Full vs Scoped
+```typescript
+import * as s from '@pcg/auth/scopes';
+@Query(() => [Episode])
+@UsePermission('js:mam:episodes:list')
+async episodes(@ActionContextParam() ctx: ActionContext) {
+  // Admin: full access (permission without scopes)
+  if (ctx.isGranted('js:mam:episodes:list', s.anyScope())) {
+    return this.episodeService.findAll();
+  }
+  // User: organization-scoped access
+  if (ctx.isGranted(
+    'js:mam:episodes:list',
+    s.org(ctx.user.organizationId),
+  )) {
+    return this.episodeService.findByOrg(ctx.user.organizationId);
+  }
+  return [];
+}
+```
+### Status-Based Access (published/draft)
+```typescript
+import * as s from '@pcg/auth/scopes';
+// Permission: 'js:mam:episodes[org+published]:get'
+// Can only view published episodes within their organization
+async getEpisode(id: string, ctx: ActionContext) {
+  const episode = await this.repository.findOne(id);
+  const org = s.org(episode.organizationId);
+  const items: s.ScopeItem[] = [org];
+  if (episode.status === 'published') {
+    items.push('published', s.and(org, 'published'));
+  } else if (episode.status === 'draft') {
+    items.push('draft', s.and(org, 'draft'));
+  }
+  ctx.validateAccess('js:mam:episodes:get', items);
+  return episode;
+}
 ```
-Otherwise, we can build query based on user rights. In this case, we add system roles if user have special permission.
+### Public Resources
+```typescript
+import * as s from '@pcg/auth/scopes';
+// AUTHORIZED: 'tl:core:forms[public]:get'
+// ORGANIZATION_ADMIN: 'tl:core:forms[assigned-org]:get' → resolved to org#tlorg:xxx
-```tsx
-import { isGranted } from '@deep/auth'
-if(isGranted(user, 'js:roles:get', { scopes: ['system'] })) {
- where.or.push({
-    type: 'system'
-  })
+@Query(() => Form)
+@UsePermission('tl:core:forms:get')
+async form(
+  @Args() input: FetchFormInput,
+  @ActionContextParam() ctx: ActionContext,
+) {
+  const form = await this.formsService.getOneByOrFail(input, ctx);
+  const items: s.ScopeItem[] = [
+    s.org(form.organizationId),
+    s.id(form.id),
+  ];
+  if (form.audienceType === FormAudienceType.PUBLIC) {
+    items.push('public');
+  }
+  ctx.validateAccess('tl:core:forms:get', items);
+  return form;
 }
 ```
+---
+## Preparing the User Object
+Permission strings are stored in the database as an array of strings. Before checking access, they must be parsed into `resolvedPermissions`:
+```typescript
+import { resolvePermissions } from '@pcg/auth';
+const rawPermissions = [
+  'js:core:episodes[org]:get',
+  'js:core:episodes[published]:get',
+  'js:core:episodes[org]:create',
+  'js:mam:*[org]:*',
+];
+const user = {
+  id: 'hcu:2x6g7l8n9op',
+  permissions: rawPermissions,
+  resolvedPermissions: resolvePermissions(rawPermissions),
+};
+// resolvedPermissions:
+// [
+//   { id: 'js:core:episodes:get', scopes: ['org', 'published'] },
+//   { id: 'js:core:episodes:create', scopes: ['org'] },
+//   { id: 'js:mam:*:*', scopes: ['org'] },
+// ]
+```
+---
+## Best Practices
+1. **Permission naming**: lowercase with colons — `js:core:episodes:get`
+2. **Standard actions**: `get`, `list`, `create`, `update`, `delete`
+3. **Scopes**: use `org` for organization, `id#` for entity
+4. **Functional builders**: prefer `@pcg/auth/scopes` over the `ActionScopes` class
+5. **Checks in resolvers**: all scope checks should be done in the resolver, NOT in the service layer
+6. **`@UsePermission`**: for basic access control at the guard level
+7. **`ctx.validateAccess()`**: for scope-specific checks inside the resolver
+8. **Do not use** `assigned-org`, `assigned-form`, `assigned-group` in action scopes — these are meant for role definitions and are automatically resolved to `org#xxx` / `id#xxx`

package/dist/{functional-scopes-CsZNJMXW.js → functional-scopes-COiTBSy_.js} RENAMED Viewed

@@ -1,22 +1,5 @@
 //#region src/permissions/functional-scopes.ts
 /**
-* Create an ActionScopesArray from individual scope items.
-*
-* @example
-* scopes(org('jsorg:hci'))
-* // => ['org#jsorg:hci']
-*
-* scopes(org('jsorg:hci'), entityId('ep:123'))
-* // => ['org#jsorg:hci', 'id#ep:123']
-*
-* const o = org('jsorg:hci');
-* scopes(o, and(o, 'published'))
-* // => ['org#jsorg:hci', ['org#jsorg:hci', 'published']]
-*/
-function scopes(...items) {
-	return items;
-}
-/**
 * Create a wildcard scope that matches any permission scope.
 *
 * @example
@@ -92,5 +75,5 @@ function and(...items) {
 }
 //#endregion
-export { id as a, scopes as c, group as i, user as l, anyScope as n, org as o, form as r, scope as s, and as t };
-//# sourceMappingURL=functional-scopes-CsZNJMXW.js.map
+export { id as a, user as c, group as i, anyScope as n, org as o, form as r, scope as s, and as t };
+//# sourceMappingURL=functional-scopes-COiTBSy_.js.map

package/dist/functional-scopes-COiTBSy_.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"functional-scopes-COiTBSy_.js","names":["id"],"sources":["../src/permissions/functional-scopes.ts"],"sourcesContent":["import { type ActionScopesArray } from './action-scopes.js';\n\nexport type ScopeItem = string | string[];\n\n/**\n * Create a wildcard scope that matches any permission scope.\n *\n * @example\n * isGranted(user, 'js:core:episodes:list', anyScope())\n */\nexport function anyScope(): ActionScopesArray {\n return ['*'];\n}\n\n/**\n * Create an organization scope.\n *\n * @example\n * org('jsorg:hci') // => 'org#jsorg:hci'\n */\nexport function org(id: string): string {\n return `org#${id}`;\n}\n\n/**\n * Create an entity id scope.\n *\n * @example\n * id('ep:123') // => 'id#ep:123'\n */\nexport function id(entityId: string): string {\n return `id#${entityId}`;\n}\n\n/**\n * Create a user scope.\n *\n * @example\n * user('hcu:xxx') // => 'user#hcu:xxx'\n */\nexport function user(id: string): string {\n return `user#${id}`;\n}\n\n/**\n * Create a form scope.\n *\n * @example\n * form('contact') // => 'form#contact'\n */\nexport function form(id: string): string {\n return `form#${id}`;\n}\n\n/**\n * Create a group scope.\n *\n * @example\n * group('hcgrp:ZT9') // => 'grp#hcgrp:ZT9'\n */\nexport function group(id: string): string {\n return `grp#${id}`;\n}\n\n/**\n * Create a named scope with an optional ID.\n *\n * @example\n * scope('published') // => 'published'\n * scope('orggroup', 'hcgrp:ZT9mt8j9lSR') // => 'orggroup#hcgrp:ZT9mt8j9lSR'\n */\nexport function scope(name: string, id?: string): string {\n return id ? `${name}#${id}` : name;\n}\n\n/**\n * Combine multiple scopes with AND logic (all must match).\n *\n * @example\n * and(org('jsorg:hci'), 'published')\n * // => ['org#jsorg:hci', 'published']\n */\nexport function and(...items: string[]): string[] {\n return items;\n}\n"],"mappings":";;;;;;;AAUA,SAAgB,WAA8B;AAC5C,QAAO,CAAC,IAAI;;;;;;;;AASd,SAAgB,IAAI,MAAoB;AACtC,QAAO,OAAOA;;;;;;;;AAShB,SAAgB,GAAG,UAA0B;AAC3C,QAAO,MAAM;;;;;;;;AASf,SAAgB,KAAK,MAAoB;AACvC,QAAO,QAAQA;;;;;;;;AASjB,SAAgB,KAAK,MAAoB;AACvC,QAAO,QAAQA;;;;;;;;AASjB,SAAgB,MAAM,MAAoB;AACxC,QAAO,OAAOA;;;;;;;;;AAUhB,SAAgB,MAAM,MAAc,MAAqB;AACvD,QAAOA,OAAK,GAAG,KAAK,GAAGA,SAAO;;;;;;;;;AAUhC,SAAgB,IAAI,GAAG,OAA2B;AAChD,QAAO"}

package/dist/{functional-scopes-DygK315q.d.ts → functional-scopes-ut8Z6MmG.d.ts} RENAMED Viewed

@@ -55,21 +55,6 @@ declare class ActionScopes {
 //#endregion
 //#region src/permissions/functional-scopes.d.ts
 type ScopeItem = string | string[];
-/**
- * Create an ActionScopesArray from individual scope items.
- *
- * @example
- * scopes(org('jsorg:hci'))
- * // => ['org#jsorg:hci']
- *
- * scopes(org('jsorg:hci'), entityId('ep:123'))
- * // => ['org#jsorg:hci', 'id#ep:123']
- *
- * const o = org('jsorg:hci');
- * scopes(o, and(o, 'published'))
- * // => ['org#jsorg:hci', ['org#jsorg:hci', 'published']]
- */
-declare function scopes(...items: ScopeItem[]): ActionScopesArray;
 /**
  * Create a wildcard scope that matches any permission scope.
