@prosopo/user-access-policy 2.6.4 → 3.1.5

package/dist/api/deleteAllRulesEndpoint.js

@@ -0,0 +1,21 @@
+import { ApiEndpointResponseStatus, } from "@prosopo/api-route";
+import { z } from "zod";
+export const deleteAllRulesEndpointSchema = z.object({});
+export class DeleteAllRulesEndpoint {
+    constructor(accessRulesStorage) {
+        this.accessRulesStorage = accessRulesStorage;
+    }
+    async processRequest(args) {
+        const deletedCount = await this.accessRulesStorage.deleteAllRules();
+        return {
+            status: ApiEndpointResponseStatus.SUCCESS,
+            data: {
+                deleted_count: deletedCount,
+            },
+        };
+    }
+    getRequestArgsSchema() {
+        return deleteAllRulesEndpointSchema;
+    }
+}
+//# sourceMappingURL=deleteAllRulesEndpoint.js.map

package/dist/api/deleteAllRulesEndpoint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteAllRulesEndpoint.js","sourceRoot":"","sources":["../../src/api/deleteAllRulesEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EAGN,yBAAyB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAIzD,MAAM,OAAO,sBAAsB;IAGlC,YAAoC,kBAAsC;QAAtC,uBAAkB,GAAlB,kBAAkB,CAAoB;IAAG,CAAC;IAE9E,KAAK,CAAC,cAAc,CACnB,IAA2C;QAE3C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,cAAc,EAAE,CAAC;QAEpE,OAAO;YACN,MAAM,EAAE,yBAAyB,CAAC,OAAO;YACzC,IAAI,EAAE;gBACL,aAAa,EAAE,YAAY;aAC3B;SACD,CAAC;IACH,CAAC;IAED,oBAAoB;QACnB,OAAO,4BAA4B,CAAC;IACrC,CAAC;CACD"}

package/dist/api/deleteRulesEndpoint.d.ts

@@ -0,0 +1,116 @@
+import { type ApiEndpoint, type ApiEndpointResponse } from "@prosopo/api-route";
+import { z } from "zod";
+import type { AccessRulesStorage } from "#policy/accessRules.js";
+export declare const deleteRulesEndpointSchema: z.ZodArray<z.ZodObject<{
+    policyScope: z.ZodOptional<z.ZodObject<{
+        clientId: z.ZodOptional<z.ZodString>;
+        ruleGroupId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        clientId?: string | undefined;
+        ruleGroupId?: string | undefined;
+    }, {
+        clientId?: string | undefined;
+        ruleGroupId?: string | undefined;
+    }>>;
+    policyScopeMatch: z.ZodDefault<z.ZodNativeEnum<typeof import("#policy/accessPolicyResolver.js").ScopeMatch>>;
+    userScope: z.ZodOptional<z.ZodEffects<z.ZodObject<z.objectUtil.extendShape<{
+        userId: z.ZodOptional<z.ZodString>;
+        numericIp: z.ZodOptional<z.ZodBigInt>;
+        numericIpMaskMin: z.ZodOptional<z.ZodBigInt>;
+        numericIpMaskMax: z.ZodOptional<z.ZodBigInt>;
+        ja4Hash: z.ZodOptional<z.ZodString>;
+        headersHash: z.ZodOptional<z.ZodString>;
+        userAgentHash: z.ZodOptional<z.ZodString>;
+    }, {
+        ip: z.ZodOptional<z.ZodString>;
+        ipMask: z.ZodOptional<z.ZodString>;
+        userAgent: z.ZodOptional<z.ZodString>;
+    }>, "strip", z.ZodTypeAny, {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+        ip?: string | undefined;
+        ipMask?: string | undefined;
+        userAgent?: string | undefined;
+    }, {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+        ip?: string | undefined;
+        ipMask?: string | undefined;
+        userAgent?: string | undefined;
+    }>, {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+    }, {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+        ip?: string | undefined;
+        ipMask?: string | undefined;
+        userAgent?: string | undefined;
+    }>>;
+    userScopeMatch: z.ZodDefault<z.ZodNativeEnum<typeof import("#policy/accessPolicyResolver.js").ScopeMatch>>;
+}, "strip", z.ZodTypeAny, {
+    policyScopeMatch: import("#policy/accessPolicyResolver.js").ScopeMatch;
+    userScopeMatch: import("#policy/accessPolicyResolver.js").ScopeMatch;
+    userScope?: {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+    } | undefined;
+    policyScope?: {
+        clientId?: string | undefined;
+        ruleGroupId?: string | undefined;
+    } | undefined;
+}, {
+    userScope?: {
+        userId?: string | undefined;
+        numericIp?: bigint | undefined;
+        numericIpMaskMin?: bigint | undefined;
+        numericIpMaskMax?: bigint | undefined;
+        ja4Hash?: string | undefined;
+        headersHash?: string | undefined;
+        userAgentHash?: string | undefined;
+        ip?: string | undefined;
+        ipMask?: string | undefined;
+        userAgent?: string | undefined;
+    } | undefined;
+    policyScope?: {
+        clientId?: string | undefined;
+        ruleGroupId?: string | undefined;
+    } | undefined;
+    policyScopeMatch?: import("#policy/accessPolicyResolver.js").ScopeMatch | undefined;
+    userScopeMatch?: import("#policy/accessPolicyResolver.js").ScopeMatch | undefined;
+}>, "many">;
+export type DeleteRulesEndpointSchemaOutput = z.output<typeof deleteRulesEndpointSchema>;
+export type DeleteRulesEndpointSchemaInput = z.input<typeof deleteRulesEndpointSchema>;
+export type DeleteRulesEndpointSchema = typeof deleteRulesEndpointSchema;
+export declare class DeleteRulesEndpoint implements ApiEndpoint<DeleteRulesEndpointSchema> {
+    private readonly accessRulesStorage;
+    constructor(accessRulesStorage: AccessRulesStorage);
+    processRequest(args: DeleteRulesEndpointSchemaInput): Promise<ApiEndpointResponse>;
+    getRequestArgsSchema(): DeleteRulesEndpointSchema;
+}
+//# sourceMappingURL=deleteRulesEndpoint.d.ts.map

