@prosopo/user-access-policy 3.5.19 → 3.5.28

package/dist/redis/reader/redisRulesQuery.js

@@ -0,0 +1,99 @@
+import { userScopeSchema } from "../../ruleInput/userScopeInput.js";
+import { FilterScopeMatch } from "../../rulesStorage.js";
+const REDIS_QUERY_DIALECT = 2;
+const userIpQueries = {
+  numericIp: (value, scope) => {
+    if (void 0 !== value) {
+      return `( @numericIp:[${value} ${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`;
+    }
+    if (scope.numericIpMaskMin === void 0 && scope.numericIpMaskMax === void 0) {
+      return "ismissing(@numericIp) ismissing(@numericIpMaskMin) ismissing(@numericIpMaskMax)";
+    }
+    return "";
+  },
+  numericIpMaskMin: (value, scope) => {
+    if (scope.numericIp !== void 0) {
+      return "";
+    }
+    return value !== void 0 ? `@numericIpMaskMin:[-inf ${value}]` : "ismissing(@numericIpMaskMin)";
+  },
+  numericIpMaskMax: (value, scope) => {
+    if (scope.numericIp !== void 0) {
+      return "";
+    }
+    return value !== void 0 ? `@numericIpMaskMax:[${value} +inf]` : "ismissing(@numericIpMaskMax)";
+  }
+};
+const getUserScopeQuery = (userScope, FilterScopeMatchType, matchingFieldsOnly) => {
+  let scopeEntries = Object.entries(userScope);
+  let scopeJoinType = " ";
+  if (FilterScopeMatchType === FilterScopeMatch.Greedy) {
+    scopeEntries = scopeEntries.filter(
+      ([_, value]) => value !== void 0
+    );
+    scopeJoinType = " | ";
+  }
+  if (matchingFieldsOnly) {
+    const scopeMap = new Map(scopeEntries);
+    if (scopeMap.has("numericIp") && scopeMap.get("numericIp") === void 0) {
+      scopeMap.set("numericIpMaskMin", void 0);
+      scopeMap.set("numericIpMaskMax", void 0);
+    }
+    for (const name of Object.keys(userScopeSchema.shape)) {
+      if (!scopeMap.has(name)) {
+        scopeMap.set(name, void 0);
+      }
+    }
+    scopeEntries = [...scopeMap.entries()];
+  }
+  const scopeObj = Object.fromEntries(scopeEntries);
+  return scopeEntries.map(
+    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(
+      scopeFieldName,
+      scopeFieldValue,
+      FilterScopeMatchType,
+      scopeObj
+    )
+  ).filter(Boolean).join(scopeJoinType);
+};
+const getUserScopeFieldQuery = (fieldName, fieldValue, scopeMatch, fullScope) => {
+  if (fieldName in userIpQueries) {
+    const queryBuilder = userIpQueries[fieldName];
+    return queryBuilder(fieldValue, fullScope);
+  }
+  return void 0 === fieldValue ? `ismissing(@${fieldName})` : `@${fieldName}:{${fieldValue}}`;
+};
+const getPolicyScopeQuery = (policyScope, scopeMatch) => {
+  const clientId = policyScope?.clientId;
+  if ("string" === typeof clientId) {
+    return FilterScopeMatch.Exact === scopeMatch ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
+  }
+  return FilterScopeMatch.Exact === scopeMatch ? "ismissing(@clientId)" : "";
+};
+const getRulesRedisQuery = (filter, matchingFieldsOnly) => {
+  const { policyScope, userScope } = filter;
+  const queryParts = [];
+  if (filter.groupId) {
+    queryParts.push(`@groupId:{${filter.groupId}}`);
+  }
+  const policyScopeQuery = getPolicyScopeQuery(
+    policyScope,
+    filter.policyScopeMatch
+  );
+  if (policyScopeQuery) {
+    queryParts.push(policyScopeQuery);
+  }
+  if (userScope && Object.keys(userScope).length > 0) {
+    const userScopeFilter = getUserScopeQuery(
+      userScope,
+      filter.userScopeMatch,
+      matchingFieldsOnly
+    );
+    queryParts.push(`( ${userScopeFilter} )`);
+  }
+  return queryParts.length > 0 ? queryParts.join(" ") : "*";
+};
+export {
+  REDIS_QUERY_DIALECT,
+  getRulesRedisQuery
+};