  *
@@ -129,5 +114,5 @@ declare function scope(name: string, id?: string): string;
  */
 declare function and(...items: string[]): string[];
 //#endregion
-export { group as a, scope as c, ActionScopes as d, ActionScopesArray as f, form as i, scopes as l, and as n, id as o, anyScope as r, org as s, ScopeItem as t, user as u };
-//# sourceMappingURL=functional-scopes-DygK315q.d.ts.map
+export { group as a, scope as c, ActionScopesArray as d, form as i, user as l, and as n, id as o, anyScope as r, org as s, ScopeItem as t, ActionScopes as u };
+//# sourceMappingURL=functional-scopes-ut8Z6MmG.d.ts.map

package/dist/functional-scopes-ut8Z6MmG.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"functional-scopes-ut8Z6MmG.d.ts","names":[],"sources":["../src/permissions/action-scopes.ts","../src/permissions/functional-scopes.ts"],"sourcesContent":[],"mappings":";KAAY,iBAAA;AAAZ;AAMA;;;AA6Dc,cA7DD,YAAA,CA6DC;EAAiB,KAAA,EA5Df,iBA4De;;;uBAxDR;ECTX;AAQZ;AAUA;AAUA;AAUA;AAUA;AAUA;AAWA;AAWA;;;;;;;;;;;;;;;;;;cDfc;;;;;;;;;;;;;;;;;;;AAnEF,KCEA,SAAA,GDFiB,MAAA,GAAA,MAAA,EAAA;AAM7B;;;;;;iBCIgB,QAAA,CAAA,GAAY;;AAR5B;AAQA;AAUA;AAUA;AAUA;AAUgB,iBA9BA,GAAA,CA8BI,EAAA,EAAA,MAAA,CAAA,EAAA,MAAA;AAUpB;AAWA;AAWA;;;;iBApDgB,EAAA;;;;;;;iBAUA,IAAA;;;;;;;iBAUA,IAAA;;;;;;;iBAUA,KAAA;;;;;;;;iBAWA,KAAA;;;;;;;;iBAWA,GAAA"}

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { a as group, c as scope, d as ActionScopes, f as ActionScopesArray, i as form, l as scopes, n as and, o as id, r as anyScope, s as org, t as ScopeItem, u as user } from "./functional-scopes-DygK315q.js";
+import { a as group, c as scope, d as ActionScopesArray, i as form, l as user, n as and, o as id, r as anyScope, s as org, t as ScopeItem, u as ActionScopes } from "./functional-scopes-ut8Z6MmG.js";
 //#region src/types/permissions.d.ts
@@ -72,7 +72,7 @@ interface IUser {
  * @param actionScopes - action scopes (e.g. ['org#hcorg:hci'] or ActionScopes instance)
  * @returns - true if user has access to permission
  */
-declare const isGranted: (user: IUser, permission: string, actionScopes?: ActionScopesArray | ActionScopes) => boolean;
+declare const isGranted: (user: IUser, permission: string, actionScopes?: ActionScopesArray | ActionScopes | string) => boolean;
 declare const encodeScopes: (scopes: (string | string[])[]) => string;
 /**
  * Inject scopes into permission
@@ -190,5 +190,5 @@ declare class ScopesBulder {
   replacePrefix(from: string, to: string): void;
 }
 //#endregion
-export { ActionScopes, ActionScopesArray, IUser, ReadonlyResolvedPermission, ResolvedPermission, ResolvedPermissionGroup, ScopeItem, ScopesBulder, and, anyScope, concatScopes, encodeScopes, form, group, id, injectScopesIntoPermission, isGranted, mergeResolvedPermissions, org, replaceScope, resolvePermission, resolvePermissionGroup, resolvePermissionGroups, resolvePermissions, scope, scopes, user };
+export { ActionScopes, ActionScopesArray, IUser, ReadonlyResolvedPermission, ResolvedPermission, ResolvedPermissionGroup, ScopeItem, ScopesBulder, and, anyScope, concatScopes, encodeScopes, form, group, id, injectScopesIntoPermission, isGranted, mergeResolvedPermissions, org, replaceScope, resolvePermission, resolvePermissionGroup, resolvePermissionGroups, resolvePermissions, scope, user };
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/permissions.ts","../src/types/user.ts","../src/permissions/helpers.ts","../src/permissions/scopes-bulder.ts"],"sourcesContent":[],"mappings":";;;;;;;AAKA;AAUA;AAKiB,UAfA,kBAAA,CAe0B;;;;AClB3C;;;;~~ACoCA~~;AACQ,~~UFxBS~~,uBAAA,~~CEwBT~~;EAEQ,EAAA,EAAA,MAAA;EAAoB,MAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA;;AAgCvB,~~UFrDI~~,0BAAA,~~CE2DhB~~;EAWY,SAAA,EAAA,EAAA,MAAA;EAqBA,SAAA,MAqBZ,EAAA,SAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA;AAUD;;;~~UD5IiB~~,KAAA;;ADGjB;AAUA;AAKA;;;;EClBiB,EAAA,EAAA,MAAK;;;;~~ACoCtB~~;;;;~~EAGqD~~,WAAA,EAAA,SAAA,MAAA,EAAA;~~EAgCxC~~;AAiBb;AAqBA;AA+BA;AAkCA;AAiCA;AAaA;AAOA;;;EAE8B,mBAAA,~~EDxMP~~,~~0BCwMO~~,EAAA;;;;~~AFlO9B~~;AAUA;AAKA;;;;AClBA;;;;~~ACoCA~~;;;;;AAmCa,cAnCA,SAyCZ,EAAA,CAAA,IAAA,EAxCO,KAwCP,EAAA,UAAA,EAAA,MAAA,EAAA,YAAA,CAAA,EAtCe,iBAsCf,GAtCmC,YAsCnC,EAAA,GAAA,OAAA;AAWY,cAjBA,YA4BZ,EAAA,CAAA,MAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,MAAA;AAUD;AA+BA;AAkCA;AAiCA;AAaA;AAOA;;;;AAE8B,cA7IjB,0BA6IiB,EAAA,CAAA,UAAA,EAAA,MAAA,EAAA,cAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,MAAA;AAmD9B;;;;~~ACxRA~~;;;;AAmCyC,~~cD0E5B~~,~~YC1E4B~~,EAAA,CAAA,GAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,KAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,IAAA;;;;;;;;;~~cDyG5B~~,2CAA0C;;;;;;;;;cAkC1C,+CAEV;;;;;;;;;cA+BU,qDAAiD;;;;;;;;;cAajD,yDAEV;cAKU,mCACH,8BACA,yBAAoB;;;;;;;;;;;cAmDjB;;;;;~~cCxRA~~,YAAA;;;EHGI,OAAA,UAAA,CAAA,OAAkB,EGAN,YHAM,CAAA,EGAM,YHAN;EAUlB,KAAA,CAAA,CAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAuB,CAAA,EAAA;EAKvB,KAAA,CAAA,CAAA,EGPV,YHOU;;;;AClBjB;;;;~~ACoCA~~;;EAGgB,MAAA,CAAA,KAAA,EAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAoB;;AAgCpC;AAiBA;AAqBA;AA+BA;AAkCA;EAiCa,MAAA,CAAA,MAAA,EAAA,CAAA,MAAA,GAGZ,MAAA,EAAA,CAAA,EAAA,~~GC/KwC~~,~~YD4KqB~~,CAAA,EAAA,IAG7D;EAUY;AAOb;;;;;AAqDA;;;;~~ECxRa~~"}
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/permissions.ts","../src/types/user.ts","../src/permissions/helpers.ts","../src/permissions/scopes-bulder.ts"],"sourcesContent":[],"mappings":";;;;;;;AAKA;AAUA;AAKiB,UAfA,kBAAA,CAe0B;;;;AClB3C;;;;ACwCA;AACQ,UF5BS,uBAAA,CE4BT;EAEQ,EAAA,EAAA,MAAA;EAAoB,MAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA;;AAgCvB,UFzDI,0BAAA,CE+DhB;EAWY,SAAA,EAAA,EAAA,MAAA;EAqBA,SAAA,MAqBZ,EAAA,SAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA;AAUD;;;UDhJiB,KAAA;;ADGjB;AAUA;AAKA;;;;EClBiB,EAAA,EAAA,MAAK;;;;ACwCtB;;;;EAGgD,WAAA,EAAA,SAAA,MAAA,EAAA;EAgCnC;AAiBb;AAqBA;AA+BA;AAkCA;AAiCA;AAaA;AAOA;;;EAE8B,mBAAA,ED5MP,0BC4MO,EAAA;;;;AFtO9B;AAUA;AAKA;;;;AClBA;;;;ACwCA;;;;;AAmCa,cAnCA,SAyCZ,EAAA,CAAA,IAAA,EAxCO,KAwCP,EAAA,UAAA,EAAA,MAAA,EAAA,YAAA,CAAA,EAtCe,iBAsCf,GAtCmC,YAsCnC,GAAA,MAAA,EAAA,GAAA,OAAA;AAWY,cAjBA,YA4BZ,EAAA,CAAA,MAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,MAAA;AAUD;AA+BA;AAkCA;AAiCA;AAaA;AAOA;;;;AAE8B,cA7IjB,0BA6IiB,EAAA,CAAA,UAAA,EAAA,MAAA,EAAA,cAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,MAAA;AAmD9B;;;;AC5RA;;;;AAmCyC,cD8E5B,YC9E4B,EAAA,CAAA,GAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,KAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,EAAA,GAAA,IAAA;;;;;;;;;cD6G5B,2CAA0C;;;;;;;;;cAkC1C,+CAEV;;;;;;;;;cA+BU,qDAAiD;;;;;;;;;cAajD,yDAEV;cAKU,mCACH,8BACA,yBAAoB;;;;;;;;;;;cAmDjB;;;;;cC5RA,YAAA;;;EHGI,OAAA,UAAA,CAAA,OAAkB,EGAN,YHAM,CAAA,EGAM,YHAN;EAUlB,KAAA,CAAA,CAAA,EAAA,CAAA,MAAA,GAAA,MAAA,EAAuB,CAAA,EAAA;EAKvB,KAAA,CAAA,CAAA,EGPV,YHOU;;;;AClBjB;;;;ACwCA;;EAGgB,MAAA,CAAA,KAAA,EAAA,MAAA,GAAA,MAAA,EAAA,CAAA,EAAA,IAAA;EAAoB;;AAgCpC;AAiBA;AAqBA;AA+BA;AAkCA;EAiCa,MAAA,CAAA,MAAA,EAAA,CAAA,MAAA,GAGZ,MAAA,EAAA,CAAA,EAAA,GCnLwC,YDgLqB,CAAA,EAAA,IAG7D;EAUY;AAOb;;;;;AAqDA;;;;EC5Ra"}

package/dist/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { a as id, c as scopes, i as group, l as user, n as anyScope, o as org, r as form, s as scope, t as and } from "./functional-scopes-CsZNJMXW.js";
+import { a as id, c as user, i as group, n as anyScope, o as org, r as form, s as scope, t as and } from "./functional-scopes-COiTBSy_.js";
 //#region src/permissions/action-scopes.ts
 /**
@@ -9,8 +9,8 @@ var ActionScopes = class {
 	array = [];
 	anyScope = false;
 	idsMap = /* @__PURE__ */ new Map();
-	constructor(scopes$1) {
-		if (scopes$1) this.array = scopes$1;
+	constructor(scopes) {
+		if (scopes) this.array = scopes;
 	}
 	/**
 	* Set id scope (e.g. 'id#jsu:123')
@@ -103,9 +103,10 @@ var ActionScopes = class {
 *
 * scopes.set('my')
 */
-const normalizeScopes = (scopes$1) => {
-	if (!(scopes$1 instanceof ActionScopes)) return new ActionScopes(scopes$1);
-	return scopes$1;
+const normalizeScopes = (scopes) => {
+	if (scopes instanceof ActionScopes) return scopes;
+	if (typeof scopes === "string") return new ActionScopes([scopes]);
+	return new ActionScopes(scopes);
 };
 /**
 * Check if user has access to permission
@@ -126,14 +127,14 @@ const isGranted = (user$1, permission, actionScopes = []) => {
 	const [service, module, resource, action] = permission.split(":");
 	if (user$1.resolvedPermissions.length === 0) return false;
 	const userPermissions = user$1.resolvedPermissions;
-	const scopes$1 = normalizeScopes(actionScopes);