package/dist/api/deleteRulesEndpoint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteRulesEndpoint.d.ts","sourceRoot":"","sources":["../../src/api/deleteRulesEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,mBAAmB,EAExB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAEjE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAA8B,CAAC;AAErE,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CACrD,OAAO,yBAAyB,CAChC,CAAC;AAEF,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CACnD,OAAO,yBAAyB,CAChC,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG,OAAO,yBAAyB,CAAC;AAEzE,qBAAa,mBACZ,YAAW,WAAW,CAAC,yBAAyB,CAAC;IAE9B,OAAO,CAAC,QAAQ,CAAC,kBAAkB;gBAAlB,kBAAkB,EAAE,kBAAkB;IAEpE,cAAc,CACnB,IAAI,EAAE,8BAA8B,GAClC,OAAO,CAAC,mBAAmB,CAAC;IA0BxB,oBAAoB,IAAI,yBAAyB;CAGxD"}

package/dist/api/deleteRulesEndpoint.js

@@ -0,0 +1,31 @@
+import { ApiEndpointResponseStatus, } from "@prosopo/api-route";
+import { z } from "zod";
+import { policyFilterSchema } from "#policy/accessPolicyResolver.js";
+export const deleteRulesEndpointSchema = z.array(policyFilterSchema);
+export class DeleteRulesEndpoint {
+    constructor(accessRulesStorage) {
+        this.accessRulesStorage = accessRulesStorage;
+    }
+    async processRequest(args) {
+        const allRuleIds = [];
+        for (const accessRuleFilter of args) {
+            const parsedRules = policyFilterSchema.parse(accessRuleFilter);
+            const foundRuleIds = await this.accessRulesStorage.findRuleIds(parsedRules);
+            allRuleIds.push(...foundRuleIds);
+        }
+        const uniqueRuleIds = [...new Set(allRuleIds)];
+        if (uniqueRuleIds.length > 0) {
+            await this.accessRulesStorage.deleteRules(uniqueRuleIds);
+        }
+        return {
+            status: ApiEndpointResponseStatus.SUCCESS,
+            data: {
+                deleted_count: uniqueRuleIds.length,
+            },
+        };
+    }
+    getRequestArgsSchema() {
+        return deleteRulesEndpointSchema;
+    }
+}
+//# sourceMappingURL=deleteRulesEndpoint.js.map