package/dist/redis/reader/redisRulesReader.js

@@ -0,0 +1,213 @@
+import * as util from "node:util";
+import { chunkIntoBatches, executeBatchesSequentially } from "@prosopo/common";
+import { getRulesRedisQuery, REDIS_QUERY_DIALECT } from "./redisRulesQuery.js";
+import { REDIS_BATCH_SIZE, getMissingRedisKeys, parseRedisRecords, fetchRedisHashRecords } from "../redisClient.js";
+import { ACCESS_RULE_REDIS_KEY_PREFIX, ACCESS_RULES_REDIS_INDEX_NAME } from "../redisRuleIndex.js";
+import { accessRuleInput } from "../../ruleInput/ruleInput.js";
+import { aggregateRedisKeys } from "./redisAggregate.js";
+class RedisRulesReader {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
+  }
+  async getMissingRuleIds(ruleIds) {
+    const ruleKeys = this.getRuleKeys(ruleIds);
+    const keyBatches = chunkIntoBatches(ruleKeys, REDIS_BATCH_SIZE);
+    const missingKeyBatches = await executeBatchesSequentially(
+      keyBatches,
+      async (keysBatch) => getMissingRedisKeys(this.client, keysBatch)
+    );
+    return missingKeyBatches.flat().map((ruleKey) => ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length));
+  }
+  async fetchRules(ruleIds) {
+    const ruleKeys = this.getRuleKeys(ruleIds);
+    const keyBatches = chunkIntoBatches(ruleKeys, REDIS_BATCH_SIZE);
+    const entryBatches = await executeBatchesSequentially(
+      keyBatches,
+      (keysBatch) => this.fetchRuleEntries(keysBatch)
+    );
+    return entryBatches.flat();
+  }
+  async findRules(filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) {
+    const query = getRulesRedisQuery(filter, matchingFieldsOnly);
+    if (skipEmptyUserScopes && query === "ismissing(@clientId)") {
+      return [];
+    }
+    let searchReply;
+    try {
+      searchReply = await this.client.ft.search(
+        ACCESS_RULES_REDIS_INDEX_NAME,
+        query,
+        {
+          DIALECT: REDIS_QUERY_DIALECT,
+          // FT.search doesn't support "unlimited" selects
+          LIMIT: {
+            from: 0,
+            size: REDIS_BATCH_SIZE
+          }
+        }
+      );
+      if (searchReply.total > 0) {
+        this.logger.debug(() => ({
+          msg: "Executed search query",
+          data: {
+            inspect: util.inspect(
+              {
+                filter,
+                searchReply,
+                query
+              },
+              { depth: null }
+            )
+          }
+        }));
+      }
+    } catch (e) {
+      this.logger.error(() => ({
+        err: e,
+        data: {
+          inspect: util.inspect(
+            {
+              query,
+              filter
+            },
+            {
+              depth: null
+            }
+          )
+        },
+        msg: "failed to execute search query"
+      }));
+      return [];
+    }
+    const records = searchReply.documents.map(({ value }) => value);
+    return parseRedisRecords(records, accessRuleInput, this.logger);
+  }
+  async findRuleIds(filter, matchingFieldsOnly = false) {
+    const query = getRulesRedisQuery(filter, matchingFieldsOnly);
+    let ruleIds = [];
+    try {
+      const ruleKeys = await aggregateRedisKeys(
+        this.client,
+        query,
+        this.logger
+      );
+      ruleIds = ruleKeys.map(
+        (ruleKey) => ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length)
+      );
+    } catch (e) {
+      this.logger.error(() => ({
+        err: e,
+        data: {
+          inspect: util.inspect(
+            {
+              query,
+              filter
+            },
+            {
+              depth: null
+            }
+          )
+        },
+        msg: "Failed to execute search query for rule IDs"
+      }));
+      return [];
+    }
+    this.logger.debug(() => ({
+      msg: "Executed search query for rule IDs",
+      data: {
+        query,
+        foundCount: ruleIds.length,
+        foundIds: ruleIds
+      }
+    }));
+    return ruleIds;
+  }
+  async fetchAllRuleIds(batchHandler) {
+    const keysBatchHandler = async (keys) => {
+      const ids = keys.map(
+        (ruleKey) => ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length)
+      );
+      await batchHandler(ids);
+    };
+    await aggregateRedisKeys(this.client, "*", this.logger, keysBatchHandler);
+  }
+  async fetchRuleEntries(keys) {
+    const { records, expirations } = await fetchRedisHashRecords(
+      this.client,
+      keys,
+      this.logger
+    );
+    const entries = [];
+    for (const [index, ruleData] of records.entries()) {
+      const isRulePresent = Object.keys(ruleData).length > 0;
+      if (isRulePresent) {
+        const rule = parseRedisRecords(
+          [ruleData],
+          accessRuleInput,
+          this.logger
+        )[0];
+        if (rule) {
+          entries.push({
+            rule,
+            expiresUnixTimestamp: expirations[index]
+          });
+        }
+      }
+    }
+    return entries;
+  }
+  getRuleKeys(ruleIds) {
+    return ruleIds.map((id) => `${ACCESS_RULE_REDIS_KEY_PREFIX}${id}`);
+  }
+}
+class DummyRedisRulesReader {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  async getMissingRuleIds(ruleIds) {
+    this.logger.info(() => ({
+      msg: "Dummy getMissingRuleIds() has no effect (redis is not ready)",
+      data: {
+        ruleIds
+      }
+    }));
+    return [];
+  }
+  async fetchRules(ruleIds) {
+    this.logger.info(() => ({
+      msg: "Dummy fetchRule() has no effect (redis is not ready)",
+      data: {
+        ruleIds
+      }
+    }));
+    return [];
+  }
+  async findRules(filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) {
+    this.logger.info(() => ({
+      msg: "Dummy findRules() has no effect (redis is not ready)",
+      data: {
+        filter
+      }
+    }));
+    return [];
+  }
+  async findRuleIds(filter, matchingFieldsOnly = false) {
+    this.logger.info(() => ({
+      msg: "Dummy findRuleIds() has no effect (redis is not ready)",
+      data: {
+        filter
+      }
+    }));
+    return [];
+  }
+  async fetchAllRuleIds(batchHandler) {
+    this.logger.info(() => ({
+      msg: "Dummy fetchAllRuleIds() has no effect (redis is not ready)"
+    }));
+  }
+}
+export {
+  DummyRedisRulesReader,
+  RedisRulesReader
+};

