npm - @prosopo/user-access-policy - Versions diffs - 3.5.32 → 3.7.11 - Mend

@prosopo/user-access-policy 3.5.32 → 3.7.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (214) hide show

package/.turbo/turbo-build$colon$cjs.log +23 -21
package/.turbo/turbo-build$colon$tsc.log +41 -0
package/.turbo/turbo-build.log +28 -22
package/CHANGELOG.md +393 -0
package/dist/.export.d.ts +6 -0
package/dist/.export.d.ts.map +1 -0
package/dist/.export.js.map +1 -0
package/dist/api/.export.d.ts +7 -0
package/dist/api/.export.d.ts.map +1 -0
package/dist/api/.export.js.map +1 -0
package/dist/api/accessRulesApiClient.d.ts +2 -0
package/dist/api/accessRulesApiClient.d.ts.map +1 -0
package/dist/api/accessRulesApiClient.js +2 -0
package/dist/api/accessRulesApiClient.js.map +1 -0
package/dist/api/delete/.export.d.ts +2 -0
package/dist/api/delete/.export.d.ts.map +1 -0
package/dist/api/delete/.export.js.map +1 -0
package/dist/api/delete/deleteAllRules.d.ts +11 -0
package/dist/api/delete/deleteAllRules.d.ts.map +1 -0
package/dist/api/delete/deleteAllRules.js +3 -2
package/dist/api/delete/deleteAllRules.js.map +1 -0
package/dist/api/delete/deleteRuleGroups.d.ts +19 -0
package/dist/api/delete/deleteRuleGroups.d.ts.map +1 -0
package/dist/api/delete/deleteRuleGroups.js +3 -2
package/dist/api/delete/deleteRuleGroups.js.map +1 -0
package/dist/api/delete/deleteRules.d.ts +15 -0
package/dist/api/delete/deleteRules.d.ts.map +1 -0
package/dist/api/delete/deleteRules.js +3 -2
package/dist/api/delete/deleteRules.js.map +1 -0
package/dist/api/read/.export.d.ts +4 -0
package/dist/api/read/.export.d.ts.map +1 -0
package/dist/api/read/.export.js.map +1 -0
package/dist/api/read/fetchRules.d.ts +53 -0
package/dist/api/read/fetchRules.d.ts.map +1 -0
package/dist/api/read/fetchRules.js +4 -3
package/dist/api/read/fetchRules.js.map +1 -0
package/dist/api/read/findRuleIds.d.ts +28 -0
package/dist/api/read/findRuleIds.d.ts.map +1 -0
package/dist/api/read/findRuleIds.js +3 -2
package/dist/api/read/findRuleIds.js.map +1 -0
package/dist/api/read/getMissingIds.d.ts +28 -0
package/dist/api/read/getMissingIds.d.ts.map +1 -0
package/dist/api/read/getMissingIds.js +4 -3
package/dist/api/read/getMissingIds.js.map +1 -0
package/dist/api/ruleApiRoutes.d.ts +43 -0
package/dist/api/ruleApiRoutes.d.ts.map +1 -0
package/dist/api/ruleApiRoutes.js.map +1 -0
package/dist/api/rulesApiClient.d.ts +20 -0
package/dist/api/rulesApiClient.d.ts.map +1 -0
package/dist/api/rulesApiClient.js +18 -19
package/dist/api/rulesApiClient.js.map +1 -0
package/dist/api/write/.export.d.ts +2 -0
package/dist/api/write/.export.d.ts.map +1 -0
package/dist/api/write/.export.js.map +1 -0
package/dist/api/write/insertRules.d.ts +29 -0
package/dist/api/write/insertRules.d.ts.map +1 -0
package/dist/api/write/insertRules.js +12 -9
package/dist/api/write/insertRules.js.map +1 -0
package/dist/api/write/rehashRules.d.ts +11 -0
package/dist/api/write/rehashRules.d.ts.map +1 -0
package/dist/api/write/rehashRules.js +7 -6
package/dist/api/write/rehashRules.js.map +1 -0
package/dist/cjs/api/delete/deleteAllRules.cjs +3 -2
package/dist/cjs/api/delete/deleteRuleGroups.cjs +3 -2
package/dist/cjs/api/delete/deleteRules.cjs +3 -2
package/dist/cjs/api/read/fetchRules.cjs +4 -3
