@simtlix/simfinity-js 2.4.4 → 2.5.0

package/.claude/worktrees/agitated-kepler/src/auth/index.js

@@ -0,0 +1,391 @@
+/**
+ * Simfinity GraphQL Authorization
+ * 
+ * Production-grade centralized GraphQL authorization supporting:
+ * - RBAC / ABAC
+ * - Function-based rules
+ * - Declarative policy expressions (JSON AST)
+ * - Wildcard "*" permissions
+ * - Default allow/deny policies
+ * 
+ * @example
+ * import { auth } from '@simtlix/simfinity-js';
+ * import { createYoga } from 'graphql-yoga';
+ * 
+ * const { createAuthPlugin, requireAuth, requireRole } = auth;
+ * 
+ * const permissions = {
+ *   Query: {
+ *     series: requireAuth(),
+ *     seasons: requireAuth(),
+ *   },
+ *   Mutation: {
+ *     deleteserie: requireRole('admin'),
+ *     deletestar: requireRole('admin'),
+ *   },
+ *   serie: {
+ *     '*': requireAuth(),
+ *   }
+ * };
+ * 
+ * const authPlugin = createAuthPlugin(permissions, { defaultPolicy: 'ALLOW' });
+ * const yoga = createYoga({ schema, plugins: [authPlugin] });
+ */
+
+import { GraphQLObjectType, defaultFieldResolver } from 'graphql';
+import { UnauthenticatedError, ForbiddenError, createAuthError } from './errors.js';
+import { isPolicyExpression, createRuleFromExpression, evaluateExpression } from './expressions.js';
+import {
+  resolvePath,
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+} from './rules.js';
+
+// Re-export errors
+export { UnauthenticatedError, ForbiddenError, createAuthError } from './errors.js';
+
+// Re-export expression utilities
+export { evaluateExpression, isPolicyExpression, createRuleFromExpression } from './expressions.js';
+
+// Re-export rule helpers and utilities
+export {
+  resolvePath,
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+} from './rules.js';
+
+/**
+ * @typedef {'ALLOW' | 'DENY'} DefaultPolicy
+ */
+
+/**
+ * @typedef {Object} AuthMiddlewareOptions
+ * @property {DefaultPolicy} [defaultPolicy='DENY'] - Default policy when no rule matches
+ * @property {boolean} [debug=false] - Enable debug logging
+ */
+
+/**
+ * @typedef {Function} RuleFunction
+ * @param {*} parent - Parent resolver result
+ * @param {Object} args - GraphQL arguments
+ * @param {Object} ctx - GraphQL context
+ * @param {Object} info - GraphQL resolve info
+ * @returns {boolean|void|Promise<boolean|void>} - true/void to allow, false to deny
+ */
+
+/**
+ * @typedef {Object|RuleFunction|Array<RuleFunction>} Rule
+ */
+
+/**
+ * @typedef {Object.<string, Rule>} TypePermissions
+ */
+
+/**
+ * @typedef {Object.<string, TypePermissions>} PermissionSchema
+ */
+
+/**
+ * Normalizes a rule to always be an array of functions
+ * @param {Rule} rule - The rule to normalize
+ * @returns {Function[]} Array of rule functions
+ */
+const normalizeRule = (rule) => {
+  if (typeof rule === 'function') {
+    return [rule];
+  }
+  
+  if (Array.isArray(rule)) {
+    return rule.flatMap(r => normalizeRule(r));
+  }
+  
+  if (isPolicyExpression(rule)) {
+    return [createRuleFromExpression(rule)];
+  }
+  
+  // Unknown rule type - return empty (will use default policy)
+  return [];
+};
+
+/**
+ * Gets the rule for a specific field, with wildcard fallback
+ * @param {PermissionSchema} permissions - The permission schema
+ * @param {string} typeName - The GraphQL type name
+ * @param {string} fieldName - The field name
+ * @returns {Function[]|null} Array of rule functions or null if no rule found
+ */
+const getFieldRules = (permissions, typeName, fieldName) => {
+  const typePerms = permissions[typeName];
+  
+  if (!typePerms) {
+    return null;
+  }
+  
+  // Check for exact field rule first
+  if (fieldName in typePerms) {
+    return normalizeRule(typePerms[fieldName]);
+  }
+  
+  // Fallback to wildcard
+  if ('*' in typePerms) {
+    return normalizeRule(typePerms['*']);
+  }
+  
+  return null;
+};
+
+/**
+ * Executes a single rule
+ * @param {Function} rule - The rule function to execute
+ * @param {*} parent - Parent resolver result
+ * @param {Object} args - GraphQL arguments
+ * @param {Object} ctx - GraphQL context
+ * @param {Object} info - GraphQL resolve info
+ * @returns {Promise<boolean>} True if allowed, false if denied
+ */
+const executeRule = async (rule, parent, args, ctx, info) => {
+  const result = await rule(parent, args, ctx, info);
+  
+  // void/undefined/true means allow
+  if (result === undefined || result === true) {
+    return true;
+  }
+  
+  // false means deny
+  return false;
+};
+
+/**
+ * Creates a graphql-middleware compatible authorization middleware.