package/dist/api/deleteRulesEndpoint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deleteRulesEndpoint.js","sourceRoot":"","sources":["../../src/api/deleteRulesEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EAGN,yBAAyB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAGrE,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;AAYrE,MAAM,OAAO,mBAAmB;IAG/B,YAAoC,kBAAsC;QAAtC,uBAAkB,GAAlB,kBAAkB,CAAoB;IAAG,CAAC;IAE9E,KAAK,CAAC,cAAc,CACnB,IAAoC;QAEpC,MAAM,UAAU,GAAG,EAAE,CAAC;QAEtB,KAAK,MAAM,gBAAgB,IAAI,IAAI,EAAE,CAAC;YACrC,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC/D,MAAM,YAAY,GACjB,MAAM,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;YAExD,UAAU,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QAClC,CAAC;QAGD,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/C,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO;YACN,MAAM,EAAE,yBAAyB,CAAC,OAAO;YACzC,IAAI,EAAE;gBACL,aAAa,EAAE,aAAa,CAAC,MAAM;aACnC;SACD,CAAC;IACH,CAAC;IAEM,oBAAoB;QAC1B,OAAO,yBAAyB,CAAC;IAClC,CAAC;CACD"}

package/dist/api/insertRulesEndpoint.d.ts

@@ -0,0 +1,22 @@
+import { type ApiEndpoint, type ApiEndpointResponse } from "@prosopo/api-route";
+import { type Logger } from "@prosopo/common";
+import { z } from "zod";
+import { accessPolicySchema, policyScopeSchema, userScopeInputSchema } from "#policy/accessPolicy.js";
+import type { AccessRulesWriter } from "#policy/accessRules.js";
+export declare const insertRulesEndpointSchema: z.ZodType<{
+    accessPolicy: z.infer<typeof accessPolicySchema>;
+    policyScope?: z.infer<typeof policyScopeSchema>;
+    userScopes: z.input<typeof userScopeInputSchema>[];
+    expirationTimestampSeconds?: number;
+}>;
+export type InsertRulesEndpointSchema = typeof insertRulesEndpointSchema;
+export type InsertManyRulesEndpointInputSchema = z.input<typeof insertRulesEndpointSchema>;
+export type InsertManyRulesEndpointOutputSchema = z.output<typeof insertRulesEndpointSchema>;
+export declare class InsertRulesEndpoint implements ApiEndpoint<InsertRulesEndpointSchema> {
+    private readonly accessRulesWriter;
+    constructor(accessRulesWriter: AccessRulesWriter);
+    processRequest(args: z.infer<InsertRulesEndpointSchema>, logger?: Logger): Promise<ApiEndpointResponse>;
+    getRequestArgsSchema(): InsertRulesEndpointSchema;
+    protected createRules(args: InsertManyRulesEndpointOutputSchema): Promise<string[]>;
+}
+//# sourceMappingURL=insertRulesEndpoint.d.ts.map

package/dist/api/insertRulesEndpoint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insertRulesEndpoint.d.ts","sourceRoot":"","sources":["../../src/api/insertRulesEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,mBAAmB,EAExB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAY,KAAK,MAAM,EAAa,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACN,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAEhE,eAAO,MAAM,yBAAyB,EAAE,CAAC,CAAC,OAAO,CAAC;IACjD,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;IACjD,WAAW,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;IAChD,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,EAAE,CAAC;IACnD,0BAA0B,CAAC,EAAE,MAAM,CAAC;CACpC,CAQC,CAAC;AAEH,MAAM,MAAM,yBAAyB,GAAG,OAAO,yBAAyB,CAAC;AAEzE,MAAM,MAAM,kCAAkC,GAAG,CAAC,CAAC,KAAK,CACvD,OAAO,yBAAyB,CAChC,CAAC;AAEF,MAAM,MAAM,mCAAmC,GAAG,CAAC,CAAC,MAAM,CACzD,OAAO,yBAAyB,CAChC,CAAC;AAEF,qBAAa,mBACZ,YAAW,WAAW,CAAC,yBAAyB,CAAC;IAE9B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBAAjB,iBAAiB,EAAE,iBAAiB;IAElE,cAAc,CACnB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,yBAAyB,CAAC,EACxC,MAAM,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,mBAAmB,CAAC;IAgCxB,oBAAoB,IAAI,yBAAyB;cAIxC,WAAW,CAC1B,IAAI,EAAE,mCAAmC,GACvC,OAAO,CAAC,MAAM,EAAE,CAAC;CAoBpB"}