package/dist/cjs/api/read/findRuleIds.cjs +3 -2
package/dist/cjs/api/read/getMissingIds.cjs +4 -3
package/dist/cjs/api/rulesApiClient.cjs +18 -19
package/dist/cjs/api/write/insertRules.cjs +13 -10
package/dist/cjs/api/write/rehashRules.cjs +7 -6
package/dist/cjs/mongoose/mongooseRuleSchema.cjs +4 -1
package/dist/cjs/redis/reader/redisRulesQuery.cjs +18 -1
package/dist/cjs/redis/reader/redisRulesReader.cjs +13 -4
package/dist/cjs/redis/redisRuleIndex.cjs +5 -1
package/dist/cjs/redis/redisRulesWriter.cjs +6 -0
package/dist/cjs/ruleInput/policyInput.cjs +8 -0
package/dist/cjs/ruleInput/userScopeInput.cjs +4 -1
package/dist/cjs/ruleRecord.cjs +4 -1
package/dist/mongoose/.export.d.ts +2 -0
package/dist/mongoose/.export.d.ts.map +1 -0
package/dist/mongoose/.export.js.map +1 -0
package/dist/mongoose/mongooseRuleSchema.d.ts +4 -0
package/dist/mongoose/mongooseRuleSchema.d.ts.map +1 -0
package/dist/mongoose/mongooseRuleSchema.js +4 -1
package/dist/mongoose/mongooseRuleSchema.js.map +1 -0
package/dist/redis/.export.d.ts +3 -0
package/dist/redis/.export.d.ts.map +1 -0
package/dist/redis/.export.js.map +1 -0
package/dist/redis/reader/redisAggregate.d.ts +4 -0
package/dist/redis/reader/redisAggregate.d.ts.map +1 -0
package/dist/redis/reader/redisAggregate.js.map +1 -0
package/dist/redis/reader/redisRulesQuery.d.ts +4 -0
package/dist/redis/reader/redisRulesQuery.d.ts.map +1 -0
package/dist/redis/reader/redisRulesQuery.js +18 -1
package/dist/redis/reader/redisRulesQuery.js.map +1 -0
package/dist/redis/reader/redisRulesReader.d.ts +26 -0
package/dist/redis/reader/redisRulesReader.d.ts.map +1 -0
package/dist/redis/reader/redisRulesReader.js +14 -5
package/dist/redis/reader/redisRulesReader.js.map +1 -0
package/dist/redis/redisClient.d.ts +11 -0
package/dist/redis/redisClient.d.ts.map +1 -0
package/dist/redis/redisClient.js.map +1 -0
package/dist/redis/redisRuleIndex.d.ts +13 -0
package/dist/redis/redisRuleIndex.d.ts.map +1 -0
package/dist/redis/redisRuleIndex.js +5 -1
package/dist/redis/redisRuleIndex.js.map +1 -0
package/dist/redis/redisRulesStorage.d.ts +5 -0
package/dist/redis/redisRulesStorage.d.ts.map +1 -0
package/dist/redis/redisRulesStorage.js.map +1 -0
package/dist/redis/redisRulesWriter.d.ts +22 -0
package/dist/redis/redisRulesWriter.d.ts.map +1 -0
package/dist/redis/redisRulesWriter.js +6 -0
package/dist/redis/redisRulesWriter.js.map +1 -0
package/dist/rule.d.ts +37 -0
package/dist/rule.d.ts.map +1 -0
package/dist/rule.js.map +1 -0
package/dist/ruleInput/.export.d.ts +4 -0
package/dist/ruleInput/.export.d.ts.map +1 -0
package/dist/ruleInput/.export.js.map +1 -0
package/dist/ruleInput/policyInput.d.ts +39 -0
package/dist/ruleInput/policyInput.d.ts.map +1 -0
package/dist/ruleInput/policyInput.js +9 -1
package/dist/ruleInput/policyInput.js.map +1 -0
package/dist/ruleInput/ruleInput.d.ts +163 -0
package/dist/ruleInput/ruleInput.d.ts.map +1 -0
package/dist/ruleInput/ruleInput.js.map +1 -0
package/dist/ruleInput/userScopeInput.d.ts +117 -0
package/dist/ruleInput/userScopeInput.d.ts.map +1 -0
package/dist/ruleInput/userScopeInput.js +4 -1
package/dist/ruleInput/userScopeInput.js.map +1 -0
package/dist/ruleRecord.d.ts +18 -0
package/dist/ruleRecord.d.ts.map +1 -0
package/dist/ruleRecord.js +4 -1