+ * 
+ * @deprecated Use {@link createAuthPlugin} instead. `applyMiddleware` from graphql-middleware
+ * can cause duplicate-type errors when the schema contains custom introspection extensions.
+ * 
+ * @param {PermissionSchema} permissions - The permission schema object
+ * @param {AuthMiddlewareOptions} [options={}] - Middleware options
+ * @returns {Function} A graphql-middleware compatible middleware function
+ */
+export const createAuthMiddleware = (permissions, options = {}) => {
+  const {
+    defaultPolicy = 'DENY',
+    debug = false,
+  } = options;
+
+  const log = debug ? console.log.bind(console, '[auth]') : () => {};
+
+  /**
+   * The middleware generator function
+   * Returns a middleware object keyed by type name, each containing field resolvers
+   */
+  return async (resolve, parent, args, ctx, info) => {
+    const typeName = info.parentType.name;
+    const fieldName = info.fieldName;
+
+    log(`Checking ${typeName}.${fieldName}`);
+
+    // Get rules for this field
+    const rules = getFieldRules(permissions, typeName, fieldName);
+
+    // If no rules found, apply default policy
+    if (rules === null || rules.length === 0) {
+      log(`No rules for ${typeName}.${fieldName}, applying default policy: ${defaultPolicy}`);
+      
+      if (defaultPolicy === 'DENY') {
+        throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+      }
+      
+      // ALLOW - proceed to resolver
+      return resolve(parent, args, ctx, info);
+    }
+
+    // Execute all rules (AND logic - all must pass)
+    for (const rule of rules) {
+      log(`Executing rule for ${typeName}.${fieldName}`);
+      
+      const allowed = await executeRule(rule, parent, args, ctx, info);
+      
+      if (!allowed) {
+        log(`Rule denied access to ${typeName}.${fieldName}`);
+        throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+      }
+    }
+
+    log(`Access granted to ${typeName}.${fieldName}`);
+    
+    // All rules passed - proceed to resolver
+    return resolve(parent, args, ctx, info);
+  };
+};
+
+/**
+ * Creates a field-level middleware object from a permission schema.
+ * This can be used with graphql-middleware's applyMiddleware.
+ * 
+ * @deprecated Use {@link createAuthPlugin} instead. `applyMiddleware` from graphql-middleware
+ * can cause duplicate-type errors when the schema contains custom introspection extensions.
+ * 
+ * @param {PermissionSchema} permissions - The permission schema
+ * @param {AuthMiddlewareOptions} [options={}] - Middleware options
+ * @returns {Object} Field middleware object compatible with graphql-middleware
+ */
+export const createFieldMiddleware = (permissions, options = {}) => {
+  const middleware = createAuthMiddleware(permissions, options);
+  const fieldMiddleware = {};
+
+  for (const typeName of Object.keys(permissions)) {
+    fieldMiddleware[typeName] = {};
+    
+    const typePerms = permissions[typeName];
+    for (const fieldName of Object.keys(typePerms)) {
+      if (fieldName === '*') {
+        // Wildcard rules are handled by the middleware internally
+        continue;
+      }
+      fieldMiddleware[typeName][fieldName] = middleware;
+    }
+  }
+
+  return fieldMiddleware;
+};
+
+/**
+ * Creates an Envelop-compatible authorization plugin that wraps schema resolvers in-place.