package/dist/api/insertRulesEndpoint.js

@@ -0,0 +1,62 @@
+import { ApiEndpointResponseStatus, } from "@prosopo/api-route";
+import { LogLevel, getLogger } from "@prosopo/common";
+import { z } from "zod";
+import { accessPolicySchema, policyScopeSchema, userScopeInputSchema, } from "#policy/accessPolicy.js";
+export const insertRulesEndpointSchema = z.object({
+    accessPolicy: accessPolicySchema,
+    policyScope: policyScopeSchema.optional(),
+    userScopes: z.array(userScopeInputSchema),
+    expirationTimestampSeconds: z
+        .number()
+        .optional()
+        .transform((val) => (val !== undefined ? Math.floor(val) : val)),
+});
+export class InsertRulesEndpoint {
+    constructor(accessRulesWriter) {
+        this.accessRulesWriter = accessRulesWriter;
+    }
+    async processRequest(args, logger) {
+        logger = logger || getLogger(LogLevel.enum.info, "InsertRulesEndpoint");
+        const timeoutPromise = new Promise((resolve) => {
+            setTimeout(() => {
+                resolve({
+                    status: ApiEndpointResponseStatus.PROCESSING,
+                });
+            }, 5000);
+        });
+        const createRulesPromise = this.createRules(args)
+            .then(() => ({
+            status: ApiEndpointResponseStatus.SUCCESS,
+        }))
+            .catch((error) => {
+            if (logger?.getLogLevel() === LogLevel.enum.debug) {
+                logger.error(() => ({
+                    err: error,
+                    data: { args },
+                    msg: "Failed to insert access rules",
+                }));
+            }
+            return {
+                status: ApiEndpointResponseStatus.FAIL,
+            };
+        });
+        return Promise.race([timeoutPromise, createRulesPromise]);
+    }
+    getRequestArgsSchema() {
+        return insertRulesEndpointSchema;
+    }
+    async createRules(args) {
+        const policyScope = args.policyScope || {};
+        const createPromises = [];
+        for (const userScope of args.userScopes) {
+            const rule = {
+                ...args.accessPolicy,
+                ...policyScope,
+                ...userScope,
+            };
+            createPromises.push(this.accessRulesWriter.insertRule(rule, args.expirationTimestampSeconds));
+        }
+        return Promise.all(createPromises);
+    }
+}
+//# sourceMappingURL=insertRulesEndpoint.js.map

package/dist/api/insertRulesEndpoint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insertRulesEndpoint.js","sourceRoot":"","sources":["../../src/api/insertRulesEndpoint.ts"],"names":[],"mappings":"AAcA,OAAO,EAGN,yBAAyB,GACzB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,QAAQ,EAAe,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACN,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,GACpB,MAAM,yBAAyB,CAAC;AAGjC,MAAM,CAAC,MAAM,yBAAyB,GAKjC,CAAC,CAAC,MAAM,CAAC;IACb,YAAY,EAAE,kBAAkB;IAChC,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IACzC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC;IACzC,0BAA0B,EAAE,CAAC;SAC3B,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;CACjE,CAAC,CAAC;AAYH,MAAM,OAAO,mBAAmB;IAG/B,YAAoC,iBAAoC;QAApC,sBAAiB,GAAjB,iBAAiB,CAAmB;IAAG,CAAC;IAE5E,KAAK,CAAC,cAAc,CACnB,IAAwC,EACxC,MAAe;QAEf,MAAM,GAAG,MAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;QAExE,MAAM,cAAc,GAAG,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,EAAE;YACnE,UAAU,CAAC,GAAG,EAAE;gBACf,OAAO,CAAC;oBACP,MAAM,EAAE,yBAAyB,CAAC,UAAU;iBAC5C,CAAC,CAAC;YACJ,CAAC,EAAE,IAAI,CAAC,CAAC;QACV,CAAC,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;aAC/C,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACZ,MAAM,EAAE,yBAAyB,CAAC,OAAO;SACzC,CAAC,CAAC;aACF,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YAChB,IAAI,MAAM,EAAE,WAAW,EAAE,KAAK,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACnD,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;oBACnB,GAAG,EAAE,KAAK;oBACV,IAAI,EAAE,EAAE,IAAI,EAAE;oBACd,GAAG,EAAE,+BAA+B;iBACpC,CAAC,CAAC,CAAC;YACL,CAAC;YACD,OAAO;gBACN,MAAM,EAAE,yBAAyB,CAAC,IAAI;aACtC,CAAC;QACH,CAAC,CAAC,CAAC;QAGJ,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC3D,CAAC;IAEM,oBAAoB;QAC1B,OAAO,yBAAyB,CAAC;IAClC,CAAC;IAES,KAAK,CAAC,WAAW,CAC1B,IAAyC;QAEzC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QAE3C,MAAM,cAAc,GAAG,EAAE,CAAC;QAC1B,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG;gBACZ,GAAG,IAAI,CAAC,YAAY;gBACpB,GAAG,WAAW;gBACd,GAAG,SAAS;aACZ,CAAC;YAEF,cAAc,CAAC,IAAI,CAClB,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAChC,IAAI,EACJ,IAAI,CAAC,0BAA0B,CAC/B,CACD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACpC,CAAC;CACD"}