-	const permissionCanBeExecutedInScopes = (perm, scopes$2) => perm.scopes.length === 0 || scopes$2.canBeExecutedInScopes(perm.scopes);
+	const scopes = normalizeScopes(actionScopes);
+	const permissionCanBeExecutedInScopes = (perm, scopes$1) => perm.scopes.length === 0 || scopes$1.canBeExecutedInScopes(perm.scopes);
 	const regexp = /* @__PURE__ */ new RegExp(`^(${service}|\\*):(${module}|\\*):(${resource}|\\*):(${action}|\\*)$`);
-	if (userPermissions.some((perm) => regexp.test(perm.id) && permissionCanBeExecutedInScopes(perm, scopes$1))) return true;
+	if (userPermissions.some((perm) => regexp.test(perm.id) && permissionCanBeExecutedInScopes(perm, scopes))) return true;
 	return false;
 };
-const encodeScopes = (scopes$1) => {
-	const scopesString = scopes$1.map((s) => Array.isArray(s) ? s.join("+") : s).join(",");
+const encodeScopes = (scopes) => {
+	const scopesString = scopes.map((s) => Array.isArray(s) ? s.join("+") : s).join(",");
 	return scopesString.length > 0 ? `[${scopesString}]` : "";
 };
 /**
@@ -146,10 +147,10 @@ const encodeScopes = (scopes$1) => {
 * // js:core:episodes[org,published]:get
 */
 const injectScopesIntoPermission = (permission, scopesToInject) => {
-	const { id: id$1, scopes: scopes$1 } = resolvePermission(permission);
+	const { id: id$1, scopes } = resolvePermission(permission);
 	const [service, module, resource, action] = id$1.split(":");
-	concatScopes(scopes$1, scopesToInject);
-	return `${service}:${module}:${resource}${encodeScopes(scopes$1)}:${action}`;
+	concatScopes(scopes, scopesToInject);
+	return `${service}:${module}:${resource}${encodeScopes(scopes)}:${action}`;
 };
 /**
 * Concat scopes
@@ -175,13 +176,13 @@ const concatScopes = (set, items) => {
 const resolvePermission = (permission) => {
 	const matches = /\[(?<scopes>.*?)\]/u.exec(permission);
 	if (matches?.[0] && matches.groups?.scopes) {
-		const scopes$1 = matches.groups.scopes.split(",").map((s) => {
+		const scopes = matches.groups.scopes.split(",").map((s) => {
 			if (s.includes("+")) return s.split("+");
 			return s;
 		});
 		return {
 			id: permission.replace(matches[0], ""),
-			scopes: scopes$1
+			scopes
 		};
 	}
 	return {
@@ -200,12 +201,12 @@ const resolvePermission = (permission) => {
 const resolvePermissions = (permissions) => {
 	const resolvedPermissions = [];
 	for (const permission of permissions) {
-		const { id: id$1, scopes: scopes$1 } = resolvePermission(permission);
+		const { id: id$1, scopes } = resolvePermission(permission);
 		const currentPermission = resolvedPermissions.find((p) => p.id === id$1);
-		if (currentPermission) concatScopes(currentPermission.scopes, scopes$1);
+		if (currentPermission) concatScopes(currentPermission.scopes, scopes);
 		else resolvedPermissions.push({
 			id: id$1,
-			scopes: scopes$1
+			scopes
 		});
 	}
 	return resolvedPermissions;
@@ -243,11 +244,11 @@ const mergeResolvedPermissions = (array1, array2) => {
 			});
 			continue;
 		}
-		const scopes$1 = [...rp1.scopes];
-		for (const rp2 of rps2) concatScopes(scopes$1, rp2.scopes);
+		const scopes = [...rp1.scopes];
+		for (const rp2 of rps2) concatScopes(scopes, rp2.scopes);
 		result.push({
 			id: rp1.id,
-			scopes: scopes$1
+			scopes
 		});
 	}
 	for (const rp2 of array2) if (!result.some((rp) => rp.id === rp2.id)) result.push(rp2);
@@ -263,9 +264,9 @@ const mergeResolvedPermissions = (array1, array2) => {
 * replaceScope(['org#jsorg:xxx', ['org#jsorg:xxx', 'published']], 'org#jsorg:xxx', 'org#jsorg:hci')
 * // ['org#jsorg:hci', ['org#jsorg:hci', 'published']]
 */
-const replaceScope = (scopes$1, from, to) => {
+const replaceScope = (scopes, from, to) => {
 	const result = [];
-	for (const scope$1 of scopes$1) if (Array.isArray(scope$1)) result.push(replaceScope(scope$1, from, to));
+	for (const scope$1 of scopes) if (Array.isArray(scope$1)) result.push(replaceScope(scope$1, from, to));
 	else if (scope$1 === from) if (Array.isArray(to)) result.push(...to);
 	else result.push(to);
 	else result.push(scope$1);
@@ -275,8 +276,8 @@ const replaceScope = (scopes$1, from, to) => {
 //#endregion
 //#region src/permissions/scopes-bulder.ts
 var ScopesBulder = class ScopesBulder {
-	constructor(scopes$1 = []) {
-		this.scopes = scopes$1;
+	constructor(scopes = []) {
+		this.scopes = scopes;
 	}
 	static fromBulder(builder) {
 		return new ScopesBulder(builder.scopes.slice());
@@ -306,9 +307,9 @@ var ScopesBulder = class ScopesBulder {
 	* extend(['lang#en', 'lang#de'])
 	* // ['published', 'draft'] => ['published', 'draft', 'lang#en', 'lang#de']
 	*/
-	extend(scopes$1) {
-		if (Array.isArray(scopes$1)) concatScopes(this.scopes, scopes$1);
-		else if (scopes$1 instanceof ScopesBulder) concatScopes(this.scopes, scopes$1.scopes);
+	extend(scopes) {
+		if (Array.isArray(scopes)) concatScopes(this.scopes, scopes);
+		else if (scopes instanceof ScopesBulder) concatScopes(this.scopes, scopes.scopes);
 	}
 	/**
 	* Join all scopes with the given scope
@@ -348,5 +349,5 @@ var ScopesBulder = class ScopesBulder {
 };
 //#endregion
-export { ActionScopes, ScopesBulder, and, anyScope, concatScopes, encodeScopes, form, group, id, injectScopesIntoPermission, isGranted, mergeResolvedPermissions, org, replaceScope, resolvePermission, resolvePermissionGroup, resolvePermissionGroups, resolvePermissions, scope, scopes, user };
+export { ActionScopes, ScopesBulder, and, anyScope, concatScopes, encodeScopes, form, group, id, injectScopesIntoPermission, isGranted, mergeResolvedPermissions, org, replaceScope, resolvePermission, resolvePermissionGroup, resolvePermissionGroups, resolvePermissions, scope, user };
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["scopes","id","scope","scopes","user","id","scope","scopes: (string \| string[])[]","resolvedPermissions: ResolvedPermission[]","result: ResolvedPermission[]","result: (string \| string[])[]","scopes: (string \| string[])[]","scope","scopes","result: (string \| string[])[]"],"sources":["../src/permissions/action-scopes.ts","../src/permissions/helpers.ts","../src/permissions/scopes-bulder.ts"],"sourcesContent":["export type ActionScopesArray = (string \| string[])[];\n\n/*\n Action scopes are used to describe\n * what scopes are required to execute an action.\n /\nexport class ActionScopes {\n public array: ActionScopesArray = [];\n public anyScope = false;\n private idsMap = new Map<string, string>();\n\n constructor(scopes?: ActionScopesArray) {\n if (scopes) {\n this.array = scopes;\n }\n }\n\n /\n Set id scope (e.g. 'id#jsu:123')\n * @param id - entity id\n * @returns - this\n * @example\n * scopes.setEntityId('jsu:123')\n \n // scopes.getArray() = ['id#jsu:123']\n /\n setEntityId(id: string): this {\n this.set(`id#${id}`);\n\n return this;\n }\n\n /\n Set scope (e.g. 'org', 'org+review')\n * @param scope - scope name (e.g. 'org', 'org+review')\n * @param id - entity id (e.g. 'jsorg:hci')\n * @returns - this\n * @example\n * scopes.set('my')\n \n // scopes.getArray() = ['my']\n \n scopes.set('org', 'jsorg:hci')\n \n // scopes.getArray() = ['org#jsorg:hci']\n /\n set(scope: string, id?: string): this {\n if (id && /^[A-Za-z_]+$/.test(scope)) {\n this.idsMap.set(scope, id);\n }\n\n if (scope.includes('+')) {\n const subscopes = scope.split('+');\n this.array.push(\n subscopes.map((subscope) => this.resolveScopeId(subscope)),\n );\n } else {\n this.array.push(this.resolveScopeId(scope));\n }\n\n return this;\n }\n\n has(scope: string): boolean {\n return this.array.includes(scope);\n }\n\n getArray(): ActionScopesArray {\n return [...this.array];\n }\n\n /\n Permission scopes must cover auth scopes determined in auth context.\n * @param permissionScopes\n /\n canBeExecutedInScopes(\n permissionScopes: readonly (string \| string[])[],\n ): boolean {\n // if scopes has then it can be executed in any scope\n if (this.array.includes('')) {\n return true;\n }\n\n / action scopes = ['user#jsu:123', 'org#hci', ['org#hci', 'draft']]\n /* permission scopes: ['user#jsu:123', ['org#hci', 'draft']]\n\n /*\n empty user permission scopes = full access to action\n /\n if (permissionScopes.length === 0) {\n return true;\n }\n\n /\n Empty auth scopes but user has permission scopes = no access to action\n \n action scopes = []\n * permission scopes = ['org#hci']\n \n Example:\n * User try to get list of all entities\n * But user only has permission to entity from org#hci\n /\n if (this.array.length === 0) {\n return false;\n }\n\n return this.array.some((authScope) => {\n if (Array.isArray(authScope)) {\n // scopes ['org#hci', 'draft'] == permissionScope ['org#hci', 'draft']\n\n return permissionScopes.some((permissionScope) => {\n if (Array.isArray(permissionScope)) {\n return permissionScope.every(\n (sub) => authScope.includes(sub),\n );\n }\n\n return authScope.includes(permissionScope);\n });\n }\n\n return permissionScopes.includes(authScope); // 'user#jsu:123' == 'user#jsu:123'\n });\n }\n\n /\n Resolve presaved scopes\n * @example\n * authCtx.setScope('org', 'jsorg:hci')\n * [org#hci]\n \n authCtx.setScope('org+review');\n * [org#hci, [org#hci, review]]\n /\n private resolveScopeId(scope: string) {\n const id = this.idsMap.get(scope);\n return id !