+ * 
+ * Unlike {@link createAuthMiddleware} (which requires graphql-middleware's `applyMiddleware`
+ * and rebuilds the schema), this plugin mutates resolvers directly on the existing schema,
+ * avoiding schema reconstruction and the duplicate-type errors it can cause.
+ * 
+ * @param {PermissionSchema} permissions - The permission schema object
+ * @param {AuthMiddlewareOptions} [options={}] - Plugin options
+ * @returns {Object} An Envelop plugin with an `onSchemaChange` hook
+ * 
+ * @example
+ * import { auth } from '@simtlix/simfinity-js';
+ * import { createYoga } from 'graphql-yoga';
+ * 
+ * const permissions = {
+ *   Query: {
+ *     users: requireAuth(),
+ *     adminDashboard: requireRole('ADMIN')
+ *   },
+ *   User: {
+ *     '*': requireAuth(),
+ *     email: requireRole('ADMIN')
+ *   }
+ * };
+ * 
+ * const authPlugin = auth.createAuthPlugin(permissions, { defaultPolicy: 'DENY' });
+ * const yoga = createYoga({ schema, plugins: [authPlugin] });
+ */
+export const createAuthPlugin = (permissions, options = {}) => {
+  const {
+    defaultPolicy = 'DENY',
+    debug = false,
+  } = options;
+
+  const log = debug ? console.log.bind(console, '[auth]') : () => {};
+  const processedSchemas = new WeakSet();
+
+  const wrapSchemaResolvers = (schema) => {
+    if (processedSchemas.has(schema)) return;
+
+    const typeMap = schema.getTypeMap();
+
+    for (const [typeName, type] of Object.entries(typeMap)) {
+      if (!(type instanceof GraphQLObjectType) || typeName.startsWith('__')) continue;
+
+      const fields = type.getFields();
+
+      for (const [fieldName, field] of Object.entries(fields)) {
+        const rules = getFieldRules(permissions, typeName, fieldName);
+        const originalResolve = field.resolve || defaultFieldResolver;
+
+        field.resolve = async (parent, args, ctx, info) => {
+          log(`Checking ${typeName}.${fieldName}`);
+
+          if (rules === null || rules.length === 0) {
+            log(`No rules for ${typeName}.${fieldName}, applying default policy: ${defaultPolicy}`);
+
+            if (defaultPolicy === 'DENY') {
+              throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+            }
+
+            return originalResolve(parent, args, ctx, info);
+          }
+
+          for (const rule of rules) {
+            log(`Executing rule for ${typeName}.${fieldName}`);
+
+            const allowed = await executeRule(rule, parent, args, ctx, info);
+
+            if (!allowed) {
+              log(`Rule denied access to ${typeName}.${fieldName}`);
+              throw new ForbiddenError(`Access denied to ${typeName}.${fieldName}`);
+            }
+          }
+
+          log(`Access granted to ${typeName}.${fieldName}`);
+
+          return originalResolve(parent, args, ctx, info);
+        };
+      }
+    }
+
+    processedSchemas.add(schema);
+  };
+
+  return {
+    onSchemaChange({ schema }) {
+      wrapSchemaResolvers(schema);
+    },
+  };
+};
+
+// Default export with all auth utilities
+const auth = {
+  // Main factories
+  createAuthPlugin,
+  createAuthMiddleware,
+  createFieldMiddleware,
+  
+  // Utilities
+  resolvePath,
+  
+  // Rule helpers
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+  
+  // Expression utilities
+  evaluateExpression,
+  isPolicyExpression,
+  createRuleFromExpression,
+  
+  // Errors
+  UnauthenticatedError,
+  ForbiddenError,
+  createAuthError,
+};
+
+export default auth;
+

package/.claude/worktrees/agitated-kepler/src/auth/rules.js

@@ -0,0 +1,274 @@
+import { UnauthenticatedError, ForbiddenError } from './errors.js';
+
+/**
+ * Resolves a value from an object using a dotted path string or function.