package/dist/ruleRecord.js.map +1 -0
package/dist/rulesStorage.d.ts +30 -0
package/dist/rulesStorage.d.ts.map +1 -0
package/dist/rulesStorage.js.map +1 -0
package/dist/tests/insertRulesEndpoint.unit.test.d.ts +2 -0
package/dist/tests/insertRulesEndpoint.unit.test.d.ts.map +1 -0
package/dist/tests/insertRulesEndpoint.unit.test.js +57 -0
package/dist/tests/insertRulesEndpoint.unit.test.js.map +1 -0
package/dist/tests/policyInput.unit.test.d.ts +2 -0
package/dist/tests/policyInput.unit.test.d.ts.map +1 -0
package/dist/tests/policyInput.unit.test.js +116 -0
package/dist/tests/policyInput.unit.test.js.map +1 -0
package/dist/tests/redis/reader/redisRulesQuery.unit.test.d.ts +2 -0
package/dist/tests/redis/reader/redisRulesQuery.unit.test.d.ts.map +1 -0
package/dist/tests/redis/reader/redisRulesQuery.unit.test.js +199 -0
package/dist/tests/redis/reader/redisRulesQuery.unit.test.js.map +1 -0
package/dist/tests/redis/redisRulesStorage.integration.test.d.ts +2 -0
package/dist/tests/redis/redisRulesStorage.integration.test.d.ts.map +1 -0
package/dist/tests/redis/redisRulesStorage.integration.test.js +831 -0
package/dist/tests/redis/redisRulesStorage.integration.test.js.map +1 -0
package/dist/tests/testLogger.d.ts +4 -0
package/dist/tests/testLogger.d.ts.map +1 -0
package/dist/tests/testLogger.js +22 -0
package/dist/tests/testLogger.js.map +1 -0
package/dist/tests/transformRule.unit.test.d.ts +2 -0
package/dist/tests/transformRule.unit.test.d.ts.map +1 -0
package/dist/tests/transformRule.unit.test.js +191 -0
package/dist/tests/transformRule.unit.test.js.map +1 -0
package/dist/transformRule.d.ts +7 -0
package/dist/transformRule.d.ts.map +1 -0
package/dist/transformRule.js.map +1 -0
package/entries.ts +1 -1
package/package.json +18 -12
package/src/.export.ts +44 -0
package/src/api/.export.ts +25 -0
package/src/api/accessRulesApiClient.ts +13 -0
package/src/api/delete/.export.ts +18 -0
package/src/api/delete/deleteAllRules.ts +47 -0
package/src/api/delete/deleteRuleGroups.ts +96 -0
package/src/api/delete/deleteRules.ts +81 -0
package/src/api/read/.export.ts +25 -0
package/src/api/read/fetchRules.ts +88 -0
package/src/api/read/findRuleIds.ts +95 -0
package/src/api/read/getMissingIds.ts +81 -0
package/src/api/ruleApiRoutes.ts +146 -0
package/src/api/rulesApiClient.ts +154 -0
package/src/api/write/.export.ts +15 -0
package/src/api/write/insertRules.ts +183 -0
package/src/api/write/rehashRules.ts +85 -0
package/src/mongoose/.export.ts +15 -0
package/src/mongoose/mongooseRuleSchema.ts +65 -0
package/src/redis/.export.ts +17 -0
package/src/redis/reader/redisAggregate.ts +103 -0
package/src/redis/reader/redisRulesQuery.ts +217 -0
package/src/redis/reader/redisRulesReader.ts +318 -0
package/src/redis/redisClient.ts +120 -0
package/src/redis/redisRuleIndex.ts +85 -0
package/src/redis/redisRulesStorage.ts +68 -0
package/src/redis/redisRulesWriter.ts +158 -0
package/src/rule.ts +59 -0
package/src/ruleInput/.export.ts +19 -0
package/src/ruleInput/policyInput.ts +51 -0
package/src/ruleInput/ruleInput.ts +103 -0
package/src/ruleInput/userScopeInput.ts +108 -0
package/src/ruleRecord.ts +69 -0
package/src/rulesStorage.ts +72 -0
package/src/tests/insertRulesEndpoint.unit.test.ts +89 -0