package/dist/cjs/accessPolicy.cjs

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const types = require("@prosopo/types");
+const ipAddress = require("ip-address");
+const zod = require("zod");
+const util = require("./util.cjs");
+var AccessPolicyType = /* @__PURE__ */ ((AccessPolicyType2) => {
+  AccessPolicyType2["Block"] = "block";
+  AccessPolicyType2["Restrict"] = "restrict";
+  return AccessPolicyType2;
+})(AccessPolicyType || {});
+const accessPolicySchema = zod.z.object({
+  type: zod.z.nativeEnum(AccessPolicyType),
+  captchaType: types.CaptchaTypeSchema.optional(),
+  description: zod.z.coerce.string().optional(),
+  // Redis stores values as strings, so coerce is needed to parse properly
+  solvedImagesCount: zod.z.coerce.number().optional(),
+  // the percentage of image panels that must be solved per image CAPTCHA
+  imageThreshold: zod.z.coerce.number().optional(),
+  // the Proof-of-Work difficulty level
+  powDifficulty: zod.z.coerce.number().optional(),
+  // the number of unsolved image CAPTCHA challenges to serve
+  unsolvedImagesCount: zod.z.coerce.number().optional(),
+  // used to increase the user's score
+  frictionlessScore: zod.z.coerce.number().optional()
+});
+const policyScopeSchema = zod.z.object({
+  clientId: zod.z.coerce.string().optional(),
+  ruleGroupId: zod.z.coerce.string().optional()
+});
+const userScopeSchema = zod.z.object({
+  // coerce is used for safety, as e.g., incoming userId can be digital
+  userId: zod.z.coerce.string().optional(),
+  numericIp: zod.z.coerce.bigint().optional(),
+  numericIpMaskMin: zod.z.coerce.bigint().optional(),
+  numericIpMaskMax: zod.z.coerce.bigint().optional(),
+  ja4Hash: zod.z.coerce.string().optional(),
+  headersHash: zod.z.coerce.string().optional(),
+  userAgentHash: zod.z.coerce.string().optional()
+});
+const userScopeInputSchema = userScopeSchema.extend({
+  // human-friendly ip versions. If present, then converted to numeric and removed from the object
+  // 127.0.0.1
+  ip: zod.z.string().optional(),
+  // 127.0.0.1/24
+  ipMask: zod.z.string().optional(),
+  // human friendly user agent
+  userAgent: zod.z.string().optional()
+}).transform((inputUserScope) => {
+  const { ip, ipMask, userAgent, ...userScope } = inputUserScope;
+  if ("string" === typeof ip) {
+    userScope.numericIp = new ipAddress.Address4(ip).bigInt();
+  }
+  if ("string" === typeof ipMask) {
+    const ipObject = new ipAddress.Address4(ipMask);
+    userScope.numericIpMaskMin = ipObject.startAddress().bigInt();
+    userScope.numericIpMaskMax = ipObject.endAddress().bigInt();
+  }
+  if ("string" === typeof userAgent) {
+    userScope.userAgentHash = util.hashUserAgent(userAgent);
+  }
+  return userScope;
+});
+const accessRuleSchemaExtended = zod.z.object({
+  // flat structure is used to fit the Redis requirements
+  ...accessPolicySchema.shape,
+  ...policyScopeSchema.shape,
+  ...userScopeInputSchema._def.schema.shape
+}).omit({
+  numericIp: true,
+  numericIpMaskMin: true,
+  numericIpMaskMax: true
+});
+exports.AccessPolicyType = AccessPolicyType;
+exports.accessPolicySchema = accessPolicySchema;
+exports.accessRuleSchemaExtended = accessRuleSchemaExtended;
+exports.policyScopeSchema = policyScopeSchema;
+exports.userScopeInputSchema = userScopeInputSchema;
+exports.userScopeSchema = userScopeSchema;