== undefined\n ? `${scope}#${id}`\n : scope;\n }\n}\n","import {\n type ReadonlyResolvedPermission, type ResolvedPermission, type ResolvedPermissionGroup,\n} from '../types/permissions.js';\nimport { type IUser } from '../types/user.js';\nimport { ActionScopes, type ActionScopesArray } from './action-scopes.js';\n\n/\n * Normilize scopes to ActionScopes\n * @example\n * const scopes = normalizeScopes(['org#hci', 'user#hcu:xxxxx') // ActionScopes\n \n scopes.set('my')\n /\nconst normalizeScopes = (\n scopes: ActionScopesArray \| ActionScopes,\n): ActionScopes => {\n if (!(scopes instanceof ActionScopes)) {\n return new ActionScopes(scopes);\n }\n\n return scopes;\n};\n\n/\n Check if user has access to permission\n * @example\n \n // Check episode access\n * const scopes = new ActionScopes();\n * scopes.setEntityId(episode.id); // id#js:core:episodes:xxxxx\n * scopes.set('org', episode.organizationId); // org#hcorg:hci\n \n isGranted(user, 'js:core:episodes:get', scopes)\n * @param user - user object with resolvedPermissions\n * @param permission - permission string (e.g. 'js:core:episodes:get')\n * @param actionScopes - action scopes (e.g. ['org#hcorg:hci'] or ActionScopes instance)\n * @returns - true if user has access to permission\n /\nexport const isGranted = (\n user: IUser,\n permission: string,\n actionScopes: ActionScopesArray \| ActionScopes = [],\n): boolean => {\n const [service, module, resource, action] = permission.split(':');\n\n if (user.resolvedPermissions.length === 0) {\n return false;\n }\n\n const userPermissions = user.resolvedPermissions;\n\n const scopes = normalizeScopes(actionScopes);\n\n const permissionCanBeExecutedInScopes = (perm: ReadonlyResolvedPermission, scopes: ActionScopes) =>\n (perm.scopes.length === 0 \|\| scopes.canBeExecutedInScopes(perm.scopes));\n\n const regexp = new RegExp(`^(${service}\|\\\\):(${module}\|\\\\):(${resource}\|\\\\):(${action}\|\\\\)$`);\n\n // novajs::: or novajs::[org]:\n // novajs:module::* or novajs:module:[org]:\n // novajs:module:resource:* or novajs:module:resource:[org]:\n // novajs:modules:resource:create\n // :modules:resource:create\n if (userPermissions.some(\n (perm) => regexp.test(perm.id)\n && permissionCanBeExecutedInScopes(perm, scopes))\n ) {\n return true;\n }\n\n return false;\n};\n\nexport const encodeScopes = (scopes: (string \| string[])[]): string => {\n const scopesString = scopes\n .map((s) => (Array.isArray(s) ? s.join('+') : s))\n .join(',');\n\n return scopesString.length > 0 ? `[${scopesString}]` : '';\n};\n\n/*\n Inject scopes into permission\n * @param permission - permission string (e.g. 'js:core:episodes:get')\n * @param scopesToInject - scopes to inject (e.g. ['org', 'published'])\n * @returns - permission string with injected scopes (e.g. 'js:core:episodes[org,published]:get')\n * @example\n * injectScopesIntoPermission('js:core:episodes:get', ['org', 'published'])\n * // js:core:episodes[org,published]:get\n /\nexport const injectScopesIntoPermission = (\n permission: string,\n scopesToInject: (string \| string[])[],\n) => {\n const { id, scopes } = resolvePermission(permission);\n\n const [service, module, resource, action] = id.split(':');\n\n concatScopes(scopes, scopesToInject);\n\n return `${service}:${module}:${resource}${encodeScopes(scopes)}:${action}`;\n};\n\n/\n Concat scopes\n * @param set - set of scopes\n * @param items - items to concat\n * @example\n * concatScopes(['org#hci'], ['org#dv'])\n * // ['org#hci', 'org#dv']\n /\nexport const concatScopes = (\n set: (string \| string[])[],\n items: (string \| string[])[],\n): void => {\n for (const item of items) {\n if (Array.isArray(item)) {\n // check if scopes not includes array with subscopes rp2Scope\n if (\n !set.some(\n (scope) =>\n Array.isArray(scope)\n && scope.length === item.length\n && scope.every((s) => item.includes(s)),\n )\n ) {\n set.push(item);\n }\n } else if (!set.includes(item)) {\n set.push(item);\n }\n }\n};\n\n/\n Resolve permission string to object with scopes\n * @param permission - permission string\n * @returns - resolved permission object\n * @example\n * resolvePermission('js:core:episodes[org,published]:get')\n * // { id: 'js:core:episodes:get', scopes: ['org', 'published'] }\n /\nexport const resolvePermission = (permission: string): ResolvedPermission => {\n const matches = /\\[(?<scopes>.?)\\]/u.exec(permission);\n\n if (matches?.[0] && matches.groups?.scopes) {\n const scopes: (string \| string[])[] = matches.groups.scopes\n .split(',') // scopes with OR logic\n .map((s) => {\n if (s.includes('+')) {\n return s.split('+'); // scopes with AND logic\n }\n\n return s;\n });\n\n return {\n id: permission.replace(matches[0], ''),\n scopes,\n };\n }\n\n return {\n id: permission,\n scopes: [],\n };\n};\n\n/*\n Resolve permissions to array of resolved permissions\n * @param permissions - array of permissions\n * @returns - array of resolved permissions\n * @example\n * resolvePermissions(['js:core:episodes[org]:get', 'js:core:episodes[published]:get'])\n * // [{ id: 'js:core:episodes:get', scopes: ['org', 'published'] }]\n /\nexport const resolvePermissions = (\n permissions: string[],\n): ResolvedPermission[] => {\n const resolvedPermissions: ResolvedPermission[] = [];\n\n for (const permission of permissions) {\n const { id, scopes } = resolvePermission(permission);\n\n const currentPermission = resolvedPermissions.find(\n (p) => p.id === id,\n );\n\n if (currentPermission) {\n concatScopes(currentPermission.scopes, scopes);\n } else {\n resolvedPermissions.push({\n id,\n scopes,\n });\n }\n }\n\n return resolvedPermissions;\n};\n\n/\n Resolve permission group string to object with scopes\n * @param permissionGroup - permission group string\n * @returns - resolved permission group object\n * @example\n * resolvePermissionGroup('g:js:core:episodes[org]:read')\n * // { id: 'g:js:core:episodes:read', scopes: ['org'] }\n /\nexport const resolvePermissionGroup = (permissionGroup: string) => {\n // Currently it has the same algorithm\n return resolvePermission(permissionGroup);\n};\n\n/\n Resolve permission groups to array of resolved permission groups\n * @param permissionGroups - array of permission groups\n * @returns - array of resolved permission groups\n * @example\n * resolvePermissionGroups(['g:js:core:episodes[org]:read', 'g:js:core:episodes[published]:read'])\n * // [{ id: 'g:js:core:episodes:read', scopes: ['org', 'published'] }]\n /\nexport const resolvePermissionGroups = (\n permissionGroups: string[],\n): ResolvedPermissionGroup[] => {\n // Currently it has the same algorithm\n return resolvePermissions(permissionGroups);\n};\n\nexport const mergeResolvedPermissions = (\n array1: ResolvedPermission[],\n array2: ResolvedPermission[],\n) => {\n const result: ResolvedPermission[] = [];\n\n for (const rp1 of array1) {\n const rps2 = array2.filter((rp2) => rp2.id === rp1.id);\n\n / Empty scopes = has full access /\n if (\n rp1.scopes.length === 0\n \|\| rps2.some((rp2) => rp2.id === rp1.id && rp2.scopes.length === 0)\n ) {\n result.push({\n id: rp1.id,\n scopes: [],\n });\n\n continue;\n }\n\n // [org#hci, user#hcu:xxxxx, [org#hci, review]]\n const scopes = [...rp1.scopes];\n for (const rp2 of rps2) {\n concatScopes(scopes, rp2.scopes);\n }\n\n result.push({\n id: rp1.id,\n scopes,\n });\n }\n\n for (const rp2 of array2) {\n if (!result.some((rp) => rp.id === rp2.id)) {\n result.push(rp2);\n }\n }\n\n return result;\n};\n\n/\n Replace scope in array of scopes\n * @param scopes - array of scopes\n * @param from - scope to replace\n * @param to - scope to replace with\n * @returns - array of scopes with replaced scopes\n * @example\n * replaceScope(['org#jsorg:xxx', ['org#jsorg:xxx', 'published']], 'org#jsorg:xxx', 'org#jsorg:hci')\n * // ['org#jsorg:hci', ['org#jsorg:hci', 'published']]\n /\nexport const replaceScope = (\n scopes: (string \| string[])[], // [org#jsorg:xxx, [org#jsorg:xxx, published]]\n from: string,\n to: string \| (string \| string[])[],\n) => {\n const result: (string \| string[])[] = [];\n for (const scope of scopes) {\n if (Array.isArray(scope)) {\n result.push(replaceScope(scope, from, to) as string[]);\n } else if (scope === from) {\n if (Array.isArray(to)) {\n result.push(...to);\n } else {\n result.push(to);\n }\n } else {\n result.push(scope);\n }\n }\n\n return result;\n};\n","import { concatScopes } from './helpers.js';\n\nexport class ScopesBulder {\n constructor(private scopes: (string \| string[])[] = []) {}\n\n static fromBulder(builder: ScopesBulder) {\n return new ScopesBulder(builder.scopes.slice());\n }\n\n build() {\n return JSON.parse(JSON.stringify(this.scopes)) as (string \| string[])[];\n }\n\n clone() {\n return ScopesBulder.fromBulder(this);\n }\n\n /\n Append scope or scopes to the current scopes\n * @param scope - scope or array of scopes to append\n * @example\n * append('org#jsorg:hci')\n * // ['org#xxx'] => ['org#xxx', 'org#jsorg:hci']\n * append(['org#hci', 'lang#en])\n * // ['org#xxx'] => ['org#xxx', ['org#hci', 'lang#en']]\n /\n append(scope: string \| string[]) {\n this.scopes.push(scope);\n }\n\n /\n Extend current scopes with the given scopes\n * @param scopes - scope or array of scopes to extend with\n * @example\n * extend(['lang#en', 'lang#de'])\n * // ['published', 'draft'] => ['published', 'draft', 'lang#en', 'lang#de']\n /\n extend(scopes: (string \| string[])[] \| ScopesBulder) {\n if (Array.isArray(scopes)) {\n concatScopes(this.scopes, scopes);\n } else if (scopes instanceof ScopesBulder) {\n concatScopes(this.scopes, scopes.scopes);\n }\n }\n\n /\n Join all scopes with the given scope\n * @param scope - scope to join with\n * @example\n * join('org#jsorg:hci', 'before')\n * // ['published', 'draft'] => [['org#jsorg:hci', 'published'], ['org#jsorg:hci', 'draft']]\n * join(['lang#en', 'lang#de'])\n * // ['published', 'draft'] => [['published', 'lang#en'], ['published', 'lang#de'], ['draft', 'lang#en'], ['draft', 'lang#de']]\n /\n join(scopeOrScopes: string \| (string \| string[])[], pos: 'before' \| 'after' = 'after') {\n const result: (string \| string[])[] = [];\n\n const scopesToJoin = Array.isArray(scopeOrScopes) ? scopeOrScopes : [scopeOrScopes];\n\n if (scopesToJoin.length === 0) {\n return;\n }\n\n const currentScopesCopy = this.build();\n for (const scope of scopesToJoin) {\n const scopeToJoin = Array.isArray(scope) ? scope : [scope];\n\n for (const s of currentScopesCopy) {\n if (Array.isArray(s)) {\n result.push(pos === 'before' ? [...scopeToJoin, ...s] : [...s, ...scopeToJoin]);\n } else {\n result.push(pos === 'before' ? [...scopeToJoin, s] : [s, ...scopeToJoin]);\n }\n }\n }\n\n this.scopes = result;\n }\n\n /\n Replace prefix in all scopes\n * @param from - prefix to replace\n * @param to - prefix to replace with\n * @example\n * replacePrefix('org', 'id')\n * ['org#jsorg:hci'] => ['id#jsorg:hci']\n */\n replacePrefix(from: string, to: string) {\n const result: (string \| string[])[] = [];\n for (const scope of this.scopes) {\n if (Array.isArray(scope)) {\n result.push(scope.map((s) => s.replace(`${from}#`, `${to}#`)));\n } else {\n result.push(scope.replace(`${from}#`, `${to}#`));\n }\n }\n this.scopes = result;\n }\n}\n"],"mappings":";;;;;;;AAMA,IAAa,eAAb,MAA0B;CACxB,AAAO,QAA2B,EAAE;CACpC,AAAO,WAAW;CAClB,AAAQ,yBAAS,IAAI,KAAqB;CAE1C,YAAY,UAA4B;AACtC,MAAIA,SACF,MAAK,QAAQA;;;;;;;;;;;CAajB,YAAY,MAAkB;AAC5B,OAAK,IAAI,MAAMC,OAAK;AAEpB,SAAO;;;;;;;;;;;;;;;;CAiBT,IAAI,SAAe,MAAmB;AACpC,MAAIA,QAAM,eAAe,KAAKC,QAAM,CAClC,MAAK,OAAO,IAAIA,SAAOD,KAAG;AAG5B,MAAIC,QAAM,SAAS,IAAI,EAAE;GACvB,MAAM,YAAYA,QAAM,MAAM,IAAI;AAClC,QAAK,MAAM,KACT,UAAU,KAAK,aAAa,KAAK,eAAe,SAAS,CAAC,CAC3D;QAED,MAAK,MAAM,KAAK,KAAK,eAAeA,QAAM,CAAC;AAG7C,SAAO;;CAGT,IAAI,SAAwB;AAC1B,SAAO,KAAK,MAAM,SAASA,QAAM;;CAGnC,WAA8B;AAC5B,SAAO,CAAC,GAAG,KAAK,MAAM;;;;;;CAOxB,sBACE,kBACS;AAET,MAAI,KAAK,MAAM,SAAS,IAAI,CAC1B,QAAO;AAST,MAAI,iBAAiB,WAAW,EAC9B,QAAO;;;;;;;;;;;AAaT,MAAI,KAAK,MAAM,WAAW,EACxB,QAAO;AAGT,SAAO,KAAK,MAAM,MAAM,cAAc;AACpC,OAAI,MAAM,QAAQ,UAAU,CAG1B,QAAO,iBAAiB,MAAM,oBAAoB;AAChD,QAAI,MAAM,QAAQ,gBAAgB,CAChC,QAAO,gBAAgB,OACpB,QAAQ,UAAU,SAAS,IAAI,CACjC;AAGH,WAAO,UAAU,SAAS,gBAAgB;KAC1C;AAGJ,UAAO,iBAAiB,SAAS,UAAU;IAC3C;;;;;;;;;;;CAYJ,AAAQ,eAAe,SAAe;EACpC,MAAMD,OAAK,KAAK,OAAO,IAAIC,QAAM;AACjC,SAAOD,SAAO,SACV,GAAGC,QAAM,GAAGD,SACZC;;;;;;;;;;;;;AC9HR,MAAM,mBACJ,aACiB;AACjB,KAAI,EAAEC,oBAAkB,cACtB,QAAO,IAAI,aAAaA,SAAO;AAGjC,QAAOA;;;;;;;;;;;;;;;;;AAkBT,MAAa,aACX,QACA,YACA,eAAiD,EAAE,KACvC;CACZ,MAAM,CAAC,SAAS,QAAQ,UAAU,UAAU,WAAW,MAAM,IAAI;AAEjE,KAAIC,OAAK,oBAAoB,WAAW,EACtC,QAAO;CAGT,MAAM,kBAAkBA,OAAK;CAE7B,MAAMD,WAAS,gBAAgB,aAAa;CAE5C,MAAM,mCAAmC,MAAkC,aACxE,KAAK,OAAO,WAAW,KAAKA,SAAO,sBAAsB,KAAK,OAAO;CAExE,MAAM,yBAAS,IAAI,OAAO,KAAK,QAAQ,SAAS,OAAO,SAAS,SAAS,SAAS,OAAO,QAAQ;AAOjG,KAAI,gBAAgB,MACjB,SAAS,OAAO,KAAK,KAAK,GAAG,IACzB,gCAAgC,MAAMA,SAAO,CAAC,CAEnD,QAAO;AAGT,QAAO;;AAGT,MAAa,gBAAgB,aAA0C;CACrE,MAAM,eAAeA,SAClB,KAAK,MAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,KAAK,IAAI,GAAG,EAAG,CAChD,KAAK,IAAI;AAEZ,QAAO,aAAa,SAAS,IAAI,IAAI,aAAa,KAAK;;;;;;;;;;;AAYzD,MAAa,8BACX,YACA,mBACG;CACH,MAAM,EAAE,UAAI,qBAAW,kBAAkB,WAAW;CAEpD,MAAM,CAAC,SAAS,QAAQ,UAAU,UAAUE,KAAG,MAAM,IAAI;AAEzD,cAAaF,UAAQ,eAAe;AAEpC,QAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,WAAW,aAAaA,SAAO,CAAC,GAAG;;;;;;;;;;AAWpE,MAAa,gBACX,KACA,UACS;AACT,MAAK,MAAM,QAAQ,MACjB,KAAI,MAAM,QAAQ,KAAK,EAErB;MACE,CAAC,IAAI,MACF,YACC,MAAM,QAAQG,QAAM,IACjBA,QAAM,WAAW,KAAK,UACtBA,QAAM,OAAO,MAAM,KAAK,SAAS,EAAE,CAAC,CAC1C,CAED,KAAI,KAAK,KAAK;YAEP,CAAC,IAAI,SAAS,KAAK,CAC5B,KAAI,KAAK,KAAK;;;;;;;;;;AAapB,MAAa,qBAAqB,eAA2C;CAC3E,MAAM,UAAU,sBAAsB,KAAK,WAAW;AAEtD,KAAI,UAAU,MAAM,QAAQ,QAAQ,QAAQ;EAC1C,MAAMC,WAAgC,QAAQ,OAAO,OAClD,MAAM,IAAI,CACV,KAAK,MAAM;AACV,OAAI,EAAE,SAAS,IAAI,CACjB,QAAO,EAAE,MAAM,IAAI;AAGrB,UAAO;IACP;AAEJ,SAAO;GACL,IAAI,WAAW,QAAQ,QAAQ,IAAI,GAAG;GACtC;GACD;;AAGH,QAAO;EACL,IAAI;EACJ,QAAQ,EAAE;EACX;;;;;;;;;;AAWH,MAAa,sBACX,gBACyB;CACzB,MAAMC,sBAA4C,EAAE;AAEpD,MAAK,MAAM,cAAc,aAAa;EACpC,MAAM,EAAE,UAAI,qBAAW,kBAAkB,WAAW;EAEpD,MAAM,oBAAoB,oBAAoB,MAC3C,MAAM,EAAE,OAAOH,KACjB;AAED,MAAI,kBACF,cAAa,kBAAkB,QAAQF,SAAO;MAE9C,qBAAoB,KAAK;GACvB;GACA;GACD,CAAC;;AAIN,QAAO;;;;;;;;;;AAWT,MAAa,0BAA0B,oBAA4B;AAEjE,QAAO,kBAAkB,gBAAgB;;;;;;;;;;AAW3C,MAAa,2BACX,qBAC8B;AAE9B,QAAO,mBAAmB,iBAAiB;;AAG7C,MAAa,4BACX,QACA,WACG;CACH,MAAMM,SAA+B,EAAE;AAEvC,MAAK,MAAM,OAAO,QAAQ;EACxB,MAAM,OAAO,OAAO,QAAQ,QAAQ,IAAI,OAAO,IAAI,GAAG;AAGtD,MACE,IAAI,OAAO,WAAW,KACnB,KAAK,MAAM,QAAQ,IAAI,OAAO,IAAI,MAAM,IAAI,OAAO,WAAW,EAAE,EACnE;AACA,UAAO,KAAK;IACV,IAAI,IAAI;IACR,QAAQ,EAAE;IACX,CAAC;AAEF;;EAIF,MAAMN,WAAS,CAAC,GAAG,IAAI,OAAO;AAC9B,OAAK,MAAM,OAAO,KAChB,cAAaA,UAAQ,IAAI,OAAO;AAGlC,SAAO,KAAK;GACV,IAAI,IAAI;GACR;GACD,CAAC;;AAGJ,MAAK,MAAM,OAAO,OAChB,KAAI,CAAC,OAAO,MAAM,OAAO,GAAG,OAAO,IAAI,GAAG,CACxC,QAAO,KAAK,IAAI;AAIpB,QAAO;;;;;;;;;;;;AAaT,MAAa,gBACX,UACA,MACA,OACG;CACH,MAAMO,SAAgC,EAAE;AACxC,MAAK,MAAMJ,WAASH,SAClB,KAAI,MAAM,QAAQG,QAAM,CACtB,QAAO,KAAK,aAAaA,SAAO,MAAM,GAAG,CAAa;UAC7CA,YAAU,KACnB,KAAI,MAAM,QAAQ,GAAG,CACnB,QAAO,KAAK,GAAG,GAAG;KAElB,QAAO,KAAK,GAAG;KAGjB,QAAO,KAAKA,QAAM;AAItB,QAAO;;;;;AC5ST,IAAa,eAAb,MAAa,aAAa;CACxB,YAAY,AAAQK,WAAgC,EAAE,EAAE;EAApC;;CAEpB,OAAO,WAAW,SAAuB;AACvC,SAAO,IAAI,aAAa,QAAQ,OAAO,OAAO,CAAC;;CAGjD,QAAQ;AACN,SAAO,KAAK,MAAM,KAAK,UAAU,KAAK,OAAO,CAAC;;CAGhD,QAAQ;AACN,SAAO,aAAa,WAAW,KAAK;;;;;;;;;;;CAYtC,OAAO,SAA0B;AAC/B,OAAK,OAAO,KAAKC,QAAM;;;;;;;;;CAUzB,OAAO,UAA8C;AACnD,MAAI,MAAM,QAAQC,SAAO,CACvB,cAAa,KAAK,QAAQA,SAAO;WACxBA,oBAAkB,aAC3B,cAAa,KAAK,QAAQA,SAAO,OAAO;;;;;;;;;;;CAa5C,KAAK,eAA+C,MAA0B,SAAS;EACrF,MAAMC,SAAgC,EAAE;EAExC,MAAM,eAAe,MAAM,QAAQ,cAAc,GAAG,gBAAgB,CAAC,cAAc;AAEnF,MAAI,aAAa,WAAW,EAC1B;EAGF,MAAM,oBAAoB,KAAK,OAAO;AACtC,OAAK,MAAMF,WAAS,cAAc;GAChC,MAAM,cAAc,MAAM,QAAQA,QAAM,GAAGA,UAAQ,CAACA,QAAM;AAE1D,QAAK,MAAM,KAAK,kBACd,KAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,QAAQ,WAAW,CAAC,GAAG,aAAa,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,GAAG,YAAY,CAAC;OAE/E,QAAO,KAAK,QAAQ,WAAW,CAAC,GAAG,aAAa,EAAE,GAAG,CAAC,GAAG,GAAG,YAAY,CAAC;;AAK/E,OAAK,SAAS;;;;;;;;;;CAWhB,cAAc,MAAc,IAAY;EACtC,MAAME,SAAgC,EAAE;AACxC,OAAK,MAAMF,WAAS,KAAK,OACvB,KAAI,MAAM,QAAQA,QAAM,CACtB,QAAO,KAAKA,QAAM,KAAK,MAAM,EAAE,QAAQ,GAAG,KAAK,IAAI,GAAG,GAAG,GAAG,CAAC,CAAC;MAE9D,QAAO,KAAKA,QAAM,QAAQ,GAAG,KAAK,IAAI,GAAG,GAAG,GAAG,CAAC;AAGpD,OAAK,SAAS"}