package/src/tests/policyInput.unit.test.ts +150 -0
package/src/tests/redis/reader/redisRulesQuery.unit.test.ts +284 -0
package/src/tests/redis/redisRulesStorage.integration.test.ts +1156 -0
package/src/tests/testLogger.ts +38 -0
package/src/tests/transformRule.unit.test.ts +255 -0
package/src/transformRule.ts +128 -0
package/tsconfig.cjs.json +41 -0
package/tsconfig.json +47 -0
package/tsconfig.tsbuildinfo +1 -0
package/tsconfig.types.json +9 -0
package/vite.cjs.config.ts +1 -1
package/vite.esm.config.ts +1 -1
package/vite.test.config.ts +1 -1

package/src/redis/reader/redisRulesReader.ts ADDED Viewed

@@ -0,0 +1,318 @@
+// Copyright 2021-2026 Prosopo (UK) Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+import * as util from "node:util";
+import { chunkIntoBatches, executeBatchesSequentially } from "@prosopo/common";
+import type { Logger } from "@prosopo/logger";
+import type { RedisClientType } from "redis";
+import {
+	REDIS_QUERY_DIALECT,
+	getRulesRedisQuery,
+} from "#policy/redis/reader/redisRulesQuery.js";
+import {
+	REDIS_BATCH_SIZE,
+	fetchRedisHashRecords,
+	getMissingRedisKeys,
+	parseRedisRecords,
+} from "#policy/redis/redisClient.js";
+import {
+	ACCESS_RULES_REDIS_INDEX_NAME,
+	ACCESS_RULE_REDIS_KEY_PREFIX,
+} from "#policy/redis/redisRuleIndex.js";
+import type { AccessRule } from "#policy/rule.js";
+import { accessRuleInput } from "#policy/ruleInput/ruleInput.js";
+import type {
+	AccessRuleEntry,
+	AccessRulesFilter,
+	AccessRulesReader,
+} from "#policy/rulesStorage.js";
+import { aggregateRedisKeys } from "./redisAggregate.js";
+export class RedisRulesReader implements AccessRulesReader {
+	constructor(
+		private readonly client: RedisClientType,
+		private readonly logger: Logger,
+	) {}
+	async getMissingRuleIds(ruleIds: string[]): Promise<string[]> {
+		const ruleKeys = this.getRuleKeys(ruleIds);
+		const keyBatches = chunkIntoBatches(ruleKeys, REDIS_BATCH_SIZE);
+		const missingKeyBatches = await executeBatchesSequentially(
+			keyBatches,
+			async (keysBatch) => getMissingRedisKeys(this.client, keysBatch),
+		);
+		return missingKeyBatches
+			.flat()
+			.map((ruleKey) => ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length));
+	}
+	async fetchRules(ruleIds: string[]): Promise<AccessRuleEntry[]> {
+		const ruleKeys = this.getRuleKeys(ruleIds);
+		const keyBatches = chunkIntoBatches(ruleKeys, REDIS_BATCH_SIZE);
+		const entryBatches = await executeBatchesSequentially(
+			keyBatches,
+			(keysBatch) => this.fetchRuleEntries(keysBatch),
+		);
+		return entryBatches.flat();
+	}
+	async findRules(
+		filter: AccessRulesFilter,
+		matchingFieldsOnly = false,
+		skipEmptyUserScopes = true,
+	): Promise<AccessRule[]> {
+		const query = getRulesRedisQuery(filter, matchingFieldsOnly);
+		if (skipEmptyUserScopes && query === "ismissing(@clientId)") {
+			// We don't want to accidentally return all rules when the filter is empty
+			return [];
+		}
+		try {
+			// Use searchNoContent to get document keys only, then fetch data separately.
+			// This avoids a bug in @redis/search where ft.search crashes with
+			// "Cannot read properties of null (reading 'length')" when a document
+			// is deleted/expired between the index scan and data retrieval.