package/dist/cjs/accessPolicyResolver.cjs

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const util = require("node:util");
+const zod = require("zod");
+const accessPolicy = require("./accessPolicy.cjs");
+function _interopNamespaceDefault(e) {
+  const n = Object.create(null, { [Symbol.toStringTag]: { value: "Module" } });
+  if (e) {
+    for (const k in e) {
+      if (k !== "default") {
+        const d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: () => e[k]
+        });
+      }
+    }
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+const util__namespace = /* @__PURE__ */ _interopNamespaceDefault(util);
+var ScopeMatch = /* @__PURE__ */ ((ScopeMatch2) => {
+  ScopeMatch2["Exact"] = "exact";
+  ScopeMatch2["Greedy"] = "greedy";
+  return ScopeMatch2;
+})(ScopeMatch || {});
+const policyFilterSchema = zod.z.object({
+  policyScope: accessPolicy.policyScopeSchema.optional(),
+  /**
+   * Exact: "clientId" => client rules, "undefined" => global rules. Used by the API
+   * Greedy: "clientId" => client + global rules, "undefined" => any rules. Used by the Express middleware
+   */
+  policyScopeMatch: zod.z.nativeEnum(ScopeMatch).default(
+    "exact"
+    /* Exact */
+  ),
+  userScope: accessPolicy.userScopeInputSchema.optional(),
+  /**
+   * Exact: finds rules where all the given fields matches and doesn't check IP against masks. Used by the API
+   * Greedy: finds rules where any of the given fields match and checks IP against masks. Used by the Express middleware
+   */
+  userScopeMatch: zod.z.nativeEnum(ScopeMatch).default(
+    "exact"
+    /* Exact */
+  )
+});
+const createAccessPolicyResolver = (accessRulesReader, logger) => {
+  return async (filter) => {
+    const accessRules = await accessRulesReader.findRules(filter);
+    const primaryAccessRule = resolvePrimaryRule(accessRules);
+    logger.debug(() => ({
+      msg: "Resolved access policy",
+      // filter contains BigInt, which can't be handled directly via logger.
+      data: {
+        inspect: util__namespace.inspect(
+          {
+            filter,
+            accessRules,
+            primaryAccessRule
+          },
+          { depth: null }
+        )
+      }
+    }));
+    return primaryAccessRule;
+  };
+};
+const resolvePrimaryRule = (rules) => {
+  const blockingRules = rules.filter(
+    (accessRule) => accessPolicy.AccessPolicyType.Block === accessRule.type
+  );
+  const rulesToEvaluate = blockingRules.length > 0 ? blockingRules : rules;
+  return resolveMostLocalRule(rulesToEvaluate);
+};
+const resolveMostLocalRule = (rules) => {
+  const clientRules = rules.filter(
+    (accessRule) => "string" === typeof accessRule.clientId
+  );
+  if (clientRules.length > 0) {
+    return clientRules.shift();
+  }
+  return rules.shift();
+};
+exports.ScopeMatch = ScopeMatch;
+exports.createAccessPolicyResolver = createAccessPolicyResolver;
+exports.policyFilterSchema = policyFilterSchema;

package/dist/cjs/accessRules.cjs

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const zod = require("zod");
+const accessPolicy = require("./accessPolicy.cjs");
+const accessRuleSchema = zod.z.object({
+  // flat structure is used to fit the Redis requirements
+  ...accessPolicy.accessPolicySchema.shape,
+  ...accessPolicy.policyScopeSchema.shape,
+  ...accessPolicy.userScopeSchema.shape
+});
+exports.accessRuleSchema = accessRuleSchema;