1	+ {"version":3,"file":"index.js","names":["id","scope","user","scopes","id","scope","scopes: (string \| string[])[]","resolvedPermissions: ResolvedPermission[]","result: ResolvedPermission[]","result: (string \| string[])[]","scopes: (string \| string[])[]","scope","result: (string \| string[])[]"],"sources":["../src/permissions/action-scopes.ts","../src/permissions/helpers.ts","../src/permissions/scopes-bulder.ts"],"sourcesContent":["export type ActionScopesArray = (string \| string[])[];\n\n/*\n Action scopes are used to describe\n * what scopes are required to execute an action.\n /\nexport class ActionScopes {\n public array: ActionScopesArray = [];\n public anyScope = false;\n private idsMap = new Map<string, string>();\n\n constructor(scopes?: ActionScopesArray) {\n if (scopes) {\n this.array = scopes;\n }\n }\n\n /\n Set id scope (e.g. 'id#jsu:123')\n * @param id - entity id\n * @returns - this\n * @example\n * scopes.setEntityId('jsu:123')\n \n // scopes.getArray() = ['id#jsu:123']\n /\n setEntityId(id: string): this {\n this.set(`id#${id}`);\n\n return this;\n }\n\n /\n Set scope (e.g. 'org', 'org+review')\n * @param scope - scope name (e.g. 'org', 'org+review')\n * @param id - entity id (e.g. 'jsorg:hci')\n * @returns - this\n * @example\n * scopes.set('my')\n \n // scopes.getArray() = ['my']\n \n scopes.set('org', 'jsorg:hci')\n \n // scopes.getArray() = ['org#jsorg:hci']\n /\n set(scope: string, id?: string): this {\n if (id && /^[A-Za-z_]+$/.test(scope)) {\n this.idsMap.set(scope, id);\n }\n\n if (scope.includes('+')) {\n const subscopes = scope.split('+');\n this.array.push(\n subscopes.map((subscope) => this.resolveScopeId(subscope)),\n );\n } else {\n this.array.push(this.resolveScopeId(scope));\n }\n\n return this;\n }\n\n has(scope: string): boolean {\n return this.array.includes(scope);\n }\n\n getArray(): ActionScopesArray {\n return [...this.array];\n }\n\n /\n Permission scopes must cover auth scopes determined in auth context.\n * @param permissionScopes\n /\n canBeExecutedInScopes(\n permissionScopes: readonly (string \| string[])[],\n ): boolean {\n // if scopes has then it can be executed in any scope\n if (this.array.includes('')) {\n return true;\n }\n\n / action scopes = ['user#jsu:123', 'org#hci', ['org#hci', 'draft']]\n /* permission scopes: ['user#jsu:123', ['org#hci', 'draft']]\n\n /*\n empty user permission scopes = full access to action\n /\n if (permissionScopes.length === 0) {\n return true;\n }\n\n /\n Empty auth scopes but user has permission scopes = no access to action\n \n action scopes = []\n * permission scopes = ['org#hci']\n \n Example:\n * User try to get list of all entities\n * But user only has permission to entity from org#hci\n /\n if (this.array.length === 0) {\n return false;\n }\n\n return this.array.some((authScope) => {\n if (Array.isArray(authScope)) {\n // scopes ['org#hci', 'draft'] == permissionScope ['org#hci', 'draft']\n\n return permissionScopes.some((permissionScope) => {\n if (Array.isArray(permissionScope)) {\n return permissionScope.every(\n (sub) => authScope.includes(sub),\n );\n }\n\n return authScope.includes(permissionScope);\n });\n }\n\n return permissionScopes.includes(authScope); // 'user#jsu:123' == 'user#jsu:123'\n });\n }\n\n /\n Resolve presaved scopes\n * @example\n * authCtx.setScope('org', 'jsorg:hci')\n * [org#hci]\n \n authCtx.setScope('org+review');\n * [org#hci, [org#hci, review]]\n /\n private resolveScopeId(scope: string) {\n const id = this.idsMap.get(scope);\n return id !== undefined\n ? `${scope}#${id}`\n : scope;\n }\n}\n","import {\n type ReadonlyResolvedPermission, type ResolvedPermission, type ResolvedPermissionGroup,\n} from '../types/permissions.js';\nimport { type IUser } from '../types/user.js';\nimport { ActionScopes, type ActionScopesArray } from './action-scopes.js';\n\n/\n * Normilize scopes to ActionScopes\n * @example\n * const scopes = normalizeScopes(['org#hci', 'user#hcu:xxxxx') // ActionScopes\n \n scopes.set('my')\n /\nconst normalizeScopes = (\n scopes: ActionScopesArray \| ActionScopes \| string,\n): ActionScopes => {\n if (scopes instanceof ActionScopes) {\n return scopes;\n }\n\n if (typeof scopes === 'string') {\n return new ActionScopes([scopes]);\n }\n\n return new ActionScopes(scopes);\n};\n\n/\n Check if user has access to permission\n * @example\n \n // Check episode access\n * const scopes = new ActionScopes();\n * scopes.setEntityId(episode.id); // id#js:core:episodes:xxxxx\n * scopes.set('org', episode.organizationId); // org#hcorg:hci\n \n isGranted(user, 'js:core:episodes:get', scopes)\n * @param user - user object with resolvedPermissions\n * @param permission - permission string (e.g. 'js:core:episodes:get')\n * @param actionScopes - action scopes (e.g. ['org#hcorg:hci'] or ActionScopes instance)\n * @returns - true if user has access to permission\n /\nexport const isGranted = (\n user: IUser,\n permission: string,\n actionScopes: ActionScopesArray \| ActionScopes \| string = [],\n): boolean => {\n const [service, module, resource, action] = permission.split(':');\n\n if (user.resolvedPermissions.length === 0) {\n return false;\n }\n\n const userPermissions = user.resolvedPermissions;\n\n const scopes = normalizeScopes(actionScopes);\n\n const permissionCanBeExecutedInScopes = (perm: ReadonlyResolvedPermission, scopes: ActionScopes) =>\n (perm.scopes.length === 0 \|\| scopes.canBeExecutedInScopes(perm.scopes));\n\n const regexp = new RegExp(`^(${service}\|\\\\):(${module}\|\\\\):(${resource}\|\\\\):(${action}\|\\\\)$`);\n\n // novajs::: or novajs::[org]:\n // novajs:module::* or novajs:module:[org]:\n // novajs:module:resource:* or novajs:module:resource:[org]:\n // novajs:modules:resource:create\n // :modules:resource:create\n if (userPermissions.some(\n (perm) => regexp.test(perm.id)\n && permissionCanBeExecutedInScopes(perm, scopes))\n ) {\n return true;\n }\n\n return false;\n};\n\nexport const encodeScopes = (scopes: (string \| string[])[]): string => {\n const scopesString = scopes\n .map((s) => (Array.isArray(s) ? s.join('+') : s))\n .join(',');\n\n return scopesString.length > 0 ? `[${scopesString}]` : '';\n};\n\n/*\n Inject scopes into permission\n * @param permission - permission string (e.g. 'js:core:episodes:get')\n * @param scopesToInject - scopes to inject (e.g. ['org', 'published'])\n * @returns - permission string with injected scopes (e.g. 'js:core:episodes[org,published]:get')\n * @example\n * injectScopesIntoPermission('js:core:episodes:get', ['org', 'published'])\n * // js:core:episodes[org,published]:get\n /\nexport const injectScopesIntoPermission = (\n permission: string,\n scopesToInject: (string \| string[])[],\n) => {\n const { id, scopes } = resolvePermission(permission);\n\n const [service, module, resource, action] = id.split(':');\n\n concatScopes(scopes, scopesToInject);\n\n return `${service}:${module}:${resource}${encodeScopes(scopes)}:${action}`;\n};\n\n/\n Concat scopes\n * @param set - set of scopes\n * @param items - items to concat\n * @example\n * concatScopes(['org#hci'], ['org#dv'])\n * // ['org#hci', 'org#dv']\n /\nexport const concatScopes = (\n set: (string \| string[])[],\n items: (string \| string[])[],\n): void => {\n for (const item of items) {\n if (Array.isArray(item)) {\n // check if scopes not includes array with subscopes rp2Scope\n if (\n !set.some(\n (scope) =>\n Array.isArray(scope)\n && scope.length === item.length\n && scope.every((s) => item.includes(s)),\n )\n ) {\n set.push(item);\n }\n } else if (!set.includes(item)) {\n set.push(item);\n }\n }\n};\n\n/\n Resolve permission string to object with scopes\n * @param permission - permission string\n * @returns - resolved permission object\n * @example\n * resolvePermission('js:core:episodes[org,published]:get')\n * // { id: 'js:core:episodes:get', scopes: ['org', 'published'] }\n /\nexport const resolvePermission = (permission: string): ResolvedPermission => {\n const matches = /\\[(?<scopes>.?)\\]/u.exec(permission);\n\n if (matches?.