+ * @param {Object} obj - The object to resolve from
+ * @param {string|Function} pathOrFn - Dotted path (e.g., 'user.profile.id') or function to extract value
+ * @returns {*} The resolved value or undefined if not found
+ * @example
+ * resolvePath({ user: { id: '123' } }, 'user.id') // returns '123'
+ * resolvePath({ user: { id: '123' } }, (obj) => obj.user.id) // returns '123'
+ */
+export const resolvePath = (obj, pathOrFn) => {
+  if (typeof pathOrFn === 'function') {
+    return pathOrFn(obj);
+  }
+  if (typeof pathOrFn === 'string') {
+    const parts = pathOrFn.split('.');
+    let value = obj;
+    for (const part of parts) {
+      if (value == null) return undefined;
+      value = value[part];
+    }
+    return value;
+  }
+  return undefined;
+};
+
+/**
+ * Rule that requires the user to be authenticated
+ * Checks for user existence at the specified path in context
+ * @param {string|Function} [userPath='user'] - Path to user in context (e.g., 'user', 'auth.user', 'session.user')
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requireAuth()                    // checks ctx.user
+ * requireAuth('auth.user')         // checks ctx.auth.user
+ * requireAuth('session.currentUser') // checks ctx.session.currentUser
+ */
+export const requireAuth = (userPath = 'user') => {
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    return true;
+  };
+};
+
+/**
+ * Rule that requires the user to have a specific role
+ * @param {string|string[]} role - Required role or array of roles (any match)
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @param {string|Function} [options.rolePath='role'] - Path to role field in user object
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requireRole('ADMIN')
+ * requireRole(['ADMIN', 'EDITOR'])
+ * requireRole('ADMIN', { userPath: 'auth.user', rolePath: 'roles.primary' })
+ */
+export const requireRole = (role, options = {}) => {
+  const roles = Array.isArray(role) ? role : [role];
+  const { userPath = 'user', rolePath = 'role' } = options;
+  
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    
+    const userRole = resolvePath(user, rolePath);
+    
+    if (!roles.includes(userRole)) {
+      throw new ForbiddenError(`Requires role: ${roles.join(' or ')}`);
+    }
+    
+    return true;
+  };
+};
+
+/**
+ * Rule that requires the user to have a specific permission
+ * @param {string|string[]} permission - Required permission(s) (all must match if array)
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @param {string|Function} [options.permissionsPath='permissions'] - Path to permissions array in user object
+ * @returns {Function} Rule function (parent, args, ctx, info) => boolean | throws
+ * @example
+ * requirePermission('posts:read')
+ * requirePermission(['posts:read', 'posts:write'])
+ * requirePermission('posts:read', { userPath: 'auth.user', permissionsPath: 'grants' })
+ */
+export const requirePermission = (permission, options = {}) => {
+  const requiredPermissions = Array.isArray(permission) ? permission : [permission];
+  const { userPath = 'user', permissionsPath = 'permissions' } = options;
+  
+  return (_parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    
+    const userPermissions = resolvePath(user, permissionsPath) || [];
+    
+    // Check if user has wildcard permission
+    if (userPermissions.includes('*')) {
+      return true;
+    }
+    
+    // All required permissions must be present
+    for (const perm of requiredPermissions) {
+      if (!userPermissions.includes(perm)) {
+        throw new ForbiddenError(`Missing permission: ${perm}`);
+      }
+    }
+    
+    return true;
+  };
+};
+
+/**
+ * Composes multiple rules - all must pass (logical AND)
+ * @param  {...Function} rules - Rule functions to compose
+ * @returns {Function} Composed rule function
+ */
+export const composeRules = (...rules) => {
+  return async (parent, args, ctx, info) => {
+    for (const rule of rules) {
+      const result = await rule(parent, args, ctx, info);
+      // If rule returns false, deny access
+      if (result === false) {
+        return false;
+      }
+      // If rule throws, it will propagate
+    }
+    return true;
+  };
+};
+
+/**
+ * Creates a rule that allows access if ANY of the provided rules pass (logical OR)
+ * @param  {...Function} rules - Rule functions to check
+ * @returns {Function} Combined rule function
+ */
