@platformatic/db-authorization 3.29.1 → 3.31.0

package/index.d.ts

@@ -47,11 +47,14 @@ export type AuthorizationRule<T> = AuthorizationRuleEntity<T> | AuthorizationRul
 export type SetupDBAuthorizationUserDecorator = () => Promise<void>
 export type AddRulesForRoles = <T>(rules: Iterable<AuthorizationRule<T>>) => void
 
+export type RoleMergeStrategy = 'first-match' | 'most-permissive'
+
 export interface DBAuthorizationPluginOptions<T = any> extends FastifyUserPluginOptions {
   adminSecret?: string
   roleKey?: string
   isRolePath?: boolean
   anonymousRole?: string
+  roleMergeStrategy?: RoleMergeStrategy
   rules?: Array<AuthorizationRule<T>>
 }
 

package/index.js

@@ -13,6 +13,7 @@ async function auth (app, opts) {
   const roleKey = opts.rolePath || opts.roleKey || 'X-PLATFORMATIC-ROLE'
   const isRolePath = !!opts.rolePath // if `true` the role is intepreted as path like `user.role`
   const anonymousRole = opts.anonymousRole || 'anonymous'
+  const roleMergeStrategy = opts.roleMergeStrategy || 'first-match'
 
   app.decorateRequest('setupDBAuthorizationUser', setupUser)
 
@@ -174,7 +175,7 @@ async function auth (app, opts) {
             return originalFind({ ...restOpts, where, ctx, fields })
           }
           const request = getRequestFromContext(ctx)
-          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)
+          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath, roleMergeStrategy)
           checkFieldsFromRule(rule.find, fields || Object.keys(app.platformatic.entities[entityKey].fields))
           where = await fromRuleToWhere(ctx, rule.find, where, request.user)
 
@@ -186,7 +187,7 @@ async function auth (app, opts) {
             return originalSave({ ctx, input, fields, ...restOpts })
           }
           const request = getRequestFromContext(ctx)
-          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)
+          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath, roleMergeStrategy)
 
           if (!rule.save) {
             throw new Unauthorized()
@@ -237,7 +238,7 @@ async function auth (app, opts) {
             return originalInsert({ inputs, ctx, fields, ...restOpts })
           }
           const request = getRequestFromContext(ctx)
-          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)
+          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath, roleMergeStrategy)
 
           if (!rule.save) {
             throw new Unauthorized()
@@ -268,7 +269,7 @@ async function auth (app, opts) {
             return originalDelete({ where, ctx, fields, ...restOpts })
           }
           const request = getRequestFromContext(ctx)
-          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)
+          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath, roleMergeStrategy)
 
           where = await fromRuleToWhere(ctx, rule.delete, where, request.user)
 
@@ -280,7 +281,7 @@ async function auth (app, opts) {
             return originalUpdateMany({ ...restOpts, where, ctx, fields })
           }
           const request = getRequestFromContext(ctx)
-          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath)
+          const rule = await findRuleForRequestUser(ctx, rules, roleKey, anonymousRole, isRolePath, roleMergeStrategy)
 
           where = await fromRuleToWhere(ctx, rule.updateMany, where, request.user)
 
@@ -357,11 +358,11 @@ async function fromRuleToWhere (ctx, rule, where, user) {
   return where
 }
 
-async function findRuleForRequestUser (ctx, rules, roleKey, anonymousRole, isRolePath = false) {
+async function findRuleForRequestUser (ctx, rules, roleKey, anonymousRole, isRolePath = false, roleMergeStrategy = 'first-match') {
   const request = getRequestFromContext(ctx)
   await request.setupDBAuthorizationUser()
   const roles = getRoles(request, roleKey, anonymousRole, isRolePath)
-  const rule = findRule(rules, roles)
+  const rule = findRule(rules, roles, roleMergeStrategy)
   if (!rule) {
     ctx.reply.request.log.warn({ roles, rules }, 'no rule for roles')
     throw new Unauthorized()

package/lib/find-rule.d.ts

@@ -1,4 +1,3 @@
-import { MercuriusContext } from 'mercurius'
 interface IRules {
   [key: string]: {
     role: string,
@@ -11,4 +10,6 @@ interface IRules {
   }
 }
 