[0] && matches.groups?.scopes) {\n const scopes: (string \| string[])[] = matches.groups.scopes\n .split(',') // scopes with OR logic\n .map((s) => {\n if (s.includes('+')) {\n return s.split('+'); // scopes with AND logic\n }\n\n return s;\n });\n\n return {\n id: permission.replace(matches[0], ''),\n scopes,\n };\n }\n\n return {\n id: permission,\n scopes: [],\n };\n};\n\n/*\n Resolve permissions to array of resolved permissions\n * @param permissions - array of permissions\n * @returns - array of resolved permissions\n * @example\n * resolvePermissions(['js:core:episodes[org]:get', 'js:core:episodes[published]:get'])\n * // [{ id: 'js:core:episodes:get', scopes: ['org', 'published'] }]\n /\nexport const resolvePermissions = (\n permissions: string[],\n): ResolvedPermission[] => {\n const resolvedPermissions: ResolvedPermission[] = [];\n\n for (const permission of permissions) {\n const { id, scopes } = resolvePermission(permission);\n\n const currentPermission = resolvedPermissions.find(\n (p) => p.id === id,\n );\n\n if (currentPermission) {\n concatScopes(currentPermission.scopes, scopes);\n } else {\n resolvedPermissions.push({\n id,\n scopes,\n });\n }\n }\n\n return resolvedPermissions;\n};\n\n/\n Resolve permission group string to object with scopes\n * @param permissionGroup - permission group string\n * @returns - resolved permission group object\n * @example\n * resolvePermissionGroup('g:js:core:episodes[org]:read')\n * // { id: 'g:js:core:episodes:read', scopes: ['org'] }\n /\nexport const resolvePermissionGroup = (permissionGroup: string) => {\n // Currently it has the same algorithm\n return resolvePermission(permissionGroup);\n};\n\n/\n Resolve permission groups to array of resolved permission groups\n * @param permissionGroups - array of permission groups\n * @returns - array of resolved permission groups\n * @example\n * resolvePermissionGroups(['g:js:core:episodes[org]:read', 'g:js:core:episodes[published]:read'])\n * // [{ id: 'g:js:core:episodes:read', scopes: ['org', 'published'] }]\n /\nexport const resolvePermissionGroups = (\n permissionGroups: string[],\n): ResolvedPermissionGroup[] => {\n // Currently it has the same algorithm\n return resolvePermissions(permissionGroups);\n};\n\nexport const mergeResolvedPermissions = (\n array1: ResolvedPermission[],\n array2: ResolvedPermission[],\n) => {\n const result: ResolvedPermission[] = [];\n\n for (const rp1 of array1) {\n const rps2 = array2.filter((rp2) => rp2.id === rp1.id);\n\n / Empty scopes = has full access /\n if (\n rp1.scopes.length === 0\n \|\| rps2.some((rp2) => rp2.id === rp1.id && rp2.scopes.length === 0)\n ) {\n result.push({\n id: rp1.id,\n scopes: [],\n });\n\n continue;\n }\n\n // [org#hci, user#hcu:xxxxx, [org#hci, review]]\n const scopes = [...rp1.scopes];\n for (const rp2 of rps2) {\n concatScopes(scopes, rp2.scopes);\n }\n\n result.push({\n id: rp1.id,\n scopes,\n });\n }\n\n for (const rp2 of array2) {\n if (!result.some((rp) => rp.id === rp2.id)) {\n result.push(rp2);\n }\n }\n\n return result;\n};\n\n/\n Replace scope in array of scopes\n * @param scopes - array of scopes\n * @param from - scope to replace\n * @param to - scope to replace with\n * @returns - array of scopes with replaced scopes\n * @example\n * replaceScope(['org#jsorg:xxx', ['org#jsorg:xxx', 'published']], 'org#jsorg:xxx', 'org#jsorg:hci')\n * // ['org#jsorg:hci', ['org#jsorg:hci', 'published']]\n /\nexport const replaceScope = (\n scopes: (string \| string[])[], // [org#jsorg:xxx, [org#jsorg:xxx, published]]\n from: string,\n to: string \| (string \| string[])[],\n) => {\n const result: (string \| string[])[] = [];\n for (const scope of scopes) {\n if (Array.isArray(scope)) {\n result.push(replaceScope(scope, from, to) as string[]);\n } else if (scope === from) {\n if (Array.isArray(to)) {\n result.push(...to);\n } else {\n result.push(to);\n }\n } else {\n result.push(scope);\n }\n }\n\n return result;\n};\n","import { concatScopes } from './helpers.js';\n\nexport class ScopesBulder {\n constructor(private scopes: (string \| string[])[] = []) {}\n\n static fromBulder(builder: ScopesBulder) {\n return new ScopesBulder(builder.scopes.slice());\n }\n\n build() {\n return JSON.parse(JSON.stringify(this.scopes)) as (string \| string[])[];\n }\n\n clone() {\n return ScopesBulder.fromBulder(this);\n }\n\n /\n Append scope or scopes to the current scopes\n * @param scope - scope or array of scopes to append\n * @example\n * append('org#jsorg:hci')\n * // ['org#xxx'] => ['org#xxx', 'org#jsorg:hci']\n * append(['org#hci', 'lang#en])\n * // ['org#xxx'] => ['org#xxx', ['org#hci', 'lang#en']]\n /\n append(scope: string \| string[]) {\n this.scopes.push(scope);\n }\n\n /\n Extend current scopes with the given scopes\n * @param scopes - scope or array of scopes to extend with\n * @example\n * extend(['lang#en', 'lang#de'])\n * // ['published', 'draft'] => ['published', 'draft', 'lang#en', 'lang#de']\n /\n extend(scopes: (string \| string[])[] \| ScopesBulder) {\n if (Array.isArray(scopes)) {\n concatScopes(this.scopes, scopes);\n } else if (scopes instanceof ScopesBulder) {\n concatScopes(this.scopes, scopes.scopes);\n }\n }\n\n /\n Join all scopes with the given scope\n * @param scope - scope to join with\n * @example\n * join('org#jsorg:hci', 'before')\n * // ['published', 'draft'] => [['org#jsorg:hci', 'published'], ['org#jsorg:hci', 'draft']]\n * join(['lang#en', 'lang#de'])\n * // ['published', 'draft'] => [['published', 'lang#en'], ['published', 'lang#de'], ['draft', 'lang#en'], ['draft', 'lang#de']]\n /\n join(scopeOrScopes: string \| (string \| string[])[], pos: 'before' \| 'after' = 'after') {\n const result: (string \| string[])[] = [];\n\n const scopesToJoin = Array.isArray(scopeOrScopes) ? scopeOrScopes : [scopeOrScopes];\n\n if (scopesToJoin.length === 0) {\n return;\n }\n\n const currentScopesCopy = this.build();\n for (const scope of scopesToJoin) {\n const scopeToJoin = Array.isArray(scope) ? scope : [scope];\n\n for (const s of currentScopesCopy) {\n if (Array.isArray(s)) {\n result.push(pos === 'before' ? [...scopeToJoin, ...s] : [...s, ...scopeToJoin]);\n } else {\n result.push(pos === 'before' ? [...scopeToJoin, s] : [s, ...scopeToJoin]);\n }\n }\n }\n\n this.scopes = result;\n }\n\n /\n Replace prefix in all scopes\n * @param from - prefix to replace\n * @param to - prefix to replace with\n * @example\n * replacePrefix('org', 'id')\n * ['org#jsorg:hci'] => ['id#jsorg:hci']\n */\n replacePrefix(from: string, to: string) {\n const result: (string \| string[])[] = [];\n for (const scope of this.scopes) {\n if (Array.isArray(scope)) {\n result.push(scope.map((s) => s.replace(`${from}#`, `${to}#`)));\n } else {\n result.push(scope.replace(`${from}#`, `${to}#`));\n }\n }\n this.scopes = result;\n }\n}\n"],"mappings":";;;;;;;AAMA,IAAa,eAAb,MAA0B;CACxB,AAAO,QAA2B,EAAE;CACpC,AAAO,WAAW;CAClB,AAAQ,yBAAS,IAAI,KAAqB;CAE1C,YAAY,QAA4B;AACtC,MAAI,OACF,MAAK,QAAQ;;;;;;;;;;;CAajB,YAAY,MAAkB;AAC5B,OAAK,IAAI,MAAMA,OAAK;AAEpB,SAAO;;;;;;;;;;;;;;;;CAiBT,IAAI,SAAe,MAAmB;AACpC,MAAIA,QAAM,eAAe,KAAKC,QAAM,CAClC,MAAK,OAAO,IAAIA,SAAOD,KAAG;AAG5B,MAAIC,QAAM,SAAS,IAAI,EAAE;GACvB,MAAM,YAAYA,QAAM,MAAM,IAAI;AAClC,QAAK,MAAM,KACT,UAAU,KAAK,aAAa,KAAK,eAAe,SAAS,CAAC,CAC3D;QAED,MAAK,MAAM,KAAK,KAAK,eAAeA,QAAM,CAAC;AAG7C,SAAO;;CAGT,IAAI,SAAwB;AAC1B,SAAO,KAAK,MAAM,SAASA,QAAM;;CAGnC,WAA8B;AAC5B,SAAO,CAAC,GAAG,KAAK,MAAM;;;;;;CAOxB,sBACE,kBACS;AAET,MAAI,KAAK,MAAM,SAAS,IAAI,CAC1B,QAAO;AAST,MAAI,iBAAiB,WAAW,EAC9B,QAAO;;;;;;;;;;;AAaT,MAAI,KAAK,MAAM,WAAW,EACxB,QAAO;AAGT,SAAO,KAAK,MAAM,MAAM,cAAc;AACpC,OAAI,MAAM,QAAQ,UAAU,CAG1B,QAAO,iBAAiB,MAAM,oBAAoB;AAChD,QAAI,MAAM,QAAQ,gBAAgB,CAChC,QAAO,gBAAgB,OACpB,QAAQ,UAAU,SAAS,IAAI,CACjC;AAGH,WAAO,UAAU,SAAS,gBAAgB;KAC1C;AAGJ,UAAO,iBAAiB,SAAS,UAAU;IAC3C;;;;;;;;;;;CAYJ,AAAQ,eAAe,SAAe;EACpC,MAAMD,OAAK,KAAK,OAAO,IAAIC,QAAM;AACjC,SAAOD,SAAO,SACV,GAAGC,QAAM,GAAGD,SACZC;;;;;;;;;;;;;AC9HR,MAAM,mBACJ,WACiB;AACjB,KAAI,kBAAkB,aACpB,QAAO;AAGT,KAAI,OAAO,WAAW,SACpB,QAAO,IAAI,aAAa,CAAC,OAAO,CAAC;AAGnC,QAAO,IAAI,aAAa,OAAO;;;;;;;;;;;;;;;;;AAkBjC,MAAa,aACX,QACA,YACA,eAA0D,EAAE,KAChD;CACZ,MAAM,CAAC,SAAS,QAAQ,UAAU,UAAU,WAAW,MAAM,IAAI;AAEjE,KAAIC,OAAK,oBAAoB,WAAW,EACtC,QAAO;CAGT,MAAM,kBAAkBA,OAAK;CAE7B,MAAM,SAAS,gBAAgB,aAAa;CAE5C,MAAM,mCAAmC,MAAkC,aACxE,KAAK,OAAO,WAAW,KAAKC,SAAO,sBAAsB,KAAK,OAAO;CAExE,MAAM,yBAAS,IAAI,OAAO,KAAK,QAAQ,SAAS,OAAO,SAAS,SAAS,SAAS,OAAO,QAAQ;AAOjG,KAAI,gBAAgB,MACjB,SAAS,OAAO,KAAK,KAAK,GAAG,IACzB,gCAAgC,MAAM,OAAO,CAAC,CAEnD,QAAO;AAGT,QAAO;;AAGT,MAAa,gBAAgB,WAA0C;CACrE,MAAM,eAAe,OAClB,KAAK,MAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,KAAK,IAAI,GAAG,EAAG,CAChD,KAAK,IAAI;AAEZ,QAAO,aAAa,SAAS,IAAI,IAAI,aAAa,KAAK;;;;;;;;;;;AAYzD,MAAa,8BACX,YACA,mBACG;CACH,MAAM,EAAE,UAAI