+			const searchReply = await this.client.ft.searchNoContent(
+				ACCESS_RULES_REDIS_INDEX_NAME,
+				query,
+				{
+					DIALECT: REDIS_QUERY_DIALECT,
+					// FT.search doesn't support "unlimited" selects
+					LIMIT: {
+						from: 0,
+						size: REDIS_BATCH_SIZE,
+					},
+				},
+			);
+			if (searchReply.total > 0) {
+				this.logger.debug(() => ({
+					msg: "Executed search query",
+					data: {
+						inspect: util.inspect(
+							{
+								filter: filter,
+								searchReply: searchReply,
+								query: query,
+							},
+							{ depth: null },
+						),
+					},
+				}));
+			}
+			if (searchReply.documents.length === 0) {
+				return [];
+			}
+			const { records } = await fetchRedisHashRecords(
+				this.client,
+				searchReply.documents,
+				this.logger,
+			);
+			const nonEmptyRecords = records.filter(
+				(record) => Object.keys(record).length > 0,
+			);
+			return parseRedisRecords(nonEmptyRecords, accessRuleInput, this.logger);
+		} catch (e) {
+			this.logger.error(() => ({
+				err: e,
+				data: {
+					inspect: util.inspect(
+						{
+							query: query,
+							filter: filter,
+						},
+						{
+							depth: null,
+						},
+					),
+				},
+				msg: "failed to execute search query",
+			}));
+			return [];
+		}
+	}
+	async findRuleIds(
+		filter: AccessRulesFilter,
+		matchingFieldsOnly = false,
+	): Promise<string[]> {
+		const query = getRulesRedisQuery(filter, matchingFieldsOnly);
+		let ruleIds: string[] = [];
+		try {
+			// aggregation is used instead ft.search to overcome the limitation on search results number
+			const ruleKeys = await aggregateRedisKeys(
+				this.client,
+				query,
+				this.logger,
+			);
+			ruleIds = ruleKeys.map((ruleKey) =>
+				ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length),
+			);
+		} catch (e) {
+			this.logger.error(() => ({
+				err: e,
+				data: {
+					inspect: util.inspect(
+						{
+							query: query,
+							filter: filter,
+						},
+						{
+							depth: null,
+						},
+					),
+				},
+				msg: "Failed to execute search query for rule IDs",
+			}));
+			return [];
+		}
+		this.logger.debug(() => ({
+			msg: "Executed search query for rule IDs",
+			data: {
+				query: query,
+				foundCount: ruleIds.length,
+				foundIds: ruleIds,
+			},
+		}));
+		return ruleIds;
+	}
+	async fetchAllRuleIds(
+		batchHandler: (ruleIds: string[]) => Promise<void>,
+	): Promise<void> {
+		const keysBatchHandler = async (keys: string[]) => {
+			const ids = keys.map((ruleKey) =>
+				ruleKey.slice(ACCESS_RULE_REDIS_KEY_PREFIX.length),
+			);
+			await batchHandler(ids);
+		};
+		await aggregateRedisKeys(this.client, "*", this.logger, keysBatchHandler);
+	}
+	protected async fetchRuleEntries(keys: string[]): Promise<AccessRuleEntry[]> {
+		const { records, expirations } = await fetchRedisHashRecords(
+			this.client,
+			keys,
+			this.logger,
+		);
+		const entries: AccessRuleEntry[] = [];
+		for (const [index, ruleData] of records.entries()) {
+			const isRulePresent = Object.keys(ruleData).length > 0;
+			if (isRulePresent) {
+				const rule = parseRedisRecords(
+					[ruleData],
+					accessRuleInput,
+					this.logger,
+				)[0];
+				if (rule) {
+					entries.push({
+						rule: rule,
+						expiresUnixTimestamp: expirations[index],
+					});
+				}
+			}
+		}
+		return entries;
+	}
+	protected getRuleKeys(ruleIds: string[]): string[] {
+		return ruleIds.map((id) => `${ACCESS_RULE_REDIS_KEY_PREFIX}${id}`);
+	}
+}
+export class DummyRedisRulesReader implements AccessRulesReader {
+	constructor(private readonly logger: Logger) {}
+	async getMissingRuleIds(ruleIds: string[]): Promise<string[]> {
+		this.logger.info(() => ({
+			msg: "Dummy getMissingRuleIds() has no effect (redis is not ready)",
+			data: {
+				ruleIds,
+			},
+		}));
+		return [];
+	}
+	async fetchRules(ruleIds: string[]): Promise<AccessRuleEntry[]> {
+		this.logger.info(() => ({
+			msg: "Dummy fetchRule() has no effect (redis is not ready)",