package/dist/redis/redisClient.js

@@ -0,0 +1,67 @@
+import { z } from "zod";
+const REDIS_BATCH_SIZE = 1e3;
+const getMissingRedisKeys = async (client, keys) => {
+  const queries = client.multi();
+  keys.map((key) => {
+    queries.exists(key);
+  });
+  const records = await queries.exec();
+  const missingKeys = [];
+  records.map((exists, recordIndex) => {
+    if ("0" === String(exists)) {
+      const key = keys[recordIndex];
+      if (key) {
+        missingKeys.push(key);
+      }
+    }
+  });
+  return missingKeys;
+};
+const fetchRedisHashRecords = async (client, keys, logger) => {
+  const rulesPipe = client.multi();
+  const expirationPipe = client.multi();
+  for (const key of keys) {
+    rulesPipe.hGetAll(key);
+    expirationPipe.expireTime(key);
+  }
+  const records = await rulesPipe.exec();
+  const expirationRecords = await expirationPipe.exec();
+  return {
+    records,
+    expirations: parseExpirationRecords(expirationRecords, logger)
+  };
+};
+const parseRedisRecords = (records, recordSchema, logger) => records.flatMap((record) => {
+  const parseResult = recordSchema.safeParse(record);
+  if (parseResult.success) {
+    return [parseResult.data];
+  }
+  logger.error(() => ({
+    msg: "Failed to parse Redis record",
+    data: { record, error: parseResult.error }
+  }));
+  return [];
+});
+const expirationRecordSchema = z.coerce.number();
+const UNSET_EXPIRATION_VALUE = -1;
+const parseExpirationRecords = (records, logger) => records.flatMap((record) => {
+  const parseResult = expirationRecordSchema.safeParse(record);
+  if (parseResult.success) {
+    const expiration = UNSET_EXPIRATION_VALUE === parseResult.data ? void 0 : parseResult.data;
+    return [expiration];
+  }
+  logger.error(() => ({
+    msg: "Failed to parse Redis expiration record",
+    data: {
+      record,
+      error: parseResult.error
+    }
+  }));
+  return [void 0];
+});
+export {
+  REDIS_BATCH_SIZE,
+  fetchRedisHashRecords,
+  getMissingRedisKeys,
+  parseRedisRecords
+};