package/dist/cjs/api/accessRuleApiRoutes.cjs

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const deleteAllRulesEndpoint = require("./deleteAllRulesEndpoint.cjs");
+const deleteRulesEndpoint = require("./deleteRulesEndpoint.cjs");
+const insertRulesEndpoint = require("./insertRulesEndpoint.cjs");
+var accessRuleApiPaths = /* @__PURE__ */ ((accessRuleApiPaths2) => {
+  accessRuleApiPaths2["INSERT_MANY"] = "/v1/prosopo/user-access-policy/rules/insert-many";
+  accessRuleApiPaths2["DELETE_MANY"] = "/v1/prosopo/user-access-policy/rules/delete-many";
+  accessRuleApiPaths2["DELETE_ALL"] = "/v1/prosopo/user-access-policy/rules/delete-all";
+  return accessRuleApiPaths2;
+})(accessRuleApiPaths || {});
+class AccessRuleApiRoutes {
+  constructor(accessRulesStorage) {
+    this.accessRulesStorage = accessRulesStorage;
+  }
+  getRoutes() {
+    return [
+      {
+        path: "/v1/prosopo/user-access-policy/rules/insert-many",
+        endpoint: new insertRulesEndpoint.InsertRulesEndpoint(this.accessRulesStorage)
+      },
+      {
+        path: "/v1/prosopo/user-access-policy/rules/delete-many",
+        endpoint: new deleteRulesEndpoint.DeleteRulesEndpoint(this.accessRulesStorage)
+      },
+      {
+        path: "/v1/prosopo/user-access-policy/rules/delete-all",
+        endpoint: new deleteAllRulesEndpoint.DeleteAllRulesEndpoint(this.accessRulesStorage)
+      }
+    ];
+  }
+}
+const getExpressApiRuleRateLimits = () => {
+  const defaultWindowsMs = 6e4;
+  const defaultLimit = 5;
+  return {
+    [
+      "/v1/prosopo/user-access-policy/rules/insert-many"
+      /* INSERT_MANY */
+    ]: {
+      windowMs: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_INSERT_MANY_WINDOW"
+      ) || defaultWindowsMs,
+      limit: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_INSERT_MANY_LIMIT"
+      ) || defaultLimit
+    },
+    [
+      "/v1/prosopo/user-access-policy/rules/delete-many"
+      /* DELETE_MANY */
+    ]: {
+      windowMs: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_DELETE_MANY_WINDOW"
+      ) || defaultWindowsMs,
+      limit: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_DELETE_MANY_LIMIT"
+      ) || defaultLimit
+    },
+    [
+      "/v1/prosopo/user-access-policy/rules/delete-all"
+      /* DELETE_ALL */
+    ]: {
+      windowMs: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_DELETE_ALL_WINDOW"
+      ) || defaultWindowsMs,
+      limit: getIntEnvironmentVariable(
+        "PROSOPO_USER_ACCESS_POLICY_RULE_DELETE_ALL_LIMIT"
+      ) || defaultLimit
+    }
+  };
+};
+const getIntEnvironmentVariable = (variableName) => {
+  const variableValue = process.env[variableName];
+  const numericValue = variableValue ? Number.parseInt(variableValue) : Number.NaN;
+  return Number.isInteger(numericValue) ? numericValue : void 0;
+};
+exports.AccessRuleApiRoutes = AccessRuleApiRoutes;
+exports.accessRuleApiPaths = accessRuleApiPaths;
+exports.getExpressApiRuleRateLimits = getExpressApiRuleRateLimits;

package/dist/cjs/api/deleteAllRulesEndpoint.cjs

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiRoute = require("@prosopo/api-route");
+const zod = require("zod");
+const deleteAllRulesEndpointSchema = zod.z.object({});
+class DeleteAllRulesEndpoint {
+  constructor(accessRulesStorage) {
+    this.accessRulesStorage = accessRulesStorage;
+  }
+  async processRequest(args) {
+    const deletedCount = await this.accessRulesStorage.deleteAllRules();
+    return {
+      status: apiRoute.ApiEndpointResponseStatus.SUCCESS,
+      data: {
+        deleted_count: deletedCount
+      }
+    };
+  }
+  getRequestArgsSchema() {
+    return deleteAllRulesEndpointSchema;
+  }
+}
+exports.DeleteAllRulesEndpoint = DeleteAllRulesEndpoint;
+exports.deleteAllRulesEndpointSchema = deleteAllRulesEndpointSchema;