+export const anyRule = (...rules) => {
+  return async (parent, args, ctx, info) => {
+    let lastError = null;
+    
+    for (const rule of rules) {
+      try {
+        const result = await rule(parent, args, ctx, info);
+        if (result !== false) {
+          return true; // At least one rule passed
+        }
+      } catch (error) {
+        lastError = error;
+        // Continue to next rule
+      }
+    }
+    
+    // No rule passed - throw the last error or return false
+    if (lastError) {
+      throw lastError;
+    }
+    return false;
+  };
+};
+
+/**
+ * Creates a rule that checks if the authenticated user owns the resource
+ * @param {string|Function} [ownerField='userId'] - Path to owner ID in parent, or function to extract it
+ * @param {string|Function} [userIdField='id'] - Path to user ID in user object, or function to extract it
+ * @param {Object} [options] - Configuration options
+ * @param {string|Function} [options.userPath='user'] - Path to user in context
+ * @returns {Function} Rule function
+ * @example
+ * isOwner()                                    // compares parent.userId with ctx.user.id
+ * isOwner('authorId')                          // compares parent.authorId with ctx.user.id
+ * isOwner('author.id', 'profile.id')           // compares parent.author.id with ctx.user.profile.id
+ * isOwner('authorId', 'id', { userPath: 'auth.user' }) // uses ctx.auth.user instead of ctx.user
+ */
+export const isOwner = (ownerField = 'userId', userIdField = 'id', options = {}) => {
+  const { userPath = 'user' } = options;
+
+  return (parent, _args, ctx) => {
+    if (!ctx) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+    const user = resolvePath(ctx, userPath);
+    if (!user) {
+      throw new UnauthenticatedError('You must be logged in to access this resource');
+    }
+
+    // Get ownerId from parent (using path or function)
+    const ownerId = resolvePath(parent, ownerField);
+
+    // Get userId from user object (using path or function)
+    const userId = resolvePath(user, userIdField);
+
+    if (ownerId === undefined || userId === undefined) {
+      return false;
+    }
+
+    return String(ownerId) === String(userId);
+  };
+};
+
+/**
+ * Creates a custom rule from a predicate function
+ * @param {Function} predicate - Function (parent, args, ctx, info) => boolean | Promise<boolean>
+ * @param {string} errorMessage - Error message if rule fails
+ * @param {string} errorCode - Error code (FORBIDDEN or UNAUTHENTICATED)
+ * @returns {Function} Rule function
+ */
+export const createRule = (predicate, errorMessage = 'Access denied', errorCode = 'FORBIDDEN') => {
+  return async (parent, args, ctx, info) => {
+    const result = await predicate(parent, args, ctx, info);
+    
+    if (result === false) {
+      if (errorCode === 'UNAUTHENTICATED') {
+        throw new UnauthenticatedError(errorMessage);
+      }
+      throw new ForbiddenError(errorMessage);
+    }
+    
+    return true;
+  };
+};
+
+/**
+ * Rule that always allows access (useful for public fields)
+ * @returns {Function} Rule function that always returns true
+ */
+export const allow = () => {
+  return () => true;
+};
+
+/**
+ * Rule that always denies access
+ * @param {string} message - Optional denial message
+ * @returns {Function} Rule function that always throws ForbiddenError
+ */
+export const deny = (message = 'Access denied') => {
+  return () => {
+    throw new ForbiddenError(message);
+  };
+};
+
+// Export all rules as an object for convenience
+const rules = {
+  // Utility
+  resolvePath,
+  // Rule helpers
+  requireAuth,
+  requireRole,
+  requirePermission,
+  composeRules,
+  anyRule,
+  isOwner,
+  createRule,
+  allow,
+  deny,
+};
+
+export default rules;
+

package/.claude/worktrees/agitated-kepler/src/const/QLOperator.js

@@ -0,0 +1,39 @@
+import { GraphQLEnumType } from 'graphql';
+
+const QLOperator = new GraphQLEnumType({
+  name: 'QLOperator',
+  values: {
+    EQ: {
+      value: 'EQ',
+    },
+    LT: {
+      value: 'LT',
+    },
+    GT: {
+      value: 'GT',
+    },
+    LTE: {
+      value: 'LTE',
+    },
+    GTE: {
+      value: 'GTE',
+    },
+    BTW: {
+      value: 'BTW',
+    },
+    NE: {
+      value: 'NE',
+    },
+    IN: {
+      value: 'IN',
+    },
+    NIN: {
+      value: 'NIN',
+    },
+    LIKE: {
+      value: 'LIKE',
+    },
+  },
+});
+
+export default QLOperator;