package/dist/redis/redisRuleIndex.js

@@ -0,0 +1,50 @@
+import { SCHEMA_FIELD_TYPE } from "@redis/search";
+import { makeAccessRuleHash } from "../transformRule.js";
+const userIpRedisSchema = {
+  numericIpMaskMin: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
+  numericIpMaskMax: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
+  numericIp: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true }
+};
+const userAttributesRedisSchema = {
+  userId: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+  ja4Hash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+  headersHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+  userAgentHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true }
+};
+const userScopeRedisSchema = {
+  ...userAttributesRedisSchema,
+  ...userIpRedisSchema
+};
+const policyScopeRedisSchema = {
+  clientId: {
+    type: SCHEMA_FIELD_TYPE.TAG,
+    INDEXMISSING: true
+  }
+};
+const accessRuleRedisSchema = {
+  ...policyScopeRedisSchema,
+  ...userScopeRedisSchema,
+  groupId: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true }
+};
+const ACCESS_RULES_REDIS_INDEX_NAME = "index:user-access-rules";
+const ACCESS_RULE_REDIS_KEY_PREFIX = "uar:";
+const accessRulesRedisIndex = {
+  name: ACCESS_RULES_REDIS_INDEX_NAME,
+  schema: accessRuleRedisSchema,
+  options: {
+    ON: "HASH",
+    PREFIX: [ACCESS_RULE_REDIS_KEY_PREFIX]
+  }
+};
+const getAccessRuleRedisKey = (rule) => ACCESS_RULE_REDIS_KEY_PREFIX + makeAccessRuleHash(rule);
+export {
+  ACCESS_RULES_REDIS_INDEX_NAME,
+  ACCESS_RULE_REDIS_KEY_PREFIX,
+  accessRuleRedisSchema,
+  accessRulesRedisIndex,
+  getAccessRuleRedisKey,
+  policyScopeRedisSchema,
+  userAttributesRedisSchema,
+  userIpRedisSchema,
+  userScopeRedisSchema
+};

package/dist/redis/redisRulesStorage.js

@@ -1,21 +1,34 @@
-import { getDummyRedisRulesReader, createRedisRulesReader } from "./redisRulesReader.js";
-import { getDummyRedisRulesWriter, createRedisRulesWriter } from "./redisRulesWriter.js";
+import { DummyRedisRulesReader, RedisRulesReader } from "./reader/redisRulesReader.js";
+import { DummyRedisRulesWriter, RedisRulesWriter } from "./redisRulesWriter.js";
 const createRedisAccessRulesStorage = (connection, logger) => {
-  const storage = {
-    ...getDummyRedisRulesReader(logger),
-    ...getDummyRedisRulesWriter(logger)
-  };
+  const storage = composeStorage(
+    new DummyRedisRulesReader(logger),
+    new DummyRedisRulesWriter(logger)
+  );
   connection.getClient().then((client) => {
-    Object.assign(storage, {
-      ...createRedisRulesReader(client, logger),
-      ...createRedisRulesWriter(client)
-    });
+    const realStorage = composeStorage(
+      new RedisRulesReader(client, logger),
+      new RedisRulesWriter(client, logger)
+    );
+    Object.assign(storage, realStorage);
     logger.info(() => ({
       msg: "RedisAccessRules storage got a ready Redis client"
     }));
   });
   return storage;
 };
+const composeStorage = (reader, writer) => ({
+  // reader
+  fetchRules: reader.fetchRules.bind(reader),
+  getMissingRuleIds: reader.getMissingRuleIds.bind(reader),
+  findRules: reader.findRules.bind(reader),
+  findRuleIds: reader.findRuleIds.bind(reader),
+  fetchAllRuleIds: reader.fetchAllRuleIds.bind(reader),
+  // writer
+  insertRules: writer.insertRules.bind(writer),
+  deleteRules: writer.deleteRules.bind(writer),
+  deleteAllRules: writer.deleteAllRules.bind(writer)
+});
 export {
   createRedisAccessRulesStorage
 };