package/dist/cjs/api/deleteRulesEndpoint.cjs

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiRoute = require("@prosopo/api-route");
+const zod = require("zod");
+const accessPolicyResolver = require("../accessPolicyResolver.cjs");
+const deleteRulesEndpointSchema = zod.z.array(accessPolicyResolver.policyFilterSchema);
+class DeleteRulesEndpoint {
+  constructor(accessRulesStorage) {
+    this.accessRulesStorage = accessRulesStorage;
+  }
+  async processRequest(args) {
+    const allRuleIds = [];
+    for (const accessRuleFilter of args) {
+      const parsedRules = accessPolicyResolver.policyFilterSchema.parse(accessRuleFilter);
+      const foundRuleIds = await this.accessRulesStorage.findRuleIds(parsedRules);
+      allRuleIds.push(...foundRuleIds);
+    }
+    const uniqueRuleIds = [...new Set(allRuleIds)];
+    if (uniqueRuleIds.length > 0) {
+      await this.accessRulesStorage.deleteRules(uniqueRuleIds);
+    }
+    return {
+      status: apiRoute.ApiEndpointResponseStatus.SUCCESS,
+      data: {
+        deleted_count: uniqueRuleIds.length
+      }
+    };
+  }
+  getRequestArgsSchema() {
+    return deleteRulesEndpointSchema;
+  }
+}
+exports.DeleteRulesEndpoint = DeleteRulesEndpoint;
+exports.deleteRulesEndpointSchema = deleteRulesEndpointSchema;

package/dist/cjs/api/insertRulesEndpoint.cjs

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiRoute = require("@prosopo/api-route");
+const common = require("@prosopo/common");
+const zod = require("zod");
+const accessPolicy = require("../accessPolicy.cjs");
+const insertRulesEndpointSchema = zod.z.object({
+  accessPolicy: accessPolicy.accessPolicySchema,
+  policyScope: accessPolicy.policyScopeSchema.optional(),
+  userScopes: zod.z.array(accessPolicy.userScopeInputSchema),
+  expirationTimestampSeconds: zod.z.number().optional().transform((val) => val !== void 0 ? Math.floor(val) : val)
+});
+class InsertRulesEndpoint {
+  constructor(accessRulesWriter) {
+    this.accessRulesWriter = accessRulesWriter;
+  }
+  async processRequest(args, logger) {
+    logger = logger || common.getLogger(common.LogLevel.enum.info, "InsertRulesEndpoint");
+    const timeoutPromise = new Promise((resolve) => {
+      setTimeout(() => {
+        resolve({
+          status: apiRoute.ApiEndpointResponseStatus.PROCESSING
+        });
+      }, 5e3);
+    });
+    const createRulesPromise = this.createRules(args).then(() => ({
+      status: apiRoute.ApiEndpointResponseStatus.SUCCESS
+    })).catch((error) => {
+      if (logger?.getLogLevel() === common.LogLevel.enum.debug) {
+        logger.error(() => ({
+          err: error,
+          data: { args },
+          msg: "Failed to insert access rules"
+        }));
+      }
+      return {
+        status: apiRoute.ApiEndpointResponseStatus.FAIL
+      };
+    });
+    return Promise.race([timeoutPromise, createRulesPromise]);
+  }
+  getRequestArgsSchema() {
+    return insertRulesEndpointSchema;
+  }
+  async createRules(args) {
+    const policyScope = args.policyScope || {};
+    const createPromises = [];
+    for (const userScope of args.userScopes) {
+      const rule = {
+        ...args.accessPolicy,
+        ...policyScope,
+        ...userScope
+      };
+      createPromises.push(
+        this.accessRulesWriter.insertRule(
+          rule,
+          args.expirationTimestampSeconds
+        )
+      );
+    }
+    return Promise.all(createPromises);
+  }
+}
+exports.InsertRulesEndpoint = InsertRulesEndpoint;
+exports.insertRulesEndpointSchema = insertRulesEndpointSchema;