+			data: {
+				ruleIds,
+			},
+		}));
+		return [];
+	}
+	async findRules(
+		filter: AccessRulesFilter,
+		matchingFieldsOnly = false,
+		skipEmptyUserScopes = true,
+	): Promise<AccessRule[]> {
+		this.logger.info(() => ({
+			msg: "Dummy findRules() has no effect (redis is not ready)",
+			data: {
+				filter,
+			},
+		}));
+		return [];
+	}
+	async findRuleIds(
+		filter: AccessRulesFilter,
+		matchingFieldsOnly = false,
+	): Promise<string[]> {
+		this.logger.info(() => ({
+			msg: "Dummy findRuleIds() has no effect (redis is not ready)",
+			data: {
+				filter,
+			},
+		}));
+		return [];
+	}
+	async fetchAllRuleIds(
+		batchHandler: (ruleIds: string[]) => Promise<void>,
+	): Promise<void> {
+		this.logger.info(() => ({
+			msg: "Dummy fetchAllRuleIds() has no effect (redis is not ready)",
+		}));
+	}
+}

package/src/redis/redisClient.ts ADDED Viewed

@@ -0,0 +1,120 @@
+// Copyright 2021-2026 Prosopo (UK) Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+import type { Logger } from "@prosopo/logger";
+import type { RedisClientType } from "redis";
+import { type ZodType, z } from "zod";
+export const REDIS_BATCH_SIZE = 1_000;
+export const getMissingRedisKeys = async (
+	client: RedisClientType,
+	keys: string[],
+): Promise<string[]> => {
+	const queries = client.multi();
+	keys.map((key) => {
+		queries.exists(key);
+	});
+	const records: unknown[] = await queries.exec();
+	const missingKeys: string[] = [];
+	records.map((exists, recordIndex) => {
+		if ("0" === String(exists)) {
+			const key = keys[recordIndex];
+			if (key) {
+				missingKeys.push(key);
+			}
+		}
+	});
+	return missingKeys;
+};
+export const fetchRedisHashRecords = async (
+	client: RedisClientType,
+	keys: string[],
+	logger: Logger,
+): Promise<{ records: object[]; expirations: (number | undefined)[] }> => {
+	const rulesPipe = client.multi();
+	const expirationPipe = client.multi();
+	for (const key of keys) {
+		rulesPipe.hGetAll(key);
+		expirationPipe.expireTime(key);
+	}
+	const records = (await rulesPipe.exec()) as object[];
+	const expirationRecords = (await expirationPipe.exec()) as unknown[];
+	return {
+		records: records,
+		expirations: parseExpirationRecords(expirationRecords, logger),
+	};
+};
+export const parseRedisRecords = <T>(
+	records: unknown[],
+	recordSchema: ZodType<T>,
+	logger: Logger,
+): T[] =>
+	records.flatMap((record) => {
+		const parseResult = recordSchema.safeParse(record);
+		if (parseResult.success) {
+			return [parseResult.data];
+		}
+		logger.error(() => ({
+			msg: "Failed to parse Redis record",
+			data: { record, error: parseResult.error },
+		}));
+		return [];
+	});
+const expirationRecordSchema = z.coerce.number();
+// Redis returns -1 when expiration is not set
+const UNSET_EXPIRATION_VALUE = -1;
+const parseExpirationRecords = <T>(
+	records: unknown[],
+	logger: Logger,
+): (number | undefined)[] =>
+	records.flatMap((record) => {
+		const parseResult = expirationRecordSchema.safeParse(record);
+		if (parseResult.success) {
+			const expiration =
+				UNSET_EXPIRATION_VALUE === parseResult.data
+					? undefined
+					: parseResult.data;
+			return [expiration];
+		}
+		logger.error(() => ({
+			msg: "Failed to parse Redis expiration record",
+			data: {
+				record,
+				error: parseResult.error,
+			},
+		}));
+		// ensure consistent output length
+		return [undefined];
+	});

package/src/redis/redisRuleIndex.ts ADDED Viewed

@@ -0,0 +1,85 @@
+// Copyright 2021-2026 Prosopo (UK) Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+import type { AllKeys, Keys } from "@prosopo/common";
+import type { RedisIndex } from "@prosopo/redis-client";
+import { type RediSearchSchema, SCHEMA_FIELD_TYPE } from "@redis/search";
+import type {
+	AccessRule,
+	PolicyScope,
+	UserAttributes,
+	UserIp,
+	UserScope,
+} from "#policy/rule.js";
+import { makeAccessRuleHash } from "#policy/transformRule.js";
+export const userIpRedisSchema: RediSearchSchema = {