package/dist/redis/redisRulesWriter.js

@@ -1,73 +1,100 @@
-import crypto from "node:crypto";
-import { redisRuleKeyPrefix } from "./redisRulesIndex.js";
-const redisRuleContentHashAlgorithm = "md5";
-const createRedisRulesWriter = (client) => {
-  return {
-    insertRule: async (rule, expirationTimestamp) => {
-      const ruleKey = getRedisRuleKey(rule);
+import { chunkIntoBatches, executeBatchesSequentially } from "@prosopo/common";
+import { REDIS_BATCH_SIZE } from "./redisClient.js";
+import { ACCESS_RULE_REDIS_KEY_PREFIX, getAccessRuleRedisKey } from "./redisRuleIndex.js";
+class RedisRulesWriter {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
+  }
+  async insertRules(ruleEntries) {
+    const entryBatches = chunkIntoBatches(ruleEntries, REDIS_BATCH_SIZE);
+    const keyBatches = await executeBatchesSequentially(
+      entryBatches,
+      async (entriesBatch) => this.insertRuleEntries(entriesBatch)
+    );
+    return keyBatches.flatMap(
+      (ruleKey) => ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length)
+    );
+  }
+  async deleteRules(ruleIds) {
+    const ruleKeys = ruleIds.map(
+      (ruleId) => ACCESS_RULE_REDIS_KEY_PREFIX + ruleId
+    );
+    const keyBatches = chunkIntoBatches(ruleKeys, REDIS_BATCH_SIZE);
+    await executeBatchesSequentially(keyBatches, async (keysBatch) => {
+      const queries = this.client.multi();
+      for (const ruleKey of keysBatch) {
+        queries.del(ruleKey);
+      }
+      await queries.exec();
+    });
+  }
+  async deleteAllRules() {
+    let cursor = "0";
+    let total = 0;
+    do {
+      const reply = await this.client.scan(cursor, {
+        MATCH: `${ACCESS_RULE_REDIS_KEY_PREFIX}*`,
+        COUNT: REDIS_BATCH_SIZE
+      });
+      const ids = reply.keys.map(
+        (key) => key.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length)
+      );
+      await this.deleteRules(ids);
+      total += ids.length;
+      cursor = reply.cursor;
+    } while ("0" !== cursor);
+    return total;
+  }
+  async insertRuleEntries(ruleEntries) {
+    const queries = this.client.multi();
+    const ruleKeys = ruleEntries.map((ruleEntry) => {
+      const { rule, expiresUnixTimestamp } = ruleEntry;
+      const ruleKey = getAccessRuleRedisKey(rule);
       const ruleValue = getRedisRuleValue(rule);
-      await client.hSet(ruleKey, ruleValue);
-      if (expirationTimestamp) {
-        const expiryDate = new Date(expirationTimestamp);
-        if (expiryDate.getUTCFullYear() === 1970) {
-          await client.expireAt(ruleKey, expirationTimestamp);
-        } else {
-          const timestampInSeconds = Math.floor(expirationTimestamp / 1e3);
-          await client.expireAt(ruleKey, timestampInSeconds);
-        }
+      queries.hSet(ruleKey, ruleValue);
+      if (expiresUnixTimestamp) {
+        queries.expireAt(ruleKey, expiresUnixTimestamp);
       }
       return ruleKey;
-    },
-    deleteRules: async (ruleIds) => void await client.del(ruleIds),
-    deleteAllRules: async () => {
-      const keys = await client.keys(`${redisRuleKeyPrefix}*`);
-      if (keys.length === 0) return 0;
-      return await client.del(keys);
-    }
-  };
-};
-const getDummyRedisRulesWriter = (logger) => {
-  return {
-    insertRule: async (rule, expirationTimestamp) => {
-      logger.info(() => ({
-        msg: "Dummy insertRule() has no effect (redis is not ready)",
-        data: {
-          rule
-        }
-      }));
-      return "";
-    },
-    deleteRules: async (ruleIds) => {
-      logger.info(() => ({
-        msg: "Dummy deleteRules() has no effect (redis is not ready)",
-        data: {
-          ruleIds
-        }
-      }));
-    },
-    deleteAllRules: async () => {
-      logger.info(() => ({
-        msg: "Dummy deleteAllRules() has no effect (redis is not ready)"
-      }));
-      return 0;
-    }
-  };
-};
-const getRedisRuleKey = (rule) => redisRuleKeyPrefix + crypto.createHash(redisRuleContentHashAlgorithm).update(
-  JSON.stringify(
-    rule,
-    (key, value) => (
-      // JSON.stringify can't handle BigInt itself: throws "Do not know how to serialize a BigInt"
-      "bigint" === typeof value ? value.toString() : value
-    )
-  )
-).digest("hex");
+    });
+    await queries.exec();
+    return ruleKeys;
+  }
+}
 const getRedisRuleValue = (rule) => Object.fromEntries(
   Object.entries(rule).map(([key, value]) => [key, String(value)])
 );
+class DummyRedisRulesWriter {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  async insertRules(ruleEntries) {
+    this.logger.info(() => ({
+      msg: "Dummy insertRules() has no effect (redis is not ready)",
+      data: {
+        ruleEntries
+      }
+    }));
+    return [];
+  }
+  async deleteRules(ruleIds) {
+    this.logger.info(() => ({
+      msg: "Dummy deleteRules() has no effect (redis is not ready)",
+      data: {
+        ruleIds
+      }
+    }));
+  }
+  async deleteAllRules() {
+    this.logger.info(() => ({
+      msg: "Dummy deleteAllRules() has no effect (redis is not ready)"
+    }));
+    return 0;
+  }
+}
 export {
-  createRedisRulesWriter,
-  getDummyRedisRulesWriter,
-  getRedisRuleKey,
+  DummyRedisRulesWriter,
+  RedisRulesWriter,
   getRedisRuleValue
 };