-export default function findRule (ctx: MercuriusContext, rules: IRules[], roleKey: string, anonymousRole: string)
+export type RoleMergeStrategy = 'first-match' | 'most-permissive'
+
+export default function findRule (rules: IRules[], roles: string[], strategy?: RoleMergeStrategy): IRules | null

package/lib/find-rule.js

@@ -1,4 +1,13 @@
-export function findRule (rules, roles) {
+const PLT_ADMIN_ROLE = 'platformatic-admin'
+
+export function findRule (rules, roles, strategy = 'first-match') {
+  if (strategy === 'first-match') {
+    return findRuleFirstMatch(rules, roles)
+  }
+  return findRuleMostPermissive(rules, roles)
+}
+
+function findRuleFirstMatch (rules, roles) {
   let found = null
   for (const rule of rules) {
     for (const role of roles) {
@@ -13,3 +22,52 @@ export function findRule (rules, roles) {
   }
   return found
 }
+
+function findRuleMostPermissive (rules, roles) {
+  const matchingRules = []
+
+  for (const rule of rules) {
+    for (const role of roles) {
+      if (rule.role === role) {
+        matchingRules.push(rule)
+        break
+      }
+    }
+  }
+
+  if (matchingRules.length === 0) {
+    return null
+  }
+
+  if (matchingRules.length === 1) {
+    return matchingRules[0]
+  }
+
+  const nonAdminRules = matchingRules.filter(rule => rule.role !== PLT_ADMIN_ROLE)
+  const rulesToMerge = nonAdminRules.length > 0 ? nonAdminRules : matchingRules
+
+  if (rulesToMerge.length === 1) {
+    return rulesToMerge[0]
+  }
+
+  const mergedRule = { ...rulesToMerge[0] }
+
+  for (let i = 1; i < rulesToMerge.length; i++) {
+    const rule = rulesToMerge[i]
+
+    for (const key of Object.keys(rule)) {
+      if (key === 'role' || key === 'entity') {
+        continue
+      }
+
+      const currentValue = mergedRule[key]
+      const newValue = rule[key]
+
+      if (newValue && !currentValue) {
+        mergedRule[key] = newValue
+      }
+    }
+  }
+
+  return mergedRule
+}

package/lib/schema.js

@@ -13,6 +13,12 @@ export const AuthSchema = {
     rolePath: {
       type: 'string',
       description: 'The path in the user object that contains the roles.'
+    },
+    roleMergeStrategy: {
+      type: 'string',
+      enum: ['first-match', 'most-permissive'],
+      default: 'first-match',
+      description: 'Strategy for merging permissions when a user has multiple roles. "first-match" returns the first matching rule (default). "most-permissive" merges all matching rules, where truthy permissions win over falsy ones.'
     }
   },
   additionalProperties: true // TODO remove and add proper validation for the rules

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@platformatic/db-authorization",
-  "version": "3.29.1",
+  "version": "3.31.0",
   "description": "",
   "main": "index.js",
   "type": "module",
@@ -17,15 +17,15 @@
     "cleaner-spec-reporter": "^0.5.0",
     "eslint": "9",
     "fast-jwt": "^5.0.0",
-    "fastify": "^5.0.0",
+    "fastify": "^5.7.0",
     "get-jwks": "^11.0.0",
     "neostandard": "^0.12.0",
     "tsd": "^0.33.0",
     "typescript": "^5.5.4",
     "why-is-node-running": "^2.2.2",
     "ws": "^8.16.0",
-    "@platformatic/db-core": "3.29.1",
-    "@platformatic/sql-mapper": "3.29.1"
+    "@platformatic/db-core": "3.31.0",
+    "@platformatic/sql-mapper": "3.31.0"
   },
   "dependencies": {
     "@fastify/error": "^4.0.0",