,WAAW,kBAAkB,WAAW;CAEpD,MAAM,CAAC,SAAS,QAAQ,UAAU,UAAUC,KAAG,MAAM,IAAI;AAEzD,cAAa,QAAQ,eAAe;AAEpC,QAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,WAAW,aAAa,OAAO,CAAC,GAAG;;;;;;;;;;AAWpE,MAAa,gBACX,KACA,UACS;AACT,MAAK,MAAM,QAAQ,MACjB,KAAI,MAAM,QAAQ,KAAK,EAErB;MACE,CAAC,IAAI,MACF,YACC,MAAM,QAAQC,QAAM,IACjBA,QAAM,WAAW,KAAK,UACtBA,QAAM,OAAO,MAAM,KAAK,SAAS,EAAE,CAAC,CAC1C,CAED,KAAI,KAAK,KAAK;YAEP,CAAC,IAAI,SAAS,KAAK,CAC5B,KAAI,KAAK,KAAK;;;;;;;;;;AAapB,MAAa,qBAAqB,eAA2C;CAC3E,MAAM,UAAU,sBAAsB,KAAK,WAAW;AAEtD,KAAI,UAAU,MAAM,QAAQ,QAAQ,QAAQ;EAC1C,MAAMC,SAAgC,QAAQ,OAAO,OAClD,MAAM,IAAI,CACV,KAAK,MAAM;AACV,OAAI,EAAE,SAAS,IAAI,CACjB,QAAO,EAAE,MAAM,IAAI;AAGrB,UAAO;IACP;AAEJ,SAAO;GACL,IAAI,WAAW,QAAQ,QAAQ,IAAI,GAAG;GACtC;GACD;;AAGH,QAAO;EACL,IAAI;EACJ,QAAQ,EAAE;EACX;;;;;;;;;;AAWH,MAAa,sBACX,gBACyB;CACzB,MAAMC,sBAA4C,EAAE;AAEpD,MAAK,MAAM,cAAc,aAAa;EACpC,MAAM,EAAE,UAAI,WAAW,kBAAkB,WAAW;EAEpD,MAAM,oBAAoB,oBAAoB,MAC3C,MAAM,EAAE,OAAOH,KACjB;AAED,MAAI,kBACF,cAAa,kBAAkB,QAAQ,OAAO;MAE9C,qBAAoB,KAAK;GACvB;GACA;GACD,CAAC;;AAIN,QAAO;;;;;;;;;;AAWT,MAAa,0BAA0B,oBAA4B;AAEjE,QAAO,kBAAkB,gBAAgB;;;;;;;;;;AAW3C,MAAa,2BACX,qBAC8B;AAE9B,QAAO,mBAAmB,iBAAiB;;AAG7C,MAAa,4BACX,QACA,WACG;CACH,MAAMI,SAA+B,EAAE;AAEvC,MAAK,MAAM,OAAO,QAAQ;EACxB,MAAM,OAAO,OAAO,QAAQ,QAAQ,IAAI,OAAO,IAAI,GAAG;AAGtD,MACE,IAAI,OAAO,WAAW,KACnB,KAAK,MAAM,QAAQ,IAAI,OAAO,IAAI,MAAM,IAAI,OAAO,WAAW,EAAE,EACnE;AACA,UAAO,KAAK;IACV,IAAI,IAAI;IACR,QAAQ,EAAE;IACX,CAAC;AAEF;;EAIF,MAAM,SAAS,CAAC,GAAG,IAAI,OAAO;AAC9B,OAAK,MAAM,OAAO,KAChB,cAAa,QAAQ,IAAI,OAAO;AAGlC,SAAO,KAAK;GACV,IAAI,IAAI;GACR;GACD,CAAC;;AAGJ,MAAK,MAAM,OAAO,OAChB,KAAI,CAAC,OAAO,MAAM,OAAO,GAAG,OAAO,IAAI,GAAG,CACxC,QAAO,KAAK,IAAI;AAIpB,QAAO;;;;;;;;;;;;AAaT,MAAa,gBACX,QACA,MACA,OACG;CACH,MAAMC,SAAgC,EAAE;AACxC,MAAK,MAAMJ,WAAS,OAClB,KAAI,MAAM,QAAQA,QAAM,CACtB,QAAO,KAAK,aAAaA,SAAO,MAAM,GAAG,CAAa;UAC7CA,YAAU,KACnB,KAAI,MAAM,QAAQ,GAAG,CACnB,QAAO,KAAK,GAAG,GAAG;KAElB,QAAO,KAAK,GAAG;KAGjB,QAAO,KAAKA,QAAM;AAItB,QAAO;;;;;AChTT,IAAa,eAAb,MAAa,aAAa;CACxB,YAAY,AAAQK,SAAgC,EAAE,EAAE;EAApC;;CAEpB,OAAO,WAAW,SAAuB;AACvC,SAAO,IAAI,aAAa,QAAQ,OAAO,OAAO,CAAC;;CAGjD,QAAQ;AACN,SAAO,KAAK,MAAM,KAAK,UAAU,KAAK,OAAO,CAAC;;CAGhD,QAAQ;AACN,SAAO,aAAa,WAAW,KAAK;;;;;;;;;;;CAYtC,OAAO,SAA0B;AAC/B,OAAK,OAAO,KAAKC,QAAM;;;;;;;;;CAUzB,OAAO,QAA8C;AACnD,MAAI,MAAM,QAAQ,OAAO,CACvB,cAAa,KAAK,QAAQ,OAAO;WACxB,kBAAkB,aAC3B,cAAa,KAAK,QAAQ,OAAO,OAAO;;;;;;;;;;;CAa5C,KAAK,eAA+C,MAA0B,SAAS;EACrF,MAAMC,SAAgC,EAAE;EAExC,MAAM,eAAe,MAAM,QAAQ,cAAc,GAAG,gBAAgB,CAAC,cAAc;AAEnF,MAAI,aAAa,WAAW,EAC1B;EAGF,MAAM,oBAAoB,KAAK,OAAO;AACtC,OAAK,MAAMD,WAAS,cAAc;GAChC,MAAM,cAAc,MAAM,QAAQA,QAAM,GAAGA,UAAQ,CAACA,QAAM;AAE1D,QAAK,MAAM,KAAK,kBACd,KAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,QAAQ,WAAW,CAAC,GAAG,aAAa,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,GAAG,YAAY,CAAC;OAE/E,QAAO,KAAK,QAAQ,WAAW,CAAC,GAAG,aAAa,EAAE,GAAG,CAAC,GAAG,GAAG,YAAY,CAAC;;AAK/E,OAAK,SAAS;;;;;;;;;;CAWhB,cAAc,MAAc,IAAY;EACtC,MAAMC,SAAgC,EAAE;AACxC,OAAK,MAAMD,WAAS,KAAK,OACvB,KAAI,MAAM,QAAQA,QAAM,CACtB,QAAO,KAAKA,QAAM,KAAK,MAAM,EAAE,QAAQ,GAAG,KAAK,IAAI,GAAG,GAAG,GAAG,CAAC,CAAC;MAE9D,QAAO,KAAKA,QAAM,QAAQ,GAAG,KAAK,IAAI,GAAG,GAAG,GAAG,CAAC;AAGpD,OAAK,SAAS"}

package/dist/scopes.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { a as group, c as scope, i as form, l as scopes, n as and, o as id, r as anyScope, s as org, t as ScopeItem, u as user } from "./functional-scopes-DygK315q.js";
-export { ScopeItem, and, anyScope, form, group, id, org, scope, scopes, user };
+import { a as group, c as scope, i as form, l as user, n as and, o as id, r as anyScope, s as org, t as ScopeItem } from "./functional-scopes-ut8Z6MmG.js";
+export { ScopeItem, and, anyScope, form, group, id, org, scope, user };

package/dist/scopes.js CHANGED Viewed

@@ -1,3 +1,3 @@
-import { a as id, c as scopes, i as group, l as user, n as anyScope, o as org, r as form, s as scope, t as and } from "./functional-scopes-CsZNJMXW.js";
+import { a as id, c as user, i as group, n as anyScope, o as org, r as form, s as scope, t as and } from "./functional-scopes-COiTBSy_.js";
-export { and, anyScope, form, group, id, org, scope, scopes, user };
+export { and, anyScope, form, group, id, org, scope, user };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pcg/auth",
-  "version": "1.0.0-alpha.2",
+  "version": "1.0.0-alpha.3",
   "description": "Authorization library",
   "license": "MIT",
   "author": {
@@ -27,15 +27,15 @@
   "files": [
     "dist"
   ],
-  "devDependencies": {
-    "@vitest/ui": "^4.0.8",
-    "vitest": "^4.0.8"
-  },
   "scripts": {
     "dev": "tsdown --watch",
     "build": "tsdown",
     "test": "vitest run",
     "test:watch": "vitest",
     "lint": "eslint \"src/**/*.ts\" --fix"
+  },
+  "devDependencies": {
+    "@vitest/ui": "^4.0.8",
+    "vitest": "^4.0.8"
   }
-}
+}

package/dist/functional-scopes-CsZNJMXW.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"functional-scopes-CsZNJMXW.js","names":["id"],"sources":["../src/permissions/functional-scopes.ts"],"sourcesContent":["import { type ActionScopesArray } from './action-scopes.js';\n\nexport type ScopeItem = string | string[];\n\n/**\n * Create an ActionScopesArray from individual scope items.\n *\n * @example\n * scopes(org('jsorg:hci'))\n * // => ['org#jsorg:hci']\n *\n * scopes(org('jsorg:hci'), entityId('ep:123'))\n * // => ['org#jsorg:hci', 'id#ep:123']\n *\n * const o = org('jsorg:hci');\n * scopes(o, and(o, 'published'))\n * // => ['org#jsorg:hci', ['org#jsorg:hci', 'published']]\n */\nexport function scopes(...items: ScopeItem[]): ActionScopesArray {\n return items;\n}\n\n/**\n * Create a wildcard scope that matches any permission scope.\n *\n * @example\n * isGranted(user, 'js:core:episodes:list', anyScope())\n */\nexport function anyScope(): ActionScopesArray {\n return ['*'];\n}\n\n/**\n * Create an organization scope.\n *\n * @example\n * org('jsorg:hci') // => 'org#jsorg:hci'\n */\nexport function org(id: string): string {\n return `org#${id}`;\n}\n\n/**\n * Create an entity id scope.\n *\n * @example\n * id('ep:123') // => 'id#ep:123'\n */\nexport function id(entityId: string): string {\n return `id#${entityId}`;\n}\n\n/**\n * Create a user scope.\n *\n * @example\n * user('hcu:xxx') // => 'user#hcu:xxx'\n */\nexport function user(id: string): string {\n return `user#${id}`;\n}\n\n/**\n * Create a form scope.\n *\n * @example\n * form('contact') // => 'form#contact'\n */\nexport function form(id: string): string {\n return `form#${id}`;\n}\n\n/**\n * Create a group scope.\n *\n * @example\n * group('hcgrp:ZT9') // => 'grp#hcgrp:ZT9'\n */\nexport function group(id: string): string {\n return `grp#${id}`;\n}\n\n/**\n * Create a named scope with an optional ID.\n *\n * @example\n * scope('published') // => 'published'\n * scope('orggroup', 'hcgrp:ZT9mt8j9lSR') // => 'orggroup#hcgrp:ZT9mt8j9lSR'\n */\nexport function scope(name: string, id?: string): string {\n return id ? `${name}#${id}` : name;\n}\n\n/**\n * Combine multiple scopes with AND logic (all must match).\n *\n * @example\n * and(org('jsorg:hci'), 'published')\n * // => ['org#jsorg:hci', 'published']\n */\nexport function and(...items: string[]): string[] {\n return items;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAkBA,SAAgB,OAAO,GAAG,OAAuC;AAC/D,QAAO;;;;;;;;AAST,SAAgB,WAA8B;AAC5C,QAAO,CAAC,IAAI;;;;;;;;AASd,SAAgB,IAAI,MAAoB;AACtC,QAAO,OAAOA;;;;;;;;AAShB,SAAgB,GAAG,UAA0B;AAC3C,QAAO,MAAM;;;;;;;;AASf,SAAgB,KAAK,MAAoB;AACvC,QAAO,QAAQA;;;;;;;;AASjB,SAAgB,KAAK,MAAoB;AACvC,QAAO,QAAQA;;;;;;;;AASjB,SAAgB,MAAM,MAAoB;AACxC,QAAO,OAAOA;;;;;;;;;AAUhB,SAAgB,MAAM,MAAc,MAAqB;AACvD,QAAOA,OAAK,GAAG,KAAK,GAAGA,SAAO;;;;;;;;;AAUhC,SAAgB,IAAI,GAAG,OAA2B;AAChD,QAAO"}

package/dist/functional-scopes-DygK315q.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"functional-scopes-DygK315q.d.ts","names":[],"sources":["../src/permissions/action-scopes.ts","../src/permissions/functional-scopes.ts"],"sourcesContent":[],"mappings":";KAAY,iBAAA;AAAZ;AAMA;;;AA6Dc,cA7DD,YAAA,CA6DC;EAAiB,KAAA,EA5Df,iBA4De;;;uBAxDR;ECTX;AAgBZ;AAUA;AAUA;AAUA;AAUA;AAUA;AAUA;AAWA;EAWgB,WAAG,CAAA,EAAA,EAAA,MAAA,CAAA,EAAA,IAAA;;;;;;;;;;;;;;;;;cDjCL;;;;;;;;;;;;;;;;;;;AAnEF,KCEA,SAAA,GDFiB,MAAA,GAAA,MAAA,EAAA;AAM7B;;;;;;;;ACJA;AAgBA;AAUA;AAUA;AAUA;AAUA;AAUgB,iBAlDA,MAAA,CAkDI,GAAA,KAAA,EAlDa,SAkDb,EAAA,CAAA,EAlD2B,iBAkD3B;AAUpB;AAWA;AAWA;;;;iBAxEgB,QAAA,CAAA,GAAY;;;;;;;iBAUZ,GAAA;;;;;;;iBAUA,EAAA;;;;;;;iBAUA,IAAA;;;;;;;iBAUA,IAAA;;;;;;;iBAUA,KAAA;;;;;;;;iBAWA,KAAA;;;;;;;;iBAWA,GAAA"}