package/dist/rule.js

@@ -0,0 +1,8 @@
+var AccessPolicyType = /* @__PURE__ */ ((AccessPolicyType2) => {
+  AccessPolicyType2["Block"] = "block";
+  AccessPolicyType2["Restrict"] = "restrict";
+  return AccessPolicyType2;
+})(AccessPolicyType || {});
+export {
+  AccessPolicyType
+};

package/dist/ruleInput/.export.js

@@ -0,0 +1,9 @@
+import { accessRuleInput } from "./ruleInput.js";
+import { accessPolicyInput, policyScopeInput } from "./policyInput.js";
+import { userScopeInput } from "./userScopeInput.js";
+export {
+  accessPolicyInput,
+  accessRuleInput,
+  policyScopeInput,
+  userScopeInput
+};

package/dist/ruleInput/policyInput.js

@@ -0,0 +1,25 @@
+import { CaptchaTypeSchema } from "@prosopo/types";
+import { z } from "zod";
+import { AccessPolicyType } from "../rule.js";
+const accessPolicyInput = z.object({
+  type: z.nativeEnum(AccessPolicyType),
+  captchaType: CaptchaTypeSchema.optional(),
+  description: z.coerce.string().optional(),
+  // Redis stores values as strings, so coerce is needed to parse properly
+  solvedImagesCount: z.coerce.number().optional(),
+  // the percentage of image panels that must be solved per image CAPTCHA
+  imageThreshold: z.coerce.number().optional(),
+  // the Proof-of-Work difficulty level
+  powDifficulty: z.coerce.number().optional(),
+  // the number of unsolved image CAPTCHA challenges to serve
+  unsolvedImagesCount: z.coerce.number().optional(),
+  // used to increase the user's score
+  frictionlessScore: z.coerce.number().optional()
+});
+const policyScopeInput = z.object({
+  clientId: z.coerce.string().optional()
+});
+export {
+  accessPolicyInput,
+  policyScopeInput
+};