+	numericIpMaskMin: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
+	numericIpMaskMax: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
+	numericIp: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
+} satisfies AllKeys<UserIp>;
+export const userAttributesRedisSchema: RediSearchSchema = {
+	userId: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+	ja4Hash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+	headersHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+	userAgentHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+	headHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+	// Use pipe separator for coords since JSON strings contain commas
+	coords: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true, SEPARATOR: "|" },
+	countryCode: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+} satisfies AllKeys<UserAttributes>;
+export const userScopeRedisSchema: RediSearchSchema = {
+	...userAttributesRedisSchema,
+	...userIpRedisSchema,
+} satisfies Keys<UserScope>;
+export const policyScopeRedisSchema: RediSearchSchema = {
+	clientId: {
+		type: SCHEMA_FIELD_TYPE.TAG,
+		INDEXMISSING: true,
+	},
+} satisfies AllKeys<PolicyScope>;
+/**
+ * Note on the field type decision
+ *
+ * TAG is designed for the exact value matching
+ * TEXT is designed for the word-based and pattern matching
+ *
+ * For our goal TAG fits perfectly and, more performant
+ */
+export const accessRuleRedisSchema: RediSearchSchema = {
+	...policyScopeRedisSchema,
+	...userScopeRedisSchema,
+	groupId: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
+} satisfies Keys<AccessRule>;
+export const ACCESS_RULES_REDIS_INDEX_NAME = "index:user-access-rules";
+// names take space, so we use an acronym instead of the long-tailed one
+export const ACCESS_RULE_REDIS_KEY_PREFIX = "uar:";
+export const accessRulesRedisIndex: RedisIndex = {
+	name: ACCESS_RULES_REDIS_INDEX_NAME,
+	schema: accessRuleRedisSchema,
+	options: {
+		ON: "HASH" as const,
+		PREFIX: [ACCESS_RULE_REDIS_KEY_PREFIX],
+	},
+};
+export const getAccessRuleRedisKey = (rule: AccessRule): string =>
+	ACCESS_RULE_REDIS_KEY_PREFIX + makeAccessRuleHash(rule);

package/src/redis/redisRulesStorage.ts ADDED Viewed

@@ -0,0 +1,68 @@
+// Copyright 2021-2026 Prosopo (UK) Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+import type { Logger } from "@prosopo/logger";
+import type { RedisConnection } from "@prosopo/redis-client";
+import type {
+	AccessRulesReader,
+	AccessRulesStorage,
+	AccessRulesWriter,
+} from "#policy/rulesStorage.js";
+import {
+	DummyRedisRulesReader,
+	RedisRulesReader,
+} from "./reader/redisRulesReader.js";
+import { DummyRedisRulesWriter, RedisRulesWriter } from "./redisRulesWriter.js";
+export const createRedisAccessRulesStorage = (
+	connection: RedisConnection,
+	logger: Logger,
+): AccessRulesStorage => {
+	const storage: AccessRulesStorage = composeStorage(
+		new DummyRedisRulesReader(logger),
+		new DummyRedisRulesWriter(logger),
+	);
+	connection.getClient().then((client) => {
+		const realStorage = composeStorage(
+			new RedisRulesReader(client, logger),
+			new RedisRulesWriter(client, logger),
+		);
+		// use assigning instead of var overwriting to keep the object reference
+		Object.assign(storage, realStorage);
+		logger.info(() => ({
+			msg: "RedisAccessRules storage got a ready Redis client",
+		}));
+	});
+	return storage;
+};
+const composeStorage = (
+	reader: AccessRulesReader,
+	writer: AccessRulesWriter,
+): AccessRulesStorage => ({
+	// reader
+	fetchRules: reader.fetchRules.bind(reader),
+	getMissingRuleIds: reader.getMissingRuleIds.bind(reader),
+	findRules: reader.findRules.bind(reader),
+	findRuleIds: reader.findRuleIds.bind(reader),
+	fetchAllRuleIds: reader.fetchAllRuleIds.bind(reader),
+	// writer
+	insertRules: writer.insertRules.bind(writer),
+	deleteRules: writer.deleteRules.bind(writer),
+	deleteAllRules: writer.deleteAllRules.bind(writer),
+});